Kashmir54

Cibersecurity blog. CTFs, writeups, electronics and more!

Home Flipper Boards CTF Writeups YouTube View on GitHub

NACTF 2020

I participate in this CTF for team ISwearIGoogledIt and got some challenges:

Interesting CTF, with entry level challenges on web and forensic (more like stego) and other hard ones, specially some programming ones that I tried. Let’s get into it!


Forensic

Gummies

50

Kylie is obsessed with gummies. With her collection of miscellaneous gummy bears, she took this incredible picture which is now her phone’s wallpaper. Can you find her flag?

A simple zsteg -a will retrieve the flag:

nactf{5t3gan0graphy_rul35!}

Meta-morphosis

75

Mikey really likes Metamorphosis by Franz Kafka, so much so that he sent this meme to the class.

Check exiftools

kali@kali:~/Desktop/CTFs/NACTF/Forensic/Meta$ exiftool meme-3.jpg 
ExifTool Version Number         : 12.06
File Name                       : meme-3.jpg
Directory                       : .
File Size                       : 52 kB
File Modification Date/Time     : 2020:10:30 20:52:48-04:00
File Access Date/Time           : 2020:10:30 20:53:00-04:00
File Inode Change Date/Time     : 2020:10:30 20:53:00-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Big-endian (Motorola, MM)
Resolution Unit                 : None
Artist                          : nactf{m3ta_m3ta_m3ta_d3f4j}
Y Cb Cr Positioning             : Centered
Image Width                     : 500
Image Height                    : 461
Encoding Process                : Baseline DCT, Huffman coding

nactf{m3ta_m3ta_m3ta_d3f4j}

Turnips

100

Dr. J loves his ch0nky turnips, can you find his ch0nky flag?

Seems like a broken image… Let’s fix it with hexedit:

Ahhhh… Nope, but there is like some kind of strange pattern on the file… Let’s go for strings to see any hint:

kali@kali:~/Desktop/CTFs/NACTF/Forensic/Turnips$ strings turnip-for-what.jpg 
...
m4~9
Y@?X(
`."7
9#W.
5};D
x<4<?
kmS[
|6z}
byu;k
nactf{turn1p_f0r_h3x_f3j52}

Wops, got the flag:

nactf{turn1p_f0r_h3x_f3j52}

Secret Message

100

Monica loves inventing secret languages. So much so that she claims to be the only one to know the message in this recording. What does it say?

We got an mp3 file. I played it and it’s morse, let’s get it:

ffmpeg -i input.mp3 output.wav 
kali@kali:~/Desktop/CTFs/NACTF/Forensic/SecretMessage$ morse2ascii -m output.wav 

MORSE2ASCII 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- open output.wav
  wave size      1200478
  format tag     1
  channels:      1
  samples/sec:   48000
  avg/bytes/sec: 96000
  block align:   2
  bits:          16
  samples:       600239
  bias adjust:   -191
  volume peaks:  -30194 30194
  normalize:     2573
  resampling to  8000hz

- decoded morse data:
--.-..-...--...---./-----..-./.-......--.--...-....---....--...

This time I couldn’t get the morse right with the morse2ascii, so let’s head over to Morsecode:

nactf{QU33N_0F_L4NGU4G3S}

Turnips 2

150

Uh oh.. Parth’s file seems to have been corrupted. Can you figure out how to find his flag?

I run a bunch of commands over the file.txt but this was the final check. Look over with xxd and find some interesting fragments:

.lvG........I9D0
.......}.....Oi.
....WiCCPICC Pro
file..X..y.TT]..
...0...%........
..*).*.. ......!
b!.("...H...*(..
.....y..}.;k.{..

I looked in google de WiCCPICC Profile and checked that is something related with a PNG IHDR file, therefore I hexedit the file and place the correct magic bytes and headers according to the specification:

00000000   89 50 4E 47  0D 0A 1A 0A  .PNG....
00000008   00 00 00 0D  49 48 44 52  ....IHDR
00000010   00 00 04 A3  00 00 03 7D  .......}
00000018   08 06 00 00  00 4F 69 BA  .....Oi.
00000020   C0 00 00 18  57 69 43 43  ....WiCC
00000028   50 49 43 43  20 50 72 6F  PICC Pro
00000030   66 69 6C 65  00 00 58 85  file..X.

nactf{th3_turn1p5_ar3_tak17g_0v35_skf9}

Static

250

Juliet just airdropped me this really wierd photo that looks like tv static. She said this would be easier than passing notes in class, but I can’t understand what she’s trying to say. Help!

