CSAW CTF Quals 2018 - Algebra
問題文
Are you a real math wiz?
nc misc.chal.csaw.io 9002
writeup
まずはncコマンドで接続してみる。
root@kali:~# nc misc.chal.csaw.io 9002
____ __ _ _ ___ ___
/ ___|__ _ _ __ _ _ ___ _ _ / _(_)_ __ __| | __ __ |__ \__ \
| | / _` | '_ \ | | | |/ _ \| | | | | |_| | '_ \ / _` | \ \/ / / / / /
| |__| (_| | | | | | |_| | (_) | |_| | | _| | | | | (_| | > < |_| |_|
\____\__,_|_| |_| \__, |\___/ \__,_| |_| |_|_| |_|\__,_| /_/\_\ (_) (_)
|___/
**********************************************************************************
17 - X = 126
What does X equal?:
HEYYYY THAT IS NOT VALID INPUT REMEMBER WE ONLY ACCEPT DECIMALS!
方程式をひたすら解いていく。
最初は簡単な式だったが、後半になるにつれて複雑になったため、sympyライブラリを使用した。
実行コードは以下の通り。
import socket import re import sympy from sympy.abc import _clash1 from sympy import sympify def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1).decode('utf-8') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('misc.chal.csaw.io', 9002)) receivedata = s.recv(1024).decode('utf-8') print("[+]receivedata=",receivedata) while True: receivedata = recvuntil(s, "\n") print("[+]receivedata=",receivedata) pattern = r'(.*) = (.*)' m1 = re.search(pattern, receivedata) if m1: left = m1.group(1) right = m1.group(2) formula = "(" + left + ")" + "-" + right else: exit(1) print("[+]formula=",formula) ans = sympy.solve(sympify(formula, locals=_clash1)) print("[+]ans=",ans) if ans: senddata = str(eval(str(ans[0]))) else: senddata = str(0) print("[+]senddata=",senddata) s.sendall((senddata+"\n").encode("utf-8")) receivedata = recvuntil(s, "\n") print("[+]receivedata=",receivedata)
実行結果の後半はこちら。えぐい方程式。手作り実装は厳しい。
[+]receivedata= ((((((5 + 1) * (X + 17)) - ((13 * 10) + (15 * 12))) + (((15 + 5) + (1 - 5)) - ((16 - 12) * (7 * 10)))) * ((((8 - 12) * (11 - 14)) - ((17 * 14) - (9 * 15))) + (((20 * 19) + (1 * 6)) * ((19 - 11) - (14 + 8))))) * (((((13 * 9) - (5 * 18)) + ((3 - 15) * (17 - 11))) + (((8 * 16) + (9 + 15)) + ((6 + 4) - (4 - 3)))) * ((((11 - 1) * (20 - 20)) + ((3 - 11) + (5 - 3))) * (((17 * 10) * (12 - 19)) * ((18 - 1) + (8 * 9)))))) + ((((((6 - 16) * (7 - 9)) + ((7 - 7) - (16 * 6))) + (((2 - 16) + (12 - 13)) - ((3 * 13) - (14 * 10)))) * ((((15 - 14) * (17 * 11)) - ((18 + 15) * (4 + 12))) - (((14 + 16) - (13 + 18)) * ((10 + 9) * (15 - 4))))) + (((((8 - 12) - (13 * 2)) * ((11 * 1) * (20 * 18))) - (((6 - 14) - (15
