Here is the provided code:
FLAG = "byuctf{}"
class User:
def __init__(self, username, id):
self.username = username
self.id = id
def __eq__(self, other):
return self.id == other.id
def __hash__(self):
return hash(self.id)
ADMIN = User('admin', 1337)
print("Welcome to onboarding! I'm Jacob from HR, and I'm here to make your experience as seamless as possible joining the company")
print("Go ahead and tell me your name:")
name = input()
print("Welcome to the company, " + name)
print("We also give you a user id, but in an attempt to make this company feel like home, we've decided to give you a choice in that, too. Go ahead and choose that now:")
id_ = input()
if not all([i in '0987654321' for i in id_]):
print("That's not an id!")
quit()
id_ = int(id_)
if id_ == 1337:
print("Sorry, the admin already claimed that id, no can do")
quit()
YOURUSER = User(name, id_)
print("Okay, you're all set! Just head into your office. The admin's is right next door, but you can just ignore that")
print("""*You realize you have freedom of choice. Choose a door*
1) your office
2) the admin's office
""")
choice = int(input())
if choice == 1:
if hash(YOURUSER) == hash(YOURUSER):
print("Man, this is a nice office")
quit()
else:
print("Hey, HR, my key doesn't work yet!")
quit()
elif choice == 2:
if hash(YOURUSER) == hash(ADMIN):
print(FLAG)
quit()
else:
print("The HR guy tackles you to the ground for insolence")
quit()
We notice that to obtain the flag, you need to have the same hash as the Admin. The hash function returns only the hash of the id. Since the Admin’s id is 1337, we only need to find a number whose hash (using Python’s hash function) yields the same value as 1337.
For this, here is a link that explains and solves the problem.
We can reuse this code:
import sys
def invert(h):
if h == -1: return [] # -1 gets coerced to -2 so no value has hash -1
if h < 0:
sign = -1
h = -h
else:
sign = 1
M = sys.float_info.mant_dig - 1 # = 52 = Bits available for mantissa
E = (sys.float_info.max_exp - sys.float_info.min_exp + 1) # = 1023 = bias
B = sys.float_info.radix # = 2, base of the floating point values
P = sys.hash_info.modulus # = 2^61 - 1 = the prime used as hash modulus
if not (0 <= h == int(h) < P):
return []
for e in range((E + 1) * 2):
# Want m such that (B^M + m) * B^(e-M-E) = h mod P
m = (h * B**(M+E-e) - B**M) % P
if m >= B**M: continue # Happens with probability (1-B**M/P)
f = (B**M + m) * B**(e-M-E)
if f == int(f): continue # We'll see this later as an integer
assert hash(f) == h
yield sign * f
# Special values if any
if h == sys.hash_info.inf:
yield sign * float('inf')
if h == sys.hash_info.nan:
yield float('nan')
# Now the integers
k = 0
while True:
yield sign * (h + k * P)
k += 1
num = 0
for n in invert(hash(1337)): # using hash(1337) here
print(hash(n), n)
num += 1
if num > 25:
break
Which gives:
1337 2.0934164822906223e-291
1337 4.827089761062554e-273
1337 1.1130511180393091e-254
1337 2.566521139428427e-236
1337 5.917994827350203e-218
1337 1.3645967001208267e-199
1337 3.1465457613696837e-181
1337 7.255440547025265e-163
1337 1.6729906864123787e-144
1337 3.857653878743603e-126
1337 8.895144228267027e-108
1337 2.0510806134697064e-89
1337 4.729469893902857e-71
1337 1.0905415092142534e-52
1337 2.5146175152790374e-34
1337 5.798313218452478e-16
1337 1337
1337 2305843009213695288
1337 4611686018427389239
1337 6917529027641083190
1337 9223372036854777141
1337 11529215046068471092
1337 13835058055282165043
1337 16140901064495858994
1337 18446744073709552945
1337 20752587082923246896
We then took the first integer: 2305843009213695288, which yields:
Welcome to onboarding! I'm Jacob from HR, and I'm here to make your experience as seamless as possible joining the company
Go ahead and tell me your name:
alexis
Welcome to the company, alexis
We also give you a user id, but in an attempt to make this company feel like home, we've decided to give you a choice in that, too. Go ahead and choose that now:
2305843009213695288
Okay, you're all set! Just head into your office. The admin's is right next door, but you can just ignore that
*You realize you have freedom of choice. Choose a door*
1) your office
2) the admin's office
2
byuctf{wh0_kn3w_h4sh_w4snt_h4sh}