This Challange does not require you to access any other Port
nc 43.204.152.119 1337
When connecting to the server we are given with Base64 encoded text and we have to submit the Base64 decoded text in the input but doing so it keep asking for new Base64 text
Looking at the challenge category (Scripting), we can figure out that this process requires automation with the use of any scripting language. I'm am using Python here
Click to see python code :diamond_shape_with_a_dot_inside:
from pwn import *
conn = remote('43.204.152.119', 1337)
a = conn.recvline()
print(a)
a = a.decode().split("\t")[1].split("\n")[0]
a = b64d(a)
print(a)
for i in range(2, 102):
print(i)
conn.sendline(a)
a = conn.recvline()
print(a)
try:
a = a.decode().split("\t")[1].split("\n")[0]
a = b64d(a)
except IndexError as e:
print(e)
pass
# print(a)
pass
# n=101 ; flag: CSEK{3he_bas3_dec04er}
conn.close()
Click to see output :diamond_shape_with_a_dot_inside:
PS D:\GitHub\ctf> python .\1.py
[x] Opening connection to 43.204.152.119 on port 1337
[x] Opening connection to 43.204.152.119 on port 1337: Trying 43.204.152.119
[+] Opening connection to 43.204.152.119 on port 1337: Done
b'What does this mean:\tblZNdGp4endmVzRrNTZoRHBsZUpLSXlMWDFQVWlDYloyY1RGZDhFMDM5T3ZzUkFtSGFCUUdnWVNvN3JOcXU=\n'
b'nVMtjxzwfW4k56hDpleJKIyLX1PUiCbZ2cTFd8E039OvsRAmHaBQGgYSo7rNqu'
2
b'> What does this mean:\tSGV6RjhocWF0MGlMUlBEQTFsTXJWS1VFNEpqVE9HTnhwMlhkNllCM3Y5U29zV0l3NXltYjdjbmtDUVpndWY=\n'
3
b'> What does this mean:\telc3S1JnODNTRXlNWXFQcDBqNEF0czZ1VXhmSWxhQkxta1puT0RUTlF2aDVlVmkxZGNIR2JYbzlGQ3JKMnc=\n'
4
b'> What does this mean:\tNHpiSk84Zm4yR2gzNWFLTHNXU1ZSQXkwWnZIN3FEZ2l1ZU45dGRyVUJtSXBUMUN4UTZNandFa1BYRmNvWWw=\n'
5
b'> What does this mean:\tVkZHQ3BydjBtWkExaHNkS0JQeTV1NGxqUlNuT01EaWdXYXc5dFQzZXFKTjhZUUliMlU2azdFY1h6SHhmTG8=\n'
6
b'> What does this mean:\tVmZ5UXZ3UnRHbjUwbWVwN1U0ck5kNkgzQmxjRVRBTzFrdXNLRkRqWWI5UG9XSlhocXpaZ0lDaUw4U3hNYTI=\n'
7
b'> What does this mean:\tdkdRbUVlckRTd1dUMml4SlJDNGdYYTMwTmgxOWNIejY4dFpWeXNvRnVPVWJCNTdwcWRuTWpQTGZLSWtsWUE=\n'
8
b'> What does this mean:\taE5KVXFrUnRXVnoxb2N5Z0ZmMFo4NW1CZGoySVFuVEFLN01PaTZIWUQ0M0xzYVNYcEV3UGVDcjlseHVHYnY=\n'
9
b'> What does this mean:\tSmFkWG1JMk9wVEg3am5yQ0dpOEt6OVo1eXE0eEUxZjNRZ0Z0NmV1QVVvQmJMd05QRGNsaE1Za1ZXUlMwc3Y=\n'
