Mysterious hint, that.  Of course I know how the flag format looks
like, they always start with `hsctf{` and end with `}`.  Entering
something looking like a flag and something entirely different reveals
interesting timings in the network inspector:

- `a`: 0.1s
- `h`: 0.6s
- `ha`: 0.6s
- `hs`: 1.1s
- ...

It's as if the flag is compared one char at a time, with 0.5s waiting
time after a successful comparison.  Knowing this one can write a
script that:

- Starts with a given prefix
- For each possible character
 - Tries the prefix with that characters
 - Measures the time taken to find the likeliest character
- Appends the most likely character to the prefix
- Continues until the end of the flag has been found

There are a few more difficulties though:

- It's not obvious what the charset is.  Too big and you spend too
 much time waiting.  Too small and you might not guess the right
 character.  I went with lowercase letters sorted by usage frequency,
 digits, space and underscore.
- Sometimes false positives will happen.  This could be detected
 because with an incorrectly guessed character, subsequent guesses
 will take less time.  I went with adjusting the known good prefix,
 then rebooting the script.  Eventually it guessed enough of the
 flag.

You are viewing proxied material from brause.cc. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.