Nuit du Hack Quals 2015 - Bpythonastic - Forensic Challenge

Reading time ~1 minute

CTFing at Easter time was super challenging. Endless family commitments, using my iPhone to browse challenges while at the dinner table and thinking through how to attack them when I can finally get to a PC. Fortunately NDH seemed to go for long enough for me to at least try a few of the challenges, which I did!

I’ve decided to document Bpythonastic for the reason that it was worth 300 points and not everyone got it, surprising because it was a trivial challenge.

The challenge, like many at NDH2k15 was just a link to a file. Which when you download it is a 81Mb file that extracts a 1.4GB raw file:

root@mankrik:~/ndh/bpy# ls -lah  
total 1.5G  
drwxr-xr-x 2 root root 4.0K Apr 5 12:37 .  
drwxr-xr-x 15 root root 4.0K Apr 5 10:38 ..  
-rw-r--r-- 1 root root 81M Apr 3 03:10 Bpythonastic.tar.gz  
-rw-r--r-- 1 root root 1.4G Mar 20 03:32 chall.raw

file reports it as a ELF file. It might be a memory dump I suppose.

root@mankrik:~/ndh/bpy# file chall.raw   
chall.raw: ELF 64-bit LSB core file x86-64, version 1 (SYSV)

Let’s just use strings and look for a flag.

root@mankrik:~/ndh/bpy# strings chall.raw | grep -c flag  
2893

Ok 2893 instances of the word flag, thats a few but we’re looking for something related to Python I guess from the name of the challenge so I’ll widen the context of the grep to show a little before and after and review them quickly.

Before long I spot this python code in the strings.

 >>> from chall import *  
 >>> flag=Challenge()  
 >>> flag=base64.b64encode(pickle.dumps(flag))  
 >>> print flag  
 KGljaGFsbApDaGFsbGVuZ2UKcDAKKGRwMQpTJ2ZsYWcnCnAyClMnYTYzOWEyMWE0YTc0NzAzZmEwNDJk  
 NjE3NjgxYWE0NGJiNGQxYzA4YmM1ZmJmN2VmZDZiNDU1ODJiMGYwZDQwMycKcDMKc1MnaWQnCnA0Ckkw  
 CnNTJ2F1dGhvcicKcDUKUydZZ2dkcmFzaWwnCnA2CnNiLg==

When I decode the base64 string I see this:

(ichall  
Challenge  
p0  
(dp1  
S'flag'  
p2  
S'a639a21a4a74703fa042d617681aa44bb4d1c08bc5fbf7efd6b45582b0f0d403'  
p3  
sS'id'  
p4  
I0  
sS'author'  
p5  
S'Yggdrasil'  
p6  
sb.

Ok so that looks right, the flag is hashed though and we need the raw value. So we need to find what is generating this hash.

We look a little further in the strings output and find this:

     self.author="Yggdrasil"  
     self.flag=hashlib.sha256("Yougotit").hexdigest()  
 import chall  
 flag=Challenge()

Which I conclude is probably the code that generates the above code, so the flag is probably “Yougotit”. I submitted it and it was correct.

So 300 points for using strings and grep. Nice.

Read More

Interviewing in Tech: Security Engineer & Security Analyst

Landing a job as a security engineer or analyst at a tech company is a significant feat. It requires not only technical acumen but also s...… Continue reading

BSides Sydney 2023 Writeups

Published on November 24, 2023

DUCTF 2023 Writeups

Published on August 31, 2023