https://app.hackthebox.com/challenges/702

Description

With injuries and illnesses escalating, the priority is clear: human lives take precedence. Before seeking hidden treasures, it is imperative to first treat the wounded ones. The resolute survivors learn through rumors about a hidden medical research facility known as the “BioMed Research Institute” reputed for its advanced treatments. They plan to locate and infiltrate the institute, intent on securing vital medications and medical equipment necessary to save the lives of their injured comrades. However, such a feat will not come easily. The facility is safeguarded by state-of-the-art security mechanisms known only to the government. The team must navigate several layers of doors to access the heart of the facility. Can you identify any vulnerability or hidden backdoor in this enigmatic security system?

Exploitation

#!/usr/bin/env python3
from pwn import *
from tqdm import tqdm
import sys

context.log_level = 'error'

SAMPLES = 30  # queries per bit: a 1 bit only shows the leak with some probability per query

def get_bit(r, i):
    # Query the server for flag bit i repeatedly. The third reply line carries
    # the returned value as "... = <n>". A 0 bit always yields a value in 0..255;
    # a 1 bit eventually yields one outside that range, which is the leak.
    for _ in range(SAMPLES):
        r.sendline(str(i).encode())
        r.recvline()
        r.recvline()
        b = int(r.recvline().split(b'= ')[1])
        if b < 0 or b >= 256:
            return 1
    # No out-of-range sample seen: treat as 0. A 1 bit is misread if all SAMPLES
    # queries happened to stay in range, so raise SAMPLES if the flag looks wrong.
    return 0

def main():
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <ip:port>")
        sys.exit(1)
    ip, port = sys.argv[1].split(':')
    r = remote(ip, int(port))
    r.recvuntil(b':')
    # Send an out-of-range index so the server reports the valid range "[0, N]";
    # N + 1 is the number of flag bits.
    r.sendline(b'9999')
    m = int(r.recvline().split(b'[0, ')[1].split(b']')[0]) + 1
    flag_bits = []
    for i in tqdm(range(m), desc="\033[92mExtracting bits\033[0m", colour="green"):
        bit = get_bit(r, i)
        flag_bits.append(str(bit))
    # Bits come back MSB-first, so packing them big-endian yields the flag bytes.
    flag = int(''.join(flag_bits), 2).to_bytes((m + 7) // 8, 'big')
    print(f"\033[92mFlag\033[0m: {flag.decode()}")
    r.close()

if __name__ == '__main__':
    main()
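An offline model of the leak the script above relies on, added here as an example; it is not the challenge's server code, which is not on this page. The real cipher is not shown here, so MockOracle is a constructed stand-in with a single assumed property: a query for a 1 bit returns a value outside 0..255 with some per-query probability (LEAK_PROB, an assumption), while a query for a 0 bit never does. The block reuses the exploit's decision rule against that oracle and also computes the false-negative probability of the 30-sample test, which is the caveat to keep in mind when a recovered flag contains a wrong byte.

```python
#!/usr/bin/env python3
"""Offline model of the bit-leak oracle exploited above.

Added example, not the challenge's code. The oracle is a constructed stand-in
that reproduces only the property the exploit relies on: a sample for a 1 bit
sometimes falls outside 0..255, a sample for a 0 bit never does.
"""
import random

LEAK_PROB = 0.5  # assumed per-query probability that a 1 bit produces an out-of-range value


class MockOracle:
    """Constructed stand-in for the challenge server (hypothetical leak model)."""

    def __init__(self, flag: bytes, seed: int = 0):
        # Flag bits MSB-first, matching the big-endian packing in the exploit.
        self.bits = [(byte >> (7 - k)) & 1 for byte in flag for k in range(8)]
        self.rng = random.Random(seed)

    def query(self, i: int) -> int:
        """Return one 'ciphertext' sample for flag bit i."""
        if not 0 <= i < len(self.bits):
            raise IndexError(f"index must be in [0, {len(self.bits) - 1}]")
        if self.bits[i] == 1 and self.rng.random() < LEAK_PROB:
            # The leak: a 1 bit can produce a value that is negative or >= 256.
            return self.rng.choice([-1, 256 + self.rng.randrange(64)])
        return self.rng.randrange(256)


def recover_bit(query, i: int, samples: int = 30) -> int:
    """Same decision rule as get_bit() in the exploit: any out-of-range sample means 1."""
    for _ in range(samples):
        b = query(i)
        if b < 0 or b >= 256:
            return 1
    return 0


def miss_probability(leak_prob: float, samples: int) -> float:
    """Chance that a 1 bit is misread as 0: all `samples` queries stay in range."""
    return (1 - leak_prob) ** samples


def recover_flag(query, nbits: int, samples: int = 30) -> bytes:
    """Recover every bit and pack MSB-first into bytes, as the exploit does."""
    bits = [recover_bit(query, i, samples) for i in range(nbits)]
    return int(''.join(map(str, bits)), 2).to_bytes((nbits + 7) // 8, 'big')


if __name__ == '__main__':
    # Constructed sample flag; the real flag is not on this page.
    oracle = MockOracle(b'HTB{test}', seed=7)
    print('recovered:', recover_flag(oracle.query, len(oracle.bits)))
    print('P(1 bit misread as 0 with 30 samples):', miss_probability(LEAK_PROB, 30))
```

With the assumed LEAK_PROB of 0.5 the 30-sample rule misses a 1 bit with probability 2^-30, so a wrong byte in practice points at a much lower per-query leak rate; raising the sample count is the fix, since a 0 bit can never be misread as 1 under this model.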

Summary

Living with Elegance: the server leaks each flag bit through the range of the values it returns, so query every index repeatedly, mark an index as 1 as soon as a value falls outside 0..255, and reassemble the recovered bits into the flag.