Гесс вот (Guess what)

bug-makers

Task: TCP guessing game that leaks the 0-indexed position of the first mismatching character of a secret base64 string built from a random hex token, the client IP, and a live UTC timestamp. Solution: abuse the position oracle to recover the secret character-by-character with predicted candidates, then replay the exact recovered string instead of recomputing the time-dependent value (which drifts at the seconds field).

oracle_attack side_channel base64 timing network_service position_oracle race_condition_lite ctf_misc

position_oracle_recoverypredicted_candidate_orderingrecover_then_replay

$ ls tags/ techniques/

oracle_attack side_channel base64 timing network_service position_oracle race_condition_lite ctf_misc

position_oracle_recoverypredicted_candidate_orderingrecover_then_replay

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]Birdy— spbctf
[pwn][Pro]wrong name— pwn_spbctf
[crypto][Pro]Напиши мне— hackerlab
[pwn][Pro]secret— pwn_spbctf
[ml][free]leaky-gradient— TJCTF 2026