I don’t know why this was classified as “Web” during the CTF, because it’s actually a Python TCPServer and has nothing to do with the web.
Anyway, the only hint we get for this challenge is “192.168.203.35:30050”.
When connecting with telnet, it does nothing: no banner. Sending a string makes it reply with an integer, sometimes after a notable 5-second delay. We are not disconnected after each string.
We started by logging each integer reply and whether it was delayed or not. Analyzing the data, we found that after a certain number of packets the delay pattern starts to repeat exactly.
Manually converting the delay pattern to binary for the first few bytes started to give us ASCII characters…
– We can send as many packets as we want
– Each packet gets an integer reply, sometimes with a 5-second delay
– The delay pattern repeats; the integer replies do not
– It’s a time-based leak of the bits of the flag: a 1 bit gets a delay, a 0 bit does not
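The decoding the bullets above describe, as an added example that is not the write-up's own script: a constructed timing trace is generated for a known flag (no real server involved), thresholded into bits with the write-up's 2-second cutoff, the repeating period is found from the trace, and the first period is decoded back to ASCII. The function names, the jitter model and the MSB-first bit order are assumptions.

```python
import random

DELAY_SECONDS = 5.0   # observed delay for a 1 bit
THRESHOLD = 2.0       # the write-up's cutoff between "delayed" and "not delayed"

def flag_to_bits(flag):
    """MSB-first bits of each ASCII byte, the order the write-up's decoder assumes."""
    return [(ord(ch) >> (7 - k)) & 1 for ch in flag for k in range(8)]

def simulate_timings(flag, n_packets, seed=0):
    """Constructed sample: one elapsed-time reading per packet (assumed model).
    The leak is cyclic, so packet i reveals bit i modulo the flag length;
    a little uniform jitter stands in for network noise."""
    rng = random.Random(seed)
    bits = flag_to_bits(flag)
    timings = []
    for i in range(n_packets):
        base = DELAY_SECONDS if bits[i % len(bits)] else 0.0
        timings.append(base + rng.uniform(0.0, 0.3))
    return timings

def timings_to_bits(timings, threshold=THRESHOLD):
    """A reply slower than the threshold is a 1 bit, anything else a 0 bit."""
    return [1 if t > threshold else 0 for t in timings]

def smallest_period(bits):
    """Smallest p such that the observed bit sequence repeats every p bits;
    that is the flag length in bits once enough packets have been sent."""
    n = len(bits)
    for p in range(1, n + 1):
        if all(bits[i] == bits[i % p] for i in range(n)):
            return p
    return n

def bits_to_text(bits):
    """Group bits into bytes (dropping a trailing partial byte) and decode as ASCII."""
    whole = len(bits) - len(bits) % 8
    return ''.join(chr(int(''.join(str(b) for b in bits[j:j + 8]), 2))
                   for j in range(0, whole, 8))

def recover_flag(timings, threshold=THRESHOLD):
    """Full pipeline: timings -> bits -> one period -> text."""
    bits = timings_to_bits(timings, threshold)
    return bits_to_text(bits[:smallest_period(bits)])
```

With fewer than two full periods of samples, smallest_period cannot tell where the repetition starts, so collect at least twice the expected flag length in bits.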
import socket
import time

host = '192.168.203.35'
port = 30050
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))    # no banner is sent, so start probing right away
flag = ''       # bits collected for the character currently being decoded
answer = ''     # characters decoded so far
i = 0
while i < 1024:
    buffer = 'A' * 8          # any payload works; only the reply timing matters
    start = time.time()
    sock.sendall(buffer)
    result = sock.recv(64)
    elapsed = time.time() - start
    print "i=", i, "elapsed=", elapsed, "result=", result
    if elapsed > 2:           # delayed reply -> bit 1, prompt reply -> bit 0
        flag = flag + '1'
    else:
        flag = flag + '0'
    i = i + 1
    if i % 8 == 0:            # every 8 bits form one ASCII character
        c = int(flag, 2)
        answer = answer + chr(c)
        print "flag=", answer
        flag = ''