# 2024 AIS3 Pre-exam Writeup

> **A beginner's problem-solving journey: plain, unglamorous, and hitting walls at every turn.**

This was my first time playing MyFirstCTF.
It's a bit laughable: experience-wise I'm basically a baby. I've studied security for a year and still can't do anything 🥺
The goal was to solve 5 challenges (totally impossible 😍😍😍)

# Welcome

![image](https://hackmd.io/_uploads/HkqOvf1NA.png)

Thanks to Welcome for letting me solve one challenge :)

<code>AIS3{Welc0me_to_MYF1rstCTF_2o24!}</code>

# Web

## Evil Calculator

This is a calculator written in Python. It's a simple calculator, but some function in it is VERY EVIL!!

Connection info: <code>http://chals1.ais3.org:5001</code>

Author: TriangleSnake

![image](https://hackmd.io/_uploads/ByuXOz1NR.png)

My idea for this one was to do an injection by changing the values of the buttons, but I didn't know what to change them to 🥲

### Solution

I don't really know what happened either. Honestly I still can't solve this one, but ChatGPT can.
A warm feeling welled up in my heart: when I had been banging my head against the wall until I couldn't recognize my own family, it was ChatGPT that stepped up...

![image](https://hackmd.io/_uploads/r1gkg8lEC.png)
![image](https://hackmd.io/_uploads/Hk-geLlV0.png)

After feeding the errors back to it a few times:

![image](https://hackmd.io/_uploads/H1rzeLxEA.png)

<code>AIS3{7RiANG13_5NAK3_I5_50_3Vi1}</code>

Thanks to ChatGPT for letting me solve one more 🥰

# MISC

## Quantum Nim Heist

Welcome to the Quantum Nim Heist, where traditional logic intertwines with the enigmatic realm of quantum mechanics to create a Nim game like no other.

<code>nc chals1.ais3.org 40004</code>

The challenge author said anyone who can type on a keyboard can solve this one.
Sorry, I can't type on a keyboard 🫠

Hint: don't play by the rules, don't let the game rules constrain you, and you don't need to read the code.

```bash=
┌──(kali㉿kali)-[~]
└─$ nc chals1.ais3.org 40004
+-------------------- welcome --------------------+
| omg hi!                                         |
|                                                 |
| welcome to microchess, the minimal online chess |
| platform.                                       |
| i am a super powerful chess AI!                 |
| can you win against me and get the flag?        |
+---+--------------- main menu -------------------+
| 0 | read the rules of the game                  |
| 1 | start a new game against me                 |
| 2 | load a saved game                           |
| 3 | leave                                       |
+---+---------------------------------------------+
what would you like to do? 0
+--------------------- rules ---------------------+
| since chess is a combinatorial game with quite  |
| complicated rules, my microchip is too micro to |
| handle it. instead, we shall play a simplified  |
| version of it:                                  |
|                                                 |
| - the game starts with a few "piles".           |
| - each pile has a positive number of "stones".  |
| - two players take turns. on each turn, the     |
|   player should choose a pile and remove any    |
|   positive number of stones from it.            |
| - if all stones have been taken (so no moves    |
|   can be made), the current player loses and    |
|   the game ends.                                |
|                                                 |
| good luck!                                      |
+---+--------------- main menu -------------------+
| 0 | read the rules of the game                  |
| 1 | start a new game against me                 |
| 2 | load a saved game                           |
| 3 | leave                                       |
+---+---------------------------------------------+
what would you like to do?
```

It's classic Nim: two players take turns removing stones, 1 to n stones per turn, but never from more than one pile in a single turn, and whoever takes the last stone wins.

```bash=
+---+-------------- stones info ------------------+
| 0 | oooooooooooo                                |
| 1 | ooooooooooooooooooo                         |
| 2 | ooooooooooooooo                             |
| 3 | oooooooooooooooooooooooooooo                |
| 4 | oooooooooooooooooooooooooo                  |
| 5 | ooooooooooooooooooooooooooo                 |
| 6 | ooooooooooooo                               |
+---+--------------- game menu -------------------+
| 0 | make a move                                 |
| 1 | save the current game and leave             |
| 2 | resign the game                             |
+---+---------------------------------------------+
it's your turn to move! what do you choose?
```

In the source code you can see that it only lets us play the version where the first player is guaranteed to lose, and then makes us move first 🧐

```python=
def menu():
    print_main_menu()
    choice = input('what would you like to do? ').strip()

    if choice == '0':
        print_rules()

    elif choice == '1':
        game = Game()
        game.generate_losing_game()  # the line to notice: every new game is a losing one
        play(game)

    elif choice == '2':
        saved = input('enter the saved game: ').strip()
        game_str, digest = saved.split(':')
        if hash.hexdigest(game_str.encode()) == digest:
            game = Game()
            game.load(game_str)
            play(game)
        else:
            print_error('invalid game provided!')

    elif choice == '3':
        print('omg bye!')
        exit(0)
```

So this looks like a game that's impossible to win, but what catches the eye is that it has a save feature.

```bash=
+---+-------------- stones info ------------------+
| 0 | oooooooooooo                                |
| 1 | ooooooooooooooooooo                         |
| 2 | ooooooooooooooo                             |
| 3 | oooooooooooooooooooooooooooo                |
| 4 | oooooooooooooooooooooooooo                  |
| 5 | ooooooooooooooooooooooooooo                 |
| 6 | ooooooooooooo                               |
+---+--------------- game menu -------------------+
| 0 | make a move                                 |
| 1 | save the current game and leave             |
| 2 | resign the game                             |
+---+---------------------------------------------+
it's your turn to move! what do you choose? 1
you game has been saved! here is your saved game:
12,19,15,28,26,27,13:7449082e6843011f
+---+--------------- main menu -------------------+
| 0 | read the rules of the game                  |
| 1 | start a new game against me                 |
| 2 | load a saved game                           |
| 3 | leave                                       |
+---+---------------------------------------------+
```

Saved game: <b>12,19,15,28,26,27,13:7449082e6843011f</b>

This is how it saves:

```python=
    elif choice == '1':
        game_str = game.save()
        digest = hash.hexdigest(game_str.encode())
        print('you game has been saved! here is your saved game:')
        print(game_str + ':' + digest)
        return
```

And loading works like this:

```python=
    elif choice == '2':
        saved = input('enter the saved game: ').strip()
        game_str, digest = saved.split(':')
        if hash.hexdigest(game_str.encode()) == digest:
            game = Game()
            game.load(game_str)
            play(game)
        else:
            print_error('invalid game provided!')
```

So if I could just get it to load <b>an endgame position that I'm guaranteed to win</b>, I'd have this challenge cracked.
It looks like a save consists of <b>game_str</b> and <b>digest</b>.
I tried a quick test:

```python=
import myhash
from game import Game, AIPlayer
from text import *

hash = myhash.Hash()

game_str = "19,28,10,11,19,5,26,2"
digest = hash.hexdigest(game_str.encode())
print('you game has been saved! here is your saved game:')
print(game_str + ':' + digest)
```

and found that the digest comes out different every time.
So I did a self-test:

```python=
import myhash
from game import Game, AIPlayer
from text import *

hash = myhash.Hash()

game_str = "19,28,10,11,19,5,26,2"
digest = hash.hexdigest(game_str.encode())
print('you game has been saved! here is your saved game:')
print(game_str + ':' + digest)

# A digest produced by an earlier run of this same script
saved = "19,28,10,11,19,5,26,2:ab340a0a7825b340"
saved = saved.strip()
game_str, digest = saved.split(':')
if hash.hexdigest(game_str.encode()) == digest:
    print("correct")
else:
    print_error('invalid game provided!')
```

It duly printed invalid game provided!
Even the same game_str produces a different result and fails verification,
because my test program gets invoked over and over and keeps generating a new hash key.
The program on the target doesn't: it has a single key, the same one at least within that round.

But I asked ChatGPT and it said it can't be reversed... Baby is out of ideas, baby wants to cry.

![image](https://hackmd.io/_uploads/Bkm9SX1NA.png)

Just when I had hit the wall so hard I wanted to quit security...
<b>he gave a hint: you don't need to read the source code</b>
Total WTF.
Then I found that just entering -1 over and over gets you the flag...

```bash=
it's your turn to move! what do you choose? -1
+--------------------- moved ---------------------+
| you removed 0 stones from pile 0                |
+---+-------------- stones info ------------------+
| 0 | o                                           |
| 1 | o                                           |
+--------------------- moved ---------------------+
| i removed 1 stones from pile 1                  |
+---+-------------- stones info ------------------+
| 0 | o                                           |
+---+--------------- game menu -------------------+
| 0 | make a move                                 |
| 1 | save the current game and leave             |
| 2 | resign the game                             |
+---+---------------------------------------------+
it's your turn to move! what do you choose? 0
which pile do you choose? 0
how many stones do you remove? 01
+---------------- congratulations ----------------+
| you are a true grandmaster of chess! here is    |
| the flag for you:                               |
| AIS3{Ar3_y0u_a_N1m_ma57er_0r_a_Crypt0_ma57er?}  |
+-------------------------------------------------+
```

So unexpected, but I guess this is exactly the effect the challenge author was going for 🙃

## Three Dimensional Secret

I shall send printable secrets

Author: ja20nl1n

Up front: I don't know how to use Wireshark, so I'm learning as I go.
Don't laugh if I get something wrong.

![image](https://hackmd.io/_uploads/ryZMxYy4A.png)

I figured maybe I should sort by length: the bigger the packet, the more likely it holds something.
After looking it up online I found that <b>right-clicking</b> a packet --> <b>Follow</b> --> <b>TCP Stream</b> shows a lot more.
But even once it was open, it was "Mommy, I can't read this, is it edible?"

![image](https://hackmd.io/_uploads/Sy8PZYJEA.png)

So I asked ChatGPT.

![image](https://hackmd.io/_uploads/H1bFZFk40.png)

Googling "<b>Gcode</b>" turned up this website:

![image](https://hackmd.io/_uploads/rJ-3bF1EC.png)

Paste the code in and the flag appears.

![image](https://hackmd.io/_uploads/BJfyftyER.png)

This one was fun.

<code>AIS3{b4d1y_tun3d_PriN73r}</code>

## Emoji Console

This one was pretty fun,
but it's really testing how familiar you are with Kali.
I spun up a VM and had to try for a long time before I got it.

<code>🐱 ⭐</code> shows app.py and the word every symbol maps to.
<code>🐱 🚩</code> tells you that flag is a directory.
So <code>💿 🚩</code> gets you into the subdirectory named flag.
<code>💿 🚩 😓🤬 🐱 ⭐</code> enters the subdirectory and shows what's in it.

![image](https://hackmd.io/_uploads/ryZ_j8xVR.png)

It opened a file called flag-printer.py,
so all I had to do was run it:

<code>💿 🚩 😓🤬 🐍 ⭐</code>

<code>AIS3{🫵🪡🉐🤙🤙🤙👉👉🚩👈👈}</code>

![image](https://hackmd.io/_uploads/rkafo0zEA.png)

By the way,
reading flag directly gets blocked by permissions,
like this: 🐱 😓🚩

![image](https://hackmd.io/_uploads/SkQKoIeNR.png)

# Crypto

## BabyRSA

I didn't solve this one, but after the competition ended an expert pointed me in the right direction and I finally understood how to do it. It felt like such a pity, so I'm recording it here.

Challenge code:

```python=
import random
from Crypto.Util.number import getPrime
from secret import flag

def gcd(a, b):
    while b:
        a, b = b, a % b
    return a

def generate_keypair(keysize):
    p = getPrime(keysize)
    q = getPrime(keysize)
    n = p * q
    phi = (p-1) * (q-1)

    e = random.randrange(1, phi)
    g = gcd(e, phi)
    while g != 1:
        e = random.randrange(1, phi)
        g = gcd(e, phi)
    d = pow(e, -1, phi)
    return ((e, n), (d, n))

def encrypt(pk, plaintext):
    key, n = pk
    cipher = [pow(ord(char), key, n) for char in plaintext]
    return cipher

def decrypt(pk, ciphertext):
    key, n = pk
    plain = [chr(pow(char, key, n)) for char in ciphertext]
    return ''.join(plain)

public, private = generate_keypair(512)
encrypted_msg = encrypt(public, flag)
decrypted_msg = decrypt(private, encrypted_msg)

print("Public Key:", public)
print("Encrypted:", encrypted_msg)
# print("Decrypted:", decrypted_msg)
```

Put simply, the challenge generates two 512-bit primes, uses them for the RSA computation, and then encrypts the flag with it.
During the competition I kept wondering how on earth I could brute-force n. Is that really even possible?
After the competition I asked a senior who specializes in cryptography:

![image](https://hackmd.io/_uploads/BJwodMXV0.png)

Great. Why do I always love ramming into walls that have no holes in them during competitions?

### Solution

Actually, all you have to do is feed every character that might be used into the encryption, then compare the encrypted results against the ciphertext to find out which characters were used. It's that simple, how did I not think of it aaaaaah

So I wrote a Python script that encrypts all of ASCII 32~127 and saves the encrypted results as JSON.

```python=
import random
import json

def encrypt(pk, plaintext):
    key, n = pk
    cipher = [pow(ord(char), key, n) for char in plaintext]
    return cipher

public = (64917055846592305247490566318353366999709874684278480849508851204751189365198819392860386504785643859122396657301225094708026391204100352682992979425763157452255909781003406602228716107905797084217189131716198785709124050278116966890968003294485934472496151582084561439957513571043497031319413889856520421733, 115676743153063753482251273007095369919613374531038288437295760314264647231038870203981488393720761532040569270340726478402172283300622527884543078194060647393394510524980830171230330673500741683492143805583694395504141751460090539868114454005046898551218623342425465650881666420408703144859108346202894384649)

# Candidate character set: every character the flag might contain
flag = " !#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

encrypted_msg = encrypt(public, flag)
encrypt_dist = {char: enc for char, enc in zip(flag, encrypted_msg)}

# Save encrypt_dist to a file
with open('encrypt_dist.json', 'w') as f:
    json.dump(encrypt_dist, f, indent=4)

print("Public Key:", public)
print("Encrypted:")
for char, enc in encrypt_dist.items():
    print(f"{char} = {enc}")

print("encrypt_dist has been saved to encrypt_dist.json")
```

The resulting JSON looks roughly like this:

![image](https://hackmd.io/_uploads/S1DYiMmNA.png)

Then read the JSON file back, have it match up which characters were used, and print them:

```python=
import json

# Load encrypt_dist from the file
with open('encrypt_dist.json', 'r') as f:
    encrypt_dist = json.load(f)

encrypted_list = [
    59582983136368434856816799733313446746433796034384724221174424464969737874802116129348607979328098841766335449896610931770063087921739964156335144291643702667891887833963756948394265219864837961748202920096128332905237576243643095664147826020400199347355043162641743846198725931842313977049712473768688780204,
    95359547394031742813518330673269556403528254059894407470006786975603938062435320319282644182444182438612748874603359501010449113346386193598111715879103479311697744375488228536365895249959983701008182395138745363343749821348881488616739650767615867269542213617639437927373484681942750228038458670913761461906,
    46329325300279098651694178842591774415260876326218182283454895682597312145324055490326488805186682301528705330448500034219715636964856131530973835780285303243952273742119154142469279746360304190118988650200422700136950019141246372634642054318988506247030406078971388938494583721698317950574261574174233878465,
    99372516099607712778908802720080113062724120782160998443385643772511391370661101893707293382044546993124605549696368316348952556779713164710839853078160450782104255053788389238478472574549113909833434906535103012424826026640284958298083646000213492094244631381094489147645893989473799375006911204994971262513,
76560888147807476608165550435978536197327212318831455594999273843368454289391559274947371380742007729563677938535717707232627424457601159959128489070947748904688640279908482263289424669338790488996485849079890881530740377280113682547250364463080771156212510360194563192123664613212111565777733487081937952558, 12319813533472769541026063795801870849236715810997656653501875874806446093919930377755747066386074676697058702735112064576219731845584108035461434499628574742399407498867908576045220515065246483998134315307132901329833371485817530138131352593805641664023978795298886913968639954517583992930243922021434381738, 96951009388162450018398074248238612521098089563081241061172635732154749686698900516806076917644927142046116130006730586770841058020946718314769404592479949673385387831784647829787593435525861689652400487918043078535385527278516028607916478700007746817161408140805937414915909575928550204945457887011906141614, 1665805297521640119669919457094144711238099413231800824465470812913880572669116305626521524153911904267238129531937952423409222225023467794927666422627082314285814656075569814644205638687105792760533211008966815918943917251927254624389871965679206262024216136163262412286874416732008465838711695063592124435, 38031617734525236754862788270684927634041250565347090806313746312968815507316236887544784308484734926981400017478758364119367924220519253824976349577671434162884831759762106665665138444165001645856871491952279748415831766579735400499998753646766301606966507940299051979075677572064596983713461662607114250263, 64855027109789931203406858899259092299626327163376469398846102754805420506427252072315662287801006608894162707199492268892939811482863649987034183371607590158980649349849687594118554925649076468007225363531072941142253057862686631842080812159597499430107963982315266135241847383726503265496996481889717246182, 
38285633551521777138710771085033430239170710707266775875598456653892976969437761922968925746226073683095654278272586779539831402373205526909772633370025848937463033570747721110932401276480992827694564074802181306738438015295515798739406061377284368603543443076476369810597345436481251791260803352288977423573, 90968383857681404242927909477464252602387471219945950453665598772039832078487309149670692874283215437984574695320981806360379096212936326954111131608499584545969103096096842380877613033764006459107764277330135816044808210474597200172673683909558627722941503504083244424751773797618360290613996970960151563724, 95457298055868694391877219138576497445115151186056513418820503159496876268497080831408725541436969299827723238663173668798694515208450035233192338795425824459299174728295661096981248839235055855929604893139239340445385259232905864515397406993189217322907168121716905101208450279521267289056195400878302077398, 52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 34661612116812273325510815885632987773878634626625747042958636362152583931260969561869719786378247664638641161656878412129162010084766438156247296031040184022246208883138926132649114007757242227131459285251878118564710945280013332131793855359773876332415772442620349609897435915019325055421286197078708187352, 52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 
72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 67602482196856820166971428403758405739455475263382367621161896414339370625380754447863410276767241406699969322350803814348655243066328706656427717483623041308690996376549835317954286006923639192767262817817435759143930376297271756237829141630002480289781731985465743331200468015517012225741723423203374827341, 44262354102194743351911268289256770008339497245528544280709170541530088518398751380655719846628700171065092804544687718896291531970838072744874705570156704628202662829757806782131182294252555844059856971743311355891113953747318316062265029166813195656690004051327523203179399349334322871113218009692321746302, 52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 17525442355443739006798161136945234538289135293732159010469949341666347513585837371870704355037863634098163883611042121878362686860890223724238562583526550649340086051319234134907577624853632886715848962127706255769976443912657070070366400669740596805962173530384420842637554803041466900119050709458062167550, 44014841046589017601891983719958867760419600204352901036629548332837496204051161377933425345536644034794916246706885620488552830053604204333015893225255398323167834260921720336325397193593333461140140475610284003097590899522403244883330800589948361851693870192559674072749868797979125684663605722325053340834, 
52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 32463563387229396502994321924065961632284043136468238906625180045736135155253223928723914405824284085442712712337348213915399745045346853697650399659292339726614512642835897683094877670342609027803404027945312939777902664125228095034970967750466928999176126534504349068649205422848461193336320361026425455874, 72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 12179738687529782107447590339149361896936551322934825418520525165858885435598866363152322677187041910693780230742925050834968940508546403788452893248148672885195158450001568668626998159030042932978014971079411358732702590558133373478956077176801426446288446920254354063720982962966912703174841575095158773376, 101125682339799901828662987568918086070282069568379908090074247169217184659644669626554838396604623590909101664987452894437649857681299514293609000818253780343589956828098266778252516930801354335366245918603834198786544373944956666900784678369416240212915856834107510529441463083826031881209805666209335413628, 101403644290884991310189664359755656780537902543354415482434580937410695343294757120985680350019917171639284125327989098680673553323894980248499865788837636944758311200094760909373728675822272584823764964753326309765279310435693879623302965536053211433064599526550676915084290753201910772032395483945950367273, 
24333051506853181360030701569319128673885779416125109480872653360245763695810807795571148802002658160356587851857338891650119080260776136984074861612952869696123011417276568821410663401888348228549042676235853145756762295087473309782699704381451505573652641489540319626561348999020895690560418530256831740666, 20222920908058605457111970272150612273139460769260447235596498596781683961010128426184024637706564546340327246191020540223566835757304493325371606037680402571948650998523099138137441154209281794538860160477031997660506452095283151142470607354579609545040759974018408429796935802188551530478970289514572978617, 72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 32184464000490155748453165982143565340499464338829080683417468389784993809512708479494827939476307049612151190695993375700147700844413744001417893095868641387694266647992101758785355055413538046252854525860440227182911367045556141460084455472907278113962890024281663648508886642376786194323597791020547317088, 101125682339799901828662987568918086070282069568379908090074247169217184659644669626554838396604623590909101664987452894437649857681299514293609000818253780343589956828098266778252516930801354335366245918603834198786544373944956666900784678369416240212915856834107510529441463083826031881209805666209335413628, 44014841046589017601891983719958867760419600204352901036629548332837496204051161377933425345536644034794916246706885620488552830053604204333015893225255398323167834260921720336325397193593333461140140475610284003097590899522403244883330800589948361851693870192559674072749868797979125684663605722325053340834, 
12179738687529782107447590339149361896936551322934825418520525165858885435598866363152322677187041910693780230742925050834968940508546403788452893248148672885195158450001568668626998159030042932978014971079411358732702590558133373478956077176801426446288446920254354063720982962966912703174841575095158773376, 63634815088527144255090148113948593793648445499224983027630191877159813968754095341812467946868079279626991968747689424489021633678743106301884613005477044402324870044751927862596590687251830485165119422247449722579599610918927243419033509419967393677988976255284611384351411782311379786356079256916831362626, 9304987377904341606117201715658113065608581640101320211543462955469900806281721467187032121463132314663326494170970278379001634044806680348131292368949519512445580695938064509920503814133961673755470696223243390646274004621955993274826096679460577701554059204349111764901921932386091658007427259226167178177, 58828925452729811932976588739787965824652220690551333824296205824127538696058603108169405357158211350616510470513672533759883740745736322687898383422522330915631984810878357007178714597068087752425823728826608887027664209314455243118645386520598961325656254330576959063500755210398248129074822706590225088700, 72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 32184464000490155748453165982143565340499464338829080683417468389784993809512708479494827939476307049612151190695993375700147700844413744001417893095868641387694266647992101758785355055413538046252854525860440227182911367045556141460084455472907278113962890024281663648508886642376786194323597791020547317088, 
72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 12179738687529782107447590339149361896936551322934825418520525165858885435598866363152322677187041910693780230742925050834968940508546403788452893248148672885195158450001568668626998159030042932978014971079411358732702590558133373478956077176801426446288446920254354063720982962966912703174841575095158773376, 38031617734525236754862788270684927634041250565347090806313746312968815507316236887544784308484734926981400017478758364119367924220519253824976349577671434162884831759762106665665138444165001645856871491952279748415831766579735400499998753646766301606966507940299051979075677572064596983713461662607114250263, 42674155454878392842592499423860033988264245394501952163129442865919203299671995689679354090226093903765768139477289952989042795959374257614752953563152551974557414325407858919156902405925850703390450181868760242922958259454422450849566085988801215229822701373233313619020572460459663094142218119144686335871, 101125682339799901828662987568918086070282069568379908090074247169217184659644669626554838396604623590909101664987452894437649857681299514293609000818253780343589956828098266778252516930801354335366245918603834198786544373944956666900784678369416240212915856834107510529441463083826031881209805666209335413628, 75918055185950026238164530295762591705002247585433355113315303142207464051952569831664550604622541858093495062851840811257603174544255151597115446984458237694842739071530518936317606199598953518976167711716762043806043449827887577909963803673508838826582484003687958862302989732473748700329398645880243054148, 
52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 42674155454878392842592499423860033988264245394501952163129442865919203299671995689679354090226093903765768139477289952989042795959374257614752953563152551974557414325407858919156902405925850703390450181868760242922958259454422450849566085988801215229822701373233313619020572460459663094142218119144686335871, 52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 47953002091054578020381201294163023730809574731463958773592358719441988187452655748118051277286650853337305718192021972814357369747332979634917684999259838316305009239963225119133204824897098152777119627043881500966537112886938182847527574241215915396651397126350467492479189194162628876529519538265140143596, 101403644290884991310189664359755656780537902543354415482434580937410695343294757120985680350019917171639284125327989098680673553323894980248499865788837636944758311200094760909373728675822272584823764964753326309765279310435693879623302965536053211433064599526550676915084290753201910772032395483945950367273, 52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 
107340541989905757204370662416845552037146078905222935505789033122562501577684655501092154588544305605078885306044047839464564901594898750722560559313996616820973286189602827331851868376927628179028545097753144658073207307785378721899783095713473789007231709234504050418717400729711972350669632384570468096830, 43967923748936484351732805873555964174712775706889811180819474140612599586161884530658035908721232399384729457223641995556425707839305124083600738135036620220298476686325110132022730675370888898063942501477522619906479683016701151321856269078215479158146009655223314957908787521092587379267241203076718674092, 24333051506853181360030701569319128673885779416125109480872653360245763695810807795571148802002658160356587851857338891650119080260776136984074861612952869696123011417276568821410663401888348228549042676235853145756762295087473309782699704381451505573652641489540319626561348999020895690560418530256831740666, 20472445493228441292721090614657967895462252302228260568752427996680563809601852655319833688134475798137834395223726607334321531235376774219216055134601030184130917876549113091114144486261794932716233808194664233936783735663266743029212488020840969559603523111887524998658108503660068448898570323437482810017, 72893301186321303683272295658327353212060838237559048917336264819112421968115615005989580760612444279776561566669272155758039717810976344470895667733780292960024364644216982543515945404550612735708418065359731237914621596888496631385879381090937225999965270114589266587955012094766794851372212812150698234716, 64855027109789931203406858899259092299626327163376469398846102754805420506427252072315662287801006608894162707199492268892939811482863649987034183371607590158980649349849687594118554925649076468007225363531072941142253057862686631842080812159597499430107963982315266135241847383726503265496996481889717246182, 
52468135911274945777529136529541932989316502665934748207836694395110108517204287366878248216053327656034128346107236076714109214143042824050810182510919475258788845504651287598248217763885663385525333584236650693667648746329707103824387098563158188013686337454772275459145419197015884603853408230553227896407, 75918055185950026238164530295762591705002247585433355113315303142207464051952569831664550604622541858093495062851840811257603174544255151597115446984458237694842739071530518936317606199598953518976167711716762043806043449827887577909963803673508838826582484003687958862302989732473748700329398645880243054148, 12708160939460449797746334640370189741594393156198590130563300705594742285274155378452384449752817944962371880018673966875751948953034846634284138305820292201281595210265881917297911731564408181887226462606892964361033320116765426523499831287478314065882300932476595216136350756971622192468975464823677154324, 52745488365658861485519010696623986434656675831322149607647058389953842185045922621964255927212518970223978973817292179059730382537814695353016058702226289640834171560498112170760826276332972100423555174686162215383841925656596984188536350046664199627214379076416024495451320834231863438007383528385204646269, 8855798603366167912634233401398286651752671525801140525178611090639905433230380535711326462952071294452556819384200831430822862220907470038589552641363759764881881084119960616686113091264272665290715332905431138686504873774368450566561688814993821800992967990682116846800657243011069696481920893909247794983, 96951009388162450018398074248238612521098089563081241061172635732154749686698900516806076917644927142046116130006730586770841058020946718314769404592479949673385387831784647829787593435525861689652400487918043078535385527278516028607916478700007746817161408140805937414915909575928550204945457887011906141614, 
    3085377115073481737487767519304315808353144937670566256348398664810936964565637157736537945459712875615504238408907602974507381828272609303797146395233485026377776965939508974096385939172942695211339651597248692728550782246178293579153110379844451779466255357619524290412118137515779354431956948078394927940,
    48345447683174081443502925378502329908064423944850311779861406407783604557812792515281621715817536127803162311234459315836524837064977025182379655213338205159741266326939713833052921255157742860610743189155260503439836583887313584730345974553768985184119012533854386867355018502198395672167297716386558437643,
    2943509185067047938273565758747957807917637430462018374124947856251091022696853505230975399503014099411245162812979057344198094444949853114144790397928000334361276864689352349519363636219566973775714458213611238774130167222835759501223813455853370320854862131109567941072112035263351158877256955712543549605,
    76560888147807476608165550435978536197327212318831455594999273843368454289391559274947371380742007729563677938535717707232627424457601159959128489070947748904688640279908482263289424669338790488996485849079890881530740377280113682547250364463080771156212510360194563192123664613212111565777733487081937952558]

# Build encrypted_dict (ciphertext value -> character) from encrypt_dist
encrypted_dict = {value: char for char, value in encrypt_dist.items()}

# Decryption: look up every ciphertext value in the table
decrypted_message = ''.join(encrypted_dict[value] for value in encrypted_list)

print(decrypted_message)
```

and it prints the flag:

<code>@)!,*^=AIS3{NeverUseTheCryptographyLibraryImplementedYourSelf}-=1#&*</code>

# Reverse

## The Long Print

For this one the challenge author said to go watch the NCKU club lecture video and you'd be able to do it afterwards, but I watched it twice and still couldn't.
Still, this was my first time opening a reverse challenge and learning how to use IDA, so I did get something out of it.
I'm grateful to the challenge author for saying that an IDA decompile would just give it to you, which is what tricked me into touching Reverse.

### My approach

```c=
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v4; // [rsp+4h] [rbp-Ch]
  int i; // [rsp+8h] [rbp-8h]
  int j; // [rsp+Ch] [rbp-4h]

  puts("Hope you have enough time to receive my flag:");
  for ( i = 0; i <= 23; i += 2 )
  {
    v4 = *(_DWORD *)&secret[4 * i] ^ key[*(unsigned int *)&secret[4 * i + 4]];
    for ( j = 0; j <= 3; ++j )
    {
      sleep(0x3674u);
      printf("%c", v4);
      v4 >>= 8;
      fflush(_bss_start);
    }
  }
  puts("\rOops! Where is the flag? I am sure that the flag is already printed!");
  return 0;
}
```

This really was my first time learning IDA:
<code>Tab</code> decompiles;
<code>clicking a variable name</code> shows what it's declared as;
<code>shift+e</code> exports a variable's value.

Couldn't I just grab the variables' values and write my own program to run them and print the flag?
So:

```c=
#include <stdio.h>
#include <stdint.h>

// Define the secret and key arrays
unsigned char secret[] = {
    0x46, 0x41, 0x4B, 0x45, 0x0B, 0x00, 0x00, 0x00,
    0x7B, 0x68, 0x6F, 0x6F, 0x0A, 0x00, 0x00, 0x00,
    0x72, 0x61, 0x79, 0x5F, 0x02, 0x00, 0x00, 0x00,
    0x73, 0x74, 0x72, 0x69, 0x08, 0x00, 0x00, 0x00,
    0x6E, 0x67, 0x73, 0x5F, 0x06, 0x00, 0x00, 0x00,
    0x69, 0x73, 0x5F, 0x61, 0x05, 0x00, 0x00, 0x00,
    0x6C, 0x77, 0x61, 0x79, 0x07, 0x00, 0x00, 0x00,
    0x73, 0x5F, 0x61, 0x6E, 0x04, 0x00, 0x00, 0x00,
    0x5F, 0x75, 0x73, 0x65, 0x09, 0x00, 0x00, 0x00,
    0x66, 0x75, 0x6C, 0x5F, 0x00, 0x00, 0x00, 0x00,
    0x63, 0x6F, 0x6D, 0x6D, 0x01, 0x00, 0x00, 0x00,
    0x61, 0x6E, 0x7A, 0x7D, 0x03, 0x00, 0x00, 0x00
};

unsigned char key[] = {
    0x01, 0x10, 0x01, 0x3A, 0x0D, 0x1B, 0x4C, 0x4C,
    0x2D, 0x00, 0x0B, 0x3A, 0x40, 0x4F, 0x45, 0x00,
    0x1A, 0x32, 0x04, 0x31, 0x1D, 0x16, 0x2D, 0x3E,
    0x31, 0x0A, 0x12, 0x2C, 0x03, 0x11, 0x3E, 0x0D,
    0x2C, 0x00, 0x1A, 0x0C, 0x32, 0x14, 0x1D, 0x04,
    0x00, 0x31, 0x00, 0x1A, 0x07, 0x08, 0x18, 0x76
};

int main(int argc, const char **argv, const char **envp) {
    unsigned int v4;
    int i, j;

    puts("Hope you have enough time to receive my flag:");

    for (i = 0; i < 24; i++) {
        // XOR 4 bytes from secret with 4 bytes from key
        v4 = *((unsigned int *)(secret + 4 * i)) ^ *((unsigned int *)(key + 4 * i));

        // Print each byte of the resulting integer
        for (j = 0; j < 4; ++j) {
            printf("%c", v4 & 0xFF);
            v4 >>= 8;
        }
    }

    puts("\nOops! Where is the flag? I am sure that the flag is already printed!");
    return 0;
}
```

Of course, this approach didn't work: it only spits out a pile of garbage. I agonized here for a really long time over whether my code was wrong.

### The expert's solution

As soon as 17 o'clock arrived I went straight to the expert for a demo. After watching it I understood why I couldn't solve this; there really was no way I could have.
Recording the expert's demo steps here.

#### 1. Open IDA

![image](https://hackmd.io/_uploads/Sk8uwmXVC.png)

#### 2. Decompile

![image](https://hackmd.io/_uploads/HJsYPmXN0.png)

#### 3. Notice that it's sneaking in sleeps

We need to stop it from sleeping.
How do we stop it from sleeping?
By changing the argument to sleep().
In IDA
you can't edit the code, but you can change byte values.

#### 4. Change the sleep() argument

First select it:

![image](https://hackmd.io/_uploads/HkNk9Q74A.png)

Tell IDA I want to patch it:

![image](https://hackmd.io/_uploads/HkAWqQm4R.png)

The original is 3674;
in the hex view it becomes 7463.

![image](https://hackmd.io/_uploads/HyEQq7Q40.png)

So I just change it to 0100 (i.e. 1 second):

![image](https://hackmd.io/_uploads/H1UiqmQV0.png)

As shown.
After changing it you need to apply:

![image](https://hackmd.io/_uploads/B18b6rX4R.png)

A window pops up;
click OK.

![image](https://hackmd.io/_uploads/Hk246S7EC.png)

#### 5. Save and run it in Kali

Next, drag the file into Kali and run it:

![image](https://hackmd.io/_uploads/BJR26rmE0.png)

<code>AIS3{You_are_the_master_of_time_management !!!!?</code>

# Final results

![image](https://hackmd.io/_uploads/rJTLGez4R.png)
![image](https://hackmd.io/_uploads/BkxebM440.png)

I did actually solve 5 challenges in the end, so I suppose I hit the small goal I set at the start?
But I'm not that happy, because on some challenges I was just one step short, which feels like such a pity.
I'm looking forward to the organizers opening up writeup sharing soon; I really want to know how those monstrous challenges got solved.

Thank you AIS3: this year's lunch boxes were delicious, and the drinks and snacks left me very satisfied.
Thank you to the challenge authors; I hope next year's challenges can be a bit easier.
As a beginner, since this is <b>"My First CTF"</b>,
I still hope it can give people the feeling of succeeding and a sense of achievement.
The challenges could discriminate skill levels better, could all be labelled with a difficulty, ~~could include more Easy ones~~

Here's a famous quote from Coach Nekomata in Haikyu!!:

![jvAKads](https://hackmd.io/_uploads/HkrIxQm4C.jpg)

**Keep at it again next year 🫠🫠🫠🫠**
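For the Quantum Nim Heist section, an added example (not the challenge's code and not the author's) that checks the saved position from the transcript with the nim-sum rule and shows why a zero-stone move, as in "you removed 0 stones from pile 0", turns a lost position into a won one. How the server maps the input -1 to that move is not shown on the page; `validate_move` and `play_out` are hypothetical helpers that only model the visible effect and the strict check that would block it.

```python
from functools import reduce
from operator import xor

# Save string copied from the transcript in the writeup: "piles:digest".
SAVED = "12,19,15,28,26,27,13:7449082e6843011f"


def parse_save(saved):
    """Split 'p0,p1,...:digest' into (list of pile sizes, digest string)."""
    game_str, digest = saved.split(":")
    return [int(x) for x in game_str.split(",")], digest


def nim_sum(piles):
    """XOR of all pile sizes; 0 means the side to move loses with best play."""
    return reduce(xor, piles, 0)


def winning_move(piles):
    """Return (pile, count) that leaves nim-sum 0, or None if none exists."""
    s = nim_sum(piles)
    for i, p in enumerate(piles):
        if s and (p ^ s) < p:
            return i, p - (p ^ s)
    return None


def validate_move(piles, pile, count):
    """Strict rule check: an existing pile and 1 <= count <= stones in it."""
    if not (isinstance(pile, int) and isinstance(count, int)):
        return False
    if not 0 <= pile < len(piles):  # also rejects Python-style negative indexes
        return False
    return 1 <= count <= piles[pile]


def play_out(piles, unchecked_first_move=None):
    """'you' move first and both sides follow the nim-sum strategy.

    unchecked_first_move is applied for 'you' without validation, modelling a
    handler that lets a zero-stone move through (an assumption, see lead-in).
    Returns who took the last stone, i.e. the winner under the printed rules.
    """
    piles, mover, last = list(piles), "you", None
    if unchecked_first_move is not None:
        pile, count = unchecked_first_move
        piles[pile] -= count
        mover = "ai"
    while any(piles):
        # With no winning move available, take one stone from the first pile.
        fallback = (next(i for i, p in enumerate(piles) if p), 1)
        pile, count = winning_move(piles) or fallback
        assert validate_move(piles, pile, count)
        piles[pile] -= count
        last, mover = mover, ("ai" if mover == "you" else "you")
    return last


if __name__ == "__main__":
    piles, _ = parse_save(SAVED)
    print("nim-sum of saved game  :", nim_sum(piles))
    print("honest play from [1, 1]:", play_out([1, 1]))
    print("after a 0-stone move   :", play_out([1, 1], (0, 0)))
    print("strict check on (0, 0) :", validate_move([1, 1], 0, 0))
```
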
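For The Long Print section, an added example (not the challenge's code and not the author's) that replays the decompiled loop statically instead of patching `sleep()`: each 8-byte record of `secret` is read as a 4-byte value followed by a 4-byte index into `key`. It assumes little-endian 32-bit words and that `key` is an array of 32-bit words, which is how the decompiler output indexes it; the bytes are the ones exported in the writeup.

```python
import struct

# Bytes exported from IDA, as listed in the writeup's own C attempt.
SECRET = bytes([
    0x46, 0x41, 0x4B, 0x45, 0x0B, 0x00, 0x00, 0x00,
    0x7B, 0x68, 0x6F, 0x6F, 0x0A, 0x00, 0x00, 0x00,
    0x72, 0x61, 0x79, 0x5F, 0x02, 0x00, 0x00, 0x00,
    0x73, 0x74, 0x72, 0x69, 0x08, 0x00, 0x00, 0x00,
    0x6E, 0x67, 0x73, 0x5F, 0x06, 0x00, 0x00, 0x00,
    0x69, 0x73, 0x5F, 0x61, 0x05, 0x00, 0x00, 0x00,
    0x6C, 0x77, 0x61, 0x79, 0x07, 0x00, 0x00, 0x00,
    0x73, 0x5F, 0x61, 0x6E, 0x04, 0x00, 0x00, 0x00,
    0x5F, 0x75, 0x73, 0x65, 0x09, 0x00, 0x00, 0x00,
    0x66, 0x75, 0x6C, 0x5F, 0x00, 0x00, 0x00, 0x00,
    0x63, 0x6F, 0x6D, 0x6D, 0x01, 0x00, 0x00, 0x00,
    0x61, 0x6E, 0x7A, 0x7D, 0x03, 0x00, 0x00, 0x00,
])

KEY = bytes([
    0x01, 0x10, 0x01, 0x3A, 0x0D, 0x1B, 0x4C, 0x4C,
    0x2D, 0x00, 0x0B, 0x3A, 0x40, 0x4F, 0x45, 0x00,
    0x1A, 0x32, 0x04, 0x31, 0x1D, 0x16, 0x2D, 0x3E,
    0x31, 0x0A, 0x12, 0x2C, 0x03, 0x11, 0x3E, 0x0D,
    0x2C, 0x00, 0x1A, 0x0C, 0x32, 0x14, 0x1D, 0x04,
    0x00, 0x31, 0x00, 0x1A, 0x07, 0x08, 0x18, 0x76,
])

SLEEP_SECONDS = 0x3674  # argument of sleep() in the decompiled loop


def decode(secret, key):
    """Replay `secret[4*i] ^ key[secret[4*i+4]]` for i = 0, 2, ..., 22, no sleeping."""
    # Assumption: key is indexed as 32-bit little-endian words.
    key_words = struct.unpack("<%dI" % (len(key) // 4), key)
    out = bytearray()
    for off in range(0, len(secret) - 7, 8):  # one (value, index) record per step
        value, index = struct.unpack_from("<II", secret, off)
        if index >= len(key_words):
            raise ValueError("key index %d out of range at offset %d" % (index, off))
        # The binary prints v4 low byte first, which is its little-endian layout.
        out += struct.pack("<I", value ^ key_words[index])
    return out.decode("ascii")


def total_delay_seconds(secret, per_char=SLEEP_SECONDS):
    """Time the unpatched binary sleeps: one sleep() before each printed byte."""
    return (len(secret) // 8) * 4 * per_char


if __name__ == "__main__":
    print(decode(SECRET, KEY))
    print("unpatched run sleeps for %.1f days" % (total_delay_seconds(SECRET) / 86400))
```

The author's own C attempt paired word `i` of `secret` with word `i` of `key`; the decompiled expression instead takes every second word of `secret` as the index that selects the key word.
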