Polyrun - localo

Category: Misc
Difficulty: Easy
Author: explo1t

Guessiness:

Description

Script.VeryBogusExecution

Check it out at: http://lfi.hax1.allesctf.net:8081/

Summary

A file called run.pl is provided by the challenge author. The file extension hints towards Perl. Because the category of this challenge is labeled as misc, which is roughly the same as guessing, and the author is known for his guessing skills, everything can be expected.

Solution

The quickest way to start analysing the file is to run it. stdout shows Try Harder.

After a short source code examination and several minutes of guessing and error, the code is understood, but there is no flag and the code does not make any sense.

But there is a string that starts with #@~^UgAAAA== and ends with AAA==^#~@, and it shows up again when we print the code instead of passing it to eval.

'';open(Q,$0);while(<Q>){if(/^#(.*)$/){for(split('-',$1)){$q=0;for(split){s/\|/:.:/xg;s/:/../g;$Q=$_?length:$_;$q+=$q?$Q:$Q*20;};}}}print"\n";
'';$?=
#@~^UgAAAA==v,Zj;MPKtb/|r/|Y4+|0sCT{XKN@#@&H/T$G6,J;?/M,P_qj{g6K|I3)d{sJ)VTE~,#~rF}x^X~,JgGwJexkAAA==^#~@
eval eval '"'."'"."'".';'.'\\'.'$'.'_'.('{'^'[').'='.('{'^'[').'\\'.'"'.'\\'.'"'.';'.('!'^'+')."'"."'".';'.('\\').'$'.'_'.'_'.('{'^'[').'='.('{'^'[').'\\'.'"'.('!'^'+').'#'.'\\'.'@'.'~'.'^'.('{'^'.').('`'|"'").('`'^'!').('`'^'!').('`'^'!').('`'^'!').'='.'='.('['^'-').','.('{'^'!').('`'|'*').';'.('`'^'-').('{'^'+').('`'^'+').('['^'/').('`'|'"').'/'.'|'.('['^')').'/'.'|'.('{'^'"').('^'^('`'|'*')).'+'.'|'.(('^')^('`'|'.')).('['^'(').('`'^'#').('{'^'/').'\\'.'{'.('{'^'#').('`'^'+').('`'^'.').'\\'.'@'.'#'.'\\'.'@'.'&'.('`'^'(').'/'.('{'^'/').'\\'.'$'.('`'^"'").('^'^('`'|'(')).','.('`'^'*').';'.'?'.'/'.('`'^'-').','.('{'^'+').'_'.('['^'*').('`'|'*').'\\'.'{'.('`'|"'").('^'^('`'|'(')).('`'^'+').'|'.('`'^(')')).('^'^('`'|'-')).')'.('`'|'$').'\\'.'{'.('['^'(').('`'^'*').')'.('{'^'-').('{'^'/').('`'^'%').'~'.','.'#'.'~'.('['^')').('`'^'&').'\\'.'}'.('['^'#').'^'.('{'^'#').'~'.','.('`'^'*').('`'|"'").('`'^"'").('['^',').('!'^'^').('`'^'*').('`'|'%').('['^'#').('`'|'+').('`'^'!').('`'^'!').('`'^'!').'='.'='.'^'.'#'.'~'.'\\'.'@'.('!'^'+')."'"."'".'\\'.'"'.';'.('!'^'+')."'"."'".';'.('`'|'&').('`'|'/').('['^')').('{'^'[').'('.('`'|'-').('['^'"').('{'^'[').'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').'='.('^'^('`'|'.')).';'.('{'^'[').'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').('{'^'[').'<'.'='.('{'^'[').('^'^('`'|'/')).';'.('{'^'[').'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').'+'.'+'.')'.('{'^'[').'\\'.'{'.('`'|')').('`'|'&').'('.'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').('{'^'[').'='.'='.('{'^'[').('^'^('`'|'.')).')'.'\\'.'{'.'\\'.'$'.'_'.'.'.'='.('['^'(').('['^'.').('`'|'"').('['^'(').('['^'/').('['^')')."\(".'\\'.'$'.'_'.'_'.','.('^'^('`'|',')).('^'^('`'|'/')).'+'.'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|('/'))).('`'|'/').('`'^')').','.('^'^('`'|'/')).')'.';'.'\\'.'$'.'_'.'.'.'='.('['^'(').('['^'.').('`'|"\"").('['^'(').('['^'/').('['^')').'('.'\\'.'$'.'_'.'_'.','.('^'^('`'|',')).('^'^('`'|'+')).
'+'.'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').','.('^'^('`'|'/')).')'.';'.'\\'.'$'.'_'.'.'.'='.('['^'(').('['^'.').('`'|'"').('['^'(').('['^'/').('['^')').'('.'\\'.'$'.'_'.'_'.','.('^'^("\`"|',')).(':'&'=').'+'.'\\'.'$'.('`'|'/').('`'|'/').('^'^('`'|'/')).('`'|'/').('`'^')').','.('^'^("\`"|'/')).')'.';'.'\\'.'$'.'_'.'.'.'='.'\\'.'"'.('{'^'[').'\\'.'"'.';'.'\\'.'}'.('`'|'%').('`'|',').('['^'(').('`'|'%').'\\'.'{'.('{'^'[').'\\'.'$'.'_'.('{'^'[').'.'.'='.('{'^'[').('`'|'#').('`'|'(').('['^')').'('.('^'^('`'|'.')).('['^'#').('`'|'!').'*'.('^'^('`'|'.')).('['^'#').('^'^('`'|'/')).('`'|'#').'-'.('^'^('`'|'.')).('['^'#').('`'^'"').('^'^('`'|'.')).')'.';'.'\\'.'}'.'\\'.'}'.('!'^'+').("'")."'".';'.('{'^'[').('['^'+').('['^')').('`'|')').('`'|'.').('['^'/').('{'^'[').'\\'.'$'.'_'.('{'^'[').'.'.('{'^'[').'\\'.'"'.('`'|'!').('['^')').('`'|'$').('`'|'%').('['^')').'\\'.'"'.';'.'"';$:=('.');

I guess the first one is left there because the author wanted to be nice 😉
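The "print instead of eval" step is easy to do in Perl itself, but the same string can be reconstructed without running anything from the file, which is the safer habit for untrusted samples. The script below is an added example and not part of the writeup or of run.pl: it evaluates the construct run.pl feeds to its first eval, a chain of single- and double-quoted literals and parenthesised string bitwise operations (^, |, &) joined with `.`, using Perl's byte-wise semantics, and then strips the double-quote escapes to show what the second eval actually runs. It assumes every bitwise term is parenthesised, as in run.pl, and that no alphanumeric escapes such as \n occur (it refuses those rather than guess). The embedded input is a fragment copied from the obfuscated code right before the encoded container; the function and variable names are my own.

```python
import re

# Added example: evaluate the string-building expression that run.pl hands to its
# first eval. Supports exactly the constructs run.pl uses: Perl single-/double-quoted
# literals, the byte-wise string operators ^ | & inside parentheses, and '.' joins.
# Assumption: bitwise terms are always parenthesised, so '.' only joins top-level
# terms and Perl operator precedence never has to be modelled.


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_string(s, i):
    """Parse a quoted literal starting at s[i]; return (value, index after the closing quote)."""
    quote = s[i]
    i += 1
    out = []
    while s[i] != quote:
        if s[i] == '\\':
            nxt = s[i + 1]
            if quote == "'" and nxt not in "\\'":
                # single quotes: only \\ and \' are escapes, any other backslash is literal
                out.append('\\')
                i += 1
                continue
            if nxt.isalnum():
                # \n, \x41 ... are not used by run.pl; refuse instead of guessing
                raise ValueError(f"unsupported escape \\{nxt} at offset {i}")
            out.append(nxt)  # \" \` \( \\ all yield the escaped character itself
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out), i + 1


def _bitwise(op, a, b):
    """Perl string bitwise ops work byte by byte: ^ and | pad the shorter operand
    with NUL bytes, & truncates the result to the shorter operand."""
    if op == '&':
        return ''.join(chr(ord(x) & ord(y)) for x, y in zip(a, b))
    n = max(len(a), len(b))
    a, b = a.ljust(n, '\0'), b.ljust(n, '\0')
    fn = (lambda x, y: x ^ y) if op == '^' else (lambda x, y: x | y)
    return ''.join(chr(fn(ord(x), ord(y))) for x, y in zip(a, b))


def _parse_atom(s, i):
    i = _skip_ws(s, i)
    if s[i] in "'\"":
        return _parse_string(s, i)
    if s[i] == '(':
        val, i = _parse_term(s, i + 1)
        i = _skip_ws(s, i)
        if s[i] != ')':
            raise ValueError(f"expected ')' at offset {i}")
        return val, i + 1
    raise ValueError(f"unexpected {s[i]!r} at offset {i}")


def _parse_term(s, i):
    """atom (op atom)* with op in ^ | &, evaluated left to right."""
    val, i = _parse_atom(s, i)
    while True:
        i = _skip_ws(s, i)
        if i < len(s) and s[i] in '^|&':
            op = s[i]
            rhs, i = _parse_atom(s, i + 1)
            val = _bitwise(op, val, rhs)
        else:
            return val, i


def deobfuscate(expr):
    """Evaluate a '.'-joined chain of terms and return the string Perl would build."""
    out, i = [], 0
    while True:
        val, i = _parse_term(expr, i)
        out.append(val)
        i = _skip_ws(expr, i)
        if i < len(expr) and expr[i] == '.':
            i += 1
            continue
        if i >= len(expr) or expr[i] == ';':
            return ''.join(out)
        raise ValueError(f"unexpected {expr[i]!r} at offset {i}")


def strip_dq_escapes(s):
    """The first eval yields Perl source for a double-quoted string; inside it a backslash
    before a non-word character yields just that character. The result is the text the
    second eval runs."""
    return re.sub(r'\\([^A-Za-z0-9_])', r'\1', s)


# Fragment copied from run.pl: the part of the second-eval argument just before the
# encoded VBE container starts.
SAMPLE_FRAGMENT = r"""'\\'.'"'.('!'^'+').'#'.'\\'.'@'.'~'.'^'.('{'^'.').('`'|"'").('`'^'!').('`'^'!').('`'^'!').('`'^'!').'='.'='.('['^'-').','.('{'^'!').('`'|'*')"""

if __name__ == '__main__':
    stage1 = deobfuscate(SAMPLE_FRAGMENT)
    print(repr(stage1))                    # source of the double-quoted string
    print(repr(strip_dq_escapes(stage1)))  # what the second eval sees
```

Running it on the fragment reproduces the start of the container, `#@~^UgAAAA==v,Zj`, without executing a single line of the sample; feeding the whole eval argument through the same function gives the full second occurrence of the string.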

A quick Google search reveals that the format is called VBE (link); it is just an encoded VBScript. There are many tools on the internet to decode it; I used this one. After decoding it we get the flag.

' CSCG{This_is_the_flag_yo}
MsgBox "CSCG[THIS_NOT_REAL_FLAG]", VBOKOnly, "Nope"
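The container has a fixed shape that makes it easy to spot by content, which matters for the polyglot trick used here: a file with a .pl extension that carries a Windows Script Encoder payload. The script below is an added example, not part of the writeup or of the decoder tool the author used. It finds `#@~^ ... ^#~@` containers in any text, reads the declared length from the 8 base64 characters after `#@~^` (a little-endian 32-bit integer giving the length of the encoded body), compares it with the body actually present, and flags containers that live in a file whose extension does not announce an encoded script. Decoding itself is left to the tools mentioned above, and the 8-character checksum field before `^#~@` is only reported, not verified. The sample inputs are constructed: the comment line from run.pl as reproduced above, wrapped in two plain Perl lines, plus a well-formed container built locally; all function and variable names are my own.

```python
import base64
import re
import struct

# Added example: content-based triage for Windows Script Encoder (VBE/JSE) containers.
# Layout used: '#@~^' + 8 base64 chars (little-endian uint32 = length of the encoded
# body) + body + 8 base64 chars (checksum, reported but not verified here) + '^#~@'.
VBE_CONTAINER = re.compile(
    r'#@~\^([A-Za-z0-9+/]{6}==)(.*?)([A-Za-z0-9+/]{6}==)\^#~@', re.S)

# Extensions where an encoded-script container is expected; elsewhere it is hiding.
ENCODED_SCRIPT_EXTS = {'vbe', 'jse'}


def declared_length(length_field):
    """Decode the 8-character base64 length field into the body length it declares."""
    return struct.unpack('<I', base64.b64decode(length_field))[0]


def find_vbe_containers(text):
    """Return one record per container found, with declared vs. actual body length."""
    hits = []
    for m in VBE_CONTAINER.finditer(text):
        declared = declared_length(m.group(1))
        body = m.group(2)
        hits.append({
            'offset': m.start(),
            'declared_len': declared,
            'actual_len': len(body),
            'length_ok': declared == len(body),   # mismatch = truncated or edited sample
            'checksum_field': m.group(3),
        })
    return hits


def triage(filename, text):
    """Report containers and whether the file extension hides them (the polyglot case)."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    hits = find_vbe_containers(text)
    return {
        'file': filename,
        'containers': hits,
        'hidden_container': bool(hits) and ext not in ENCODED_SCRIPT_EXTS,
    }


def build_container(body, checksum_field='AAAAAA=='):
    """Wrap an already-encoded body in a container whose length field matches it
    (dummy checksum; used only to construct a well-formed test input)."""
    length_field = base64.b64encode(struct.pack('<I', len(body))).decode()
    return f'#@~^{length_field}{body}{checksum_field}^#~@'


# Constructed sample: the comment line from run.pl as reproduced in the writeup,
# surrounded by two ordinary Perl lines so the file looks like a plain Perl script.
RUN_PL_SAMPLE = (
    "#!/usr/bin/perl\n"
    "#@~^UgAAAA==v,Zj;MPKtb/|r/|Y4+|0sCT{XKN@#@&H/T$G6,J;?/M,P_qj{g6K|I3)d{sJ)VTE~,#~rF}x^X~,JgGwJexkAAA==^#~@\n"
    'print "Try Harder\\n";\n'
)

if __name__ == '__main__':
    for name, text in (('run.pl', RUN_PL_SAMPLE),
                       ('script.vbe', build_container('ABCDEFGHIJ'))):
        print(triage(name, text))
```

For run.pl the scanner reports a hidden container with a declared body length of 82; a declared/actual mismatch on any sample is the first thing to check before handing the body to a decoder, since it usually means the text was cut or hand-edited.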

Mitigation

Next time XOR it with random stuff to make guessing harder.

Flag

CSCG{This_is_the_flag_yo}