HackVent 2023 - [HV23.07] The golden book of Santa
Difficulty: Easy
Categories: Forensic, Network Security, Web Security
Author: darkstar
An employee found out that someone is selling secret information from Santa’s golden book. For security reasons, the service for accessing the book was immediately stopped and there is now only a note about the maintenance work. However, it still seems possible that someone is leaking secret data.
The challenge provides a TCP server that always returns the same chunked response. After trying around a lot, I found that the flag is hidden in the chunk length that is used for every chunk:
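from pwn import *
from binascii import unhexlify

# Connect and send an empty line; the server answers with its fixed chunked response.
r = remote("<remote>", 80)
r.sendline()

# Split the whole response into lines.
chunks = r.recvall().split(b"\r\n")

# Lines shorter than 4 characters are the chunk-size headers; drop the first
# hex digit of each and hex-decode what remains.
success(unhexlify("".join([c.decode()[1:] for c in chunks if len(c) < 4])))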
By splitting on \r\n and filtering for a size smaller than 4, we only get the chunk headers. It turned out that the flag is only in the last 2 hex digits of the length header, that's why there is a [1:] in the code.
Upon running the script we get the flag: HV23{here_is_your_gift_in_small_pieces}
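As an added example (not part of the original write-up), the same recovery can be done by walking the chunked body according to each declared size, so chunk data that happens to contain short lines is never mistaken for a size header. This goes slightly beyond the length filter above; the function names, the constructed SAMPLE response and its 0x100 | byte size layout are assumptions made for the demonstration.

```python
"""Recover bytes carried in HTTP chunk-size headers (added example)."""

def build_sample(secret: bytes) -> bytes:
    # Constructed test response: each chunk size is 0x100 | byte (assumed layout),
    # and the chunk data deliberately contains short "ok" lines.
    out = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    for byte in secret:
        size = 0x100 | byte
        out += b"%x\r\n" % size + (b"ok\r\n" * size)[:size] + b"\r\n"
    return out + b"0\r\n\r\n"

def chunk_sizes(raw: bytes) -> list[int]:
    """Return the declared size of every chunk, excluding the final 0 chunk."""
    if raw.startswith(b"HTTP/"):
        # Drop the status line and headers; the body starts after the blank line.
        raw = raw.split(b"\r\n\r\n", 1)[1]
    sizes, pos = [], 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        # The size is hex; anything after ';' is a chunk extension and is ignored.
        size = int(raw[pos:eol].split(b";")[0], 16)
        if size == 0:
            return sizes
        start = eol + 2
        # The data must be followed by CRLF exactly where the size says it ends.
        if raw[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match declared size")
        sizes.append(size)
        pos = start + size + 2

def low_bytes(sizes: list[int]) -> bytes:
    # Keep only the low byte of each size, i.e. its last two hex digits.
    return bytes(s & 0xFF for s in sizes)

SAMPLE = build_sample(b"HV23{constructed_demo}")  # constructed, not the real flag

if __name__ == "__main__":
    print(low_bytes(chunk_sizes(SAMPLE)))
```

On the defensive side, the list returned by chunk_sizes is also what a proxy or IDS rule would inspect: chunk sizes that vary on a body that never changes are the anomaly this challenge relies on.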