$ ncat pwn522.ddtek.biz 6000
Never$olv3d!
000111222333444555000111222333444555000111222333444555
1 3
145350200111313244203511223232143550241432444500553500
1 2
invalid msg3 2
invalid msga
^C
After playing with the service a bit, two things can be observed: the server's output always contains the same characters, only in a different order, and the service accepts a maximum of 4 digits as input. So maybe we need to find a key that puts the string back in its original order.
So, we need some scripting...
# db200_sol.py (Python 2)
import socket

def connect():
    # Open a connection to the service and send the password line
    HOST = 'pwn522.ddtek.biz'
    PORT = 6000
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        s.connect((HOST, PORT))
        s.send('Never$olv3d!\n')
    except Exception as e:
        return None
    return s

i = 100
s = connect()
while 1:
    data1 = None
    data2 = None
    try:
        # Read the current state of the string from the server
        data1 = s.recv(1024)
        data2 = s.recv(1024)
        print '[RECV]: ', repr(data1)+repr(data2)
        # Send '0' followed by an increasing counter as the next guess
        data1 = '0'
        data2 = str(i)
        i = i+1
        print '[SENT]: ', repr(data1)+repr(data2)
        s.send(data1)
        s.send(data2)
    except Exception as e:
        # On timeout or disconnect, log the error and reconnect
        print '[ERROR]: ' + str(e)
        if s is not None:
            s.close()
        s = connect()
        continue
s.close()
If we run the previous script in the background and wait a few minutes, we'll be able to obtain the following response from the service.
$ python db200_sol.py > db.txt&
$ cat db.txt | sort | uniq -c | sort | more
1 [ERROR]: [Errno 32] Broken pipe
1 [RECV]: '0'"00111222333444555000111222333444555000111222333444555\nLet's not be too rough on our own ignorance; it's what makes America great!\n\n"
1 [RECV]: '0''00211022443145544200011122333145553122104443552553330\n'
1 [RECV]: '0''02454034521103233304013422435241154254253515523111000\n'
1 [RECV]: '0''03213030403235555504410122532443152411544102134152023\n'
^C
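The `sort | uniq -c` step above can also be done by parsing the log, as in this added example (not part of the original post, and written for Python 3 rather than the Python 2 of db200_sol.py). It checks that every received state is a reordering of the start string and picks out the solved one; the function names are made up for illustration, and the last sample line is a constructed truncated read.

```python
import ast
from collections import Counter

SOLVED = "000111222333444555" * 3  # start string shown by the service

# Constructed sample in the format db200_sol.py prints. The first three
# lines are quoted from the post; the last one is a made-up short read.
SAMPLE_LOG = """\
[ERROR]: [Errno 32] Broken pipe
[RECV]: '0''00211022443145544200011122333145553122104443552553330\\n'
[RECV]: '0'"00111222333444555000111222333444555000111222333444555\\nLet's not be too rough on our own ignorance; it's what makes America great!\\n\\n"
[RECV]: '0''0021102244\\n'
"""


def parse_recv(line):
    """Return the text the server sent for one '[RECV]:' line, or None."""
    prefix = "[RECV]:"
    if not line.startswith(prefix):
        return None
    try:
        # The script prints repr(data1)+repr(data2): two adjacent string
        # literals, which Python's parser joins into a single string.
        value = ast.literal_eval(line[len(prefix):].strip())
    except (SyntaxError, ValueError):
        return None
    return value if isinstance(value, str) else None


def classify(log_text):
    """Sort received states into solved / scrambled / malformed."""
    result = {"solved": [], "scrambled": [], "malformed": []}
    for line in log_text.splitlines():
        received = parse_recv(line)
        if received is None:
            continue
        state, _, message = received.partition("\n")
        if Counter(state) != Counter(SOLVED):
            result["malformed"].append(state)  # not a reordering of SOLVED
        elif state == SOLVED:
            result["solved"].append(message.strip())
        else:
            result["scrambled"].append(state)
    return result


if __name__ == "__main__":
    for kind, items in classify(SAMPLE_LOG).items():
        print(kind, items)
```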
Solution: Let's not be too rough on our own ignorance; it's what makes America great!
Game over :).
Note: I've added the script here