back to puzzle

When you log into this server, you find an interactive restricted shell with the locale set to Catalan.

Your user tse has limited ability to do anything, but needs to somehow look at the contents of flag/flag.txt, which is owned by user macavity.

You can run ls and cat, which should help you look around a little bit; you’ll see

bin cat-flag flag gats and wrapper.c

where bin contains cat, ls, script, and wrapper, while cat-flag is just the command cat flag/flag.txt. The gats directory contains files with various T. S. Eliot cat names, each with a different size.

-rw-r--r-- 1 tse tse 408882 Oct  5  1939 bombalurina
-rw-r--r-- 1 tse tse  68123 Oct  5  1939 carbucketty
-rw-r--r-- 1 tse tse  31147 Oct  5  1939 cassandra
-rw-r--r-- 1 tse tse  12913 Oct  5  1939 coricopat
-rw-r--r-- 1 tse tse  58019 Oct  5  1939 deuteronomy
-rw-r--r-- 1 tse tse 198120 Oct  5  1939 griddlebone
-rw-r--r-- 1 tse tse 912014 Oct  5  1939 grizzabella
-rw-r--r-- 1 tse tse  81291 Oct  5  1939 growltiger
-rw-r--r-- 1 tse tse 284011 Oct  5  1939 jellylorum
-rw-r--r-- 1 tse tse 123819 Oct  5  1939 jemima
-rw-r--r-- 1 tse tse 221810 Oct  5  1939 jennyanydots
-rw-r--r-- 1 tse tse 902124 Oct  5  1939 mistoffeles
-rw-r--r-- 1 tse tse   4891 Oct  5  1939 mongojerrie
-rw-r--r-- 1 tse tse   1892 Oct  5  1939 munkustrap
-rw-r--r-- 1 tse tse 178123 Oct  5  1939 pouncival
-rw-r--r-- 1 tse tse 319873 Oct  5  1939 quaxo
-rw-r--r-- 1 tse tse 172831 Oct  5  1939 rumpleteazer
-rw-r--r-- 1 tse tse   4839 Oct  5  1939 rumtumtugger
-rw-r--r-- 1 tse tse  80012 Oct  5  1939 sillabub
-rw-r--r-- 1 tse tse  73183 Oct  5  1939 skimbleshanks
-rw-r--r-- 1 tse tse   1921 Oct  5  1939 tantomile
-rw-r--r-- 1 tse tse 489124 Oct  5  1939 tumblebrutus
-rw-r--r-- 1 tse tse 758012 Oct  5  1939 victoria

By looking at wrapper.c and script, you can eventually figure out that the only significant command you’re allowed to run here will be

wrapper ./bin/script

followed by some list of cat names from gats (Catalan for “cats”). Following the script’s rules, each cat may be used at most once, and no other input sources may be provided.

When the combined size of those files is exactly 982832 (hexadecimal EFF30!), this command will go on to run the command cat flag/flag.txt under the user account macavity (due to the wrapper running setuid macavity). But if the size is anything else, you’ll get an error due to skipping too many or too few bytes. (If the input size is too small, dd will skip over the cat flag/flag.txt command, while if the input size is too large, it will contain one or more X characters which will render the cat flag/flag.txt command syntatically invalid. If the input size is just right, however, the cat flag/flag.txt command will get interpreted by a shell running as user macavity, and will succeed.)

So, the question is what combination of cat sizes would exactly equal 982832. This is an instance of the SUBSET SUM problem in computer science, which is an NP-complete problem asymptotically as difficult as SATISFIABILITY (hence the name of this challenge). However, fortunately for you, this instance of the problem is small enough that you can easily solve it by brute force by writing your own script to try all possible subsets of the cats. The number of cases to be examined by brute force would be 2²³ or 8388608, which should not take much time at all on a modern computer. One example of a brute force solution in Python is

#!/usr/bin/env python

import itertools

cats = [408882, 68123, 31147, 12913, 58019, 198120, 912014, 81291, 284011, 123819, 221810, 902124, 4891, 1892, 178123, 319873, 172831, 4839, 80012, 73183, 1921, 489124, 758012,]

for n in range(1, len(cats)+1):
    for c in itertools.combinations(cats, n):
        if sum(c) == 0xEFF30:
            print (n, c)

The correct answer is

wrapper ./bin/script gats/bombalurina gats/cassandra gats/deuteronomy gats/jennyanydots gats/pouncival gats/rumtumtugger gats/sillabub

although the order of the cats doesn’t matter and any other order is also valid.

Running this produces the following output


La resposta és quatre mil milions dos-cents sis milions cinc-cents quaranta-sis mil sis-cents sis.

This means


The answer is four billion two hundred six million five hundred forty-six thousand six hundred six.

so your hexadecimal answer is FABACEAE.