Knight Squad Blog

Keygen Walk-through (SHELL CTF)

Posted on by Maruf Bin Murtuza

Hey everyone!
It’s Maruf here, back again to solve another challenge from SHELL CTF with you. But this time we are going to solve a reverse engineering challenge together.

The challenge name is “Keygen”.

We got nothing but a Python script to solve the challenge. And we need to reverse engineer the script to get the flag.

So, let’s get started.
Here is the code that we need to reverse:

def checkends(password):
    end_status = 0
    if password[:6] == "SHELL{":
        end_status = 1
    if password[28] == "}":
        end_status = 1
    return end_status

def checkmiddle1(password):
    middle1_status = 0
    if password[27] == "1"  and password[17] == "4" and password[8] == "n" and password[23] == "y" and password[10] == "0":
        middle1_status = 1
    if password[11] == "n" and password[12] == "z" and password[13] == "a" and password[21] == "g" and password[15] == "u":
        middle1_status = 1
    if password[16] == "r"and password[7] == "3" :
        middle1_status = 1
    return middle1_status

def checkmiddle2(password):
    middle2_status = 0
    if password[18] == "_" and password[25] == "5" and password[20] == "4" and password[14] == "k" and password[22] == "3" and password[9] == "b"  and password[24] ==  "0":
        middle2_status = 1
    if  password[19] == "k" and password[26] == "h" and password[6] == "s" :
        middle2_status = 1
    return middle2_status
    
a = input("enter your flag: ")
if checkends(a) == 1 and checkmiddle1(a) == 1 and checkmiddle2(a) == 1:
    print("congrats thats the flag.")
else:
    print("Wrong flag.")

Here in the code, we can see that we have three functions. They are:

  • checkends
  • checkmiddle1
  • checkmiddle2

Here in the script, we can see that, the script will ask us to input the flag. And if we input the right flag, it will return us “congrats thats the flag.”. Otherwise we’ll get the “Wrong flag.” message.

In the code we have an array named “password” and its length is 28. And most importantly, this is the array where the program will store our input.

def checkends(password):
    end_status = 0
    if password[:6] == "SHELL{":
        end_status = 1
    if password[28] == "}":
        end_status = 1
    return end_status

Here we can see that, the first function of that script checks for the first six index and the 28th index.

So, if our input contain “SHELL{” at first six index (0 to 5) and “}” in the “}” at the 28th index it will return 1 and pass our input to the second function.

def checkmiddle1(password):
    middle1_status = 0
    if password[27] == "1"  and password[17] == "4" and password[8] == "n" and password[23] == "y" and password[10] == "0":
        middle1_status = 1
    if password[11] == "n" and password[12] == "z" and password[13] == "a" and password[21] == "g" and password[15] == "u":
        middle1_status = 1
    if password[16] == "r"and password[7] == "3" :
        middle1_status = 1
    return middle1_status

Here in the second function, we can see that, the script will check that whether our input have,

  • “1” in 27th
  • “4” in 17th
  • “n” at 8th
  • “y” at 23rd
  • “0” at 10th
  • “n” at 11th
  • “z” at 12th
  • “a” at 13th
  • “g” at 21st
  • “u” at 15th
  • “r” at 16th
  • “3” at 7th index

If yes, then it will pass our input to the third function.

def checkmiddle2(password):
    middle2_status = 0
    if password[18] == "_" and password[25] == "5" and password[20] == "4" and password[14] == "k" and password[22] == "3" and password[9] == "b"  and password[24] ==  "0":
        middle2_status = 1
    if  password[19] == "k" and password[26] == "h" and password[6] == "s" :
        middle2_status = 1
    return middle2_status

This function will check if our input contains,

  • “_” at 18th
  • “5” at 25th
  • “4” at 20th
  • “k” at 14th
  • “3” at 22nd
  • “b” at 9th
  • “0” at 24th
  • “k” at 19th
  • “h” at 26th
  • “s” at 6th index

So, here from after reviewing all the three functions of the script, we can get that if we want the “congrats thats the flag.” message, the “password” array should be like this:

password[28] = [S,H,E,L,L,{,s,3,n,b,0,n,z,a,k,u,r,4,_,k,4,g,3,y,0,5,h,1,}]

That means, our input should be:

SHELL{s3nb0nzakur4_k4g3y05h1}

So, let’s check if we are right or wrong.

Here I’ve downloaded the script so let’s show you the script at first.

And now let’s check if the flag works or not.

And yes, as you can see, it works!

That was easy, right?

Let us know your feedback about that challenge whether it was too easy or a bit harder or anything else.

And stay with us for more CTF writeups . We’ll be back soon…

Till then, take care of yourself and your family.

Happy Hacking…