Una Acies - SanDiegoCTF
Posted on
Description
'Tis an elegant Python poem. Thou shalt not reverse
This challenge has one source file una_acies.py and flag.txt.
Analysis
If you look carefully at the source file the first lambda is self calling function with 4 arguments.
(lambda __print, __g, __contextlib, __y: ...)((__import__('__builtin__', level=0).__dict__['print'], globals(), __import__('contextlib', level=0), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)())))))
Let's check which global variables are present.
$ python2 -i una_acies.py
>>> globals()
{'test2': <function test2 at 0x7ffff792a850>, 'ok': <function ok at 0x7ffff792a7d0>, '__warningregistry__': {('With-statements now directly support multiple context managers', <type 'exceptions.DeprecationWarning'>, 7): True}, 'no': <function no at 0x7ffff792a8d0>, '__builtins__': <module '__builtin__' (built-in)>, 'flag': 'sdctf{example_flag}', '__package__': None, 'sys': <module 'sys' (built-in)>, 'why': <function why at 0x7ffff792a950>, 'secret': "7<`+'eX#&QcZ1zVrr2's`%>}B7", 'test': <function test at 0x7ffff792a9d0>, '__name__': '__main__', '__doc__': None, 'print_function': _Feature((2, 6, 0, 'alpha', 2), (3, 0, 0, 'alpha', 0), 65536)}
Variables:
'flag': 'sdctf{example_flag}'which is read fromflag.txt.'secret': "7<+'eX#&QcZ1zVrr2's%>}B7"
Functions:
'test2': \function test2 at 0x7ff3bc3e3850>, No args -> 1079734025633873781522191095453466434393488467829981183
'ok': <function ok at 0x7ff3bc3e37d0>, 1 args -> ok(1) -> 1079734025633873781522191095453466434393488467829981183L
'no': <function no at 0x7ff3bc3e38d0>, No args -> 24174820773702277904438513296095994890636308596115538991428195003851059431016851239563801619073548623924767715011378533702776973138621606807751098367
'why': <function why at 0x7ff3bc3e3950>, 2 Args is zipped together and then XORed.
'test': <function test at 0x7ff3bc3e39d0>, 1 args (this is our check function) -> nope or flag
for __g['flag'] in [(open('flag.txt').read())]][0] this line interprets to flag = open("flag.txt").read().
for __g['secret'] in [("7<+'eX#&QcZ1zVrr2's%>}B7")]][0] same secret var is set.
for __g['test'], test.__name__ in [(lambda what: (lambda __l: [[[[('nope', flag)[(why(why(__l['what'], no()), test2()) == secret)] for __l['j'] in [(test2())]][0] for __l['d'] in [(ok(5))]][0] for __l['b'] in [(no())]][0] for __l['what'] in [(what)]][0])({}), 'test')]][0]
for __g['why'], why.__name__ in [(lambda a, b: (lambda __l: [''.join([chr((ord(__l['x']) ^ ord(__l['y'])))
for (__l['x'], __l['y']) in zip(str(__l['a']), __l['b'])])
for __l['a'], __l['b'] in [(a, b)]][0])({}), 'why')]][0]
for __g['no'], no.__name__ in [(lambda : (lambda __l: [(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[__this()
for __l['k'] in [((__l['k'] | (((__l['a'] * __l['a']) << ((__l['a'] % __l['k']) * __l['a'])) ^ (__l['a'] * __l['k']))))]][0]
for __l['a'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(23)), lambda: str(__l['k']), [])
for __l['k'] in [(3)]][0])({}), 'no')]][0]
for __g['test2'], test2.__name__ in [(lambda : str(ok(2)), 'test2')]][0]
for __g['ok'], ok.__name__ in [(lambda test: (lambda __l: [[(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[__this()
for __l['x'] in [((__l['x'] | (__l['i'] ^ ((__l['i'] * __l['x']) + __l['x']))))]][0]
for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(43)), lambda: __l['x'], [])
for __l['x'] in [(5)]][0]
for __l['test'] in [(test)]][0])({}), 'ok')]][0]
- This is the part where our key is passed to
whyfunction('nope', flag)[(why(why(__l['what'], no()), test2()) == secret)]why(why(key, no()), test())and then checks it withsecret. whyfunction takes two argument, zips it and then xors it with together.
>>> why(why(secret, test2()), no())
'48f%$n^##Sf^2pSvr3&rf$7qB4'
$ ncat acies.sdc.tf 1337
Enter key: 48f%$n^##Sf^2pSvr3&rf$7qB4
sdctf{r0s3s_R_r3d,V101375_r_blu3,Pyth0n_3ntangl3s,&u_unr4v3l}
Flag
sdctf{r0s3s_R_r3d,V101375_r_blu3,Pyth0n_3ntangl3s,&u_unr4v3l}