前言
這次跟 734m_N4M3_h3r3 一起打神盾盃,最後以第 8 名進入決賽
(記分板是竹狐大亂鬥
Calculator
打開題目看到只有一個正常的計算機
從 Detect it easy 發現是 C# .NET
使用 dnSpy 看 source code,在 Btn_Equals_OnClick() 看到可疑的數字字串及 XOR,推測是加密 flag 的部分
string text3 = "1565023222387235312162663";
string text4 = string.Format("{0}", (long.Parse(text3.Substring(0, 5)) ^ 56L) + 65681531L) + string.Format("{0}", (long.Parse(text3.Substring(5, 4)) ^ 8L) + 83121454L) + string.Format("{0}", (long.Parse(text3.Substring(9, 8)) ^ 56L) + 65681531L) + string.Format("{0}", (long.Parse(text3.Substring(17, 8)) ^ 8L) + 83121454L);
bool flag14 = this.textBox_OutPutValue.Text == text4;
if (flag14)
{
int[] array = new int[]{ 2, 2, 2, 2, 2, 3, 2, 2, 2, 2, 2, 2, 2, 2, 3};
StringBuilder stringBuilder = new StringBuilder();
int num = 0;
foreach (int num2 in array)
{
string s = text4.Substring(num, num2);
int num3 = int.Parse(s);
char value = (char)num3;
stringBuilder.Append(value);
num += num2;
}
this.Label.Text = stringBuilder.ToString();
}
去掉包含 this 的部分後用 C# sandbox 跑上面的程式成功得到 flag
Easy Jail
Stage 1
import os
def validate_and_execute(user_input, expected_length):
EXPECTED_RESULT = 2
allowed_characters = set('abcdefg123456{}"')
if len(user_input) != expected_length:
print(f"Invalid input length. Your input must be exactly {expected_length} characters long.")
return False
if set(user_input).difference(allowed_characters):
print("Invalid input. Only a,b,c,d,e,f,g,1,2,3,4,5,{,} certain characters are allowed.")
return False
expression = f"int({user_input})"
result = eval(expression, {'__builtins__': None}, {'int': int})
try:
if result != EXPECTED_RESULT:
print(f"Error.")
return False
else:
return True
except Exception:
print(f"Error.")
return False
levels = [1, 3, 4, 6, 7, 8, 10, 11]
def start_game():
logo="""
░█████╗░███████╗░██████╗░██╗░██████╗ Eazy Jail For Beginner
██╔══██╗██╔════╝██╔════╝░██║██╔════╝
███████║█████╗░░██║░░██╗░██║╚█████╗░
██╔══██║██╔══╝░░██║░░╚██╗██║░╚═══██╗
██║░░██║███████╗╚██████╔╝██║██████╔╝
╚═╝░░╚═╝╚══════╝░╚═════╝░╚═╝╚═════╝░ STAGE 1"""
print(logo)
print("Your task is to enter a string that, when used in a command like 'int(YOUR_INPUT)', results in the number 2.")
print("Each level requires a different input length. If you succeed through all levels, you will reach the next stage!")
for level in levels:
print(f"\nLevel {levels.index(level) + 1} of {len(levels)}: Enter a payload exactly {level} characters long.")
while True:
user_input = input("Enter a payload: ")
if validate_and_execute(user_input, level):
print(f"Congratulations on passing level {levels.index(level) + 1}!")
if level == 11:
os.system('clear')
os.system('node stage2.js')
return
break
else:
print("An error occurred.")
return
if __name__ == "__main__":
start_game()
exit()
隊友解出前 5 levels,後面 3 levels 仿造前面,解答:
1. 2
2. "2"
3. f"2"
4. f"{2}"
5. """2"""
6. f"""2"""
7. f"""{2}"""
8. """""""2"""
Stage 2
const fs = require('fs');
const fa = fs.readFileSync('./flag', 'utf-8');
const readline = require('readline').createInterface({
input: process.stdin,
output: process.stdout
});
const LOGO = `
░█████╗░███████╗░██████╗░██╗░██████╗ Eazy Jail For Beginner
██╔══██╗██╔════╝██╔════╝░██║██╔════╝
███████║█████╗░░██║░░██╗░██║╚█████╗░
██╔══██║██╔══╝░░██║░░╚██╗██║░╚═══██╗
██║░░██║███████╗╚██████╔╝██║██████╔╝
╚═╝░░╚═╝╚══════╝░╚═════╝░╚═╝╚═════╝░ STAGE 2\n`;
const QUESTION = `
${LOGO}
What's my favorite number?