Rip like 5 hours… I was close, but you never know.


Web

Login

175

Vyom has learned his lesson about client side authentication and his soggy croutons will now be protected. There’s no way you can log in to this secure portal!

https://login.challenges.nactf.com/

Let’s try some SQL Injections:

nactf{sQllllllll_1m5qpr8x}

150

Arjun owns a cookie shop serving warm, delicious, oven-baked cookies. He sent me his ages-old family recipe dating back four generations through this link, but, for some reason, I can’t get the recipe. Only cookie lovers are allowed!

We can see a cookie into the page. Let’s log in with any username:

Ok, no admin works, so let’s try to change the cookie for the auth.php path:

Reload the website and there we go:

nactf{c00kie_m0nst3r_5bxr16o0z}


Crypto

Caesar’s Challenge

25

Zabelo wrote this message on a note he passed to me. anpgs{q3p1cu3e1at_e0px5!} He also told me his favorite number was 13. What could this mean?

Ez ROT13: nactf{d3c1ph3r1ng_r0ck5!}

YAMS

100

Instead of turnips, Yavan loves YAMS. Day and night, he sings about YAMS, dreams about YAMS and runs to the store to catch the newest released batch of YAMS. Hes cryptic too. I wonder what this could mean.

Uexummq lm Vuycnqjc. Hqjc ie qmud xjas: fycfx{waY5_sp3_Y0yEw_w9vU91}

YAMS…. Is YAMS a key? Vigenere?

Welcome to Vigenere. Here is your flag: nactf{yaM5_ar3_Y0mMy_w9jC91}

Oligar’s Tricky RSA

175

The crypto master Oligar just sent this file with three numbers. What do they mean?

I got the file with RSA parameters:

c = 97938185189891786003246616098659465874822119719049
e = 65537
n = 196284284267878746604991616360941270430332504451383

For this I have a little roadmap with RsaCtfTool. Find it down below:

kali@kali:/opt/RsaCtfTool$ python3 RsaCtfTool.py --createpub -n 196284284267878746604991616360941270430332504451383 -e 65537 > ~/Desktop/CTFs/NACTF/Crypto/RSA/pub.key

kali@kali:/opt/RsaCtfTool$ python3 RsaCtfTool.py --publickey ~/Desktop/CTFs/NACTF/Crypto/RSA/pub.key --private > ~/Desktop/CTFs/NACTF/Crypto/RSA/key

[*] Performing factordb attack on /home/kali/Desktop/CTFs/NACTF/Crypto/RSA/pub.key.

Results for /home/kali/Desktop/CTFs/NACTF/Crypto/RSA/pub.key:

Private key :
-----BEGIN RSA PRIVATE KEY-----
MHgCAQACFgCGTZu3ODf6xVEntw2V1WILWDz/KTcCAwEAAQIVJ4WzK0nZ/2wNo9Es
si23/pijS3ihAgsIev/y8NsVH+p3vwILD9Y2EXS3Fv4f7IkCCwexQq/kyGVuEOnT
AgsONFZepc8qwlij8QILCB0K8fjbLQ1JbCE=
-----END RSA PRIVATE KEY-----


kali@kali:/opt/RsaCtfTool$ python3 RsaCtfTool.py --dumpkey --key  ~/Desktop/CTFs/NACTF/Crypto/RSA/key         
private argument is not set, the private key will not be displayed, even if recovered.                        
n: 196284284267878746604991616360941270430332504451383  
e: 65537                                              
d: 57761855232773998001493320508606360547602423576737 
p: 10252256693298561414756287                   
q: 19145471103565027335990409

Now use this script developed over other CTFs:

#!/usr/bin/env python3
import codecs

e = 65537
n = 196284284267878746604991616360941270430332504451383
d = 57761855232773998001493320508606360547602423576737 

msg = 97938185189891786003246616098659465874822119719049
flag = []

hexa = str(hex(pow(msg,d,n)))[2:]
print(hexa)

flag = codecs.decode(hexa, 'hex').decode('utf-8')
print(flag)

We can retrieve the flag:

kali@kali:~/Desktop/CTFs/NACTF/Crypto/RSA$ python3 text.py 
6e616374667b736e33616b795f6331706833727d0a
nactf{sn3aky_c1ph3r}

nactf{sn3aky_c1ph3r}

Random Number Generator

250

Dr. J created a fast pseudorandom number generator (prng) to randomly assign pairs for the upcoming group test. Austin really wants to know the pairs ahead of time… can you help him and predict the next output of Dr. J’s prng?

