Hidden three came out the same day as HV19.11 Frolicsome Santa Jokes API came out. And as the API was the first challenge were we had to deal with a remote server, maybe the flag is hidden on the remote server.
A quick scan using nmap reveals that there is another port opened: port 17. Connecting using ncat got me a single character which seem to not change. I wrote a small python script to connect, receive the character, check if it changed, if so, log character, start over.
import socket
LAST_CHAR = ''
def write(c):
with open('log', 'a') as file:
file.write(c)
while True:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('whale.hacking-lab.com', 17))
char = s.recv(8).decode()[0]
if LAST_CHAR != char:
LAST_CHAR = char
write(char)
except:
pass
While looking at the log from time to time it shows, that the character changes every hour. So this script does a lot of useless requests, as you only need one request per hour.
After a bit more than 24 hours the log file looked like the following:
AILYfl4g}HV19{an0ther_DAILY
Rearranging got as the flag which is HV19{an0ther_DAILY_fl4g}.