backdoor CTF 2015: NONAME
Category: Exploit
Points: 200
Author: Amanpreet Singh
Difficulty:
Solves: 25
Description:
Interestingly enough, even though it was not expected, Chintu found a cool website to play with, though he can't get the flag. Can you? Visit this. Submit the SHA-256 hash of the flag obtained.
Gaylord: At first, (str (all-ns)) to get all namespaces. And then (clojure.repl/dir noname.people.admin) to see what is inside. It includes flag and secret. Used (noname.people.admin/flag) to get a half of the flag.
Chuymichxinhdep: However, secret is a private variable; I used ((noname.people.admin/secret)) to obtain the other half of the flag. Problem solved.
backdoor CTF 2015: QR
Category: Misc
Points: 70
Author: Abhay Bir Singh Rana
Difficulty: Easy
Solves: 84
Description:
Decode some QR codes at
nc hack.bckdr.in 8010
chuymichxinhdep:
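    # Python 2
    import socket
    from subprocess import Popen, PIPE

    i = 0
    sock = socket.socket()
    sock.connect(("hack.bckdr.in", 8010))
    s = sock.recv(1024)
    print(s)
    while True:
        i = i+1
        string = ""
        s = sock.recv(65535)
        # two spaces = light module, two full-block characters = dark module
        data = s.replace("\x20\x20","0").replace("\xe2\x96\x88\xe2\x96\x88","1")
        file = open('qr','w')
        for line in data.split("\n"):
            # drop the first and last cell of each row and pad short rows with light cells
            string = string+line[1:len(line)-1]+"0"*(47-len(line))+"\n"
        # drop the first and last row before writing the matrix out
        file.write(string[46:len(string)-1-46])
        file.close()
        # decode the binary matrix with the external decoder script
        output = Popen(["python", "sqrd.py", "qr"], stdout=PIPE).communicate()[0]
        print i, output.strip()
        sock.send(output.strip())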
Convert the QR to binary only and use Strong QR to decode. After 50 submissions we've got the flag.
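The text-to-matrix step described above, as an added Python 3 example that is not part of the original writeup. It assumes, as the posted script's replace calls and slicing imply, that each module arrives as two full-block characters or two spaces and that a one-cell frame surrounds the symbol; parse_qr_text, render and SAMPLE are hypothetical names, and the sample pattern is constructed.

```python
DARK, LIGHT = "\u2588\u2588", "  "  # one module is two characters wide

def parse_qr_text(text, border=1):
    """Return the symbol as rows of '0'/'1', with `border` frame cells removed."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # empty piece after the final newline
    rows = []
    for lineno, line in enumerate(lines, 1):
        if len(line) % 2:
            line += " "  # half of a light cell was trimmed off the end
        cells = []
        for i in range(0, len(line), 2):
            cell = line[i:i + 2]
            if cell not in (DARK, LIGHT):
                raise ValueError("line %d: misaligned or unknown cell %r" % (lineno, cell))
            cells.append("1" if cell == DARK else "0")
        rows.append("".join(cells))
    side = len(rows)  # frame included; a QR symbol is square
    if any(len(r) > side for r in rows):
        raise ValueError("a row is wider than the %d-line height" % side)
    # Trailing light cells may have been trimmed, so pad every row to the height.
    rows = [r.ljust(side, "0")[border:side - border] for r in rows[border:side - border]]
    size = side - 2 * border
    if not 21 <= size <= 177 or (size - 17) % 4:
        raise ValueError("%d is not a QR size (21, 25, ..., 177)" % size)
    return rows

def render(rows, border=1):
    """Constructed test helper: draw bit rows as block text, trailing spaces trimmed."""
    pad = "0" * border
    blank = "0" * (len(rows[0]) + 2 * border)
    framed = [blank] * border + [pad + r + pad for r in rows] + [blank] * border
    lines = ["".join(DARK if c == "1" else LIGHT for c in r).rstrip() for r in framed]
    return "\n".join(lines) + "\n"

# Constructed 21x21 bit pattern (not a decodable QR symbol), used only as sample input.
SAMPLE = ["".join("1" if (r * c + r) % 3 == 0 else "0" for c in range(21)) for r in range(21)]

if __name__ == "__main__":
    assert parse_qr_text(render(SAMPLE)) == SAMPLE
    print("\n".join(parse_qr_text(render(SAMPLE))[:3]))
```

Rejecting misaligned cells and impossible sizes before calling the decoder separates a short recv() or a stray prompt line from a genuine decode failure.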
backdoor CTF 2015: RAPIDFIRE
Category: Misc
Points: 500
Author: Amanpreet Singh
Difficulty: TODO
Solves: 0
Description:
I am enjoying it really. Are you?
nc hack.bckdr.in 8007
Submit the SHA-256 hash of the flag obtained.
Chuymichxinhdep: Just use the brilliant source code from gaylord.
    # Python 2
    import socket, hashlib, time, requests
    from geopy import GoogleV3
    import re
    import shelve
    import omdb

    host = '128.199.107.60'
    port = 8008
    rep_countrycode = False

    # n-th Fibonacci number in O(log n) steps
    def fib(n):
        i = h = 1
        j = k = 0
        while (n > 0):
            if (n%2 == 1):  # when n is odd
                t = j*h
                j = i*h + j*k + t
                i = i*k + t
            t = h*h
            h = 2*k*h + t
            k = k*k + t
            n = int(n/2)
        return j

    # country of a place via the Google geocoder, cached on disk in a shelf
    def get_country(place_name):
        gapi = shelve.open('googly_cache', writeback=True)
        try:
            wat = place_name.encode('base64')
        except UnicodeEncodeError:
            wat = u' '.join(place_name).encode('utf-8').strip().encode('base64')
        if (wat in gapi):
            print('[*] Found in shelf')
            loc = gapi[wat]
        else:
            print('[*] Request from GGAPI')
            loc = geolocator.geocode(place_name).raw
            gapi[wat] = loc
            gapi.sync()
        gapi.close()
        for comp in loc['address_components']:
            if 'country' in comp['types']:
                if rep_countrycode:
                    return comp['short_name']  # TODO: not short_name but something else
                else:
                    return comp['long_name']

    # release year of a movie via OMDB, cached on disk in a shelf
    def get_release(movie_name):
        gapi = shelve.open('moviee_cache', writeback=True)
        try:
            wat = movie_name.encode('base64')
        except UnicodeEncodeError:
            wat = u' '.join(movie_name).encode('utf-8').strip().encode('base64')
        if (wat in gapi):
            print('[*] Found in shelf')
            loc = gapi[wat]
        else:
            print('[*] Request from OMDB')
            s = omdb.title(movie_name)
            loc = s['year']
            gapi[wat] = loc
            gapi.sync()
        gapi.close()
        return loc

    def read_until(wat):
        buf = ''
        while not (wat in buf):
            buf += sock.recv(1)
        return buf

    def read_for_fun(sz):
        d = ''
        while (sz > 0):
            tmp = sock.recv(sz)
            sz -= len(tmp)
            d += tmp
        return d

    # init connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    geolocator = GoogleV3()
    pii = requests.get('http://www.angio.net/pi/digits/pi1000000.txt').text

    # read & answer
    while True:
        s = sock.recv(8192)
        if ('code is in CAPS' in s):
            rep_countrycode = True
        if (s == ''):
            time.sleep(10)
        print(s)
        n = 'wat'
        res = n
        if ('sum' in s):
            n = int(re.findall(r'first\ (\d+)\ ', s)[0])
            if ('odd' in s):
                res = n * n
            elif ('fibonacci' in s):
                res = fib(n+2) - 1
            elif ('natural number' in s):
                res = (n * (n + 1) // 2)
            res = str(res)
        elif ('prime' in s):
            n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0]) + 1
            n = str(n)
            page = requests.get('http://numbersofprime.com/prime/' + n)
            res = re.findall(r'', page.text)[1]
            res = res.replace(',', '')
            res = res.strip()
        elif ('md5' in s):
            n = re.findall(r'of\ (.*)\n', s)[0]
            res = hashlib.md5(n).hexdigest()
        elif ('pi' in s):
            n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0])
            res = pii[n+1]
        elif ('fibonacci' in s):
            n = int(re.findall(r'the\ (\d+)(st|nd|rd|th)', s)[0][0])
            res = str(fib(n))
        elif ('binary' in s):
            n = int(re.findall(r'of\ (\d+)\ in', s)[0])
            res = bin(n)[2:]
        elif ('country' in s):
            n = re.findall(r'of\ (.*)\n', s)[0]
            res = get_country(n)
        elif ('release year' in s):
            n = re.findall(r'of\ (.*)\n', s)[0]
            res = get_release(n)
        print '[*] n = ', n
        print '[*] res = ', res
        sock.sendall(res+'\n')
I added pycountry to get the alpha-2 code of the country. After 199 submissions we will get the flag. Not a fun challenge because of the slow server and too many stupid questions.
-chuymichxinhdep.
BabyPhD.