Insomni’hack 2013 : The game

A popular game amongst survivors is the Rock-Paper-Scissors-Lizard-Spock game. To gain their respect, we strongly encourage you to be the best at this game. This will strengthen your reputation and will attract new citizens.

This challenge is all about timing. Once connected, the server will tell you that it made its choice, and you have to give yours.

When connecting several times, you were able to find out that there was a small time gap between the response and the “I’ve made my choice…” sentance. Each choice from the computer has a different time gap. By writing a client that monitors the time taken by the computer to select its response, you were able to guess the computer’s choice and answer accordingly to get the flag :

a27d37684aaf0a158db27d3c77b0a333dc68da0b870432f44eeb5bdcbbf3ac874baa3a8592a94ca799ac8332350cf7a4fd2ea899d54c6d1032286e7c46694dab

Exploit

[code language=”python”]
import socket
from datetime import datetime
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((“127.0.0.1”,9999))
toto = s.recv(1024)
print toto
for i in range(0,20):
tstart = datetime.now()
toto = s.recv(1024)
print toto
tend = datetime.now()
c = tend – tstart
print c
if c.microseconds > 500000:
s.send(“Lizard”)
toto = s.recv(1024)
print toto
elif c.microseconds > 400000:
s.send(“Rock”)
toto = s.recv(1024)
print toto
elif c.microseconds > 300000:
s.send(“Rock”)
toto = s.recv(1024)
print toto
elif c.microseconds > 200000:
s.send(“Scissors”)
toto = s.recv(1024)
print toto
elif c.microseconds > 100000:
s.send(“Paper”)
toto = s.recv(1024)
print toto

toto = s.recv(1024)
print toto
toto = s.recv(1024)
print toto
toto = s.recv(1024)
print toto
[/code]

Source code

[code language=”python”]
import random, SocketServer, time

class GameHandler(SocketServer.BaseRequestHandler):

def handle(self):
self.request.sendall(‘Welcome to Rock-Paper-Scissors-Lizard-Spock Game !n’)
i=0
while i “)
user = self.request.recv(20).strip()
if user in items:
status, message = solve(computer, user)
self.request.sendall(message+’n’)
if status:
self.request.sendall(‘You lostn’)
return
else:
i+=1
else:
self.request.sendall(‘Sorry, not recognizedn’)
return
self.request.sendall(“nWow, you’re clearly the best !nTake this as a present.nn”)
self.request.sendall(‘a27d37684aaf0a158db27d3c77b0a333dc68da0b870432f44eeb5bdcbbf3ac874baa3a8592a94ca799ac8332350cf7a4fd2ea899d54c6d1032286e7c46694dabn’)

def choose():
computer = random.choice(items)
if computer == ‘Rock’:
time.sleep(0.1)
elif computer == ‘Paper’:
time.sleep(0.2)
elif computer == ‘Scissors’:
time.sleep(0.3)
elif computer == ‘Lizard’:
time.sleep(0.4)
elif computer == ‘Spock’:
time.sleep(0.5)
print computer
return computer

def solve(computer, user):
if computer == ‘Rock’:
if user == ‘Paper’:
return (False, “Paper covers Rock”)
elif user == ‘Scissors’:
return (True, ‘Rock crushes Scissors’)
elif user == ‘Lizard’:
return (True, ‘Rock crushes Lizard’)
elif user == ‘Spock’:
return (False, ‘Spock vaporizes Rock’)
elif computer == ‘Paper’:
if user == ‘Rock’:
return (True, ‘Paper covers Rock’)
elif user == ‘Scissors’:
return (False, ‘Scissors cut Paper’)
elif user == ‘Lizard’:
return (False, ‘Lizard eats Paper’)
elif user == ‘Spock’:
return (True, ‘Paper disproves Spock’)
elif computer == ‘Scissors’:
if user == ‘Rock’:
return (False, ‘Rock crushes Scissors’)
elif user == ‘Paper’:
return (True, ‘Scissors cut Paper’)
elif user == ‘Lizard’:
return (True, ‘Scissors decapitate Lizard’)
elif user == ‘Spock’:
return (False, ‘Spock melts Scissors’)
elif computer == ‘Lizard’:
if user == ‘Rock’:
return (False, ‘Rock crushes Lizard’)
elif user == ‘Paper’:
return (True, ‘Lizard eats Paper’)
elif user == ‘Scissors’:
return (False, ‘Scissors decapitate Lizard’)
elif user == ‘Spock’:
return (True, ‘Lizard poinsons Spock’)
elif computer == ‘Spock’:
if user == ‘Rock’:
return (True, ‘Spock vaporizes Rock’)
elif user == ‘Paper’:
return (False, ‘Paper disaproves Spock’)
elif user == ‘Scissors’:
return (True, ‘Spock melts Scissors’)
elif user == ‘Lizard’:
return (False, ‘Lizard poinsons Spock’)
return (True, “Draw. It’s not fair, but…”)

if __name__ == ‘__main__’:

items = [‘Rock’,’Paper’, ‘Scissors’,’Lizard’,’Spock’]

HOST, PORT = “0.0.0.0”, 9999
SocketServer.ThreadingTCPServer.allow_reuse_address = True
server = SocketServer.ThreadingTCPServer((HOST, PORT), GameHandler)
server.serve_forever()
[/code]