RC3 CTF 2016: goodtime (150 points)




The flag is not on the youtube video, the flag on there is someone trying to confuse you. Sorry.
The flag is also longer than normal.
nc goodtime.ctf.rc3.club 5866
NOTE: there should be a prompt when you connect. if there isn’t it went down so scream at me in IRC until I fix.

author: wumb0


The description contains a couple of notes, as there were problems with the challenge at first (I could not connect, for example). That made people wonder if the flag would be in the linked Youtube video, which gave some troll the idea to put a fake flag in the comments.

As the description said, the challenge was served on port 5866 on goodtime.ctf.rc3.club. Let’s have a look:

After connecting, a prompt asking for the flag was displayed. After entering an incorrect flag, it would simply return “Nope\n” and quit.

Since we know the flag is always of the form RC3-2016-<some string>, let’s try something that looks alike:

What I noticed after submitting the flag starting with RC3-2016, is that it took the server much longer to respond. After trying it some times more from different machines (also remotely), this behavior seemed to be consistent.

That’s interesting. Could it be that a correct character goes through an other loop in the server-side code than a wrong character? An example of code that I thought would be running on the server is the following:

The idea is quite simple now: we should try all letters, both uppercase and lowercase (A-Za-z), the dash (-) and all numbers (0-9) as they are probably the characters used in the flag (the @ sign was added later, after I figured some punctuation was used as well). If the guessed character is right, it turns out the server takes 0.30 (later changed to 0.25 by the authors) seconds longer to respond (that would be time.sleep(0.25) in my sample code above). If the guessed character is wrong, however, the response time would be really small (a couple of milliseconds only).

Let’s try to make some exploit code:

That should work! Eventually, the end of the output looked like this:

Let’s try that one:

So, our flag is RC3-2016-itz-alw4yz-a-g00d-t1m1ng-@tt@ck.

It took me a while to figure out that those sneaky bastards used the @ symbol. Also, it took roughly 0.25 seconds for each correct character, and since they made the flag 40 characters long, the final request took around 10 seconds (after each correct character, 0.25 seconds were added to the response time). When I first ran the script, that time was not 0.25 seconds but 0.30, which meant my script stopped working all of a sudden (I had the threshold for detecting a good character set at 0.28 in the beginning). Making changes like that to a CTF challenge that takes so long to complete is not too nice. 

Leave a Comment

Your email address will not be published.