Who doesn’t want to hack Pay TV? :) I do too. The challenge was a nice website with a TV on it that showed static, plus a form that asked for a password.
A quick analysis of the JS revealed the following interesting line:
The interesting part is the &debug parameter.
gave me an interesting response of
As you can see, it returns the “computational time” of the algorithm. Hm? Timing attack? Yup. As it turns out, a (partially) correct code takes significantly longer than an incorrect one. The obvious result was the following Python script:
Type that code into the form and you get the flag on the TV :)
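The server-side cause of a leak like this, and its fix, as an added example that is not code from the challenge or the original post: `SECRET`, the `debug_time` field and all function names are assumptions, and a step counter stands in for the reported computational time.

```python
import hashlib
import hmac
import secrets

SECRET = b"7Q2KD9"                  # constructed sample code, not the challenge's
_MAC_KEY = secrets.token_bytes(32)  # per-process key for the hardened compare


def leaky_verify(guess: bytes) -> dict:
    """Early-exit compare that also reports its work, like a debug timing field."""
    steps = 0
    ok = len(guess) == len(SECRET)
    for g, s in zip(guess, SECRET):
        steps += 1                  # one unit of work per byte examined
        if g != s:
            ok = False
            break                   # stops at the first mismatch: this is the leak
    return {"ok": ok, "debug_time": steps}


def hardened_verify(guess: bytes) -> dict:
    """Compare fixed-length MACs in constant time and expose no work metric."""
    a = hmac.new(_MAC_KEY, guess, hashlib.sha256).digest()
    b = hmac.new(_MAC_KEY, SECRET, hashlib.sha256).digest()
    return {"ok": hmac.compare_digest(a, b)}


def work_profile(verify, guesses):
    """Return what each response reveals besides pass/fail (None if nothing)."""
    return [verify(g).get("debug_time") for g in guesses]


# Constructed guesses sharing 0, 1, 3 and 6 leading bytes with SECRET.
GUESSES = [b"000000", b"700000", b"7Q2000", b"7Q2KD9"]

if __name__ == "__main__":
    print("leaky   :", work_profile(leaky_verify, GUESSES))
    print("hardened:", work_profile(hardened_verify, GUESSES))
```

In the leaky version the reported work grows with the length of the correct prefix; the hardened version does the same amount of work for every guess and returns only pass or fail.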