Itchy Route

Get straight to the point and list your options!

Category: misc

Solver: frcroth, mp455

Flag: ENO{4NY_M0R3_QU35T10N5M4RK5_0C?N?}

When connecting to this challenge, nothing greets us and if we are polite and ask “hello”, it responds with:

Request contained some illegal characters: “hello”

Also, when we take too long, we get different errors, e.g.:

Request timeout: firewall getting suspicious.

This already tells us that we probably need to use a script to interact here, since we won’t be able to type quickly enough. But we still didn’t know any way to communicate. Since illegal characters are mentioned, our next idea was to try all characters and see whether any of them produces an answer other than the illegal-characters error. We used a small script with pwntools and got different answers for “0”, “c”, “n”, “.”, “?”, “C”, “N”, “/”. Then we tried these chars:

When sending “.”, the answer is:

0cn
5unr
f6z0
i09
qczr

We finally got something! Now the hint “get straight to the point” makes sense as well. When sending “N”, the answer is:

Cannot access N: No such file or directory

It seems like we have some kind of file system on our hands. Indeed, when we enter “0cn”, we get:

Great, you found your way here. The flag is somewhere in this filesystem in another file also called ‘0cn’.

So we need to find our way through a filesystem to a file called “0cn”. When we try a different entry, e.g. 5unr, we once again get the error about illegal characters. That makes sense, since these characters were not among the valid ones. The valid characters we found also include “?”, which we can use as a wildcard: we select the directory “5unr” by substituting every invalid character with “?”, and requesting “??n?” gives a correct response. We now make the assumption that, in each directory, every entry can still be uniquely identified when wildcards are used.

When sanitizing our input using the wildcard “?”, we get a new list of directories.
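The masking step and the uniqueness assumption can be checked offline. The following is an added example, not part of the original write-up: the helper names are hypothetical, `ROOT` is the root listing shown above, `COLLIDING` is a constructed listing, and Python's `fnmatch` is assumed to stand in for the service's wildcard matching.

```python
from fnmatch import fnmatchcase

# Characters the service accepted, as found in the write-up.
ALLOWED = set("0cn.?CN/")

def mask(name):
    """Replace every character the filter rejects with the wildcard '?'."""
    return "".join(ch if ch in ALLOWED else "?" for ch in name)

def resolve(listing):
    """Map each entry to (masked pattern, entries that the pattern matches)."""
    result = {}
    for name in listing:
        pattern = mask(name)
        hits = [entry for entry in listing if fnmatchcase(entry, pattern)]
        result[name] = (pattern, hits)
    return result

def ambiguous(listing):
    """Entries whose masked pattern also matches a sibling in the same directory."""
    return {name: hits
            for name, (_, hits) in resolve(listing).items()
            if len(hits) > 1}

ROOT = ["0cn", "5unr", "f6z0", "i09", "qczr"]   # root listing from the write-up
COLLIDING = ["a0b", "x0y", "0cn"]               # constructed: two names share a mask

if __name__ == "__main__":
    for name, (pattern, hits) in resolve(ROOT).items():
        print(f"{name:5} -> {pattern:5} matches {hits}")
    print("ambiguous in ROOT:     ", ambiguous(ROOT))
    print("ambiguous in COLLIDING:", ambiguous(COLLIDING))
```

Every entry in the root listing resolves to exactly one name, so a character allowlist that lets “?” through does not restrict which names can be addressed; it only breaks down when two siblings share the same mask.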

With this we have enough information to start writing our script. We use a breadth-first search [1].

from pwn import *

allowed_chars = ["0", "c", "n", ".", "?", "C", "N", "/"] # Question mark is a wildcard

def log(msg):
    with open("log.txt", "a") as f:
        f.write(msg + "\n")

def sanitize_request(request):
    # Replace every character that is not in allowed_chars with the wildcard "?"
    return "".join([c if c in allowed_chars else "?" for c in request])

def list_dirs(dir):
    io = connect("52.59.124.14", 5002)
    msg = sanitize_request(dir)
    log("Sending " + msg)
    io.sendline(msg)
    dirs = []
    try:
        while True:
            response = io.recvline().decode("utf-8").strip()
            if response == "0cn" and msg != ".":
                log("Found 0cn!")
                log(dir)
            if "No such" in response:
                log("Deadend at " + msg)
                break
            dirs.append(msg + "/" + response)
    except EOFError:
        pass
    io.close()
    return dirs

def main():
    responses = []
    visit_queue = list_dirs(".") # Start by listing the root directory
    while visit_queue:
        current_dir = visit_queue.pop(0)
        log("Visiting " + current_dir)
        dirs = list_dirs(current_dir)
        responses.append((current_dir, dirs))
        visit_queue += dirs
    print(responses)

if __name__ == '__main__':
    main()

After a few minutes, we have found the path:

Sending ./??n?/c??/??00/?0?/??n/??c?/?n??/??c?/??0/??0?/?n?/??0?/?0?/0??/n??n/c??/0??/n??/0cn
Found 0cn!

We can then query the path and get the flag.

More information

[1] https://en.wikipedia.org/wiki/Breadth-first_search