# NullconCTF 2026 ## cry ### Booking Key #### Description A book cipher challenge using an abridged Alice's Adventures in Wonderland (Project Gutenberg #19033, "Storyland" series). The server encrypts a random 32-character password using a book cipher and sends the ciphertext (list of step counts). We must decrypt 3 passwords correctly to get the flag. The encryption works by walking through the book text character-by-character: for each password character, it counts how many steps forward from the current position until that character is found. The count is appended to the cipher, and the cursor stays at the found position. #### Solution **Key observations:** 1. The book text is from PG #19033, including the "Produced by..." credit header and a trailing newline (total 53597 chars). 2. Given the cipher (list of offsets), we can try all possible starting positions and decrypt. Each starting position yields a unique candidate password. 3. Most starting positions produce non-letter characters (spaces, punctuation), so we filter for candidates where all 32 characters are ASCII letters. 4. To distinguish the correct candidate from false positives, we use two heuristics: * **Violation count**: For each step, check if the target character appears earlier than where the cipher says. The true password has 0 violations. * **Uppercase ratio**: Random passwords from 51 chars (25 upper, 26 lower) should have \~49% uppercase. False positives tend to land on common lowercase English text. **Algorithm:** * For each starting position (0 to len(BOOK)-1), compute cumulative sums of cipher values to get the 32 character positions. * Filter: all positions must be letters. * Score: count violations (target char appearing before expected position) and uppercase ratio. * Pick the candidate with 0 violations and realistic uppercase ratio. ```python #!/usr/bin/env python3 from pwn import * import ast import string # Download PG #19033: https://www.gutenberg.org/files/19033/19033-0.txt # Extract body between *** START *** and *** END *** markers with open('pg19033.txt', 'r') as f: pg = f.read() pg_s = pg.index('*** START OF THE PROJECT GUTENBERG EBOOK 19033 ***\n') + len('*** START OF THE PROJECT GUTENBERG EBOOK 19033 ***\n') pg_e = pg.index('\n*** END OF THE PROJECT GUTENBERG EBOOK 19033 ***') pg_body = pg[pg_s:pg_e] # The server's book.txt = "Produced by..." header + PG body + trailing newline header = ("Produced by Jason Isbell, Irma Spehar, and the Online\n" "Distributed Proofreading Team at http://www.pgdp.net\n" "\n\n\n\n\n\n\n\n\n") BOOK = header + pg_body + "\n" n = len(BOOK) charset_set = set(c for c in string.ascii_letters if c in BOOK) is_letter = [BOOK[i] in charset_set for i in range(n)] def decrypt(cipher, book, start): current = start password = [] for count in cipher: current = (current + count) % len(book) password.append(book[current]) return ''.join(password) def verify_and_score(cipher, book, start): current = start nn = len(book) violations = 0 password = [] for count in cipher: target_pos = (current + count) % nn target = book[target_pos] if target not in charset_set: return None for j in range(min(count, 500)): if book[(current + j) % nn] == target: violations += 1 break password.append(target) current = target_pos pwd = ''.join(password) upper_count = sum(1 for c in pwd if c.isupper()) return (violations, upper_count, pwd) def solve(cipher): cum = [] s = 0 for c in cipher: s += c cum.append(s % n) candidates = [] for start in range(n): valid = True for offset in cum: if not is_letter[(start + offset) % n]: valid = False break if valid: result = verify_and_score(cipher, BOOK, start) if result: candidates.append(result) candidates.sort(key=lambda x: (x[0], abs(x[1] - 15.7))) return candidates r = remote('52.59.124.14', 5102) r.recvline() for _ in range(3): cipher = ast.literal_eval(r.recvline().decode().strip()) candidates = solve(cipher) password = candidates[0][2] r.recvuntil(b'password: ') r.sendline(password.encode()) print(r.recvline().decode().strip()) print(r.recvline().decode().strip()) r.close() ``` **Flag:** `ENO{y0u_f1nd_m4ny_th1ng5_in_w0nd3r1and}` ### Going in circles #### Description We're given a server that reads a flag, generates a random 32-bit polynomial `f`, computes a CRC-like reduction of the flag modulo `f` in GF(2)\[x], and prints both the result and `f`. Each connection gives a new random `f` but the same flag. ```python from Crypto.Util import number BITS = 32 def reduce(a,f): while (l := a.bit_length()) > BITS: a ^= f << (l - BITS) return a flag = int.from_bytes(open('flag.txt','r').read().strip().encode(), byteorder = 'big') f = number.getRandomNBitInteger(BITS) print(reduce(flag,f),f) ``` #### Solution The `reduce` function performs polynomial long division in GF(2)\[x] — this is exactly how CRC checksums work (hence "going in circles"). Each connection gives us `flag mod f` for a random 32-bit polynomial `f`. Since GF(2)\[x] is a Euclidean domain, the Chinese Remainder Theorem applies. By collecting enough `(remainder, f)` pairs from the server and applying CRT in GF(2)\[x], we can reconstruct the full flag polynomial once the product of the moduli exceeds the flag's bit length. Key details: * The `reduce` function stops one step early (when `bit_length <= 32` instead of `< 32`), so we compute the proper remainder via an extra `gf2_mod(result, f)` step * Random 32-bit polynomials often share small factors, so we use `remove_common_factors` to extract the coprime part of each new `f` relative to the accumulated modulus, maximizing information from each sample * \~50 samples are sufficient for a typical flag length (\~300 bits) ```python from pwn import * import time BITS = 32 def gf2_divmod(a, b): if b == 0: raise ZeroDivisionError deg_b = b.bit_length() - 1 q = 0 while a != 0 and a.bit_length() - 1 >= deg_b: shift = a.bit_length() - 1 - deg_b q ^= (1 << shift) a ^= b << shift return q, a def gf2_mod(a, b): return gf2_divmod(a, b)[1] def gf2_mul(a, b): result = 0 while b: if b & 1: result ^= a a <<= 1 b >>= 1 return result def gf2_gcd(a, b): while b: _, r = gf2_divmod(a, b) a, b = b, r return a def gf2_ext_gcd(a, b): old_r, r = a, b old_s, s = 1, 0 old_t, t = 0, 1 while r: q, rem = gf2_divmod(old_r, r) old_r, r = r, rem old_s, s = s, old_s ^ gf2_mul(q, s) old_t, t = t, old_t ^ gf2_mul(q, t) return old_r, old_s, old_t def gf2_crt(r1, m1, r2, m2): g, s, t = gf2_ext_gcd(m1, m2) assert g == 1 mod = gf2_mul(m1, m2) x = gf2_mod( gf2_mul(r1, gf2_mul(t, m2)) ^ gf2_mul(r2, gf2_mul(s, m1)), mod ) return x, mod def remove_common_factors(f, mod): while True: g = gf2_gcd(f, mod) if g == 1: return f f, _ = gf2_divmod(f, g) if f <= 1: return f samples = [] for i in range(50): r = remote('52.59.124.14', 5100) data = r.recvline().decode().strip() r.close() parts = data.split() remainder, f = int(parts[0]), int(parts[1]) samples.append((gf2_mod(remainder, f), f)) time.sleep(0.02) current_r, current_mod = samples[0] for i in range(1, len(samples)): r2, f2 = samples[i] f2_new = remove_common_factors(f2, current_mod) if f2_new <= 1: continue r2_new = gf2_mod(r2, f2_new) current_r, current_mod = gf2_crt(current_r, current_mod, r2_new, f2_new) flag_bytes = current_r.to_bytes((current_r.bit_length() + 7) // 8, byteorder='big') print(flag_bytes.decode()) # ENO{CRC_is_just_some_modular_remainder} ``` Flag: `ENO{CRC_is_just_some_modular_remainder}` ### Matrixfun II #### Description A "post-quantum cryptography" implementation that encrypts messages using an affine cipher over a custom alphabet. The server encrypts the flag and provides a chosen-plaintext oracle. The encryption works as follows: 1. Base64-encode the plaintext 2. Pad with `=` to a multiple of 16 characters 3. For each 16-character block, map characters to indices in a custom 65-character alphabet (`a-zA-Z0-9+/=`), then compute `c = (A * m + b) mod 65` where A is a random 16x16 matrix and b is a random 16-vector #### Solution **Key insight 1: Chosen-plaintext oracle allows full key recovery.