picoCTF 2022 SideChannel Writeup
timing-based side-channel attacks
There's something fishy about this PIN-code checker, can you figure out the PIN and get the flag?
Download the PIN checker program here pin_checker
Once you've figured out the PIN (and gotten the checker program to accept it), connect to the master server using nc saturn.picoctf.net 55824 and provide it the PIN to get your flag.
Problem
Running it for a start
# ./pin_checker
Please enter your 8-digit PIN code:
aaa
3
Incorrect length.
The length is wrong.
# ./pin_checker
Please enter your 8-digit PIN code:
aaaaaaaa
8
Checking PIN...
Access denied.
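The PIN length is 8.
Hypotheses
Hypothesis 1: the PIN is numeric (8 digits).
Hypothesis 2: the PIN is checked one character at a time (so that it can be solved by brute force).
Hypothesis 3: when a check passes, the program sleeps (so that it can be solved by brute force).
Testing the hypotheses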
time echo 11111111 | ./pin_checker
time echo 21111111 | ./pin_checker
time echo 31111111 | ./pin_checker
time echo 41111111 | ./pin_checker
time echo 51111111 | ./pin_checker
time echo 61111111 | ./pin_checker
time echo 71111111 | ./pin_checker
time echo 81111111 | ./pin_checker
time echo 91111111 | ./pin_checker
time echo 01111111 | ./pin_checker
Results
# time echo 11111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.246s
user 0m0.194s
sys 0m0.012s
# time echo 21111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.217s
user 0m0.198s
sys 0m0.013s
# time echo 31111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.217s
user 0m0.187s
sys 0m0.023s
# time echo 41111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.389s
user 0m0.367s
sys 0m0.009s
# time echo 51111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.223s
user 0m0.192s
sys 0m0.005s
# time echo 61111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.203s
user 0m0.188s
sys 0m0.009s
# time echo 71111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.209s
user 0m0.194s
sys 0m0.009s
# time echo 81111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.206s
user 0m0.191s
sys 0m0.006s
# time echo 91111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.210s
user 0m0.194s
sys 0m0.008s
# time echo 01111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.194s
user 0m0.178s
sys 0m0.012s
4 is about 0.2 seconds slower.
The first character of the PIN is 4.
Next, the second character.
time echo 41111111 | ./pin_checker
time echo 42111111 | ./pin_checker
time echo 43111111 | ./pin_checker
time echo 44111111 | ./pin_checker
time echo 45111111 | ./pin_checker
time echo 46111111 | ./pin_checker
time echo 47111111 | ./pin_checker
time echo 48111111 | ./pin_checker
time echo 49111111 | ./pin_checker
time echo 40111111 | ./pin_checker
Results
# time echo 41111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.394s
user 0m0.351s
sys 0m0.037s
# time echo 42111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.391s
user 0m0.376s
sys 0m0.014s
# time echo 43111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.389s
user 0m0.379s
sys 0m0.010s
# time echo 44111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.405s
user 0m0.374s
sys 0m0.013s
# time echo 45111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.390s
user 0m0.380s
sys 0m0.010s
# time echo 46111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.388s
user 0m0.375s
sys 0m0.013s
# time echo 47111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.390s
user 0m0.384s
sys 0m0.005s
# time echo 48111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.586s
user 0m0.543s
sys 0m0.016s
# time echo 49111111 | ./pin_checker
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
real 0m0.404s
user 0m0.376s
sys 0m0.026s
# time echo 40111111 | ./pin_checker time echo 48111111 | ./pin_checker
Please enter your 8-digit PIN code:
35
Incorrect length.
real 0m0.393s
user 0m0.370s
sys 0m0.014s
8 is about 0.2 seconds slower.
The second character of the PIN is 8.
Continuing in the same way to the end shows that the PIN is 48390513.
# nc saturn.picoctf.net 55824
Verifying that you are a human...
Please enter the master PIN code:
48390513
Password correct. Here's your flag:
picoCTF{t1m1ng_4tt4ck_9803bd25}
It may have been brute force, but it was fun.
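The staircase in the timings above (about 0.2 s more for each correct leading digit) is what a left-to-right check that does extra work on every match produces. The following C model is an added example, not code from pin_checker or from the original write-up: check_pin_leaky, check_pin_constant, work_for and the work_units counter are hypothetical names, and the counter stands in for elapsed time so the leak and the fix can be compared deterministically.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN 8

/* Work spent by the last check; a stand-in for elapsed time (assumption). */
static unsigned long work_units;
static void expensive_step(void) { work_units++; }

/* Leaky shape from the hypotheses: compare left to right, do extra work
 * after each matching digit, return at the first mismatch. */
int check_pin_leaky(const char *guess, const char *secret) {
    work_units = 0;
    if (strlen(guess) != PIN_LEN) return 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        if (guess[i] != secret[i]) return 0;  /* early exit leaks position */
        expensive_step();
    }
    return 1;
}

/* Hardened shape: every digit is processed, differences are OR-ed together,
 * and nothing branches on secret data until the final result. */
int check_pin_constant(const char *guess, const char *secret) {
    unsigned char diff = 0;
    work_units = 0;
    if (strlen(guess) != PIN_LEN) return 0;   /* length is public here */
    for (size_t i = 0; i < PIN_LEN; i++) {
        diff |= (unsigned char)(guess[i] ^ secret[i]);
        expensive_step();
    }
    return diff == 0;
}

/* Run one check and report how much work it cost. */
unsigned long work_for(int (*check)(const char *, const char *),
                       const char *guess, const char *secret) {
    check(guess, secret);
    return work_units;
}

int main(void) {
    const char *secret = "48390513";          /* PIN found in the write-up */
    const char *guesses[] = { "11111111", "41111111", "48111111" };
    for (size_t i = 0; i < 3; i++)
        printf("%s leaky=%lu constant=%lu\n", guesses[i],
               work_for(check_pin_leaky, guesses[i], secret),
               work_for(check_pin_constant, guesses[i], secret));
    return 0;
}
```

With the leaky check the cost grows with the number of correct leading digits, which reduces the search from 10^8 guesses to at most 80; with the constant-time check every 8-digit guess costs the same.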
Author And Source
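More information about this problem (picoCTF 2022 SideChannel Writeup) can be found at https://qiita.com/housu_jp/items/ccd7bd21ac921685c295. Author attribution: the original author's information is contained in the original URL. Copyright belongs to the original author.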