Sharpturn Writeup
CSAW 2015

This challenge came in a compressed tar file (tar xvf <filename>). After the decompression the directory structure was reminiscent of a .git folder in a git repository.

  • sharpturn
    • description
    • objects/
      • ef/da2f556de36b9e9e1d62417c5f282d8961e2f8
      • ...
    • refs/
      • tags
      • heads/master
    • hooks/
      • ...
    • ...

To begin, I did a quick git log command, which listed the commit history. The two interesting commits were “All done now! Should calculate the flag..assuming everything went okay.” and “There’s only two factors. Don’t let your calculator lie.” Interesting.

Further investigation with git fsck (along with the challenge text – “I think my SATA controller is dying.”) revealed there were several git objects compromised. According to several stack overflow answers, this meant that the sha1 hash of the contents of the objects appended with blob [filesize]\0 did not match the file name.

Using git cat-file -p master^{tree} and git cat-file -p <filename>, I was able to print the files stored in the git objects. This yielded two files, Makefile and sharp.cpp. The C++ file took a series of inputs printed a sha1 hash inside flag{}. That looks promising.

Most of the inputs to the program were clear. “Input 51337”, “Input the two prime factors of the number 270031727027”, “Enter flag” (which I took literally), and “C.R.E.A.M. Get da _____” from youtube video from Wu-Tang Clan. However, 270031727027 had 6 factors including itself and 1. Additionally, where it was supposed to print the flag it said &lag instead of flag. Therefore, I assumed that a digit could be off somewhere. I wrote a script to cycle through all possible values for the number and check if it was a semiprime number.

I used pwntools (probably overkill) to run the compiled (g++ sharp.cpp -o sharp -lcrypto) C++ program and check the flags hashes outputted. Unfortunately, this didn’t work, but someone pointed out that “51337” was probably “31337” (duh – whoops).

Final Inputs:
- flag
- 31337
- money
- 31357 (273031727027 was the right number)
- 8675311

Written by on