The First Half: Reloaded

Cryptography · MUST CTF: 2024 · Superior

Problem

This code represents a challenge where the goal is to deduce a secret "flag" value using a partially leaking encryption process.

The Encryption Process:

  1. Flag Setup:

    • A flag is fetched from the environment variable flag, defaulting to a placeholder value if not set.

    • The flag is stored as a byte-encoded string.

  2. Leak Function:

    • The function leak(i) takes an index i and returns the XOR of the i-th byte of the flag with a randomly chosen byte from the string MUSTCTF.

  3. User Interaction:

    • The program accepts user input i to specify the index of the flag byte to leak.

    • Leaks are restricted to the first half of the flag (len(flag) // 2).

  4. Termination:

    • An unexpected input or exception breaks the loop, terminating the process.

  5. Remote Access:

    • Players interact with the challenge through a remote service using the command:

      nc 139.162.5.230 10169
import os

flag = os.environ.get('flag', 'MUSTCTF{fake_flag_for_testing}').encode()

def leak(i):
    from random import choice
    return flag[i] ^ choice(b'MUSTCTF')


while True:
    try:
        i = int(input('i = '))
        assert i < len(flag) // 2  # Sorry. Only first half is leaked
        print('Leak:', leak(i))
    except Exception:
        print('Unexpected error')
        break

Solution

This Python script uses the Pwntools library to communicate with the remote server and deduce the flag:

  1. Setup:

    • Establishes a remote connection to the provided address.

    • Initializes an empty flag array to store deduced bytes.

    • Defines allowed_chars as the byte string b"MUSTCTF".

  2. Deduction Logic:

    • A helper function deduce_flag_byte iterates over possible byte values (0–255) and determines which matches the leaked XORed values.

    • A byte is deemed correct if XORing it with each leaked value produces a valid character from allowed_chars.

  3. Leaking Flag Bytes:

    • For each index in the last half of the flag (-32 to 0):

      • Sends the index to the remote service multiple times to gather leak values.

      • Uses deduce_flag_byte to find the actual flag byte.

      • Maps the deduced byte to the correct position in the flag array.

  4. Error Handling:

    • Handles EOF errors gracefully, ensuring the connection is closed cleanly.

  5. Output:

    • Prints the partially or fully reconstructed flag, replacing undeduced bytes with a ?.

from pwn import *

io = remote("139.162.5.230", 10169)

flag = [None] * 40

allowed_chars = b"MUSTCTF"

def deduce_flag_byte(leaks):
    for char in range(256):
        if all((char ^ leak) in allowed_chars for leak in leaks):
            return char
    return None

try:
    for i in range(-32, 0):
        leaks = []
        for _ in range(100):
            io.sendlineafter(b"i = ", str(i).encode())
            io.recvuntil(b"Leak: ")
            leak_value = int(io.recvline().strip())
            leaks.append(leak_value)

        flag_byte = deduce_flag_byte(leaks)
        
        positive_index = 32 + i
        
        if flag_byte is not None:
            flag[positive_index] = flag_byte
            print(f"Flag[{positive_index}] = {chr(flag[positive_index])}")
        else:
            print(f"Could not deduce Flag[{positive_index}]")

except EOFError:
    print("Connection closed by the server.")
finally:
    io.close()

print("Flag:", "".join(chr(c) if c else '?' for c in flag))

Last updated