Beginner foothold: The server script uses the following line:

random.seed(round(time.time() / 100, 5))

The random library will generate numbers from that seed. Imagine that you use the number 1 instead of the time as seed. You will get the same random numbers in the same order for different executions. That is why they are called pseudo-random, because they aren’t real random numbers. Read more.

For this one I try to find the same seed as the server. For this task I picked various seeds within a given timeframe. I set this timeframe with my machine time and 2 offsets, -100000 and +100000. The following script will find the correct seed by comparing the first generated number. When found, we go ahead and send the following two numbers:

import random, time
from pwn import *

magic_number_1, magic_number_2 = 0, 0
r = remote('challenges.ctfd.io', 30264)

print(r.recv())
r.send("r\n")
number = int(r.recv()[:-2])
print(number)
print("-----------")

#Cover a wide frame of time, checking wether I found the correct seed or not:
for i in range(-100000,100000):

  random.seed(round(time.time() / 100 + i/100000, 5))
  number_2 = random.randint(1, 100000000)

  if number_2 == number:
    print(str(number_2), i)
    magic_number_1 = random.randint(1, 100000000)
    magic_number_2 = random.randint(1, 100000000)

r.send("g\n")
print(r.recv())
r.send("{}\n".format(magic_number_1))
print(r.recv())
r.send("{}\n".format(magic_number_2))
print(r.recv())
kali@kali:~/Desktop/CTFs/NACTF/Crypto/RandomNumberGenerator$ python3 test.py 
[+] Opening connection to challenges.ctfd.io on port 30264: Done
b"Welcome to Dr. J's Random Number Generator!\n[r] Print a new random number\n[g] Guess the next two random numbers and receive the flag!\n[q] Quit\n\n> "
31242721
-----------
31242721 399
b'Guess the next two random numbers for a flag!\nGood luck!\nEnter your first guess:\n> '
b"Wow, lucky guess... You won't be able to guess right a second time\nEnter your second guess:\n> "
b"What? You must have psychic powers... Well here's your flag: \nnactf{ch000nky_turn1ps_1674973}\n"

nactf{ch000nky_turn1ps_1674973}

Error 1

350

Pranay has decided that the previous error detection scheme is a little bit too inefficient… While eating his delicious HAM-filled Italian Sub at lunch, he came up with a new idea. Fortunately, he has also invested in a less noisy communication channel.

Worked on Hamming Code. I went deep into the basics in order to refresh the very basics. I end up using the following script and this lib:

from hamming import decode as dec
from bitarray import bitarray
data_str = '010011011010011010100011011001111110111101000101010011110111010101110110100110001100000111011101100100101111011010110001010011001110011010101111010111111010111010110111010111110110100110011011001101101101011101000111101000110100001010110100100001110110011110111011111101111000001100100011011010010111101100100100000011001101000001001010100000100111001011111101'
def chunks(l, n):
    # For item i in a range that is a length of l,
    for i in range(0, len(l), n):
        # Create an index range for l of n items:
        yield l[i:i+n]

# Divide in chunks of 15 bits
chunk_list = list(chunks(data_str, 15))
print(chunk_list)
final_data = bitarray()

# 16 bit chunk:

# X 0 1 0
# 0 1 1 0
# 1 1 1 1 
# 0 0 1 1 


for item in chunk_list:

  item = list(item)
  print(item)
  #This is key. The library gets 16 bit chunks, there is one misses, the first one. We calculate
  #if it's 0 or 1. We know that there is AT LEAST ONE ERROR. Therefore, we set this bit the other way around.
  if item.count('1') % 2 == 0:
    item.insert(0,'1')
  else:
    item.insert(0,'0')
  print(item)
  print('--------')
  data = bitarray(''.join(item))
  print(data)
  print(dec(data))
  final_data.extend(dec(data))

print(final_data)

I obtained the following bitarray, I introduced it into CyberChef with From binary and got the flag:

011011100110000101100011011101000110011001111011011010000110000101101101011011010011000101101110011001110101111101100011011011110110010000110011011100110101111100110101001101000011011001101101011101100011001101110001001110010110000100110000011101000110010101111101

nactf{hamm1ng_cod3s_546mv3q9a0te}

Error 2

550

Kayla decided she wants to use the previous error detection scheme for cryptography! After computing the normal error bits, she switched them around according to a secret key.

