EASYCTF - Little Language
21 Feb 2018I want root access to this special programming portal, and this file is my only clue. Maybe the password is inside? Even if it is, I’m not sure how to enter it. nc c1.easyctf.com 12480 Oh! Almost forgot… this might help.
For this challenge, we’ve been given an image: encrypted.png.
The instructions say that the password might be in it… When using strings on the picture, we get the following text:
note: the password is l7&4C&Cg
Also on the picture, we can see a pseudo mathematical expression with the followings:
- FLAG
- E(username) = root
- E(password) = REDACTED
In the instructions, we can find a link to a page with the following expression written on it:
S : E { ExpS $1 }
| global var '=' E { GlobalVarS $2 $4 }
Seems like a parsing expression grammar…
The goal of this challenge is to connect to the c1.easyctf.com server and get the flag.
When we connect to the server, it displays the following output :
ctflang commands begin with “:” (try :help)
:help gives us a little help saying that :
:helpshow this message:endstop current multi-line parse:qexit- note: certain language features only available to root users
The goal is clear : we have to login with username root and password l7&4C&Cg.
First, we can try a simple 1 + 1 which give us the output 2.
Good news ! Our expression is interpreted.
Then if we try username = "root", we get the following message : Could not evaluate statement or expression to a value.
So let’s try global username = "root" ! No error message…
Then entering username give us the output : "root".
It works the same with : global password = "l7&4C&Cg".
So we can try to print the flag with the command : flag.
Unfortunately it gives us the previous error message.
But if we try again username = "root", instead of an error message, we get a Yas !
Let’s try with password = "l7&4C&Cg" : and again we get a Yas !
Finally we just need to enter the command : flag to print the flag : EasyCTF{5m4ll_573p_53m4n71c5_4r3_fun_r16h7?}
