Rating: 0
We're given a prompt, which turns out to be some variant of a python repl:
```
$ nc 178.128.12.234 10002
This is function x()>>>dir
<built-in function dir>
```
There's a limit on our input though, at 19 chars + newline, so what can we do in 19 or less?
Let's see what we've got:
```
This is function x()>>>globals()
{'server_thread': <Thread(Thread-1, started daemon 140225032603392)>, 'ThreadedTCPRequestHandler': <class __main__.ThreadedTCPRequestHandler at 0x7f88b0d32530>, 'ThreadedTCPServer': <class __main__.ThreadedTCPServer at 0x7f88b0d324c8>, 'socket': <module 'socket' from '/usr/lib/python2.7/socket.pyc'>, 'SocketServer': <module 'SocketServer' from '/usr/lib/python2.7/SocketServer.pyc'>, '__builtins__': <module '__builtin__' (built-in)>, '__file__': '/home/xoxopwn/xoxopwn.py', 'o': <function o at 0x7f88b0d21c80>, '__package__': None, 'port': 9999, 'threading': <module 'threading' from '/usr/lib/python2.7/threading.pyc'>, 'host': '0.0.0.0', 'x': <function x at 0x7f88b0d2e050>, '__name__': '__main__', '__doc__': None, 'serverthuong123': <__main__.ThreadedTCPServer instance at 0x7f88b0d19e18>}
```
`o` and `x` stand out. Let's dump code and globals for `o`:
```
This is function x()>>> o.__code__.co_consts
(None, '392a3d3c2b3a22125d58595733031c0c070a043a071a37081d300b1d1f0b09', 'hex', 'pythonwillhelpyouopenthedoor', '', 'Open the door', 'Close the door')
This is function x()>>> o.__code__.co_code
00000000: 6401 007d 0100 7c01 006a 0000 6402 0083 d..}..|..j..d...
00000010: 0100 7d01 0064 0300 7d02 0064 0400 7d03 ..}..d..}..d..}.
00000020: 0078 4c00 7401 0074 0200 7c00 0083 0100 .xL.t..t..|.....
00000030: 8301 0044 5d38 007d 0400 7c03 0074 0300 ...D]8.}..|..t..
00000040: 7404 007c 0000 7c04 0019 8301 0074 0400 t..|..|......t..
00000050: 7c02 007c 0400 7402 007c 0000 8301 0016 |..|..t..|......
00000060: 1983 0100 4183 0100 377d 0300 7134 0057 ....A...7}..q4.W
00000070: 7c03 007c 0100 6b02 0072 8400 6405 0047 |..|..k..r..d..G
00000080: 486e 0500 6406 0047 4864 0000 53 Hn..d..GHd..S
```
Dump it into python and disassemble:
```
import dis
dis.dis(open("raw", "rb").read())
0 LOAD_CONST 1 (1) '392a3d3c2b3a22125d58595733031c0c070a043a071a37081d300b1d1f0b09'
2 <0>
4 POP_TOP
6 LOAD_FAST 1 (1)
8 <0>
10 <0>
12 LOAD_CONST 2 (2) 'hex'
14 <0>
16 POP_TOP
18 STORE_FAST 1 (1)
20 <0>
22 ROT_THREE
24 STORE_FAST 2 (2)
26 <0>
28 DUP_TOP
30 STORE_FAST 3 (3)
32 <0>
34 INPLACE_RSHIFT
36 LOAD_GLOBAL 1 (1)
38 <0>
40 ROT_TWO
42 LOAD_FAST 0 (0)
44 <0>
46 POP_TOP
48 CALL_FUNCTION 1
50 <0>
>> 52 FOR_ITER 56 (to 110)
54 <0>
56 DUP_TOP
58 LOAD_FAST 3 (3) 'pythonwillhelpyouopenthedoor'
60 <0>
62 ROT_THREE
64 LOAD_GLOBAL 4 (4)
66 <0>
68 <0>
70 LOAD_FAST 4 (4)
72 <0>
74 CALL_FUNCTION 1
76 <0>
78 DUP_TOP
80 LOAD_FAST 2 (2)
82 <0>
84 DUP_TOP
86 LOAD_GLOBAL 2 (2)
88 <0>
90 <0>
92 CALL_FUNCTION 1
94 <0>
96 BINARY_SUBSCR
98 POP_TOP
100 BINARY_XOR
102 POP_TOP
104 INPLACE_ADD
106 ROT_THREE
108 JUMP_ABSOLUTE 52
>> 110 <0>
112 LOAD_FAST 3 (3) 'pythonwillhelpyouopenthedoor'
114 <0>
116 POP_TOP
118 COMPARE_OP 2 (==)
120 <0>
122 MAKE_FUNCTION 0
124 LOAD_CONST 5 (5)
126 <0>
128 YIELD_FROM
130 DUP_TOP_TWO
132 LOAD_CONST 6 (6)
134 <0>
136 YIELD_FROM
138 <0>
140 RETURN_VALUE
```
We could continue to dump `x` (just tells us to look in `o`), and `globals()`, but a quick glance and educated guess yielded a quicker solutions (as opposed to earnestly going through the disassembly):
```python3
from binascii import unhexlify
msg = unhexlify("392a3d3c2b3a22125d58595733031c0c070a043a071a37081d300b1d1f0b09")
key = list(map(ord, "pythonwillhelpyouopenthedoor"))
print("".join([chr(msg[i]^key[i%len(key)]) for i in range(len(msg))]))
```
Also known as: `ISITDTU{1412_secret_in_my_door}`