* 13)) * ((14 * 3) * (9 * 9)))) * ((((10 + 13) - (14 - 11)) * ((6 + 6) * (19 + 5))) - (((14 - 15) - (16 + 18)) - ((5 - 11) + (7 + 12)))))) = 147443309452728
[+]formula= (((((((5 + 1) * (X + 17)) - ((13 * 10) + (15 * 12))) + (((15 + 5) + (1 - 5)) - ((16 - 12) * (7 * 10)))) * ((((8 - 12) * (11 - 14)) - ((17 * 14) - (9 * 15))) + (((20 *
19) + (1 * 6)) * ((19 - 11) - (14 + 8))))) * (((((13 * 9) - (5 * 18)) + ((3 - 15) * (17 - 11))) + (((8 * 16) + (9 + 15)) + ((6 + 4) - (4 - 3)))) * ((((11 - 1) * (20 - 20)) + ((3 - 11) + (5 - 3))) * (((17 * 10) * (12 - 19)) * ((18 - 1) + (8 * 9)))))) + ((((((6 - 16) * (7 - 9)) + ((7 - 7) - (16 * 6))) + (((2 - 16) + (12 - 13)) - ((3 * 13) - (14 * 10)))) * ((((15 - 14) * (17 * 11)) - ((18 + 15) * (4 + 12))) - (((14 + 16) - (13 + 18)) * ((10 + 9) * (15 - 4))))) + (((((8 - 12) - (13 * 2)) * ((11 * 1) * (20 * 18))) - (((6 - 14) - (15 * 13)) * ((14 * 3) * (9 * 9)))) * ((((10 + 13) - (14 - 11)) * ((6 + 6) * (19 + 5))) - (((14 - 15) - (16 + 18)) - ((5 - 11) + (7 + 12)))))))-147443309452728
[+]ans= [18]
[+]senddata= 18
[+]receivedata= What does X equal?: YAAAAAY keep going
[+]receivedata= ((((((8 - X) + (13 + 15)) + ((20 * 18) * (10 - 10))) * (((2 * 12) - (9 * 18)) * ((9 * 2) + (8 - 12)))) * ((((19 * 15) * (9 - 17)) - ((16 - 16) * (7 + 14))) * (((20 * 5) + (1 * 8)) * ((1 * 7) * (15 - 14))))) * (((((9 + 5) - (14 - 1)) + ((3 + 19) + (12 - 17))) - (((13 * 20) * (20 * 18)) - ((19 - 16) - (8 * 3)))) + ((((10 * 13) * (10 * 16)) -
((13 * 4) * (12 * 16))) - (((20 * 2) - (14 - 8)) - ((9 - 8) * (5 + 7)))))) - ((((((1 * 8) - (9 - 17)) + ((8 - 2) - (7 + 1))) + (((16 - 17) + (6 - 5)) * ((3 * 5) - (10 + 14)))) + ((((10 + 17) * (9 * 19)) * ((9 * 16) - (19 - 6))) - (((7 + 12) * (5 * 12)) * ((11 - 13) + (13 - 6))))) - (((((20 - 19) + (1 * 16)) + ((3 - 17) - (17 * 19))) + (((9 * 7) - (1 - 1))
+ ((1 + 20) - (8 - 20)))) - ((((7 - 18) - (8 - 12)) - ((11 * 5) * (20 - 6))) + (((3 + 16) + (3 * 20)) + ((8 - 8) + (10 * 17)))))) = -7169925658970677
[+]formula= (((((((8 - X) + (13 + 15)) + ((20 * 18) * (10 - 10))) * (((2 * 12) - (9 * 18)) * ((9 * 2) + (8 - 12)))) * ((((19 * 15) * (9 - 17)) - ((16 - 16) * (7 + 14))) * (((20 *
