Sebastian's Blog

software developer. security enthusiast.

HACKvent 2019

HV19.H3 Hidden Three


Hidden three came out the same day as HV19.11 Frolicsome Santa Jokes API came out. And as the API was the first challenge were we had to deal with a remote server, maybe the flag is hidden on the remote server.

A quick scan using nmap reveals that there is another port opened: port 17. Connecting using ncat got me a single character which seem to not change. I wrote a small python script to connect, receive the character, check if it changed, if so, log character, start over.

import socket

def write(c):
    with open('log', 'a') as file:

while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('', 17))
        char = s.recv(8).decode()[0]
        if LAST_CHAR != char:
            LAST_CHAR = char

While looking at the log from time to time it shows, that the character changes every hour. So this script does a lot of useless requests, as you only need one request per hour.

After a bit more than 24 hours the log file looked like the following:


Rearranging got as the flag which is HV19{an0ther_DAILY_fl4g}.

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.