Thursday, September 18, 2014

No cON Name CTF Quals 2014 - imMISCible 200 - [Team SegFault]

We were given a gzip-compressed file containing the rot13-encoded Python source for the challenge. The source embedded base64-encoded, marshalled Python bytecode, which can be disassembled with the dis module and read without ever running it.
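if __name__ == "__main__":
    # Static inspection only: the embedded payload is decoded, unmarshalled
    # and disassembled. f is never called, so the challenge code does not run.
    #
    # NOTE(review): marshal is not designed to be safe against malformed or
    # hostile input, so unmarshal unknown samples in a throwaway environment.
    #
    # Python 2 only: str.decode('base64') and the `new` module do not exist
    # in Python 3, and marshalled code objects are interpreter-version specific.
    codeobj = marshal.loads(bytecode.decode('base64'))

    # Wrap the code object in a function object named "f"; it is only
    # handed to the disassembler below.
    f = new.function(codeobj, globals(), "f", None, None)

    # Kept inside the guard: f is bound only in this branch, so a
    # module-level dis.dis(f) would raise NameError when the file is imported.
    dis.dis(f)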

  2           0 LOAD_CONST               0 (-1)
              3 LOAD_CONST               1 (('sha1',))
              6 IMPORT_NAME              0 (hashlib)
              9 IMPORT_FROM              1 (sha1)
             12 STORE_NAME               1 (sha1)
             15 POP_TOP             

  3          16 LOAD_CONST               0 (-1)
             19 LOAD_CONST               2 (('getenv',))
             22 IMPORT_NAME              2 (os)
             25 IMPORT_FROM              3 (getenv)
             28 STORE_NAME               3 (getenv)
             31 POP_TOP             

  4          32 LOAD_NAME                3 (getenv)
             35 LOAD_CONST               3 ('NO_CON_NAME')
             38 LOAD_CONST               4 ('')
             41 CALL_FUNCTION            2
             44 LOAD_CONST               5 ('Y')
             47 COMPARE_OP               2 (==)
             50 POP_JUMP_IF_FALSE      147

  6          53 LOAD_CONST               6 (' 57 68 61 74 20 69 73 20 74 68 65 20 61 69 72 2d ')
             56 STORE_GLOBAL             4 (flag)

  7          59 LOAD_GLOBAL              4 (flag)
             62 LOAD_CONST               7 (' 73 70 65 65 64 20 76 65 6c 6f 63 69 74 79 20 6f ')
             65 INPLACE_ADD         
             66 STORE_GLOBAL             4 (flag)

  8          69 LOAD_GLOBAL              4 (flag)
             72 LOAD_CONST               8 (' 66 20 61 6e 20 75 6e 6c 61 64 65 6e 20 73 77 61 ')
             75 INPLACE_ADD         
             76 STORE_GLOBAL             4 (flag)

  9          79 LOAD_GLOBAL              4 (flag)
             82 LOAD_CONST               9 (' 6c 6c 6f 77 3f ')
             85 INPLACE_ADD         
             86 STORE_GLOBAL             4 (flag)

 10          89 LOAD_GLOBAL              4 (flag)
             92 LOAD_ATTR                5 (replace)
             95 LOAD_CONST              10 (' ')
             98 LOAD_CONST               4 ('')
            101 CALL_FUNCTION            2
            104 STORE_GLOBAL             4 (flag)

 11         107 LOAD_GLOBAL              4 (flag)
            110 LOAD_ATTR                6 (decode)
            113 LOAD_CONST              11 ('hex')
            116 CALL_FUNCTION            1
            119 STORE_GLOBAL             4 (flag)

 12         122 LOAD_CONST              12 ('NCN')
            125 LOAD_NAME                1 (sha1)
            128 LOAD_GLOBAL              4 (flag)
            131 CALL_FUNCTION            1
            134 LOAD_ATTR                7 (hexdigest)
            137 CALL_FUNCTION            0
            140 BINARY_ADD          
            141 STORE_GLOBAL             4 (flag)
            144 JUMP_FORWARD             0 (to 147)
        >>  147 LOAD_CONST              13 (None)
            150 RETURN_VALUE        
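This translates to the code below (the final print is added to display the flag; the bytecode itself only stores it in the global flag):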
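#!/usr/bin/env python
"""Source-level reconstruction of the disassembled challenge bytecode.

When the NO_CON_NAME environment variable equals 'Y', the hex constants are
joined, decoded to bytes, hashed with SHA-1, and the hex digest is prefixed
with 'NCN' to form the flag. Otherwise nothing is computed.

Runs under Python 2 and Python 3.
"""

from binascii import unhexlify
from hashlib import sha1
from os import getenv

# The flag is only derived when NO_CON_NAME=Y is present in the environment.
# Export it in the shell, or uncomment the two lines below to set it
# in-process.
#from os import environ
#environ['NO_CON_NAME'] = 'Y'

# The bytecode calls getenv with two arguments, the second being '' (the
# default returned when the variable is unset).
if getenv('NO_CON_NAME', '') == 'Y':
    flag  = ' 57 68 61 74 20 69 73 20 74 68 65 20 61 69 72 2d '
    flag += ' 73 70 65 65 64 20 76 65 6c 6f 63 69 74 79 20 6f '
    flag += ' 66 20 61 6e 20 75 6e 6c 61 64 65 6e 20 73 77 61 '
    flag += ' 6c 6c 6f 77 3f '

    # unhexlify stands in for the bytecode's str.decode('hex'), which exists
    # only in Python 2; the decoded bytes are the same.
    flag = unhexlify(flag.replace(' ', ''))
    flag = 'NCN' + sha1(flag).hexdigest()

    # Not part of the bytecode, which only stores the value in the global
    # `flag`; added here so the result is displayed.
    print(flag)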
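The hex constants decode to the string "What is the air-speed velocity of an unladen swallow?", and the flag is NCN followed by the SHA-1 hex digest of that string. The flag for the challenge is NCN6ceeeff26e72a40b71e6029a7149ad0626fcf310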
