Tags: misc scripting
Rating: 5.0
# TL;DR
I did some preliminary checks to find that there were only 3 "random values" that are selected. Once you have a sample of the 3, you can XOR them with a known plaintext to get the seeds. Then you can sample the next 3 "random values", XOR them with the seed, then get the 3 candidates for the next letter.
# Code
```python
from pwn import *
octets = [0x77, 0x10, 0x2]
def sample(prefix):
found_octets = set()
while len(found_octets) < 3:
io = remote("challenges.ctfd.io", 30468)
io.sendlineafter("flag]>", prefix)
io.recvuntil('unknown IPv4 address I have...')
io.recvline()
io.recvline()
sample = io.recvline().strip()
assert b"0x" in sample
found_octets.add(int(sample, 16))
io.close()
return found_octets
import sys
prefix = sys.argv[1]
print(prefix)
o = sample(prefix)
o2 = [hex(_) for _ in o]
print("Octets", o2)
cset = set()
hset = set()
for i in o:
for j in octets:
ij = (i ^ j)
cset.add(chr(ij))
hset.add(hex(ij))
print(cset)
#print(hset)
```
I'm using `pwntools` because it's easy to play with stdin and stdout with it.
The `octets` were discovered beacuse I knew the first several letters would be `flag{`. When I typed in `f`, it would give me one of these 3 outputs: `[0x1b, 0x7c, 0x6e]`.
XOR-ing them with the hex value of `l` gave me the seeds: `[0x77, 0x10, 0x2]`
The `sample()` function will query the server until it can gather 3 unique outputs.
Then it will print out `cset` ("character set") which contains all unique characters.
It's generally up to you to guess which one is next. I didn't automate this part.
# Flag
`flag{f0ll0w_th3_whit3_r@bb1t}`