Worked on permutations and ways to check which permutation is the right one. What I mean is, the parity bits have been permutated, they are normally located at positions [1,2,4,8], but since this implementation only uses 15 bits, they are found at positions i-1 = [0,1,3,7]. In this challenge, they picked those positions and place it at any of the other 15 positions. The foothold is to find the right permutation. We generate all permutations of 4 length arrays with the possible 15 positions:

For each permutation (aka. “the secret key” on the challenge description) we will pick the bits from the positions and correctly place the into their original positions in this challenge: [0,1,3,7]. For example, we have the following permutation key: (5, 7, 8, 13). The workflow is:

bit_chunk = '011010100100111'

POP position 5 from the chunk and insert it at position 0:
'01101**0**100100111' -> '**0**01101100100111'

POP position 7 from the chunk and insert it at position 1:
'0011011**0**0100111' -> '0**0**0110110100111'

POP position 8 from the chunk and insert it at position 3:
'00011011**0**100111' -> '000**0**11011100111'

POP position 13 from the chunk and insert it at position 7:
'000011011100**1**11' -> '0000110**1**1110011'

To sum up:

Positions (5, 7, 8, 13) to (0, 1, 3, 7): ‘011010100100111’ -> ‘000011011110011’

Once we change the chunk, we introduce it into the library and try to solve the error using hamming code. REMEMBER, this lib uses 16 bit chunks, we need to insert the remaining parity bit at position 0!!

We compare the output with the expected first letter, in this case the one of the flag ‘n’.

This workflow is implemented on the following script along with the usage of previous hamming lib:

from hamming import decode as dec
from bitarray import bitarray
import time
import binascii
import itertools

data_str = '011010100100111010010011110010110110110010010010011100001111101101101000110100110000010011100010001001110000110111100100110111111110101000101011011010000111100001000111001110010111001101011100011101111011100111111000101001110000011101011110010111111110001101110000011010010011101010010110101010001000011100101110100000101110000010110010100010101111010110001101001100001000101100100011111000100001110001100110001110101011010001111001111001101001110000110000111011001000010110001001010111111010101100010011011001110110111001100111101001001100110100100110001000101010111011101010110000111001011100111001'

#For dividing in chunks
def chunks(l, n):
  for i in range(0, len(l), n):
    yield l[i:i+n]


def text_from_bits(bits, encoding='utf-8', errors='surrogatepass'):
  n = int(bits, 2)
  return n.to_bytes((n.bit_length() + 7) // 8, 'big').decode(encoding, errors) or '\0'


#Pick the bits from the combination and insert them into the right position for parity bits
def swap(bits, comb):
  for i, j in zip([0,1,3,7], [0,1,2,3]):
    ex = bits.pop(comb[j])
    bits.insert(i, ex)
  return bits


#Divide in chunks of 15 bits
chunk_list = list(chunks(data_str, 15))
secret_key = []

# Get all permutations of length 4 with the 15 posible positions:
iterable = [x for x in range(0,14)]
combinations = list(itertools.permutations(iterable, r=4))
print('Total permutations: ', len(list(combinations)))

#Try all permutations that could lead into the right first two bytes
for combination in combinations:

  final_data = bitarray()

  for item in chunk_list[:6]:

    item = swap(list(item), combination)
    
    '''
    Add the first parity bit so the lib can get the 16 bits needed. 
    We know there is one wrong, therefore we will apply it the other way around.
    '''
    if item.count('1') % 2 == 0:
      item.insert(0,'1')
    else:
      item.insert(0,'0')

    data = bitarray(''.join(item))
    '''
    Get the result from fixing error:
    '''
    final_data.extend(dec(data))

  msg = ''.join(final_data.decode({'1':bitarray('1'), '0':bitarray('0')}))
  if msg[:48] == '011011100110000101100011011101000110011001111011':
    print(msg[:48], '= 011011100110000101100011011101000110011001111011')
    print('Combination = ', combination)
    secret_key = combination
    break

#The we could find 2 combinations, but only the first showed a reasonable flag.
#We stop when find the first permutation with the previous break instruction.

