Character Writeup - Cyber Apocalypse 2024

Last update: March 22, 2024

1 Introduction
2 Key Techniques
3 Mapping the application interactively
4 Determining the length of the flag
5 Obtaining each flag character
6 Assembling the flag
7 Conclusion

→ 1 Introduction

This writeup covers the Character Misc challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge involved basic scripting to interface with a TCP service.

The description of the challenge is shown below.

→ 2 Key Techniques

The key techniques employed in this writeup are:

Using common Linux commands to automate interaction with a TCP service, such as nc, seq, sed, grep, tr

→ 3 Mapping the application interactively

Upon connecting to the TCP endpoint using nc, it was found the endpoint could be queried for the character of the flag at a given index:

$ nc -n -v 94.237.62.94 41759
(UNKNOWN) [94.237.62.94] 41759 (?) open
Which character (index) of the flag do you want? Enter an index: 0
Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: 1
Character at Index 1: T

→ 4 Determining the length of the flag

A manual, sparse search for the length of the flag was conducted, resulting in a flag length of 103 after 9 queries, given that the flag is known to end with the } character.

Which character (index) of the flag do you want? Enter an index: 32
Character at Index 32: _
Which character (index) of the flag do you want? Enter an index: 64
Character at Index 64: 1
Which character (index) of the flag do you want? Enter an index: 48
Character at Index 48: 4
Which character (index) of the flag do you want? Enter an index: 120
Index out of range!
Which character (index) of the flag do you want? Enter an index: 100
Character at Index 100: g
Which character (index) of the flag do you want? Enter an index: 110
Index out of range!
Which character (index) of the flag do you want? Enter an index: 105
Index out of range!
Which character (index) of the flag do you want? Enter an index: 102
Character at Index 102: !
Which character (index) of the flag do you want? Enter an index: 103
Character at Index 103: }
Which character (index) of the flag do you want? Enter an index:

→ 5 Obtaining each flag character

A bash one-liner was used to obtain every flag character

seq 0 103: generates a sequence of numbers from 0 to 103 inclusive
| nc -n -v 94.237.62.94 41759: pipes the sequence to the endpoint
| tee character.log: pipes the output to the terminal and to the character.log file

$ seq 0 103 | nc -n -v 94.237.62.94 41759 | tee character.log
(UNKNOWN) [94.237.62.94] 41759 (?) open
Which character (index) of the flag do you want? Enter an index: Character at Index 0: H
Which character (index) of the flag do you want? Enter an index: Character at Index 1: T
Which character (index) of the flag do you want? Enter an index: Character at Index 2: B
Which character (index) of the flag do you want? Enter an index: Character at Index 3: {
Which character (index) of the flag do you want? Enter an index: Character at Index 4: t
Which character (index) of the flag do you want? Enter an index: Character at Index 5: H
Which character (index) of the flag do you want? Enter an index: Character at Index 6: 1
Which character (index) of the flag do you want? Enter an index: Character at Index 7: 5
Which character (index) of the flag do you want? Enter an index: Character at Index 8: _
Which character (index) of the flag do you want? Enter an index: Character at Index 9: 1
Which character (index) of the flag do you want? Enter an index: Character at Index 10: s
Which character (index) of the flag do you want? Enter an index: Character at Index 11: _
<snip/>
Which character (index) of the flag do you want? Enter an index: Character at Index 99: n
Which character (index) of the flag do you want? Enter an index: Character at Index 100: g
Which character (index) of the flag do you want? Enter an index: Character at Index 101: !
Which character (index) of the flag do you want? Enter an index: Character at Index 102: !
Which character (index) of the flag do you want? Enter an index: Character at Index 103: }
Which character (index) of the flag do you want? Enter an index: ^C

→ 6 Assembling the flag

The flag was assembled with another bash one-liner:

grep Index character.log: searches the log for the Index string
| sed -E -e 's/^Which.*Index [0-9]+: (.+)/\1/': replaces each line with the first capture group (.+) which matches the flag character at the end of each line.
| tr -d '\n': deletes newline characters

$ grep Index  character.log|sed -E -e 's/^Which.*Index [0-9]+: (.+)/\1/' |tr -d '\n'
HTB{tH14_1s_4_r3aLly_l0nG_fL4g_i_h0p3_f0r_y0Ur_s4k3_tH4t_y0U_sCr1pTEd_tH1s_oR_els3_iT_t0oK_qU1t3_l0ng!!}

→ 7 Conclusion

The flag was submitted and the challenge was marked as pwned