
Defcon CTF Quals 2014 – 100lines | zepvn

6/13/2014

return rax; }

So I got the final code to receive 38 OTP numbers from STDIN and print out the ASCII values of the expected input characters: defcon-2014-quals-100lines-bruteforce. In this version, I was too lazy to break down the expression that checks the input character, so I kept the condition as it is and looped a variable from 0 to 255 to test whether the condition is met (i.e. the expression returns true). Simply compile the code with:

    $ g++ -o bruteforce bruteforce.c

Since I don't feel like writing socket code in C, let's write a Python script to communicate with the real service and execute the bruteforce code that we just got.

    # Python 2
    import socket
    from subprocess import Popen, PIPE, STDOUT

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('100lines_53ac15fc7aa93da92629d37a669e106c.2014.shallweplayaga.me', 20689))

    # Read the banner; the OTP numbers are on its second line
    data = s.recv(2048)
    data += s.recv(2048)
    data = data.split("\n")[1]
    print "OTP:"
    print data

    # Parse each token to decimal text with int(); base 0 honours the 0x prefix
    arr = [str(int(_, 0)) for _ in data.split()]

    # Feed the numbers to the bruteforce binary, one per line
    p = Popen(['./bruteforce'], stdout=PIPE, stdin=PIPE, stderr=PIPE)
    stdout_data = p.communicate(input="\n".join(arr))[0]

    # Each output line is the ASCII value of one expected character
    result = "".join(chr(int(_)) for _ in stdout_data.split("\n")[:-1])
    print "Sending back: ",repr(result)
    s.send(result)
    print "Response:"
    print s.recv(2048)
    print s.recv(2048)

One sample output:

    OTP:
    0x0003477c0b80aa0f 0x00008985a385bd8e 0x000371f572962c37 0x0001bec6d1d1f7a6 0x000060f32eb8e2d1 0x00017c9388cc842b 0x00032d90a11d5d21 0x000251507644d55f 0x00017c68d057
    Sending back: 'U<{v!&Vm'
    Response:
    0xc6, 0x11,0x3e,0x93,0x67,0x6a,0xf2,0xcd,0xfe,0x29,0x0d,0x4d,0xf2,0x8a,0x87,0x48,0x2e,0x81,0x39,0xb7,0x20,0x88,0xc3,0x98,0x21,0x20,0xfb,0x51,0xdc,0xb4,0x2a,0x03,0x7f,0xb7,0x79,0xe

Okay, we are really close now. We got back 38 bytes, and that must be some kind of encrypted form of the flag (or some text that contains the flag). We continue reversing the last part of the main function and get this:

    ...
    for (int i = 0; i < 38; i++) {
        int c = flag[i] ^ getByte(OTP[i], seed, static_buffer);
        printf("0x%02x", c);
    }
    ...

It's pretty obvious now. I wrote another C program, quite similar to the bruteforce one, except that the OTP is now hardcoded together with the 38 encrypted bytes: defcon-2014-quals-100lines-bruteforce.cpp. Compile it, run it and enjoy the flag:

    $ g++ -o get_flag get_flag.cpp
    $ ./get_flag
    The flag is:#RadicalSpaceOptimization!
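The two steps described above (testing all 256 byte values against an unmodified check, then reusing the same keystream to undo the XOR) as an added C example; it is not the author's bruteforce or get_flag code. `get_byte`, `check`, the seed, the buffer contents and the OTP values are constructed stand-ins, since the challenge's real getByte is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 4
/* Constructed sample data, not values from the challenge. */
static const uint64_t OTP[N] = {0x0123456789abcdefULL, 0x0fedcba987654321ULL,
                                0x00000000deadbeefULL, 0x0000000000000001ULL};
static const uint32_t SEED = 0x1337;

/* Hypothetical stand-in for the binary's getByte(). */
static uint8_t get_byte(uint64_t otp, uint32_t seed, const uint8_t *buf) {
    uint64_t x = (otp ^ seed) * 0x9E3779B97F4A7C15ULL;
    return (uint8_t)(buf[(x >> 56) & 0xff] ^ (x >> 24));
}

/* Hypothetical check, kept opaque the way a decompiled condition would be. */
static int check(int c, uint64_t otp, const uint8_t *buf) {
    return (uint8_t)(c * 7 + 3) == get_byte(otp, SEED, buf);
}

/* Try all 256 candidates; return the unique match, or -1 if none or several. */
int solve_char(uint64_t otp, const uint8_t *buf) {
    int found = -1;
    for (int c = 0; c <= 255; c++) {
        if (!check(c, otp, buf)) continue;
        if (found >= 0) return -1;   /* ambiguous: more than one byte passes */
        found = c;
    }
    return found;
}

/* c = flag[i] ^ getByte(OTP[i], ...) is its own inverse: one routine does both. */
void xor_stream(const uint8_t *in, uint8_t *out, const uint8_t *buf) {
    for (int i = 0; i < N; i++) out[i] = in[i] ^ get_byte(OTP[i], SEED, buf);
}

/* Returns how many positions were solved, or -1 if the XOR round trip fails. */
int demo(void) {
    uint8_t buf[256], enc[N], dec[N];
    int ok = 0;
    for (int i = 0; i < 256; i++) buf[i] = (uint8_t)(i * 31 + 7);
    for (int i = 0; i < N; i++) {
        int c = solve_char(OTP[i], buf);
        if (c >= 0 && check(c, OTP[i], buf)) ok++;
    }
    xor_stream((const uint8_t *)"flag", enc, buf);
    xor_stream(enc, dec, buf);
    return memcmp(dec, "flag", N) == 0 ? ok : -1;
}

int main(void) { printf("solved %d of %d\n", demo(), N); return 0; }
```

Returning -1 when zero or several candidates pass makes a wrongly lifted condition visible instead of silently sending a bad byte.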

http://zepvn.com/blog/defcon-ctf-quals-2014-100lines.php
