PicoCTF Writeup – vault-door-3

# Information: 

CTF Name: PicoCTF

CTF Challenge: vault-door-3

Challenge Category: Reverse Engineering

Challenge Points: 200

PicoCTF 2019.

# Challenge Description:

This vault uses for-loops and byte arrays. The source code for this vault is here: VaultDoor3.java

Hint: Make a table that contains each value of the loop variables and the corresponding buffer index that it writes to.

# Writeup:

In this challenge we are presented with a file, VaultDoor3.java. This file consists of Java code, as you can see below:

```java
import java.util.*;

class VaultDoor3 {
    public static void main(String args[]) {
        VaultDoor3 vaultDoor = new VaultDoor3();
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String userInput = scanner.next();
        String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
        if (vaultDoor.checkPassword(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }

    // Our security monitoring team has noticed some intrusions on some of the
    // less secure doors. Dr. Evil has asked me specifically to build a stronger
    // vault door to protect his Doomsday plans. I just *know* this door will
    // keep all of those nosy agents out of our business. Mwa ha!
    //
    // -Minion #2671
    public boolean checkPassword(String password) {
        if (password.length() != 32) {
            return false;
        }
        char[] buffer = new char[32];
        int i;
        for (i=0; i<8; i++) {
            buffer[i] = password.charAt(i);
        }
        for (; i<16; i++) {
            buffer[i] = password.charAt(23-i);
        }
        for (; i<32; i+=2) {
            buffer[i] = password.charAt(46-i);
        }
        for (i=31; i>=17; i-=2) {
            buffer[i] = password.charAt(i);
        }
        String s = new String(buffer);
        return s.equals("jU5t_a_sna_3lpm12g94c_u_4_m7ra41");
    }
}
```

As you can see, the code above performs a password check, and the password is the inner part of the flag. We cannot read the password directly from the code, so we must reverse engineer it. The code gives us what we need: the return value of the method checkPassword compares the string s, which is the password after the four loops have rearranged it, against the constant string "jU5t_a_sna_3lpm12g94c_u_4_m7ra41". Knowing this, we can start developing the script.

To do so I decided to create a Python 3 script that receives the string "jU5t_a_sna_3lpm12g94c_u_4_m7ra41" as input and performs the same instructions as the Java code above. Running the scramble on the target string recovers the password because every loop either copies a character to its own index or swaps a pair of positions, so the rearrangement is its own inverse. The script is as follows:

```python
def checkPassword(password):
    # Same length check as the Java method.
    if not len(password) == 32:
        return False
    buffer = [""] * 32
    # for (i=0; i<8; i++)  -> direct copy
    for i in range(8):
        buffer[i] = password[i]
    # for (; i<16; i++)    -> mirrored within positions 8..15
    for i in range(8, 16):
        buffer[i] = password[23 - i]
    # for (; i<32; i+=2)   -> even positions mirrored within 16..30
    for i in range(16, 32, 2):
        buffer[i] = password[46 - i]
    # for (i=31; i>=17; i-=2) -> odd positions 17..31 copied in place
    for i in range(31, 16, -2):
        buffer[i] = password[i]
    result = ''.join(buffer)
    print(result)
    return result

checkPassword("jU5t_a_sna_3lpm12g94c_u_4_m7ra41")
```

I basically translated the code from java to python 3. In the last for loop I did:

```python
for i in range(31, 16, -2):
```

Because in java we have: 

```java
for (i=31; i>=17; i-=2) {
```

To get the same result in Python 3 we have to go from 31 down to 16, decreasing by 2, because a Python range stops before it reaches its second argument, in this case 16. If we kept 17, index 17 would never be visited: as soon as the index was decremented to 17 the stop condition (17 == 17) would be met and the loop would end, missing one position. The Python script source code is available in a link below.
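The hint suggests tabulating which password index each buffer slot is written from. The added script below (my own example, not the writeup's script) builds that table from the four loops and then inverts it explicitly, so it recovers the password without relying on the scramble happening to be self-inverse; it also checks that property directly.

```python
# Added example: recover the VaultDoor3 password by building the
# destination -> source index table and inverting it.

TARGET = "jU5t_a_sna_3lpm12g94c_u_4_m7ra41"  # constant from checkPassword()


def build_table():
    """Return table[dst] = src: the password index copied into buffer[dst].

    Mirrors the four Java loops in order, so a later loop would overwrite
    an earlier assignment exactly as the Java code does.
    """
    table = [None] * 32
    for i in range(0, 8):          # for (i=0; i<8; i++)
        table[i] = i
    for i in range(8, 16):         # for (; i<16; i++)
        table[i] = 23 - i
    for i in range(16, 32, 2):     # for (; i<32; i+=2)
        table[i] = 46 - i
    for i in range(31, 16, -2):    # for (i=31; i>=17; i-=2)
        table[i] = i
    return table


def scramble(password):
    """Forward transform: what checkPassword() builds in its buffer."""
    return "".join(password[src] for src in build_table())


def unscramble(target):
    """Invert the table: buffer[dst] came from password[src], so put it back."""
    password = [None] * 32
    for dst, src in enumerate(build_table()):
        password[src] = target[dst]
    if None in password:
        raise ValueError("index table does not cover every password position")
    return "".join(password)


def is_involution():
    """True if applying the scramble twice returns the original string."""
    table = build_table()
    return all(table[table[i]] == i for i in range(32))


if __name__ == "__main__":
    pw = unscramble(TARGET)
    print("password:", pw)
    print("forward check passes:", scramble(pw) == TARGET)
    print("scramble is its own inverse:", is_involution())
```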

The flag is:  

picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_c79a21}

The Python 3 script source code can be found here.

Thank you very much for reading!

Cheers,

MRegra