Hulk Smash!!

All we are given is the hostname on which the service is running. Since we don’t know which port to connect to, we first have to run a port scan:

nmap -p 1-65535

Note that simply running nmap returns nothing, since the default is to scan the first 1000 ports (instead of everything). The scan comes back with a single open port: 8124.

We can connect to the port directly using netcat to try to see what the server does:

nc 8124

The server prompts us for a password, and replies with “INCORRECT” for every single-character input except f. Once we try two-character strings starting with f, similarly, only fl is accepted. One reasonable possibility here is that the server will check our input one character at a time, and reply with “INCORRECT” once the input isn’t correct – if our input is a prefix of the password, it will get accepted.

The server lets us send multiple queries without closing the connection, but that requires some careful state handling (since we have to check if the last query was correct and we are still extending it). An easier option is to open a new connection every time we try to test a prefix and configure a timeout so we don’t get stuck waiting forever:

import pwnlib

def check(pwd):
    serv = pwnlib.tubes.remote.remote('', 8124)
    resp = serv.recv(timeout=1)
    return 'INCORRECT' not in resp.decode('ascii')

Now all we need to do is to assemble the flag character by character:

res = ''
done = False

while not done:
    done = True
    for c in 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_}':
        if check(res + c):
            res += c
            done = False