[Internetwache CTF 2016] [Code 80 – Brute with Force] Write Up

Description

People say, you’re good at brute forcing… Have fun!

Service: 188.166.133.53:11117

Resolution

On connecting to the server, we were greeted with this prompt:

People say, you're good at brute forcing...
Hint: Format is TIME:CHAR
Char 0: Time is 16:22:54, 051th day of 2016 +- 30 seconds and the hash is: 8fc5d07bb5a4f55e058877be1aa14682c1d5bd37

The task was a bit confusing at first. We thought we had to hash the timestamp of the given date (shifted by +/- 30 seconds) together with the char “0” to get to the next level, but that was not it at all.
The hash to brute-force was built from the timestamp (shifted by +/- 30 seconds) and the i-th char of the flag. Thanks to the admins for clarifying that, btw 🙂
Since we knew the flag format, we could easily guess that the first char to find was “I” and the second “W”.

We wrote a small script to brute-force the timestamp over (nearly all of) the printable ASCII character space, trying candidates in this order:

<timestamp-30>":"A
[…]
<timestamp-30>":"Z
<timestamp-29>":"A
[…]
<timestamp-29>":"Z
[…]
<timestamp+30>":"Z


# coding: utf8

import socket
import time
import hashlib

def getAnswer(q):
    # Candidate characters for the i-th flag char (nearly all printable ASCII)
    chars = 'azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN{}1234567890\'"(-_/*+)"&#[]|@<>?./§!:;,'

    # Parse the challenge line: char index, time, day of year, year, delta and hash
    q = q.split('\n')[0].rstrip()
    ch = q.split(':')[0].split(" ")[1]
    hour = q.split(',')[0].split('is ')[1]
    day = q.split('th')[0].split(', ')[1]
    year = q.split("of ")[1].split(' ')[0]
    delta = int(q.split(' seconds')[0].split(year + " +- ")[1])
    target = q.split(' ')[-1]  # SHA-1 hex digest announced by the server

    # mktime() interprets the parsed time in the local time zone
    stamp = time.strptime(str(hour + " " + day + " " + year), '%H:%M:%S %j %Y')
    stamp = int(time.mktime(stamp))
    tmp = stamp - delta
    found = 0
    # Walk the timestamps starting at stamp - delta, trying every char for each
    while tmp < stamp + (delta * 2) and found == 0:
        for c in chars:
            calc = hashlib.sha1((str(tmp) + ":" + c).encode('utf8')).hexdigest()
            if calc == target:
                found = 1
                return str(tmp) + ":" + c
        tmp = tmp + 1

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("188.166.133.53", 11117))
flag = ""
while True:
    buf = s.recv(1024).decode('utf8', 'replace')
    if not buf:
        # Server closed the connection
        break

    if 'Char' in buf:
        buf = buf.split('Char')[1]
        print(buf)
        res = getAnswer(buf)
        if res:
            print(res)
            flag += res[-1]  # last char of the answer is the recovered flag char
            s.send(res.encode('utf8'))
    print(flag)


After a little while, the flag was waiting at our prompt.

Flag was IW{M4N_Y0U_C4N_B3_BF_M4T3RiAL!}
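
An offline way to exercise the same search, as an added example (not the script used during the CTF): `make_challenge` is a constructed stand-in for the server, and the sample epoch, the `string`-based charset and the UTC interpretation of the announced time are assumptions, since the write-up does not state the server's time zone.

```python
import calendar
import hashlib
import re
import string
import time

# Matches the challenge line format shown in the write-up.
PROMPT_RE = re.compile(
    r"Char (\d+): Time is (\d\d:\d\d:\d\d), (\d{3})th day of (\d{4}) "
    r"\+- (\d+) seconds and the hash is: ([0-9a-f]{40})"
)
CHARSET = string.ascii_letters + string.digits + string.punctuation  # assumed charset


def make_challenge(index, secret_char, epoch, skew):
    """Mock server (constructed): hash '<epoch+skew>:<char>', announce epoch in UTC."""
    digest = hashlib.sha1(f"{epoch + skew}:{secret_char}".encode()).hexdigest()
    shown = time.strftime("%H:%M:%S, %jth day of %Y", time.gmtime(epoch))
    return f"Char {index}: Time is {shown} +- 30 seconds and the hash is: {digest}"


def solve(prompt, charset=CHARSET):
    """Return 'TIME:CHAR' for a challenge line, or None if nothing matches."""
    m = PROMPT_RE.search(prompt)
    if m is None:
        return None
    _, clock, day, year, delta, target = m.groups()
    # timegm() treats the parsed struct as UTC, unlike mktime() (local time).
    base = calendar.timegm(time.strptime(f"{clock} {day} {year}", "%H:%M:%S %j %Y"))
    delta = int(delta)
    for ts in range(base - delta, base + delta + 1):  # inclusive +- delta window
        for c in charset:
            candidate = f"{ts}:{c}"
            if hashlib.sha1(candidate.encode()).hexdigest() == target:
                return candidate
    return None


def recover(secret, epoch=1455985374, skew=-17):
    """Run the whole exchange offline against the mock and rebuild the secret."""
    answers = [solve(make_challenge(i, ch, epoch + i, skew)) for i, ch in enumerate(secret)]
    return "".join(a[-1] for a in answers)
```

Each character costs at most 61 timestamps times the charset size, a few thousand SHA-1 calls, which is why the search finishes almost instantly.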
