# IJCTF 2020 - vault

## Description
>We locked our secret box, You can directly ping the bot (@Vault #8895 ) using "start" to get the secret but we don't know the door code we used random() also we used sleep(10).
shift register...

Author : `Harsh` and `warlock_rootx`

**Hint**
* `if pin in user_input():`

## Solution

We started talking with the Discord bot (```start```):

Time to test your lock picking skills

```
I AM

_ _ _ _ _ _ _

LOCKED

[ 0 ] [ 1 ]
```
We guessed that the vault password was seven characters long and contained only 0 and 1.

After some random tests we realized that sometimes a password was accepted (and we were prompted with the next phase of the lock picking) and other times it was wrong.

We understood (from the hint) that the password had to be a substring of the text we submitted.
Discord limits the length of a message to 2000 characters, too few to list every possible seven-digit binary PIN.
Luckily we knew the [De Bruijn sequence](https://en.wikipedia.org/wiki/De_Bruijn_sequence).
We generated the strings for the various lock-picking tests.

Time to test your lock picking skills
```
I AM

_ _ _ _ _ _ _

LOCKED

[ 0 ] [ 1 ]
```
>00000001000001100001010000111000100100010110001101000111100100110010101001011100110110011101001111101010110101111011011101111111000000

First lock opened! Hurry up and open the next one before the gaurds show up
```
I AM

_ _ _ _ _ _

LOCKED

[ 4 ] [ 5 ] [ 6 ]
```
>44444454444464444554444564444654444664445454445464445554445564445654445664446454446464446554446564446654446664454454464454554454564454654454664455454455464455554455564455654455664456454456464456554456564456654456664464464554464564464654464664465454465464465554465564465654465664466454466464466554466564466654466664545454645455545455645456545456645464645465545465645466545466645545545645546545546645554645555545555645556545556645564645565545565645566545566645645646545646645654645655545655645656545656645664645665545665645666545666646464655464656464665464666465465466465555465556465565465566465655465656465665465666466466555466556466565466566466655466656466665466666555555655556655565655566655655656655665655666656565666566566666644444

Second Lock Opened! Dang your a professional. Third lock now...
```
I AM

_ _ _ _

LOCKED

[ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ]
```
>5555655575558555955665567556855695576557755785579558655875588558955965597559855995656575658565956665667566856695676567756785679568656875688568956965697569856995757585759576657675768576957765777577857795786578757885789579657975798579958585958665867586858695876587758785879588658875888588958965897589858995959665967596859695976597759785979598659875988598959965997599859996666766686669667766786679668766886689669766986699676768676967776778677967876788678967976798679968686968776878687968876888688968976898689969697769786979698769886989699769986999777787779778877897798779978787978887889789878997979887989799879998888988998989999555

Third lock open, now you have to be fast.
```
I AM

_ _ _ _ _

LOCKED

[ 1 ] [ 2 ] [ 3 ] [ 4 ]
```
>11111211113111141112211123111241113211133111341114211143111441121211213112141122211223112241123211233112341124211243112441131211313113141132211323113241133211333113341134211343113441141211413114141142211423114241143211433114341144211443114441212212123121241213212133121341214212143121441221312214122221222312224122321223312234122421224312244123131231412322123231232412332123331233412342123431234412413124141242212423124241243212433124341244212443124441313213133131341314213143131441321413222132231322413232132331323413242132431324413314133221332313324133321333313334133421334313344134141342213423134241343213433134341344213443134441414214143141441422214223142241423214233142341424214243142441432214323143241433214333143341434214343143441442214423144241443214433144341444214443144442222232222422233222342224322244223232232422333223342234322344224232242422433224342244322444232332323423243232442332423333233342334323344234242343323434234432344424243242442433324334243432434424433244342444324444333334333443343433444343443444441111

Fourth lock open. Come on just two more...
```
I AM

_ _ _ _

LOCKED

[ 0 ] [ 1 ] [ 2 ] [ 5 ] [ 8 ] [ 9 ]
```
>000010002000500080009001100120015001800190021002200250028002900510052005500580059008100820085008800890091009200950098009901010201050108010901110112011501180119012101220125012801290151015201550158015901810182018501880189019101920195019801990202050208020902110212021502180219022102220225022802290251025202550258025902810282028502880289029102920295029802990505080509051105120515051805190521052205250528052905510552055505580559058105820585058805890591059205950598059908080908110812081508180819082108220825082808290851085208550858085908810882088508880889089108920895089808990909110912091509180919092109220925092809290951095209550958095909810982098509880989099109920995099809991111211151118111911221125112811291152115511581159118211851188118911921195119811991212151218121912221225122812291252125512581259128212851288128912921295129812991515181519152215251528152915521555155815591582158515881589159215951598159918181918221825182818291852185518581859188218851888188918921895189818991919221925192819291952195519581959198219851988198919921995199819992222522282229225522582259228522882289229522982299252528252925552558255925852588258925952598259928282928552858285928852888288928952898289929295529582959298529882989299529982999555585559558855895598559958585958885889589858995959885989599859998888988998989999000

Last one...
```
I AM

_ _ _ _ _ _ _ _ _ _ _

LOCKED

[ 0 ] [ 1 ]
```

The minimum length of the De Bruijn sequence is 2058... We deleted the last 58 characters and it still worked.
>0000000000010000000001100000000101000000001110000000100100000001011000000011010000000111100000010001000000100110000001010100000010111000000110010000001101100000011101000000111110000010000100000100011000001001010000010011100000101001000001010110000010110100000101111000001100010000011001100000110101000001101110000011100100000111011000001111010000011111100001000011000010001010000100011100001001001000010010110000100110100001001111000010100010000101001100001010101000010101110000101100100001011011000010111010000101111100001100011000011001010000110011100001101001000011010110000110110100001101111000011100010000111001100001110101000011101110000111100100001111011000011111010000111111100010001001000100010110001000110100010001111000100100110001001010100010010111000100110010001001101100010011101000100111110001010001100010100101000101001110001010100100010101011000101011010001010111100010110011000101101010001011011100010111001000101110110001011110100010111111000110001110001100100100011001011000110011010001100111100011010011000110101010001101011100011011001000110110110001101110100011011111000111001010001110011100011101001000111010110001110110100011101111000111100110001111010100011110111000111110010001111101100011111101000111111110010010010100100100111001001010110010010110100100101111001001100110010011010100100110111001001110110010011110100100111111001010010110010100110100101001111001010100110010101010100101010111001010110110010101110100101011111001011001110010110101100101101101001011011110010111001100101110101001011101110010111101100101111101001011111110011001101100110011101001100111110011010011100110101011001101011010011010111100110110101001101101110011011101100110111101001101111110011100111100111010101001110101110011101101100111011101001110111110011110101100111101101001111011110011111010100111110111001111110110011111110100111111111010101010110101010111101010110111010101110110101011111101011010111010110110110101101111101011101111010111101110101111101101011111111011011011110110111
01110110111111101110111111011110111110111111111110000000000

```
IJCTF{0p3n3d_d3_bru1jn_v4ul75}
```
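
The writeup does not include the generator it used, so the following is an added example, not the authors' code: it builds a De Bruijn sequence for each lock with the standard Lyndon-word construction, unrolls it into a linear string, and measures how many PINs a message covers under the hinted `pin in user_input()` substring check. The function names and the `locks` list (read off the transcript above) are assumptions of this example.

```python
DISCORD_LIMIT = 2000  # message length limit stated in the writeup


def de_bruijn(alphabet: str, n: int) -> str:
    """Cyclic De Bruijn sequence B(k, n), built by concatenating Lyndon words."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:  # keep only Lyndon words whose length divides n
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


def linear_cover(alphabet: str, n: int) -> str:
    """Unroll the cycle: repeat the first n-1 symbols so wrap-around windows appear."""
    cyc = de_bruijn(alphabet, n)
    return cyc + cyc[:n - 1]


def covered_fraction(message: str, alphabet: str, n: int) -> float:
    """Fraction of all k**n PINs that would pass a `pin in message` check."""
    seen = {message[i:i + n] for i in range(len(message) - n + 1)}
    return len(seen) / len(alphabet) ** n


if __name__ == "__main__":
    # (allowed digits, PIN length) for each lock, as shown in the transcript
    locks = [("01", 7), ("456", 6), ("56789", 4), ("1234", 5),
             ("012589", 4), ("01", 11)]
    for alphabet, n in locks:
        msg = linear_cover(alphabet, n)[:DISCORD_LIMIT]
        print(alphabet, n, len(msg), f"{covered_fraction(msg, alphabet, n):.4f}")
```

For the last lock the truncated 2000-character message still contains 1990 of the 2048 possible 11-bit PINs, about 97%, which is why dropping the tail was likely to work. The same numbers show the cost of the substring check: comparing the whole input to the PIN for equality would force one guess per message instead of letting a single message cover the keyspace.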

Original writeup (https://github.com/Bonfee/CCIT20-writeups/tree/master/IJCTF2020/vault).