Rating:

# Just Take Your Time

## Description

Let's go. In and out. 2 second adventure.

###### Hint -> While this may not be pwn, its tools may still be quite handy.

## Solution

Analyzig the code we see that the flag is encrypted using the time() of the system


key = str(int(time())).zfill(16).encode("utf-8")
secret = token_hex(16)
cipher = DES3.new(key, DES3.MODE_CFB, b"00000000")
encrypted = cipher.encrypt(secret.encode("utf-8"))


We can connect to the service, pass the first challenge (a * b) and get the encrypted secret

Now we can try to decrypt using the time, -100 / 100 is used to be safer, send it back and get the flag

Let's write the script

python
from pwn import *
from Crypto.Cipher import DES3
from time import time
from random import randint

nc = remote("dctf-chall-just-take-your-time.westeurope.azurecontainer.io", 9999)

nc.recvline()
a, b = map(int, nc.recvline().decode().strip().split(' ')[::2])
nc.sendline(str(a * b))

t = int(time())
nc.recvline()
secret = bytes.fromhex(nc.recvlineS())
log.info(f"Secret: {secret.hex()}")

for i in range(-100, 100):
key = str(t + i).zfill(16).encode("utf-8")
cipher = DES3.new(key, DES3.MODE_CFB, b"00000000")
plain = cipher.decrypt(secret)
if plain.isalnum():
nc.sendline(plain.decode())
nc.recvline()
log.info(f"Time: {i}")
log.success(nc.recvlineS())
break


console
\$ python JustTakeYourTime.py
[+] Opening connection to dctf-chall-just-take-your-time.westeurope.azurecontainer.io on port 9999: Done
[*] Secret: f24f18b5814062decdb85c6283778d7d2551b62bf039d97dafae5408b6f5b666
[*] Time: -10
[+] dctf{1t_0n1y_t0Ok_2_d4y5...}


#### **FLAG >>** dctf{1t_0n1y_t0Ok_2_d4y5...}

Original writeup (https://github.com/K1nd4SUS/CTF-Writeups/tree/main/dCTF_2021/Just%20Take%20Your%20Time).