Nullcon-HackIM CTF 2019- MLAuth-Misc(500)Writeup
Tl;dr There are plenty of write ups about this challenge, but the reason I am writing this is because, I did it with a minimal effort as the challenge was constructed in a way. I just solved it in four steps and thats why this write up. :)
Upon downloading the given zip file in the Google Drive link, I got two files one was get_prob.py and keras_model. As the name suggested the challenge was related to Machine Learning. keras_model was pre trained model file. Upon running file command over it showed it was Hierarchical Data Format. The problem statement was written in the get_prob.py file as well as the code to check the authenticity of profile locally using the given model.
An organisation has implemented an authentication system “mlAuth” using machine learning, which is 99.9% accurate. Every employee has a profile(represented by a string on 784 hex values). mlAuth is trained using these profiles to predict the probability of authenticity for an employee. System grants access only if the predicted probability is higher than 0.99. Hence, your aim is to generate a fake profile that will trick the 99.9% accurate mlAuth in granting you access.
I had no prior experience with ML stuff. So, I did a quick googling on keras model and ended up on how I can visualize the model. That will help to understand the inputs and weights to the model. I used plot_model function of the keras library in python to visualize the model.
I was stuck now had no idea what to do next, the profile value was taking input of a long 784 char long hex with min 0x0 (0) and max 0xff (255) values. I printed some values of the script and got.
It was converting the Hex to a list of length 785 ( 784 as starts with 0), which upon googling I understood were features of the model. It gave a score at last based on the trained model. We need a hex profile which gave score greater than 0.99xxx to get our flag from server.
After thinking for some time, only one idea came to my mind !!!!!
So, idea was to keep all other values static and bruteforce one value from 0x0 to 0xff so it will be 784*256 combinations. I told my team mate to write a script to bruteforce this profile and he started working on it. Till than i thought let me try obvious profiles.
The four Step solution
I started to test obvious min and max values so the first profile I made was all min values.
profile = hex(0)*784
Ran it through model and got this.
Second time I took all values as Max.
hex(255) * 784 = predicted probability of authenticity is :0.9240912Nice improvement it was. So now I divided 784/2 = 392 half less and half max values.
hex(0)*392 + hex(255)*392 = predicted probability of authenticity is :0.95876306It was clear that I was near to the perfect profile, so I further divided the values. 784/4 = 196
hex(0)*196+hex(255)*196+hex(0)*196+hex(255)*196 = 0.9999167And Bingo! on fourth step I got our needed profile, now we need to send it to Server and flag is ours.
hackim19{wh0_kn3w_ml_w0ould_61v3_y0u_1337_fl465}So, I was able to get the flag in 4 attempts, because the profile was interconnected. Our team dark_phoenix ended on 38th position at the end of CTF. It was a great learning experience.
Until next time, have a good one. :)
