Created
December 1, 2019 18:16
This script was written to solve the Based challenge from PicoCTF 2019.
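<#
.Synopsis
Solves the Based challenge from PicoCTF 2019.

.Description
This script was written to solve the Based challenge from PicoCTF 2019.
This script connects to a target computer and port and converts the output from Base2, Base8, and Base16.
It establishes a tcp connection, answers the questions and returns the flag for this challenge.

Everything received from the server is treated as untrusted input: reads are
bounded in size and time, every encoded token is validated before it is
converted, and control characters are masked before server text is echoed to
the verbose stream.

.Parameter computer
Host name of the challenge server.

.Parameter port
TCP port of the challenge service.

.Parameter Encoding
Encoding used for text received from and sent to the server. Defaults to ASCII.

.Outputs
System.String. The text the server sends after the third answer.
#>
[cmdletbinding()]
param(
    [string]$computer = '2019shell1.picoctf.com',
    $port = '44303',
    [System.Text.Encoding]$Encoding = [System.Text.Encoding]::ASCII
)

#region helpers

# Upper bounds so a silent or misbehaving peer cannot hang the script or make
# it buffer an unbounded amount of data.
$timeoutMs = 30000
$maxPromptBytes = 65536

# Every prompt parsed below ends its payload with this marker.
$promptMarker = ' as a word'

# Token shapes accepted per base. Checking the shape first turns an unexpected
# prompt into a clear error instead of an opaque conversion exception.
$tokenPattern = @{
    2  = '^[01]+$'
    8  = '^[0-7]+$'
    16 = '^[0-9a-f]{1,2}$'
}

# Reads from the stream until $Until has been seen (or, when $Until is empty,
# until one chunk has arrived) and no further data is pending.
# A single Read() is not guaranteed to return a whole prompt, because TCP may
# deliver it in several segments.
function Read-ServerText {
    param(
        [System.Net.Sockets.NetworkStream]$Stream,
        [byte[]]$Buffer,
        [System.Text.Encoding]$Encoding,
        [string]$Until,
        [int]$MaxBytes
    )

    $received = New-Object -TypeName System.IO.MemoryStream
    $text = ''
    $complete = $false
    try {
        do {
            $count = $Stream.Read($Buffer, 0, $Buffer.Length)
            if ($count -le 0) {
                # Read() returning 0 means the remote side closed the connection.
                break
            }
            $received.Write($Buffer, 0, $count)
            if ($received.Length -gt $MaxBytes) {
                throw "Server sent more than $MaxBytes bytes without completing a prompt."
            }
            # Decode the accumulated bytes rather than each chunk so a multi-byte
            # character split across two reads is still decoded correctly.
            $text = $Encoding.GetString($received.ToArray())
            $complete = (-not $Until) -or
                ($text.IndexOf($Until, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
        } while ($Stream.DataAvailable -or (-not $complete))

        if ($received.Length -eq 0) {
            throw 'Connection closed by the server before any data was received.'
        }
        if (-not $complete) {
            throw 'Connection closed by the server before the prompt was complete.'
        }
        $text
    }
    finally {
        $received.Dispose()
    }
}

# Masks control characters (tab, CR and LF are kept) so server-controlled text
# cannot send escape sequences to the terminal when it is displayed.
function Format-ForDisplay {
    param([string]$Text)
    $Text -replace '[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]', '?'
}

# Extracts the encoded payload that sits between $Prefix and ' as a word'.
function Get-PromptPayload {
    param([string]$Prompt, [string]$Prefix)
    ((($Prompt -split $Prefix)[-1] -split ' as a word')[0]).Trim()
}

# Converts tokens written in the given base to characters and joins them into a word.
function ConvertFrom-EncodedToken {
    param([string[]]$Token, [int]$Base, [string]$Pattern)

    if (-not $Token) {
        throw "No base$Base data found in the server prompt."
    }
    $chars = foreach ($item in $Token) {
        if ($item -notmatch $Pattern) {
            throw "Unexpected base$Base token '$(Format-ForDisplay $item)' in the server prompt."
        }
        [char]([convert]::ToInt32($item, $Base))
    }
    -join $chars
}

#endregion helpers

$Client = $null
$Stream = $null
$Writer = $null
try {
    #region connection setup
    $Client = New-Object -TypeName System.Net.Sockets.TcpClient
    $Client.ReceiveTimeout = $timeoutMs
    $Client.SendTimeout = $timeoutMs
    $Client.Connect($computer, $port)
    $Stream = $Client.GetStream()
    # leaveOpen is $true, so the stream is disposed separately in the finally block
    $Writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList $Stream, $Encoding, $Client.SendBufferSize, $true
    # script hangs if you don't enable autoflush
    $Writer.AutoFlush = $true
    $Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize
    #endregion connection setup

    #region convert Base 2 and send response
    $Result = Read-ServerText -Stream $Stream -Buffer $Buffer -Encoding $Encoding -Until $promptMarker -MaxBytes $maxPromptBytes
    Write-Verbose (Format-ForDisplay $Result) -Verbose
    # the base2 data is a space-separated list of binary numbers
    $base2 = Get-PromptPayload -Prompt $Result -Prefix 'Please give the '
    # empty tokens (repeated spaces) are dropped, as in the Base8 step
    $answer = ConvertFrom-EncodedToken -Token ($base2 -split ' ' | Where-Object { $_ }) -Base 2 -Pattern $tokenPattern[2]
    Write-Verbose "Sending Answer: $(Format-ForDisplay $answer)" -Verbose
    $Writer.WriteLine($answer)
    #endregion convert Base 2 and send response

    #region convert Base8 and send the response
    $Result = Read-ServerText -Stream $Stream -Buffer $Buffer -Encoding $Encoding -Until $promptMarker -MaxBytes $maxPromptBytes
    Write-Verbose (Format-ForDisplay $Result) -Verbose
    $base8 = Get-PromptPayload -Prompt $Result -Prefix 'the '
    $answer = ConvertFrom-EncodedToken -Token ($base8 -split ' ' | Where-Object { $_ }) -Base 8 -Pattern $tokenPattern[8]
    Write-Verbose "Sending Answer: $(Format-ForDisplay $answer)" -Verbose
    $Writer.WriteLine($answer)
    #endregion

    #region Convert Base16 and send response
    $Result = Read-ServerText -Stream $Stream -Buffer $Buffer -Encoding $Encoding -Until $promptMarker -MaxBytes $maxPromptBytes
    Write-Verbose (Format-ForDisplay $Result) -Verbose
    $base16 = Get-PromptPayload -Prompt $Result -Prefix 'the '
    # using some magic found on https://blogs.msdn.microsoft.com/timid/2013/10/04/splitting-a-hex-encoded-string-into-pairs-of-hex-characters-a-k-a-to-pull-a-noah/
    # The hex string has no spaces; splitting on '(..)' turns 5423 into 54 23 so
    # each pair can be converted from hex to ASCII
    $answer = ConvertFrom-EncodedToken -Token ($base16 -split '(..)' | Where-Object { $_ }) -Base 16 -Pattern $tokenPattern[16]
    Write-Verbose "Sending answer $(Format-ForDisplay $answer)" -Verbose
    $Writer.WriteLine($answer)
    #endregion

    # Get Key and display result :)
    # No terminator for the last message is known here, so this reads one chunk
    # plus whatever else is already pending.
    $Result = Read-ServerText -Stream $Stream -Buffer $Buffer -Encoding $Encoding -Until '' -MaxBytes $maxPromptBytes
    # Emitted unmodified so callers capture exactly what the server sent; it is
    # still remote-controlled text, so treat it as data, never as a command.
    "$Result"
}
finally {
    #region cleanup
    # Runs on failure as well, so the socket is released even when a prompt
    # cannot be parsed or the connection drops.
    if ($Writer) { $Writer.Dispose() }
    if ($Stream) { $Stream.Dispose() }
    if ($Client) { $Client.Dispose() }
    #endregion cleanup
}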