
EasyCTF IV – Soupstitution

EasyCTF - This article is part of a series.
Part 4: This Article

Description

We had a flag, but lost it in a mess of alphabet soup! Can you help us find it?

Connect to the server via nc c1.easyctf.com 12484.

Resolution

This is the (cleaned-up) Python code for the server:

#!/usr/bin/env python3

from binascii import unhexlify

ME_FLAGE = '<censored>'

def inverseNum(arg):
    soup = 0
    while arg != 0:
        soup = (soup * 10) + (arg % 10)
        arg //= 10
    return soup

def toNum(arg):
    soup = 0
    for e in arg:
        soup *= 10
        soup += ord(e) - ord('0')
    return soup

def main():
    Soup = input()[:7]
    print(Soup)
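    # Reject anything that str.isdigit() does not consider a digit string
    if not Soup.isdigit():
        print("that's not a number lol")
        return

    # Parse, reverse the decimal digits, then keep the low 8 hex characters
    SouP = hex(inverseNum(toNum(Soup)))[2:].zfill(8)[-8:]
    if unhexlify(SouP) == 's0up'.encode():
        print("oh yay it's a flag!", ME_FLAGE)
    else:
        print('oh noes rip u')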

if __name__ == '__main__':
    main()

The input is parsed into a number, its decimal digits are reversed, and the result is converted to hexadecimal. The hex string is then decoded to bytes and compared to “s0up”.

I inverted the process to find a number that would give the desired output:

"s0up".encode().hex()
# '73307570'
0x73307570
# 1932555632
"1932555632"[::-1]
# '2365552391'

It looks like I just have to enter 2365552391 to get the flag, but wait! The input is limited to 7 characters! ☹️

The toNum() function subtracts the character code of “0” from the code of each character. If I manage to pass something other than an Arabic numeral, I can get a bigger result. The only thing preventing this is the initial check with isdigit().

After some searching, I found out that the isdigit() function doesn’t only return true for the numbers we commonly know (Arabic numerals) but also for every Unicode character that represents a number.

I did some tests to see what would happen if I input one of these characters:

toNum("൯")
# 3391
toNum("൯1")
# 33911
toNum("൯123")
# 3391123

One Unicode character can give me 4 digits. That’s enough to write the rest using the 6 remaining characters, but I need to find a Unicode character that produces 2365. I ended up making a loop and found that ७ was the one. Now I can connect to the challenge and input my final payload:

nc c1.easyctf.com 12484
७552391
७552391
oh yay it's a flag! easyctf{S0up_soup_soUP_sOuP_s0UP_S0up_s000000OOOOOOuuuuuuuuppPPppPPPp}

Nice! 😄
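
The following is an added example, not code from the original write-up or the challenge: it re-implements the server's toNum()/inverseNum() arithmetic to show where the isdigit() gate and the ord() arithmetic disagree, next to a stricter ASCII-only gate. The names server_accepts, strict_is_number and mismatch are hypothetical, and the ASCII-only policy is an assumption about what the server intended to accept.

```python
from binascii import unhexlify

def to_num(s):
    # Same arithmetic as the server's toNum(): assumes each char is '0'..'9'.
    n = 0
    for ch in s:
        n = n * 10 + (ord(ch) - ord('0'))
    return n

def inverse_num(n):
    # Same as the server's inverseNum(): reverse the decimal digits.
    out = 0
    while n:
        out = out * 10 + n % 10
        n //= 10
    return out

def server_accepts(s):
    # The server's logic: truncate to 7 characters, gate on str.isdigit().
    s = s[:7]
    if not s.isdigit():
        return False
    h = hex(inverse_num(to_num(s)))[2:].zfill(8)[-8:]
    return unhexlify(h) == b's0up'

def strict_is_number(s):
    # Hardened gate (assumption: only ASCII '0'..'9' should ever be accepted).
    return s.isascii() and s.isdigit()

def mismatch(ch):
    # For one character: (passes isdigit, value to_num() uses, value int() uses).
    return ch.isdigit(), to_num(ch), int(ch) if ch.isdecimal() else None

if __name__ == '__main__':
    payload = '\u096d552391'   # the write-up's input: DEVANAGARI DIGIT SEVEN + 6 ASCII digits
    print(mismatch('\u096d'))          # isdigit passes, but ord arithmetic != digit value
    print(server_accepts(payload))     # the isdigit() gate lets it through
    print(strict_is_number(payload))   # the ASCII-only gate rejects it
    print(server_accepts('2365552'))   # 7 plain ASCII digits cannot reach the target
```

Python's int() maps the same character to its digit value 7, so parsing with int() instead of hand-rolled ord() arithmetic also removes the mismatch.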
