PlaidCTF 2019
Pwn, RE, Web, Crypto & Misc

This is the partial writeup for the challenges presented in this year’s PlaidCTF.


Misc

docker (10 pts)

docker pull whowouldeverguessthis/public

After pulling the docker image and running it in interactive mode, a first look at the common folders only highlights the file “/flag”, but the content is useless. "I'm sorry, but your princess is in another castle"

Next place to check for any clues is the history of the docker image.

docker image history --no-trunc whowouldeverguessthis/public

There, we can see the flag (inside “/flag” file) before it was changed.

🏁 PCTF{well_it_isnt_many_points_what_did_you_expect}

can you guess me (100 pts)

Here’s the source to a guessing game:

You can access the server at

nc canyouguessme.pwni.ng 12349

Source formatted for clearness

#! /usr/bin/env python3

from sys import exit
from secret import secret_value_for_password, flag, exec

...

try:
    val = 0
    inp = input("Input value: ")
    count_digits = len(set(inp))
    if count_digits <= 10:          # Make sure it is a number
        val = eval(inp)
    else:
        raise

    if val == secret_value_for_password:
        print(flag)
    else:
        print("Nope. Better luck next time.")
except:
    print("Nope. No hacking.")
    exit(1)

The code takes a string as input, checks it has a max of 10 different chars in it and then evaluates it with eval(). If the evaluated input is the same as a “secret value” imported initially, the flag is given.

A bruteforce would be infeasible since the connection is closed each time and we’re not sure how the “secret value” is formatted.

Moving on to the imported modules, there’s the flag and supposedly exec? Trying to give the program “exec(input())” (which are exactly 10 different chars), forthwith informs the user that exec is useless by showing an ascii art of a troll face.

Since the shebang is set to python3, we are forced to use print() function with parenthesis. This reduce the number of chars we can use of 2 therefore “print(flag)” is rejected since it’s 11 differents chars.

Looking throught python3 built-in functions, vars() stands out. It returns a dict with name:value pairs of all the objects. Seeing that “print(vars())” is exactly 10 different chars, giving it as input to the server results in the flag (amongs other objects) being printed.

🏁 PCTF{hmm_so_you_were_Able_2_g0lf_it_down?_Here_have_a_flag}

*****
Written by born2scan Team on 14 April 2019