Backdoor CTF 2016 - ISOLVE

backdoorctf, programming

200 Points

First connect to the provided domain using netcat.

1
$ nc hack.bckdr.in 7070

After connecting to the service you will see this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#########################
######   ISOLVE   #######
#########################


Yes, you can solve! Your task is to provide a string that passes the regex provided
Good Luck


################################
#######     ROUND 0        #####
################################

Your regex:
([^cme]|me)*

Pass your solution:

The challenge provides the player with a regular expression, the player has to provide a string that will match the regular expression requirements. There are several rounds to go through and there is a limited time frame to think of a string between each round. If the player exceeds the time frame the connection to the service will close.

1
2
3
Pass your solution:
TIMEOUT
Dying, too much time taken

The time limit was an issue, to solve it I wrote a simple script using pwntools to receive the regular expression and compare it to a wordlist. If the wordlist contains the solution it will send the solution to the challenge.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/usr/bin/python

from pwn import *
import re

words = []
f = open('dict.txt').read().splitlines()

conn = remote('hack.bckdr.in', 7070)
regex = ''

for i in range(0,48):
    print conn.recvline()
    print conn.recvuntil(':\n')
    regex = conn.recvline()[:-1]
    #print regex
    print conn.recvuntil(':\n')
    for word in f:
        if re.match(regex, word):
            #print word
            conn.sendline(word)
            break
        else:
            continue

print conn.recvall()
conn.close()

The next issue was solving the regular expressions to populate the wordlist. As I am not experienced in regular expressions and I had help from a fellow teammate who helped to solve the regular expressions manually to populate the wordlist. With the script it was just a matter of running it a few times to see if we needed to to add more strings for different regular expressions as some of the expressions has the same solution.

In the end, there was a total of 47 rounds.

1
2
3
Passed regex! Way to go.
Congratulations, you can now say ISOLVE
<flag>