Challenge 1 & 2 Write-Up – SMP CTF 2010 Hacker Olympics…

July 13, 2010 at 7:45 pm (Capture The Flag, SMP CTF)

Hey,

This is the first of many write-up’s to come from SMP CTF that happened over the weekend. Challenge 1, which was worth 200 points consisted of the following:

Set S = 1
Set P = 1
Set previous answer = 1

answer = S * P + previous answer + R
R = 39

After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.

The final key will be the value of 'answer' when S = 11065.

Example:
So if R = 15..

17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15


Submit the correct answer and you will receive a flag. Have fun ;D

Looking at the source page to this challenge we find a hidden hint:

!--VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7--

This looks awfully like base64, lets see…

[zoidberg@/dev/null:~ ] $ echo VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7 | base64 -d
The values of S and R change every 5 minutes or so hehe ;
[zoidberg@/dev/null:~ ] $

So moving on, this is a pretty straight forward math problem that we can easily translate into some perl / python code to work it out for us πŸ˜‰

Our team member Nex, was the person to complete this challenge, he came up with the following perl one liner:

perl -e 'my $pan=1; for (my $a=1;$a<=11065;$a++) { $ans=$a*$a+$pan+39; $pan=$ans; } print "$ans\n";'

Which pretty much translates to the math problem above, just broken down and put into code. When we run this piece of code, we get the following answer:

451639883701

Which when you submitted it, gave you the following:

Challenge ID: 36b1c546
Flag: WaSThAtFunORwhaT?!?xxxxxx

Yay so we completed that level. I wrote my own code in python for this challenge which consisted of the following:

>>> p_ans = 1
>>> val = 11065
>>> a = 1
>>> r = 39
>>> for i in range(a, val+1):
... answer = i * i + p_ans + r
... p_ans = answer
...
>>> print answer
451639883701
>>>

So that is how we beat Challenge 1. I won’t be writing a write-up for Challenge 2, I will briefly explain it now as it was such a simple challenge. So, this is what we got for challenge 2 (which was for 100 points):

Where's waldo?

ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf

Help find waldo..

Upon logging into the server the users shell must of been set to /usr/bin/vi because we were presented with a vi terminal instead of a shell. This is quite a common trick and can be evaded simply by typing the following:

:set shell=/bin/sh
:sh

This will then drop you to a /bin/sh shell and you can proceed to find waldo any method you wish πŸ™‚

We simply issued a few find / grep commands and found waldo hiding in a dot file under the /usr directory. If my memory serves me correctly it was as simple as this:

find /usr -name smp

This then gave us the following location:

/usr/lib/.flag/smp

Looking at the file ‘smp’ in the .flag directory we seemed to have found waldo πŸ™‚

Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies

Anyway, lookout for the next write-up which will be for Challenge 3 – the most craziest challenge there was I think πŸ™‚

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: