CTFtime.org

Serial

by roerohan / csictf

Tags: web 

Rating: 4.0

# Serial

Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy)

# Requirements

- Node.js

# Source

```javascript
var http = require('http');
var url = require('url');
var parse = require('querystring');
var fs = require('fs');
var index = fs.readFileSync('index.html');
var flag = fs.readFileSync('flag.html');
var err = fs.readFileSync('error.html');

http.createServer(function (req, res) {
var q = url.parse(req.url, true)
if (q.path == "/"){
res.writeHead(200,{"Content-Type": "text/html"});
res.write(index); //write a response to the client
res.end(); //end the response
}
else if (q.path == "/enter"){
if (req.method === 'POST') {
var body = '';
req.on('data', chunk=> {body += chunk.toString()});
req.on('end', () => {
console.log(body);
body = parse.parse(body);
console.log(body);
var a=parseInt(body.serial1),b=parseInt(body.serial2),c=parseInt(body.serial3);
console.log("Serial:",a,b,c)
if ( (a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c){
res.writeHead(200,{"Content-Type": "text/html"});
res.write(flag);
res.end();
}
else{
res.writeHead(200,{"Content-Type": "text/html"});
res.write(err);
res.end();
}
}
)
};
}
else{
res.writeHead(404,{"Content-Type": "text/html"});
res.write("<h1>404 Not found</h1>");
res.end();
}
}
).listen(8081);
```

# Exploitation

The interesting part in this program is this line:

```javascript
if ((a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c) {...}
```

Since the `==` operator has higher precedence than `&`, `a*a*a + b*b*b == c*c*c` will be evaluated first. This part of the expression will undergo bitwise `&` with the other parts. Now, `a^n + b^n == c^n` for all `n > 2` is mathematically impossible, as stated by Fermat's theorem, so it would seem impossible to solve this challenge. But, if you notice, `999999 ^ 3` is way past the range JS can accomodate. If you try `999999^3 + 1 == 999999^3`, you will get true in JS! Now you know what to do.

```
> 999999*999999*999999 + 1 == 999999*999999*999999
true
```

Pass `serial1 = 9999999, serial2 = 1 and serial 3 = 999999`. You successfully get the flag.

The flag is:

```
cybrics{CYB3R_M47H_15_57R4Ng3}
```

Original writeup (https://github.com/csivitu/CTF-Write-ups/tree/master/CyBRICS%20CTF/Cyber/Serial).

Comments