hacktracking: September 2017

# EkoParty CTF 2017: OnTheWire (300) - Misc

Introduction

We have sniffed some bytes of a transmission. What does it say?
51 91 51 31 51 71 112 31 51 123 91 71 95 127 121 51 112 95 121 121 91 71 112 126 112 112 95 79 121 121 95 51 91 71 112 123 121 126 112 91 112 109 91 71 95 51 121 48 112 121 112 126 95 78 121 51 112 123 112 61

Hint
You will see the flag in a lcd display

Solution

# cat onthewire.py

bytes = [51, 91, 51, 31, 51, 71, 112, 31, 51, 123, 91, 71, 95, 127, 121, 51, 112, 95, 121, 121, 91, 71, 112, 126, 112, 112, 95, 79, 121, 121, 95, 51, 91, 71, 112, 123, 121, 126, 112, 91, 112, 109, 91, 71, 95, 51, 121, 48, 112, 121, 112, 126, 95, 78, 121, 51, 112, 123, 112, 61]

r = ''
table = {}

for b in bytes:
 if hex(b) not in table:
  letter = raw_input(hex(b) + '? ')
  table[hex(b)] = letter
 else:
  letter = table[hex(b)]
 r += letter

print r.decode('hex')

# python onthewire.py
0x33? 4
0x5b? 5
0x1f? b
0x47? f
0x70? 7
0x7b? 9
0x5f? 6
0x7f? 8
0x79? 3
0x7e? 0
0x4f? e
0x6d? 2
0x30? 1
0x4e? c
0x3d? d
EKO{I_h4v3_pwn3d_y0ur_d1spl4y}

Reference

https://en.wikichip.org/wiki/seven-segment_display/representing_letters

# GynvaelEN mission 015

# cat mission_15.py
import hashlib
import itertools
import png
import numpy as np

r = png.Reader(file = open('leak.png'))
(width, height, iterator, info) = r.read()

b = [0] * width

for i in iterator:
 row = i.tolist()
 for i in xrange(0, len(row), 3):
  value = row[i:i + 3]
  if value == [255, 0, 0]:
   b[i / 3] += 1

print ''.join([chr(c) for c in b])

hashes = [
 'e6d9fe6df8fd2a07ca6636729d4a615a',
 '273e97dc41693b152c71715d099a1049',
 'bd014fafb6f235929c73a6e9d5f1e458',
 'ab892a96d92d434432d23429483c0a39',
 'b56a807858d5948a4e4604c117a62c2d'
]

alphabet = ' !ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

password = [' '] * 5
counter = 0

for result in itertools.product(alphabet, repeat = 5):
 word = ''.join(list(result))
 m = hashlib.md5()
 m.update(word)
 hd = m.hexdigest()
 if hd in hashes:
  pos = hashes.index(hd)
  print pos, word
  password[pos] = word
  counter += 1
  if counter == 5: break

print ''.join(password)

# python mission_15.py
<?php

if (!isset($_GET['password']) || !is_string($_GET['password'])) {
  die("bad password");
}

$p = $_GET['password'];

if (strlen($p) !== 25) {
  die("bad password");
}

if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
  die("bad password");
}

// Split the password in five and check the pieces.
// We need to be sure!
$values = array(
  0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
  5 => '273e97dc41693b152c71715d099a1049',
  10 => 'bd014fafb6f235929c73a6e9d5f1e458',
  15 => 'ab892a96d92d434432d23429483c0a39',
  20 => 'b56a807858d5948a4e4604c117a62c2d'
);

for ($i = 0; $i < 25; $i += 5) {
  if (md5(substr($p, $i, 5)) !== $values[$i]) {
    die("bad password");
  }
}

die("GW!");

2  are
0 Pie c
3 delic
1 harts
4 ious!
Pie charts are delicious!

Source

https://www.youtube.com/watch?v=BQRX3owv2JI (1:57:30)