DefCon CTF Quals GrabBag 300 Writeup
The question was:
Question: This is semi-real. 🙁
140.197.217.85:10435
Password: 5fd78efc6620f6
When you would connect using netcat you would see a 9 numbers and a user PIN. This would repeat thrice and then you would have to choose the right pin for the fourth pair 6×6 matrix of numbers. My first reaction was either the PINS were constant or they were following a pattern. So I wrote up this quick python script to solve this puzzle which helped me understand the problem also.
#!/usr/bin/python
import socket, re, threading, time
lookupdict = []
def process_array_pin(fs,s):
i = 6
temp = ''
pin = ''
while i > 0:
line = fs.readline()
#print line
#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
test = re.split(' ',line)
#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
i = i - 1
try:
temp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
except IndexError:
pass
#i = 15
#while i > 0:
# print fs.readline()
# i = i - 1
#s.send('2\n')
#i = 15
#while i > 0:
# print fs.readline()
# i = i - 1
line = fs.readline()
try:
pin = re.match("..........User entered: (.*)", line).group(1)
except:
pass
#pin = fs.readline()
#print 'Line: '+line
#print 'Pin is : '+pin
strpin = re.sub(' ','',pin)
#strpin = re.split(' ',pin)
#lookupdict[temp] = strpin
print 'Pin for : ' + temp+' is '+strpin+'\n'
return temp,strpin
def play():
global fs, s
s = socket.create_connection(('140.197.217.85', 10435))
fs = s.makefile()
s.send('5fd78efc6620f6\n')
print fs.readline()
print fs.readline()
print fs.readline()
answer = []
numTimes = 0
while numTimes < 5:
j = 3
while j > 0:
test = process_array_pin(fs,s)
lookupdict.append(test[0])
lookupdict.append(test[1])
j = j - 1
if j > 0:
numlines = 3
while numlines > 0:
fs.readline()
numlines = numlines - 1
fs.readline()
pindigits = list(lookupdict[1])
#print pindigits
pinpos = 0
for num in pindigits:
i = 0
start = 0
end = len(lookupdict[0])
while i < lookupdict[0].count(num):
indofinterest = lookupdict[0].find(num,start,end)
#print 'index of interest '+str(indofinterest)
if lookupdict[2][indofinterest] == lookupdict[3][pinpos]:
if lookupdict[4][indofinterest] == lookupdict[5][pinpos]:
answer.append(indofinterest)
break
i = i + 1
start = indofinterest+1
pinpos = pinpos + 1
#print answer
# Get question
i = 6
temp1 = ""
while i > 0:
line = fs.readline()
#print line
#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
test = re.split(' ',line)
#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
temp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
i = i - 1
#fs.read(14)
#fs.flush()
print "Question : " +temp1+'\n'
answerstr = ''
count = 0
for i in answer:
answerstr += temp1[i]
#print temp1[i],
count = count + 1
if count < 4:
answerstr += ' '
else:
answerstr += '\n'
print "Answer : "+answerstr
s.send(answerstr)
output = fs.readline()
#output = fs.readline()
print output
if output.find('Sun') > -1:
output = fs.readline()
else:
a = 10
while a > 0:
print fs.readline()
a = a - 1
#output = fs.readline()
#print 'Inside else\n'
#if output.find('NOVA') > -1:
# print 'NOVAFOUND!!!!!\n'
s.send('2\n')
print 'Sent last\n'
a = 100
while a > 0:
print fs.readline()
s.send('%d%n\n')
a = a - 1
#print fs.readline()
break
del answer[:]
del lookupdict[:]
del pindigits[:]
numTimes += 1
s.close()
#for i in range(2000):
#threading.Thread(target=play).start()
play()
The above file reads the numbers, filters out the formatting that adds color to the digits and picks out the indices that would be chosen as the key.
So to solve this, each pattern of digits had fixed matrix positions that would be chosen as the pin. Once you successfully solve the puzzle four time you are presented with an ATM screen as follows:
***NOVABANK ATM menu*** Balance: $9238740982570237012935.32 1) withdraw 2) deposit 3) transfer 4) exit <disconnected>
The real part is the balance i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it at which time it worked.
This was a really cool problem. Thanks DDTEK.