Hey everyone, this is a video write-up for the challenge "algebra" from CSAW CTF 2018. The prompt here is "Are you a real math whiz?" and it gives us a netcat connection that we can connect to. So if we go ahead and try to connect to this, it says, "Can you find X? X is..." Okay, looks like an algebraic expression there. We can solve for X. And we could do this by hand each time, but it sounds like we're going to be doing this a lot, so we should try and figure out how we can automate that.

Well, I have a handy-dandy YouTube video tutorial series on SymPy, which is a neat and handy... SymPy, I don't know why it autocompleted that. Thanks. Cool. You suck. The Python library for symbolic mathematics. So essentially a computer algebra system: it solves algebraic equations, does cool stuff. I'm just going to run through how to use it, essentially just to solve this challenge, but I have a little bit of another video tutorial series. It's very, very old. Sorry, it might suck. But you can check that out if you want to see more of it. It's pretty cool. Again, just solving algebraic expressions.

So let's go ahead and start up a script where we can connect to this thing and work with it. I'm going to create a shebang line here, #!/usr/bin/env python. Let's get just that hostname set up for us. If you don't have SymPy installed, you can probably sudo pip install it. If you don't have pip, sudo apt-get install pip. And let's import sympy, just as I said, and from pwn import all. Okay, cool. So s can equal remote with that hostname, and the port being 902. Let's do s.close, and then let's just see what we've got to work with right up here. Let's do print s.recv, and we'll pop this over to our shell over here where we can run it with Python. Looks like we get the ASCII text, so we don't need that one. But we do want to check out what s.recv up here is now, after we see that, and it says, okay, two newlines, the actual equation that we need to solve, and the prompt "What does X equal?"
So let's save that as a variable. I don't know why, again, I was going to say value, but I knew I should have said variable. So okay, let's have prompt, and then let's say equation can equal prompt.split on newlines, and let's just get zero here, and then we can display the equation each time. So it looks like that's going to work just fine. Great.

Let's go ahead and create a variable that we can work with in SymPy now. Let's say x can equal sympy.Symbol, capital S for Symbol, with a string of the variable that we want it to be represented as. So capital X in this case. Now we can go ahead and split up the equation into both sides of the equation, the left and the right side. So let's say left, right can equal equation.split on this, and now we can go ahead and try and create an equation, in the SymPy module sense, that will go ahead and evaluate this kind of thing. We could, if we wanted to, put together a sympy.Eq of left and right. Let's just say, or how about eq, lowercase.

And we will want left and right as actual constants. So unfortunately, I would not encourage this usually. We're kind of having to be trusting the CTF challenge, which is again already a big bad thing and vulnerability. We would normally want to run like the safe eval or the safe expression that comes with utils, or pwn, pwntools, pwn utils. You could run safeeval expression on left or right. But because it has X in there as a variable, it doesn't even trust that, because X could be anything, it could be remote code or whatever. So unfortunately, I feel bad, we are going to have to use the dangerous eval function in this case to go ahead and convert it, in a quick and dirty way, to something that SymPy can handle.

So if we were to print out eq after we've got it, let's again display it all here. Now we have an equation that we can tell SymPy to solve: sympy.solve, eq, with our x variable. We can say answer, and let's print out answers.
So we know we've got something working, negative five, for whatever that case may be. We're going to index it zero here. Perfect. So now let's go ahead and sendline the string of answer, because it's just a number here. Let's go ahead and print what we receive following that. Let's say, okay, we got "yay, keep going", and that gives us the next question.

So if we wanted to loop this real quick, if we just wanted to turn the crank on it, what we receive, or prompt, in any iteration is going to essentially have the next question in the success message. So it's kind of a quick patch. What I'm going to do is I'm going to test if "yay, keep going" is in the prompt. Otherwise, sure, if it's the first occurrence, we can get the equation from the top line. But if "yay" is in there, we're going to end up getting it from the second line. As you can see, "yay, keep going" is the first response line and then the equation is the second one. So just dirty patch CTF code: if "yay" or whatever is in the prompt, we will use the second line for our equation. If not, we'll use the equation down below. And then let's print out s.recv again, just to make sure that all works, and let's go ahead and crank through it.

Let's see, we receive, and then we start after we've gotten the banner. Let's turn the crank on it: while 1 starts to loop through stuff. Let's print out our prompts, so we always see what we get in case the flag is in there, and let's run through it. Looks like we get a couple, but eventually one of the questions, one of the equations, one of the queries tells us, "Hey, that's not valid input. Remember, we only accept decimals." So it looks like this is going to end up returning a fraction for us. So SymPy is going to want to handle that as a real fraction, like an exact value, one over three or something, not a decimal, but they're only accepting decimals. So, okay, that's fine. Let's take the answer and turn it to a float before we actually turn it to a string, so we can pass along an answer.
Just fine. Now let's run this, crank through it, and it's going to go through a bunch of these. Oh, okay. Looks like one of them missed. That's all right. Let's try it again. Lots of crazy algebraic expressions come out here. And as I am testing this over and over, I'm finding cases where we're getting what could be a complex equation, and SymPy is not easily handling that. So what I'm going to end up trying is actually just trying the script over and over again until we actually hit the flag, unless we just get lucky and finally have something that doesn't give us a complex system.

After a little bit of hard fuzzing, we got it. Didn't take too, too long. I realize it's probably not the most elegant solution, just kind of waiting on when we actually get lucky and don't hit any complex solutions or whatever the case may be, but we do get the flag. So let's go ahead and save that. We could submit it for the points, win some prizes or whatever, but that's it. That's that challenge. SymPy, super cool module to solve algebraic expressions. Keep that in mind. Keep that in your toolkit, in your arsenal.

But hope you guys enjoyed. Quick special shout-out to the people that support me on Patreon. Thank you guys so much. I can't say it enough. This list keeps growing and that's just incredible. Thank you. Thank you. Thank you. Thank you, can't say it enough. One dollar a month on Patreon, I'll give you a special shout-out just like this at the end of every video, just to make you feel good, like you're helping, like you're supporting, helping the channel grow. Thank you. $5 a month on Patreon,
I'll give you early access to everything that I release on YouTube before it goes live. So I like to record in bulk and then let YouTube gradually release things on a scheduled basis. But if you want stuff right away, right when it's done recording, this is the best way to do it. Just five dollars a month on Patreon.

If you did like this video, please do like, comment and subscribe. If you are willing to join our Discord server, please do, link in the description. Cool community full of CTF players, programmers and hackers. You want to hang out with me or other awesome people? That's the place to do it. We like to team up for some CTFs, where we can, like CSAW. This itself, where if we don't have a team cap size, we'll just all go in hard. If there is a little bit of a team cap size, we kind of just divide into some sub-components and we'll have group chats, and it's just fine. It's a cool CTF work camp. So we're going to be tackling CSAW RED this weekend and picoCTF as it comes live. So it's a great thing, come join the party. I'll personally greet and welcome you if I'm awake and alive. So thanks again, guys. Hope to see you on Patreon. Hope to see you in the next video. Love you. Bye.
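
The parsing and solving steps described in the video, written without eval, as an added example that is not the presenter's script. It swaps sympy.solve for exact Fraction arithmetic behind an AST whitelist and assumes the server only sends equations that are linear in X; the function names and the sample prompts in the test are constructed.

```python
import ast
from fractions import Fraction

# A linear expression a*X + b is carried as the pair (a, b) of exact Fractions.
def _lin(node):
    """Reduce a whitelisted AST node to (a, b); anything else is rejected."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return Fraction(0), Fraction(str(node.value))
    if isinstance(node, ast.Name) and node.id == "X":
        return Fraction(1), Fraction(0)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        a, b = _lin(node.operand)
        return (-a, -b) if isinstance(node.op, ast.USub) else (a, b)
    if isinstance(node, ast.BinOp):
        (a1, b1), (a2, b2) = _lin(node.left), _lin(node.right)
        if isinstance(node.op, ast.Add):
            return a1 + a2, b1 + b2
        if isinstance(node.op, ast.Sub):
            return a1 - a2, b1 - b2
        # Multiplying stays linear only if one factor has no X term.
        if isinstance(node.op, ast.Mult) and (a1 == 0 or a2 == 0):
            return a1 * b2 + a2 * b1, b1 * b2
        # Dividing stays linear only if the divisor is a nonzero constant.
        if isinstance(node.op, ast.Div) and a2 == 0 and b2 != 0:
            return a1 / b2, b1 / b2
    # Calls, attributes, other names, powers, X*X and so on all end up here.
    raise ValueError("disallowed or non-linear syntax: " + ast.dump(node))

def pick_equation(prompt):
    """Equation is on the first line, or the second when a success line precedes it."""
    lines = prompt.strip("\n").split("\n")
    return lines[1] if "yay" in lines[0].lower() else lines[0]

def solve_for_x(equation):
    """Solve 'left = right' for X and return a float, since the server wants decimals."""
    left, right = equation.split("=")
    (a1, b1), (a2, b2) = (
        _lin(ast.parse(side.strip(), mode="eval").body) for side in (left, right)
    )
    a, b = a1 - a2, b2 - b1          # (a1 - a2) * X = b2 - b1
    if a == 0:
        raise ValueError("X cancels out; no unique solution")
    return float(b / a)

def answer(prompt):
    """String to pass to sendline for one received prompt."""
    return str(solve_for_x(pick_equation(prompt)))
```

Because the server's text is only ever parsed, never executed, a line that is not plain arithmetic in X raises ValueError instead of running.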