[H4CK1T 2016] Belarus – Electronicon Writeup


Description:

Belarus – Electronicon – PPC – 250 pts
EN: This task is one of the methods for the psychological attacks. It is intended for people who don’t have heart diseases and reached 18 years 😉

h4ck1t{flag.upper()}

paint.txt

As the attached file says, it was real pain. I opened the file in the browser and saw this horrible thing:

h4ck1t_belarus_1

Looks bad and it crashed my browser. This text file was too big for it to handle. So I opened it in Notepad++ and it wasn’t any better:

h4ck1t_belarus_2

Still terrifying, and it was heavy for Notepad++ too. But this time something caught my eye. Look at the rows panel on the left: it says only 1 line. Let’s turn off word wrap (View > Word wrap) and check what it is:

h4ck1t_belarus_3

Aah ah! It was a HUGE piece of ASCII art. How huge? 11 rows of 1830661 chars each! It’s a long hex string. So now we need to parse it. I tried using this module but without any success, so I decided to go the hard way. I parsed it myself.

First, I edited the file in order to make it easy for me to parse it. I wanted each character to sit on its own lines. I wrote a script to separate the characters:

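fin = open('pain.txt','r')
fout = open('out.txt', 'w')

content=fin.read()

# One list entry per row of the ASCII art
splitted=content.split('\n')
# Every character of the art is 13 columns wide
width=13

print len(content)
# Walk the art character by character and write the matching
# 13-column slice of every row on a line of its own
for j in xrange(len(splitted[0])/width):
	for i in xrange(len(splitted)):
		fout.write(splitted[i][j*width:(j+1)*width]+"\n")

fin.close()
fout.close()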

Now let’s open the edited file with EmEditor, which is capable of opening large files, and see what our file looks like:

h4ck1t_belarus_4

Good! It looks exactly like I wanted! Now, in order to parse it, we need to tell the code what every letter or digit looks like, so I started to define a variable for each letter or digit holding the matching ASCII art. It was something like this:

f_in = open('out.txt', 'r')
ff = open('flag.txt', 'w')
content = f_in.read()
content = content.split("\n")

f = content[0:11] # The letter f
c8 = content[37:48] # The digit 8
... # The other letters and digits
... # The other letters and digits
... # The other letters and digits

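index = 0
# Every character takes 12 lines in out.txt and the first 11 are its rows.
# Stop when the end of the file is reached instead of looping forever.
while index*12 < len(content):
     lines=content[index*12:(index+1)*12-1]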
     if lines==a:
             ff.write("a")
     elif lines==b:
             ff.write("b")
     elif lines==c:
             ff.write("c")
     elif lines==c0:
             ff.write("0")
     elif lines==c1:
             ff.write("1")
     elif lines==c2:
             ff.write("2")
     elif lines==c3:
             ff.write("3")
     elif lines==c4:
             ff.write("4")
     elif lines==c5:
             ff.write("5")
     elif lines==c6:
             ff.write("6")
     elif lines==c7:
             ff.write("7")
     elif lines==c8:
             ff.write("8")
     elif lines==c9:
             ff.write("9")
     elif lines==d:
             ff.write("d")
     elif lines==e:
             ff.write("e")
     elif lines==f:
             ff.write("f")
     index+=1

I took the long hex string and pasted it into a hex editor. It was this photo:

h4ck1t_belarus_5
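The slicing and matching steps above can also be done with a lookup table instead of an if/elif chain. This is an added example in Python 3, not the script from the original post: the toy font (4 columns by 3 rows), the sample banner and all function names are constructed for illustration, while the challenge font was 13 columns by 11 rows.

```python
# Added example (Python 3). FONT is a constructed toy font, 4 columns by 3 rows;
# the challenge font (13 columns by 11 rows) is not reproduced here.
WIDTH, ROWS = 4, 3
FONT = {
    "4": ("# # ", "### ", "  # "),
    "b": ("#   ", "### ", "### "),
    "f": ("### ", "##  ", "#   "),
}
# Reverse table: glyph rows -> character. This replaces the if/elif chain.
GLYPHS = {rows: ch for ch, rows in FONT.items()}


def render(text):
    """Build a banner (list of ROWS strings) to use as constructed sample input."""
    return ["".join(FONT[ch][r] for ch in text) for r in range(ROWS)]


def decode(banner):
    """Slice the banner into WIDTH-column glyphs and look each one up."""
    if len(banner) != ROWS or len({len(row) for row in banner}) != 1:
        raise ValueError("banner must have %d rows of equal length" % ROWS)
    if len(banner[0]) % WIDTH:
        raise ValueError("row length is not a multiple of the glyph width")
    out = []
    for start in range(0, len(banner[0]), WIDTH):
        glyph = tuple(row[start:start + WIDTH] for row in banner)
        if glyph not in GLYPHS:
            # Report the position instead of silently skipping the glyph
            raise ValueError("unknown glyph at index %d" % (start // WIDTH))
        out.append(GLYPHS[glyph])
    return "".join(out)


def banner_to_bytes(banner):
    """Decode the banner to hex digits, then turn the hex string into bytes."""
    return bytes.fromhex(decode(banner))


if __name__ == "__main__":
    banner = render("4f4b")  # constructed sample: the hex digits of b"OK"
    print("\n".join(banner))
    print(decode(banner), banner_to_bytes(banner))
```

An unknown glyph raises an error with its index, so a missing table entry shows up immediately instead of producing a shorter hex string.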

Well, that’s it. We got the flag and we now can rest in peace.

Flag: h4ck1t{1_L0V3_3P1C_F0NT$}

[H4CK1T 2016] HellMath – Mongolia Writeup


Description:

HellMath – Mongolia – 100 – PPC – NEW

EN: Somebody thinks that you are able to calculate well. Is it true? Pass this task, prove the abilities and maybe we will recommend you to one of the most secret missions in this war.

# nc ctf.com.ua 9988 #

This one was a tricky question. Sometimes we think in such a complicated way that we forget the basics of the basics.

Let’s begin. We are given a netcat command. Let’s run it and see what happens:

Megabeets: /tmp/h4ck1t/# nc ctf.com.ua 9988
Hello, stranger!
In this task you must solve 100 math questions.
Every task prints value C, where

C = A ^ B
and you need to return A and B.
Simple, isn't it?

C =  902688766290655704373689275053375955411443638316509920323848941975222889419457168696920458154297992623673837270038581569454814243805830583810239007096636651566143112784253577358992076929281284042240081518611899927486014041391480636127371844583712500925858241436577687881647483088199415935267570657867465207599620844695004309619118983781089160978919651087719815749856394166367766706778110070467678821838496167634418163901082752730509337302890389749997313424181834067339889277882795763685153563883836605864618300712713269080489519361527692457350059854544553090827217232806958474200121801180519077734723322730821821456307012680580248247037218481409333193782453105202353618778481032198022578852166518606909721942977575590954265237839696664727220865292977163448587698573864445402565395985502519681641780784380764161304054798829812233490916257278759562538568573426337720533085242758348167474155869479478584700074966635983754095730722241717146186660268605302301836193395575194171496181059843678720055443249024604241326634039569309251564445571858850712209536694524027635248909838940066204355066967778407959555544148932174508982884171285719680370353907943024211899094303816973257264835368157414233144693065775543775665646374894255716733398422962657186374363379853482641303616490385754787152837430574499189926206208167378653776600678668050752826349915972573133077173212387799225263508329369454811848100118727431542734051975488119495581578101088438806260901755298558179381970655381433179960687477909164284017317873303284836205753800005799794061481880410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Well, we are given a number C and we need to find numbers A and B such that A^B (power, not XOR) gives C.

At the beginning I tried to find algorithms online, “Such algorithms must exist!” I thought to myself. I found nothing and gave up for the day because it was late and I wanted to sleep. I was in my bed messaging a friend the question and he simply answered:
“Did you try 1?”
– “What 1?”
“You know, every number to the power of 1 equals the number” (i.e. C = C^1)
– “OMG! It is so simple! You are the smartest person on earth!”

 

So I ran to my computer and wrote this short python script that gave me the flag:

from pwn import *
from time import sleep

r = remote('ctf.com.ua', 9988)
 
print r.recvuntil('?')
print r.recvline()

counter=0

while True:
	if counter==100:
		# All 100 questions are answered: print the final message and stop
		print r.recv()
		break
	q = r.recvline()
	c = q[5:].rstrip('\n')
	print q
	print "\n----------\n"
	print c

	ans = '%s 1'%c
	print ans
	r.send('%s\n'%ans)
	counter+=1
	
# Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

 

[H4CK1T 2016] Hex0gator – Paraguay Writeup


Description:

EN: All Experts of The Silver Shield Project can’t decipher the intercepted data. Who knows, maybe you can do it?
100_00edb54bed7e46bd5cdb7c06059881c2

 

In this PPC 250 pts challenge we got only one file. Let’s run the file command on it to determine its type.

Megabeets:/tmp/h4ckit/paraguay# file 100_00edb54bed7e46bd5cdb7c06059881c2
100_00edb54bed7e46bd5cdb7c06059881c2: Zip archive data, at least v2.0 to extract

 

This is a zip file which contains another folder within. The folder contains a file named ‘99‘. Let’s extract it and figure out its type:

Megabeets:/tmp/h4ckit/paraguay# file 99
99: Zip archive data, at least v1.0 to extract

99 is also a zip file, and inside it has another zip, and another zip… well, I see where this is going. I wrote a simple PowerShell script to extract all the archives using the ultimate archive manipulator – 7-zip.

# Set $path to a folder that contains only the file '99'
# 99 exists in 'work_folder' inside the first archive

$path = "C:\your\path"

while($true)
{
    $file = (gci $path)[0]
    if($file.Name -eq 'flag')
    {
        # print the content of the file
        gc $file.FullName
        break;
    }
    else
    {
        # extract the next layer into $path, then delete the archive it came from
        &'C:\Program Files\7-Zip\7z.exe' e $file.FullName "-o$path" -y > $null
        Remove-Item $file.FullName
    }
}

Now let’s run it:

PS C:\h4ckit\paraguay> C:\h4ckit\paraguay\solve.ps1
FLAG: 0W_MY_G0D_Y0U_M4D3_1T
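The same unwrapping loop can run entirely in memory, with limits on depth and member size so that an unexpected archive cannot exhaust the machine. This is an added example in Python 3, not part of the original solution: the nested sample archive, the limits and the function names are constructed for illustration.

```python
# Added example (Python 3): unwrap zip-in-zip nesting in memory with limits.
import io
import zipfile

MAX_DEPTH = 200             # assumed cap on the number of layers
MAX_MEMBER_SIZE = 1 << 20   # assumed cap: refuse members declared over 1 MiB


def build_nested(payload, layers):
    """Constructed sample: wrap payload in `layers` zips, one file per layer."""
    data, name = payload, "flag"
    for n in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), str(n + 1)
    return data


def unwrap(data, max_depth=MAX_DEPTH, max_size=MAX_MEMBER_SIZE):
    """Return (innermost_name, innermost_bytes, layers_removed)."""
    name = None
    for depth in range(max_depth):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return name, data, depth
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) != 1:
                raise ValueError("layer %d holds %d files" % (depth, len(members)))
            if members[0].file_size > max_size:
                raise ValueError("layer %d member is too large" % depth)
            name = members[0].filename
            data = zf.read(members[0])
    raise ValueError("more than %d layers" % max_depth)


if __name__ == "__main__":
    sample = build_nested(b"FLAG: constructed-sample-flag", 100)
    print(unwrap(sample))
```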

 

[CSAW 2016] Regexpire Writeup


Description:

I thought I found a perfect match but she ended up being my regEx girlfriend.

nc misc.chal.csaw.io 8001

It wasn’t so hard, I asked Google for the best way to generate a string matching a given pattern and wrote the following script. The only headache was when my generator used newlines (“\n”), so I removed them.

from pwn import *
import rstr
import exrex
from time import sleep
import re

# Connect to the server
r = remote('misc.chal.csaw.io', 8001)

# Print the question string
print r.recvline()

# Counter
i=1

while True:
    # Receive the regex pattern
    reg = r.recvline()[:-1]
    print "%d -------\n"%i
    print reg
    print "-------\n"
    ans=rstr.xeger(reg).replace('\n','') # Remove newlines!
    # ans=exrex.getone(reg).replace('\n','')  # Another possible option
    r.sendline(ans)
    i+=1
    sleep(0.2)

And after 1000 tests we got the flag: flag{^regularly_express_yourself$}

[CSAW 2016] Coinslot Writeup


Description:

#Hope #Change #Obama2008

nc misc.chal.csaw.io 8000

Let’s connect to the server and see what will happen:

[Megabeets] /tmp/CSAW/Coinslot# nc misc.chal.csaw.io 8000
$0.07
$10,000 bills: 0
$5,000 bills: 0
$1,000 bills: 0
$500 bills: 0
$100 bills: 0
...
...

So, the server is displaying a wanted amount of money and we need to calculate the number of bills and coins given the amount. All we need is a simple Python script and a coffee break, because it will take about 10 minutes for the flag to come up 🙁

from pwn import *

r = remote('misc.chal.csaw.io',8000)

# Create an array of dollars and coins values
money = [10000.0, 5000.0, 1000.0, 500.0, 100.0, 50.0, 20.0, 10.0, 5.0, 1.0, 0.5, 0.25, 0.1, 0.05, 0.01]
count = 0

while(True):
	count += 1
	amount = 0.0
	
	# Receive the wanted amount of money
	amount = float(r.recvline()[1:])
	print "Wanted amount is " + str(amount)

	# Send the number of dollars and coins for each value
	for m in money:
		print r.recv()
		ans = int(amount/m)
		print "Sending %d" %ans
		r.sendline(str(ans))
		amount = round((amount - (ans*m)), 2)
		print "Left with " + str(amount)
	print "[+] Finished %d" %count
	print r.recvline()

 

The flag is: flag{started-from-the-bottom-now-my-whole-team-fucking-here}