DefConCTF 2015 Access-Control Writeup
Point = 1
Category = Reverse
TL;DR
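We are given a binary that appears to be a client for accessing a server.
The script below reproduces the client's login: it derives the password, and later the challenge response, by XORing parts of the connection ID the server sends with the username and with the challenge. Every input is either sent by the server or fixed in the client, so the exchange depends on no secret.
You can see my solution here: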
# Python 2 script (print statements, str-based socket I/O).
import socket
import telnetlib

HOST = "access_control_server_f380fcad6e9b2cdb3c73c651824222dc.quals.shallweplayaga.me"
PORT = 17069


def _mix(text, pad):
    """XOR the first five characters of text with pad and fold the result.

    Each XORed byte is then adjusted: values up to 0x1f get 0x20 added, and
    0x7f is mapped to 0x21. The intermediate list is printed for debugging.
    Raises IndexError if either argument has fewer than five characters.
    """
    chars = [chr(ord(text[k]) ^ ord(pad[k])) for k in range(5)]
    print chars
    for k in range(5):
        code = ord(chars[k])
        if code <= 0x1f:
            code += ord(' ')
        # Checked after the adjustment above, on the current value.
        if code == 0x7f:
            code = code - 0x7E + 0x20
        chars[k] = chr(code)
    return ''.join(chars)


conn = socket.create_connection((HOST, PORT))

# The connection ID is the third space-separated field of the first read.
# NOTE(review): assumes the whole banner arrives in a single recv() - confirm.
cid = conn.recv(1024).split(" ")[2]
# Sample ID the author kept for offline debugging:
# cid = "H\"Y1)3IY+yEl\\3\n"
print cid, len(cid)

# Character 7 of the ID, modulo 3, selects where the pad slices start.
selector = ord(cid[7])
print chr(selector)
offset = selector % 3

# Password = username XOR a five-character slice of the connection ID.
# Both inputs are known to any client (the ID is sent by the server and the
# username is fixed), so the derived password is not a secret.
user = "duchess"  # the original listing also notes "grumpy" next to this
pad = cid[offset + 1:offset + 6]
print pad
passw = _mix(user, pad)
print passw

# Fixed dialogue: version string, username, derived password, then the
# command; each reply is echoed to stdout.
print conn.recv(1024)
conn.send("version 3.11.54\n")
print conn.recv(1024)
conn.send("duchess\n")
print conn.recv(1024)
conn.send(passw + "\n")
print conn.recv(1024)
conn.send("print key\n")
print conn.recv(1024)

# The next read carries a challenge; its second space-separated field is
# the value to answer.
chall = conn.recv(1024)
print chall
chall = chall.split(" ")[1]
print chall

# Response = challenge XOR a second slice of the same connection ID,
# folded the same way as the password.
pad = cid[offset + 7:offset + 12]
print pad
passw = _mix(chall, pad)
print passw, len(passw)
conn.send(passw + "\n")

# Hand the open socket to an interactive telnet session.
session = telnetlib.Telnet()
session.sock = conn
session.interact()
Running the script:
$ python access-sol.py
XZI_}jT.'l@Km+
[..]
the key is: The only easy day was yesterday. 44564
hello duchess, what would you like to do?
@HAMIDx9