You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

185 lines
5.5 KiB

  1. +++
  2. title = "STM CTF 2021 Ear To Ear Coding Writeup"
  3. date = "2021-10-25T09:49:22+02:00"
  4. author = "Yigit Colakoglu"
  5. authorTwitter = "theFr1nge"
  6. cover = ""
  7. tags = ["ctf", "coding", "numpy", "stmctf2021"]
  8. keywords = ["ctf", "cybersecurity", "coding", "python"]
  9. description = "The writeup to the Ear to Ear coding challenge on STM CTF 2021"
  10. showFullContent = false
  11. +++
  12. For the challenge, we are given a web server that provides the json data:
  13. ```json
  14. {
  15. "word": "hidden",
  16. "sequence": "938658411126141947251193886"
  17. }
  18. ```
  19. The server also has an endpoint where you can submit an answer and the server
  20. would respond with the flag. We are also given a file, called *vectors.txt*
  21. that contains one word, and a set of signed decimal numbers. You can download
  22. the file [here](https://yeetstore.s3.eu-central-1.amazonaws.com/vectors.txt)
  23. OK, that is a cryptic question, thankfully the creators of the question
  24. realized this and provided a hint.
  25. > Each vector represents the corresponding word in a vector space where the
  26. > similar words are closer to each other. You can use the cosine distances
  27. > between vectors to find the nth most similar words. You are given a sequence
  28. > of numbers and a word as a starting point. To find the flag, you need to
  29. > traverse the words using the nth most similar words, based on the given
  30. > sequence.
  31. >
  32. > Dummy Example (Similar words are chosen randomly, for demonstration): Word:
  33. > Apple Sequence: 213 The 2nd most similar word of 'apple' -> 'pie' The 1st
  34. > most similar word of 'pie' -> 'cake' The 3rd most similar word of 'cake' ->
  35. > 'chocolate' Send chocolate to api to retrieve the flag.
  36. Now that we know what the question is about, it is actually pretty easy. All we
  37. need to do is save each vector on a numpy array, and compare the vector of the
  38. word that is provided to us on the web server with every single vector and get
  39. the n+1th vector that has the smallest distance with the word(because the
  40. closest neighbour to the word would be itself). Lucky for us, we can calculate
  41. the cosine distance if each vector in two matrices using the
  42. (scipy.spatial.distance)[https://docs.scipy.org/doc/scipy/reference/spatial.distance.html]
  43. and numpy's
  44. (argsort)[https://numpy.org/doc/stable/reference/generated/numpy.argsort.html].
  45. Here is the function that return's n'th closest neighbour to a vector in a vector space.
  46. ```py
  47. def getnclosest(v,n):
  48. distances = distance.cdist([v], vectors, 'cosine')
  49. p = np.argsort(distances)
  50. return p[0][n-1]
  51. ```
  52. Now that we have the basic function, we can easily write some wrapper code that will allow us to
  53. find the resulting word. Here is the full code that should do that:
  54. ```py
  55. from scipy.spatial import distance
  56. from tqdm import tqdm
  57. import numpy as np
  58. def vectortostr(vec):
  59. vs = ""
  60. for i in range(len(vec)):
  61. vs += str(vec[i])
  62. if i != len(vec) - 1:
  63. vs += " "
  64. return vs
  65. f = open("vectors.txt", "r")
  66. l1 = f.readline()
  67. y = int(l1.split(" ")[0])
  68. x = int(l1.split(" ")[1])
  69. vectors = [None]*y
  70. wordvectormap = {}
  71. vectorwordmap = {}
  72. print("[INFO]: Loading vectors from file.")
  73. for i in tqdm(range(y)):
  74. newlist = [None]*(x)
  75. l = f.readline().split(" ")
  76. for j in range(1,x+1):
  77. newlist[j-1] = float(l[j])
  78. vectors[i] = newlist
  79. wordvectormap[l[0]] = newlist
  80. vectorwordmap[vectortostr(newlist)] = l[0]
  81. vectors = np.array(vectors)
  82. print("[INFO]: Done loading vectors. Dropping you into a shell")
  83. def getnclosest(v,n):
  84. distances = distance.cdist([v], vectors, 'cosine')
  85. np.fill_diagonal(distances, np.inf)
  86. return p[0][n-1]
  87. cmd = 0
  88. while cmd != "exit":
  89. try:
  90. cmd = input(">> ")
  91. cmdparts = cmd.split(" ")
  92. if cmdparts[0] == "search":
  93. vector = [None]*(x)
  94. for i in range(1, x+1):
  95. vector[i-1] = float(cmdparts[i])
  96. dist, index = tree.query(vector, k=[int(cmdparts[-1])])
  97. v = tree.data[index][0]
  98. print(vectorwordmap[vectortostr(v)])
  99. elif cmdparts[0] == "eartoear":
  100. w = cmdparts[1]
  101. vector = np.array(wordvectormap[w])
  102. sequence = cmdparts[2]
  103. print("START: " + w)
  104. for i in sequence:
  105. cindex = getnclosest(vector, int(i)+1)
  106. vector = vectors[cindex]
  107. w = vectorwordmap[vectortostr(vector)]
  108. print("END: " + w)
  109. except KeyboardInterrupt:
  110. break
  111. except Exception as e:
  112. print(str(e))
  113. print("\nBye Bye")
  114. ```
  115. When we run the code, here is the result:
  116. ```
  117. [INFO]: Loading vectors from file.
  118. 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1193514/1193514 [00:10<00:00, 112756.85it/s]
  119. [INFO]: Done loading vectors. Dropping you into a shell
  120. >> eartoear hidden 938658411126141947251193886
  121. START: hidden
  122. brings, 9
  123. gives, 3
  124. could, 8
  125. n't, 6
  126. if, 5
  127. know, 8
  128. n't, 4
  129. think, 1
  130. n't, 1
  131. think, 1
  132. know, 2
  133. mean, 6
  134. know, 1
  135. n't, 4
  136. think, 1
  137. either, 9
  138. unless, 4
  139. because, 7
  140. means, 2
  141. everything, 5
  142. something, 1
  143. everything, 1
  144. means, 9
  145. unless, 3
  146. matter, 8
  147. difference, 8
  148. reasons, 6
  149. END: reasons
  150. >>
  151. ```
  152. And after we submit, we get the flag: `STMCTF{Je0pardy_w@ts0n}`. Nice!