# Pwn2Win 2k17: Baby Regex - Misc


# cat regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt
Open your eyes is all that is needing. The heart lies and the head plays tricks with us, but the eyes see true. Look with your eyes. Hear with your ears. Taste with your mouth. Smell with your nose. Feel with your skin. Then comes the thinking, afterward, and in that way <knowing the truth.
>
Open way to combat the horizon effect is to continue search when an otherwise terminal situation is judged to be particularly dynamic. Such heuristic continuation is sometimes called feedover.

The mind which is created quick to love, is responsive to everything that is pleasing, soon as by pleasure it is awakened into activity. Your apprehensive faculty draws an impression from a real object, and unfolds it within you, so that it makes the mind turn thereto. And if, being turned, it inclines towards it, that inclination is love, for don't say blabla; that is nature, which through pleasure is bound anew within you.

Tune up your circuits, check out your Chips

Because you're going to live a Long Life.
Check the identity card, it shows your code.

Listen to the white noise in your ears - it Fades AWAY.

Watching the sunset on the end of the HIGHWAY ---
City meditation in curving reflections of NEON signs on the Chrome of the Cars.
The WeT Concrete and mirrored Streets recall shows the traffic away,
recalls you to the smell of scratching cloudy sheets.
Billboards and Cholo-Ads above are the unfocused bottle of Time.
Drink it away, FLY to the ORBITAL Fly.
Away to drivin' the ocean of blue-green.
Drivin' away to the ocean of green-blue.
# ipython
> import re
> data = open('regexbaby_034fa13e17660024b26b6f570aa6b66bba446e2f837c052f012225190387bafa.txt').read()
> def check(regex):
... print len(regex)
... print re.findall(regex, data)

# "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
> check('(.{7}).+-(.{5})$')
16
[("Drivin'", 'blue.')]

# "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:

# "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:

# "<knowing the truth. >, without using "line break"", with max. "8" chars:
> check('<[^>]+>')
7
['<knowing the truth. \n>']

# "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
> check('(?i)(oPEn)')
10
['Open', 'Open']

# "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
> check('(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s')
36
['unfolds', 'within', 'makes', 'inclines', 'shows']

# "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
> check(' .{32} (.{5})\n')
14
['Chips', 'code.']

# Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
> check('(?P<a>..a)(?P=a)')
16
['bla']
# cat baby_regex.py
from pwn import *
import sys

# keyword found in each question -> answer to send (raw strings, so the
# backslashes reach the server as typed in the ipython session above)
qa = {
    'BONUS': 'cnn',
    'knowing the truth': '<[^>]+>',
    'FLY': r'(?i)(F.y).+\1',
    '[Pa]': '(?P<a>..a)(?P=a)',
    '[Ope-]': '(?i)(oPEn)',
    'Drivin': '(.{7}).+-(.{5})$',
    'unfolds': r'(?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s',
    'Chips': r' .{32} (.{5})\n'
}

nqa = len(qa)

host = '200.136.213.148'
port = 5000

correct = 0

while True:
    r = remote(host, port)

    while True:
        q = r.read(1024)
        print q
        if 'CTF-BR' in q:  # the flag is in the final message
            sys.exit(0)
        for k in qa:
            if k in q:
                a = qa[k]
                print 'Sending... ' + a
                r.sendline(a)
                resp = r.readline()
                if 'Nice, next...' in resp:
                    correct += 1
                    print '[*] OK!', correct
                    print
                break
    r.close()

# python baby_regex.py
Type the regex that capture: "Chips" and "code.", and it is only allowed the letter "c" (insensitive)", with max. "15" chars:
Sending...  .{32} (.{5})\n
[*] OK! 1

Type the regex that capture: "<knowing the truth. >, without using "line break"", with max. "8" chars:
Sending... <[^>]+>
[*] OK! 2

Type the regex that capture: "the only word that repeat itself in the same word, using a group called "a" (and use it!), and the group expression must have a maximum of 3 chars, without using wildcards, plus signal, the word itself or letters different than [Pa]", with max. "16" chars:
Sending... (?P<a>..a)(?P=a)
[*] OK! 3

Type the regex that capture: "All "Open's", without using that word or [Ope-], and no more than one point", with max. "11" chars:
Sending... (?i)(oPEn)
[*] OK! 4

Type the regex that capture: "(BONUS) What's the name of the big american television channel (current days) that matchs with this regex: .(.)\1", with max. "x" chars:
Sending... cnn
[*] OK! 5

Type the regex that capture: "from "Drivin" until the end of phrase, without using any letter, single quotes or wildcards, and capturing "Drivin'" in a group, and "blue." in another", with max. "16" chars:
Sending... (.{7}).+-(.{5})$
[*] OK! 6

Type the regex that capture: "the follow words: "unfolds", "within" (just one time), "makes", "inclines" and "shows" (just one time), without using hyphen, a sequence of letters (two or more) or the words itself", with max. "38" chars:
Sending... (?:\s\S{2}d|t)\s([^F]\w{3,7}[n!s])\s
[*] OK! 7

Type the regex that capture: "FLY until... Fly", without wildcards or the word "fly" and using backreference", with max. "14" chars:
Sending... (?i)(F.y).+\1
[*] OK! 8

CTF-BR{Counterintelligence_wants_you!}

References

https://www.regexpal.com
https://www.debuggex.com

# GynvaelEN mission 018


# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.

Now try with <a href='superadmin.php'>superadmin.php</a>!
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...
_:)
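To make the superadmin.php bug concrete, here is an added Python emulation (not part of the mission or this writeup) of PHP's loose `==` on two strings: both sides looking numeric, such as `0e` followed only by digits, are compared as floats and therefore as 0 == 0. The `_PHP_NUMERIC` pattern is a simplified approximation of PHP's numeric-string rule; `check_strict` shows the type-safe, constant-time comparison that closes the hole.

```python
import hashlib, hmac, re

# Approximation of PHP's numeric-string test (sign, digits, optional exponent).
_PHP_NUMERIC = re.compile(r'^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')

def php_loose_equals(a, b):
    """Emulates PHP's `==` on two strings: when both look numeric they are
    compared as floats, so any '0e<digits>' equals any other (both are 0.0)."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def is_magic_hash(hexdigest):
    """True for a hex digest PHP would read as zero: '0e' followed by digits only."""
    return re.match(r'^0e\d+$', hexdigest) is not None

def check_loose(password, stored):
    # The superadmin.php pattern: hash("sha256", $password) == '0e...'
    return php_loose_equals(hashlib.sha256(password.encode()).hexdigest(), stored)

def check_strict(password, stored):
    # The fix: type-safe, constant-time comparison (PHP: hash_equals(), or at least ===)
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), stored)

# The comparison target quoted from superadmin.php above.
STORED = '0e12345678901234567890123456789012345678901234567890123456789012'
```

A code review check is the same `is_magic_hash` test applied to every hash literal a codebase compares with `==`.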

Source

https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)

References

https://www.whitehatsec.com/blog/magic-hashes/

# GynvaelEN mission 017


import base64

# a cookie of 32 zero bytes
zeros = '\x00'*32
base64.b64encode(zeros)
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

Cookie: mission017session=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

# what the server decrypts the all-zero cookie to: zeros XOR keystream, i.e. the keystream itself
ivencrypted = '927a00302d2e13896de885ece9f3445d2de83b880d2043a6ecc6e8bbb0a831dc'.decode('hex')

# XOR the wanted plaintext with that keystream to build a cookie that decrypts to it
result = ''
new = '{"access_level":"admin"}'
for i in range(len(new)):
    result += chr(ord(new[i]) ^ ord(ivencrypted[i]))

base64.b64encode(result)
'6VhhU05LYPoyhOCajJ9mZw+JX+VkTmHb'

Cookie: mission017session=6VhhU05LYPoyhOCajJ9mZw%2BJX%2BVkTmHb
Decrypted cookie data: {"access_level":"admin"}
Flag: HMAC? What do you mean "HMAC"?
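The flag names the missing piece, so here is an added Python model (not the mission's code) of the cookie scheme: a fixed keystream XORed into the cookie, which the zero-cookie trick above leaks, next to the encrypt-then-MAC version that rejects the same forgery. The keystream, `KEY` and `MAC_KEY` are constructed stand-ins for the server's secrets.

```python
import base64, hashlib, hmac, json

KEY = b'constructed-demo-key'          # stand-in for the server's secret key
MAC_KEY = b'constructed-demo-mac-key'  # separate key for the integrity tag

def keystream(n):
    # Stand-in for the mission's fixed keystream: the same bytes are XORed
    # into every cookie, so decrypting 32 zero bytes hands them to the client.
    out, ctr = b'', 0
    while len(out) < n:
        out += hmac.new(KEY, ctr.to_bytes(4, 'big'), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def decrypt_cookie(cookie_b64):
    """The mission's check: decrypt and trust, with no integrity check."""
    ct = base64.b64decode(cookie_b64)
    return xor(ct, keystream(len(ct)))

def forge_cookie(wanted, leaked_keystream):
    """The writeup's step: XOR the wanted JSON with the leaked keystream."""
    return base64.b64encode(xor(wanted, leaked_keystream)).decode()

def seal_cookie(plaintext):
    """Fix: encrypt-then-MAC, the tag covering the whole ciphertext."""
    ct = xor(plaintext, keystream(len(plaintext)))
    return base64.b64encode(ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()).decode()

def open_cookie(cookie_b64):
    """Returns the plaintext only if the tag verifies, otherwise None."""
    blob = base64.b64decode(cookie_b64)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return xor(ct, keystream(len(ct)))

def demo():
    leaked = decrypt_cookie(base64.b64encode(b'\x00' * 32).decode())
    forged = forge_cookie(b'{"access_level":"admin"}', leaked)
    accepted = json.loads(decrypt_cookie(forged))          # unauthenticated: forgery works
    guessed = base64.b64encode(base64.b64decode(forged) + b'\x00' * 32).decode()
    rejected = open_cookie(guessed)                        # same bytes plus a guessed tag: None
    genuine = open_cookie(seal_cookie(b'{"access_level":"user"}'))  # real cookie still opens
    return accepted, rejected, genuine
```

`demo()` returns the forged cookie's decoded JSON, `None` for the MAC-protected check, and the genuine plaintext for a properly sealed cookie.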

Source

https://www.youtube.com/watch?v=9xGgZUMNl2Y (2:05:00)

References

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

# GynvaelEN mission 016


Wav to image using RX-SSTV

Slow-scan TV is a method to transmit an image over radio using frequency modulation.
This is the partial message that contains the image:

? ? R O N
D I Y M A
U Z ? ? ?
B C K P ?
? ? V W X

Y DHXDMW BQLF KDYNV

Manual decryption

Y D = I A
HX  = ??
DM  = AY
W B = ? P
QL  = ??
F K = ? ?
DY  = IM
NV  = RX

I A??AY? P??? ?AIRX ---> I ALWAYS PLAY FAIRX

Source

https://www.youtube.com/watch?v=locDS3uHv_E (2:03:00)

References

https://en.wikipedia.org/wiki/Slow-scan_television