# Now that we know the permutations, retrieve the flag
final_data = bitarray()

for item in chunk_list:
  item = swap(list(item), secret_key)
  
  if item.count('1') % 2 == 0:
    item.insert(0,'1')
  else:
    item.insert(0,'0')
  data = bitarray(''.join(item))
  final_data.extend(dec(data))

msg = ''.join(final_data.decode({'1':bitarray('1'), '0':bitarray('0')}))
n = text_from_bits(msg, encoding='utf-8', errors='surrogatepass')
print(n)

After execution we can get out flag :D

kali@kali:~/Desktop/CTFs/NACTF/Crypto/Error2/hamming$ python3 script.py 
Total permutations:  24024
011011100110000101100011011101000110011001111011 = 011011100110000101100011011101000110011001111011
Combination =  (5, 7, 8, 13)
nactf{err0r_c0rr3cti0n_w1th_th3_c0rr3ct_f1le_q73xer7k9}

nactf{err0r_c0rr3cti0n_w1th_th3_c0rr3ct_f1le_q73xer7k9}


General

Dr. J’s Vegetable Factory #1 🥕

50

After years of collecting plush vegetable toys, Dr. J decided to take on his true passion: starting a vegetable factory. Dr. J is incredibly organized, so he likes all of his vegetables to be in the proper order. In fact, he built a robot “Turnipinator-1000” to alphabetize his vegetables for him! Unfortunately, Dr. J doesn’t know what instructions to give Turnipinator-1000. Can you help him out? 🥬🥕🌽🍆🥦🥒🥑🍄

nc challenges.ctfd.io 30267

Give instructions in the form of numbers separated by spaces. Entering the number x will swap the vegetable in position x with the vegetable in position x+1. Positions start at zero, not one. (Dr. J is a programmer after all.) For example, given the following vegetables: Avocado, Brocolli, Eggplant, Daikon Radish, Carrot, one possible solution is “3 2 3”

Avocado, Brocolli, Eggplant, Daikon Radish, Carrot

(swap 3 and 4)

Avocado, Brocolli, Eggplant, Carrot, Daikon Radish

(swap 2 and 3)

Avocado, Brocolli, Carrot, Eggplant, Daikon Radish

(swap 3 and 4)

Avocado, Brocolli, Carrot, Daikon Radish, Eggplant

The problem is like bubble sort algorithm. The following algorithm retrieves the information from the server, gets the list, sortit alphabet-wise and gets the positions of each sorted element. Then on the original unsorted list we place the position it has to reach. Then the bubble sort algorithm does the trick, and each position change it does is collected into a list. Then the list is the input for the challenge.

This algorithm can be used in the next challenge, only change the option in the send line:

 r.send("1\n") 
from pwn import *
import re
import time

def bubbleSort(arr): 

    n = len(arr) 
    sequence = []
    for i in range(n-1): 
        for j in range(0, n-i-1): 
            if arr[j] > arr[j+1] : 
                sequence.append(str(j))
                arr[j], arr[j+1] = arr[j+1], arr[j] 
    return sequence


def get_sequence(current_list):

    unordered = current_list.split(', ')
    sorted_list = sorted(unordered)

    for desired_index, item in enumerate(sorted_list):
        current_index = unordered.index(item)
        unordered[current_index] = desired_index

    sequence = bubbleSort(unordered) 
    print('Sequence: ', ' '.join(sequence))
    return ' '.join(sequence)


r = remote('challenges.ctfd.io', 30267)
received = r.recv().decode('utf-8')
print(received)
r.send("1\n")
stage = 0
while True:
   
    msg = r.recv().decode('utf-8')
    
    print("-----------")
    print(msg)
    print("-----------")
    if 'nactf' in msg:
        print(msg)
        break
    if not stage:
        re_obj = re.search(r'\n\n(.*)\n\n', msg)
        vege = re_obj.groups(1)[0]
    else:
        re_obj = re.search(r'STAGE [0-9] 🥬🥕🌽🍆🥦🥒🥑🍄\n(.*)\n', msg)
        vege = re_obj.groups(1)[0]
    print("+++++")
    print(str(vege))
    print("+++++")
    sequence = get_sequence(vege)
    r.send("{}\n".format(sequence))
    stage += 1

Execute it and retrieve the flag:

nactf{1f_th3r3s_4_pr0b13m_13ttuce_kn0w_db4d736fd28f0ea39ec}

Dr. J’s Vegetable Factory #2 🥕

150

Dr. J expanded his vegetable factory! Now he’s got hundreds of vegetables. Same problem as last time: can you give Turnipinator-1000 the right instructions to sort Dr. J’s vegetables? 🥬🥕🌽🍆🥦🥒🥑🍄

nc challenges.ctfd.io 30267

Use previous algorithm and change the option in the send line:

 r.send("2\n") 

nactf{d0n7_w0rry_p34_h4ppy_f27ae283dd72cb62f685}

Dr. J’s Vegetable Factory #3 🥕

175

Rahul hates vegetables. Rahul hates vegetables so much that he snuck into Dr. J’s factory at night to sabotage Dr. J’s vegetable production! He brought a sledgehammer and broke the wheels of Dr. J’s robot! 😓 Now the robot is stuck in place, and instead of being able to swap any adjacent elements, it can only swap the elements in positions 0 and 1!

