Hello all! This is a write-up for a few solutions I found for solving the VaultDoor challenges on picoCTF. All these challenges were written in Java but I decided to write my solutions in Python since I enjoy Python. The challenges can be found under the Reverse Engineering category in the picoGym. Let’s get to work!
The first VaultDoor is fairly straight forward. The challenge uses a “Scanner” object to get input from the user and then calls the method “checkPassword” to check if each character in the input is the same as the correct password. If the input is equal to the correct password, we get the message “Access granted.” but if the input is not the same as the expected password, we get “Access Denied!”. The challenges all follow this common theme. So rewriting the challenge in python, I initialized a list of 32 spaces, one for each character. I then focused on the “checkPassword” method, since this is what the user input is compared against and this method seemingly holds the correct password. With a little text editing, I made my Python list hold the same letters at the same positions as the java code and a picture can be seen below.
Let’s check if it worked.
Vault Door 1 is down. Moving on to VaultDoor3 (the author skipped 2 for some reason!), this challenge manipulates the user input by using multiple “for” loops.
You can review the following picture to see my Python solution with some comments about what the loops are accomplishing.
Let’s check it!
On to VaultDoor4! Vault door 4 contains an array of numbers with some in base 10, 16, 8 and finally some characters at the end. Our input is broken into an array of bytes and compared to this hard coded entry. So I used the hard coded entry and converted the numbers to characters. I concatenated the characters already found in the array to the “password” string in the Python code and printed what I hoped was a solution.
Let’s check it!
Awesome!! Access granted! Now VaultDoor5. This one involves some base64 encoding and some URL type encoding. Python has some great libraries that can help with this problem and you’ll see in my Python solution that I imported “base64” to get some extra functionality. VaultDoor5 written in Java can be seen below.
In my solution I use the “b64decode” function from our imported “base64” to decode the user entry, then I decode that output to ascii text. After that I split the string on the “%” character to get a list of individual numbers and use a quick splice to get rid of a leading “%”. Using “print” statements in this function really helps to visualize what is happening. Then the returned list is sent to the function “decodeHex” where the individual numbers are typecast into an integer of base16 and the corresponding ascii character is found. My solution can be found below.
Is it correct?
VaultDoor5 is cracked! Lets try 6! VaultDoor6 is fairly straightforward. We have an array of hard codded hex digits that were then “XOR”ed with a hex value of “0x55”. My python script takes those hard coded values, “XOR”s them, then gets the character equivalent. The original Java problem and my solution is seen below.
Let’s run it!
VaultDoor7 took some careful observation and some Python code I had written previously. I wrote a number conversion program previously that converts numbers between hexadecimal, decimal, and binary. I imported this program to use a couple of functions as you will see in my VaultDoor7.py source code. Lets see the original Java code.
The Python solution I wrote takes the hard coded numbers in the original Java program(lines 58 to 65) converts them into binary with our imported “DecimalToBinary” function and takes note of the length of the string of the binary digits. The length must be 32! It it is not 32, it concatenates one or multiple zeroes to the beginning of it until the length of 32 is reached. The string is then split into 4 groups of 8 bits each and the 4 groups are put into a list. The list is sent to the function “binaryToDecimal”, which converts the binary number to a decimal number and converts the decimal number to the corresponding ascii character. VaultDoor7.py is seen below along with the imported functions used.
Let’s run our solution!
Looks like it worked!! Hope you’ll give these challenges a shot as rewriting them in your favorite programming language can be pretty fun and good practice. Good luck!