UCSB iCTF 2013 write-up

Hint: flag is not a frag: once you've got it, you can get one more...

The tasks were really "uporotye". Too many Joy and PPC tasks, almost no hacking challenges, and no reverse engineering at all.
Nevertheless, even though it was not a real CTF, there were some rather useful tasks.
I'll describe only two popular PPC300 tasks.

Positive (300, ppc)
Code:
$ nc 194.106.195.60 9502
Be positive, change all minuses to pluses!
Rules: clicking on a cell changed it and it's neighbours.
Format: 
a) "\d\d" - number of cell
b) "(?:\d\d)+" numbers of cells
-++-------
--++----+-
-+--------
------+--+
--+-++++--
---+---+-+
---++-----
-----++---
+--+-+-+--
++-------+

After googling a bit, we realize that this is the "Lights Out" problem.
To win the game, we need to solve a system of linear equations over GF(2). Let's do it with SageMath!

Code:
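import socket

# Build the n^2 x n^2 matrix over GF(2): entry (m, k) is 1 when pressing
# cell k flips cell m (the cell itself and its orthogonal neighbours).
def lights_out( n ):
    M = MatrixSpace( GF( 2 ), n * n, n * n )
    A = M.matrix()
    for i in range( n ):
        for j in range( n ):
            m = n * i + j
            A[ (m, m) ] = 1
            if i > 0 : A[ (m, m - n) ] = 1
            if i < n - 1 : A[ (m, m + n) ] = 1
            if j > 0 : A[ (m, m - 1) ] = 1
            if j < n - 1 : A[ (m, m + 1) ] = 1
    return A

# Solve A * x = b over GF(2); x reshaped to n x n marks the cells to press.
def lights_out_solver( n, b ):
    x = lights_out( n ).solve_right( b )
    button_press_matrix = matrix( GF( 2 ), n, n, x.list() )
    return button_press_matrix

def dostep( s ):
    # Read the board (a single recv() is assumed to return all of it);
    # '-' becomes 1 (must be flipped), '+' becomes 0.
    board = s.recv( 128 ).decode().replace( '\n', '' )
    m = vector( GF( 2 ), [ int( x.replace( '-', '1' ).replace( '+', '0' ) ) for x in board ] )
    a = lights_out_solver( 10, m )
    # Answer format b): concatenated two-digit cell numbers, row digit then column digit.
    r = ''
    for i, row in enumerate( a ):
        for j, y in enumerate( row ):
            if y == 1:
                r += '%s%s' % (i, j)
    s.send( ( '%s\n' % r ).encode() )

def doit():
    s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    s.connect( ('194.106.195.60', 9502) )
    # Discard the text sent before the first board.
    s.recv( 128 )
    s.recv( 128 )
    for x in range( 100 ):
        dostep( s )
        print( s.recv( 128 ).decode() )
    s.close()

if __name__ == '__main__':
    doit()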

Output:
Code:
$ sagemath lights.sage
Solved!!! Have a fun and finally you will get a flag
.......
(100 times)
.......
Solved!!! Have a fun and finally you will get a flag

the flag is: 2e70bd4bbe1ed7c69a088c24c5a6fc95
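
The same linear system solved without SageMath, as an added example that is not part of the original write-up: each equation is stored as a Python integer used as a bit row, and Gauss-Jordan elimination runs over GF(2). BOARD is the grid from the task transcript above; the names toggle_mask, parse, solve and apply_presses are this example's own.

```python
import math

# Added example, not the write-up's code. BOARD is the grid shown in the task transcript.
BOARD = ("-++------- --++----+- -+-------- ------+--+ --+-++++-- "
         "---+---+-+ ---++----- -----++--- +--+-+-+-- ++-------+")

def toggle_mask(n, i, j):
    """Bitmask of the cells flipped by pressing (i, j): the cell and its neighbours."""
    mask = 0
    for di, dj in ((0, 0), (-1, 0), (1, 0), (0, -1), (0, 1)):
        r, c = i + di, j + dj
        if 0 <= r < n and 0 <= c < n:
            mask |= 1 << (n * r + c)
    return mask

def parse(board):
    """Return (n, bitmask of '-' cells) for a square board given as text."""
    cells = ''.join(board.split())
    n = math.isqrt(len(cells))
    return n, sum((ch == '-') << m for m, ch in enumerate(cells))

def solve(board):
    """Return the presses as concatenated two-digit cell numbers, or None if unsolvable."""
    n, minus = parse(board)
    N = n * n
    # Equation m: bits 0..N-1 are the presses that flip cell m, bit N is 1 if cell m is '-'.
    eqs = [toggle_mask(n, *divmod(m, n)) | (minus >> m & 1) << N for m in range(N)]
    pivots = []
    for col in range(N):
        rank = len(pivots)
        p = next((r for r in range(rank, N) if eqs[r] >> col & 1), None)
        if p is None:
            continue  # free variable, left at 0 (no press)
        eqs[rank], eqs[p] = eqs[p], eqs[rank]
        for r in range(N):
            if r != rank and eqs[r] >> col & 1:
                eqs[r] ^= eqs[rank]
        pivots.append(col)
    if any(e == 1 << N for e in eqs[len(pivots):]):
        return None  # a row reads 0 = 1: no press pattern clears this board
    return ''.join('%d%d' % divmod(c, n) for r, c in enumerate(pivots) if eqs[r] >> N & 1)

def apply_presses(board, presses):
    """Replay the presses; the result is 0 when every cell has become '+'."""
    n, state = parse(board)
    for k in range(0, len(presses), 2):
        state ^= toggle_mask(n, int(presses[k]), int(presses[k + 1]))
    return state
```

The string returned by solve(BOARD) has the shape of answer format b) from the task, and apply_presses lets you check it offline before sending anything.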

Sudoku (300, ppc)
Code:
$ nc 194.106.195.60 9503
Have a nice time with sudoku
Format: 
a) "[1-9] [1-9] [1-9]" - coords and input digit 
b) "solution [1-9]{81}" - full solution
Other:
"restart" to start current game again
"[QqXx]" to exit
-------------
|5__|__8|4__|
|_3_|___|___|
|_2_|5__|___|
-------------
|___|___|72_|
|_1_|2__|___|
|2__|___|5__|
-------------
|__6|___|24_|
|__3|___|6__|
|4_2|1__|3__|
-------------

Again, we'll use SageMath, since it includes a class that implements a Sudoku solver. The only thing we need to do is parse the input.

Code:
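import socket, re

def dostep( s ):
    t = s.recv( 4096 ).decode()
    print( t )
    # Keep only digits and blanks; Sage's Sudoku class takes '.' for empty cells.
    g = ''.join( re.findall( r'[\d_]', t ) ).replace( '_', '.' )
    # solve() yields solutions; take the first one and render it as text.
    g = str( next( Sudoku( g ).solve() ) )
    # Answer format b): "solution" followed by the 81 digits of the solved grid.
    s.send( ( 'solution %s' % ''.join( re.findall( r'\d', g ) ) ).encode() )

def doit():
    s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    s.connect( ('194.106.195.60', 9503) )
    # Discard the text sent before the first grid.
    s.recv( 128 )
    s.recv( 128 )
    for x in range( 101 ):
        dostep( s )
        print( s.recv( 128 ).decode() )
    s.close()

if __name__ == '__main__':
    doit()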

Output:
Code:
Wow!!!
.......
(100 times)
.......
Wow!!!

the flag is: 328df3b4525e060de963a20d3cc86579