Commit a8c6c244 authored by noraj

add pomme ECSC WU

parent 03793eb6
Pipeline #62836198 passed with stage in 3 minutes and 5 seconds
layout: post
title: "ECSC 2019 Quals Team France"
title: "ECSC 2019 Quals Team France - noraj"
lang: en
- writeups
layout: post
title: "ECSC 2019 Quals Team France - pxmme"
lang: en
- writeups
- security
- writeups
- ctf
- crypto
- bruteforce
date: 2019/05/23
thumbnail: /images/ctf.png
authorId: pomme
toc: true
## Information
### CTF
- **Name** : ECSC 2019 Quals Team France
- **Website** : [](
- **Type** : Online
- **Format** : Jeopardy (individual)
## 144 - 2tp - Crypto
> Come and test our universal encryptor! We use cutting-edge technology, guaranteed unbreakable!
> As proof, we give you the encrypted flag, and you will never be able to recover it.
> nc 2000
Let's connect to this bad boy first and see what kind of output we get.
Alright then. The flag is indeed encrypted, and when we send a single character we get back a 34-character string that looks nothing like the encrypted flag above.
Let's send a few more characters to see how the output length behaves.
Notice how the first two characters are the same as in the result we got when sending a single "a"? That tells us where to go: each plaintext byte is encrypted independently of the ones after it, and always to the same two output characters at that position.
Since the flag format is known (ECSC{xxxx}), I'm guessing that by sending ECSC I should get the first 8 characters back correct, plus some random ones. Let's see:
That's it! I now know how to "bruteforce" the cleartext flag one character at a time. Let's write a Python (3!) script real quick.
```python
from pwn import *
import string

# Encrypted flag as printed by the server: two hex characters per plaintext byte
flag = "7b656d3993152e8f04f8273ca1509e27a3e39249cf4784e23b81d5f2524fee75f6b28a6a07a128e4880e770bc70b32bd7d5f37bb5eba76d38edb8d1964733b"
# Offset in the response line where the hex ciphertext of our input starts
base = 47
result = ''

for i in range(0, len(flag), 2):
    for lettre in string.printable:
        conn = remote('', 2000)  # host elided in the original writeup
        # Skip the four banner lines (including the encrypted flag) before the prompt
        for _ in range(4):
            conn.recvline()
        conn.sendline((result + lettre).encode())
        a = conn.recvline()
        conn.close()
        # recvline() returns bytes under Python 3: decode before comparing with the hex string
        lettre_enc = a[base + i:base + i + 2].decode()
        if lettre_enc == flag[i:i + 2]:
            result = result + lettre
            print(result)
            break  # position i is solved, move on to the next byte
```
This sends a candidate character and compares the first two characters of the returned string with the encrypted flag's. If they match, it saves the character and starts over, this time checking the first four characters, and so on until the whole flag is recovered. If nothing matches, it just sends the next character in string.printable.
Let's see it in action:
We've got a flag!
*tl;dr: Script could've been way better, less floppy, but I'm just lazy.*
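To show why this worked, and what would have stopped it, here is an added example (mine, not from the writeup or the challenge): a toy oracle that XORs input with a keystream and prints hex, reproducing the observable behaviour of 2tp; whether the real service was built this way is not stated in the writeup. With a fixed keystream every query lines up with the encrypted flag and the byte-at-a-time loop recovers it; with a fresh random nonce per encryption the same loop goes nowhere. The flag, key and SHA-256 keystream are constructed for the demo.

```python
import hashlib
import os
import string

# Constructed sample values for the demo; not the CTF's flag or key.
FLAG = b"ECSC{constructed_demo_flag}"
KEY = b"constructed-static-key"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream: enough for the demo, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, nonce: bytes) -> str:
    """XOR with the keystream; hex output gives two characters per plaintext byte."""
    ks = keystream(KEY, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks)).hex()


def make_oracle(fresh_nonce: bool):
    """Return (oracle, encrypted_flag). fresh_nonce=False reuses one keystream for
    every encryption, so ciphertext bytes at equal positions are comparable."""
    fixed = bytes(8)
    pick = (lambda: os.urandom(8)) if fresh_nonce else (lambda: fixed)
    return (lambda data: encrypt(data, pick())), (lambda: encrypt(FLAG, pick()))


def recover(oracle, flag_hex: str) -> str:
    """Byte-at-a-time recovery as in the writeup: extend the known prefix by the
    printable character whose ciphertext matches the flag's hex pair at that
    position; stop at the first position where no candidate matches."""
    result = ""
    for i in range(0, len(flag_hex), 2):
        for ch in string.printable:
            if oracle((result + ch).encode())[i:i + 2] == flag_hex[i:i + 2]:
                result += ch
                break
        else:
            break
    return result


if __name__ == "__main__":
    oracle, enc_flag = make_oracle(fresh_nonce=False)
    print("fixed keystream:", recover(oracle, enc_flag()))
    oracle, enc_flag = make_oracle(fresh_nonce=True)
    print("fresh nonce    :", recover(oracle, enc_flag()))
```

With the fixed keystream the recovery is exact, since for one keystream byte two plaintext bytes collide only if they are equal; with a fresh nonce the oracle's output is unrelated to the flag ciphertext, and any characters the loop does accept are chance matches.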