Security through Induced Boredom is a personal favourite approach of mine. Not as exciting as something like The Fray, but I love making it as tedious as possible to see my secrets, so you can only get one character at a time!
We can get the flag character by character by providing the index:
```
Which character (index) of the flag do you want? Enter an index: 0
Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: 1
Character at Index 1: T
Which character (index) of the flag do you want? Enter an index: 2
Character at Index 2: B
Which character (index) of the flag do you want? Enter an index:
```
We automate this using pwntools:
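```python
import pwn
import sys


def solve(r: pwn.remote):
    flag = ""
    got_flag = False
    index = 0
    while not got_flag:
        # str arguments work, but pwntools emits a BytesWarning for each one;
        # passing bytes (b"...") instead avoids the warning.
        r.recvuntil("Which character (index) of the flag do you want? Enter an index:")
        r.sendline(str(index))
        response = r.recvline()
        # The reply line ends with "<char>\n", so [-2] is the requested character.
        last_character = response.decode("utf-8")[-2]
        flag += last_character
        print(last_character, end="", flush=True)
        # The flag ends with "}", so that character marks the last index.
        if last_character == "}":
            got_flag = True
        index += 1
    print()
    r.close()
    print()
    pwn.log.success(f"Flag: {flag}")


def conn():
    # Expect exactly two arguments: the remote IP and the remote port.
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} remote-ip remote-port")
        sys.exit(1)
    r = pwn.remote(sys.argv[1], int(sys.argv[2]))
    return r


def main():
    r = conn()
    solve(r)


if __name__ == "__main__":
    main()
```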
Running the script gives us the flag:
```
┌── 👽AKUMA 🥷 ➤➤ 🌐10.10.0.12
├──[ ~/Desktop/CTF/hackerroyale]
└─ ⚔ python3 script.py 83.136.253.78 30391
[+] Opening connection to 83.136.253.78 on port 30391: Done
/home/pepe/ctf/htb/cyber-apocalypse-2024/misc/character/gather_flag.py:10: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.recvuntil("Which character (index) of the flag do you want? Enter an index:")
/home/pepe/ctf/htb/cyber-apocalypse-2024/misc/character/gather_flag.py:11: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  r.sendline(str(index))
HTB{tH15_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}
[*] Closed connection to 83.136.253.78 port 30391
[+] Flag: HTB{tH15_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}
```
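To rehearse the exchange offline, the following added example (not part of the original write-up) runs a constructed stand-in for the service on a loopback port and recovers its secret with standard-library sockets instead of pwntools. The names `serve`, `recover` and `demo`, the sample secret, and the mock's behaviour of hanging up on bad input are assumptions; only the prompt and reply wording come from the session above.

```python
import re
import socket
import threading

PROMPT = b"Which character (index) of the flag do you want? Enter an index: "
REPLY = re.compile(rb"Character at Index (\d+): (.)\r?\n")

def serve(listener, secret):
    """Constructed stand-in for the service: one character per request."""
    conn, _ = listener.accept()
    try:
        with conn, conn.makefile("rb") as rx:
            while True:
                conn.sendall(PROMPT)
                line = rx.readline().strip()
                # Assumption: the mock hangs up on non-numeric or out-of-range input.
                if not line.isdigit() or int(line) >= len(secret):
                    return
                conn.sendall(b"Character at Index %d: %c\n" % (int(line), secret[int(line)]))
    except OSError:
        pass  # client disconnected first

def recover(host, port, max_len=256):
    """Ask for index 0, 1, 2, ... and stop at the closing brace."""
    out = bytearray()
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rx:
        for i in range(max_len):
            if rx.read(len(PROMPT)) != PROMPT:
                raise ValueError(f"no prompt before index {i}")
            s.sendall(b"%d\n" % i)
            m = REPLY.fullmatch(rx.readline())
            # Check the echoed index instead of trusting the last byte of the line.
            if m is None or int(m.group(1)) != i:
                raise ValueError(f"unexpected reply for index {i}")
            out += m.group(2)
            if m.group(2) == b"}":
                break
    return out.decode()

def demo(secret=b"FLAG{constructed_sample}"):
    """Run the mock service on a loopback port and recover its secret."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve, args=(listener, secret), daemon=True).start()
    try:
        return recover(*listener.getsockname())
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
```

Unlike the `[-2]` slice, the regular expression rejects any reply that does not match the expected line, and `max_len` bounds the loop if a closing brace never arrives.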