Chronohack – PicoCTF WriteUP | Reverse Engineering

Last updated: July 09, 2025

Hi! In this write-up, we will look at how to solve the Chronohack – Reverse Engineering Challenge in PicoCTF. So let’s dive in without wasting any time!

Description:

Can you guess the exact token and unlock the hidden flag? Our school relies on tokens to authenticate students. Unfortunately, someone leaked an important file for token generation. Guess the token to get the flag.

So we need to guess the token generated by the Python script. Download it and let’s analyze it:

What’s it doing?

The token length is 20, which means we have to enter a token that is 20 characters long, and then it is passed to the “get_random” function.

The token contains numbers and letters only!

Then it seeds the random number generator with the current time in milliseconds (Unix epoch time).

Then the “random.choice” method returns a randomly selected element from the specified string.

The time is based on the Unix epoch, so the generated seed depends on the current time.
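Why a token seeded this way is guessable, and what the fix looks like, as an added example (not the challenge's script and not the solver from this write-up). The function names, the alphabet order, the sample timestamp and the 1000 ms window are assumptions made for illustration.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed order: letters, then digits
TOKEN_LEN = 20


def weak_token(seed_ms: int) -> str:
    """Flawed pattern: token drawn from a PRNG seeded with a millisecond timestamp."""
    rng = random.Random(seed_ms)  # same Mersenne Twister that random.seed() drives
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def seeds_matching(token: str, around_ms: int, window_ms: int) -> list[int]:
    """Seeds within +/- window_ms of around_ms that reproduce the token.

    The search space is 2 * window_ms + 1 candidates, not 62**20:
    the token carries no more entropy than the clock uncertainty.
    """
    return [
        s
        for s in range(around_ms - window_ms, around_ms + window_ms + 1)
        if weak_token(s) == token
    ]


def strong_token() -> str:
    """Hardened form: characters come from the OS CSPRNG, so there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


if __name__ == "__main__":
    issued_at = 1_752_019_200_336      # constructed sample timestamp in ms
    token = weak_token(issued_at)

    # An observer whose clock estimate is 300 ms off still recovers the seed.
    observer_clock = issued_at + 300
    print("seed(s) recovered:", seeds_matching(token, observer_clock, 1000))

    # The same 20-character format, generated safely.
    print("CSPRNG token:", strong_token())
```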

So, in practice, it is not possible to guess the token (which is random and 20 characters long) by hand within the same time interval, and network latency is also an issue. To solve this, the Python script below brute-forces the seed, adding a +1 ms offset on each attempt, as we have 50 attempts. After 50 attempts, it re-establishes the connection and continues from where it left off.

Solution Approach

The token is generated when the server accepts our connection, so we need to estimate the server’s time (Ts) and test seeds around it. The steps are:

  1. Connect to the Server: Use a socket to connect and receive the welcome message.
  2. Estimate Server Time: Record the local time when the welcome message is received (T_welcome) and adjust for network latency using a dummy guess to measure round-trip time (RTT).
  3. Generate Tokens: Create tokens for seeds in a range (e.g., Ts - 50 ms to Ts + 1000 ms) to account for timing differences.
  4. Handle Attempt Limits: If 50 attempts are exhausted, reconnect and continue testing remaining seeds.
  5. Stop on Success: Exit immediately when the correct token is found, retrieving the flag.

Here is the Python Script:

NOTE: Change the PORT value to your connection given in the challenge

How quickly the correct token is guessed depends on the network latency, since the guess is based on the Unix epoch time on the server.

Mine worked at 336ms, so don’t worry! As soon as it finds the flag, it will stop.

Thanks for Reading 🙂
