Codefest2018 CTF writeups (prodigy and Access_denied)

Problem name: prodigy

problem statement:

Self-proclaimed prodigy Gourav has just learnt about binaries and compilers. He believes he can hide anything in the binary as long as he doesn’t print it. Show him that he is wrong.

binary file: prodigy

walk-through:

Open the binary in gdb and disassemble main:

(screenshot: gdb disassembly of main, 2018-09-02 13-58-26)

As you can see there is no cmp or jmp, only a single call to puts(), which just prints a weird message: You won’t find anything here #grvdkd #irock

So main() has nothing. There must be another function in the program that holds the flag, and that function is never called by main.

The next step was to find that function.

I ran objdump to disassemble all functions and found a function getFlag().

(screenshot: objdump output showing getFlag, 2018-09-02 14-37-17)

Next I opened the binary in gdb again and disassembled getFlag (just to see it in Intel flavour, as the objdump disassembly is hard to read).

After analyzing the assembly I found a call to strncat at <getFlag+225>, which seemed interesting.

(screenshot: gdb disassembly of getFlag with the strncat call, 2018-09-02 14-54-06)

So I put a breakpoint at the next instruction to see what is on the stack after the call to strncat().

I set two breakpoints:

  1.  at main
  2.  at getFlag+230 (the instruction right after the strncat() call)

(screenshot: the two breakpoints set in gdb)

Run the program; once the first breakpoint, i.e. main, is reached, I jump to getFlag.

After the jump, breakpoint 2 is reached and voila, we get the flag via the EAX register.

(screenshot: gdb after the jump to getFlag, registers shown)

As you can see the flag is CodefestCTF{`cZNjbcipTKZgHL}. EAX holds strncat’s return value, the pointer to the destination buffer, which now contains the assembled flag; nothing in main ever prints it, but the data is in the binary all the same.

________________________________________________________________________________________________

Problem name: ACCESS DENIED

Find the problem at: nc 34.216.132.109 9094

Statement:

A school IT staff manages access to secure files by the method of access code. You are required to give your name and the access code, and the program will give out secret information.

It checks whether you already have an access code, and generates a new random one along with a new user ID allotted to the user if that user is not found locally on the system. The access codes are known to have random expiration times (don’t know what goes on in their minds!), so don’t be surprised if you generated an access code just seconds ago and next time the same access code doesn’t work.

Johnny decided to go into the IT room and copy the program into his pendrive. You can find it here.

Can you get the secret information out from the program? The service runs on 34.216.132.109 on port 9094.

The source code Johnny copied is:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import random
import user_functions

user = raw_input("Enter your name: ")

if not user_functions.exists(user):
  # generate a code

  count_ = user_functions.generateID(user)%1000	#User ID/ UID in the table is always positive

  generator = "xorshift"
  random.seed(generator)
  count = 0;

  for ch in user:
    ra = random.randint(1, ord(ch))
    rb = (ord(ch) * random.randint(1, len(user))) ^ random.randint(1, ord(ch))

    count += (ra + rb)/2

  
  code = 1

  for i in range(1,count+count_):
    code = (code + random.randint(1, i) ) % 1000000

  final = random.randint(1,9) * 1000000 + code

  #store it in the database
  user_functions.store(user, final)

else:
  #if user already exists, fetch access code
  final = user_functions.get_code(user)

code = raw_input("Enter your access code: ").strip()


while True:
  
  if code.isdigit():
    if (int(code) == final):
      print "The flag is " + user_functions.get_flag(user)
      exit()
    else:
      print "Incorrect access code"
  else:
    print "The code must be an integer"

  code = (raw_input("\nPlease enter the code: "))

  print "\n###############################################"

As you can see the code is very straightforward.

‘name’ is the username; the password is generated by some operations on ‘name’ and stored in ‘final’, which is an int.

Two variables are used to calculate ‘final’: ‘count’ and ‘count_’.

‘count’ is the same every time if we give the same ‘name’ every time,

but ‘count_’ is something in the range (0, 1000) and we don’t know its value.

The calculation of ‘final’ also includes some randomly generated integers.

However, those random numbers come from a generator seeded with the constant string “xorshift”, and calls to random with the same seed produce the same output, so we can replay the exact sequence the service used.

So the task is to generate all 1000 possible values of ‘final’ (one per possible ‘count_’) and brute force them against the service.
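To make the size of that search space concrete, here is an added Python 3 example (not the author’s script and not the challenge code): it re-implements the code derivation with the constant seed, enumerates every code the service could hold for a given name, and contrasts that with a generator that draws the code from the OS entropy source. Python 3 hashes a string seed differently from Python 2, so the values will not match the live service; the structure and the size of the search space are the same.

```python
import random
import secrets

# Constant seed taken from the posted source; this is the whole weakness.
SEED = "xorshift"


def derive_code(name, uid):
    """Replay the challenge's derivation for `name` and user id `uid` (0..999).

    Uses a private random.Random instance so the global generator is untouched.
    Python 3 seeds strings differently from Python 2, so this matches the
    posted algorithm, not the live service's exact numbers (assumption noted).
    """
    rng = random.Random(SEED)          # same seed every call -> same stream every call
    count = 0
    for ch in name:
        ra = rng.randint(1, ord(ch))
        rb = (ord(ch) * rng.randint(1, len(name))) ^ rng.randint(1, ord(ch))
        count += (ra + rb) // 2        # integer division, as Python 2's '/' did
    code = 1
    for i in range(1, count + uid):
        code = (code + rng.randint(1, i)) % 1000000
    return rng.randint(1, 9) * 1000000 + code


def candidate_codes(name):
    """Every code the service could have stored for `name`.

    The only unknown is uid = generateID(name) % 1000, so the set has at most
    1000 members, which is why an online brute force is feasible.
    """
    return {derive_code(name, uid) for uid in range(1000)}


def issue_code_securely():
    """Hardened replacement: a code in the same 1000000..9999999 range drawn from
    the OS CSPRNG. No seed, no replay; knowing the name tells an attacker nothing."""
    return 1000000 + secrets.randbelow(9000000)


if __name__ == "__main__":
    # Constructed sample name; any string works.
    cands = candidate_codes("bob")
    print("distinct candidates for 'bob':", len(cands))      # at most 1000
    print("deterministic:", derive_code("bob", 7) == derive_code("bob", 7))
    print("hardened code:", issue_code_securely())
```

The contrast is the point: with the fixed seed, the only secret protecting the account is a 3-digit uid, and the code for every uid can be computed offline from the public source; with `secrets`, the full 9-million range is in play and nothing in the source lets it be recomputed.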

I wrote a very simple python script, which is self-explanatory.

crackAccessDenied.py

from pwn import *
import random   # pwn's star import already exposes random; the explicit import makes that clear
import sys

# Run under Python 2: the service seeds with a string, and Python 3 hashes string
# seeds differently, so a Python 3 run would produce a different (wrong) candidate set.
name = 'cbmhacker'
passwords = []
for uid in range(0, 1000):           # count_ = generateID(name) % 1000 is unknown, so try all of it
    random.seed("xorshift")          # same constant seed as the service, so the stream replays
    count = 0

    for ch in name:
        ra = random.randint(1, ord(ch))
        rb = (ord(ch) * random.randint(1, len(name))) ^ random.randint(1, ord(ch))
        count += (ra + rb) / 2       # integer division under Python 2, as in the service

    code = 1
    for i in range(1, count + uid):  # separate loop variable; the original reused 'i' here
        code = (code + random.randint(1, i)) % 1000000

    final = random.randint(1, 9) * 1000000 + code
    passwords.append(final)

conn = remote('34.216.132.109', 9094)
conn.sendline(name)

# Answer each code prompt with the next candidate until the flag comes back
for final in passwords:
    reply = conn.recv()
    if 'CodefestCTF{' not in reply:
        conn.sendline(str(final))
    else:
        print(reply)
        sys.exit()


Run this python script:

(screenshot: script output showing the flag)

Bravo!! The flag is CodefestCTF{1_s33_y0u_4r3_a_m4n_0f_r4nd0mn3ss}


Published by

CBM (community of beautiful minds)

I am a guy with complex thoughts but a simple face. A hacker, programmer, physicist, dancer, basketball player and, more importantly, a human.
