I played ASIS CTF Quals 2019 as a member of insecure. We got 224 pts and reached 88th place. Thanks to all the admins for the great competition.
I wanted to solve more difficult challenges.
[Coding 67pts(78 Solves)] Flag collision
Warm-up your fingers to capture next flags!
nc 37.139.9.232 19199
Just do it.
```python
from ptrlib import *
import binascii
import string
import random
import hashlib
import re

def randomString(length, table=string.ascii_lowercase):
    return ''.join(random.choice(table) for i in range(length))

sock = Socket("37.139.9.232", 19199)

# Proof of work: find X such that <method>(X).hexdigest()[pos:] == target
sock.recvuntil("Submit a printable string X, such that ")
method = sock.recvuntil("(X)").decode()[:-3]
pos = int(sock.recvuntil("] = ").decode()[1:-5])
target = sock.recvline().decode().strip()
print(method, pos, target)

i = 0
while True:
    s = str(i)
    h = hashlib.new(method)
    h.update(s.encode())
    if h.hexdigest()[pos:] == target:
        print(s)
        sock.sendline(s)
        break
    i += 1

# Each round: read the requested length, then birthday-search for two
# different ASIS{...} strings of that length with the same CRC32
while True:
    while True:
        line = sock.recvline().decode().strip()
        print(line)
        l = re.findall("len = ([0-9]+)", line)
        if l:
            l = int(l[0])
            break
    print("len = {}".format(l))
    table = {}
    while True:
        s = randomString(l-len("ASIS{}"))
        s = "ASIS{{{}}}".format(s)
        v = binascii.crc32(s.encode())
        # Skip the case where the same random string was drawn twice
        if v in table and table[v] != s:
            print("({}, {})".format(table[v], s))
            sock.sendline("{}, {}".format(table[v], s))
            # sock.sendline("ASIS{{{}}}".format(s))
            break
        table[v] = s

for i in range(10): print(sock.recvline())
```
[Crypto 44pts(135 Solves)] A delicious soup
Once you've decided on what ingredients to use, making a delicious soup is very simple!
As I looked over the given script (simple_and_delicious.py), I found it shuffled the flag a random number of times.
If we can get the two parameters, how many times the shuffle is applied and the result of random.shuffle(range(7)), then the flag can be recovered. And we can find both parameters by brute force.
This solve.py lists all the possible flag patterns. Since the flag starts with ASIS{..., I could filter the output. The flag was ASIS{1n54n3ly_Simpl3_And_d3lic1Ous_5n4ckS_eVEn_l4zY_Pe0pL3_Can_Mak3}.
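The brute force described above, as an added example; it is not the challenge's simple_and_delicious.py or the solve.py mentioned in this post. The round function here (rotate by one, then permute each 7-character block) is an assumed stand-in for the real shuffle, and the flag is a constructed sample.

```python
import random
from itertools import permutations

W = 7  # block width: the write-up's permutation has 7 elements

def round_fwd(msg, perm):
    # Assumed stand-in round: rotate left by one, then permute every W-char block.
    msg = msg[1:] + msg[:1]
    return "".join(msg[j + p] for j in range(0, len(msg), W) for p in perm)

def round_inv(msg, perm):
    # Undo the block permutation, then rotate right by one.
    out = [""] * len(msg)
    for j in range(0, len(msg), W):
        for k, p in enumerate(perm):
            out[j + p] = msg[j + k]
    return out[-1] + "".join(out[:-1])

def encrypt(flag, perm, rounds):
    msg = flag + "." * (-len(flag) % W)  # pad to a whole number of blocks
    for _ in range(rounds):
        msg = round_fwd(msg, perm)
    return msg

def recover(ct, prefix="ASIS{", max_rounds=16):
    # Try all 7! = 5040 permutations and every round count up to max_rounds,
    # keeping each candidate that decrypts to the known flag prefix.
    hits = set()
    for perm in permutations(range(W)):
        msg = ct
        for _ in range(max_rounds):
            msg = round_inv(msg, perm)
            if msg.startswith(prefix):
                hits.add(msg.rstrip("."))
    return hits

def demo():
    rng = random.Random(2019)  # fixed seed so the run is repeatable
    perm = list(range(W))
    rng.shuffle(perm)
    flag = "ASIS{constructed_sample_flag}"  # constructed, not the real flag
    ct = encrypt(flag, perm, rng.randint(1, 16))
    return flag, recover(ct)

if __name__ == "__main__":
    flag, hits = demo()
    print(len(hits), "candidates;", "recovered" if flag in hits else "missing")
```

The known prefix pins down only part of the permutation, so more than one candidate can survive the filter and the final choice is made by reading them.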