NCL Gym Exploitation 'Python 1'
NCL Gym 2018 - Enumeration and Exploitation Python 1
This flag is a Python password flag. Figure out what the password should be to satisfy the if statement. Easy.
Here is the code.
#!/usr/bin/python
import sys

def main():
    if len(sys.argv) != 2:
        print "Invalid args"
        return
    password = sys.argv[1]
    builder = 0
    for c in password:
        builder += ord(c)
    if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
        print "correct"
    else:
        print "incorrect"

if __name__ == "__main__":
    main()
There are a few things in here that can just be thrown to the side because they won’t make a difference to the mission. It’s just housekeeping. Afterwards you have just this.
for c in password:
    builder += ord(c)
if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
    print "correct"
There are parts to this that, if you haven’t seen them before, you may need to quickly Google. Those things are:
- ord()
- len()
- and the password[1] part.
Basically, ord() is the opposite of chr(): ord() takes a character and gives the Unicode value of the character, e.g.
>>> ord('c')
99
>>> ord('a')
97
>>> chr(97)
'a'
>>> chr(99)
'c'
so to figure out
ord(password[1]) == 83:
Open up terminal and run
python
chr(83)
to get the character
>>> chr(83)
'S'
len() takes a string and counts the length.
>>> len('cat')
3
And then the password[1] part. password[1] indexes into the password string and pulls out a single character, so the [1] spot is what it’s looking at. Remember that means the second spot because [0] is the first.
So we can sort of pseudocode out what we need…
Starting at the first letter
Builder starts at 0
for the current letter we are looking at in password do this and loop:
    add the value of the letter to a thing called builder.
if builder’s total hits 1000
and the total length of the password is 10
and the second letter of the string is 'S'
    print "correct"
else
    you got it wrong
I decided to write a modified version of the code to double check
import sys

def main():
    if len(sys.argv) != 2:
        print "Invalid args"
        return
    password = sys.argv[1]
    builder = 0
    for c in password:
        builder += ord(c)
        print builder

if __name__ == "__main__":
    main()
Then ran it with the same letter 3 times.
root@KaliOnWindows:~/Downloads# python Python1-test.py aaa
97
194
291
Edited the test python to print the ord and the builder values through the characters
import sys

def main():
    if len(sys.argv) != 2:
        print "Invalid args"
        return
    password = sys.argv[1]
    builder = 0
    for c in password:
        builder += ord(c)
        print 'Builder ='
        print builder
        print '-----'
        print 'Ord ='
        print ord(c)
        print '-----'

if __name__ == "__main__":
    main()
and the output was beautiful:
root@KaliOnWindows:~/Downloads# python Python1-test2.py aaa
Builder =
97
-----
Ord =
97
-----
Builder =
194
-----
Ord =
97
-----
Builder =
291
-----
Ord =
97
-----
Added a print of length by throwing this into the for loop
print len(password)
print '-----'
Now I came up with a random password that seemed to satisfy the conditions.
I picked tSaaxaacaa. Not sure why. Ran it in our program.
root@KaliOnWindows:~/Downloads# python Python1-test4.py tSaaxaacaa
Builder =
116
-----
Ord =
116
-----
10
-----
Builder =
199
-----
Ord =
83
-----
10
-----
Builder =
296
-----
Ord =
97
-----
10
-----
Builder =
393
-----
Ord =
97
-----
10
-----
Builder =
513
-----
Ord =
120
-----
10
-----
Builder =
610
-----
Ord =
97
-----
10
-----
Builder =
707
-----
Ord =
97
-----
10
-----
Builder =
806
-----
Ord =
99
-----
10
-----
Builder =
903
-----
Ord =
97
-----
10
-----
Builder =
1000
-----
Ord =
97
-----
10
-----
It seemed to meet the conditions. Len was 10. The second character ord was 83 and we hit our goal of 1000.
Run it in the PYTHON1.py program annnndddd.
root@KaliOnWindows:~/Downloads# python PYTHON1.py tSaaxaacaa
correct
Okay Done and Done. This took a little bit of time to run through but it was worth 150 points. Whew.
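A hand-picked guess works here because the check only pins down the sum, the length and one character, so a very large number of strings pass it. The sketch below is an added example in Python 3, not part of the original challenge or this write-up: it re-implements the check, counts how many lowercase-only passwords are accepted, and builds one directly. The names `check`, `count_solutions`, `build_solution` and the a-z restriction on the free positions are assumptions made for illustration.

```python
# Added example (Python 3); not part of the original challenge or write-up.
import string

TARGET_SUM, LENGTH = 1000, 10      # from the challenge's if statement
FIXED = {1: "S"}                   # ord(password[1]) == 83
ALPHABET = string.ascii_lowercase  # assumption: free positions use a-z only

def check(password):
    """The challenge's test, rewritten for Python 3."""
    return (sum(ord(c) for c in password) == TARGET_SUM
            and len(password) == LENGTH
            and ord(password[1]) == 83)

def _free_budget():
    """Free-position count and the sum those positions must supply."""
    return LENGTH - len(FIXED), TARGET_SUM - sum(ord(c) for c in FIXED.values())

def count_solutions(alphabet=ALPHABET):
    """Count accepted strings over `alphabet` via DP on the running sum."""
    free, need = _free_budget()
    codes = [ord(c) for c in alphabet]
    ways = [1] + [0] * need        # ways[s]: strings so far whose ords sum to s
    for _ in range(free):
        nxt = [0] * (need + 1)
        for s, n in enumerate(ways):
            if n:
                for v in codes:
                    if s + v <= need:
                        nxt[s + v] += n
        ways = nxt
    return ways[need]

def build_solution(alphabet=ALPHABET):
    """Build one accepted string; alphabet must be a contiguous code range."""
    codes = sorted(ord(c) for c in alphabet)
    lo, hi = codes[0], codes[-1]
    free, need = _free_budget()
    out = []
    for i in range(LENGTH):
        if i in FIXED:
            out.append(FIXED[i])
            continue
        free -= 1
        # smallest code that still leaves the remaining positions reachable
        v = next(v for v in codes if free * lo <= need - v <= free * hi)
        need -= v
        out.append(chr(v))
    return "".join(out)

if __name__ == "__main__":
    print(build_solution(), check(build_solution()), count_solutions())
```

Even with the free positions limited to a-z, hundreds of millions of strings pass, which is why an additive character sum tells you almost nothing about whether the "right" password was entered.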
Cheers,
Zack