February 22, 2022

🤦🏽‍♀️ One of my pet peeves about CTFs

Something I really hate about certain forms of CTFs that I think has been around forever is when the prompts or questions are written either in a misleading fashion, or (perhaps more likely) simply incorrectly.

Take this prompt I did for a recent CTF:

Anyway, we've started organising the files to try and make sense of them, but they're all locked with a numerical three-digit passcode. See if you can write a script to get into this example file alien.zip and read the text file inside which we think is named whatever the zip is (so in this case alien.txt). Oh, by the way, files should be extracted to the /tmp/ directory.

I literally went from 0-999, and none of those passcodes worked. I also tried different ways of printing the failed passcodes versus a possible working one, just in case I might have missed the output. No dice. So clearly, the answers are not within 000-999. I tried a few hundred 4-digit numbers, then thought that was kind of silly. I'm trying hex digits now, and if that doesn't work, I guess I could try every possible sequence of 3-digit ASCII characters. (Because surely they wouldn't be lying about the 3 digit requirement, right?)

To that end, I'll leave my short little code snippet here, which harkens back to when a senior employee at my last employment once complained that my code was overly long and inefficient. I'm clearly still salty about this.

# Note: The script can time out; if this occurs, try narrowing
# down your search

import zipfile
import itertools, string


file_name = '/tmp/alien.zip'

with zipfile.ZipFile(file_name) as f:
  # for hex, 0xfff == 4095
  for i in range(3000,4096):
    pwd = format(i, 'x').zfill(3)
    try:
       print(f.read('alien.txt', pwd=b"{pwd}"))
    except RuntimeError:
       print(f"{pwd} didn't work")

OK.. but that's not the point of my blog post. My point is, why do people run CTFs this way, especially for one that is supposedly geared for beginners? Is it because there's a lack of practitioners with plain English skills to describe the ask? Is it to emulate that oftentimes a security mission will be confusing and wrong? Because in either case, the resulting lesson a beginner should get out of it is to clarify the ask. It's a bit ridiculous to go out on a mission or produce deliverables on shitty directions.

That being said, there could be some argument for the traditionally esteemed ability to creatively re-interpret directions when it comes to hacking. I dunno, perhaps this is what's being exercised here.

Back to work.

Update:

I actually had a chance to talk with the CTF admins about this, and as it turned out, my original attempt at using a b"{pwd:03}" format was not actually doing what I was hoping it would do.. i.e., it was not a legitimate formatter because it wasn't really a string. So... that explains the hiccup of my original code.
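
The hiccup described in the update, as an added example that is not part of the original post: a bytes literal such as b"{pwd}" is never formatted, so every iteration of the loop sends the same five bytes. The fake_reader stand-in, the passcode 042 and the false-positive 007 are constructed so the example runs without the CTF archive.

```python
import zipfile
import zlib

def buggy_candidates(start=0, stop=1000):
    """What the loop in the post sends: a plain bytes literal, never formatted."""
    for i in range(start, stop):
        pwd = f"{i:03}"          # computed, then ignored by the literal below
        yield b"{pwd}"           # always the 5 bytes {pwd}

def fixed_candidates(start=0, stop=1000):
    """Format as str first, then encode to the bytes that zipfile expects."""
    for i in range(start, stop):
        yield f"{i:03}".encode("ascii")

def find_passcode(read_member, candidates):
    """Return (passcode, data) for the first candidate read_member accepts.

    read_member takes the password as bytes; for a real archive it would be
    lambda pwd: zf.read("alien.txt", pwd=pwd)
    """
    for pwd in candidates:
        try:
            return pwd, read_member(pwd)
        # RuntimeError is zipfile's "Bad password". BadZipFile / zlib.error is a
        # wrong password that passed the one-byte header check and then failed
        # on the CRC or while inflating; the post's loop would crash on it.
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue
    return None, None

def fake_reader(secret, false_positive):
    """Constructed stand-in for ZipFile.read (no real archive needed)."""
    def read(pwd):
        if pwd == secret:
            return b"constructed sample text"
        if pwd == false_positive:
            raise zipfile.BadZipFile("Bad CRC-32 for file 'alien.txt'")
        raise RuntimeError("Bad password for file 'alien.txt'")
    return read

if __name__ == "__main__":
    reader = fake_reader(secret=b"042", false_positive=b"007")
    print(len(set(buggy_candidates())))                # distinct passwords tried
    print(find_passcode(reader, buggy_candidates()))   # never matches
    print(find_passcode(reader, fixed_candidates()))   # finds the constructed passcode
```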