Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.

Challenge Prompt

Can You Math It?
Miscellaneous

Solves (25) - 313 Points

Can you solve 100 math equations?

What if you only have 5 seconds to solve each?

Server source code available here

[This is a scripting challenge. You are expected to write a script to solve it.]

Connect to the challenge at nc challs.sieberrsec.tech 29079

Solution

The source code is given but is really not required. Just useful to verify that the math challenges provided aren’t too crazy.

from time import time, sleep
from random import randint, choice

operations = ('+', '-', '*', '/')

def givechal():
# generate and solve equation, return both question and answer
challenge = str(randint(1, 999)) + ' ' + choice(operations) + ' ' + str(randint(1, 999)) + ' ' + choice(operations) + ' ' + str(randint(1, 999))
result = int(eval(challenge))
return challenge, result

def main():
# intro
print('Can You Math It?')
sleep(1) # add some arbitrary delay
print('You have 5 seconds to answer each question')
print('You have 100 questions to solve')
print('Good luck')
sleep(1)
for i in range(100):
challenge, result = givechal() # generate and store question and answer
print('Solve ', challenge, ' :') # show the question
start = time() # start a timer
timetaken = time() - start # stop timer, calculate time taken
if timetaken < 5 and answer == str(result): # if within time limit and correct answer
print('Correct!')
print('Next question')
elif timetaken > 5: # if more than 5 secs taken
print('Took longer than 5 seconds')
exit()
exit()
print('Congratulations! You CAN math it')
print('The flag is IRS{FLAG_REDACTED}') # the flag goes here

if __name__ == '__main__':
main() # run the program

Pwntools offers the safeeval utility to safely evaluate expressions. We can use this to solve the script without fear of shenanigans.

#!/usr/bin/env python

from pwn import *

# context.log_level = 'debug'

def main():
p = remote('challs.sieberrsec.tech', 29079)

for i in range(100):
p.recvuntil(b'Solve  ')
challenge = p.recvuntil(b':')[:-1].strip()
solution = int(util.safeeval.expr(challenge))
p.sendline(str(solution).encode())
log.info('Challenge {}: {} = {}'.format(i, challenge.decode(), solution))

p.recvuntil(b'Congratulations! You CAN math it\n')
log.success(p.recvline())

if __name__ == '__main__':
main()

Running the script yields the flag:

\$ python exploit.py
[+] Opening connection to challs.sieberrsec.tech on port 29079: Done
[*] Challenge 0: 360 / 510 / 350 = 0
[*] Challenge 1: 845 - 303 / 294 = 843
[*] Challenge 2: 814 * 232 - 427 = 188421
[*] Challenge 3: 924 / 510 - 714 = -712
[*] Challenge 4: 941 + 367 - 712 = 596
[*] Challenge 5: 772 / 294 + 734 = 736
[*] Challenge 6: 86 * 323 / 191 = 145
[*] Challenge 7: 189 / 532 + 830 = 830
[*] Challenge 8: 473 / 788 - 500 = -499
[*] Challenge 9: 639 * 889 * 190 = 107933490
[*] Challenge 10: 611 / 508 / 240 = 0
...
[*] Challenge 94: 698 * 558 - 118 = 389366
[*] Challenge 95: 922 - 815 + 252 = 359
[*] Challenge 96: 82 * 147 - 947 = 11107
[*] Challenge 97: 719 / 91 * 360 = 2844
[*] Challenge 98: 444 - 463 - 478 = -497
[*] Challenge 99: 104 - 284 / 650 = 103
[+] The flag is IRS{4f2cd85d0a9f32f4}

Flag: IRS{4f2cd85d0a9f32f4}

Tags:

Updated: