«

»

Jan
19

Padocon CTF 2011 Binary100 Writeup (200)

This task we were given a binary and a host/port where it is running:
HOST : 168.188.130.217
PORT : 8080
Binary

Note: At the beginning of the contest, there was no binary. But nobody solved it and the binary was added, I guess it’s because of strange format of the input.

Summary: reversing (or guessing) simple algorithm and coding a client

The program is quite straight forward (rebuilded source). It generates a random printable string of length 15 and an string of length 1000 (cube 10x10x10), sends it via socket, and wants coordinates of each char from the first string in cube. The strange thing is the format of input, let’s look into the parsing function:

void check_input()
{
    int i;
    int xpos, ypos, zpos, x, y, z;
    int good_count;

    xpos = 1;
    ypos = 3;
    zpos = 5;
    good_count = 0;
    for ( i = 0; i <= 14; ++i ) {
        x = atoi(&buffer[xpos]);
        y = atoi(&buffer[ypos]);
        z = atoi(&buffer[zpos]);
        if ( bytestring[i] != cube[z*100 + y*10 + x] )
            err("Your cube's coordinate not accord with pass\n");
        ++good_count;
        xpos += 8;
        ypos += 8;
        zpos += 8;
    }
    if ( good_count == 15 )
        exit(0);
}

So, the size of the (x,y,z) tuple is 8. It must look like
_x_y_z__

Let’s code a script to solve the task:

#!/usr/bin/env python
#-*- coding:utf-8 -*-

import socket

fs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
fs.connect(("168.188.130.217", 8080))

a = fs.recv(17).strip()     #15 digits and two \n
b = fs.recv(1001).strip()   #1000 + \n

answer = ''
for c in a:
    pos = b.find(c)
    if pos == -1:
        print c, "not found"
        exit(1)
    x = pos % 10
    y = (pos // 10) % 10
    z = (pos // 100) % 10
    answer += "_%d_%d_%d__" % (x,y,z)

fs.send(answer+"\n")
print fs.recv(100500)
$ py pwn.py
} not found
$ py pwn.py
} not found
$ py pwn.py
aReYouSoLoYeT?.?

So, the flag: aReYouSoLoYeT?.?

2 comments

  1. idkwim says:

    Thanks for writing of my binary XD

  2. La Mare du Gof » Blog Archive » Outils, services, sites à (re)découvrir-2011-s03 says:

    […] 18/01/2011. Source : http://www.twitter.com/sbrabez 19/01/2011. Padocon CTF 2011 Binary100 Writeup (200) : leetmore.ctf.su/wp/padocon-ctf-2010-binary100-writeup-200/ 20/01/2011. Padocon CTF 2011 Binary500 Writeup (300) : […]

Leave a Reply to La Mare du Gof » Blog Archive » Outils, services, sites à (re)découvrir-2011-s03 Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>