Over the Wire

Here I will document nice finds while tinkering with wargames/CTFs. At the moment I am playing the games on Over the Wire.

OtW challenge Natas 16

There are multiple methods of obtaining the password. The most straightforward approach is to first probe which characters (letters and numbers) are present in the password by injecting an additional grep command as $(grep $char /etc/natas_webpass/natas17)[word], where [word] is chosen such that it does not occur in the dictionary if any character is added to it. The search then only returns [word] when the inner grep produced no output, i.e. when $char is absent from the password. Subsequently, each of the present characters is tried at each position, building up the password. With this approach I expect that you will need 2*26+10=62 connections to the server to check the presence of all characters. Then, for a 32 character password, 32*5=160 connections are needed, assuming the password consists of 10 unique characters and you need 5 guesses for each character. To summarize, with this smart brute-force attack you will make 222 connections to the server.

On the other hand, the existing query can be used to identify each of the characters of the password without brute force. Running a $(cut -b$position /etc/natas_webpass/natas17) query returns a list of words which is unique for each letter! As a result, a password of length N is revealed (approximately) by N queries. However, two issues still have to be addressed: letter case and numbers. Both can be determined with the query used in the brute-force approach, but now building up the password from left to right with $(grep ^$partialPassword /etc/natas_webpass/natas17)[word]. This algorithm will use 105 queries instead of the 222 queries of the brute-force approach.
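Both methods work only because the search term is handed to a shell, which expands $(...) before grep sees it. The following Python example is added here (it is not the challenge's code nor part of the original notes) and mimics that shell-string search beside a version that passes the key as a single argv entry; the word list, the temporary file and the harmless $(echo ...) key are constructed for the demonstration.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the challenge's dictionary (not the real word list).
WORDS = ["alpha", "beta", "gamma", "delta"]


def make_dictionary():
    """Write the constructed word list to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(WORDS) + "\n")
    return path


def search_vulnerable(path, key):
    """Search the way the challenge does: the key is spliced into a shell string.

    /bin/sh parses the whole string, so a $(...) inside the key is expanded
    before grep runs, which is exactly what the queries above rely on.
    """
    cmd = 'grep -i "%s" %s' % (key, path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_hardened(path, key):
    """Same search without a shell: the key is one argv entry handed to grep.

    No shell means $(...) is never interpreted; "--" additionally stops a key
    that starts with "-" from being parsed as a grep option.
    """
    argv = ["grep", "-i", "--", key, path]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def compare(key):
    """Run both versions on the same key and return (vulnerable, hardened) output."""
    path = make_dictionary()
    try:
        return search_vulnerable(path, key), search_hardened(path, key)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # A harmless substitution: the shell turns this key into "alpha".
    vuln, safe = compare("$(echo alph)a")
    print("shell string :", repr(vuln))   # 'alpha\n'  (substitution ran)
    print("argv list    :", repr(safe))   # ''         (searched for the literal text)
```

In the hardened variant the same key is searched for literally and matches nothing, so the grep output no longer leaks anything about commands embedded in the key.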