DawgCTF 2021: BBomb - Phase 4

BBomb - Phase 4

Category: Binary Bomb

chal

150 points

This is the phase you have been waiting for… one may say it’s the golden stage!

Let’s switch things up! Numerical inputs map to line numbers in rockyou.txt, and each word is separated by a ’’ (if the phase’s solution is 4 5, the flag would be DawgCTF{passwordiloveyou})

rockyou.txt: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Author: treap_treap

Solution

Fourth phase of Binary Bomb challenge chain which started with BBomb - Phase 1.

ghidra

As it was in BBomb - Phase 3 we’ve been given some logic with helper functions.

func4

Once again I’ve decided to rewrite the logic and bruteforce. During implementation I’ve realized that func4 is actually a Fibonacci Series. With that knowledge I was able to optimize the program and get flag really fast in reasonable time.

import concurrent.futures

encoded_flag = [1, 0x7b, 0x3b18, 0x1c640d]
decoded_flag = [0 for i in range(4)]
flag = ''

answers = {}

def func4(n):
    if n < 1:
        return 0
    elif n == 1:
        return 1
    else:
        if n not in answers:
            n1 = func4(n - 1)
            n2 = func4(n - 2)
            answers[n] = n1 + n2
        return answers[n]

f = open('rockyou.txt', 'rb')
rockyou_len = len(f.readlines())
f.close()

factor = func4(10)

def check(i):
    for j in range(4):
        if func4(i) == encoded_flag[j] * factor:
            return i, j
    return 0, 0

with concurrent.futures.ThreadPoolExecutor(max_workers=8) as executor:
    offset_start = 0
    for offset_end in range(0, rockyou_len + 1, 1000):
        jobs = []
        for i in range(offset_start, offset_end):
            jobs.append(executor.submit(check, i))
        offset_start = offset_end
        print('Submitted 1000 new jobs, processing...')
        for r in concurrent.futures.as_completed(jobs):
            i, j = r.result()
            if i != 0:
                decoded_flag[j] = i
                print('Found i = {}, j = {}'.format(i, j))
            if 0 not in decoded_flag:
                break
        if 0 not in decoded_flag:
            break
    print('Answer: {}'.format(decoded_flag))
    executor.shutdown(wait=False)

f = open('rockyou.txt', 'rb')
passwords = f.readlines()
f.close()

for i in decoded_flag:
    flag = flag + passwords[int(i) - 1][:-1].decode('utf-8') + '_'
print('Flag: DawgCTF{{{}}}'.format(flag[:-1]))

Output:

Submitted 1000 new jobs, processing...
Submitted 1000 new jobs, processing...
Found i = 40, j = 3
Found i = 20, j = 1
Found i = 30, j = 2
Found i = 10, j = 0
Answer: [10, 20, 30, 40]
Flag: DawgCTF{abc123_qwerty_anthony_123123}

Flag

DawgCTF{abc123_qwerty_anthony_123123}

Privacy Policy
luc © 2021