10
b'> What does this mean:\tZTN1cGd6UW1mSE5MQmRJODdLVnRGWk9jRUFZR1drYWJ2b0RpVDlSUzBscTVVd3NocjZNeDJQWGpuSkM0MXk=\n'
11
b'> What does this mean:\tVkN2UEJJSHJlMGlaRXhkTDNXZmJSMUtuTzhBZ29qVW1KVDdwWE15YWhxNHNTMndGOWx1UVljenQ1RGtORzY=\n'
12
b'> What does this mean:\tRWw2eEpoaUtudUFXTTNJRlZMWDBtWW9ITnExa2V2ZGNRYlB5MmdVclpwYURUT0M4U1I1ZnM3dEJqOUc0enc=\n'
13
b'> What does this mean:\tVmJ4cHJzRWNZZUZqbTVoWjYxSEt2U1JpZ0p6azlPZENHQldVQTBhTG9mUTdJVFBxeU50d2xEM1g0Mm51TTg=\n'
14
b'> What does this mean:\taDdmMXhYa05aYjlHZ0U2SndtaXBRME92V2NqQWEzNWxJcmVxQlBSVkNZVXlUOEQyU3VuRk16ZDRvc0tIdEw=\n'
15
b'> What does this mean:\tVW9pRUN0Tzc2alNETjJaTVc0Rnh6clFrcVgxSElnZWJScDBQQm05eUd2Y3dhdXNLVDUzTEFoWWRWbG5KOGY=\n'
16
b'> What does this mean:\tVHYzVzhRWmFBandIS3ljaGcxck9FYlBlNEp0TTk1ZFJ1a0JvMlNtWExZVXpscXhuZjBGN0dpNkRDTnBzSVY=\n'
17
b'> What does this mean:\td0ZaUXZuZm1BY05SREdUalNpVXJzMXl4dGhLNFhiSnVrWUU4UE1JSHBnQk96N1dsVjJhM0M2ZExvOTBxZTU=\n'
18
b'> What does this mean:\tNzZmakxLeU5NYmNZQ3dUV2QxSnpIbHN0b1FVOWV4NDBtYVJGcjVCSXFaVkFrR1hoTzN2bmkyRURwUGdTOHU=\n'
19
b'> What does this mean:\tTkRqN29CUFR0OVVPUXZoMkxBNHl4U0V3QzZhM1pzZUhxaW1HRmtuZklLWWdWYjFKOHBsdVIwclhjNU16ZFc=\n'
20
b'> What does this mean:\tQjhIMllTalJyTjRWSmU5V25rYmNwcUZaRVB4aG9YS0Q3RzBheUFJc3Y2Q1F3VDUxbXVpVWxPdGczTGZ6ZE0=\n'
21
b'> What does this mean:\tQ2lLY3FTTkxvRm1XVVRSM0R1UFk4ZnpudjcwUUpieWFqNXQyVk9oR0lwRWRneDFYNEFlczZCa0haTWw5d3I=\n'
22
b'> What does this mean:\tSGxQcHhlOFNhZzN3N01GaU9zQ0oya1hZTmgxb1VJVDU0Yks2eVIwV3JHQlZRTDlxdkVqdW1BZER6WmNudGY=\n'
23
b'> What does this mean:\tR3psdWY1ZWtJcThUTXh0b1lFN1ZuTGhVSzIzQVdwQ3liY1BzUURtOUhnWnJYaXdKNE5SRk9CMVNkdmFqNjA=\n'
24
b'> What does this mean:\tRFNkTXR3eDhZZ3lHT0ExNG5YaG9GUWxXOTdiSEpjNkxhQzJ1WmVta3BzSzUzVlROclB2QmpVMHpSaWZxRUk=\n'
25
b'> What does this mean:\tM09OMjBaWURWbEx3SUtkSmJmaHU1Ukh0cEVBazZ4TW9URzRYUzFjVXpyQ1BqOG5naXZReXFGOVdCN3NhbWU=\n'
26
b'> What does this mean:\tUEZzek9veU1wNnRaZ0hMSkdiMDI3YWNXQWt1UmxkMWV2VU5JaVF4VlRZOW1Dd0RFSzNmcXI4U2g1Qm5YajQ=\n'
27
b'> What does this mean:\tRTdoVzhUSXBOb3REUGFuNHZzSDk1ZVJ6MlNPNmNNTGozcXdVaVpRQmRHS21GdXhDZnJYa3kwZzFsQVZiSlk=\n'
28
b'> What does this mean:\tYXZiTFRtV013OWxRWmVxSkg4QTRFQmtnQ2p5bnpPZllzdG83Y0d4S3VkRlJJaFY1cFNQRHJVMjE2M05YaTA=\n'
