Tags: reversing 

basic-pass-3 (200)

Problem

Ok, the sysadmin finally admits that maybe authentication should happen on a server. Can you just check everything really quick to make sure there aren't any problems now? He put some readouts for people who forget their passwords.

nc challenges.ctfd.io 30133

Solution

This is a pretty simple bruteforce challenge, but not in the way that you'd expect. Observe the following behaviour.

$ nc challenges.ctfd.io 30133
welcome to the login portal.
Enter the password.
bcactf{
11111110000000000000000000000000000000
Enter the password.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
00100000000000000000000000000000000000

The server answers each guess with one digit per position: a 1 where the character at that position is correct, and a 0 where it is wrong. All we need to do is send each candidate character repeated across the whole length, note which positions come back as 1, and build the flag from those positions. Here's a script I wrote to solve this.

#!/usr/bin/env python3

import socket
import string

def main():

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
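        # Getting some info: read the banner and the first prompt, then
        # submit an empty guess.
        s.connect(("challenges.ctfd.io", 30133))
        s.recv(1024); s.recv(1024); s.send(b"\n")
        # Use the size of the reply to the empty guess as the number of
        # positions to fill.
        length = len(s.recv(1024))
        flag   = ["" for i in range(length)]
        s.send(b"\n"); s.recv(1024)

        # Bruting the flag. string.printable[:-5] drops the trailing
        # whitespace control characters (tab, newline and so on).
        for character in string.printable[:-5]:
            # Send one character repeated across every position; each 1 in
            # the reply marks a position where that character belongs.
            s.send(((character * length) + "\n").encode())
            msg = s.recv(1024).decode("utf-8").split("\n")[0]
            print(character, msg)
            for i in range(len(msg)):
                if msg[i] == "1":
                    flag[i] = character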

        print("".join(flag))

if __name__ == "__main__":
    main()

Here it is in action.

$ ./solve.py 
0 00000000100000000000000000000000000000
1 00000000000000000000000010000000000000
2 00000000000000000000000000000000000000
3 00000000000001000000010000000000000000
4 00000000000100010010000000000000000000
5 00000000000000000001000000000000000000
6 00000000000000000000000000000000000000
7 00000000000000000000100000000000000000
8 00000000000000000000000000000000000000
9 00000000000000000000000000000001000000
a 00100000000000000000000000000000000000
b 10000000000000000000000000000000010000
c 01010000000000000000000000000000000000
d 00000000000000000000000000000000000000
e 00000000000000000000000000000000000000
f 00000100000000000000000000000000000000
g 00000000000000000000000000000000000000
h 00000000000000000000000000000000000000
i 00000000000000000000000000000000000000
j 00000000000000000000000000000000000000
k 00000000000000000000000000000000000000
l 00000000000000000000000000000000000100
m 00000000000000000100000100000010000000
n 00000000000000000000000001000000000000
o 00000000000000000000000000000000000000
p 00000000000000000000000000000000000000
q 00000000000000000000000000000000000000
r 00000000000010000000001000000000000000
s 00000000000000000000000000000000000000
t 00001000000000000000000000000000000000
u 00000000010000000000000000000000000010
v 00000000000000000000000000000000100000
w 00000000000000000000000000000000000000
x 00000000000000000000000000000000000000
y 00000001000000000000000000000000000000
z 00000000000000000000000000000000000000
A 00000000000000000000000000000000000000
B 00000000000000000000000000000000000000
C 00000000000000000000000000000000000000
D 00000000000000000000000000100000000000
E 00000000000000000000000000000000000000
F 00000000000000000000000000000000000000
G 00000000000000000000000000000000001000
H 00000000000000000000000000000000000000
I 00000000000000000000000000000000000000
J 00000000000000000000000000000000000000
K 00000000000000000000000000000000000000
L 00000000000000000000000000000000000000
M 00000000000000000000000000000000000000
N 00000000000000000000000000000000000000
O 00000000000000000000000000000000000000
P 00000000000000000000000000000000000000
Q 00000000000000000000000000000000000000
R 00000000000000000000000000000000000000
S 00000000000000000000000000000000000000
T 00000000000000000000000000000000000000
U 00000000000000000000000000000000000000
V 00000000000000000000000000000000000000
W 00000000000000000000000000000000000000
X 00000000000000000000000000000000000000
Y 00000000000000000000000000000100000000
Z 00000000000000000000000000000000000000
! 00000000000000000000000000010000000000
" 00000000000000000000000000000000000000
# 00000000000000000000000000000000000000
$ 00000000000000000000000000000000000000
% 00000000000000000000000000000000000000
& 00000000000000000000000000000000000000
' 00000000000000000000000000000000000000
( 00000000000000000000000000000000000000
) 00000000000000000000000000000000000000
* 00000000000000000000000000000000000000
+ 00000000000000000000000000000000000000
, 00000000000000000000000000000000000000
- 00000000000000000000000000000000000000
. 00000000000000000000000000000000000000
/ 00000000000000000000000000000000000000
: 00000000000000000000000000000000000000
; 00000000000000000000000000000000000000
< 00000000000000000000000000000000000000
= 00000000000000000000000000000000000000
> 00000000000000000000000000000000000000
? 00000000000000000000000000000000000000
@ 00000000000000000000000000000000000000
[ 00000000000000000000000000000000000000
\ 00000000000000000000000000000000000000
] 00000000000000000000000000000000000000
^ 00000000000000000000000000000000000000
_ 00000000001000101000000000001000000000
` 00000000000000000000000000000000000000
{ 00000010000000000000000000000000000000
| 00000000000000000000000000000000000000
} 00000000000000000000000000000000000001
~ 00000000000000000000000000000000000000
bcactf{y0u_4r3_4_m4573rm1nD!_Ym9vbGlu}
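
The per-position readout is the whole flaw: it reduces the search from every possible string to one guess per candidate character. The following is an added example, not part of the original writeup, that models the readout locally next to a check that returns a single pass/fail result. `SECRET`, `leaky_readout`, `hardened_check`, `queries_to_recover` and `blind_search_space` are hypothetical names, and the secret is a constructed sample.

```python
import hmac
import string

SECRET = "flag{c0nstructed_s4mple}"   # constructed sample, not the challenge flag
ALPHABET = string.printable[:-5]      # same candidate set as the solve script


def leaky_readout(guess: str, secret: str = SECRET) -> str:
    """Challenge-style reply: one '1' or '0' per position of the secret."""
    padded = guess.ljust(len(secret), "\0")
    return "".join("1" if g == s else "0" for g, s in zip(padded, secret))


def hardened_check(guess: str, secret: str = SECRET) -> bool:
    """One pass/fail result, compared in constant time, no positional detail."""
    return hmac.compare_digest(guess.encode(), secret.encode())


def queries_to_recover(readout, alphabet: str = ALPHABET):
    """Count the guesses needed to rebuild a secret from a per-position readout."""
    length = len(readout(""))          # an empty guess already reveals the length
    found = [None] * length
    queries = 1
    for ch in alphabet:
        queries += 1
        for i, bit in enumerate(readout(ch * length)):
            if bit == "1":
                found[i] = ch
        if all(c is not None for c in found):
            break
    return "".join(c or "?" for c in found), queries


def blind_search_space(length: int, alphabet: str = ALPHABET) -> int:
    """Candidates to try when the server only ever answers pass or fail."""
    return len(alphabet) ** length


if __name__ == "__main__":
    recovered, used = queries_to_recover(leaky_readout)
    print("with readout   :", recovered, "in", used, "guesses")
    print("pass/fail only :", blind_search_space(len(SECRET)), "candidates")
    # The same repeated-character guesses teach nothing against the hardened check.
    print("hardened replies:", {hardened_check(c * len(SECRET)) for c in ALPHABET})
```

A production login would also store a salted password hash instead of the secret itself and rate-limit attempts per connection.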
Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-BCA/reversing/basic-pass-3.md).