Description
We had a flag, but lost it in a mess of alphabet soup! Can you help us find it?
Connect to the server via nc c1.easyctf.com 12484.
Resolution
This is the (cleaned-up) Python code for the server:

```python
#!/usr/bin/env python3
from binascii import unhexlify

ME_FLAGE = '<censored>'


def inverseNum(arg):
    # Reverse the decimal digits of an integer.
    soup = 0
    while arg != 0:
        soup = (soup * 10) + (arg % 10)
        arg //= 10
    return soup


def toNum(arg):
    # Hand-rolled string-to-int conversion: assumes each character is '0'..'9'.
    soup = 0
    for e in arg:
        soup *= 10
        soup += ord(e) - ord('0')
    return soup


def main():
    Soup = input()[:7]  # input is truncated to 7 characters
    print(Soup)
    if not Soup.isdigit():
        print("that's not a number lol")
        return
    # Reverse the digits, then keep the low 32 bits as 8 hex characters.
    SouP = hex(inverseNum(toNum(Soup)))[2:].zfill(8)[-8:]
    if unhexlify(SouP) == 's0up'.encode():
        print("oh yay it's a flag!", ME_FLAGE)
    else:
        print('oh noes rip u')


if __name__ == '__main__':
    main()
```
The input is converted to a number, its decimal digits are reversed, and the result is converted to hexadecimal. The hex string is then decoded to bytes and compared to “s0up”.
I inverted the process to find a number that would give the desired output:

```
>>> "s0up".encode("hex")
'73307570'
>>> 0x73307570
1932555632
>>> "1932555632"[::-1]
'2365552391'
```

It looks like I just have to enter 2365552391 to get the flag, but wait! The input is limited to 7 characters! 🙁
The toNum() function subtracts the character code of “0” from the code of each character. If I manage to pass something other than an Arabic numeral, I can get a bigger result. The only thing preventing this is the initial check with isdigit().
After some searching, I found out that the isdigit() function doesn’t only return true for digits as we commonly know them (Arabic numerals) but also for every Unicode character that represents a digit.
I did some tests to see what would happen if I input one of these characters:

```
>>> toNum("൯")
3391
>>> toNum("൯1")
33911
>>> toNum("൯123")
3391123
```
One Unicode character can give me 4 digits. That is enough, since I can write the rest using the 6 remaining characters, but I need to find a Unicode character that produces 2365. I ended up writing a loop and found that ७ was the one. Now I can connect to the challenge and input my final payload:

```
nc c1.easyctf.com 12484
७552391
७552391
oh yay it's a flag! easyctf{S0up_soup_soUP_sOuP_s0UP_S0up_s000000OOOOOOuuuuuuuuppPPppPPPp}
```

Nice! 🙂
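The root cause, as an added example that is not part of the original writeup or the challenge's code: it compares how `str.isdigit()`, an ASCII allow-list and `int()` treat the same input, next to the server's `toNum()` arithmetic. `parse_strict` and `audit` are hypothetical helper names, and the samples other than the payload from this page are constructed.

```python
import re

ASCII_DIGITS = re.compile(r"[0-9]+")  # unlike \d, [0-9] matches ASCII digits only

def to_num(arg):
    # Same arithmetic as the server's toNum(): trusts every char to be '0'..'9'.
    soup = 0
    for ch in arg:
        soup = soup * 10 + (ord(ch) - ord("0"))
    return soup

def parse_strict(text, max_len=7):
    # Hardened variant (hypothetical helper): allow-list ASCII digits, then int().
    if len(text) > max_len or not ASCII_DIGITS.fullmatch(text):
        raise ValueError("expected 1 to %d ASCII digits" % max_len)
    return int(text)

def audit(text):
    # Show how each check or conversion treats the same input.
    return {
        "isdigit": text.isdigit(),
        "isdecimal": text.isdecimal(),
        "ascii_only": bool(ASCII_DIGITS.fullmatch(text)),
        "to_num": to_num(text),
        "int": int(text) if text.isdecimal() else None,
    }

if __name__ == "__main__":
    # "७552391" is the payload from this page; the other samples are constructed.
    for sample in ("1234567", "७552391", "²"):
        print(repr(sample), audit(sample))
        try:
            print("  parse_strict ->", parse_strict(sample))
        except ValueError as exc:
            print("  parse_strict rejected:", exc)
```

Note that `int()` maps Unicode decimal digits to their numeric value, so it reads the payload as 7552391 rather than 2365552391; the oversized value only appears because `toNum()` does raw code point arithmetic after a check that is broader than its assumption.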