29
b'> What does this mean:\tV1oyNFl3M2lEWHRVMUVQcW1mdmJsUU5qQjB4OFI2a1ZMVENySmhTRktBR3pkOU1uZW9jdU9Ic2dJeTc1cGE=\n'
30
b'> What does this mean:\tYkFWZnY1VEIxWkpqN08zaHNOVVBJOG9uUWFGbFI2ckxrV3F5bXAyeDA0Z0RTaVlLQ3pHRXdjSDlYZE1ldXQ=\n'
31
b'> What does this mean:\tdGNkMUhTSURLVWFPZzhXWnhHRmtobG5CdVFOVkFYam95czJmWTUwYjRNRVJpdnpyTGVKVHc5cTNQN3BDNm0=\n'
32
b'> What does this mean:\tcDloNmdsYkZubVZFUTdPQ0JENHZHS2pIV3g4STFhZU5SekxYQTBmVHlzdTV3a0p0UzNjcm9xZFBVWVoyTWk=\n'
33
b'> What does this mean:\tcnFqN3pMdTlRMWNUQUU1Tml3OHlnU3NoRmQ0SkllWjBiM2E2S21PWFZvdld0TWZsR0RZVW54SENwUmtQQjI=\n'
34
b'> What does this mean:\tdnVoaVh4cTFLWWxBUWpOT1M2a0hwYTVDM29QMHJCc1VJOEV0OUQ0YmNWUkZMZm55Sk16d1ptZGVUN1dnMkc=\n'
35
b'> What does this mean:\tS3c0TkFEMDVsN3lWVWlmbk1jYVRHMWVrU1c2dFJvSTlKRWJPTEZoQjh4WlF6UHVxM21qdlhzcFlDSHJnMmQ=\n'
36
b'> What does this mean:\tN3JkdVN0NmxqZkZucUxVM2I0MFZDcHZOWmN6NU9LSXM5SldNZ1gyaERpUkhha1BBVDFCeUVHd29ZbThRZXg=\n'
37
b'> What does this mean:\tQjR3RUZJRDlybE9xYmc4R1h2SHRWNjNZaFNkZW95WnVVSmN6a2lLbm1MUEFNUVIyVHA1MUNmTnMwN2phV3g=\n'
38
b'> What does this mean:\ta1NwUEd2YmhtamNFSXlKMGlud05YVVZETWxBcllnTEZUN3RRMk80NWZDbzN4Ukh1ZTE5enNLWmE2VzhxZEI=\n'
39
b'> What does this mean:\tek1aZ2NyYUtvQ0lEYll4NzR0UVZoSGp2MHAzc3FQeWw4a0ZTOWZlbjE1TlRXT0xVWEVCd2kybXVkSlJBRzY=\n'
40
b'> What does this mean:\tc1RSVWlqTU9Ka1M0UFlabUlOcTVocjMxRDJ1eVZ3V2ZRR0VGeHRwSEFLOWxYZXZDZGMwYWJ6ODZnQm5Mbzc=\n'
41
b'> What does this mean:\tNzlDMWU0bWw1dnJFU2dBWlg2UXN0Zld6Rk5wRE0wZG93cTNMS2NZdWthSGJVTzhCUlZ4Sm55aFBJVEdqMmk=\n'
42
b'> What does this mean:\tWDZoQmFHN2o4Vk51Y1dpUmVsU2Z6QTV3OUNyM0tIVG5iT0l4UUR5czBrb2QxUExwbU1ndHZxVUY0WllKMkU=\n'
43
b'> What does this mean:\tRHlOMkhoQUJLT0xxV2djMTVDanN0cGlWWWRyUlNmOEdabDd1SkVROXZQbU1GeG80bjNUYlhla0lhejYwVXc=\n'
44
b'> What does this mean:\tNUYxMmJmWHFHdG4wdVJBYWxjVDM4aU9KTUxaeHBDTnlRV2drSTlIcjZoRG1QVmpLZDdzWUJTdjRVZW9Fenc=\n'
45
b'> What does this mean:\tbk5Cb1NnUnNYY0ZFeE1Rdjc1T2tiZVVaemZUMkdyeXB3Q0hoYWQ4TEpXMWlQRDRJQUszVnVZMDZsam05cXQ=\n'
46
b'> What does this mean:\tV3h6UElTMDhteVI5aUZZRUtvUUxjSlZYRHdHZ05xNWtNdkI2ZHNBZm5sYXRwQ1p1ZVVyMTIzSDdoYmpPVDQ=\n'
47
b'> What does this mean:\tSWQyMUtSaFVQdlkzdUY5NGVRbENrQnhYYnBtY0hpV3JWc25PYVN0Z3lmQTg3VEpOTERFNXpHcVp3MGpvTTY=\n'
48
b'> What does this mean:\tb0RqdUJnYjJNcDZZQTdjMGtRWExhVGY5bkdpMW1zM1dPSWhFd2R5bENTenhSdEZIS3Y1clVOOGVaSnFQNFY=\n'
49
b'> What does this mean:\tRXcyaXhWNUczN2FDUTRSNkpTcHlxMURrSFRkQmUwRnR2TmxNb2pnVWZtQThMemhaUFdYcklLc09ZdW5iOWM=\n'
50
b'> What does this mean:\tT2RYaFZ2ek1FV3dDSGYybG8zNE5xMGNpZW03Rkl1QkpHOGJaYXA1eTkxU3NuallLREw2VEFRVWtQeFJ0Z3I=\n'
51
b'> What does this mean:\tTHNweGZ1emE0SVFFblRxaTU2dGJGZ1JoTW9BQzNsUGVqR0hLN3JKd1ZYODlOT3ZaMlV5MURja21CMGRXU1k=\n'
52
b'> What does this mean:\teWM5bGl6M0FrcW5XcFFOVjJYdjZZN1pteHNMd2gwdTFNUlVGNW9mdEI4RGdKYmFPSFRqQ3JFS0lQZWQ0R1M=\n'
53
b'> What does this mean:\tR296NTlTRENoYmRzWXBMbXhUWml2OGUyUHFjUWtWbEVuVWc0RnJCN1gzZkFXeTBITjZhdU90d0lqS00xSlI=\n'
54
b'> What does this mean:\tZlpoUEJYVVFTOFlscTN6VnljUnZwRE5ka0F3N245MjZpeEdJT3RUbTEwNUtiakVzZ0pGYUh1b2U0TUNXckw=\n'
55
b'> What does this mean:\tUEFKUUY2OGVWYnA0TmtqMFpXWTNjZHd1N1RubFh5MXRhbXFnU0lCeExVMk9LaEVSc0c5cjVpQ0Rmdm9ITXo=\n'
56
b'> What does this mean:\tNnhpU1BmcXQ0MHJ3empXN00zSkxIZ2hac3ZDUlhlbEZJTjFEVUdWZFFvblliT3lBRTJUYUttOGNrNXB1Qjk=\n'
57
b'> What does this mean:\tUDFYYnpNRGdFQkNXMGV2WTZuU3E3eDJOUWxkNW05YUFUTDRaVXlHZkhrRm93T2ozY0ppckt1cGh0VnM4Ukk=\n'
58
b'> What does this mean:\tRnRhSzBMdlJicm1Ya3pDWUluUzZBUUJVNW9zdUh4V0VPOGhNZXlkTkRKcWNmaVYyUHc0ZzczcFRHajFsOVo=\n'
59
b'> What does this mean:\tY0hpYm1SOEVBelp1WWszTzE5NWx2MlVmVlNwNEtRdGdUTFhuTlBEV0Z3SmVzckcwQzZCYXhkcXlqSU1obzc=\n'
60
b'> What does this mean:\tZnFVYlk3TkpPeTMwZVdER0xGUWtDVm1zd2FabEU2Qk1pS2hYdXZUOW81bkhJODQxdHJBU2Myamd6eHBQZFI=\n'
61
b'> What does this mean:\tajk0NnowN0VsR2tLc3gxVzJpblpOTFlRZUozcXRkbUFYNXJmYW84SE1JUndPdXZWeVVjcGdoQ2JUUEJTREY=\n'
62
b'> What does this mean:\tVWtMdmExaGQ5QlNxeVRQWkVHbGM1RGdzekEzTVFwaUowS0hZQ21Jb1JydzhGWFZldWZqbjJPNzR0TjZXYng=\n'
63
b'> What does this mean:\tUzVnVURHbVZuWlQwejNpUElsT0trOWR2Y2pIZVl1WEpzQjJ4V0ZoQTFwYXd0cU5mTW9yNHk2QzdSOExFYlE=\n'
64
b'> What does this mean:\tZEFzYXk3TFdvOVlycFMxVXV4ZU5qR25jRno2QzBINU9nVHdrSVZpSmhCYktmcTgybTN0RGw0UE1RWlhFdlI=\n'
65
b'> What does this mean:\tSXJRMFA1dDdkQ0RMbUt6T2lOMmNuUldzQnZsNHF1VjY5aHdZVGVTYmdqVWtGb0hFZjhNMTNhcFpKWHhBR3k=\n'
66
b'> What does this mean:\tejlaa3FlNXZKNEdmMFdBSXNWaG83YUZZYktUMU1jUXlOd3JQU2xSZ3BFQjJMNmp0T0hkQzhVdVhteG5EaTM=\n'
