## Writeups – Numbers Game, BabyRE (RCTF – Part 2)

This post continues from my last post on. Two more writeups for RCTF are presented below.

# Numbers Game

This challenge was presented as an IP and port, with the clue that we had to “guess”. This challenge ended up being a variation of “Cows and Bulls” (or, if you prefer, the Fallout hacking puzzle). We guess 4 numbers, then are told how many we have in the correct position, and how many numbers have the correct value but are in the wrong position.

A simple Python script solves this cleanly, which you can download here.

Funnily enough, from the Wikipedia article, we note that the minimal average game length is just over 5 turns:

We are provided 6; therefore, our solution must be optimal (fortunately, the solver I found on GitHub was).
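The candidate-elimination idea behind such solvers, as an added example (this is not the script linked above, nor the solver from GitHub). It assumes the secret is four distinct digits from 0 to 9, and `local_oracle` is a constructed stand-in for the remote service, whose wire format is not shown here.

```python
from itertools import permutations

DIGITS = "0123456789"  # assumption: the secret is 4 distinct digits


def score(guess, secret):
    """Return (bulls, cows): right digit in the right place, right digit elsewhere."""
    bulls = sum(g == s for g, s in zip(guess, secret))
    # With distinct digits, the shared digits minus the bulls are the cows.
    cows = len(set(guess) & set(secret)) - bulls
    return bulls, cows


def solve(oracle, length=4):
    """Guess until the oracle reports all bulls; return [(guess, feedback), ...]."""
    candidates = ["".join(p) for p in permutations(DIGITS, length)]
    history = []
    while candidates:
        guess = candidates[0]  # any still-consistent candidate is a legal guess
        feedback = oracle(guess)
        history.append((guess, feedback))
        if feedback == (length, 0):
            return history
        # Keep only the secrets that would have produced this exact feedback.
        candidates = [c for c in candidates if score(guess, c) == feedback]
    raise ValueError("feedback was inconsistent; no candidate remains")


def local_oracle(secret):
    """Constructed stand-in for the remote service (hypothetical helper)."""
    return lambda guess: score(guess, secret)


if __name__ == "__main__":
    for guess, feedback in solve(local_oracle("7291")):  # constructed secret
        print(guess, feedback)
```

This version always plays the first remaining candidate rather than an optimised guess, so it makes no promise about finishing inside a turn limit.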

# BabyRE

This challenge was presented as a Linux binary, which you can download here. While presented as a reverse engineering challenge, I performed only minimal reverse engineering to complete this challenge.

Initial analysis showed that this executable took in some letters and a number, followed by some arbitrary additional input. The output seemed to be a series of dword values. One of what appear to be the encoding steps is shown below:

Based on this alone, I made a few assumptions:

• The application encoded one character at a time
• There was no meaningful randomness, despite randomness-based functions being called
• The order of characters didn’t matter (but this is slightly irrelevant if we have an encoding oracle)

I first tested my hypothesis by providing “test 15” as the first inputs, then encoding “abc” and “cba”. These provided the expected result: that is, one dword value corresponded to each character of input.

I then attempted to encode “RCTF”, which provided dword outputs which corresponded to the contents of the “out” file – I assumed at this point that this was the flag. Further testing confirmed that the order of characters did not matter.

From here, a little bit of Python makes this a trivial solve: we simply encode the entire alphabet, and test this against the “out” file. You can download the script I used here.

Overall, I enjoyed participating in this CTF – this showed me some serious gaps I have with webappsec and pwning. As always, I look forward to improving my skill for the next one.

See you all in “Security Fest CTF” and Faust CTF in two weeks’ time.