In the question, we are given nc address and the python source code for the server.
https://gist.github.com/aa3bb2f846543954afff657311fed813
Reading through the code, the code give first 3 random number to the user then the user need to enter (guess/predict) the next number(remainder of divide by 10000) that the server generated correctly for 1000 times consecutively.
In PRNG(pseudo random generator) class it generate a random a, b and given p value, also it has state value initialize through object creation. After that function next is to create calculate the next number using the number before. Therefore, the function is a type of linear function. This specific generator are called Linear Congruential Generator(LCG)
https://gist.github.com/fa1afc77ea32143f8f4390208c0c512d
In here, the server will generate random number that will become the seeds of the PRNG object, then it will generate next 3 number and print to users Since it is type of linear function.
p is given in the source code 11760071327054544317, So we need to find a and b to predict/solve the next number. Since we have 2 equation and 2 unknown a and b, we can solve the equation. Here are detail explaination of finding the missing Multiplier and Increment, also contains different ways to crack LCG. Once we find out the a and b, we can find out next number using script below.
https://gist.github.com/5752782d601fc02fdfd56cfc3e1bcab6
By implement some of his code to find a and b then we write the script to answer 1000 consecutive number correctly until it return a flag.
Given APK file SpeedyQuizy.apk
Using online apk decompiler, we can decompile the file.
Inside source code StartQuiz.java, below some snippet of the code
https://gist.github.com/cca286dcd130460695baad1c88c69d1b
We know that it used socket to connect to the server, therefore we can just use nc in terminal to the server www2.wargames.my with port 8080.
In terminal we nc www2.wargames.my 8080
https://gist.github.com/33a059dcdbbf12a0746240ed05ae6987
Typing ok will lead to question
https://gist.github.com/9b2136180b6ac1b07926591900e7a417
But the question are randomly select from a set of question. Therefore we need to fetch some of the question so we can create script to answer it.
Using script below we can fetch some of the question. Credits to H0j3n
https://gist.github.com/77b617fe370682b801b4389d24e1b4d9
Below is list of some of the question
https://gist.github.com/79899fd7fc6540d4329ba550e85de056
Script below will automatically answer the question:
https://gist.github.com/9935f1ec2a31afbd59ae6ae2aadf8e87
Given file nuisance.arc
Open file using HxD to look for signature file, Quick Google of .arc file type signature found 41 72 43 01 which is a FreeArc compress file.
Download FreeArc software, In the software we cannot extract the file due to it is corrupted. But the software has the ability to repair the damaged achive.
After repairing and extract, we still cannot open flag.palm file. So, we did a quick google on .palm file and found some information and it says that the file is an image file of Palm OS Bitmap Image that can be open with application ImageDisk. Download ImageDisk and open the file using it:
Given file bomb.zip. The file is a Zip bomb which contain file that have multiple time been compress. Open it using Winrar
We can see that one of the zip is contains file size and CRC32 that is diffrent, so we just click it to reveal another of the same situation. so we just click all zip file that is different until it reach to flag.txt
The we just extract the flag.txt file, but the file is 2GB. So cannot open with any normal text editor, but HxD can open it, then scroll down to find the flag.
Scoreboard
Thank you, Wargames.my for the competetion & question and thank you my team H0j3n.
Member