Python 1

Prompt

We have created a python script for you to break into as training. See if you can figure out a password that will authenticate with the program. Note: The password cannot contain special characters.

PYTHON1.py (0.3 KB)
#!/usr/bin/python

import sys

def main():
  if len(sys.argv) != 2:
    print("Invalid args")
    return
  password = sys.argv[1]
  builder = 0
  for c in password:
    builder += ord(c)
  if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
    print("correct")
  else:
    print("incorrect")

if __name__ == "__main__":
  main()

Walk-Through

This challenge involves analyzing the weaknesses of a poorly implemented password verification function.

Using a terminal, you can get a better understanding of the code by entering your own submissions. Create a file named python1.py. Copy the code provided in the code window on the platform and paste into the new file using your mouse. Save the file. Then enter python python1.py on the command line to run the program.


Please note that this code is using Python 2.7. If you try to edit or run this program on your own terminal, you may need to change the syntax of the code to get it to work, or run Python 2.7 in its own virtual environment.

Guide

This guide will review the lines of the main function in order to better understand how to get the correct password, or ‘secret key’— as referred to in the question— that can pass validation. For this challenge, we want to get the output “correct” to print after running the program.

Below are lines 5-8, the first few lines of the main function. Line 6 checks whether the length of sys.argv is not equal to 2. This means that there need to be exactly 2 entries stored in sys.argv. If there aren’t two, the program prints “Invalid args” and ends.

def main():
  if len(sys.argv) != 2:
    print("Invalid args")
    return

Let's temporarily add a line to our program that allows us to see what is contained in sys.argv.

print(sys.argv)

Add the line print(sys.argv) right above the ‘if’ statement on line 6.

Watch the Tutorial Video below or query the web to learn more about sys.argv.

This is the output of the program after adding the print line. We can tell that sys.argv[0] is the script’s name. [0] often refers to the first element in a list or array. To provide new elements to the list, type them after the program name when running the program via the command line.

Line 9 in the main function takes a new variable, password, and makes it equal to sys.argv[1]— this is the new element that is supplied when calling the program. On the next line, a new variable, builder, is set to zero before lines 11 and 12, where a ‘for’ loop takes each character of password, converts it with ord to its Unicode code point, and adds that number to builder.

  password = sys.argv[1]
  builder = 0
  for c in password:
    builder += ord(c)

Let's temporarily add a few lines to our program that allow us to see how ord works with the elements we enter for sys.argv[1]. Add value=ord(c) below line 11, and add a print line at the end of the ‘for’ loop. It should look similar to the following:

  for c in password:
    value = ord(c)
    builder += ord(c)
    print("Added {} (ord('{}')), builder is now {}".format(value, c, builder))

The Python version used is 2.7, therefore newer syntax might not be supported.

Let's test our code to verify what’s happening.

builder increments each time by the ASCII/Unicode value of the character entered.

Understanding lines 13-14 is going to help us determine what to enter for the ‘password’, since line 14 will print “correct” only if all of the conditions in line 13 are met. First, builder will need to add up to exactly 1000. Next, the length of password, or the number of characters in password, must equal 10, and the Unicode value of the second character in password must equal 83.

  if builder == 1000 and len(password) == 10 and ord(password[1]) == 83:
    print("correct")
  else:
    print("incorrect")

Let's use the command line to determine which ASCII character the value 83 is. Enter the following:

printf "\\$(printf '%o' 83)\n"
83 is Unicode for the capital letter “S”

Now we need an easy way to solve for the rest of the characters. We know that one of the characters is 83. The remaining characters are then equal to 917 (1000-83=917).

Unfortunately, 917 isn’t divisible by 9 evenly (917/9=101.899), but 8 characters could equal 101 and the last character could equal the remainder.

The only remaining task is to look up what ASCII character the numbers translate to and make sure that none of the characters used in the password are symbols.

This answer has been partially redacted. Be sure that the second character in your answer is a capital “S”

This is one path to solve for the password, but it is certainly not the only path. A variety of answers are accepted for this challenge.
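As an added example that is not part of the challenge or the walk-through, the Python 3 script below lifts the line-13 conditions into a function, generalises the even-split method above (one repeated character plus a remainder character), counts with dynamic programming how many alphanumeric passwords the check accepts, and contrasts it with a salted, constant-time hash comparison. The function names and the salt are assumptions made for this example.

```python
import hashlib
import hmac
import string

ALNUM = string.ascii_letters + string.digits  # "no special characters" in the prompt

def weak_check(password):
    """The challenge's line-13 conditions, lifted into a function."""
    builder = sum(ord(c) for c in password)
    return builder == 1000 and len(password) == 10 and ord(password[1]) == 83

def build_candidate(target=1000, length=10, fixed=(1, "S")):
    """Generalises the walk-through's method: one repeated character carries the
    even share of the remaining sum and the last free slot absorbs the remainder
    (917 = 8*101 + 109 for the challenge). Returns None if that needs a symbol."""
    pos, ch = fixed
    free = length - 1
    base, rem = divmod(target - ord(ch), free)
    chars = [chr(base)] * (free - 1) + [chr(base + rem)]
    if any(c not in ALNUM for c in chars):
        return None
    chars.insert(pos, ch)
    return "".join(chars)

def count_collisions(target=1000, length=10, fixed=(1, "S"), alphabet=ALNUM):
    """Dynamic programming over the running sum: how many alphabet-only strings
    does the weak check accept? A sum is not a hash, so the answer is enormous."""
    remaining = target - ord(fixed[1])
    ways = {0: 1}                       # running sum -> number of prefixes
    for _ in range(length - 1):
        nxt = {}
        for s, n in ways.items():
            for c in alphabet:
                t = s + ord(c)
                if t <= remaining:
                    nxt[t] = nxt.get(t, 0) + n
        ways = nxt
    return ways.get(remaining, 0)

SALT = b"constructed-demo-salt"          # constructed value; use a random per-secret salt

def make_verifier(secret):
    """Hardened form: compare a salted PBKDF2 digest in constant time, so only the
    exact secret passes and the stored digest reveals nothing about its characters."""
    expected = hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)
    def check(candidate):
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
        return hmac.compare_digest(expected, got)
    return check
```

Running build_candidate() reproduces the walk-through's password, and count_collisions() shows why any permutation of its characters, and millions of unrelated strings, pass the original check while failing the hashed one.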

Tutorial Video

Cyber Skyline Live - Code Reverse Engineering Basics - March 10, 2022

In Cyber Skyline Live - Code Reverse Engineering Basics, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to analyze source code and bypass basic authentication mechanisms. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.


Questions

1. What is a secret key that will pass validation?

This can be solved by finding a string of length 10 whose ASCII values sum to 1000 and which has an S (ASCII code 83) as the second character. The other nine characters in the string can be any combination of characters whose ASCII values sum to 917 (the remaining sum after accounting for the necessary S character).

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.