I am working on a class exercise that involves finding a password on a remote server. The goal is to use the Python pwn library.
When I connect to the server with nc IP port
I get:
[0000014075] Initializing the exercice...
[0001678255] Looking for a door...
[0001990325] Trying to unlock the door...
^ _ ^ Ready for the challenge ? ^_^
Answer :
I understand that it's a kind of side-channel attack and that I have to use the time of each iteration to get the right character. If I'm right, at each iteration I should get the password.
I use the following code:
import time
from pwn import *

conn = remote('URL', port)  # address and port of the exercise server

def determine_character(duration) -> str:
    # map the measured response time onto a candidate character
    chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    index = min(int(duration * 10 / 3), len(chars) - 1)  # clamp to avoid IndexError
    return chars[index]

final_pass = ""
supposedLength = 50

for i in range(supposedLength):
    conn.sendline(b"test")  # pwntools expects bytes, not str
    start = time.time()
    conn.sendline(b"a")
    conn.recvline()
    stop = time.time()
    duration = stop - start
    real_pass = determine_character(duration)
    print(real_pass)
    final_pass += real_pass

print("final pass : {}".format(final_pass))
print(conn.recvline())

for i in range(supposedLength):
    conn.sendline(final_pass[i].encode())
    print(conn.recvline())
But this does not work. Indeed, when I run the script I get a strange password and obviously it fails:
final pass 05010000000000000000000000000000000000000000000000
How can I get the right password? Is there a problem with the duration? Do you have any ideas for debugging the script?
Any help would be greatly appreciated, thanks!
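An added example, not from the question or from the exercise's server, showing why a password check like this leaks timing: an early-exit comparison does work proportional to the matched prefix, whereas a constant-time comparison always does the same work. Comparison counts stand in for wall-clock time so the effect is visible without noisy measurements; the secret and guesses are constructed sample values.

```python
import hmac
from typing import Tuple


def leaky_compare(guess: str, secret: str) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (match, number of character
    comparisons performed). The count grows with the matched prefix,
    which is exactly the signal a timing side channel measures."""
    comparisons = 0
    if len(guess) != len(secret):
        return False, comparisons
    for g, s in zip(guess, secret):
        comparisons += 1
        if g != s:
            return False, comparisons
    return True, comparisons


def constant_work_compare(guess: str, secret: str) -> Tuple[bool, int]:
    """Same interface, but always walks the full secret and ORs the
    differences together, so the work does not depend on where the
    first mismatch is. Length mismatch is folded into the result too."""
    comparisons = 0
    diff = len(guess) ^ len(secret)
    padded = guess.ljust(len(secret), "\0")[:len(secret)]
    for g, s in zip(padded, secret):
        comparisons += 1
        diff |= ord(g) ^ ord(s)
    return diff == 0, comparisons


def secure_check(guess: str, secret: str) -> bool:
    # what a real server should use: the standard library's constant-time compare
    return hmac.compare_digest(guess.encode(), secret.encode())


def work_profile(compare, secret, guesses):
    # comparison count per guess: flat for a hardened check,
    # rising with matched-prefix length for a leaky one
    return [compare(g, secret)[1] for g in guesses]


SECRET = "Ab3xQ"                        # constructed sample secret
GUESSES = ["Zb3xQ", "Ab3zz", "Ab3xQ"]   # 0, 3 and 5 matching leading characters

if __name__ == "__main__":
    print("leaky   :", work_profile(leaky_compare, SECRET, GUESSES))
    print("hardened:", work_profile(constant_work_compare, SECRET, GUESSES))
```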