3 minutes
cherryNo.7
snaptrax
Jade CTF 2022 - SCP
SCP is a misc challenge that was part of the 2022 Jade CTF. We were given multiple sentences to verify against a given pattern to get the flag.
Pattern
$ nc 34.76.206.46 10013
...
My friend speaks in 3 kinds of sentences.
Sentence one is of 3 types:
Begins with "jade" followed by a sentence of type one and
terminates with "ctf"
Begins with "ctf" followed by a sentence of type one and
terminates with "2hard"
Begins with a sentence of type two and ends
Sentence two is of 5 types:
Begins with a sentence of type one followed by a sentence
of type one and ends with a sentence of type two
Begins with a sentence of type one followed by a sentence
of type two and ends with a sentence of type one
Begins with a sentence of type one followed by a sentence
of type two and ends with a sentence of type three
Begins with a sentence of type three and ends
Begins with "jadectf" and ends
Sentence three is of 5 types:
Begins with a sentence of type one followed by a sentence
of type three and ends with a sentence of type one
Begins with a sentence of type two and ends with "2ez"
Begins with "hehe" and ends with a sentence of type one
Begins with "bruh" and ends
Begins with "xD" and ends
Help me figure out whether he is my friend or an alien.
Input format: [friend|alien]
You received: jadebruh2ezbruhbruh
Answer:
Solution
The pattern was written in EBNF.
To solve the challenge, we could write our own parser or use an existing one: lark-parser.
The pattern, in lark format, is the following:
start: sentence
sentence: sentence_1
| sentence_2
| sentence_3
sentence_1 : "jade" sentence_1 "ctf"
| "ctf" sentence_1 "2hard"
| sentence_2
sentence_2 : sentence_1 sentence_1 sentence_2
| sentence_1 sentence_2 sentence_1
| sentence_1 sentence_2 sentence_3
| sentence_3
| "jadectf"
sentence_3 : sentence_1 sentence_3 sentence_1
| sentence_2 "2ez"
| "hehe" sentence_1
| "bruh"
| "xD"
Execution
Final script:
#!/usr/bin/env python3
from lark import Lark
from pwn import remote
l = Lark('''
start: sentence
sentence: sentence_1
| sentence_2
| sentence_3
sentence_1 : "jade" sentence_1 "ctf"
| "ctf" sentence_1 "2hard"
| sentence_2
sentence_2 : sentence_1 sentence_1 sentence_2
| sentence_1 sentence_2 sentence_1
| sentence_1 sentence_2 sentence_3
| sentence_3
| "jadectf"
sentence_3 : sentence_1 sentence_3 sentence_1
| sentence_2 "2ez"
| "hehe" sentence_1
| "bruh"
| "xD"
''')
r = remote("34.76.206.46", 10013)
r.recvuntil(b"[friend|alien]\n")
run = 0
while True:
run += 1
print(f"Run {run}")
r.recvline()
text = r.recvline().decode().strip()
if "received:" not in text:
print(r.recvall())
r.close()
break
msg = text.split(" ")[-1]
print(f"Received: {msg}")
r.recvuntil(b"Answer: ")
try:
l.parse(msg)
print("Valid")
r.sendline(b"friend")
except:
print("Invalid")
r.sendline(b"alien")
Output:
$ ./solve.py
[+] Opening connection to 34.76.206.46 on port 10013: Done
Run 1
Received: jadectfjadejadectfctfjadectfctfctfctfjadebruhctf2hard
2hard2hard2hardctf2hard2hardctfctf2hardctf
Valid
Run 2
Received: jadectfjadejadectfctf2hardctf
Valid
Run 3
Received: jadectfctfjadectf2hard2hardctf
Valid
...
Run 168
Received: ctfctfjadejadejadejadejadectfctfctfctfctf2hard2hard
Valid
Run 169
Received: jadectfctfctfjadectf2hard2hard2hardctf
Valid
Run 170
[+] Receiving all data: Done (24B)
[*] Closed connection to 34.76.206.46 port 10013
b'jadeCTF{p4rs1ng_2eZZZ!}\n'
Flag
The flag is “jadeCTF{p4rs1ng_2eZZZ!}”.