MaaS · 0x3EB

Decription Link to heading

Welcome to MaaS - Modulo as a Service!

nc challs.n00bzunit3d.xyz 51081

attachement :

#!/usr/bin/python3
import random
from Crypto.Util.number import *
flag = open('flag.txt').read()
alpha = 'abcdefghijklmnopqrstuvwxyz'.upper()
to_guess = ''
for i in range(16):
	to_guess += random.choice(alpha)
for i in range(len(to_guess)):
	for j in range(3):
		inp = int(input(f'Guessing letter {i}, Enter Guess: '))
		guess = inp << 16
		print(guess % ord(to_guess[i]))
last_guess = input('Enter Guess: ')
if last_guess == to_guess:
	print(flag)
else:
	print('Incorrect! Bye!')
	exit()

Solving Link to heading

The code will generate a random string of characters of length 16. The program will then loop through the entire string.

We can enter three characters. Inputs will be shifted 16 bits to the left. Then the modulo of the input by the character guessed will be calculated.

This means we have 3 chances to guess each character.

To solve this problem, we’ve decided to always use the same three numbers as input (65, 75, 90).

We perform the calculation that the program performs on the whole alphabet with our three inputs. We store the three results in a tuple that we place in an array.

input = [65, 75, 90]

def generate_data():
    val = []
    shift_a = input[0] << 16
    shift_b = input[1] << 16
    shift_c = input[2] << 16
    for i in alph:
        val.append(tuple((shift_a % ord(i), shift_b % ord(i), shift_c % ord(i))))
    return val

Once we’ve obtained the whole array of the modulos of our inputs by the characters of the alphabet, all we have to do is compare the results obtained by the program to find which character the result corresponds to.

To connect to the server we will use the PwnTools library.

Exploit Link to heading

from pwn import *
import time
alph = 'abcdefghijklmnopqrstuvwxyz'.upper()

input = [65, 75, 90]
array_tuples = []
tab = []
string_val = ''

def generate_data():
    val = []
    shift_a = input[0] << 16
    shift_b = input[1] << 16
    shift_c = input[2] << 16
    for i in alph:
        val.append(tuple((shift_a % ord(i), shift_b % ord(i), shift_c % ord(i))))
    return val

conn = remote('challs.n00bzunit3d.xyz', 51081)
while True:
    tab.clear()
    for j in range(3):
        try:
            val = 0
            data = conn.recvuntil(b':').strip()
            print(data)
            if not b'Guessing' in data:
                alphabet = generate_data()
                for t in array_tuples:
                    if t in alphabet:
                        string_val += alph[alphabet.index(t)]
                res = bytes(string_val, 'ascii')
                conn.sendline(res)
                state = conn.recvline()
                print(state.decode())
            else:
                res = str(input[j])
                res = bytes(res, 'ascii')
                conn.sendline(res)
                state = conn.recvline()
                #print(state.decode())
                tab.append(int(state.decode().replace('\n','')))   
        except Exception:
            print(conn.recvline())
    array_tuples.append(tuple(tab))
# Fermeture de la connexion
conn.close()

Result Link to heading

python3 exploit.py
n00bz{M0dul0_f7w_1a4d3f5c!}