67
b'> What does this mean:\teVhQUjNrS3NwZ2RMb2xaVVNUTXF3QjRRZTdEOVd2NjJiTjBHWXhDaGpmRmFySm1BOEl1Vk9FaUh0emNuMTU=\n'
68
b'> What does this mean:\tYXdYOUlKR1prdVlXUGpVcXA2NTJIRWlURm9NMXowTzhLU0FiTmc3bGQ0TFZDY1JoeWVmRHZuUXJtM0J0eHM=\n'
69
b'> What does this mean:\tZEZQN21PVW9ZQnYwOHBRTGg5d0tiZ015Mm5XY0laM0RpbENyVkE1MUg2RUc0U0p1VE5mcWFSZXNYanp0a3g=\n'
70
b'> What does this mean:\taFlHRDByY21QM2ZsekNXMVVvSDYyYUlUZGpxOEtSTmVGNHNYTWJ0Z2s1dlNPUUV1Sm5CaVY5cFp5N0x3QXg=\n'
71
b'> What does this mean:\tbmI1aWg0am9rckdEM1kwOUtwcUpGUGZzN1hjV3ptQXVUQ0I2Z05sOFJFTUxhWkhVSU90UWUyU3d5eHZWZDE=\n'
72
b'> What does this mean:\tV3hscWtKejh5VTRzdkh3cDdqY1h0dWQ2ZURTVEtpVkJBMVI5UWhHWlluNTJhTE1nRWJOM28wbU9ySUNGUGY=\n'
73
b'> What does this mean:\tRnhJTHp0cDVLeU1PZVRQWEIyZHdvYzhIU0R2TjNHNHJuZ2k3UVlDVWtBRVIxVkp1WnM2bGhtYmZqOVdxMGE=\n'
74
b'> What does this mean:\tUlpocTl4bkxCUXJ1WHAwc1R3ZjFDem1qRGJNT3ZkMzg2eVNhVkpLNTRBaVVJMkZ0WW9lY2tsTjdFUFdIZ0c=\n'
75
b'> What does this mean:\tSlN5a0h3enhRVW1iTWo4YUFyREN0czJpbGYwRVZvRm5ZWFd1OXFCWmdOZGU3S1JoUFRjNjF2TzVJRzRMM3A=\n'
76
b'> What does this mean:\tOVNSMW5jV2xtbzI1NGR5dVUwUUhpT0R2c2FxaFY2elA3Q3JBWWZNQkZHRXhnazhlS2J3cFhMSXQzSk5aVGo=\n'
77
b'> What does this mean:\tdnJTUFRlbmpHZmRFVTBXSzJGd0kza1liNHN4WmhDQW9NWExWbWxpNUI3SlE4Z3F0dTlPeWMxTkR6NnBhSFI=\n'
78
b'> What does this mean:\tcWwydEJ4OVlETmc2M2hHbmlPSmZ3a1RwUG1WTUVkSXl2MTgwTHI1ekhhVWVYNGJRN0Z1Q1pLaldTQWNSb3M=\n'
79
b'> What does this mean:\tc1hvWkJKNzk0cFEzZG1URXdNajBueERPUHJnTld6cUxpVXZidHlSRkhBbGs1dVkxSzZJaFZhQzhTZmNlMkc=\n'
80
b'> What does this mean:\tbWQwakZmMmlRWUpiZVpSaHBOa09jdTRWUE1FQXRMc1R6SEk2S3hXQmd2d0c1bFVuQzhTeVhvcWExM3I3OUQ=\n'
81
b'> What does this mean:\tSFVXbVRvWUR3MTBTYU5meHNBZ1Fqa0VWdkxoT3RGeUN6MjM4ZDRsQks3Y1JNcXA5clhHUDZaNUludWlKZWI=\n'
82
b'> What does this mean:\tNGgwRXc1cW1XS0NEMk55OWJrUGNCYUdGcDNUSHhSSmpYTDhzZzE3T3VuQVlvU3ZJVXJsZTZWaU1kdFFmelo=\n'
83
b'> What does this mean:\tVTZHaVgwVFJueFZZZEQzenZCNGhmRkNKTGpLdW9FZ2tIWnRNTnJjMnlxc0FsUThXcEk1ZXcxOWJPUFNhN20=\n'
84
b'> What does this mean:\tNmVwbUJrTWFMSlRpWHN6TjcyUG9LM3JsU3hmRjA0WTh1d0NFYmdocWNabmREMUhHVVZ2Ulc1QVFqOXlPSXQ=\n'
85
b'> What does this mean:\tekpBaVY3RnlNbzRSV3ZHT2pxWVhwY2U5Q3MyYnVsUGs2OG5yWndkUzB4M0hmSU4xbVFCREVndDVVYUtoTFQ=\n'
