Nullcon HackIM 2013 CTF – Programming 100/200/300/400/500

Nullcon HackIM 2013 CTF is over! Congratulations to the crew for organizing a nice CTF.
As always, thanks fly to my teammates Archie and Nahuel!

Programming 100 – big fib –
calculate 150000th fibonacci series, and flag is sum of the alternate numbers from answers.

We have to add the alternate numbers from the Fibonacci series up to the 150000th number.
Just in case, we added the numbers in even positions and the numbers in odd positions.

def fibo(step):
    num1 = 1
    num2 = 1
    yield num1
    yield num2

    for i in xrange(step - 2):
        old = num2
        num2 = num1 + num2
        num1 = old
        yield num2

def sum_alternates():
    alternate1 = 0
    alternate2 = 0
    cont = 0

    for num in fibo(150000):
        cont += 1
        if (cont % 1000) == 0:
            print "%s..." % cont

        if cont % 2:
            alternate1 += num
        else:
            alternate2 += num

    print "Done."
    print "Results saved to alternates.txt"
    f = open('alternates.txt', 'w')
    f.write('Alternate1: %s\n\n' % alternate1)
    f.write('Alternate2: %s\n\n' % alternate2)
    f.close()

sum_alternates()

And the flag was a huge number with 31348 digits! I’m just copying a part of that number:

625968522280032271161918224714221.....7864221103148810616835489800000
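As an added example (Python 3, not part of the original write-up), the same two sums can be obtained without iterating over all 150000 terms: fast doubling computes a single Fibonacci number in O(log n) multiplications, and the standard identities F(1)+F(3)+...+F(2k-1) = F(2k) and F(2)+F(4)+...+F(2k) = F(2k+1) - 1 give the alternate sums directly. All function names are chosen for this example; the brute-force loop is kept as a cross-check.

```python
import math

def _fib_pair(n):
    """Return (F(n), F(n+1)) with F(0)=0, F(1)=1, using fast doubling."""
    if n == 0:
        return 0, 1
    a, b = _fib_pair(n >> 1)
    c = a * (2 * b - a)      # F(2k)   = F(k) * (2*F(k+1) - F(k))
    d = a * a + b * b        # F(2k+1) = F(k)^2 + F(k+1)^2
    return (d, c + d) if n & 1 else (c, d)

def fib(n):
    return _fib_pair(n)[0]

def alternate_sums(n):
    """Sums of the terms at odd and at even positions among F(1)..F(n)."""
    odd_count, even_count = (n + 1) // 2, n // 2
    # F(1)+F(3)+...+F(2k-1) = F(2k);  F(2)+F(4)+...+F(2k) = F(2k+1) - 1
    return fib(2 * odd_count), fib(2 * even_count + 1) - 1

def alternate_sums_bruteforce(n):
    """Same sums by direct iteration, as in the loop above (cross-check)."""
    a, b, odd, even = 1, 1, 0, 0
    for pos in range(1, n + 1):
        if pos % 2:
            odd += a
        else:
            even += a
        a, b = b, a + b
    return odd, even

def num_digits(v):
    """Decimal length without str(), which recent Python versions cap for huge ints."""
    d = int(math.log10(v)) + 1
    while 10 ** (d - 1) > v:   # correct a possible floating-point overshoot
        d -= 1
    while 10 ** d <= v:        # ... or undershoot
        d += 1
    return d

def leading_digits(v, k):
    return v // 10 ** (num_digits(v) - k)

if __name__ == "__main__":
    odd, even = alternate_sums(150000)
    print(num_digits(odd), leading_digits(odd, 6), odd % 10 ** 6)
```

The odd-position sum is the one with 31348 digits; its leading digits and trailing zeros agree with the excerpt of the flag shown above.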

Programming 200 – Lazy Baba
gives answer once in every 4 hours.

This level was a web page that shows the flag every 4 hours. So Nahuel made a Python script that keeps requesting the page until hitting the answer at the right time:

import httplib
import time

while True:
    try:
        conn = httplib.HTTPConnection("ctf.nullcon.net")
        conn.request("GET", "/challenges/programming/answer.php")
        resp = conn.getresponse()
        html = resp.read()
        if html:
            msg = "Response is: %r\n" % html
            fd = open("lazybaba_out.txt", "a")
            fd.write(msg)
            fd.close()
            print msg

        time.sleep(5)
    except Exception,e:
        pass

And this is an output snippet:

Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\nFlag is ABRAKADABRAGILIGILIGILI'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'
Response is: '\n'

So the flag for Programming 200 was: ABRAKADABRAGILIGILIGILI.

Programming 300 – Harmony in series
So our folks wanted to work on binomial series but they understood incorrectly so they made a series of this type.
if series is for 10 numbers
10/1 + 9/2 + 8/3 ….. 1/10 = 22.218
round to 2 decimal place = 22.21
now they did calculated this series for 31337 numbers can you help these guys in finding the number again.

And here’s the solution by Archie:

__author__ = 'archie'

"""
if series is for 10 numbers
10/1 + 9/2 + 8/3 ..... 1/10 = 22.218
round to 2 decimal place = 22.21
"""

n = 31337
sum = 0
for i in range(1, n + 1):  # n + 1 so the last term, 1/31337, is included
    #print "sum += %d/%d" % (n, i)
    sum += float(n)/float(i)
    n -= 1

print round(sum, 2)

And the flag for Programming 300 was: 311180.65

Programming 400 – funky text
Question – interpret and give answer.
start reading from left
if digit then add the digit.
if x then remove it and go back 2 places
if y then remove and go front 2 places
example : 12y34x56 answer is 14
how : 1 + 2 + 5 + 6 = 14

12y34x5612345678910xy0981235432x4765893x219532y875439664y3x2345688x754312x2456x7876554x43y324x6778y7643223457789494x98696763y15348798y765341y1878979

And the solution by Archie:

__author__ = 'archie'

'''
Question - interpret and give answer.
start reading from left
if digit then add the digit.
if x then remove it and go back 2 places
if y then remove and go front 2 places
example : 12y34x56 answer is 14
how : 1 + 2 + 5 + 6 = 14
'''

def f(input, current_pos=0, current_sum=0):
    #print "f(%s, current_pos=%d, current_sum=%d)" % (input, current_pos, current_sum)
    if current_pos >= len(input):
        return current_sum
    elif input[current_pos].isdigit():
        #print "Is a digit"
        return f(input, current_pos + 1, current_sum + int(input[current_pos]))
    elif input[current_pos] == "x":
        #print "Found x"
        input.remove(input[current_pos])
        return f(input, current_pos - 1, current_sum)
    elif input[current_pos] == "y":
        #print "Found y"
        input.remove(input[current_pos])
        return f(input, current_pos + 3, current_sum)
    else:
        print "Resultado no esperado: %s" % input[current_pos]

#lista = list("12y34x56")
#test = f(lista)
#if test == 14:
#    print "Test Ok"
#else:
#    print "Test Failed: Expected 14 -> Result: %d" % test

lista = list("12y34x5612345678910xy0981235432x4765893x219532y875439664y3x2345688x754312x2456x7876554x43y324x6778y7643223457789494x98696763y15348798y765341y1878979")
print f(lista)

And the flag for Programming 400 was: 557
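An iterative version of the same interpreter, added here as an example (Python 3, not Archie's code). It uses the offsets of the solution above (after deleting an "x" continue at index - 1, after deleting a "y" continue at index + 3), deletes the element at the current index rather than the first matching character, and records which digits were actually read. The name interpret, the trace argument and the clamping of the index at 0 are assumptions of this example.

```python
def interpret(text, trace=None):
    """Sum the digits of `text` under the challenge rules.

    If `trace` is a list, a tuple (index, digit, running_sum) is appended
    for every digit that gets added, so the walk can be inspected.
    """
    chars = list(text)
    pos = total = 0
    while pos < len(chars):
        ch = chars[pos]
        if ch.isdigit():
            total += int(ch)
            if trace is not None:
                trace.append((pos, ch, total))
            pos += 1
        elif ch == "x":
            del chars[pos]          # delete this element, not the first "x" in the list
            pos = max(pos - 1, 0)   # assumption: clamp, so -1 never wraps to the last element
        elif ch == "y":
            del chars[pos]          # after deletion the next character sits at `pos`
            pos += 3
        else:
            raise ValueError("unexpected character %r at index %d" % (ch, pos))
    return total

if __name__ == "__main__":
    steps = []
    print(interpret("12y34x56", steps))   # the example from the challenge text
    for index, digit, running in steps:
        print("index %d: +%s -> %d" % (index, digit, running))
```

Every "x" or "y" is deleted when it is read, so the list only shrinks and the loop always terminates.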

Programming 500 – copy paste
no time to copy paste and what you see is not what you get.

Basically you had to request a web page, copy & paste a phrase to a text field and submit
the form in less than two seconds.

So Archie made a crawler using the mechanize Python library:

__author__ = 'archie'

import mechanize
from bs4 import BeautifulSoup

"""
NullCon Programming 500 - copy paste -

Basically you need to copy & paste a phrase to a text field and submit
the form in less than two seconds.

Since i've done some crawlers with python and mechanize lib I went through that way.
"""

user_agent = ("TravestiSec Browser")
br = mechanize.Browser()
br.addheaders = [('User-agent', user_agent)]
response = br.open("http://ctf.nullcon.net/challenges/programming/challenge.php")

html = response.read()
soup = BeautifulSoup(html)
paragraph = soup.p.text.encode("utf-8")
#I couldn't decode chars below so I just replaced them
paragraph = paragraph.replace("\xc2", " ")
paragraph = paragraph.replace("\xa0", "")
#Now remove the part of the text we don't need and just leave the phrase
phrase_start_pos = paragraph.rfind("\n") + 1
phrase = paragraph[phrase_start_pos:].strip()

#Form does not have a name so we select it by number
br.select_form(nr=0)
#Set text field to phrase
br["answer"] = phrase
#Submit form and print response
br.submit()
print br.response().read()

The output was:

Congrats You won use 73404297426f8f7e9d63a01f0f3c3014b5f253f6 to claim the level</pre>
<form action="challenge.php" method="POST">
Type the words within 2 seconds to clear this level.

User submitted : For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled. - Richard P. Feynman

	Answer: <input type="text" autocomplete="off" name="answer" value="" />
<input type="submit" name="submit" value="Submit" /></form>
<pre>

So the flag for Programming 500 was: 73404297426f8f7e9d63a01f0f3c3014b5f253f6
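The two bytes replaced in the script, \xc2 and \xa0, are together the UTF-8 encoding of U+00A0 (no-break space), which is what makes the visible phrase differ from the bytes received. The following added example (Python 3 standard library only, not the original solution) decodes the response first and then maps the no-break spaces to ordinary spaces. The sample HTML is constructed for illustration and is not the real challenge page; extract_phrase and SAMPLE are names chosen here.

```python
from html.parser import HTMLParser

class _FirstParagraph(HTMLParser):
    """Collect the text content of the first <p> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)   # &nbsp; is delivered as U+00A0
        self.inside, self.done, self.parts = False, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "p" and not self.done:
            self.inside = True

    def handle_endtag(self, tag):
        if tag == "p" and self.inside:
            self.inside, self.done = False, True

    def handle_data(self, data):
        if self.inside:
            self.parts.append(data)

def extract_phrase(raw_bytes):
    """Return the last non-empty line of the first paragraph, with U+00A0 as a space."""
    parser = _FirstParagraph()
    parser.feed(raw_bytes.decode("utf-8"))   # decode first: \xc2\xa0 becomes one character
    parser.close()
    text = "".join(parser.parts).replace("\u00a0", " ")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[-1] if lines else ""

# Constructed sample: one raw UTF-8 no-break space pair and one &nbsp; entity.
SAMPLE = (b"<html><body><p>Type the words within 2 seconds.<br>\n"
          b"For\xc2\xa0a&nbsp;successful\xc2\xa0technology</p>"
          b"<form><input type=\"text\" name=\"answer\"></form></body></html>")

if __name__ == "__main__":
    print(repr(extract_phrase(SAMPLE)))
```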


6 thoughts on “Nullcon HackIM 2013 CTF – Programming 100/200/300/400/500”

  1. For the programming 400, can you explain why it is necessary to subtract 1 and add 3, rather than the 2 the instructions specify? Even if you interpret the instructions as ‘skip 2 characters’ you do not end up with 14 total on the example. I have added additional output to your solution to illustrate the problem:

    (1)2y34x56
    step1: current_pos = 0 adding: 1

    1(2)y34x56
    step2: current_pos = 1 adding: 2

    12(y)34x56
    step3: current_pos = 2 y: removing and moving front

    1234x(5)6
    step4: current_pos = 5 adding: 5

    1234x5(6)
    step5: current_pos = 6 adding: 6

    On step 4, your code (and presumably the correct answer) has our pointer landing on the 5. Which takes 3 steps, if you remove the ‘y’ first (as the instructions say), or 4 steps if you move before removing the ‘y’ (which would be wrong as well).

    As far as I can see, if you first remove the ‘y’, then move 2, you should be pointing at the ‘x’ for step 4?

    Thanks
    /Salernost

  2. Logically speaking, you don’t need to write a program to sum up the alternate numbers of Fibonacci Series up to 150000th.
    Observation:
    considering Fibonacci Series up to 10,
    which is 1,1,2,3,5,8,13,21,34
    here sum up 1st 2 alternate nos. : 1 (1st in pos) + 2 (3rd in pos) = 3 (position of last alternate no. + 1)
    Similarly Sum up 4 alternate nos. : 1+2+5+13=21 (which is next in position to no. 13).

    Therefore if we simply calculate the 150000th no. in Fibo. series, the sum of all alternate numbers, is the 150000th number itself.

  3. @Stephen

    I had the same doubts as you when I first read the example, so I went with the TDD approach (well, sort of) and just wrote my function in a way that would match 14.

    The logic would be that when you remove an “x” or “y” you move to the next position and so you count two places forward or backwards from there and not from where you were.

  4. Thanks for showing the last digits of the Fib[150000]! It completed my pattern and now I can tell you with 99.99% certainty that Fib [225000] ends in 700000 and Fib[1500000] ends in 8000000. I don’t have much skill in programming, so if you know any software (or maybe you have compiled something of your own) that would let me calculate Fib numbers way beyond 150000, please let me know!
