Do you want to use dark theme?

# picoCTF 2019 Time's Up

Reversing, 400 points.

## Challenge

Time waits for no one. Can you solve this before time runs out?

## Hints

Can you interact with the program using a script?

## Walkthrough

Let's run the program first and see what happens...

``````[email protected]:/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580\$ ./times-up
Challenge: (((((1288057008) + (2021762573)) - ((489289688) + (-1858380255))) + (((1623481824) - (-8221812)) + ((-807258024) + (-1222959154)))) + ((((122253874) + (936856588)) - ((1864911763) + (-548664864))) - (((1416474072) + (-1599750822)) + ((-1902594544) + (1229572287)))))
Setting alarm...
Solution? Alarm clock``````

We just need to evaluate the equation fast enough? Seems simple...except, the equation changes every time. Ok, so the hint says we can solve it by interacting with the program using a script. Let's try it out using the pwnlib and send in a dummy answer.

``````from pwn import *

p=process("/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up")
p.recvline()
p.sendline('0')
print p.recvall()``````

Running it produces

``````[email protected]:~\$ python times_up_solve.py
[+] Starting local process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up': pid 3271930
[+] Receiving all data: Done (315B)
[*] Process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up' stopped with exit code 0 (pid 3271930)
Challenge: (((((1902598880) + (2085037722)) + ((415567762) + (-470207022))) + (((-207809664) + (1259474180)) + ((-1119927238) + (-302757706)))) + ((((1765278410) + (-1591815140)) + ((-1232116622) + (900283584))) - (((1288178076) + (-1186474823)) + ((-1249666223) - (1710228294)))))
Setting alarm...
Solution? Nope!``````

So it seems the script can interact with the program without a problem. Let's see what will happen if we simply grab the equation, evaluate it, and send it back.

``````from pwn import *
import re

p=process("/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up")
l=p.recvline()
eq=re.search("Challenge: (.+)",l).group(1)
p.sendline(str(eval(eq)))
print p.recvall()``````

Running it produces

``````[email protected]:/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580\$ python ~/times_up_solve.py
[+] Starting local process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up': pid 3272458
[+] Receiving all data: Done (104B)
[*] Process '/problems/time-s-up_3_37ba6326d772bf884eab8f28e480e580/times-up' stopped with exit code 0 (pid 3272458)
Setting alarm...
Solution? Congrats! Here is the flag!
picoCTF{Gotta go fast. Gotta go FAST. #1dcd7f16}``````

and we got the flag. Easy.