- 1024 is my birthday
- 532 is my last 3 digits of my phone
`;
const CORRECT_ANSWER = 1024;
const EXPECTED_RESULT = 532;
console.log(QUESTION);
readline.question('Guess the number: ', input => {
const guessedNumber = Number(input);
let spinnerInterval;
let spinnerIndex = 0;
const spinnerChars = ['|', '/', '-', '\\'];
const startSpinner = () => {
spinnerInterval = setInterval(() => {
process.stdout.write(`\rChecking your answer... ${spinnerChars[spinnerIndex]}`);
spinnerIndex = (spinnerIndex + 1) % spinnerChars.length;
}, 100);
};
const stopSpinner = () => {
clearInterval(spinnerInterval);
process.stdout.write('\rChecking your answer... Done!\n');
};
startSpinner();
setTimeout(() => {
stopSpinner();
console.log(`\n=====================================\n`);
if (guessedNumber === CORRECT_ANSWER) {
console.log("pass")
try {
const evaluationResult = safeEval(input);
console.log(evaluationResult)
if (evaluationResult === EXPECTED_RESULT) {
displaySuccess();
} else {
displayFailure();
}
} catch (error) {
displayError();
}
} else {
displayFailure();
}
readline.close();
}, 1500);
});
function safeEval(input) {
const allowedChars = /^[0-9+\-*/.\s]+$/;
if (!allowedChars.test(input)) {
throw new Error('Invalid characters detected!');
}
return new Function(`return (${input})`)();
}
function displaySuccess() {
console.log(`Good job! You got it! :)`);
console.log(`Flag: ${fa.trim()}\n`);
}
function displayFailure() {
console.log('Oops! Wrong answer! Try again :)\n');
}
function displayError() {
console.log(`Error occurred! Please try again!\n`);
}
從 stage2.js 看出要讓 Number(input) 回傳 1024 跟 Function(`return (${input})`)() 回傳 532,在 Number() 的 document 中發現:
A leading 0 digit does not cause the number to become an octal literal (or get rejected in strict mode).
而且,\(1024_{(8)} = 532_{(10)}\),所以 stage2 的答案為 01024,Number() 會視為 10 進位,但 return 時會變成 8 進位。
Just play a game
題目簡介
小寫 a 到 z 的 8 位 1A2B 遊戲,只能猜 18 次
Solve
暴力破解會有 \(P^{26}_8 = 62990928000 \approx 6.3 \times 10^{10}\),數字太大跑不完。
先縮小可能性,令答案包含 a, b, c, d 中的字元數量為 \(abcd\),以此類推令 \(efgh\), \(ijkl\), \(mnop\), \(qrst\), \(uvwx\) 共 6 個 4 字元組,每次送兩個字元組組合,得到的 A + B 數量就會是該兩字元組數量的和,e.g. 猜 acdefgh 得到 2A3B 代表 \(abcd + efgh = 2 + 3 = 5\)。解 6 個未知數需要 6 條式子,全部解完還會剩下 12 次可以猜,另外,答案包含 y, z 中的字元數量 \(yz = 8 - abcd - efgh - ijkl - mnop - qrst - uvwx\)。所有可能的排列會剩下 \(C^4_{abcd}C^4_{efgh}C^4_{ijkl}C^4_{mnop}C^4_{qrst}C^4_{uvwx}C^2_{yz} \times 8! \leq 1296 \times 8! = 52254720 \approx 5.2 \times 10^7\),花一些時間就能跑完。
from itertools import combinations, product, permutations
from pwn import *
from z3 import *
# calculate A and B
def cmp(x, y):
a = 0
b = 0
for i in range(8):
if x[i] == y[i]:
a += 1
b = len(set(x).intersection(set(y))) - a
return a, b
# connect to server
p = remote("0.cloud.chals.io", 34971)
# send one guess
def get_result(input):
p.sendlineafter(b"Please enter your guess:", input.encode())
res = p.recvline().decode().split()
print(input, res)
return int(res[0]), int(res[2])
# solve for abcd, ...
solver = Solver()
nums = []
chars = "abcdefghijklmnopqrstuvwxyz"
for i in range(6):
nums.append(Int(chars[4*i:4*i+4]))
solver.add(nums[i] >= 0, nums[i] <= 4)
for a, b in [(0, 1), (2, 3), (4, 5), (0, 2), (4, 1), (5, 3)]:
res = get_result(str(nums[a]) + str(nums[b]))
solver.add(nums[a] + nums[b] == res[0] + res[1])
if solver.check() == sat:
print(solver.model())
# generate all possibility
candidate = []
l = []
for s in combinations('yz', 8 - sum(solver.model()[nums[i]].as_long() for i in range(6))):
l.append("".join(s))
candidate.append(l)
for i in range(6):
l = []
for s in combinations(str(nums[i]), solver.model()[nums[i]].as_long()):
l.append("".join(s))
candidate.append(l)
candidate = list(product(*candidate))
candidate = ["".join(c) for c in candidate]
candidate = [["".join(s) for s in permutations(c)] for c in candidate]
# brute force all possibility
while sum(len(l) for l in candidate) > 1:
print(sum(len(l) for l in candidate))
new_candidate = []
a, b = get_result(candidate[0][0])
for l in candidate:
# early break for wrong character set
if sum(cmp(l[0], candidate[0][0])) != a + b:
continue
new_l = []
for c in l:
if cmp(c, candidate[0][0]) == (a, b):
new_l.append(c)
new_candidate.append(new_l)
candidate = new_candidate
print(sum(len(l) for l in candidate))
p.interactive()
