ふるつき

v(*'='*)v かに

ASIS CTF Quals 2019 Writeup

I played ASIS CTF Quals 2019 as a member of insecure. We got 224 pts and reached 88th place. Thanks to all the admins for the great competition.

I wanted to solve more difficult challenges.

[Coding 67pts(78 Solves)] Flag collision

Warm-up your fingers to capture next flags!

nc 37.139.9.232 19199

Just do it.

from ptrlib import *
import binascii
import string
import random
import hashlib
import re

def randomString(length, table=string.ascii_lowercase):
    return ''.join(random.choice(table) for _ in range(length))

sock = Socket("37.139.9.232", 19199)

# Proof of work: the server names a hash method, a slice position and a target.
sock.recvuntil("Submit a printable string X, such that ")
method = sock.recvuntil("(X)").decode()[:-3]
pos = int(sock.recvuntil("] = ").decode()[1:-5])
target = sock.recvline().decode().strip()
print(method, pos, target)

# Try decimal counters until hexdigest()[pos:] matches the target.
i = 0
while True:
    s = str(i)
    h = hashlib.new(method)
    h.update(s.encode())
    if h.hexdigest()[pos:] == target:
        print(s)
        sock.sendline(s)
        break
    i += 1


while True:
    # Read lines until the server announces the required flag length.
    while True:
        line = sock.recvline().decode().strip()
        print(line)
        l = re.findall("len = ([0-9]+)", line)
        if l:
            l = int(l[0])
            break
    print("len = {}".format(l))
    # Birthday search: generate random ASIS{...} strings of that length
    # until two of them share the same CRC32 value.
    table = {}
    while True:
        s = randomString(l-len("ASIS{}"))
        s = "ASIS{{{}}}".format(s)
        v = binascii.crc32(s.encode())
        if v in table:
            print("({}, {})".format(table[v], s))
            sock.sendline("{}, {}".format(table[v], s))
            break
        table[v] = s

for i in range(10):
    print(sock.recvline())

[Crypto 44pts(135 Solves)] A delicious soup

Once you've decided on what ingredients to use, making a delicious soup is very simple!

Looking over the given script (simple_and_delicious.py), I found that it shuffles the flag a random number of times.

If we can get the two parameters (how many times the shuffle is applied, and the result of random.shuffle(range(7))), then the flag can be recovered. We can find both parameters by brute force.

This solve.py lists all the possible flag patterns. Since the flag starts with ASIS{..., I could filter the output. The flag was ASIS{1n54n3ly_Simpl3_And_d3lic1Ous_5n4ckS_eVEn_l4zY_Pe0pL3_Can_Mak3}.
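The brute force described above, as an added example; this is not the author's solve.py. The page does not show simple_and_delicious.py, so the round function here (rotate by one, then permute each 7-character block) is a constructed stand-in, and MAX_ROUNDS, the sample flag, permutation and round count are assumptions.

```python
from itertools import permutations

W = 7            # block width, matching random.shuffle(range(7)) in the write-up
MAX_ROUNDS = 10  # assumed upper bound on the number of shuffle rounds

def permute_blocks(msg, perm):
    # Reorder the characters inside every W-character block.
    return "".join(msg[j + p] for j in range(0, len(msg), W) for p in perm)

def encrypt(msg, perm, rounds):
    # Constructed stand-in round: rotate left by one, then permute each block.
    msg += "." * (-len(msg) % W)        # pad to a multiple of W
    for _ in range(rounds):
        msg = permute_blocks(msg[1:] + msg[:1], perm)
    return msg

def decrypt_round(msg, perm):
    inv = [0] * W
    for k, p in enumerate(perm):
        inv[p] = k                      # inverse permutation
    msg = permute_blocks(msg, inv)
    return msg[-1:] + msg[:-1]          # undo the rotation

def recover(ciphertext, prefix="ASIS{"):
    # Try all 7! = 5040 permutations and every round count up to MAX_ROUNDS,
    # keeping only candidates that begin with the known flag prefix.
    hits = []
    for perm in permutations(range(W)):
        msg = ciphertext
        for rounds in range(1, MAX_ROUNDS + 1):
            msg = decrypt_round(msg, perm)
            if msg.startswith(prefix):
                hits.append((perm, rounds, msg))
    return hits

# Constructed sample: a made-up flag, permutation and round count.
SAMPLE_CT = encrypt("ASIS{c0nstructed_sample}", (3, 0, 6, 1, 5, 2, 4), 7)

if __name__ == "__main__":
    for perm, rounds, msg in recover(SAMPLE_CT):
        print(perm, rounds, msg)
```

The prefix filter can leave more than one candidate, so the remaining lines still have to be read by eye, as in the write-up.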