Skip to main content

PicotCTF2018 - Hideout - Scriptme

PicotCTF2018 - Hideout - Scriptme

 Objectives
Can you understand the language and answer the questions to retrieve the flag? Connect to the service with nc 2018shell.picoctf.com 22973

So here are we connect up to the shell and are presented with the following Logic
We need to figure out how this logic works, the telnet session has a timeout so manually doing the math here is not possible. So we need to write a script that will figure out the answers

 ​Rules:                                                                                                                     
() + () = ()()                                      => [combine]                                                           
((())) + () = ((())())                              => [absorb-right]                                                      
() + ((())) = (()(()))                              => [absorb-left]                                                       
(())(()) + () = (())(()())                          => [combined-absorb-right]                                             
() + (())(()) = (()())(())                          => [combined-absorb-left]                                              
(())(()) + ((())) = ((())(())(()))                  => [absorb-combined-right]                                             
((())) + (())(()) = ((())(())(()))                  => [absorb-combined-left]                                              
() + (()) + ((())) = (()()) + ((())) = ((()())(())) => [left-associative]                                                  
                                                                                                                           
Example:                                                                                                                   
(()) + () = () + (()) = (()())  
Solution

 So it took me a while to figure out the logic here, but once I got it it basically falls into
what is the depth of the parenthesis on each side of the operator
if They are equal in depth you simply combine them together
however if one is large it essentially eats the small group by opening the closest parenthesis inserts the smaller group and then puts the rest of the bigger side back in. Like I've mentioned  abunch of time I'm not a coder by profession so it took me alot of time to script this out and work the way its supposed to. I just copy and pasted the formula from the telnet session into my python program

Formula = input("F: ")Formula = Formula.replace(" ","")
formula_list = []formula_list = Formula.split('+')list_length = len(formula_list)


max_for_each_list = []
def get_depth():  #find the depths of each cluster  depth = []  current_depth = 0  int_i = formula_list.index(i)  for w in formula_list[int_i]:      if w =='(':     current_depth +=1       else:     depth.append(current_depth)     current_depth -=1       return max(depth)
def get_depth2(answerish2):    current_depth2 = 0    depth2 = []    for w in answerish2:        if w =='(':          current_depth2 +=1        else:          depth2.append(current_depth2)          current_depth2 -=1    return(max(depth2))

    
for i in formula_list:    counter_formula_list = 0    #print("For Formula: ",formula_list[counter_formula_list])    returned = str(get_depth())    max_for_each_list.extend(returned)      counter_formula_list +=1


    def mathseasy(left,right,formula_left,formula_right):                                   #print("left depth is: ",left)            #print("right depth is: ",right)            #print("formula_left: ", formula_left)            #print("formula_right: ", formula_right)            left = int(left)            right = int(right)                        if left == right:                #print("they is equal")                solution = formula_left + formula_right            elif left < right:                #print("absorb  left")                            solution = formula_right[0] + formula_left + formula_right[1:]            else:                #print("absorb  right")                solution = formula_left[0:-1] +formula_right+formula_left[-1]            return(solution)                                  
    

if list_length > 2:    temp = 0    temp2 = 1    answerish = ""    while temp2 < list_length:        if answerish == "":            answerish = mathseasy(max_for_each_list[temp],max_for_each_list[temp2],formula_list[temp],formula_list[temp2])           # print("anwerish was empty now its: " ,answerish)            answerish_depth = int(get_depth2(answerish))            #print("answerish depth: ",answerish_depth)                   else:            #print("answerish_depth: ", answerish_depth)            #print("else in big list")            #print("")            #print ("max_for_each_list[temp2] is: ", max_for_each_list[temp2])                        #print("formula_list[temp2] is: ", formula_list[temp2])            answerish = mathseasy(answerish_depth,max_for_each_list[temp2],answerish,formula_list[temp2])            #print("answerish is: ", answerish)            answerish_depth = int(get_depth2(answerish))        temp += 1        temp2 += 1    answer = answerish    else:    answer = mathseasy(max_for_each_list[0],max_for_each_list[1],formula_list[0],formula_list[1])        print("answer is: ",answer)



