Useless Animals Sorting
Flag: HACKDAY{c3rtIfIED_zOOlogI$t}
Challenge
Description
A bored zookeeper, tired of the monotony of his daily routine, decided to invent a machine to sort the animals arriving at the zoo. Not that it would make his life any easier... he's just bored out of his mind and needs something to pass the time. An amateur engineer in his spare time, he has begun designing the contraption and now turns to you for help. You look just as bored as he is and everyone loves machines right ? So why not lend a hand?
challenges.hackday.fr:51259
Ce challenge tourne sur un docker et n'est pas disponible
Solution
Une solution possible est d'utiliser le fait que le serveur ne dispose que de 1000 images et donne la réponse si l'on se trompe (on le voit en demandant plein, on reçoit de temps en temps une déjà croisée).
Pour ça, on fait faire une empreinte md5 des images et associer la bonne réponse.
from pwn import remote, context
from hashlib import md5
context.log_level = 'error' # Pour éviter que pwntools print des trucs
hashes: dict[str, str] = {} # Dictionnaire où on aura hash_image: animal
consecutive_hit = 0 # Juste pour indication dans les logs
client = None # Client TCP
while True:
if client is None:
# On créé un nouveau client TCP et on reset les divers valeurs
print(f'New client | {len(hashes): >4} hashes in memory | {consecutive_hit: >3} consecutive hits')
consecutive_hit = 0
client = remote('challenges.hackday.fr', 51259)
data = client.recvuntil(b'Press Enter to start the game')
client.send(b'\n') # Lance le jeu
data = client.recvline() # Ligne Image n°
if b'Image' not in data: # Si on a réussi le jeu, on reçoit le flag à la place
print(data.decode())
break
data = client.recvline() # Base64 de l'image
hash = md5(data).hexdigest() # MD5 de l'image
client.recvline() # Question "Animal ?"
# Si on a connaît déjà le hash, on envoie la bonne réponse, sinon on enverra "?"
response = hashes.get(hash, '?')
client.sendline(response.encode())
data = client.recvline() # Réponse du serveur
if b'Correct !' in data: # Si c'est correct, on ajoute un hit (juste pour les logs)
consecutive_hit += 1
else:
animal = data.split(b' ')[5].decode() # Si c'est faux, on récupère la bonne réponse
hashes[hash] = animal # On associe la bonne réponse au hash
if b' 0 errors' in data: # Si on a plus d'essai, on reset le client
client.close()
client = NoneNew client | 0 hashes in memory | 0 consecutive hits
New client | 5 hashes in memory | 0 consecutive hits
New client | 10 hashes in memory | 0 consecutive hits
New client | 15 hashes in memory | 0 consecutive hits
New client | 20 hashes in memory | 0 consecutive hits
New client | 25 hashes in memory | 0 consecutive hits
New client | 30 hashes in memory | 0 consecutive hits
New client | 35 hashes in memory | 0 consecutive hits
New client | 40 hashes in memory | 0 consecutive hits
New client | 45 hashes in memory | 0 consecutive hits
New client | 50 hashes in memory | 0 consecutive hits
New client | 55 hashes in memory | 0 consecutive hits
New client | 60 hashes in memory | 0 consecutive hits
New client | 65 hashes in memory | 0 consecutive hits
New client | 70 hashes in memory | 2 consecutive hits
[...]
New client | 860 hashes in memory | 51 consecutive hits
New client | 865 hashes in memory | 42 consecutive hits
New client | 870 hashes in memory | 29 consecutive hits
New client | 875 hashes in memory | 56 consecutive hits
New client | 880 hashes in memory | 22 consecutive hits
New client | 885 hashes in memory | 24 consecutive hits
New client | 890 hashes in memory | 31 consecutive hits
New client | 895 hashes in memory | 60 consecutive hits
New client | 900 hashes in memory | 23 consecutive hits
New client | 905 hashes in memory | 70 consecutive hits
New client | 910 hashes in memory | 27 consecutive hits
New client | 915 hashes in memory | 31 consecutive hits
New client | 920 hashes in memory | 38 consecutive hits
Congratulations, you won with 4 errors, here is your flag : HACKDAY{c3rtIfIED_zOOlogI$t}Dernière mise à jour
Cet article vous a-t-il été utile ?