[SECCON Beginners CTF 2020] ghost

A program written by a ghost 👻

  • chall.gs
    /flag 64 string def
    /output 8 string def
    (%stdin) (r) file flag readline not { (I/O Error\n) print quit } if
    0 1 2 index length {
        1 index 1 add 3 index 3 index get xor mul
        1 463 { 1 index mul 64711 mod } repeat
        exch pop dup output cvs print ( ) print
        128 mod 1 add exch 1 add exch
    } repeat
    (\n) print
    quit
  • output.txt
    3417 61039 39615 14756 10315 49836 44840 20086 18149 31454 35718 44949 4715 22725 62312 18726 47196 54518 2667 44346 55284 5240 32181 61722 6447 38218 6033 32270 51128 6112 22332 60338 14994 44529 25059 61829 52094 

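Write-up

A Ghostscript challenge.
After running it a few times with gs, it looked like the input could be determined by brute-forcing one character at a time from the front, so I did that.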

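#!/usr/bin/env python3
import subprocess

# Expected values, one per flag character.
with open('output.txt', 'r') as f:
    goal = f.read().split()

flag = 'ctf4b{'
while len(flag) < 37:  # output.txt holds 37 values
    for i in range(0x21, 0x7f):
        c = flag + chr(i)
        # chall.gs reads one line from stdin and prints one number per character.
        p = subprocess.run('gs -q ./chall.gs'.split(),
                           input=(c + '\n').encode(), stdout=subprocess.PIPE)
        o = p.stdout.decode().split()
        # The first len(c) numbers match only when the whole prefix is correct.
        if o == goal[0:len(c)]:
            flag = c
            print(flag)
            break
    else:
        # No printable character fits: stop instead of looping forever.
        raise SystemExit('no candidate matched at position %d' % len(flag))

print(flag)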

ctf4b{st4ck_m4ch1n3_1s_4_l0t_0f_fun!}

I spent more time figuring out how subprocess works than thinking about the solution.
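
An added example, not part of the original write-up: a Python re-implementation of the chall.gs loop, showing why the prefix-by-prefix search works. Each printed number depends only on the current character, its index, and a multiplier taken from the previous number. The names `step`, `encode` and `recover` are mine; `GOAL` is copied from output.txt above.

```python
# Values copied from output.txt on this page.
GOAL = [int(x) for x in """
3417 61039 39615 14756 10315 49836 44840 20086 18149 31454 35718 44949 4715
22725 62312 18726 47196 54518 2667 44346 55284 5240 32181 61722 6447 38218
6033 32270 51128 6112 22332 60338 14994 44529 25059 61829 52094
""".split()]

E, N = 463, 64711  # repeat count and modulus used in chall.gs


def step(k, i, ch):
    """One iteration of the chall.gs loop: (printed value, next multiplier)."""
    v = k * ((i + 1) ^ ch)        # 1 index 1 add 3 index 3 index get xor mul
    out = pow(v, E, N)            # 1 463 { 1 index mul 64711 mod } repeat
    return out, out % 128 + 1     # 128 mod 1 add


def encode(s):
    """What chall.gs prints for input line s, as a list of integers."""
    k, outs = 1, []
    for i, ch in enumerate(s.encode()):
        out, k = step(k, i, ch)
        outs.append(out)
    return outs


def recover(goal):
    """Recover the input one character at a time from the printed values."""
    k, flag = 1, ""
    for i, want in enumerate(goal):
        hits = [c for c in range(0x21, 0x7f) if step(k, i, c)[0] == want]
        if len(hits) != 1:
            raise ValueError(f"position {i}: {len(hits)} candidates")
        flag += chr(hits[0])
        k = want % 128 + 1        # next multiplier comes from this output
    return flag


if __name__ == "__main__":
    print(recover(GOAL))
```

Because the multiplier for position i is computed from the printed value at position i-1, every character can be solved independently once output.txt is known, with no need to run gs at all.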