nc 21700


We are given a Ruby script:

The write operation lets us write to the temporary file that was created, and the read operation prints the content of the file either hashed with MD5/SHA-1 or encrypted with AES-256, using the SHA-256 hash of the flag as the key.

There is a secret operation which is not included in the menu. It simply copies the flag to our temporary file.

The write operation uses xxd to convert a hexadecimal string to bytes. However, it overwrites the file from the start instead of replacing the whole file, so any existing bytes beyond the end of our input stay in place.

We can use this to brute-force the flag one character at a time. To find the length of the flag, we first copy the flag into the file. Then we overwrite its characters one by one until the hash of the file matches the hash of the same number of characters that we wrote ourselves.

After finding the length of the flag, we overwrite all of its characters except the last one and read the hash. Then we brute-force that character and move on to the next character from the end of the string, repeating this until we have all the characters.
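The two steps above can be checked offline with the following added example, which is not the author's solve script or the challenge's code. `LocalOracle` is a hypothetical in-memory model of the three operations (secret copy, in-place write, MD5 read), and the pad byte, alphabet and sample flag are assumptions.

```python
import hashlib
import string

PAD = b"A"  # filler byte written over the prefix (arbitrary choice)
ALPHABET = (string.ascii_letters + string.digits + string.punctuation).encode()

class LocalOracle:
    """Offline model of the service; hypothetical, not the challenge's Ruby script."""
    def __init__(self, secret: bytes):
        self._secret, self._file = secret, bytearray()

    def copy_secret(self):            # the hidden "secret" operation
        self._file = bytearray(self._secret)

    def write(self, data: bytes):     # overwrite from offset 0, no truncation
        self._file[:len(data)] = data

    def read_md5(self) -> str:        # the read operation, MD5 variant
        return hashlib.md5(self._file).hexdigest()

def find_length(o, limit=128):
    """Grow the overwritten prefix until nothing of the secret is left."""
    o.copy_secret()
    for n in range(1, limit + 1):
        o.write(PAD * n)
        if o.read_md5() == hashlib.md5(PAD * n).hexdigest():
            return n
    raise ValueError("length not found within limit")

def recover(o):
    """Recover the secret from its last byte to its first."""
    known = b""
    for i in range(find_length(o) - 1, -1, -1):
        o.copy_secret()
        o.write(PAD * i)              # file is now PAD*i + secret[i:]
        target = o.read_md5()
        for c in ALPHABET:
            guess = bytes([c]) + known
            if hashlib.md5(PAD * i + guess).hexdigest() == target:
                known = guess
                break
        else:
            raise ValueError(f"byte {i} is outside ALPHABET")
    return known

if __name__ == "__main__":
    sample = b"flag{constructed_sample}"   # constructed value, not the real flag
    print(recover(LocalOracle(sample)))
```

In this model, a `write` that replaces the whole buffer leaves no secret bytes behind the attacker-controlled prefix, so each hash covers only known data and the recovery no longer works.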

Here is the script to solve this challenge:

Let’s run the script and get the flag.

The flag is hitcon{xxd?XDD!ed45dc4df7d0b79}.