PicoCTF - SoRandom

Posted on April 15, 2017 as PicoCTF 2017. 3 minutes read.

SoRandom - 75 PTS

We found sorandom.py running at shell2017.picoctf.com:42263. It seems to be outputting the flag but randomizing all the characters first. Is there any way to get back the original flag?

#!/usr/bin/python -u
import random,string

flag = "FLAG:"+open("flag", "r").read()[:-1]
encflag = ""
random.seed("random")
for c in flag:
  if c.islower():
    #rotate number around alphabet a random amount
    encflag += chr((ord(c)-ord('a')+random.randrange(0,26))%26 + ord('a'))
  elif c.isupper():
    encflag += chr((ord(c)-ord('A')+random.randrange(0,26))%26 + ord('A'))
  elif c.isdigit():
    encflag += chr((ord(c)-ord('0')+random.randrange(0,10))%10 + ord('0'))
  else:
    encflag += c
print "Unguessably Randomized Flag: "+encflag

How does this code work? First it opens the flag file and reads its content, then it loops over every character in the flag string. The three branches check whether the character is lowercase, uppercase or a digit, and accordingly add a random number to its position within that alphabet, wrapping around (mod 26 for letters, mod 10 for digits); any other character is copied unchanged. The generator was first seeded with the word "random", meaning that every time the code runs it produces the same sequence of random numbers, and therefore the same output.

We can simply crack it by reversing the scheme and subtracting those values. But first, let's connect to the server to get the encrypted flag.

[email protected] ~> nc shell2017.picoctf.com 42263
Unguessably Randomized Flag: BNZQ:8o149b15764q471k2533971t6w78liec

Now we can change the code.

#!/usr/bin/python -u
import random,string

flag = "BNZQ:8o149b15764q471k2533971t6w78liec"
encflag = ""
random.seed("random")
for c in flag:
  if c.islower():
    #rotate number around alphabet a random amount
    encflag += chr((ord(c)-ord('a')-random.randrange(0,26))%26 + ord('a'))
  elif c.isupper():
    encflag += chr((ord(c)-ord('A')-random.randrange(0,26))%26 + ord('A'))
  elif c.isdigit():
    encflag += chr((ord(c)-ord('0')-random.randrange(0,10))%10 + ord('0'))
  else:
    encflag += c
print "Unguessably Randomized Flag: "+encflag

And lastly, let's run this code on our local computer. Remember to use python2! Python 3 derives different numbers from the same seed, so the offsets would not match the server's.

[email protected] ~/Pobrane> python2 sorandom.py
Unguessably Randomized Flag: FLAG:5d968c92267e701f5846515f1b31deab

Here we go.
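The same idea as an added example (not the write-up author's code), in Python 3: one function applies the seeded offsets in either direction, and a second recovers the per-character offsets from the ciphertext/plaintext pair shown above. Because Python 3 draws different numbers from the seed than the Python 2 service, the round trip uses a constructed sample flag; all function and constant names are assumptions.

```python
import random
import string

# One alphabet per branch of sorandom.py: lowercase, uppercase, digits.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def alphabet_of(c):
    for a in CLASSES:
        if c in a:
            return a
    return None  # punctuation etc. is copied through unchanged

def rotate(text, seed, direction):
    """direction=+1 scrambles like sorandom.py, direction=-1 undoes it."""
    rng = random.Random(seed)  # private generator: same seed, same offsets
    out = []
    for c in text:
        a = alphabet_of(c)
        if a is None:
            out.append(c)      # no random number is drawn for this character
            continue
        k = rng.randrange(len(a))
        out.append(a[(a.index(c) + direction * k) % len(a)])
    return "".join(out)

def offsets_from_pair(cipher, plain):
    """Known-plaintext view: offset = (cipher - plain) mod alphabet size."""
    offs = []
    for c, p in zip(cipher, plain):
        a = alphabet_of(c)
        offs.append(None if a is None else (a.index(c) - a.index(p)) % len(a))
    return offs

SAMPLE = "FLAG:0123abcdXYZ9"  # constructed sample, not the challenge flag
PAGE_CIPHER = "BNZQ:8o149b15764q471k2533971t6w78liec"  # server output above
PAGE_PLAIN = "FLAG:5d968c92267e701f5846515f1b31deab"   # decoded output above

if __name__ == "__main__":
    enc = rotate(SAMPLE, "random", +1)
    print(enc, "->", rotate(enc, "random", -1))
    print(offsets_from_pair(PAGE_CIPHER, PAGE_PLAIN)[:7])
```

The offsets recovered from the page's pair are exactly the numbers the fixed seed makes the service draw on every run, which is why the output only looks random.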

Keep learning and stay safe!

~ W3ndige