UNIWA 2021 CTF: Fast Calculator Writeup

Category: Misc
Points: 100
Made by: Fuzzer

Challenge’s Overview Panel

Disclaimer
This is my first writeup for a CTF. You have been warned.

Intro
We are given a URL and a port. After first trying to SSH without luck, I tried netcat. It worked. From the challenge’s overview we get this:

To solve this challenge you need to think really fast.

Solving the challenge

So, after connecting we are greeted with this message:

Initial message from netcat server

I immediately thought that this needed a scripting solution, but I wanted to be sure. So I first tried giving the server the correct answer, then a false one.

Testing correct and false answers

Two things to note here. First, the calculations are multiplication, division, subtraction and addition. Second, no matter how many times you restart the server, the calculations are given in the exact same order. They are not random. So, again, this points to scripting.

I tried giving it a big string to see how it would handle it, but it just errored out.

The server errors out when a long string is inserted

So off to scripting we go. I chose Node.js because, at the time of this write-up, I use it daily and I am most comfortable with it.
I used the netcat module for connecting to the server and exchanging data. I had never used it before, but its documentation is pretty straightforward. I also used a module called StringMath to perform the actual math operations.

Struggles

I had to run the program a couple of times, as there were roughly 200 calculations and my script errored twice near the end of the challenge. First, the server doesn’t accept decimals, so I had to use Math.floor. Second, if the result is between 0 and 1 (0 < Calc_Result < 1), the only answer the server accepts is 0.

Final Script

Code Explanation

Although pretty basic, here are some notes on the code.
With connect().on('data'), the function is activated every time we receive a message via netcat from the server. We use utf8 encoding, as otherwise we get bytes of data. I first check if the message contains the UNIWA chars, which were the starting chars of every flag. The success message was added after the challenge was done, just so I get the complete flag message.
First, I added an if for the Answer: part because it was actually sent as a separate message after the calculation.
With some regex, I removed the newline character from the given calculation.
After that, I pass the string containing the calculation over to StringMath and get an int with the result. I added the if statement I talked about earlier for sending 0 if the number was between 0 and 1, and I also floored the number, as in the division calculations the server only accepted numbers included in Z.
I finally convert the int to string and send it back.
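
The message handling described above, as an added example that is not the author's original script: it uses Node's built-in net module and a strict regex parser in place of the netcat and StringMath modules, so nothing sent by the server is ever passed to eval(). The "a op b" line format, the function names and the host/port arguments are assumptions.

```javascript
// Added example, not the original script. Assumes each calculation arrives as
// a single "a op b" line with ASCII operators, followed by an "Answer:" prompt.
const FLAG_PREFIX = 'UNIWA'; // flag prefix named in the write-up
const EXPR = /^\s*(-?\d+)\s*([+\-*\/])\s*(-?\d+)\s*$/;

// Evaluate one server-supplied calculation. Anything that is not exactly
// "integer operator integer" is rejected (null) instead of being evaluated.
function solve(line) {
  const m = EXPR.exec(line.replace(/[\r\n]+/g, ''));
  if (!m) return null;
  const a = Number(m[1]), b = Number(m[3]);
  if (m[2] === '/' && b === 0) return null;
  const results = { '+': a + b, '-': a - b, '*': a * b, '/': a / b };
  // The server only accepts integers; Math.floor also turns 0 < r < 1 into 0.
  return String(Math.floor(results[m[2]]));
}

// Handle one received chunk: report the flag, send an answer, or keep waiting.
// The calculation and the "Answer:" prompt may arrive in separate chunks.
function handle(chunk, state) {
  if (chunk.includes(FLAG_PREFIX)) return { flag: chunk.trim() };
  for (const line of chunk.split('\n')) {
    const result = solve(line);
    if (result !== null) state.pending = result;
  }
  if (chunk.includes('Answer:') && state.pending !== null) {
    const reply = state.pending;
    state.pending = null;
    return { send: reply + '\n' };
  }
  return {};
}

// Wire the handler to a TCP connection; host and port are placeholders.
function run(host, port) {
  const net = require('net');
  const state = { pending: null };
  const sock = net.connect(port, host);
  sock.setEncoding('utf8'); // receive strings instead of raw Buffers
  sock.on('data', (chunk) => {
    const out = handle(chunk, state);
    if (out.flag) { console.log(out.flag); sock.end(); }
    else if (out.send) sock.write(out.send);
  });
}

// Usage: node solver.js <host> <port>
if (process.argv.length === 4) run(process.argv[2], Number(process.argv[3]));
```

Negative quotients are floored toward minus infinity here; whether the server expects that is not stated in the write-up.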

Final Result

Here is the script in action:

Script working in action

And here is after one minute and countless calculations, the successful result:

Flag at the very end

UNIWA{H0p3_y0u_scr1pt3d_th1s}

Indeed we scripted this.

Conclusion

Had a lot of fun this weekend with the UNIWA CTF. Thanks to the guys that organized this. Fast Calculator was by far my favourite (and perhaps one of the easiest) challenge from this CTF.
Thanks for reading.
