Project Sekai
🔒 BYUCTF 2023 / ✅-rev-bad2
bad2 - 500 points
Category: Rev
Description: In a BYU-only CTF held at the end of one of our semesters, I made a Python rev chall called bad. Well, my power has doubled since the last time we met!! So now I'm making bad2 😈
Files:
Tags: Hard, I'm not sorry
Sutx pinned a message to this channel. 05/19/2023 10:01 AM
@Violin wants to collaborate 🤝
@Legoclones wants to collaborate 🤝
@TheBadGod wants to collaborate 🤝
idk what I'm doing wrong, but not getting anything sensible
12:08
In theory this should work

from pwn import *

"""
# will never be true because get_output has a newline at the end?
if output[-4:] == "root":
    output += "$ cat /etc/shadow\n"
    output += get_output("$ cat /etc/shadow")
else:
    output += "$ cat /etc/passwd\n"
    # why no "$" here?
    output += get_output("cat /etc/passwd")
"""

# guessed plaintext that the challenge would have produced on the target
string = "$ whoami\njulien\n$ cat /etc/passwd\nroot:x:0:0::/root:/usr/bin/bash"
#string = "$ whoami\nroot\n$ cat /etc/passwd\nroot:x:0:0::/root:/usr/bin/bash"
string += "a"*(60 - len(string))

mm = [16,12,21,-3,20,10,7,23,2,75,25,49,65,22,43,6,19,21,-2,50,22,4,89,49,16,8,3,3,-2,2,65,1,3,57,-3,10,35,0,17,57,19,2,65,6,-5,0,3,49,14,-4,23,-3,-3,26,63,21,89,77,83,15]

# brute-force the unknown offset j that the challenge adds to every entry of mm
for j in range(20):
    magic = [i + j for i in mm]
    try:
        s = b""
        for i in range(len(string)):
            # note: the guessed plaintext string[i] is XORed in here as well
            s += p8(ord(string[i])^magic[i%len(magic)]^b"whoami"[i%6])
        # trim trailing non-printable bytes
        while not all([0x20 <= i < 0x7f for i in s]):
            s = s[:-1]
        print(j, s)
    except:
        pass
12:09
and when I run it with the correct file contents I get the same stuff sent as I would expect with a length (value of j) of 5
@kanon wants to collaborate 🤝
@snwo wants to collaborate 🤝
@4n0nym4u5 wants to collaborate 🤝
TheBadGod
used /ctf solve
✅ Challenge solved.
dunno why, but I just needed to remove the string[i] from the p8
01:33
byuctf{th1s_1s_just_th3_beginn1ng_of_my_un1code_discov3r135}
ayyyyyyy nice!!
01:33
Knew tbg could solve 😤 🛐
I mean i had everything before
01:34
just confused why the data in the end is nulls
01:34
from pwn import *

string = "\x00"*60 # why nulls?
mm = [16,12,21,-3,20,10,7,23,2,75,25,49,65,22,43,6,19,21,-2,50,22,4,89,49,16,8,3,3,-2,2,65,1,3,57,-3,10,35,0,17,57,19,2,65,6,-5,0,3,49,14,-4,23,-3,-3,26,63,21,89,77,83,15]

for j in range(5,6):
    magic = [i + j for i in mm]
    s = b""
    for i in range(len(string)):
        s += p8(ord(string[i])^magic[i%len(magic)]^b"whoami"[i%6])
    print(j, s)
oh it's because
01:35
2nd to last line is p8() of 3 things: ord(string[i]) is first, magic[i%len(magic)] is second, and ^b"whoami"[i%6] is third. The second and third XORed together give you the flag
yeah I figured that out, always thought the final result should be the thing containing the flag
string[i] is normally the "$ whoami\njulien\n$ cat /etc/passwd\nroot:x:0:0::/root:/usr/bin/bash", then you could just figure out what the XOR key was
didn't occur to me that you used the whoami output as key
yeah
#!/usr/bin/python3
from base64 import b64decode
from base64 import b32decode
from codecs import encode
from types import CodeType
import subprocess
import os

decode=lambda x:x.decode()
# os has no PIPE attribute; the pipes come from subprocess
get_output=lambda b64decode:decode(subprocess.Popen(b64decode,stdout=subprocess.PIPE,stderr=subprocess.PIPE,shell=True).communicate()[0])

d={}
d['0']=0 # placeholder
d['1']=1 # placeholder
d['2']=2 # placeholder
d['data']=3

data = '$ whoami\n'
data += get_output("whoami")
d['data'] = data

# will never be true because get_output has a newline at the end?
if data[-4:] == "root":
    data += "$ cat /etc/shadow\n"
    data += get_output("$ cat /etc/shadow")
else:
    data += "$ cat /etc/passwd\n"
    data += get_output("cat /etc/passwd")

# anti-analysis check on a marker file (closing paren restored)
if not os.path.isfile("/tmp/tmp2iu36124") or open("/tmp/tmp2iu36124").read() != "c94mftoSzLH9nuoJeialx9dPRR8Qwbs2XHZ588m17yntCtl5SEk81Y5wK+YDmvMT":
    exit()

magic=[16,12,21,-3,20,10,7,23,2,75,25,49,65,22,43,6,19,21,-2,50,22,4,89,49,16,8,3,3,-2,2,65,1,3,57,-3,10,35,0,17,57,19,2,65,6,-5,0,3,49,14,-4,23,-3,-3,26,63,21,89,77,83,15]
# the offset added to the key table is the size of d
magic = [i + len(d) for i in magic]

# path checks: the script only runs from one of two expected locations
if __file__!="/tmp/tmprx0b9h45":
    if __file__!="/home/justin/ctf/future-ctf-problems/bad2/bad2.py":
        exit()

# integrity check on the first 3263 bytes of the script itself
the_hash=__import__("hashlib").sha256(open(__file__,'rb').read()[:3263]).hexdigest()
if the_hash !="27ce7196cf06ba8c9cf06a177bd394ee172cbad465584dcdeb66e2c9017da95d":
    exit()

# XOR the collected command output with magic and the repeating key "whoami"
data_to_encrypt=data
output = ""
for i in range(len(data_to_encrypt)):
    output += chr(ord(data_to_encrypt[i])^ord(chr(magic[i%len(magic)]^ord("whoami"[i%6]))))
print(output)
yeah that looks right
yeah I had it yesterday, just didn't know what I was looking for kekw
🔥 1
but yeah once you get there, the hint should hopefully prod you in the right direction
01:39
but yeah you had 95% of it done before
hint?
there's a hint in the chall description
01:39
lol
01:40
oof
01:40
anyway, time for more pyjail
nice!
01:40
gonna go to bed now soon
01:40
see u guys in the morning
good night
some guy got a segmentation fault by running bad2.py 😂