86
b'> What does this mean:\tbHNHOU1KUVdidTJ2TGo3ZmtPMUhOWWV5RlRtM2NadDB6YXBCOFVpRGRBNm5xRTVJWGdWd1NLUlBveENoNHI=\n'
87
b'> What does this mean:\tVUc3UWVEZnFOU1l2bzJzQTNpVE1tUGN4VjUwQ1prcmRYVzRIYmhnbGFSOEJ1MUtFaklGcG5Kenc2T0x0OXk=\n'
88
b'> What does this mean:\tenhQSFVqU2Ezc084b2VRS3V0djFnYjVCN0FHMnJXNGZpZEZEMHlxWmxJWGtKUnBDRTlWTUw2d2NUbk5tWWg=\n'
89
b'> What does this mean:\taHBHY2RNMmdXVjRLaUNVSnV0blBRcmFPZnltTnNIUmowSThEVExiQTdCOWxFWTV4cTZYZW9TM1p2Rncxems=\n'
90
b'> What does this mean:\tcEZXbUUxM2FEWG9NOWxVczhpNGg2QmVUeHFmZ2tMellKSUhiQ1ZuT1Nyd1JqZHVHS3YyWjA1Y1B0eUFRTjc=\n'
91
b'> What does this mean:\tcEo0OWxWcXN3ODI2anREQ2MzN094S3J6RW5QMXZORklTVFpVWTVtZUdMeTBkUWJNSGZYaG9hQXVnUkJpa1c=\n'
92
b'> What does this mean:\tZU83UzVOOWp6aXNUb2hsSks0clpuNmJ3eFh1cVdtRVEyR2R0cFlhTUJDSWtBOEhEZ2N5VmYzUlAwMUx2VUY=\n'
93
b'> What does this mean:\tVmNSMDhiNkkyZ1M1czdyaHZqNFlUZnlOSm5BSzNYRnFXZFo5d2FCVUd1UTFMaXpleENPa29sREhQdG1NcEU=\n'
94
b'> What does this mean:\tb09TUDIxTUhXc1hUeHFydmpWN21FOENpNXQ2WjNmdXcwS2VuVURSYWtGSkxibFFCZGNwTnlnQWhHNFl6STk=\n'
95
b'> What does this mean:\taG1IMlR0Q2IwOGRaSVNxOVZQSnVyN0JPallveTZNRkVmcEtMUkdEWFdVa2F4c1F3QW52ZzM1Y2llemw0TjE=\n'
96
b'> What does this mean:\tc0RGYVZBRWR3eWpaNlBmYlVCN1hwTWtRTE80MXQyM1dvZVJ1bU5UbDU5SUtIaXJ6MGdZRzhKdmh4bmNDcVM=\n'
97
b'> What does this mean:\tVkpIM1FabWZSdjVOOEVJc1l5MVdpRmF3ZGxiS0dEWDcweEx6a01ocUJQQ29PZVVTVHRuNHIyY2c5QXBqdTY=\n'
98
b'> What does this mean:\teUs5YU04cUp3U0NmaHBFVmlYM2wydVVrZEcwUmJuakx6bUFnUUI0WnM2dHZXTzVJUGN4WTFURkhOZTdEb3I=\n'
99
b'> What does this mean:\tSHltaGdNVWNJUTdvM3J3RFB1WmVuZlRLWXhxYjZOWHZHanpTOEZ0aU8yOUVBa1JkSldWc2wwTDRwQkMxNWE=\n'
100
b'> What does this mean:\tSnpzNkVCUTdZRloyd3JlNHUzVU1Sa2xtTHBPZzVkV1hEOXFiaHgwdmpTVlAxeUdUTkNuS2NmQTh0YWlISW8=\n'
101
b'> CSEK{3he_bas3_dec04er}\n'
list index out of range
[*] Closed connection to 43.204.152.119 port 1337
Flag: CSEK{3he_bas3_dec04er}
Serialization Saga
Points: 100
Description:
This Capture The Flag (CTF) challenge is designed to assess your ability to identify and exploit fundamental insecure deserialization vulnerabilities. Can you successfully execute the necessary functions and retrieve the flags? Lesssgoo!
