Writeup - Easy Math 1 (UIUCTF 2022)
- Type - pwn
- Name - easy math 1
- Points - 88
Description
Take a break from exploiting binaries, and solve a few* simple math problems!
Writeup
This pwn problem was pretty interesting and not too difficult to implement. Once you signed in to the server using the provided credentials, you were greeted with four challenge files:
    $ ssh ctf@easy-math.chal.uiuc.tf
The README contained some information about what programs were installed on the Ubuntu 18.04 instance to help with on-prem solve scripts. The flag file was only readable by the admin user. Then, the source code and binary for easy-math were provided. The whole source code can be found here, but the important parts are below:
The gist of this script is that 10,000 simple math problems will be thrown at you, and if all of them are solved correctly, then the flag will be printed out. However, this binary wasn’t accessible through a netcat listener, but rather when signed in to the SSH server. There were two approaches I could take - develop a script that would sign in to SSH and answer all the problems, or create a script on the server that would solve it for me. I was lazy, so I decided to take the first route.
My solve script (math.py) hinged on the Python library pexpect. This library allowed you to run system commands, capture the output, and send custom input dynamically by using the spawn(), expect(), and sendline() commands. It SSHed into the system, ran the executable, and captured both numbers. It then passed it into eval and sent the result to the program through the SSH tunnel. It printed out each question it solved and then the flag:
    $ python3 math.py
Flag: uiuctf{now do it the fun way :D}
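The solve script described above passes text printed by the remote program into eval, which runs whatever that program chooses to print. As an added example (not the author's math.py), the answer step can use a strict parser instead; the prompt format, the operator set and all function names here are assumptions, since the challenge source is not reproduced on this page.

```python
import operator
import re

# Assumed prompt shape (hypothetical): "Question 17: 123 * 456 = "
# Only two integers and one of + - * are accepted; anything else is rejected.
PROMPT_RE = re.compile(r"(-?\d+)\s*([+\-*])\s*(-?\d+)\s*=\s*$")
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}


def solve_prompt(line: str) -> int:
    """Return the answer for one prompt, or raise ValueError on unexpected text."""
    m = PROMPT_RE.search(line)
    if m is None:
        # Never fall back to eval(): unknown output stops the session instead.
        raise ValueError(f"unexpected prompt: {line!r}")
    a, op, b = m.groups()
    return OPS[op](int(a), int(b))


def run_session(read_prompt, send_answer, rounds: int) -> None:
    """Drive `rounds` question/answer exchanges through two callables.

    With pexpect, read_prompt would wrap child.expect() plus child.after,
    and send_answer would be child.sendline.
    """
    for _ in range(rounds):
        send_answer(str(solve_prompt(read_prompt())))


# Constructed sample prompts standing in for the program's real output.
SAMPLE = ["Question 1: 12 * 34 = ", "Question 2: 7 + 5 = ", "Question 3: 9 - 20 = "]


def demo() -> list:
    prompts = iter(SAMPLE)
    answers = []
    run_session(lambda: next(prompts), answers.append, len(SAMPLE))
    return answers


if __name__ == "__main__":
    print(demo())
```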