Do you want to use dark theme?

picoCTF 2019 Time's Up

Reversing, 400 points. 

Challenge

Time waits for no one. Can you solve this before time runs out?

Hints

Can you interact with the program using a script? 

Target Binary

Download from PicoCTF or mirror on my website.

Walkthrough

Let's run the program first and see what happens...

[email protected]:/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580$ ./times-up
Challenge: (((((1288057008) + (2021762573)) - ((489289688) + (-1858380255))) + (((1623481824) - (-8221812)) + ((-807258024) + (-1222959154)))) + ((((122253874) + (936856588)) - ((1864911763) + (-548664864))) - (((1416474072) + (-1599750822)) + ((-1902594544) + (1229572287)))))
Setting alarm...
Solution? Alarm clock

 

We just need to evaluate the equation fast enough? Seems simple...except, the equation changes every time. Ok, so the hint says we can solve it by interacting with the program using a script. Let's try it out using the pwnlib and send in a dummy answer.

from pwn import *

p=process("/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up")
p.recvline()
p.sendline('0')
print p.recvall()

Running it produces

[email protected]:~$ python times_up_solve.py
[+] Starting local process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up': pid 3271930
[+] Receiving all data: Done (315B)
[*] Process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up' stopped with exit code 0 (pid 3271930)
Challenge: (((((1902598880) + (2085037722)) + ((415567762) + (-470207022))) + (((-207809664) + (1259474180)) + ((-1119927238) + (-302757706)))) + ((((1765278410) + (-1591815140)) + ((-1232116622) + (900283584))) - (((1288178076) + (-1186474823)) + ((-1249666223) - (1710228294)))))
Setting alarm...
Solution? Nope!

So it seems the script can interact with the program without a problem. Let's see what will happen if we simply grab the equation, evaluate it, and send it back. 

from pwn import *
import re

p=process("/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up")
l=p.recvline()
eq=re.search("Challenge: (.+)",l).group(1)
p.sendline(str(eval(eq)))
print p.recvall()

 

Running it produces

[email protected]:/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580$ python ~/times_up_solve.py
[+] Starting local process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up': pid 3272458
[+] Receiving all data: Done (104B)
[*] Process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up' stopped with exit code 0 (pid 3272458)
Setting alarm...
Solution? Congrats! Here is the flag!
picoCTF{Gotta go fast. Gotta go FAST. #1dcd7f16}

and we got the flag. Easy.