s4ch1n

Una Acies - SanDiegoCTF

Posted on

Description

'Tis an elegant Python poem. Thou shalt not reverse

This challenge has one source file una_acies.py and flag.txt.

Analysis

If you look carefully at the source file the first lambda is self calling function with 4 arguments.

(lambda __print, __g, __contextlib, __y: ...)((__import__('__builtin__', level=0).__dict__['print'], globals(), __import__('contextlib',     level=0), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)())))))

Let's check which global variables are present.

$ python2 -i una_acies.py
>>> globals()
{'test2': <function test2 at 0x7ffff792a850>, 'ok': <function ok at 0x7ffff792a7d0>, '__warningregistry__': {('With-statements now directly  support multiple context managers', <type 'exceptions.DeprecationWarning'>, 7): True}, 'no': <function no at 0x7ffff792a8d0>,                '__builtins__': <module '__builtin__' (built-in)>, 'flag': 'sdctf{example_flag}', '__package__': None, 'sys': <module 'sys' (built-in)>,     'why': <function why at 0x7ffff792a950>, 'secret': "7<`+'eX#&QcZ1zVrr2's`%>}B7", 'test': <function test at 0x7ffff792a9d0>, '__name__':      '__main__', '__doc__': None, 'print_function': _Feature((2, 6, 0, 'alpha', 2), (3, 0, 0, 'alpha', 0), 65536)}

Variables:

  • 'flag': 'sdctf{example_flag}' which is read from flag.txt.
  • 'secret': "7<+'eX#&QcZ1zVrr2's%>}B7"

Functions:

'test2': \function test2 at 0x7ff3bc3e3850>, No args -> 1079734025633873781522191095453466434393488467829981183
'ok': <function ok at 0x7ff3bc3e37d0>, 1 args -> ok(1) -> 1079734025633873781522191095453466434393488467829981183L
'no': <function no at 0x7ff3bc3e38d0>, No args -> 24174820773702277904438513296095994890636308596115538991428195003851059431016851239563801619073548623924767715011378533702776973138621606807751098367
'why': <function why at 0x7ff3bc3e3950>, 2 Args is zipped together and then XORed.
'test': <function test at 0x7ff3bc3e39d0>, 1 args (this is our check function) -> nope or flag

for __g['flag'] in [(open('flag.txt').read())]][0] this line interprets to flag = open("flag.txt").read().

for __g['secret'] in [("7<+'eX#&QcZ1zVrr2's%>}B7")]][0] same secret var is set.

for __g['test'], test.__name__ in [(lambda what: (lambda __l: [[[[('nope', flag)[(why(why(__l['what'], no()), test2()) == secret)] for       __l['j'] in [(test2())]][0] for __l['d'] in [(ok(5))]][0] for __l['b'] in [(no())]][0] for __l['what'] in [(what)]][0])({}), 'test')]][0]
for __g['why'], why.__name__ in [(lambda a, b: (lambda __l: [''.join([chr((ord(__l['x']) ^ ord(__l['y'])))
    for (__l['x'], __l['y']) in zip(str(__l['a']), __l['b'])])
    for __l['a'], __l['b'] in [(a, b)]][0])({}), 'why')]][0]
for __g['no'], no.__name__ in [(lambda : (lambda __l: [(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i:         [[__this()
    for __l['k'] in [((__l['k'] | (((__l['a'] * __l['a']) << ((__l['a'] % __l['k']) * __l['a'])) ^ (__l['a'] * __l['k']))))]][0]
    for __l['a'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(23)), lambda:             str(__l['k']), [])
    for __l['k'] in [(3)]][0])({}), 'no')]][0]
for __g['test2'], test2.__name__ in [(lambda : str(ok(2)), 'test2')]][0]

for __g['ok'], ok.__name__ in [(lambda test: (lambda __l: [[(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i:    [[__this()
    for __l['x'] in [((__l['x'] | (__l['i'] ^ ((__l['i'] * __l['x']) + __l['x']))))]][0]
    for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(43)), lambda: __l['x'],   [])
    for __l['x'] in [(5)]][0]
    for __l['test'] in [(test)]][0])({}), 'ok')]][0]
  • This is the part where our key is passed to why function ('nope', flag)[(why(why(__l['what'], no()), test2()) == secret)] why(why(key, no()), test()) and then checks it with secret.
  • why function takes two argument, zips it and then xors it with together.
>>> why(why(secret, test2()), no())
'48f%$n^##Sf^2pSvr3&rf$7qB4'
$ ncat acies.sdc.tf 1337
Enter key: 48f%$n^##Sf^2pSvr3&rf$7qB4
sdctf{r0s3s_R_r3d,V101375_r_blu3,Pyth0n_3ntangl3s,&u_unr4v3l}

Submit Flag

Flag

sdctf{r0s3s_R_r3d,V101375_r_blu3,Pyth0n_3ntangl3s,&amp;u_unr4v3l}