# Read the service output one byte at a time and echo it locally. Once the
# closing line of the prompt has arrived, pull the two letters and their
# repeat counts out of the buffered text and send back the expected string.
while (byte = s.read(1))
  print byte
  raw += byte

  # In the captured session this line is the last one the service prints
  # before it waits for the answer, so the whole prompt is buffered by now.
  input_flag = true if raw.match?(/You gotta be fassssssssst :D/)
  next unless input_flag == true

  # NOTE(review): match returns nil when the prompt wording differs, and
  # .captures then raises NoMethodError; the script assumes the format holds.
  prompt = raw.match(/.* '([A-Z]{1})' ([0-9]+) times followed by '([a-z]{1})' ([0-9]+) times, .* the sum of their ASCII values/)
  upper, upper_count, lower, lower_count = prompt.captures

  # Answer layout: first letter repeated, second letter repeated, then the
  # decimal sum of both character codes appended as text.
  reply = (upper * upper_count.to_i) + (lower * lower_count.to_i) + (upper.ord + lower.ord).to_s
  s.puts reply
  puts reply

  # Reset the state so a later prompt, if any, is parsed from a clean buffer.
  input_flag = false
  raw = ''
end
Executing the script I got the flag:
$ ruby typing-master.rb Give me 'R' 148 times followed by 'k' 169 times, followed by the sum of their ASCII values. This connection will close in 10 secs ;) You gotta be fassssssssst :DRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk189 The flag is: CodefestCTF{1_s33_y0u_4r3_a_m4n_0f_sp33d}
It is expected to complete reading a book/novel to pass the course, but the students being clever avoid reading the whole book by going through the summary only.
Santosh(their course teacher) comes up with a new idea, he creates a magic book (you can only go to next page, that is: you can't go to next page without reading the previous one and so on, and you can only start from the beginning).
It is known that the flag is hidden somewhere in the book, so the only way to pass the course is to read the whole book and find the flag. The book has 1000 pages so better be fast. And if you are lucky, you may even find the key on the very first page itself.
# Turns true once a response containing the flag has been printed
flag_found = false

# Cookie jar that holds the cookies received from the server between requests
jar = HTTP::CookieJar.new
# Return the action attribute of the first <form> in the page; the caller
# appends it to the base URL to request the following page.
#
# @param html [String] body of the page that was just fetched
# @return [String, nil] the form's action value, nil if the attribute is absent
def find_np(html)
  # NOTE(review): a page without any <form> makes this raise NoMethodError,
  # because the lookup then runs on nil.
  Nokogiri::HTML(html).at_css('form')['action']
end
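# Walk the book page by page over one persistent connection until a response
# that mentions the flag is found.
#
# NOTE(review): no use_ssl option is passed to Net::HTTP.start, so requests
# and the session cookie travel as plain HTTP to uri.port.
Net::HTTP.start(uri.host, uri.port) do |http|
  # Fetch the first page and read the link to the second one from it
  req = Net::HTTP::Get.new uri
  res = http.request req
  next_page = find_np(res.body)

  # Keep following the "next page" link until the flag shows up
  until flag_found
    uri = URI(base_url + next_page)
    req = Net::HTTP::Get.new uri

    # Store the cookies set by the previous response. get_fields returns nil
    # when the header is absent, so Array() turns that into an empty list
    # instead of letting .each raise on nil.
    Array(res.get_fields('Set-Cookie')).each do |value|
      jar.parse(value, req.uri)
    end

    # Send back every stored cookie that applies to this URL
    req['Cookie'] = HTTP::Cookie.cookie_value(jar.cookies(uri))
    res = http.request req

    if /flag/.match?(res.body)
      # The body mentions the flag: print it and stop
      puts res.body
      flag_found = true
    else
      # Otherwise move on to the page this one links to
      next_page = find_np(res.body)
    end
  end
end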
A good number of requests later, we finally reached the page where the flag is hidden.
A school IT staff manages access to secure files by the method of access code. You are required to give your name and the access code, and the program will give out secret information.
It checks whether you already have an access code; if the user is not found locally on the system, it generates a new random one along with a new user ID allotted to the user. The access codes are known to have random expiration time (don't know what goes on in their minds!), so don't be surprised if you generated an access code just seconds ago and next time the same access code doesn't work.
Johnny decided to go into the IT room and copy the program into his pendrive. You can find it here.
Can you get the secret information out from the program? The service runs on 34.216.132.109 on port 9094.
for ch in user: ra = random.randint(1, ord(ch)) rb = (ord(ch) * random.randint(1, len(user))) ^ random.randint(1, ord(ch))
count += (ra + rb)/2
code = 1
for i inrange(1,count+count_): code = (code + random.randint(1, i) ) % 1000000
final = random.randint(1,9) * 1000000 + code
#store it in the database user_functions.store(user, final)
else: #if user already exists, fetch access code final = user_functions.get_code(user)
code = raw_input("Enter your access code: ").strip()
whileTrue: if code.isdigit(): if (int(code) == final): print"The flag is " + user_functions.get_flag(user) exit() else: print"Incorrect access code" else: print"The code must be an integer"
#!/usr/bin/env python
from pwn import *
import sys

# NOTE(review): random is used below without an explicit import in this
# listing; presumably it arrives through the star import - confirm.

# The name sent to the service is empty, so the per-character loop below
# never runs and count stays at 0.
user = ''


def candidate_code(offset):
    """Replay the access-code computation for one assumed value of count_.

    The generator is re-seeded with the same constant string on every call,
    so each call replays the same pseudo-random sequence; only `offset`
    changes how many values are consumed before the final code is drawn.
    The solver relies on the service seeding with this same constant. A
    fixed, known seed makes every code reproducible; a service issuing
    access codes should draw them from the OS CSPRNG instead
    (random.SystemRandom, or the secrets module on Python 3).
    """
    # the seed is always the same
    seed_text = "xorshift"
    random.seed(seed_text)

    count = 0
    for ch in user:
        ra = random.randint(1, ord(ch))
        rb = (ord(ch) * random.randint(1, len(user))) ^ random.randint(1, ord(ch))
        count += (ra + rb)/2

    code = 1
    for step in range(1, count + offset):
        code = (code + random.randint(1, step)) % 1000000

    return random.randint(1, 9) * 1000000 + code


# One candidate per assumed count_ in 0..999; count_ is presumably the only
# input to the computation that is not known in advance.
codes = [candidate_code(count_) for count_ in range(0, 1000)]

# Connect to the server and answer the name prompt with an empty line
conn = remote('34.216.132.109',9094)
conn.recvuntil('Enter your name: ')
conn.sendline()

# Now try all codes we previously generated
for x in codes:
    text = conn.recv()
    if 'flag' in text:
        print(text)
        # x is the candidate that was about to be sent; presumably the code
        # accepted by the service is an earlier one - confirm before reuse.
        print(x)
        sys.exit()
    conn.sendline(str(x))
Running it we get the flag.
$ python2 access-denied.py [*] Checking for new versions of pwntools To disable this functionality, set the contents of /home/noraj/.pwntools-cache/update to 'never'. [*] A newer version of pwntools is available on pypi (3.1.0 --> 3.12.0). Update with: $ pip install -U pwntools [+] Opening connection to 34.216.132.109 on port 9094: Done
The flag is CodefestCTF{1_s33_y0u_4r3_a_m4n_0f_r4nd0mn3ss}
9017059 [*] Closed connection to 34.216.132.109 port 9094