I don’t know why this was classified as “Web” during the CTF because it’s actually a Python TCPServer, nothing to do with Web.
Anyways, the only hint we get for this challenge is “192.168.203.35:30050”.
Telnetting to it shows nothing, not even a banner. Sending a string makes it reply with an integer, sometimes after a noticeable 5-second delay. The connection stays open after each string.
We started by logging the integer replies and whether or not each one was delayed. Analyzing the data, we found that after a certain number of packets the delay pattern starts to repeat exactly.
Manually converting the first few delay patterns to binary started to give us ASCII characters…
To summarize:
– We can send as many packets as we want
– Each packet gets an integer reply, sometimes with a 5-second delay
– The delay pattern repeats, the integers do not
– It’s a timing side channel leaking the bits of the flag: a 1 bit gets a delay, a 0 bit does not.
Solution:
import socket
import time

host = '192.168.203.35'
port = 30050
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))

flag = ''      # bits of the byte currently being read
answer = ''    # characters decoded so far
i = 0
while i < 1024:
    buffer = b'A' * 8          # the content does not matter, only the timing of the reply
    start = time.time()
    sock.sendall(buffer)
    result = sock.recv(64)
    elapsed = time.time() - start
    print("i=", i, "elapsed=", elapsed, "result=", result)
    # a reply that took ~5 s is a 1 bit, an immediate reply is a 0 bit
    if elapsed > 2:
        flag = flag + '1'
    else:
        flag = flag + '0'
    i = i + 1
    if i % 8 == 0:
        # every 8 bits, MSB first, form one ASCII character of the flag
        c = int(flag, 2)
        answer = answer + chr(c)
        print("flag=", answer)
        flag = ''
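The analysis step the write-up did by hand (finding where the delay pattern starts to repeat and turning each run of 8 delays into an ASCII character), as an added Python example that is not part of the original write-up. The timings it works on are constructed by simulate_delays, not real captures from the challenge server, and the 2-second threshold is the same cut-off the solver above uses.

```python
import random

THRESHOLD = 2.0  # seconds; as in the solver: ~5 s replies are 1 bits, instant ones are 0 bits

def delays_to_bits(delays, threshold=THRESHOLD):
    """Classify each logged round-trip time as the bit it leaks."""
    return [1 if d > threshold else 0 for d in delays]

def find_period(bits):
    """Smallest multiple of 8 after which the bit sequence repeats exactly.

    Needs at least two full repetitions in the log, otherwise returns None.
    (A flag whose bytes are themselves periodic would report that shorter period.)
    """
    n = len(bits)
    for p in range(8, n // 2 + 1, 8):
        if all(bits[i] == bits[i - p] for i in range(p, n)):
            return p
    return None

def bits_to_text(bits):
    """Pack bits MSB-first into bytes, the way the solver's int(flag, 2)/chr(c) loop does."""
    usable = len(bits) - len(bits) % 8
    return ''.join(chr(int(''.join(map(str, bits[k:k + 8])), 2))
                   for k in range(0, usable, 8))

def recover_flag(delays, threshold=THRESHOLD):
    """From a log of per-packet delays, isolate one repetition of the pattern and decode it."""
    bits = delays_to_bits(delays, threshold)
    period = find_period(bits)
    return None if period is None else bits_to_text(bits[:period])

def simulate_delays(secret, repeats=2, seed=0):
    """Constructed timings (not real captures): ~5 s for a 1 bit, ~0 s for a 0 bit,
    with jitter, cycling through the secret's bits the way the challenge server did."""
    rng = random.Random(seed)
    delays = []
    for _ in range(repeats):
        for byte in secret.encode():
            for shift in range(7, -1, -1):
                if (byte >> shift) & 1:
                    delays.append(5.0 + rng.uniform(-0.3, 0.3))
                else:
                    delays.append(rng.uniform(0.0, 0.1))
    return delays

if __name__ == '__main__':
    log = simulate_delays('flag{t1m3}', repeats=3, seed=1)   # 'flag{t1m3}' is a made-up secret
    print('period (bits):', find_period(delays_to_bits(log)))  # 80
    print('recovered:', recover_flag(log))                      # flag{t1m3}
```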