CTF Writeup – CrikeyCon 2017: Fast Math

Category: Coding
Points: 300
Solves: 14
Description:  crikeyconctf.dook.biz:23776

Probing the host

Before doing anything else on this host I attempted to ncat to it, receiving the following:

The time between being presented with the challenge and receiving a timeout was a mere two seconds. Although handy with a calculator this wouldn’t be possible without a script/bot. I also noted that the response and timing to answer didn’t change on a second connection, but the base operator did. I then felt comfortable writing a script to connect to the host and return an answer to basic math questions (+-/*).

First answer script attempt

I put together a bot which would connect to the host and parse the challenge question using regex so it could answer it using an expression. This resulted in the following spaghetti code:

Regular expression (attempt)

The most important line here was the regex which consisted of the following (see if you can spot the mistake!):

This would skip everything proceeding the colon and whitespace and then group both sets of numbers, and the whitespace/operator between them for evaluation.

The response to this was the following:

I spent far more time on this part of the challenge than I care to admit. I didn’t entirely read my logs and spent my time stuck on the two lines where I have Sending 1766845 and the response 459060 is not correct and put a lot of focus into trying to identify why a different response was being sent to what was calculated (not the truth, but it’s what I was thinking).

Adding further regular expressions to catch x=x

Eventually I identified that the response to an answer was:

AnswerProvided is correct
AnswerProvided = AnswerProvided

And then the next question would be presented. This was causing issues with my regex as I was passing values from the previous answer into my group, ultimately preventing the correct evaluation from sending.

I resolved this by continuing back to the beginning of my loop if there wasn’t a mathematical operator in my decoded string, putting this after the sentinel check as I didn’t want to miss my flag (which likely wouldn’t contain an operator). This looked like the following:

Updating regular expression to handle more than one digit

This got me to question number 10 – at which point I realized that my regex of:

Would only work if I were to be presented with a single digit question. I updated this to the following:

Essentially the same as above, but it would now capture two digits over one as I didn’t expect the challenges to go past 99 (although could use \d* if they were to).

Flag Reveal

After making the changes above and letting the bot run for fifty questions I was then rewarded with the flag (redacted):