PwnCollege - Hacker History

External BBS (login)

# telnet 20forbeers.com:1337
# ssh 20forbeers.com:1338
# web http://20forbeers.com:1339/

# Install syncterm to connect to BBS
$ paru -S syncterm

hacker@bbs~external-bbs-login:~$ /challenge/checker.py
Hello! You should've found the DOOM server password on an external BBS. Please enter it now.
Enter password:
********
Correct!
pwn.college{***}

Internal BBS

Since BBSes often allowed only one line to be connected at a time, admins often had to limit users’ daily use time. In this challenge, you will be interacting with a locally run BBS that has a very short visit time (15s). In real life, people made programs to download all data on the BBS, so only new data had to be read in real time.

Some users have left a flag lying around in the message boards; get it before we disconnect you.

The BBS server is running on localhost:1337 when you start the challenge. You can find the server code at /challenge/bbs_server.py.

Scripting Help

If you are new to scripting with Python, here is a script to get you started:

from pwn import *

# Connect to the BBS server
bbs = remote("localhost", 1337)

# Receive until the menu choice prompt (pwntools expects bytes on Python 3)
data = bbs.recvuntil(b"Enter your choice: ")
print("data", data)

# Select option 1 (List message titles)
bbs.sendline(b"1")
data = bbs.recvuntil(b"=== Main Menu ===")
print(data)

You should mostly be able to solve it with the APIs shown in the script. If you need more help, see pwntools.

BBS Server Code

We need to fetch all titles and then request each one quickly before the 15-second timeout.

import os
import re
# Disable terminal features for pwnlib to avoid issues in non-interactive environments
os.environ['PWNLIB_NOTERM'] = '1'

from pwn import *
context.log_level = 'error'

def solve():
    # Connect to the local BBS server
    bbs = remote("localhost", 1337)

    # Wait for the initial menu
    bbs.recvuntil(b"Enter your choice: ")

    # Request list of all message titles
    bbs.sendline(b"1")

    # Capture the output containing titles
    data = bbs.recvuntil(b"Enter your choice: ").decode('utf-8', errors='ignore')

    # Remove ANSI escape codes (colors) for cleaner parsing
    ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
    clean_data = ansi_escape.sub('', data)

    # Extract titles using regex. Format: "000: Title Name"
    titles = re.findall(r'^\d{3}:\s*(.*)$', clean_data, re.MULTILINE)

    # Batch the requests: Send "2" (Read message) followed by the title for each message
    payload = []
    for t in titles:
        payload.append("2")
        payload.append(t)

    # Send all requests at once to maximize speed
    bbs.sendline("\n".join(payload).encode('utf-8'))

    # Collect all response data until timeout or connection close
    dump = ""  # stays empty if the receive fails, so the search below still runs
    try:
        dump = bbs.recvall(timeout=15).decode('utf-8', errors='ignore')
    except EOFError:
        pass

    # Search for the flag in the dumped content
    match = re.search(r'pwn\.college\{.*?\}', dump)
    if match:
        print(f"Flag: {match.group(0)}")
    else:
        print("fail")

if __name__ == "__main__":
    solve()

# Run the solution script with specific terminal environment if needed
TERM=xterm python a.py

Join an IRC Server

hacker@irc~join-an-irc-server:~$ nc localhost 6667

nick kita
user d 0 * :kita!
:localhost 001 kita :Hi, welcome to IRC
:localhost 002 kita :Your host is localhost, running version miniircd-2.3
:localhost 003 kita :This server was created sometime
:localhost 004 kita localhost miniircd-2.3 o o
:localhost 251 kita :There are 1 users and 0 services on 1 server
:localhost 375 kita :- localhost Message of the day -
:localhost 372 kita :- pwn.college{***}
:localhost 376 kita :End of /MOTD command

Join an IRC Server (with an IRC client)

hacker@irc~join-an-irc-server-with-an-irc-client:~$ sic --help
usage: sic [-h host] [-p port] [-n nick] [-k keyword] [-v]
hacker@irc~join-an-irc-server-with-an-irc-client:~$ sic -h localhost -p 6667
localhost : 2026-04-01 07:40 >< 001 (unknown): Hi, welcome to IRC
localhost : 2026-04-01 07:40 >< 002 (unknown): Your host is localhost, running version miniircd-2.3
localhost : 2026-04-01 07:40 >< 003 (unknown): This server was created sometime
localhost : 2026-04-01 07:40 >< 004 (unknown localhost miniircd-2.3 o o):
localhost : 2026-04-01 07:40 >< 251 (unknown): There are 1 users and 0 services on 1 server
localhost : 2026-04-01 07:40 >< 375 (unknown): - localhost Message of the day -
localhost : 2026-04-01 07:40 >< 372 (unknown): - pwn.college{***}
localhost : 2026-04-01 07:40 >< 376 (unknown): End of /MOTD command

Change your nickname

hacker@irc~change-your-nickname:~$ nc localhost 6667
NICK archuser
USER archuser 0 * :I use Arch btw
:localhost 001 archuser :Hi, welcome to IRC
:localhost 002 archuser :Your host is localhost, running version miniircd-2.3
:localhost 003 archuser :This server was created sometime
:localhost 004 archuser localhost miniircd-2.3 o o
:localhost 251 archuser :There are 1 users and 0 services on 1 server
:localhost 422 archuser :MOTD File is missing
NICK pwn
:archuser!archuser@127.0.0.1 NICK pwn
:localhost pwn.college{***}

Join a channel

hacker@irc~join-a-channel:~$ nc localhost 6667
nick a
user a 0 * :a
:localhost 001 a :Hi, welcome to IRC
:localhost 002 a :Your host is localhost, running version miniircd-2.3
:localhost 003 a :This server was created sometime
:localhost 004 a localhost miniircd-2.3 o o
:localhost 251 a :There are 1 users and 0 services on 1 server
:localhost 422 a :MOTD File is missing
list
:localhost 323 a :End of LIST
join #flag
:a!a@127.0.0.1 JOIN #flag
:localhost pwn.college{***}

:localhost 331 a #flag :No topic is set
:localhost 353 a = #flag :a
:localhost 366 a #flag :End of NAMES list

Message a channel

hacker@irc~message-a-channel:~$ nc localhost 6667
nick a
user a 0 * :a
:localhost 001 a :Hi, welcome to IRC
:localhost 002 a :Your host is localhost, running version miniircd-2.3
:localhost 003 a :This server was created sometime
:localhost 004 a localhost miniircd-2.3 o o
:localhost 251 a :There are 1 users and 0 services on 1 server
:localhost 422 a :MOTD File is missing
join #flag
:a!a@127.0.0.1 JOIN #flag
:localhost 331 a #flag :No topic is set
:localhost 353 a = #flag :a
:localhost 366 a #flag :End of NAMES list
privmsg #flag :a
:localhost pwn.college{***}

Remove another user

hacker@irc~remove-another-user:~$ nc localhost 6667
NICK archlinux
USER archlinux 0 * :I use Arch btw
:localhost 001 archlinux :Hi, welcome to IRC
:localhost 002 archlinux :Your host is localhost, running version miniircd-2.3
:localhost 003 archlinux :This server was created sometime
:localhost 004 archlinux localhost miniircd-2.3 o o
:localhost 251 archlinux :There are 1 users and 0 services on 1 server
:localhost 422 archlinux :MOTD File is missing
PRIVMSG pwn :Press alt+f4 to join my channel
:localhost 401 archlinux pwn :No such nick/channel
NICK pwn
:archlinux!archlinux@127.0.0.1 NICK pwn
:localhost pwn.college{***}
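
The server lines in the IRC sessions above share one format: an optional `:prefix`, a command or three-digit numeric, then parameters, the last of which may start with `:` and contain spaces. The following Python parser is an added example, not part of the original write-up or the challenge code; it splits those lines and tracks registration and nick changes, and the names `parse_line`, `nick_of` and `track_session` are this example's own.

```python
import re
from typing import NamedTuple, Optional

class IrcMessage(NamedTuple):
    prefix: Optional[str]  # server name or nick!user@host, without the leading ':'
    command: str           # three-digit numeric ("001") or verb ("NICK")
    params: list           # middle parameters, then the trailing one if present

def parse_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command and parameters."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # Text after the first " :" is a single trailing parameter and may contain spaces.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    params = parts[1:] + ([trailing] if sep else [])
    return IrcMessage(prefix, parts[0] if parts else "", params)

def nick_of(prefix: Optional[str]) -> Optional[str]:
    """Return the nick from nick!user@host; a bare server name is returned as is."""
    return re.split(r"[!@]", prefix, maxsplit=1)[0] if prefix else None

def track_session(lines):
    """Follow the server's side of a session: registration, MOTD, nick changes."""
    state = {"nick": None, "burst_done": False, "motd": [], "nonstandard": []}
    for msg in map(parse_line, lines):
        if msg.command == "001":                      # welcome: params[0] is our nick
            state["nick"] = msg.params[0]
        elif msg.command == "372":                    # one MOTD line
            state["motd"].append(msg.params[-1])
        elif msg.command in ("376", "422"):           # end of MOTD / no MOTD file
            state["burst_done"] = True
        elif msg.command == "NICK" and nick_of(msg.prefix) == state["nick"]:
            state["nick"] = msg.params[0]             # our own rename was accepted
        elif not re.fullmatch(r"\d{3}|[A-Za-z]+", msg.command):
            state["nonstandard"].append(msg.command)  # neither a numeric nor a verb
    return state

# Server lines copied from the "Change your nickname" session on this page
# (flag masked as on the page).
SAMPLE = [
    ":localhost 001 archuser :Hi, welcome to IRC",
    ":localhost 004 archuser localhost miniircd-2.3 o o",
    ":localhost 422 archuser :MOTD File is missing",
    ":archuser!archuser@127.0.0.1 NICK pwn",
    ":localhost pwn.college{***}",
]

if __name__ == "__main__":
    print(track_session(SAMPLE))
```

The flag line ends up under `nonstandard` because the challenge server sends it with a prefix but no numeric or verb.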