{"id":345,"date":"2012-06-03T21:22:02","date_gmt":"2012-06-04T02:22:02","guid":{"rendered":"http:\/\/www.rajatswarup.com\/blog\/?p=345"},"modified":"2013-01-19T10:41:30","modified_gmt":"2013-01-19T15:41:30","slug":"defcon-ctf-quals-grabbag-300-writeup","status":"publish","type":"post","link":"https:\/\/www.rajatswarup.com\/blog\/2012\/06\/03\/defcon-ctf-quals-grabbag-300-writeup\/","title":{"rendered":"DefCon CTF Quals GrabBag 300 Writeup"},"content":{"rendered":"<p>The question was:<br \/>\nQuestion: This is semi-real. \ud83d\ude41<br \/>\n140.197.217.85:10435<br \/>\nPassword: 5fd78efc6620f6<\/p>\n<p>When you connected using netcat, you would see 9 numbers and a user PIN. This would repeat thrice, and then you would have to choose the right PIN for the fourth pair 6&#215;6 matrix of numbers. My first reaction was that either the PINs were constant or they were following a pattern. So I wrote up this quick Python script to solve this puzzle, which also helped me understand the problem.<\/p>\n<pre>#!\/usr\/bin\/python\r\nimport socket, re, threading, time\r\n \r\nlookupdict = []\r\n\r\ndef process_array_pin(fs,s):\r\n\ti = 6\r\n\ttemp = ''\r\n\tpin = ''\r\n\twhile i > 0:\r\n\t\tline = fs.readline()\r\n\t\t#print line\r\n\t\t#re.match(\".{11}(.).{12}(.).{12}(.)\", line).group(1)\r\n\t\ttest = re.split(' ',line)\r\n\t\t#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]\r\n\t\ti = i - 1\r\n\t\ttry:\r\n\t\t\ttemp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]\r\n\t\texcept IndexError:\r\n\t\t\tpass\r\n\t\t\t#i = 15\r\n\t\t\t#while i > 0:\r\n\t\t\t#\tprint fs.readline()\r\n\t\t\t#\ti = i - 1\r\n\t\t\t#s.send('2\\n')\r\n\t\t\t#i = 15\r\n\t\t\t#while i > 0:\r\n\t\t\t#\tprint fs.readline()\r\n\t\t\t#\ti = i - 1\r\n\tline = fs.readline()\r\n\ttry:\r\n\t\tpin = re.match(\"..........User entered: (.*)\", line).group(1)\r\n\texcept:\r\n\t\tpass\r\n\t#pin = fs.readline()\r\n\t#print 'Line: '+line\r\n\t#print 'Pin is : '+pin\r\n\tstrpin = re.sub(' 
','',pin)\r\n\t#strpin = re.split(' ',pin)\r\n\t#lookupdict[temp] = strpin\r\n\tprint 'Pin for : ' + temp+' is '+strpin+'\\n'\r\n\treturn temp,strpin\r\ndef play():\r\n\tglobal fs, s\r\n\ts = socket.create_connection(('140.197.217.85', 10435))\r\n\tfs = s.makefile()\r\n\ts.send('5fd78efc6620f6\\n')\r\n\tprint fs.readline()\r\n\tprint fs.readline()\r\n\tprint fs.readline()\r\n\tanswer = []\r\n\tnumTimes = 0\r\n\twhile numTimes < 5:\r\n\t\tj = 3\r\n\t\twhile j > 0:\r\n\t\t\ttest = process_array_pin(fs,s)\r\n\t\t\tlookupdict.append(test[0])\r\n\t\t\tlookupdict.append(test[1])\r\n\t\t\tj = j - 1\r\n\t\t\tif j > 0:\r\n\t\t\t\tnumlines = 3\r\n\t\t\t\twhile numlines > 0:\r\n\t\t\t\t\tfs.readline()\r\n\t\t\t\t\tnumlines = numlines - 1\r\n\t\tfs.readline()\r\n\t\tpindigits = list(lookupdict[1])\r\n\t\t#print pindigits\r\n\t\tpinpos = 0\r\n\t\tfor num in pindigits:\r\n\t\t\ti = 0\r\n\t\t\tstart = 0\r\n\t\t\tend = len(lookupdict[0])\r\n\t\t\twhile i < lookupdict[0].count(num):\r\n\t\t\t\tindofinterest = lookupdict[0].find(num,start,end)\r\n\t\t\t\t#print 'index of interest '+str(indofinterest)\r\n\t\t\t\tif lookupdict[2][indofinterest] == lookupdict[3][pinpos]:\r\n\t\t\t\t\tif lookupdict[4][indofinterest] == lookupdict[5][pinpos]:\r\n\t\t\t\t\t\tanswer.append(indofinterest)\r\n\t\t\t\t\t\tbreak\r\n\t\t\t\ti = i + 1\r\n\t\t\t\tstart = indofinterest+1\r\n\t\t\tpinpos = pinpos + 1\r\n\t\t#print answer\r\n\t\t# Get question\r\n\t\ti = 6\r\n\t\ttemp1 = \"\"\r\n\t\twhile i > 0:\r\n\t\t\tline = fs.readline()\r\n\t\t\t#print line\r\n\t\t\t#re.match(\".{11}(.).{12}(.).{12}(.)\", line).group(1)\r\n\t\t\ttest = re.split(' ',line)\r\n\t\t\t#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]\r\n\t\t\ttemp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]\r\n\t\t\ti = i - 1\r\n\t\t#fs.read(14)\r\n\t\t#fs.flush()\r\n\t\tprint \"Question : \" +temp1+'\\n'\r\n\t\tanswerstr = ''\r\n\t\tcount = 0\r\n\t\tfor i in answer:\r\n\t\t\tanswerstr += temp1[i]\r\n\t\t\t#print 
