🐍 Serpentine CTF Challenge Writeup
So, this challenge came with a Python script. I downloaded it using wget inside the webshell so I could inspect the source.
🧠 The Python Script
Here's the key part of the script (serpentine.py):
// Some code
ethangabriel-picoctf@webshell:~/Serpentine$ cat serpentine.py
import random
import sys
def str_xor(secret, key):
#extend key to secret length
new_key = key
i = 0
while len(new_key) < len(secret):
new_key = new_key + key[i]
i = (i + 1) % len(key)
return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
flag_enc = chr(0x15) + chr(0x07) + chr(0x08) + chr(0x06) + chr(0x27) + chr(0x21) + chr(0x23) + chr(0x15) + chr(0x5c) + chr(0x01) + chr(0x57) + chr(0x2a) + chr(0x17) + chr(0x5e) + chr(0x5f) + chr(0x0d) + chr(0x3b) + chr(0x19) + chr(0x56) + chr(0x5b) + chr(0x5e) + chr(0x36) + chr(0x53) + chr(0x07) + chr(0x51) + chr(0x18) + chr(0x58) + chr(0x05) + chr(0x57) + chr(0x11) + chr(0x3a) + chr(0x0f) + chr(0x0e) + chr(0x59) + chr(0x06) + chr(0x4d) + chr(0x55) + chr(0x0c) + chr(0x0f) + chr(0x14)
def print_flag():
flag = str_xor(flag_enc, 'enkidu')
print(flag)
def print_encouragement():
encouragements = ['You can do it!', 'Keep it up!',
'Look how far you\'ve come!']
choice = random.choice(range(0, len(encouragements)))
print('\n-----------------------------------------------------')
print(encouragements[choice])
print('-----------------------------------------------------\n\n')
def main():
print(
'''
Y
.-^-.
/ \ .- ~ ~ -.
() () / _ _ `. _ _ _
\_ _/ / / \ \ . ~ _ _ ~ .
| | / / \ \ .' .~ ~-. `.
| | / / ) ) / / `.`.
\ \_ _/ / / / / / `'
\_ _ _.' / / ( (
/ / \ \\
/ / \ \\
/ / ) )
( ( / /
`. `. .' /
`. ~ - - - - ~ .'
~ . _ _ _ _ . ~
'''
)
print('Welcome to the serpentine encourager!\n\n')
while True:
print('a) Print encouragement')
print('b) Print flag')
print('c) Quit\n')
choice = input('What would you like to do? (a/b/c) ')
if choice == 'a':
print_encouragement()
elif choice == 'b':
print('\nOops! I must have misplaced the print_flag function! Check my source code!\n\n')
elif choice == 'c':
sys.exit(0)
else:
print('\nI did not understand "' + choice + '", input only "a", "b" or "c"\n\n')
if __name__ == "__main__":
main()
ethangabriel-picoctf@webshell:~/Serpentine$ Actually running the script i couldnt think about anything, but i found something interesting in the
// Some code
def str_xor(secret, key):
#extend key to secret length
new_key = key
i = 0
while len(new_key) < len(secret):
new_key = new_key + key[i]
i = (i + 1) % len(key)
return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
We can see that the flag is being encrypted using a simple XOR with the string 'enkidu'. The encryption method just repeats the key until it's the same length as the flag, then does a XOR character by character.
The encrypted flag is stored like this:
// Some code
def print_flag():
flag = str_xor(flag_enc, 'enkidu')
print(flag)🧩 Reversing the Logic
So i basicly have the flag encripted, and the key, and the method he is usign, i just need to figure out how the encription actually works, and do it on reverse. Searching around i found out that he is usign ~xor~ method, kind obvius because its in the functions name, and works something like, ~flag XOR encript_key = flag_encripted. so i got the encript_key and the flag_encripted, reversing it, i can get the flag, and i didnt wanted to do it by hand, so i was thinking about building a little script that does it for me, since im learning C, im gonna do it in C.
💻 Writing My Own Decryptor (In C)
// What i made in C;
#include <stdio.h>
#include <stdlib.h>
void main(){
char flag_encrypted[] = {0x15, 0x07, 0x08, 0x06, 0x27, 0x21, 0x23, 0x15,
0x5c, 0x01, 0x57, 0x2a, 0x17, 0x5e, 0x5f, 0x0d,
0x3b, 0x19, 0x56, 0x5b, 0x5e, 0x36, 0x53, 0x07,
0x51, 0x18, 0x58, 0x05, 0x57, 0x11, 0x3a, 0x0f,
0x0e, 0x59, 0x06, 0x4d, 0x55, 0x0c, 0x0f, 0x14};
char decrypt_key[] = "enkidu";
int i, j = 0;
char decrypted_flag;
for(i=0;i<40;i++){
decrypted_flag = decrypt_key[j] ^ flag_encrypted[i];
printf("%c", decrypted_flag);
j++;
if(j >= 6)
j = 0;
}
}WIth it compiling it printed the flag 4 me, so i solved the challenge.
Last updated