eqqn Security blog

CTF write-ups

Home

GreHack2019

Time Consuming Bot (150) Write-up

Image

Following the link we see Telegram bot

Image

FIrst I create an account and try chatting this bot up.

Image

We get a time trace in case we pass the wrong passoword. Naturally timing attack comes to mind, but those usually require a bit of automation to crack. I confirm it by sending every alphanumerical, one at a time until I get a longer processing time reponse. Now the challenge clearly indicates a bit of time wasting is involved.

So I start digging into the API and bot documentation to write a bot myself to do the hard work. I make a chatroom and invite the my bot and Grehack bot to the chat.

Image

To my dismay, GrehackBot doesnt respond to my bot… I understand that it’s probably to prevent loops and other unwelcome behaviour and move on to my previous method: Manual labour!

The bot seems to crash for a little while by the probable spam from other contestants so I work on other challenges.

The password is building up nice and slow, and I am hoping the password is less than 60 characters, as it would take all night to do…

Bingo! To great relief and amusement, the password is only 7 chars long! I am the first one to solve.

Sometimes the most simple solution is the best one. Even with 2 hours left before competition finish noone else solved it.

I had a good laugh to myself that in a room of very smart people I still had my moment to shine.

GH19{WhatAMessToAutomatTelegram!}

Image

[1] Telegram Bots FAQ https://core.telegram.org/bots/faq#why-doesn-39t-my-bot-see-messages-from-other-bots

Indeed, it is a mess to automate Telegram. During the course of competition I tried to retrieve the Bot ID for private messages, only to learn that you need to be in control to get the user/bot ID. ( Thus I chose to invite to a group chat, which ID can be easily retrieved via API )

Messages of bots have is_bot : True flag so they are invisible to other bots. The idea to intercept my own messages and then somehow steal the token / reuse it came to mind, but I had doubts since the messenger claims a certain level of trust/security.

Another idea is to use a browser client and script something up there, but I don’t think I could pull that off and glad it wasn’t necessary.

Thoughts on Grehack19

This is my third year in Grehack and it’s amazing to see how rapidly the event and interest in it is growing. Tickets are scarce and sell out fast. It was also personally the most enjoyable of the bunch, probably because by now I can at least make a dent on some of the challenges. I also enjoyed the talks a lot.