5) + (1 * 8)) * ((1 * 7) * (15 - 14))))) * (((((9 + 5) - (14 - 1)) + ((3 + 19) + (12 - 17))) - (((13 * 20) * (20 * 18)) - ((19 - 16) - (8 * 3)))) + ((((10 * 13) * (10 * 16)) - ((13 * 4) * (12 * 16))) - (((20 * 2) - (14 - 8)) - ((9 - 8) * (5 + 7)))))) - ((((((1 * 8) - (9 - 17)) + ((8 - 2) - (7 + 1))) + (((16 - 17) + (6 - 5)) * ((3 * 5) - (10 + 14)))) + ((((10 + 17) * (9 * 19)) * ((9 * 16) - (19 - 6))) - (((7 + 12) * (5 * 12)) * ((11 - 13) + (13 - 6))))) - (((((20 - 19) + (1 * 16)) + ((3 - 17) - (17 * 19))) + (((9 * 7) - (1 - 1)) + ((1 + 20) - (8 - 20)))) - ((((7 - 18) - (8 - 12)) - ((11 * 5) * (20 - 6))) + (((3 + 16) + (3 * 20)) + ((8 - 8) + (10 * 17)))))))--7169925658970677
[+]ans= [10]
[+]senddata= 10
[+]receivedata= What does X equal?: YAAAAAY keep going
[+]receivedata= ((((((2 - X) + (5 + 7)) * ((5 + 5) - (4 - 19))) * (((1 * 10) * (8 + 20)) - ((5 - 16) + (20 * 2)))) * ((((9 * 4) - (4 * 4)) - ((3 + 13) - (5 + 7))) + (((8 * 15) - (1 + 14)) * ((5 - 20) - (19 * 14))))) * (((((7 - 9) * (12 - 3)) - ((8 + 2) * (12 * 20))) - (((19 + 15) - (13 * 15)) - ((19 - 14) * (9 * 18)))) + ((((20 - 2) + (6 * 15)) + ((9 + 11) * (3 * 5))) + (((4 * 4) * (13 + 18)) + ((6 * 3) - (3 * 3)))))) * ((((((20 + 12) + (18 - 3)) + ((12 * 1) + (5 + 15))) + (((3 * 2) + (19 * 4)) + ((13 - 19) + (18 * 12)))) * ((((13
- 18) - (2 - 6)) + ((19 + 19) + (1 - 7))) * (((11 * 6) * (17 - 2)) + ((17 - 2) - (20 - 9))))) * (((((13 + 9) - (16 - 11)) - ((8 * 12) + (17 - 20))) + (((9 + 6) * (17 + 16)) - ((6
+ 13) + (4 - 7)))) + ((((10 + 6) - (8 - 19)) * ((20 + 9) + (1 * 18))) + (((8 - 14) - (12 * 6)) * ((12 + 12) * (2 - 12)))))) = -115177287736476361956000
[+]formula= (((((((2 - X) + (5 + 7)) * ((5 + 5) - (4 - 19))) * (((1 * 10) * (8 + 20)) - ((5 - 16) + (20 * 2)))) * ((((9 * 4) - (4 * 4)) - ((3 + 13) - (5 + 7))) + (((8 * 15) - (1 + 14)) * ((5 - 20) - (19 * 14))))) * (((((7 - 9) * (12 - 3)) - ((8 + 2) * (12 * 20))) - (((19 + 15) - (13 * 15)) - ((19 - 14) * (9 * 18)))) + ((((20 - 2) + (6 * 15)) + ((9 + 11) *
(3 * 5))) + (((4 * 4) * (13 + 18)) + ((6 * 3) - (3 * 3)))))) * ((((((20 + 12) + (18 - 3)) + ((12 * 1) + (5 + 15))) + (((3 * 2) + (19 * 4)) + ((13 - 19) + (18 * 12)))) * ((((13 - 18) - (2 - 6)) + ((19 + 19) + (1 - 7))) * (((11 * 6) * (17 - 2)) + ((17 - 2) - (20 - 9))))) * (((((13 + 9) - (16 - 11)) - ((8 * 12) + (17 - 20))) + (((9 + 6) * (17 + 16)) - ((6 + 13) + (4 - 7)))) + ((((10 + 6) - (8 - 19)) * ((20 + 9) + (1 * 18))) + (((8 - 14) - (12 * 6)) * ((12 + 12) * (2 - 12)))))))--115177287736476361956000
[+]ans= [19]
[+]senddata= 19
[+]receivedata= What does X equal?: YAAAAAY keep going
[+]receivedata= flag{y0u_s0_60od_aT_tH3_qU1cK_M4tH5}
以降、例外発生
フラグゲット。
flag{y0u_s0_60od_aT_tH3_qU1cK_M4tH5}
