Monday, June 6, 2011

Defcon 19 CTF qualifiers: gb200

Another challenge, this time gb200. After connecting to the server, we observed that it sent back a string of ordered digits (000111222333444555 x 3), asking for a password and then for some numbers.

$ ncat pwn522.ddtek.biz 6000
Never$olv3d!
000111222333444555000111222333444555000111222333444555
1
3
145350200111313244203511223232143550241432444500553500
1
2
invalid msg3
2
invalid msga
^C

After playing with it a bit, we can observe that the server's output always contains the same characters, only in a different order, and that the service accepts a maximum of 4 digits. So maybe we need to find a key that "reorders" the string again.

So, we need some scripting...
# db200_sol.py
import socket

def connect():
    # Open a new connection and send the password; return None on failure.
    HOST = 'pwn522.ddtek.biz'
    PORT = 6000
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        s.connect((HOST, PORT))
        s.send(b'Never$olv3d!\n')
    except Exception:
        return None
    return s

i = 100
s = connect()

while True:
    data1 = None
    data2 = None
    try:
        # Read the server's response and log it.
        data1 = s.recv(1024).decode()
        data2 = s.recv(1024).decode()
        print('[RECV]: ', repr(data1) + repr(data2))
        # Send '0' followed by the next candidate number.
        data1 = '0'
        data2 = str(i)
        i = i + 1
        print('[SENT]: ', repr(data1) + repr(data2))
        s.send(data1.encode())
        s.send(data2.encode())
    except Exception as e:
        # Any error (timeout, broken pipe, failed connect): log it and reconnect.
        print('[ERROR]: ' + str(e))
        if s is not None:
            s.close()
        s = connect()
        continue

s.close()


If we run the previous script in the background and wait a few minutes, we obtain the following response from the service.
$ python db200_sol.py > db.txt&
$ cat db.txt | sort | uniq -c | sort | more
      1 [ERROR]: [Errno 32] Broken pipe
      1 [RECV]:  '0'"00111222333444555000111222333444555000111222333444555\nLet's not be too rough on our own ignorance; it's what makes America great!\n\n"
      1 [RECV]:  '0''00211022443145544200011122333145553122104443552553330\n'
      1 [RECV]:  '0''02454034521103233304013422435241154254253515523111000\n'
      1 [RECV]:  '0''03213030403235555504410122532443152411544102134152023\n'
      ^C
Solution: Let's not be too rough on our own ignorance; it's what makes America great!
Game over :).

Note: I've added the script here
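
The check done by eye with sort and uniq above can also be scripted. The following is an added example, not part of the original post or the author's script: it rebuilds each logged response from the [RECV] lines (copied from the db.txt output above, with the uniq counts stripped), confirms that each one holds the same characters as the ordered string, and extracts the text returned with the ordered state. The names ORDERED, SAMPLE_LOG, parse_recv and analyse are made up for this example.

```python
import ast
from collections import Counter

ORDERED = "000111222333444555" * 3  # the ordered string the service sends first

# [RECV]/[ERROR] lines as they appear in db.txt above (uniq -c counts stripped).
SAMPLE_LOG = r"""
[ERROR]: [Errno 32] Broken pipe
[RECV]:  '0'"00111222333444555000111222333444555000111222333444555\nLet's not be too rough on our own ignorance; it's what makes America great!\n\n"
[RECV]:  '0''00211022443145544200011122333145553122104443552553330\n'
[RECV]:  '0''02454034521103233304013422435241154254253515523111000\n'
[RECV]:  '0''03213030403235555504410122532443152411544102134152023\n'
"""

def parse_recv(line):
    """Rebuild one server response from a '[RECV]:' log line, else None."""
    prefix = "[RECV]:"
    if not line.startswith(prefix):
        return None
    # The script logs repr(data1)+repr(data2): two adjacent string literals,
    # which literal_eval joins back into the single string the server sent.
    try:
        return ast.literal_eval(line[len(prefix):].strip())
    except (ValueError, SyntaxError):
        return None

def analyse(log_text):
    """Return (number of permutation responses, messages sent with ORDERED)."""
    permutations, messages = 0, []
    for line in log_text.splitlines():
        response = parse_recv(line)
        if response is None:
            continue
        state, _, rest = response.partition("\n")
        if Counter(state) == Counter(ORDERED):
            permutations += 1              # same characters, maybe reordered
        if state == ORDERED and rest.strip():
            messages.append(rest.strip())  # text returned with the ordered state
    return permutations, messages

if __name__ == "__main__":
    count, found = analyse(SAMPLE_LOG)
    print(count, "responses are permutations of the ordered string")
    for msg in found:
        print("message:", msg)
```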
