GeeksSpeak Team Blog

WriteUps and random thoughts

CSAW 2015 - FOR400 - Sharpturn

| Comments

CSAW 2015 - FOR400 - Sharpturn

Basic useful feature list:

  • I think my SATA controller is dying.
  • HINT: git fsck -v

We had a tar.xz file , after extracting found a git repository. We had a good hint :

1

git fsck -v

and the response :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

Checking HEAD link
Checking object directory
Checking directory objects/2b
Checking directory objects/2e
Checking directory objects/35
Checking directory objects/4a
Checking directory objects/4c
Checking directory objects/7c
Checking directory objects/a1
Checking directory objects/cb
Checking directory objects/d5
Checking directory objects/d9
Checking directory objects/e5
Checking directory objects/ef
Checking directory objects/f8
Checking tree 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking commit 2e5d553f41522fc9036bacce1398c87c2483c2d5
error: sha1 mismatch 354ebf392533dce06174f9c8c093036c138935f3
error: 354ebf392533dce06174f9c8c093036c138935f3: object corrupt or missing
Checking commit 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking tree 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking commit 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
Checking tree a1607d81984206648265fbd23a4af5e13b289f83
Checking tree cb6c9498d7f33305f32522f862bce592ca4becd5
Checking commit d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
error: sha1 mismatch d961f81a588fcfd5e57bbea7e17ddae8a5e61333
error: d961f81a588fcfd5e57bbea7e17ddae8a5e61333: object corrupt or missing
Checking blob e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking blob efda2f556de36b9e9e1d62417c5f282d8961e2f8
error: sha1 mismatch f8d0839dd728cb9a723e32058dcc386070d5e3b5
error: f8d0839dd728cb9a723e32058dcc386070d5e3b5: object corrupt or missing
Checking connectivity (32 objects)
Checking a1607d81984206648265fbd23a4af5e13b289f83
Checking e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking cb6c9498d7f33305f32522f862bce592ca4becd5
Checking 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking 2e5d553f41522fc9036bacce1398c87c2483c2d5
Checking efda2f556de36b9e9e1d62417c5f282d8961e2f8
Checking 354ebf392533dce06174f9c8c093036c138935f3
missing blob 354ebf392533dce06174f9c8c093036c138935f3
Checking d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
Checking f8d0839dd728cb9a723e32058dcc386070d5e3b5
missing blob f8d0839dd728cb9a723e32058dcc386070d5e3b5
Checking d961f81a588fcfd5e57bbea7e17ddae8a5e61333
missing blob d961f81a588fcfd5e57bbea7e17ddae8a5e61333
Checking 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c

We can see a missing blobs and SHA1 mismatch . maybe its broken so we need to repair objects hashes . but lets search more .

1
2
3

git ls-tree -r HEAD
100644 blob e5e5f63b462ec6012bc69dfa076fa7d92510f22f   Makefile
100644 blob f8d0839dd728cb9a723e32058dcc386070d5e3b5   sharp.cpp

We can see sharp.cpp and Makefile , its good .go on lets check commits log :

1
2
3
4
5
6
7
8
9
10
11

git log --oneline --raw -c

4a2f335 All done now! Should calculate the flag..assuming everything went okay.
:000000 100644 0000000... e5e5f63... A  Makefile
:100644 100644 d961f81... f8d0839... M  sharp.cpp
d57aaf7 There's only two factors. Don't let your calculator lie.
:100644 100644 354ebf3... d961f81... M  sharp.cpp
2e5d553 It's getting better!
:100644 100644 efda2f5... 354ebf3... M  sharp.cpp
7c9ba8a Initial commit! This one should be fun.
:000000 100644 0000000... efda2f5... A  sharp.cpp

it seems we are in a good way , it seems sharp.cpp calculate flag . lets try read sharp.cpp , logs should be a good place :)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

git log -p -m

All done now! Should calculate the flag..assuming everything went okay.

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e5e5f63
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,6 @@
+
+CXXFLAGS:=-O2 -g -Wall -Wextra -Wshadow -std=c++11
+LDFLAGS:=-lcrypto
+
+ALL:
+       $(CXX) $(CXXFLAGS) $(LDFLAGS) -o sharp sharp.cpp
diff --git a/sharp.cpp b/sharp.cpp
index d961f81..f8d0839 100644
--- a/sharp.cpp
+++ b/sharp.cpp
@@ -2,8 +2,57 @@
 #include <string>
 #include <algorithm>

+#include <stdint.h>
+#include <stdio.h>
+#include <openssl/sha.h>
+
 using namespace std;
+std::string calculate_flag(
+               std::string &part1,
+               int64_t part2,
+               std::string &part4,
+               uint64_t factor1,
+               uint64_t factor2)
 ........ Bunch of Code .

` We find it . Full source Code here : http://paste2.org/9Mnm1MX6

after compiling , and running :

1
2
3
4
5
6
7
8
9
10

parsa@xored:~/Desktop$ ./for400
Part1: Enter flag:
flag
Part2: Input 31337:
31337
Part3: Watch this: https://www.youtube.com/watch?v=PBwAxmrE194
watched
Part4: C.R.E.A.M. Get da _____:
money
Part5: Input the two prime factors of the number 272031727027.

we need 5 part to get flag , it seems we have 4 parts , they are flag,31337,watched,money but we need 5th part . lets factor 272031727027 to primes .

Python Code :

1
2
3
4
5
6
7
8
9
10
11
12
13
14

def factors(n):
    i = 2
    factors = []
    while i * i <= n:
        if n % i:
            i += 1
        else:
            n //= i
            factors.append(i)
    if n > 1:
        factors.append(n)
    return factors
num = 272031727027
print factors(num)

Result :

1
2

parsa@xored:~/Desktop$ python aaa.py
[31357, 8675311]

lets run Binary again :

1
2
3
4
5
6
7
8
9
10
11
12
13

parsa@xored:~/Desktop$ ./for400
Part1: Enter flag:
flag
Part2: Input 31337:
31337
Part3: Watch this: https://www.youtube.com/watch?v=PBwAxmrE194
watched
Part4: C.R.E.A.M. Get da _____:
money
Part5: Input the two prime factors of the number 272031727027.
31357
8675311
flag{3b532e0a187006879d262141e16fa5f05f2e6752}

and done The flag is : 3b532e0a187006879d262141e16fa5f05f2e6752

Good Luck .

Comments