Let's start with a warmup. 
() + ((())()) = ??? 
> (()(())()) 
Correct! 
Okay, now we're cookin! 
() + (()(())) + (()()) = ??? 
> (()()(())(()())) 
Correct! 
Alright see if you can get this one. 
() + ()() + ((())()) + (()(())) + (()()()(())()()) = ??? 
> (()()()(())())(()(()))(()()()(())()()) 
Correct! 
This one's a little bigger! 
(()) + (((((()))))(((())))((()))(())()) + (()()()) + () + (()()()) + ()()() + (()()()) + (()(((()()())()())()())) + (()((((
)()())()())()())) + (()()()()()()()()) = ??? 
> ((())((((()))))(((())))((()))(())()(()()())()(()()())()()()(()()())(()(((()()())()())()()))(()(((()()())()())()()))(()()(
)()()()()())) 
Correct! 
Ha. No more messin around. Final Round. 
((()()())((()(())((()))(((())))()()))()) + ((()()()())(()()()()()()()())((((()))))(((())))((()))(())()) + (()()()()(((()()(
))()())()())) + ((()())(()()())((()(())((()))(((())))()()))()) + ((()()())(()()())()()()(())()()) + ((()()()()()()()(())()(
))((((()))))(((())))((()))(())()) + ((()()(())(()()()()()()()()))((()())()())()) + (()()(())()()())(()()()(())()()) + ((()(
())()()()())((((()))))(((())))((()))(())()) + ((()()())(())())(()()()(())()()) + (()())(()()()()()()()()) + ((()()(()))(()(
)()(())()())((((()))))(((())))((()))(())()) + ((()())(())()()()(())()()) + ((()(())()()())()(())((()))(((())))((((()))))) +
((()()()()(())()())()(())((()))(((())))((((()))))) + (((()())()(()))()(())((()))(((())))((((()))))) + (((()()(()))()(((()(
)())()())()()))()(())((()))(((())))((((()))))) + (())(()()()()()()()()) + ((()()()()()(((()()())()())()()))((((()))))(((())
))((()))(())()) + ((()()(()))((()())()())()) + ((()())((()())()())()) + (((()()()(())()())((()())()())())()(((()()())()())(
)())) + ((()()())()(())()()) + ((()()()())()(((()()())()())()())) + (((()()()()()()()())()(((()()())()())()()))((((()))))((
(())))((()))(())()) + ((()()())(()()())()(((()()())()())()())) + (((()())((()())()())())()(((()()())()())()())) + ((()()())
()(()))((())()) + ((()(())()(()()()))((()())()())()) + (()()()()()()()()()()()) + ((()()()()()()()()())()(((()()())()())()(
))) + (()()()(())((()))(((())))((((())))))(((((()))))(((())))((()))(())()) + (()()(())()())(()()()(())()()) + ((()()(()))((
()())()())()) + (()()()()()((()(())((()))(((())))()()))()) + ((()()()()()())((()())()())()) + (()()()()()()()()(())()()) + 
(()()()()()(((()()())()())()())) + ((()()(()))((())())()(((()()())()())()())) + (((()()(()))((()())()())())()(((()()())()()
)()())) + (()()()())(()()()) + ((()())(())()()()()) + ((()()()()()())((()(())((()))(((())))()()))()) + ((()()())()(())((())
)(((())))((((()))))) + ((()())(()()())()(((()()())()())()())) + ((()()()()(((()()())()())()()))((((()))))(((())))((()))(())
()) + ((())()(()()())(()()()()()()()())) + (((()()())((()())()())())()(((()()())()())()())) + ((((()())()())())((()(())((()
))(((())))()()))()(((((()))))(((())))((()))(())())) + ((()()()())()(((()()())()())()())) = ??? 
> ((()()())((()(())((()))(((())))()()))()((()()()())(()()()()()()()())((((()))))(((())))((()))(())())(()()()()(((()()())()(
))()())))((()())(()()())((()(())((()))(((())))()()))()((()()())(()()())()()()(())()())((()()()()()()()(())()())((((()))))((
(())))((()))(())())((()()(())(()()()()()()()()))((()())()())())(()()(())()()())(()()()(())()())((()(())()()()())((((()))))(
((())))((()))(())())((()()())(())())(()()()(())()())(()())(()()()()()()()())((()()(()))(()()()(())()())((((()))))(((())))((
()))(())())((()())(())()()()(())()())((()(())()()())()(())((()))(((())))((((())))))((()()()()(())()())()(())((()))(((())))(
(((())))))(((()())()(()))()(())((()))(((())))((((())))))(((()()(()))()(((()()())()())()()))()(())((()))(((())))((((())))))(
())(()()()()()()()())((()()()()()(((()()())()())()()))((((()))))(((())))((()))(())())((()()(()))((()())()())())((()())((()(
))()())())(((()()()(())()())((()())()())())()(((()()())()())()()))((()()())()(())()())((()()()())()(((()()())()())()()))(((
()()()()()()()())()(((()()())()())()()))((((()))))(((())))((()))(())())((()()())(()()())()(((()()())()())()()))(((()())((()
())()())())()(((()()())()())()()))((()()())()(()))((())())((()(())()(()()()))((()())()())())(()()()()()()()()()()())((()()(
)()()()()()())()(((()()())()())()()))(()()()(())((()))(((())))((((())))))(((((()))))(((())))((()))(())())(()()(())()())(()(
)()(())()())((()()(()))((()())()())()))(()()()()()((()(())((()))(((())))()()))()((()()()()()())((()())()())())(()()()()()()
()()(())()())(()()()()()(((()()())()())()()))((()()(()))((())())()(((()()())()())()()))(((()()(()))((()())()())())()(((()()
())()())()()))(()()()())(()()())((()())(())()()()()))((()()()()()())((()(())((()))(((())))()()))()((()()())()(())((()))((((
))))((((())))))((()())(()()())()(((()()())()())()()))((()()()()(((()()())()())()()))((((()))))(((())))((()))(())())((())()(
()()())(()()()()()()()()))(((()()())((()())()())())()(((()()())()())()())))((((()())()())())((()(())((()))(((())))()()))()(
((((()))))(((())))((()))(())())((()()()())()(((()()())()())()()))) 
Correct! 
Congratulations, here's your flag: picoCTF{5cr1pt1nG_l1k3_4_pRo_b184d89d} 



Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar...
Post a Comment
Read more

Hack The Box - Retired - Laboratory

HackTheBox - Laboratory - Retired Starting off with a quick scan using threader6000 /opt/threader3000/threader6000.py 10.10.10.216 Ports 22,80,443 came back. Run nmap against these ports. nmap -p22,80,443 -sV -sC -T4 -Pn -oN 10.10.10.216 10.10.10.216 nmap -p22,80,443 -sV -sC -Pn -T4 -oN 10.10.10.216 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 17:43 EDT Nmap scan report for laboratory.htb (10.10.10.216) Host is up (0.060s latency). PORT    STATE SERVICE  VERSION 22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) |   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp  open  http     Apache httpd 2.4.41 |_...
Post a Comment
Read more

A collection of online Security CTF and Learning sites

 Hellbound Hackers    Embedded Security CTF Arizona Cyber Warfare Range Over The Wire - Bandit Pico CTF 2018 Hack The Box.eu Root Me: Challenges/Forensic RingZero CTF Vulnerable By Design - Vulnerable VMs Murder Mystery SQL Challenge Incident Response Challenge Authentication Lab Walkthroughs Defcon CTF Archives Matrix Holiday Hack Cyber Defenders | Blue Team and CTF Crypto Hack - learning Crypto Video Learning Zero to Hero Pentesting by The Cyber Mentor
Post a Comment
Read more