Pragyan CTF 2020 Htide Writeup

LeeDoHyun · February 25, 2020

Team OpenToAll WriteUP

Tony stark before dying in Avengers End Game he says one last thing to Doctor Strange which is '0daaba74f35afe20988172f4680e68b8' ,which is the key for his Edith. Help Doctor Strange find the key...

nc ctf.pragyan.org 13500

That is the challenge description.

We are given an nc server and the hash value “0daaba74f35afe20988172f4680e68b8”.

Connecting to the nc server gives the following output.

[email protected]:/home/pragyan/pwnable/auction# nc ctf.pragyan.org 13500
To view the Flag u should be root user userid:350 groupid:123
Enter the secret key : 0daaba74f35afe20988172f4680e68b8
0daaba74f35afe20988172f4680e68b8
userid:300
groupid:100

Modifying the hash value one position at a time reveals places where a Python error occurs.

userid is at [12:15] and groupid is at [8:11].

The challenge is solved by XORing these values.

The exploit code below is a modified version of code sent by team members.

ex.py

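from pwn import *
import binascii

IP = "ctf.pragyan.org"
PORT = 13500
r = remote(IP, PORT)

# The 16-byte key from the challenge text, as a mutable byte array
data = bytearray(binascii.unhexlify('0daaba74f35afe20988172f4680e68b8'))
# XOR the difference between the current and the wanted value into each field
data[12:15] = xor(bytes(data[12:15]), xor(b'300', b'350'))  # userid 300 -> 350
data[8:11] = xor(bytes(data[8:11]), xor(b'100', b'123'))    # groupid 100 -> 123
info("hex = " + binascii.hexlify(data).decode())

print(r.recvuntil(b": ").decode())
r.sendline(binascii.hexlify(data))
r.interactive()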

Result

[email protected]:/home/pragyan/crypto/htide# python ex.py
[+] Opening connection to ctf.pragyan.org on port 13500: Done
[*] hex = 0daaba74f35afe20988371f4680b68b8
To view the Flag u should be root user userid:350 groupid:123
Enter the secret key :
[*] Switching to interactive mode
0daaba74f35afe20988172f4680e68b8
userid:350
groupid:123
p_ctf{[email protected][email protected]_is_m3lted}
[*] Got EOF while reading in interactive
$
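
Why the two XORs change userid and groupid, and what rejects them, as an added example that is not part of the original writeup or the challenge's code. The server source is not on the page, so the record layout, separator bytes, keystream and MAC key are constructed assumptions, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed layout (the server code is not on the page): a 16-byte record with
# groupid at [8:11] and userid at [12:15], XORed with a secret keystream.
GROUP, USER = slice(8, 11), slice(12, 15)
KEYSTREAM = secrets.token_bytes(16)  # constructed stand-in for the cipher
MAC_KEY = secrets.token_bytes(32)    # constructed key, hardened variant only


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue(groupid, userid):
    """Encrypt a constructed record; ciphertext only, no integrity check."""
    record = b"G" * 8 + groupid.encode() + b"|" + userid.encode() + b"|"
    return xor(record, KEYSTREAM)


def parse(token):
    """Decrypt and return (userid, groupid); int() raises on non-digits."""
    record = xor(token, KEYSTREAM)
    return int(record[USER]), int(record[GROUP])


def flip(token, field, old, new):
    """Change a known field by XORing old ^ new into the ciphertext."""
    out = bytearray(token)
    out[field] = xor(token[field], xor(old.encode(), new.encode()))
    return bytes(out)


def issue_authenticated(groupid, userid):
    """Same token with an HMAC-SHA256 tag over the ciphertext appended."""
    token = issue(groupid, userid)
    return token + hmac.new(MAC_KEY, token, hashlib.sha256).digest()


def parse_authenticated(blob):
    """Verify the tag in constant time before decrypting anything."""
    token, tag = blob[:16], blob[16:]
    expected = hmac.new(MAC_KEY, token, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token rejected: MAC mismatch")
    return parse(token)
```

With the unauthenticated token, `parse(flip(issue("100", "300"), USER, "300", "350"))` returns userid 350 without knowledge of the keystream; the same change applied to a token from `issue_authenticated` raises `ValueError` before any field is parsed.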
