In this task we were given a binary and a host/port where it is running:
HOST : 168.188.130.217
PORT : 8080
Binary
Note: At the beginning of the contest there was no binary, but nobody solved the task, so the binary was added. I guess that was because of the strange input format.
Summary: reversing (or guessing) a simple algorithm and coding a client
The program is quite straightforward (rebuilt source). It generates a random printable string of length 15 and a string of length 1000 (a 10x10x10 cube), sends them over the socket, and expects the coordinates in the cube of each char from the first string. The strange thing is the input format, so let's look at the parsing function:
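```c
#include <stdlib.h>  /* atoi, exit */

/* buffer (the received input), bytestring (the 15-char string), cube (the
   1000-char string) and err() are globals defined elsewhere in the binary. */
void check_input()
{
    int i;
    int xpos, ypos, zpos, x, y, z;
    int good_count;

    xpos = 1;
    ypos = 3;
    zpos = 5;
    good_count = 0;
    for ( i = 0; i <= 14; ++i )
    {
        /* x, y and z are parsed at offsets 1, 3 and 5 of the current tuple */
        x = atoi(&buffer[xpos]);
        y = atoi(&buffer[ypos]);
        z = atoi(&buffer[zpos]);
        if ( bytestring[i] != cube[z*100 + y*10 + x] )
            err("Your cube's coordinate not accord with pass\n");
        ++good_count;
        /* the next tuple starts 8 bytes later */
        xpos += 8;
        ypos += 8;
        zpos += 8;
    }
    if ( good_count == 15 )
        exit(0);
}
```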
So each (x,y,z) tuple occupies 8 bytes, with the numbers read at offsets 1, 3 and 5. It must look like
_x_y_z__
Let’s code a script to solve the task:
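```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import socket
import sys

fs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
fs.connect(("168.188.130.217", 8080))

# latin-1 maps bytes 1:1 to characters, so string indexes match byte offsets
a = fs.recv(17).decode("latin-1").strip()    # 15 chars and two \n
b = fs.recv(1001).decode("latin-1").strip()  # 1000 + \n

answer = ''
for c in a:
    pos = b.find(c)
    if pos == -1:
        print(c, "not found")
        sys.exit(1)
    # pos = z*100 + y*10 + x, the same indexing check_input() uses
    x = pos % 10
    y = (pos // 10) % 10
    z = (pos // 100) % 10
    answer += "_%d_%d_%d__" % (x, y, z)

fs.send((answer + "\n").encode("latin-1"))
print(fs.recv(100500).decode("latin-1"))
```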
```
$ py pwn.py
} not found
$ py pwn.py
} not found
$ py pwn.py
aReYouSoLoYeT?.?
```
So, the flag: aReYouSoLoYeT?.?
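An offline harness for the input format described above, added here as an example (it is not the original script or the contest's code): it ports check_input() to Python with a minimal atoi(), so a client's answer string can be verified without the server. The names atoi, encode, check and make_sample, and the sample cube and pass, are constructed for illustration.

```python
import random
import string

RECORD = 8            # bytes per tuple: xpos/ypos/zpos each advance by 8
OFFSETS = (1, 3, 5)   # atoi() start offsets for x, y, z inside a record

def atoi(s):
    """C-like atoi: skip whitespace, optional sign, then leading digits (else 0)."""
    s = s.lstrip(" \t\n\v\f\r")
    sign = -1 if s[:1] == "-" else 1
    if s[:1] in ("+", "-"):
        s = s[1:]
    n = 0
    for ch in s:
        if ch not in string.digits:
            break
        n = n * 10 + int(ch)
    return sign * n

def encode(password, cube):
    """Build the answer string; raises LookupError if a char is not in the cube."""
    out = []
    for c in password:
        pos = cube.find(c)
        if pos == -1:
            raise LookupError("%r not in cube" % c)
        out.append("_%d_%d_%d__" % (pos % 10, pos // 10 % 10, pos // 100))
    return "".join(out)

def check(answer, password, cube):
    """Port of check_input(); returns True where the binary would exit(0)."""
    for i, c in enumerate(password):
        x, y, z = (atoi(answer[i * RECORD + off:]) for off in OFFSETS)
        idx = z * 100 + y * 10 + x
        # Range check is added here; the C code indexes cube[] directly.
        if not 0 <= idx < len(cube) or cube[idx] != c:
            return False
    return True

def make_sample(seed=2011):
    """Constructed test data: a 1000-char cube and a 15-char pass drawn from it."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    cube = "".join(rng.choice(alphabet) for _ in range(1000))
    password = "".join(rng.choice(cube) for _ in range(15))
    return password, cube

if __name__ == "__main__":
    pw, cube = make_sample()
    print(encode(pw, cube), check(encode(pw, cube), pw, cube))
```

Because atoi() stops at the first non-digit, any non-digit filler works in place of `_` as long as each record stays 8 bytes long.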
1 comment
Thanks for writing of my binary XD