# Write-up: Friends ![badge](https://img.shields.io/badge/Post%20CTF-Writeup-success) ## Description ### My Story I just started Burp and analyzed the traffic! this is the result: ![network traffic](./1.png) There are some data that server respond, but the app doesn't show them; phone numbers. I didn't know what should I do with these phone numbers to get the flag. This is the captured server response: ``` HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Content-Type: application/json Cache-Control: no-cache, private Date: Mon, 26 Oct 2020 16:17:47 GMT X-RateLimit-Limit: 60 X-RateLimit-Remaining: 57 Access-Control-Allow-Origin: * Connection: close Content-Length: 1388 [{"id":1,"name":"Bugs Bunny","avatar":"bugs_bunny.jpg","email":"[email protected]","address":"4617 Goodwin Avenue","gender":"male","age":"22","phone":"36213893021"},{"id":2,"name":"Mickey Mouse","avatar":"mickey_mouse.jpg","email":"[email protected]","address":"3844 Stiles Street","gender":"male","age":"28","phone":"12369532255"},{"id":4,"name":"Bart Simpson","avatar":"bart_simpson.jpg","email":"[email protected]","address":"2418 Loving Acres Road","gender":"male","age":"35","phone":"55634559910"},{"id":3,"name":"Popeye","avatar":"popeye.jpg","email":"[email protected]","address":"New Jersey popeye Street","gender":"male","age":"43","phone":"22361255893"},{"id":5,"name":"Patrick Star","avatar":"patrick_star.jpg","email":"[email protected]","address":"Richmond 2136 Queens Lane","gender":"male","age":"18","phone":"41223365236"},{"id":6,"name":"Homer Simpson","avatar":"homer_simpson.jpg","email":"[email protected]","address":"Timber Oak Drive","gender":"male","age":"47","phone":"99632531930"},{"id":7,"name":"Olive Oyl","avatar":"olive_oyl.jpg","email":"[email protected]","address":"Ocala Rhapsody Street","gender":"female","age":"52","phone":"89633366552"},{"id":8,"name":"Sylvester","avatar":"sylvester.jpg","email":"[email protected]","address":"Tigard 2285 Kincheloe Road","gender":"male","age":"31","phone":"77632351752"}] ``` ### Exploit Time ... ### Flag It's ridiculous. just putting the numbers together: ``` RaziCTF{3621389302112369532255556345599102236125589341223365236996325319308963336655277632351752} ``` Original writeup (https://github.com/ternary-bits/CTF- Challenges/blob/master/android/razictf2020-friends/WRITEUP.md).## Description I made a really complicated math function. Check it out. ``` nc chall.csivit.com 30425 ``` ## Analysis Let's take a quick look at `namo.py`: ```python import math import sys def fancy(x): a = (1/2) * x b = (1/2916) * ((27 * x - 155) ** 2) c = 4096 / 729 d = (b - c) ** (1/2) e = (a - d - 155/54) ** (1/3) f = (a + d - 155/54) ** (1/3) g = e + f + 5/3 return g def notfancy(x): return x**3 - 5*x**2 + 3*x + 10 def mathStuff(x): if (x < 3 or x > 100): exit() y = fancy(notfancy(x)) if isinstance(y, complex): y = float(y.real) y = round(y, 0) return y print("Enter a number: ") sys.stdout.flush() x = round(float(input()), 0) if x == mathStuff(x): print('Fail') sys.stdout.flush() else: print(open('namo.txt').read()) sys.stdout.flush() ``` Ignore the mathy stuff and look at how the input is parsed: ``` print("Enter a number: ") sys.stdout.flush() x = round(float(input()), 0) if x == mathStuff(x): print('Fail') sys.stdout.flush() else: print(open('namo.txt').read()) sys.stdout.flush() ``` If