EasyCTF IV – Soupstitution


We had a flag, but lost it in a mess of alphabet soup! Can you help us find it?

Connect to the server via nc c1.easyctf.com 12484.


This is the (cleaned-up) Python code for the server:

#!/usr/bin/env python3

from binascii import unhexlify

ME_FLAGE = '<censored>'

def inverseNum(arg):
    # Reverse the decimal digits of arg (e.g. 123 -> 321)
    soup = 0
    while arg != 0:
        soup = (soup * 10) + (arg % 10)
        arg //= 10
    return soup

def toNum(arg):
    # Build a number from the characters, assuming each one is '0'..'9'
    soup = 0
    for e in arg:
        soup *= 10
        soup += ord(e) - ord('0')
    return soup

def main():
    # Only the first 7 characters of the input are kept
    Soup = input()[:7]
    if not Soup.isdigit():
        print("that's not a number lol")
        return

    SouP = hex(inverseNum(toNum(Soup)))[2:].zfill(8)[-8:]
    if unhexlify(SouP) == 's0up'.encode():
        print("oh yay it's a flag!", ME_FLAGE)
    else:
        print('oh noes rip u')

if __name__ == '__main__':
    main()

The input is converted to a number, its decimal digits are reversed, and the result is written as hexadecimal. That hex string is then decoded to bytes and compared to “s0up”.

I inverted the process to find a number that would give the desired output:

>>> "s0up".encode("hex")
'73307570'
>>> 0x73307570
1932555632
>>> "1932555632"[::-1]
'2365552391'

It looks like I just have to enter 2365552391 to get the flag, but wait! The input is limited to 7 characters! 🙁

The toNum() function subtracts the ASCII code of “0” from the code of each character. If I manage to pass something other than an Arabic numeral, I can get a bigger result. The only thing preventing this is the initial check with isdigit().

After some searching I found out that the isdigit() function doesn’t only return true for numbers as we commonly know them (Arabic numerals) but also for every Unicode character that represents a number.

I did some tests to see what would happen if I input one of these characters:

>>> toNum("൯")
3391
>>> toNum("൯1")
33911
>>> toNum("൯123")
3391123

One Unicode character can give me 4 numbers. It’s enough to write the rest using the 6 remaining characters, but I need to find a Unicode character that produces 2365. I ended up writing a loop and found that ७ was the one. Now I can connect to the challenge and input my final payload:

nc c1.easyctf.com 12484
oh yay it's a flag! easyctf{S0up_soup_soUP_sOuP_s0UP_S0up_s000000OOOOOOuuuuuuuuppPPppPPPp}

Nice! 🙂
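An added example (not part of the original write-up or the challenge's own code): the server's logic with the validation step made pluggable, so the isdigit() check can be compared with an ASCII-only check. The function names and sample inputs are assumptions made for this example; the payload string is built from the character and digits given above.

```python
from binascii import unhexlify

def to_num(arg):
    # Same arithmetic as the server's toNum(): assumes each char is '0'..'9'.
    n = 0
    for ch in arg:
        n = n * 10 + (ord(ch) - ord("0"))
    return n

def inverse_num(n):
    # Same as the server's inverseNum(): reverse the decimal digits.
    out = 0
    while n:
        out, n = out * 10 + n % 10, n // 10
    return out

def check(soup, validator):
    """Server logic from the page, with the validation step passed in."""
    soup = soup[:7]
    if not validator(soup):
        return "rejected"
    word = hex(inverse_num(to_num(soup)))[2:].zfill(8)[-8:]
    return "flag" if unhexlify(word) == b"s0up" else "no flag"

def weak_validator(s):
    # What the server does: True for any Unicode digit, not just 0-9.
    return s.isdigit()

def strict_validator(s):
    # Hardened: only ASCII 0-9, so ord(ch) - ord('0') always stays in 0..9.
    return s.isascii() and s.isdigit()

def per_char_values(s):
    # What each character contributes inside to_num(); values outside 0..9
    # show the mismatch between the validation and the arithmetic.
    return [ord(ch) - ord("0") for ch in s]

# Constructed sample inputs: a plain 7-digit string, and the write-up's
# character (DEVANAGARI DIGIT SEVEN, U+096D) followed by "552391".
PLAIN = "1234567"
PAYLOAD = "\u096d552391"

if __name__ == "__main__":
    for name, v in (("isdigit()", weak_validator), ("ASCII-only", strict_validator)):
        print(f"{name:10} plain={check(PLAIN, v)} payload={check(PAYLOAD, v)}")
    print(per_char_values(PAYLOAD))
```

Python's built-in int() would also have avoided the problem, since it maps a Unicode decimal digit to its digit value rather than to its code point offset.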