PS: No Bruteforcing is required
https://webctf.cloudsek.com/serialization-saga
On the webpage we can see the php code
Click to see PHP code :diamond_shape_with_a_dot_inside:
<?php
error_reporting(0);
class CloudSEK {
private $func_no;
private $func_name;
function __construct($no , $name) {
if ($no == NULL && $name == NULL) {
$this->func_no = $no;
$this->func_name = $name;
}
}
function __wakeup() {
$func_map = array(
1 => "XVigil",
2 => "BeVigil",
3 => "GetMeDemFlagz",
);
$func_no = $this->func_no;
$func_name = str_rot13($this->func_name);
if ($func_map[$func_no] === $func_name) {
$this->$func_name();
}
else {
echo "<h3>Invalid Object Data</h3>";
}
}
function XVigil() {
echo "<h3>XVigil is a cybersecurity platform designed to help organizations monitor and mitigate potential security threats and vulnerabilities across the digital landscape.</h3>";
}
function BeVigil() {
echo "<h3>World's first Security Search Engine mobiles that makes sure the applications installed in your phone are safe.</h3>";
}
function GetMeDemFlagz() {
$flag_file = "/tmp/flag.txt";
if (file_exists($flag_file)) {
$file_contents = file_get_contents($flag_file);
echo $file_contents;
}
else {
$err_msg = "<h3>File Not Found!</h3>";
$file_contents = $err_msg;
echo $err_msg;
}
}
}
// $cloudsek = new CloudSEK(1 , "XVigil");
$sess = $_GET["sess"];
if (!isset($sess)) {
exit();
}
$data = base64_decode($sess);
$obj = unserialize($data);
?>
In this code we can see that it is checking if GET parameter sess exist if yes Base64 decode it and parse it to php unserialize()
There is also __wakeup() function which is called on unserialize
to get the flag we have to call GetMeDemFlagz function. __wakeup function will perform rot13 on func_name and value of func_no should be index of the name of function in func_map array.
Now lets create the payload
Object name would be CloudSEK <-- name of the class. func_no = 3 and func_name = rot13("GetMeDemFlagz")
Dive into the depths of "The SHA Juggler," a mysterious web challenge that tests your prowess in PHP type juggling, cunning encoding techniques, and web exploitation. Your mission is to outwit the system, leveraging the peculiarities of PHP type comparisons, decipher the applied encodings, and exploit vulnerabilities to retrieve the concealed flag. Can you navigate the enigmatic interplay of types and encodings and emerge victorious?
PS: No Bruteforcing is required
https://webctf.cloudsek.com/the-sha-juggler
in the pagesource of the webpage there is a variable isThisNormal which have long hex code, let's decode it
Tool used to decode: https://gchq.github.io/CyberChef/#
after decoding it with hex and Base64 we get php code
Click to see code :diamond_shape_with_a_dot_inside:
<?php
// you_found_me.php
if (isset($_GET['hash'])) {
if ($_GET['hash'] === "10932435112") {
die('Do you think its that easy??');
}
$hash = sha1($_GET['hash']);
$target = sha1(10932435112);
if($hash == $target) {
include('flag.php');
print $flag;
} else {
print "CSEK{n0_4lag_4_u}";
}
}
?>
This is php code for file you_found_me.php and it will check for GET parameter hash and to get the flag it will check for the condition if sha1(10932435112) == sha1($_GET['hash'])
But before this it will check if $_GET['hash'] === "10932435112" if yes die.
We can see that for the flag condition it is using == in $hash == $target. this is loosely comparision
The sha1 of 10932435112 = 0e07766915004133176347055865026311692244 and in php this is treated as scientific E-notation.
Scientific E-notation is used to write very long numbers in a short form, 1e6 is 10^6 which is 1000000
Now because this sha1 hash of "10932435112" start with 0e0 it will be trated as "0" because 0^anythig is 0. so any string which have sha1 hash starting with 0e and followed by any number will be treated as "0" and it will pass the condition.
Reference for this type of hashes: https://github.com/spaze/hashes/blob/master/sha1.md