All we are given is the hostname hulk-smash.hecc.io on which the service is running. Since we don't know which port to connect to, we first have to run a port scan:
nmap hulk-smash.hecc.io -p 1-65535
Note that simply running nmap hulk-smash.hecc.io returns nothing, since by default nmap only scans its 1000 default ports rather than the full range. The scan comes back with a single open port: 8124.
We can connect to the port directly using netcat to see what the server does:
nc hulk-smash.hecc.io 8124
The server prompts us for a password and replies with "INCORRECT" for every single-character input except f. Once we try two-character strings starting with f, similarly only fl is accepted. One reasonable hypothesis is that the server checks our input one character at a time and replies with "INCORRECT" as soon as a character is wrong; in other words, any input that is a prefix of the password gets accepted.
The server lets us send multiple queries without closing the connection, but that requires some careful state handling (since we have to check if the last query was correct and we are still extending it). An easier option is to open a new connection every time we try to test a prefix and configure a timeout so we don’t get stuck waiting forever:
from pwnlib.tubes.remote import remote

def check(pwd):
    # Open a fresh connection for every probe so there is no state to track.
    serv = remote('hulk-smash.hecc.io', 8124)
    serv.recvuntil(b'?\r\n')          # wait for the password prompt
    serv.send(pwd.encode('ascii'))
    resp = serv.recv(timeout=1)       # empty bytes if the server stays silent
    serv.close()
    # Any reply other than INCORRECT means the prefix was accepted.
    return b'INCORRECT' not in resp
Now all we need to do is to assemble the flag character by character:
res = ''
done = False
while not done:
    done = True
    # Try to extend the accepted prefix by one more character.
    for c in 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_}':
        if check(res + c):
            res += c
            done = False   # keep going as long as something was accepted
            break
print(res)
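The behaviour the server shows above is an early-exit, character-by-character comparison. As an added example that is not part of the original write-up, here is that pattern modelled in Python beside a fixed-length, constant-time comparison that never accepts a prefix; SECRET, the "OK" reply string and the function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample secret for this demonstration (not the real flag).
SECRET = "flag{example}"

def check_prefix_oracle(attempt: str, secret: str = SECRET) -> str:
    """Model of the behaviour seen in the write-up: the input is compared one
    character at a time and rejected at the first mismatch, so every prefix
    of the secret is reported as accepted and the secret leaks one character
    per probe."""
    for i, ch in enumerate(attempt):
        if i >= len(secret) or secret[i] != ch:
            return "INCORRECT"
    return "OK"

def check_constant_time(attempt: str, secret: str = SECRET) -> str:
    """Hardened check: both sides are hashed to a fixed length and compared
    with hmac.compare_digest, so neither the content nor the length of a
    partial match changes the answer or the time taken."""
    a = hashlib.sha256(attempt.encode("utf-8")).digest()
    b = hashlib.sha256(secret.encode("utf-8")).digest()
    return "OK" if hmac.compare_digest(a, b) else "INCORRECT"

def accepted_prefix_lengths(checker, secret: str = SECRET) -> list:
    """Which prefix lengths of the secret does a checker accept? A sound
    checker accepts only the full secret; a prefix oracle accepts them all."""
    return [n for n in range(len(secret) + 1) if checker(secret[:n]) == "OK"]

if __name__ == "__main__":
    print("prefix oracle accepts:", accepted_prefix_lengths(check_prefix_oracle))
    print("constant-time accepts:", accepted_prefix_lengths(check_constant_time))
```

On the detection side, the one-connection-per-probe approach used above leaves a distinctive trace: a burst of short connections from one source, each sending an input one character longer than the last.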