# Teaser CTF 2015 writeup (So easy, power level)

Teaser CTF is run by *Dragon Sector*, a Polish security Capture The Flag team. It was created in February 2013 and currently has 13 active members.

I solved two challenges on the first evening (so easy, power level) and tried to solve the pwnable challenge *quine* on Sunday morning but failed; I found a write-anywhere vulnerability but I didn't see how to exploit it.

### 1. power level (50 points)

This is a cryptography challenge; the encryption algorithm and the ciphertext are given. The first 4 input characters are used as parameters of a polynomial, which decides which encryption routine is used for each character to calculate an output.

So the complexity of brute-forcing the key is (127-32)^4 ≈ 2^24, which is fairly weak, and we can brute-force this deterministic encryption algorithm.

The following is part of the brute-forcing code:

```c
#include <stdio.h>

/* f() and the routine table e[] come from the challenge source (not shown here). */
unsigned int result[4] = {8, 223, 137, 2};   /* values the four characters must produce */

int main()
{
    int a, b, c, d;          /* candidate characters */
    unsigned int v[4];       /* output computed for each candidate */
    int count = 0;
    int flag = 0;

    printf("%u %u %u %u\n", result[0], result[1], result[2], result[3]);
    for (a = 1; a < 128; a++) {
        for (b = 1; b < 128; b++) {
            for (c = 1; c < 128; c++) {
                for (d = 1; d < 128; d++) {
                    /* f() selects the routine; its value is also XORed into the output */
                    v[0] = f(a);
                    v[0] = e[v[0] % 1000](a) ^ (v[0] % 251);
                    v[1] = f(b);
                    v[1] = e[v[1] % 1000](b) ^ (v[1] % 251);
                    v[2] = f(c);
                    v[2] = e[v[2] % 1000](c) ^ (v[2] % 251);
                    v[3] = f(d);
                    v[3] = e[v[3] % 1000](d) ^ (v[3] % 251);
                    /* progress indicator */
                    if (!(count++ % 100000))
                        printf("%d ", count / 100000);
                    if (v[0] == result[0]
                        && v[1] == result[1]
                        && v[2] == result[2]
                        && v[3] == result[3]) {
                        flag = 1;
                        printf("\n%c %c %c %c\n", (char)a, (char)b, (char)c, (char)d);
                        return 0;
                    }
                }
            }
        }
    }
    if (!flag) {
        printf("not found!\n");
    }
    return 1;
}
```

After getting the key (the first four bytes), we can build a table for each ASCII code and decrypt the ciphertext.

PS: the encryption is not a one-to-one mapping, so we need to resolve some hash collisions.

The flag is:

```
DrgnS{SoManySoEasyafa56ba19cfd816e3e973eafc91ab34e}
```

### 2. So easy (100 points)

This is a reverse engineering challenge. The program gets an input string, flips the upper/lower case and compares it to `DrgnS{ThisWasSoEasy}`; if they are equal it calls `printf("Congratulations")`. However, this is not the correct flag. After some searching I found that before calling the main function, the program calls `sub_80488BE()`, which makes many `__cxa_atexit()` calls. The functions registered this way are called after `exit()` in reverse order of registration. After some analysis, the input string is actually compared to the following string:

```
DrgnS{NotEvenWarmedUp}
```
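The ordering described above, as an added example that is not part of the original writeup or the challenge binary: a constructor (standing in for `sub_80488BE()`) registers handlers before `main`, and they run after `exit()` in reverse order of registration. All function names are hypothetical; it assumes GCC or Clang on a POSIX system.

```c
/* Added example: constructed demo, not the challenge binary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

static int out_fd = -1;   /* pipe to the parent; -1 means "not in the demo child" */

static void emit(const char *s) {
    if (out_fd >= 0 && write(out_fd, s, strlen(s)) < 0) perror("write");
}
static void step_a(void) { emit("A"); }
static void step_b(void) { emit("B"); }
static void step_c(void) { emit("C"); }

/* Runs before main(): registers the hidden steps in the order A, B, C. */
__attribute__((constructor))
static void hidden_init(void) { atexit(step_a); atexit(step_b); atexit(step_c); }

/* Decoy logic: what a quick read of main() alone would show. */
static void decoy_main(void) { emit("main;"); }

/* Runs the scenario in a child process and returns what it wrote, in order. */
const char *trace_exit_order(void) {
    static char buf[32];
    int p[2];
    memset(buf, 0, sizeof buf);
    if (pipe(p) != 0) return NULL;
    pid_t pid = fork();      /* the child inherits the registered handlers */
    if (pid < 0) return NULL;
    if (pid == 0) {
        close(p[0]);
        out_fd = p[1];
        decoy_main();
        exit(0);             /* handlers fire here, last registered first */
    }
    close(p[1]);
    size_t n = 0;
    ssize_t r;
    while (n < sizeof buf - 1 && (r = read(p[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return buf;
}

int main(void) { printf("%s\n", trace_exit_order()); return 0; }
```

When reversing a binary like this, the initializer list and any `atexit`/`__cxa_atexit` registrations need to be read alongside `main`, since the real comparison can live in either.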

For more writeups, please refer to:

https://github.com/ctfs/write-ups-2015/tree/master/confidence-ctf-teaser-2015
