This post continues from my last post on. Two more writeups for RCTF are presented below.
This challenge was presented as an IP and port, with the clue that we had to “guess”. This challenge ended up being a variation of “Cows and Bulls” (or, if you prefer, the Fallout hacking puzzle). We guess 4 numbers, then are told how many we have in the correct position, and how many numbers have the correct value but are in the wrong position.
A simple Python script solves this cleanly, which you can download here.
Funnily enough, from the Wikipedia article, we note that the minimal average game length is just over 5 turns:
We are provided 6: therefore, our solution must be optimal (fortunately, the solver I found on GitHub was).
This challenge was presented as a Linux binary, which you can download here. While presented as a reverse engineering challenge, I performed only minimal reverse engineering to complete this challenge.
Initial analysis showed that this executable took in some letters and a number, followed by some arbitrary additional input. The output seemed to be a series of dword values. One of what appears to be the encoding steps is shown below:
Based on this alone, I made a few assumptions:
- The application encoded one character at a time
- There was no meaningful randomness, despite randomness-based functions being called
- The order of characters didn’t matter (but this is slightly irrelevant if we have an encoding oracle)
I first tested my hypothesis by providing “test 15” as the first inputs, then encoding “abc” and “cba”. These provided the expected result: that is, one dword value corresponded to each character of input.
I then attempted to encode “RCTF”, which provided dword outputs which corresponded to the contents of the “out” file – I assumed at this point that this was the flag. Further testing confirmed that the order of characters did not matter.
From here, a little bit of Python makes this a trivial solve: we simply encode the entire alphabet, and test this against the “out” file. You can download the script I used here.
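The lookup-table approach described above, as an added sketch (not the script linked in this post). The challenge binary is not available here, so `toy_oracle` is a constructed stand-in with the same assumed properties; the "out" data is assumed to be packed little-endian dwords, and all function names are hypothetical.

```python
from __future__ import annotations
import string
import struct

def toy_oracle(text: str) -> list[int]:
    """Constructed stand-in for the binary: one dword per character,
    deterministic and position-independent (the assumptions listed above)."""
    return [((ord(c) * 0x9E3779B1) ^ 0x5A5A5A5A) & 0xFFFFFFFF for c in text]

def check_assumptions(oracle) -> None:
    """Repeat the "abc"/"cba" sanity checks before trusting a lookup table."""
    abc, cba = oracle("abc"), oracle("cba")
    if len(abc) != 3:
        raise ValueError("oracle does not emit one dword per character")
    if abc != oracle("abc"):
        raise ValueError("oracle output is not deterministic")
    if abc != cba[::-1]:
        raise ValueError("encoding depends on character position")

def build_table(oracle, alphabet: str) -> dict[int, str]:
    """Encode the whole alphabet once and invert the mapping."""
    table: dict[int, str] = {}
    for ch, dword in zip(alphabet, oracle(alphabet)):
        if dword in table:  # an ambiguous table would decode silently wrong
            raise ValueError(f"collision: {table[dword]!r} and {ch!r}")
        table[dword] = ch
    return table

def decode(blob: bytes, table: dict[int, str]) -> str:
    """Split the blob into little-endian dwords and map each back to a character."""
    if len(blob) % 4:
        raise ValueError("blob length is not a multiple of 4 bytes")
    dwords = struct.unpack(f"<{len(blob) // 4}I", blob)
    # '?' marks a dword outside the table, i.e. the alphabet was too small
    return "".join(table.get(d, "?") for d in dwords)

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def solve(oracle, blob: bytes) -> str:
    check_assumptions(oracle)
    return decode(blob, build_table(oracle, ALPHABET))

if __name__ == "__main__":
    sample = "RCTF{constructed_sample}"  # constructed input, not the real flag
    blob = struct.pack(f"<{len(sample)}I", *toy_oracle(sample))
    print(solve(toy_oracle, blob))
```

Against the real binary, `oracle` would be a wrapper that feeds the input to the process and parses the dwords it prints.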
Overall, I enjoyed participating in this CTF – this showed me some serious gaps I have with webappsec and pwning. As always, I look forward to improving my skill for the next one.
See you all in “Security Fest CTF” and Faust CTF in two weeks’ time.