But Dr. J won’t let this incident stop him from giving the people the vegetables they deserve! Dr. J is a problem solver 🧠. He organized his vegetables in a circle, and added a conveyor-belt that allows him shift the positions of the vegetables. He thinks that the conveyor belt should make it possible to sort his vegetables, but he’s not 100% sure. Can you help him out?

nc challenges.ctfd.io 30267

Enter letters separated by spaces to sort Dr. J’s vegetables. Entering “c” will activate the conveyor belt and shift all vegetables left one position. Entering “s” will swap the vegetable in position 0 with the vegetable in position 1.

The same as before, but now we fix the positions at 1 and 0, adding the conveyor belt function (pop first element and append it).

When position 0 is better than 1, swap, else, move conveyor. The exception case is if position 0 is the final element and the position 1 is the fisrt element, in this case, we move the conveyor.

from pwn import *
import re
import time

def bubbleSort(arr, sorted_arr): 

    n = len(arr) 
    sequence = []
    bot, top = min(sorted_arr), max(sorted_arr)
    # While the array is not sorted...
    while arr != sorted_arr: 
        # Exceptional case
        if arr[0] == top and arr[1] == bot:
            # Move conveyor-belt
            first = arr.pop(0)
            arr.append(first)
            sequence.append('c')
            continue
        # Swap elements if 0 is greater than 1
        if arr[0] > arr[1]: 
            sequence.append('s')
            arr[0], arr[1] = arr[1], arr[0] 
        else:
            # Move conveyor-belt    
            first = arr.pop(0)
            arr.append(first)
            sequence.append('c')

    return sequence


def get_sequence(current_list):

    unordered = current_list.split(', ')
    sorted_list = sorted(unordered)

    # Set objectives and arrays
    for desired_index, item in enumerate(sorted_list):
        current_index = unordered.index(item)
        unordered[current_index] = desired_index
    sorted_numbers = sorted(unordered)
    sequence = bubbleSort(unordered, sorted_numbers) 
    return ' '.join(sequence)


r = remote('challenges.ctfd.io', 30267)
received = r.recv().decode('utf-8')
print(received)
r.send("3\n")
stage = 0
while True:
   
    msg = r.recv().decode('utf-8')
    print("-----------")
    print(msg)
    print("-----------")
    if 'nactf' in msg:
        break
    if not stage:
        re_obj = re.search(r'order:\n\n(.*)', msg)
        vege = re_obj.groups(1)[0]
    print("+++++")
    print(str(vege))
    print("+++++")
    sequence = get_sequence(vege)
    r.send("{}\n".format(sequence))
    stage += 1

nactf{1t_t4k35_tw0_t0_m4n90_8a51c7b47fbe227}

Dr. J’s Vegetable Factory #4 🥕

350

Thanks to you solving Dr. J’s conveyor belt conundrum, Dr. J’s vegetable factory is up and running once again. But this time, Juliet breaks into the factory to finish what Rahul started. For some reason, she doesn’t break Turnipinator-1000 completely. First, she spins Turnipinator-1000 in a random direction. Then, she pulls the arms of Turnipinator-1000 a random distance apart so it can no longer swap adjacent elements! Now, it can only swap the vegetable in position x with the vegetable in position y!

Initially, Dr. J is very sad. 😥 Even with the conveyor belt, he doesn’t think he can sort his vegetables anymore. But then, Dr. J has a brilliant revelation! 💡 He scribbles on scratch paper for a few minutes, then he gets up and removes a few of the vegetables from the conveyor belt.

Proudly, he declares, “Dr. J’s Vegetable Factory is back in business!”

nc challenges.ctfd.io 30267

Same instructions as in part #3. Enter letters separated by spaces to sort Dr. J’s vegetables. Entering “c” will activate the conveyor belt and shift all vegetables left one position. Entering “s” will swap the vegetable in position x with the vegetable in position y. (x and y will be given.)

Nah. I couldn’t get it :(

That’s all I could do! Thanks for reading!