we enter a regular number, we hit the 'Fail' path: ``` kali@kali:~/Downloads$ nc chall.csivit.com 30425 Enter a number: 4 Fail kali@kali:~/Downloads$ nc chall.csivit.com 30425 Enter a number: 5 Fail ``` But this is a float, so what about `nan`? This stands for "not a number" which causes all math comparisons to return false. Passing `nan` as input triggers the `else` branch and prints `namo.txt`: ``` kali@kali:~/Downloads$ echo nan | nc chall.csivit.com 30425 Enter a number: Mitrooon bhaiyo aur behno "Enter a number" mann ki baat nambar agar nambar barabar 1 hai { bhaiyo aur behno "s" } nahi toh agar nambar barabar 13 hai { bhaiyo aur behno "_" } nahi toh agar nambar barabar 15 hai { bhaiyo aur behno "5" } nahi toh agar nambar barabar 22 hai { bhaiyo aur behno "4" } nahi toh agar nambar barabar 28 hai { bhaiyo aur behno "k" } nahi toh agar nambar barabar 8 hai { bhaiyo aur behno "y" } nahi toh agar nambar barabar 17 hai { bhaiyo aur behno "4" } nahi toh agar nambar barabar 9 hai { bhaiyo aur behno "_" } nahi toh agar nambar barabar 4 hai { bhaiyo aur behno "t" } nahi toh agar nambar barabar 3 hai { bhaiyo aur behno "c" } nahi toh agar nambar barabar 20 hai { bhaiyo aur behno "r" } nahi toh agar nambar barabar 12 hai { bhaiyo aur behno "n" } nahi toh agar nambar barabar 0 hai { bhaiyo aur behno "c" } nahi toh agar nambar barabar 23 hai { bhaiyo aur behno "t" } nahi toh agar nambar barabar 27 hai { bhaiyo aur behno "0" } nahi toh agar nambar barabar 10 hai { bhaiyo aur behno "n" } nahi toh agar nambar barabar 11 hai { bhaiyo aur behno "4" } nahi toh agar nambar barabar 7 hai { bhaiyo aur behno "m" } nahi toh agar nambar barabar 25 hai { bhaiyo aur behno "c" } nahi toh agar nambar barabar 24 hai { bhaiyo aur behno "_" } nahi toh agar nambar barabar 6 hai { bhaiyo aur behno "{" } nahi toh agar nambar barabar 16 hai { bhaiyo aur behno "_" } nahi toh agar nambar barabar 18 hai { bhaiyo aur behno "_" } nahi toh agar nambar barabar 2 hai { bhaiyo aur behno "i" } nahi toh agar nambar barabar 5 hai { bhaiyo aur behno "f" } nahi toh agar nambar barabar 19 hai { bhaiyo aur behno "g" } nahi toh agar nambar barabar 14 hai { bhaiyo aur behno "1" } nahi toh agar nambar barabar 21 hai { bhaiyo aur behno "3" } nahi toh agar nambar barabar 26 hai { bhaiyo aur behno "0" } nahi toh agar nambar barabar 29 hai { bhaiyo aur behno "}" } nahi toh { bhaiyo aur behno "" } achhe din aa gaye ``` Copy those phrases into google translate and it's just a set of rules defined in Hindi. 0 = c, 1 = s, 2 = i, and so on. ## Solution I just started with the basic `nan` trick and then piled on parsing commands on top of that: ``` kali@kali:~/Downloads$ echo nan | nc chall.csivit.com 30425 | grep -A1 'hai {' | sed 's/agar nambar barabar //' | sed 's/nahi toh //' | sed 's/ hai {$/ =/' | sed 's/^\tbhaiyo aur behno \"//' | sed 's/\"$//' | sed 's/--//' | sed ':a;N;$!ba;s/=\n/ /g' | sort -n | uniq | awk '{print $2}' | tr -d '\n'; echo '' csictf{my_n4n_15_4_gr34t_c00k} ``` This strips away all the text except for the key:value pairs defined by the rules, then sorts each line by the key, removes all the duplicate empty lines, prints the value of each key, and finally strips out all the newline characters to give us the flag. Original writeup (https://github.com/dobsonj/ctf/tree/master/writeups/2020/csictf/friends).