# SideChannel

## Challenge

There's something fishy about this PIN-code checker, can you figure out the PIN and get the flag? Download the PIN checker program here [pin_checker](https://artifacts.picoctf.net/c/143/pin_checker). Once you've figured out the PIN (and gotten the checker program to accept it), connect to the master server using `nc saturn.picoctf.net 55824` and provide it the PIN to get your flag.

## Solution

1. Searching for "timing-based side-channel attacks", as mentioned in the hints, finds the [Wikipedia page for Timing attack](https://en.wikipedia.org/wiki/Timing_attack) and [this article on Medium](https://medium.com/spidernitt/introduction-to-timing-attacks-4e1e8c84b32b). The first part of the Medium article describes exactly the exploit used here.
2. We can use the Unix `time` command to measure how long it takes for different PIN values to be validated. For example, running `time echo 10000000 | ./pin_checker` displays the following:

```
Please enter your 8-digit PIN code:
8
Checking PIN...
Access denied.
echo 10000000  0.00s user 0.00s system 44% cpu 0.001 total
./pin_checker  0.13s user 0.00s system 99% cpu 0.128 total
```

3. So, it took 0.13s to check `10000000`. We can increment the first digit by one and see the execution time. Running `time echo 40000000 | ./pin_checker` shows that it takes 0.25s to execute. The longer run time means the checker got past the first digit before rejecting the PIN, so 4 is the correct first digit. We can repeat the same process for the remaining digits.
4. Rather than doing this by hand, we write a [script.py](https://github.com/HHousen/PicoCTF-2022/blob/master/Forensics/SideChannel/script.py) to automate the process. Running the solution [script.py](https://github.com/HHousen/PicoCTF-2022/blob/master/Forensics/SideChannel/script.py) finds that the PIN is `48390513`.
5. Running `nc saturn.picoctf.net 55824` and entering the PIN we found prints the flag.
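
The leak behind the steps above, and its fix, as an added example (not the linked `script.py` and not the challenge's code). It assumes the checker compares digit by digit and stops at the first mismatch, which the page's timings suggest but do not show; `SECRET` is a constructed PIN, and a step counter stands in for the wall-clock time measured with `time` so the result is deterministic.

```python
import hmac

SECRET = "27182818"  # constructed sample PIN, not the challenge's


def leaky_check(guess, secret=SECRET):
    """Early-exit compare. Returns (ok, cost); cost grows with the matching prefix."""
    cost = 0
    if len(guess) != len(secret):
        return False, cost
    for g, s in zip(guess, secret):
        cost += 1  # stands in for the per-digit delay seen with `time`
        if g != s:
            return False, cost
    return True, cost


def hardened_check(guess, secret=SECRET):
    """Constant-time compare: every same-length guess costs the same."""
    ok = hmac.compare_digest(guess.encode(), secret.encode())
    return ok, len(secret)


def recover(check, length=8):
    """Digit-by-digit search using only the cost signal. Returns (pin, guesses)."""
    known, guesses = "", 0
    for pos in range(length):
        costs = {}
        for d in "0123456789":
            guess = known + d + "0" * (length - pos - 1)
            ok, cost = check(guess)
            guesses += 1
            if ok:
                return guess, guesses
            costs[d] = cost
        best = max(costs, key=costs.get)
        if list(costs.values()).count(costs[best]) != 1:
            return None, guesses  # no digit stands out, so nothing leaks
        known += best
    return None, guesses


if __name__ == "__main__":
    print("early-exit check:   ", recover(leaky_check))     # PIN found in 79 guesses
    print("constant-time check:", recover(hardened_check))  # gives up after 10
```

With the early-exit check the search space drops from 10^8 PINs to at most 80 guesses; with the constant-time comparison every guess costs the same and the search has nothing to follow.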

### Flag

`picoCTF{t1m1ng_4tt4ck_9803bd25}`

