EGCTF 2019 - SCA101 Writeup
Approaching the challenge we only get a simple description:
nc 167.172.124.190 9002
Analysis
We started by fuzzing the server with inputs of varying length. We always got the Bad Flag response, but the response time varied with the input length. It wasn’t long until we realized that our input is simply compared with the flag on the server and each character takes approximately 1 second.
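The leak described above, modelled locally next to a comparison that removes it. This is an added example, not the challenge's server code or the script from the original writeup. It assumes the server compares left to right and stops at the first mismatch; the secret, the guesses and all function names are constructed for illustration, and a step counter stands in for the per-character delay.

```python
import hmac

# Constructed sample secret, not the challenge flag.
SECRET = "EGCTF{0123456789abcdef}"

def leaky_check(guess, secret=SECRET):
    """Assumed server behaviour: compare left to right and stop at the first
    mismatch. `steps` stands in for the ~1 second spent per character."""
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return len(guess) == len(secret), steps

def fixed_work_check(guess, secret=SECRET):
    """Hardened form: always walk the whole secret and fold differences into
    one accumulator, so the step count does not depend on the guess."""
    g, s = guess.encode(), secret.encode()
    diff = len(g) ^ len(s)
    steps = 0
    for i in range(len(s)):
        diff |= s[i] ^ (g[i] if i < len(g) else 0)
        steps += 1
    return diff == 0, steps

def production_check(guess, secret=SECRET):
    """What to deploy: the standard library's constant-time comparison."""
    return hmac.compare_digest(guess.encode(), secret.encode())

def step_profile(check, guesses):
    """Steps taken per guess; any variation is a signal an observer can time."""
    return [check(g)[1] for g in guesses]

# Constructed guesses sharing 0, 6, 10 and all 23 characters with SECRET.
GUESSES = ["X" * 23, "EGCTF{" + "X" * 17, "EGCTF{0123" + "X" * 13, SECRET]

if __name__ == "__main__":
    print("leaky:", step_profile(leaky_check, GUESSES))
    print("fixed:", step_profile(fixed_work_check, GUESSES))
```

The leaky profile grows with the length of the correct prefix, which is exactly what the response times revealed; the fixed-work profile is flat for every guess.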
Initial Approach
We then wrote a simple script to approach the challenge as below
But after running the script for a while, and with our team members finding other flags, we deduced that it is most probably sha256, which is 64 bytes. So instead of bruteforcing with string.printable, we only need the 16 hex bytes and the closing curly bracket, but it will still take too long given the long response time of the server.
Multithreading
At that moment we decided to attempt to write a multithreaded script to reduce the time of each trial by 17 times (the bruteforce character domain), which would give us a better shot at getting the flag faster. The problem was that none of us had tried writing a multithreaded script before, though of course we were familiar with the concept, so with a couple of Google searches we wrote a new script
As expected it was much faster and we got the full flag: EGCTF{73b433927afbca56a9f867df43a78575bfc8fdb839916074c6efcf2de10d4d0a}
Ironically, the flag was reduced to 10 bytes instead of 64 after we got it :"D