FireShell Security Team Write Ups

Original writeup (https://heavenh.github.io/2017/write-ups/serial-
csaw-2017-quals/).# Serial  
## 50 points  
## Misc

This challenge was a pretty straight forward serial data transmission. The  
structure of the messages appear to be:

```  
bit[0] header bit, always 0  
bit[1-8] data  
bit[9] parity bit  
bit[10] stop bit, always 1  
```

The [parity bit](https://en.wikipedia.org/wiki/Parity_bit) is calculated by
essentially counting the number of high bits. If the  
number of high bits is even, the parity bit should be 1, and if it is odd the  
parity bit should be 0.

When connecting to the challenge service, it prompts you with:

`8-1-1 even parity. Respond with '1' if you got the byte, '0' to retransmit.`

So, we find the number of number of high bits in the 8 bits after the header  
bit, mod it by 2, and see if the parity bit is equal to the result. If it is,  
we append the character representation of that byte to our flag. Once we  
receive all of the bytes, we win.

See our [script](serial_solve.py).  

Original writeup
(https://github.com/ShellCollectingClub/csaw2017/tree/master/serial).# Serial

Author: [roerohan](https://github.com/roerohan) and
[thebongy](https://github.com/thebongy)

# Requirements

\- Node.js

# Source

```javascript  
var http = require('http');  
var url = require('url');  
var parse = require('querystring');  
var fs = require('fs');  
var index = fs.readFileSync('index.html');  
var flag = fs.readFileSync('flag.html');  
var err = fs.readFileSync('error.html');

http.createServer(function (req, res) {  
var q = url.parse(req.url, true)  
if (q.path == "/"){  
res.writeHead(200,{"Content-Type": "text/html"});  
res.write(index); //write a response to the client  
res.end(); //end the response  
}  
else if (q.path == "/enter"){  
if (req.method === 'POST') {  
var body = '';  
req.on('data', chunk=> {body += chunk.toString()});  
req.on('end', () => {  
console.log(body);  
body = parse.parse(body);  
console.log(body);  
var
a=parseInt(body.serial1),b=parseInt(body.serial2),c=parseInt(body.serial3);  
console.log("Serial:",a,b,c)  
if ( (a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) &
a*a*a + b*b*b == c*c*c){  
res.writeHead(200,{"Content-Type": "text/html"});  
res.write(flag);  
res.end();  
}  
else{  
res.writeHead(200,{"Content-Type": "text/html"});  
res.write(err);  
res.end();  
}  
}  
)  
};  
}  
else{  
res.writeHead(404,{"Content-Type": "text/html"});  
res.write("<h1>404 Not found</h1>");  
res.end();  
}  
}  
).listen(8081);  
```

# Exploitation

The interesting part in this program is this line:

```javascript  
if ((a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a
+ b*b*b == c*c*c) {...}  
```

Since the `==` operator has higher precedence than `&`, `a*a*a + b*b*b ==
c*c*c` will be evaluated first. This part of the expression will undergo
bitwise `&` with the other parts. Now, `a^n + b^n == c^n` for all `n > 2` is
mathematically impossible, as stated by Fermat's theorem, so it would seem
impossible to solve this challenge. But, if you notice, `999999 ^ 3` is way
past the range JS can accomodate. If you try `999999^3 + 1 == 999999^3`, you
will get true in JS! Now you know what to do.

```  
> 999999*999999*999999 + 1 == 999999*999999*999999  
true  
```

Pass `serial1 = 9999999, serial2 = 1 and serial 3 = 999999`. You successfully
get the flag.

The flag is:

```  
cybrics{CYB3R_M47H_15_57R4Ng3}  
```  

Original writeup (https://github.com/csivitu/CTF-Write-
ups/tree/master/CyBRICS%20CTF/Cyber/Serial).