Welcome to my series of writeups for n00bzunit3d 2024 capture-the-flag competition. In this post, we look at the misc/addition challenge. First, let’s look at the challenge. The challenge runs on a server and requires to connect remotely to access the challenge. The server code is provided and is given below.



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

 
import time
import random

questions = int(input("how many questions do you want to answer? "))

for i in range(questions):
    a = random.randint(0, 10)
    b = random.randint(0, 10)

    yourans = int(input("what is " + str(a) + ' + ' + str(b) + ' = '))

    print("calculating")

    totaltime = pow(2, i)

    print('.')
    time.sleep(totaltime / 3)
    print('.')
    time.sleep(totaltime / 3)
    print('.')
    time.sleep(totaltime / 3)

    if yourans != a + b:
        print("You made my little brother cry 😭")
        exit(69)

f = open('/flag.txt', 'r')
flag = f.read()
print(flag[:questions])

The challenge asks the number of questions n the user wants to solve and then asks n addition question. Between each question, the program sleeps for 2^i second after answering the ith question and returns the first n characters of the flag at the end after answering all questions correctly. Getting a the flag the conventional way would take hours (if not days) depending on the length of the flag. We need to figure out a way around it.

We see that the program loops in range(questions) where questions is the number of questions we wish to answer. Since range(n) iterates only from 0 to n-1, giving a negative number will completely skip over the loop and directly gives us the flag.

how many questions do you want to answer?
Sending input: -1    
  p.sendline(f'{num}')
n00bz{REDACTED}