Hack.lu 2010 CTF #1 (Fun 300, Rock Lizard Spock) writeup

On the high seas, the nights get boring. Try to win the game against the captain!
pirates.fluxfingers.net port 6565/tcp

Let’s go & connect there:

> nc pirates.fluxfingers.net 6565
/9j/4AAQSkZJRgABAQEAYABgAAD//gAJbWQ1d2luc//bAEMABQ
MEBAQDBQQEBAUFBQYHDAgHBwcHDwsLCQwRDxISEQ8RERMWHBcT
<...>
EgWAYlOhQqadCpxQPCn4JDjQoVacgqCQ4dtCAY4+FChVJb7BVE
A6fCnKIB0+FChSuX3C8XQPuhoUKFd+JM//Z

The service gives us some base64 and waits 2 seconds for reply. Unbase64ing the data, we get this jpeg:

There is no EXIF tag, and `strings` don’t show anything interesting (only ‘md5wins’ which is not the flag). I connected again and got another image:

This looks like a pebble lying on sand, and it has a string: “p4ss: nothere” in it. Hard to understand what it’s for, so let’s connect some more times and dump some more data. Script for that:

<?php
$were = array();
while (true) {
 $s = fsockopen("pirates.fluxfingers.net", 6565);
 $ln = fgets($s);
 fclose($s);
 $ln = base64_decode($ln);
 $md5 = md5($ln);
 if (!isset($were[$md5])) {
  file_put_contents("$md5.jpg", $ln);
  $were[$md5] = true;
  echo "!";
 } else
  echo ".";
}
?>
>\php\php dump_images.php
!..........!...!!...........!.............................^C

>

The service sends out 5 different base64ed jpeg images:

spock.jpg rock.jpg paper.jpg sciss.jpg yasch.jpg

They all have useless text comments in them and nothing else. But they have something in common. They all are symbols from Rock Paper Scissors Lizard Spock game :)
Spock is beaten by lizard, Rock is beaten by paper, Paper – by scissors, and Lizard with Scissors are beaten by rock.

Task says we have to win the game, so let’s try to send Captain the base64 of an image that beats his image. D’oh, that doesn’t work! Remember the comment from Spock pic: “md5wins”? Let’s send him md5 of winning image. Yay, he replies with another base64! So we’re gonna code a bot that plays the game:

<?php
$objs = array("rock.jpg" => 1, "paper.jpg" => 1, "sciss.jpg" => 1, 
              "spock.jpg" => 1, "yasch.jpg" => 1);
foreach ($objs as $i => $nul)
 $objs[$i] = md5_file($i);

$s = fsockopen("pirates.fluxfingers.net", 6565);
while (true) {
 $orig = $ln = fgets($s);
 $ln = base64_decode($ln);
 $ln = md5($ln);
 if (($i = array_search($ln, $objs)) === false) {
  echo "GOT FLAG: $orig\n";
  break;
 } else {
  echo "$i - ";
  if ($i == "paper.jpg")
   $e = "sciss.jpg";
  elseif ($i == "rock.jpg")
   $e = "paper.jpg";
  elseif ($i == "yasch.jpg")
   $e = "rock.jpg";
  elseif ($i == "spock.jpg")
   $e = "yasch.jpg";
  else
   $e = "rock.jpg";
  fwrite($s, md5_file($e) . "\n");
  echo "$e\n";
 }
}
?>

Run it:

> \php\php rps.php
spock.jpg - yasch.jpg
yasch.jpg - rock.jpg
yasch.jpg - rock.jpg
paper.jpg - sciss.jpg
spock.jpg - yasch.jpg
rock.jpg - spock.jpg
sciss.jpg - rock.jpg
spock.jpg - yasch.jpg
GOT FLAG: the secret is: ev!lsYcerf0xxr0xx

The answer is ev!lsYcerf0xxr0xx

1 comment

    • noparticularskill on May 22, 2019 at 05:20
    • Reply

    Is it in Kali Linux? The terminal u use

Leave a Reply

Your email address will not be published.