forbytten blogs

Character Writeup - Cyber Apocalypse 2024


1 Introduction

This writeup covers the Character Misc challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge involved basic scripting to interface with a TCP service.

The description of the challenge is shown below.

Character challenge description

2 Key Techniques

The key techniques employed in this writeup are:

3 Mapping the application interactively

Upon connecting to the TCP endpoint using nc, it was found that the endpoint could be queried for the character of the flag at a given index:

$ nc -n -v 94.237.62.94 41759
(UNKNOWN) [94.237.62.94] 41759 (?) open
Which character (index) of the flag do you want? Enter an index: 0
Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: 1
Character at Index 1: T

4 Determining the length of the flag

A manual, sparse search for the length of the flag was conducted, resulting in a flag length of 103 after 9 queries, given that the flag is known to end with the } character.

Which character (index) of the flag do you want? Enter an index: 32
Character at Index 32: _
Which character (index) of the flag do you want? Enter an index: 64
Character at Index 64: 1
Which character (index) of the flag do you want? Enter an index: 48
Character at Index 48: 4
Which character (index) of the flag do you want? Enter an index: 120
Index out of range!
Which character (index) of the flag do you want? Enter an index: 100
Character at Index 100: g
Which character (index) of the flag do you want? Enter an index: 110
Index out of range!
Which character (index) of the flag do you want? Enter an index: 105
Index out of range!
Which character (index) of the flag do you want? Enter an index: 102
Character at Index 102: !
Which character (index) of the flag do you want? Enter an index: 103
Character at Index 103: }
Which character (index) of the flag do you want? Enter an index:

5 Obtaining each flag character

A bash one-liner was used to obtain every flag character:

$ seq 0 103 | nc -n -v 94.237.62.94 41759 | tee character.log
(UNKNOWN) [94.237.62.94] 41759 (?) open
Which character (index) of the flag do you want? Enter an index: Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: Character at Index 1: T
Which character (index) of the flag do you want? Enter an index: Character at Index 2: B
Which character (index) of the flag do you want? Enter an index: Character at Index 3: {
Which character (index) of the flag do you want? Enter an index: Character at Index 4: t
Which character (index) of the flag do you want? Enter an index: Character at Index 5: H
Which character (index) of the flag do you want? Enter an index: Character at Index 6: 1
Which character (index) of the flag do you want? Enter an index: Character at Index 7: 5
Which character (index) of the flag do you want? Enter an index: Character at Index 8: _
Which character (index) of the flag do you want? Enter an index: Character at Index 9: 1
Which character (index) of the flag do you want? Enter an index: Character at Index 10: s
Which character (index) of the flag do you want? Enter an index: Character at Index 11: _
<snip/>
Which character (index) of the flag do you want? Enter an index: Character at Index 99: n
Which character (index) of the flag do you want? Enter an index: Character at Index 100: g
Which character (index) of the flag do you want? Enter an index: Character at Index 101: !
Which character (index) of the flag do you want? Enter an index: Character at Index 102: !
Which character (index) of the flag do you want? Enter an index: Character at Index 103: }
Which character (index) of the flag do you want? Enter an index: ^C

6 Assembling the flag

The flag was assembled with another bash one-liner:

$ grep Index character.log | sed -E -e 's/^Which.*Index [0-9]+: (.+)/\1/' | tr -d '\n'
HTB{tH14_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}
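
The manual length search from section 4 and the log parsing above can be combined into one script. The following is an added example, not part of the original writeup: it replaces the manual sparse search with doubling followed by bisection, and parses reply lines in the format seen in character.log. The names `ask`, `fake_service` and the sample secret are constructed for illustration; `ask` stands for any callable that sends one index to the service and returns the reply line.

```python
import re

PROMPT = "Which character (index) of the flag do you want? Enter an index: "
REPLY = re.compile(r"Character at Index (\d+): (.)")

def parse_reply(line):
    """Character carried by one reply line, or None for 'Index out of range!'."""
    if "Index out of range!" in line:
        return None
    match = REPLY.search(line)
    if match is None:
        raise ValueError(f"unexpected reply: {line!r}")
    return match.group(2)

def last_index(ask):
    """Highest valid index: double the probe until it fails, then bisect."""
    if parse_reply(ask(0)) is None:
        raise ValueError("index 0 is already out of range")
    lo, hi = 0, 1                      # lo is known to be valid
    while parse_reply(ask(hi)) is not None:
        lo, hi = hi, hi * 2
    while hi - lo > 1:                 # invariant: lo valid, hi out of range
        mid = (lo + hi) // 2
        if parse_reply(ask(mid)) is None:
            hi = mid
        else:
            lo = mid
    return lo

def read_flag(ask):
    """Query every index from 0 to the last valid one and join the characters."""
    return "".join(parse_reply(ask(i)) for i in range(last_index(ask) + 1))

def fake_service(secret):
    """Constructed offline stand-in that answers in the character.log line format."""
    def ask(i):
        if 0 <= i < len(secret):
            return f"{PROMPT}Character at Index {i}: {secret[i]}\n"
        return f"{PROMPT}Index out of range!\n"
    return ask

if __name__ == "__main__":
    # Constructed sample secret, not the challenge flag.
    print(read_flag(fake_service("HTB{c0nstructed_s4mple}")))
```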

7 Conclusion

The flag was submitted and the challenge was marked as pwned.

Submission of the flag marked the challenge as pwned