Solving VaultDoors on picoCTF

Hello all! This is a write-up for a few solutions I found for solving the VaultDoor challenges on picoCTF. All these challenges were written in Java but I decided to write my solutions in Python since I enjoy Python. The challenges can be found under the Reverse Engineering category in the picoGym. Let’s get to work!

First VaultDoor in Java

The first VaultDoor is fairly straight forward. The challenge uses a “Scanner” object to get input from the user and then calls the method “checkPassword” to check if each character in the input is the same as the correct password. If the input is equal to the correct password, we get the message “Access granted.” but if the input is not the same as the expected password, we get “Access Denied!”. The challenges all follow this common theme. So rewriting the challenge in python, I initialized a list of 32 spaces, one for each character. I then focused on the “checkPassword” method, since this is what the user input is compared against and this method seemingly holds the correct password. With a little text editing, I made my Python list hold the same letters at the same positions as the java code and a picture can be seen below.

My Python Solution

Let’s check if it worked.

Running our python code outputs this code
The vault Door accepting our password!

Vault Door 1 is down. Moving on to VaultDoor3 (the author skipped 2 for some reason!), this challenge manipulates the user input by using multiple “for” loops.

Java Code for VaultDoor3

You can review the following picture to see my Python solution with some comments about what the loops are accomplishing.

My Python solution to VaultDoor3

Let’s check it!

Output from Python solution
Correct!!

On to VaultDoor4! Vault door 4 contains an array of numbers with some in base 10, 16, 8 and finally some characters at the end. Our input is broken into an array of bytes and compared to this hard coded entry. So I used the hard coded entry and converted the numbers to characters. I concatenated the characters already found in the array to the “password” string in the Python code and printed what I hoped was a solution.

Java code for VaultDoor4
Python Script for VaultDoor4

Let’s check it!

Output from the python script
Correct!

Awesome!! Access granted! Now VaultDoor5. This one involves some base64 encoding and some URL type encoding. Python has some great libraries that can help with this problem and you’ll see in my Python solution that I imported “base64” to get some extra functionality. VaultDoor5 written in Java can be seen below.

VaultDoor5 in Java

In my solution I use the “b64decode” function from our imported “base64” to decode the user entry, then I decode that output to ascii text. After that I split the string on the “%” character to get a list of individual numbers and use a quick splice to get rid of a leading “%”. Using “print” statements in this function really helps to visualize what is happening. Then the returned list is sent to the function “decodeHex” where the individual numbers are typecast into an integer of base16 and the corresponding ascii character is found. My solution can be found below.

Python Solution to VaultDoor5

Is it correct?

Python output looking promising
Access granted!!

VaultDoor5 is cracked! Lets try 6! VaultDoor6 is fairly straightforward. We have an array of hard codded hex digits that were then “XOR”ed with a hex value of “0x55”. My python script takes those hard coded values, “XOR”s them, then gets the character equivalent. The original Java problem and my solution is seen below.

VaultDoor6
Python solution to VaultDoor6

Let’s run it!

Python output
Wooo!! Access Granted!!

VaultDoor7 took some careful observation and some Python code I had written previously. I wrote a number conversion program previously that converts numbers between hexadecimal, decimal, and binary. I imported this program to use a couple of functions as you will see in my VaultDoor7.py source code. Lets see the original Java code.

VaultDoor7 in Java

The Python solution I wrote takes the hard coded numbers in the original Java program(lines 58 to 65) converts them into binary with our imported “DecimalToBinary” function and takes note of the length of the string of the binary digits. The length must be 32! It it is not 32, it concatenates one or multiple zeroes to the beginning of it until the length of 32 is reached. The string is then split into 4 groups of 8 bits each and the 4 groups are put into a list. The list is sent to the function “binaryToDecimal”, which converts the binary number to a decimal number and converts the decimal number to the corresponding ascii character. VaultDoor7.py is seen below along with the imported functions used.

Python code for VaultDoor7
BinaryToDecimal function called in VaultDoor7.py
DecimalToBinary function called in VaultDoor7.py

Let’s run our solution!

Output from VaultDoor7.py
Access granted!!

Looks like it worked!! Hope you’ll give these challenges a shot as rewriting them in your favorite programming language can be pretty fun and good practice. Good luck!

Hello there! You’ll find some programming problems and Capture the Flags here. Who doesn’t love a good puzzle?