OTP Smasher — H@cktivityCon 2021 CTF

This is my write-up for H@cktivityCon 2021 CTF. I had already completed 2 of the challenges and noticed that points were dependent on the number of solves. So, to get more points for the team, I decided to go for a challenge that would have fewer attempts, like the scripting challenges. The one I knew could be solved was OTP Smasher.

The description of the challenge hints at automating the process.
First look at OTP Smasher.

The image had an OTP which had to be submitted continuously. For the flag to appear, I had to read the OTP from the image and submit these OTPs instantaneously and continuously. After having a closer look, I noticed there is a number that marks the number of correct submissions. It was obvious to use OCR to get the OTP and then submit the number.

So my first attempt was using Python with pytesseract to read the numbers and then Selenium to submit them. However, after completing the code, I realized Selenium is too slow. The count went up to 1 and then back to 0. Hence the idea of using Selenium was dropped. I even tried to send concurrent requests, but the count would reset to 0 as the same OTP was sent multiple times.

I spoke about this with my team member Dexter0us. His idea was to use Golang for this challenge, and even multi-thread the process if needed. For this code to work, you will need to install tesseract.

Here is a snippet of our code.

The flag

In the end, we didn’t need to multi-thread the code. Here is also a gist of the code.
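Why duplicate concurrent submissions zeroed the counter while a plain read-then-submit loop did not, shown as an added Go model (not the team's solver and not the challenge's real server code). It assumes every submission rotates the OTP and any mismatch resets the streak; `Server`, `State`, `Submit` and `Run` are hypothetical names.

```go
package main
import (
	"fmt"
	"sync"
)
// Server is a hypothetical model of the challenge, not its real code.
type Server struct {
	mu          sync.Mutex
	otp, streak int
}

// State stands in for loading the page: the OTP shown and the solve counter.
func (s *Server) State() (otp, streak int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.otp, s.streak
}

// Submit counts a match, resets on a mismatch, then always rotates the OTP.
func (s *Server) Submit(guess int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if guess == s.otp {
		s.streak++
	} else {
		s.streak = 0
	}
	s.otp = (s.otp*1103515245 + 12345) & 0x7fffffff // constructed LCG
}

// Run reads the OTP once per round and submits it from `workers` goroutines.
func Run(rounds, workers int) int {
	s := &Server{otp: 4242} // constructed starting OTP
	for r := 0; r < rounds; r++ {
		otp, _ := s.State()
		var wg sync.WaitGroup
		for w := 0; w < workers; w++ {
			wg.Add(1)
			go func() { defer wg.Done(); s.Submit(otp) }()
		}
		wg.Wait()
	}
	_, streak := s.State()
	return streak
}

func main() {
	fmt.Println("sequential:", Run(50, 1), "duplicates x4:", Run(50, 4))
}
```

With one worker the streak climbs every round; with several, the first copy of an OTP is accepted and the stale copies that follow reset the count.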

And lastly, if you’d like to join my team and be a part of the community, come join the Bounty Hunters Discord! https://discord.gg/bugbounty.

ScreaM

A computer enthusiast, gamer, programmer, and learning to hack