🐍 Serpentine CTF Challenge Writeup

So, this challenge came with a Python script. I downloaded it using wget inside the webshell so I could inspect the source.

🧠 The Python Script

Here's the key part of the script (serpentine.py):

// Some code
ethangabriel-picoctf@webshell:~/Serpentine$ cat serpentine.py 

import random
import sys



def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key = new_key + key[i]
        i = (i + 1) % len(key)        
    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])


flag_enc = chr(0x15) + chr(0x07) + chr(0x08) + chr(0x06) + chr(0x27) + chr(0x21) + chr(0x23) + chr(0x15) + chr(0x5c) + chr(0x01) + chr(0x57) + chr(0x2a) + chr(0x17) + chr(0x5e) + chr(0x5f) + chr(0x0d) + chr(0x3b) + chr(0x19) + chr(0x56) + chr(0x5b) + chr(0x5e) + chr(0x36) + chr(0x53) + chr(0x07) + chr(0x51) + chr(0x18) + chr(0x58) + chr(0x05) + chr(0x57) + chr(0x11) + chr(0x3a) + chr(0x0f) + chr(0x0e) + chr(0x59) + chr(0x06) + chr(0x4d) + chr(0x55) + chr(0x0c) + chr(0x0f) + chr(0x14)


def print_flag():
  flag = str_xor(flag_enc, 'enkidu')
  print(flag)


def print_encouragement():
  encouragements = ['You can do it!', 'Keep it up!', 
                    'Look how far you\'ve come!']
  choice = random.choice(range(0, len(encouragements)))
  print('\n-----------------------------------------------------')
  print(encouragements[choice])
  print('-----------------------------------------------------\n\n')



def main():

  print(
'''
    Y
  .-^-.
 /     \      .- ~ ~ -.
()     ()    /   _ _   `.                     _ _ _
 \_   _/    /  /     \   \                . ~  _ _  ~ .
   | |     /  /       \   \             .' .~       ~-. `.
   | |    /  /         )   )           /  /             `.`.
   \ \_ _/  /         /   /           /  /                `'
    \_ _ _.'         /   /           (  (
                    /   /             \  \\
                   /   /               \  \\
                  /   /                 )  )
                 (   (                 /  /
                  `.  `.             .'  /
                    `.   ~ - - - - ~   .'
                       ~ . _ _ _ _ . ~
'''
  )
  print('Welcome to the serpentine encourager!\n\n')
  
  while True:
    print('a) Print encouragement')
    print('b) Print flag')
    print('c) Quit\n')
    choice = input('What would you like to do? (a/b/c) ')
    
    if choice == 'a':
      print_encouragement()
      
    elif choice == 'b':
      print('\nOops! I must have misplaced the print_flag function! Check my source code!\n\n')
      
    elif choice == 'c':
      sys.exit(0)
      
    else:
      print('\nI did not understand "' + choice + '", input only "a", "b" or "c"\n\n')



if __name__ == "__main__":
  main()

ethangabriel-picoctf@webshell:~/Serpentine$

Actually running the script i couldnt think about anything, but i found something interesting in the

// Some code
def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key = new_key + key[i]
        i = (i + 1) % len(key)        
    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])

We can see that the flag is being encrypted using a simple XOR with the string 'enkidu'. The encryption method just repeats the key until it's the same length as the flag, then does a XOR character by character.

The encrypted flag is stored like this:

// Some code
def print_flag():
  flag = str_xor(flag_enc, 'enkidu')
  print(flag)

🧩 Reversing the Logic

So i basicly have the flag encripted, and the key, and the method he is usign, i just need to figure out how the encription actually works, and do it on reverse. Searching around i found out that he is usign ~xor~ method, kind obvius because its in the functions name, and works something like, ~flag XOR encript_key = flag_encripted. so i got the encript_key and the flag_encripted, reversing it, i can get the flag, and i didnt wanted to do it by hand, so i was thinking about building a little script that does it for me, since im learning C, im gonna do it in C.

💻 Writing My Own Decryptor (In C)

// What i made in C;

#include <stdio.h>
#include <stdlib.h>



void main(){
    char flag_encrypted[] = {0x15, 0x07, 0x08, 0x06, 0x27, 0x21, 0x23, 0x15,
                            0x5c, 0x01, 0x57, 0x2a, 0x17, 0x5e, 0x5f, 0x0d,
                            0x3b, 0x19, 0x56, 0x5b, 0x5e, 0x36, 0x53, 0x07,
                            0x51, 0x18, 0x58, 0x05, 0x57, 0x11, 0x3a, 0x0f,
                            0x0e, 0x59, 0x06, 0x4d, 0x55, 0x0c, 0x0f, 0x14};
    char decrypt_key[] = "enkidu";
    
    int i, j = 0;
    char decrypted_flag;
    for(i=0;i<40;i++){
        decrypted_flag = decrypt_key[j] ^ flag_encrypted[i];
        printf("%c", decrypted_flag);
        j++;
        if(j >= 6)
            j = 0;
    }


}

WIth it compiling it printed the flag 4 me, so i solved the challenge.

PreviousPicoCTF WriteUps Next🧾 ASCII Numbers CTF Challenge Writeup

Last updated 9 months ago

hashtag🧠 The Python Script

hashtag🧩 Reversing the Logic

hashtag💻 Writing My Own Decryptor (In C)

🧠 The Python Script

🧩 Reversing the Logic

💻 Writing My Own Decryptor (In C)