Wednesday, 14 November 2018

Gofuscated Square CTF 2018

This is a writeup for the Gofuscated challenge in Square CTF 2018.

We were provided a Go program which takes a 26-character input and performs several checks on it. If all the checks pass, the value of the flag is printed.

Note: In Go, you can print the value of variables using fmt.Println(). This will be useful while solving the challenge.

The main function of the Go program is shown below:

There were 4 compute functions, and their purposes are as follows:

1. compute1: It displays an interesting animation :)

2. compute2: It runs a long for loop for Space * Rounds iterations (total iterations: 100000 * 100000). This will take a few minutes to complete. After completing the iterations, it returns a 16-byte hex string.

h := compute2([]byte(input), done)

As we can see later in the code, h corresponds to our flag:

flag := <-h

3. Before the flag is printed, there is a call to the function another_helper(), and its return value must be true for our flag to be printed.

4. The another_helper() function takes an input string which was generated by compute4().

So, let's see how compute4() is used to process our input.

It first generates a mapping as shown below:

We can print the value of the map using fmt.Println(m)

This gives us the mapping as:

[100:113 114:114 109:121 107:122 122:102 97:104 111:110 110:97 102:106 116:120 112:119 118:101 106:111 117:112 113:103 105:105 115:107 121:108 104:109 120:98 101:99 108:100 103:118 98:115 99:116 119:117]

Then, this mapping is used to shuffle the characters in our input string.

If our input is: abcdefghijklmnopqrstuvwxyz

Then after shuffling the characters in the input using the above mapping we get: hstqcjvmiozdyanwgrkxpeublf

This value is passed to the another_helper() function for validation.

The another_helper() function is shown below:

It checks the input to ensure that the ASCII value of each character is less than or equal to the ASCII value of the characters after it.

So, if the another_helper() function receives abcdefghijklmnopqrstuvwxyz as input, it returns true.

To solve this challenge, we need to pass an input such that the compute4() function returns: abcdefghijklmnopqrstuvwxyz

We can leverage the mapping above to get the value of an input which satisfies the above requirement.

Input: nxelvzqaifsyhojudrbcwgptmk
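
The inversion described above, written out as an added example (not code from the challenge or from the original post). It treats compute4() as the byte-for-byte substitution that the printed map implies; the function names substitute, invert and isSorted are this example's own, standing in for compute4() and another_helper(), whose source is not reproduced on this page.

```go
package main

import "fmt"

// Mapping printed by fmt.Println(m) in the writeup: input byte -> output byte.
var m = map[byte]byte{
	100: 113, 114: 114, 109: 121, 107: 122, 122: 102, 97: 104, 111: 110, 110: 97, 102: 106,
	116: 120, 112: 119, 118: 101, 106: 111, 117: 112, 113: 103, 105: 105, 115: 107, 121: 108,
	104: 109, 120: 98, 101: 99, 108: 100, 103: 118, 98: 115, 99: 116, 119: 117,
}

// substitute (hypothetical name) models the observed effect of compute4():
// every byte of s is replaced through the table.
func substitute(table map[byte]byte, s string) string {
	out := make([]byte, len(s))
	for i := range out {
		out[i] = table[s[i]]
	}
	return string(out)
}

// invert builds the output -> input table; it fails if two inputs share an
// output, because then the substitution could not be undone.
func invert(table map[byte]byte) (map[byte]byte, error) {
	inv := make(map[byte]byte, len(table))
	for k, v := range table {
		if prev, dup := inv[v]; dup {
			return nil, fmt.Errorf("%q and %q both map to %q", prev, k, v)
		}
		inv[v] = k
	}
	return inv, nil
}

// isSorted (hypothetical name) mirrors the check described for
// another_helper(): each byte is <= the byte that follows it.
func isSorted(s string) bool {
	for i := 1; i < len(s); i++ {
		if s[i-1] > s[i] {
			return false
		}
	}
	return true
}

func main() {
	inv, err := invert(m)
	if err != nil {
		panic(err)
	}
	in := substitute(inv, "abcdefghijklmnopqrstuvwxyz")
	fmt.Println(in, isSorted(substitute(m, in)))
}
```
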

Now we can pass the string "nxelvzqaifsyhojudrbcwgptmk" as input to the program, and it will print our flag as shown below:


