Character
hackthebox
Task: Extract a flag from a network service that reveals only one character at a time per connection. Solution: Script automated connections to query each character index sequentially, determine the flag length via binary search or linear scan, and reconstruct the full flag string.
Character — HackTheBox
Challenge Overview
Category: Misc / Network
Difficulty: Easy
Description: "Security through Induced Boredom is a personal favourite approach of mine. Not as exciting as something like The Fray, but I love making it as tedious as possible to see my secrets, so you can only get one character at a time!"
The challenge presents a network service that allows querying individual characters of a flag, one position at a time. This is a classic "tedious access" challenge where manual extraction would be impractical, making scripting essential.
Connection: nc 94.237.122.95 37667
Reconnaissance & Discovery
Initial Connection
When connecting to the service, we receive a prompt asking for a character index:
Which character (index) of the flag do you want? Enter an index:
The service responds with the character at the requested position. This is a straightforward interface:
- Input: An integer representing the character position (0-based indexing)
- Output: The character at that position in the flag
Understanding the Service Behavior
Key observations from testing the service:
- The service uses 0-based indexing for character positions
- It returns the exact character at the specified index
- No authentication or rate limiting is apparent
- The service closes the connection after each query
Exploitation Strategy
Step 1: Determine Flag Length
Since we don't know the flag length, we need to discover it. We can use binary search to efficiently find the maximum valid index:
...
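The strategy described above, as an added example that is not part of the original writeup: a local mock of the one-character-per-connection service, plus a client that finds the flag length by doubling and bisection and then reads every index. The out-of-range reply text, the bare one-character reply format, the flag value, and the names `start_mock`, `query`, `find_length` and `recover_flag` are assumptions constructed for this illustration.

```python
import socket
import socketserver
import threading

PROMPT = "Which character (index) of the flag do you want? Enter an index: "

def start_mock(flag):
    """Constructed local stand-in: answers one query per connection, then closes."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.wfile.write(PROMPT.encode())
            line = self.rfile.readline().strip()
            ok = line.isdigit() and int(line) < len(flag)
            # Assumed error text; the real service's wording is not on the page.
            reply = flag[int(line)] if ok else "Index out of range!"
            self.wfile.write(reply.encode() + b"\n")
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

def query(port, index, host="127.0.0.1"):
    """One fresh connection per index; returns the character, or None if rejected."""
    with socket.create_connection((host, port), timeout=5) as s:
        with s.makefile("rwb") as f:
            f.write(f"{index}\n".encode())
            f.flush()
            data = f.read().decode()          # server closes, so read to EOF
    reply = data.rpartition("Enter an index: ")[2].rstrip("\n")
    return reply if len(reply) == 1 else None

def find_length(port):
    """Double the probe until it is rejected, then bisect the boundary."""
    lo, hi = 0, 1                             # assumes index 0 is valid
    while query(port, hi) is not None:
        lo, hi = hi, hi * 2
    while hi - lo > 1:                        # lo valid, hi invalid
        mid = (lo + hi) // 2
        if query(port, mid) is None:
            hi = mid
        else:
            lo = mid
    return hi                                 # first invalid index == length

def recover_flag(port):
    return "".join(query(port, i) for i in range(find_length(port)))

if __name__ == "__main__":
    print(recover_flag(start_mock("HTB{constructed_example_flag}")))
```

For a flag of length n, the length search costs roughly 2·log2(n) connections, after which recovery needs exactly n more.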