DO NOT FEED THE BUGS

Brute with Force

[Internetwache CTF, 2016]

by verr

  • Category: Code
  • Points: 80
  • Solves: 66
  • Description:

People say, you're good at brute forcing... Have fun! Hint: You don't need to crack the 31. character (newline). Try to think of different (common) time representations. Hint2: Time is CET

Service: 188.166.133.53:11117

Write-up

After telnet'ing to the given host, we received the following challenge from the server:

Trying 188.166.133.53...
Connected to 188.166.133.53.
Escape character is '^]'.
People say, you're good at brute forcing...
Hint: Format is TIME:CHAR
Char 0: Time is 19:53:40, 052th day of 2016 +- 30 seconds and the hash is: f7417f29f9760d97724c6f5c575a26b3dcaf39ef
1264373473:I
Nope, that's not the right solution. Try again later!
Connection closed by foreign host.

It was rather obvious that our task was to find a character (CHAR) and the time of hashing (TIME) such that the SHA1 digest of the string TIME:CHAR was equal to the one given.

The annoying parts were the format of TIME and the timezone (the second hint was only added after we solved the challenge).

Usually such challenges consist of multiple levels, so we again automated the solving using the beloved pwntools/binjitsu.

Apart from guessing the format (Unix timestamp) and the timezone (CET), plus some parsing, the main brute-force loop looked like this:

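# timestamp, digest, get_SHA, r (the pwntools connection) and flag
# are set up earlier in the full script.
for offset in range(0, 62):              # candidate seconds around the announced time
    for CHAR in string.printable:        # candidate flag character
        TIME = str(timestamp + offset)
        text = TIME + ':' + CHAR
        if digest == get_SHA(text):      # SHA1 of TIME:CHAR matches the server's hash
            log.info('Solution: ' + text)
            r.sendline(text)
            flag += CHAR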

After 31 rounds, we owned the flag:

IW{M4N_Y0U_C4N_B3_BF_M4T3RiAL!}

The complete Python code used to solve this challenge can be found as a Gist.
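
One round of the search described above, written out offline as an added example (not the author's script from the Gist). It assumes the hashed string is the decimal Unix timestamp, a colon and one character, and that CET is a fixed UTC+1 offset; parse_challenge, solve_round and SAMPLE_LINE are hypothetical names, and the sample hash is constructed locally rather than taken from the server.

```python
import hashlib
import re
import string
from datetime import datetime, timedelta, timezone

# Assumption: CET as a fixed UTC+1 offset (the challenge date is in February, no DST).
CET = timezone(timedelta(hours=1))

LINE_RE = re.compile(
    r"Time is (\d\d:\d\d:\d\d), (\d{3})\w\w day of (\d{4}) "
    r"\+- (\d+) seconds and the hash is: ([0-9a-f]{40})"
)

def parse_challenge(line):
    """Return (unix_timestamp, window_seconds, sha1_hex) for one server line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("unrecognised challenge line")
    clock, day_of_year, year, window, digest = m.groups()
    # %j is the day of the year, matching the "052th day of 2016" representation.
    local = datetime.strptime(f"{clock} {day_of_year} {year}", "%H:%M:%S %j %Y")
    return int(local.replace(tzinfo=CET).timestamp()), int(window), digest

def solve_round(line):
    """Try every second in the window with every printable character."""
    base, window, digest = parse_challenge(line)
    for ts in range(base - window, base + window + 1):
        for char in string.printable:
            candidate = f"{ts}:{char}"
            if hashlib.sha1(candidate.encode()).hexdigest() == digest:
                return candidate
    return None  # wrong time format or timezone guess: nothing in the window matches

# Constructed sample: the displayed time is the one from the transcript above,
# but the hash is built here from a timestamp 17 seconds earlier and the char "I".
SAMPLE_ANSWER = "1456080803:I"
SAMPLE_LINE = (
    "Char 0: Time is 19:53:40, 052th day of 2016 +- 30 seconds and the hash is: "
    + hashlib.sha1(SAMPLE_ANSWER.encode()).hexdigest()
)

if __name__ == "__main__":
    print(solve_round(SAMPLE_LINE))
```

The whole search space is 61 timestamps times 100 printable characters, so at most 6,100 SHA1 evaluations per round, which is why an unsalted hash of a roughly known time plus one character hides nothing.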
