Posts tagged with python

redpwnCTF - aall

Posted on June 25, 2020 in ctf-writeups

Challenge

how many layers of vm are you on

like,, maybe 5, or 6 right now my dude

you are like a baby... watch this

nc 2020.redpwnc.tf 31755

We're also given a Python file and a Dockerfile.

Decoding

Looking at the Python file shows that it writes out a file named breakout.aallo and calls exec on a string after base64-decoding and LZMA-decompressing it. We can modify the file to save the executed code to disk instead. The result is a Python script, but all of the variable names are random Unicode characters. Although the Python interpreter is happy to run the code, it's nearly impossible to understand.

Continue Reading

picoCTF 2018 - circuit123

Posted on October 17, 2018 in ctf-writeups

Problem

Can you crack the key to decrypt map2 for us? The key to map1 is 11443513758266689915.

Hint

z3

Solution

Given the problem and the hint, it is clear that we can use z3 to solve this problem. We can create a z3 BitVec and pass it into the verify function to avoid writing a custom decrypter. Because we don't know the length of the bit vector, I used a conservative estimate of 128.

Continue Reading

picoCTF 2018 - Flaskcards and Freedom

Posted on October 12, 2018 in ctf-writeups

Problem

"There seem to be a few more files stored on the flash card server but we can't login. Can you?"

Solution

The site appears to be the same as in the previous Flaskcards challenges, Flaskcards Skeleton Key and Flaskcards.

When we create an account, we are presented with the following screen:

We can try server-side injection. If we type in {{1+1}}, the webpage displays 2. Any value in double brackets is being executed on the server. After trying to find hidden variables, such as config, flag, etc., I decided to look for a remote code execution vulnerability.

Continue Reading