Challenge 1 & 2 Write-Up – SMP CTF 2010 Hacker Olympics…
Hey,
This is the first of many write-up’s to come from SMP CTF that happened over the weekend. Challenge 1, which was worth 200 points consisted of the following:
Set S = 1
Set P = 1
Set previous answer = 1
answer = S * P + previous answer + R
R = 39
After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.
The final key will be the value of 'answer' when S = 11065.
Example:
So if R = 15..
17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15
Submit the correct answer and you will receive a flag. Have fun ;D
Looking at the source page to this challenge we find a hidden hint:
!--VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7--
This looks awfully like base64, lets see…
[zoidberg@/dev/null:~ ] $ echo VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7 | base64 -d
The values of S and R change every 5 minutes or so hehe ;
[zoidberg@/dev/null:~ ] $
So moving on, this is a pretty straight forward math problem that we can easily translate into some perl / python code to work it out for us π
Our team member Nex, was the person to complete this challenge, he came up with the following perl one liner:
perl -e 'my $pan=1; for (my $a=1;$a<=11065;$a++) { $ans=$a*$a+$pan+39; $pan=$ans; } print "$ans\n";'
Which pretty much translates to the math problem above, just broken down and put into code. When we run this piece of code, we get the following answer:
451639883701
Which when you submitted it, gave you the following:
Challenge ID: 36b1c546
Flag: WaSThAtFunORwhaT?!?xxxxxx
Yay so we completed that level. I wrote my own code in python for this challenge which consisted of the following:
>>> p_ans = 1
>>> val = 11065
>>> a = 1
>>> r = 39
>>> for i in range(a, val+1):
... answer = i * i + p_ans + r
... p_ans = answer
...
>>> print answer
451639883701
>>>
So that is how we beat Challenge 1. I won’t be writing a write-up for Challenge 2, I will briefly explain it now as it was such a simple challenge. So, this is what we got for challenge 2 (which was for 100 points):
Where's waldo?
ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf
Help find waldo..
Upon logging into the server the users shell must of been set to /usr/bin/vi because we were presented with a vi terminal instead of a shell. This is quite a common trick and can be evaded simply by typing the following:
:set shell=/bin/sh
:sh
This will then drop you to a /bin/sh shell and you can proceed to find waldo any method you wish π
We simply issued a few find / grep commands and found waldo hiding in a dot file under the /usr directory. If my memory serves me correctly it was as simple as this:
find /usr -name smp
This then gave us the following location:
/usr/lib/.flag/smp
Looking at the file ‘smp’ in the .flag directory we seemed to have found waldo π
Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies
Anyway, lookout for the next write-up which will be for Challenge 3 – the most craziest challenge there was I think π
Leave a Reply