temp1[i],\r\n\t\t\tcount = count + 1\r\n\t\t\tif count < 4:\r\n\t\t\t\tanswerstr += ' '\r\n\t\t\telse:\r\n\t\t\t\tanswerstr += '\\n'\r\n\t\tprint \"Answer : \"+answerstr\r\n\t\ts.send(answerstr)\r\n\t\toutput = fs.readline()\r\n\t\t#output = fs.readline()\r\n\t\tprint output\r\n\t\tif output.find('Sun') > -1:\r\n\t\t\toutput = fs.readline()\r\n\t\telse:\r\n\t\t\ta = 10\r\n\t\t\twhile a > 0:\r\n\t\t\t\tprint fs.readline()\r\n\t\t\t\ta = a - 1\r\n\t\t\t#output = fs.readline()\r\n\t\t\t#print 'Inside else\\n'\r\n\t\t\t#if output.find('NOVA') > -1:\r\n\t\t\t#\tprint 'NOVAFOUND!!!!!\\n'\r\n\t\t\ts.send('2\\n')\r\n\t\t\tprint 'Sent last\\n'\r\n\t\t\ta = 100\r\n\t\t\twhile a > 0:\r\n\t\t\t\tprint fs.readline()\r\n\t\t\t\ts.send('%d%n\\n')\r\n\t\t\t\ta = a - 1\r\n\t\t\t#print fs.readline()\r\n\t\t\tbreak\r\n\t\tdel answer[:]\r\n\t\tdel lookupdict[:]\r\n\t\tdel pindigits[:]\r\n\t\tnumTimes += 1\r\n\t\r\n\ts.close()\r\n#for i in range(2000):\r\n#threading.Thread(target=play).start()\r\nplay()<\/pre>\n<p>The above script reads the numbers, filters out the formatting that adds color to the digits, and picks out the indices that would be chosen as the key.<\/p>\n<p>The key to solving this was that each pattern of digits had fixed matrix positions that would be chosen as the PIN. Once you successfully solve the puzzle four times, you are presented with an ATM screen as follows:<\/p>\n<pre> ***NOVABANK ATM menu***\r\n\r\n Balance: $9238740982570237012935.32\r\n\r\n 1) withdraw\r\n 2) deposit\r\n 3) transfer\r\n 4) exit\r\n\r\n &lt;disconnected&gt;<\/pre>\n<p>The real part is the balance, i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it, at which time it worked.<\/p>\n<p>This was a really cool problem. Thanks DDTEK.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The question was: Question: This is semi-real. 
\ud83d\ude41 140.197.217.85:10435 Password: 5fd78efc6620f6 When you connected using netcat, you would see 9 numbers and a user PIN. This would repeat thrice, and then you would have to choose the right PIN for the fourth pair 6&#215;6 matrix of numbers. My first reaction was that either the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[230],"tags":[222,224,223],"class_list":["post-345","post","type-post","status-publish","format-standard","hentry","category-howto","tag-ctf","tag-defcon","tag-quals"],"_links":{"self":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/comments?post=345"}],"version-history":[{"count":4,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/345\/revisions"}],"predecessor-version":[{"id":368,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/345\/revisions\/368"}],"wp:attachment":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/media?parent=345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/categories?post=345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/tags?post=345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}