This is the partial writeup for the challenges presented in this year’s PlaidCTF.
docker (10 pts)
docker pull whowouldeverguessthis/public
After pulling the docker image and running it in interactive mode, a first look at the common folders only highlights the file “/flag”, but the content is useless.
"I'm sorry, but your princess is in another castle"
Next place to check for any clues is the history of the docker image.
docker image history --no-trunc whowouldeverguessthis/public
There, we can see the flag (inside “/flag” file) before it was changed.
can you guess me (100 pts)
Here’s the source to a guessing game:
You can access the server at
nc canyouguessme.pwni.ng 12349
Source formatted for clearness
#! /usr/bin/env python3 from sys import exit from secret import secret_value_for_password, flag, exec ... try: val = 0 inp = input("Input value: ") count_digits = len(set(inp)) if count_digits <= 10: # Make sure it is a number val = eval(inp) else: raise if val == secret_value_for_password: print(flag) else: print("Nope. Better luck next time.") except: print("Nope. No hacking.") exit(1)
The code takes a string as input, checks it has a max of 10 different chars in it and then evaluates it with eval(). If the evaluated input is the same as a “secret value” imported initially, the flag is given.
A bruteforce would be infeasible since the connection is closed each time and we’re not sure how the “secret value” is formatted.
Moving on to the imported modules, there’s the flag and supposedly
Trying to give the program “
exec(input())” (which are exactly 10 different chars), forthwith informs the user that exec is useless by showing an ascii art of a troll face.
Since the shebang is set to python3, we are forced to use
print() function with parenthesis.
This reduce the number of chars we can use of 2 therefore “
print(flag)” is rejected since it’s 11 differents chars.
Looking throught python3 built-in functions,
vars() stands out. It returns a dict with name:value pairs of all the objects.
Seeing that “
print(vars())” is exactly 10 different chars, giving it as input to the server results in the flag (amongs other objects) being printed.