** By sending carefully crafted messages, we can recover A column-by-column and then compute b. **Key insight 2: MOD = 65 = 5 \* 13 is composite.** The alphabet has 65 characters, not a prime number. This means Z/65Z is not a field, so standard modular matrix inversion fails. Instead, we must use the Chinese Remainder Theorem to solve the linear system in GF(5) and GF(13) separately, then combine results. **Key recovery:** * Send 12 zero bytes as reference. Base64 encodes to `AAAAAAAAAAAAAAAA` (all index 26). * For each position j (0-15), send 12 bytes crafted so exactly one base64 position changes from `A` to `B` (index 26 to 27, difference of +1). * The difference between each test cipher and the reference cipher gives column j of matrix A directly. * Then `b = ref_cipher - A * [26]*16 (mod 65)`. **Decryption via CRT:** * For each flag cipher block, solve `A * x ≡ (c - b) (mod 65)` by: 1. Solving `A * x ≡ (c - b) (mod 5)` in GF(5) 2. Solving `A * x ≡ (c - b) (mod 13)` in GF(13) 3. Combining via CRT to get x mod 65 * Convert recovered indices back to base64 characters and decode. ```python #!/usr/bin/env python3 from pwn import * import base64 import json alphabet = b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=' MOD = len(alphabet) # 65 = 5 * 13 (NOT prime!) n = 16 def solve_in_field(A, rhs, p): """Solve A*x = rhs in GF(p) using Gaussian elimination""" sz = len(A) aug = [[a % p for a in A[i]] + [rhs[i] % p] for i in range(sz)] for col in range(sz): pivot = -1 for row in range(col, sz): if aug[row][col] % p != 0: pivot = row break assert pivot != -1, f"Singular mod {p} at col {col}" aug[col], aug[pivot] = aug[pivot], aug[col] inv_val = pow(aug[col][col], p - 2, p) aug[col] = [(x * inv_val) % p for x in aug[col]] for row in range(sz): if row != col and aug[row][col] != 0: factor = aug[row][col] aug[row] = [(aug[row][j] - factor * aug[col][j]) % p for j in range(sz + 1)] return [aug[i][sz] for i in range(sz)] def crt2(r1, m1, r2, m2): """CRT: find x such that x = r1 (mod m1) and x = r2 (mod m2)""" m1_inv = pow(m1, m2 - 2, m2) t = ((r2 - r1) * m1_inv) % m2 return (r1 + m1 * t) % (m1 * m2) def solve_system_mod65(A, rhs): """Solve A*x = rhs (mod 65) using CRT with p=5 and p=13""" x5 = solve_in_field(A, rhs, 5) x13 = solve_in_field(A, rhs, 13) return [crt2(x5[i], 5, x13[i], 13) for i in range(len(rhs))] r = remote('52.59.124.14', 5101) # Read encrypted flag flag_cipher = json.loads(r.recvline().decode().strip()) def query(hex_msg): r.sendlineafter(b'(in hex): ', hex_msg) return json.loads(r.recvline().decode().strip()) # Reference: 12 zero bytes -> base64 'AAAAAAAAAAAAAAAA' -> all index 26 ref_cipher = query(b'000000000000000000000000')[:n] # Recover A column by column: each test changes one b64 position by +1 A = [[0]*n for _ in range(n)] for j in range(n): msg = bytearray(12) g, p = j // 4, j % 4 if p == 0: msg[3*g] = 4 # changes b64 char at pos 4g elif p == 1: msg[3*g + 1] = 16 # changes b64 char at pos 4g+1 elif p == 2: msg[3*g + 2] = 64 # changes b64 char at pos 4g+2 elif p == 3: msg[3*g + 2] = 1 # changes b64 char at pos 4g+3 cipher_j = query(msg.hex().encode())[:n] for i in range(n): A[i][j] = (cipher_j[i] - ref_cipher[i]) % MOD # Recover b = ref_cipher - A * [26]*16 (mod 65) ref_plain = [26] * n Ap = [sum(A[i][j] * 26 for j in range(n)) % MOD for i in range(n)] b_vec = [(ref_cipher[i] - Ap[i]) % MOD for i in range(n)] # Decrypt flag using CRT-based solver decrypted = [] for blk in range(len(flag_cipher) // n): block = flag_cipher[blk*n : (blk+1)*n] rhs = [(block[i] - b_vec[i]) % MOD for i in range(n)] decrypted.extend(solve_system_mod65(A, rhs)) # Convert indices to base64 and decode b64_bytes = bytes([alphabet[idx] for idx in decrypted]) b64_str = b64_bytes.rstrip(b'=') pad_needed = (4 - len(b64_str) % 4) % 4 b64_str += b'=' * pad_needed flag = base64.b64decode(b64_str).decode() print(flag) # ENO{l1ne4r_alg3br4_i5_ev3rywh3re} r.sendlineafter(b'(in hex): ', b'exit') r.close() ``` Flag: `ENO{l1ne4r_alg3br4_i5_ev3rywh3re}` ### TLS #### Description "TLS 0.1" hybrid encryption protocol: RSA-1337 encrypts an AES-128-CBC key, and the server provides a decryption oracle. The server reveals whether the RSA-decrypted key value exceeds `2^128` ("something else went wrong") or not ("invalid padding" / other). The AES key is generated as `bytes(8) + os.urandom(8)`, giving only 64 bits of entropy. Additionally, the CRT reconstruction has a bug (`% privkey.q` instead of `% privkey.p`), but this doesn't affect decryption of small plaintexts where `m_p == m_q`. #### Solution **Attack**: Binary search via RSA homomorphism + key-size oracle (Manger-style). The AES key `k` satisfies `0 <= k < 2^64`. Using RSA's multiplicative homomorphism, multiplying the ciphertext by `s^e mod n` makes the server decrypt `k * s mod n`. Since `k * s` stays well below `min(p, q) ~ 2^668`, the buggy CRT still produces correct results. The oracle boundary at `2^128` lets us binary search: choose `s = ceil(2^128 / mid)` so that `k * s >= 2^128` iff `k >= mid`. This recovers the full 64-bit key in exactly 64 queries, then we decrypt the flag ciphertext locally with AES-CBC. ```python #!/usr/bin/env python3 from pwn import * from Crypto.Util.number import bytes_to_long, long_to_bytes from Crypto.Cipher import AES r = remote('52.59.124.14', 5104) n = int(r.recvline().strip().decode()) cipher_hex = r.recvline().strip().decode() cipher = bytes.fromhex(cipher_hex) # Parse ciphertext: len(4) + iv(16) + enc_msg(l) + enc_key l = bytes_to_long(cipher[:4]) flag_iv = cipher[4:20] flag_enc_msg = cipher[20:20+l] flag_enc_key = bytes_to_long(cipher[20+l:]) e = 65537 B = 2**128 r.recvuntil(b'input cipher (hex): ') def oracle(s_val): """Returns True if k * s_val < 2^128""" modified_enc_key = (flag_enc_key * pow(s_val, e, n)) % n crafted = (16).to_bytes(4, 'big') + b'\x00' * 16 + b'\x00' * 16 + long_to_bytes(modified_enc_key) r.sendline(crafted.hex().encode()) response = r.recvuntil(b'input cipher (hex): ') return b'something else went wrong' not in response # Binary search for the 64-bit AES key lo, hi = 0, 2**64 while lo < hi - 1: mid = (lo + hi) // 2 s_val = -(-B // mid) # ceil(2^128 / mid) if oracle(s_val): hi = mid else: lo = mid k = lo key_bytes = b'\x00' * 8 + k.to_bytes(8, 'big') decrypter = AES.new(key_bytes, AES.MODE_CBC, iv=flag_iv) plaintext = decrypter.decrypt(flag_enc_msg) pad_byte = plaintext[-1] if 1 <= pad_byte <= 16: plaintext = plaintext[:-pad_byte] log.success(f"Flag: {plaintext.decode()}") r.close() ``` **Flag**: `ENO{Y4y_a_f4ctor1ng_0rac13}` ### Tetraes #### Description A modified AES implementation ("TetraES") encrypts the key with itself and provides an encryption oracle. We must recover the key to get the flag. Key differences from standard AES: * **S-box collision**: `S[0x00]` changed from `0x63` to `0x64`, creating a collision with `S[0x8C] = 0x64`. The S-box is no longer bijective. * **No key schedule**: Round keys are simply byte-rotations of the original key (`rotate(key, r+1)`). * **16 rounds** instead of 10. * **Extra tweak**: `state[0][0] ^= r ^ 42` in each AddRoundKey. #### Solution The S-box collision `S[0x00] = S[0x8C] = 0x64` is the critical vulnerability. **Core insight**: If two plaintexts P1 and P2 differ only at byte position `n` by `0x8C`, and the state byte at position `n` after the initial AddRoundKey is either `0x00` or `0x8C`, then SubBytes produces the same output for both. Since the rest of the computation is identical, both plaintexts encrypt to the same ciphertext. After initial ARK: `state[n] = P[n] ^ K[n]` (with an extra `^42` at position 0). So the collision occurs when `P[n] ^ K_adj[n] in {0x00, 0x8C}`, revealing `K_adj[n]` to within 2 candidates. **Attack**: 1. For each of the 16 byte positions, query the oracle with all 256 possible byte values (other bytes zero). Find which pair `(v, v ^ 0x8C)` produces identical ciphertexts. 2. This narrows each key byte to 2 candidates (2^16 = 65,536 total keys). 3. Brute-force locally using the self-encryption constraint `encrypt(K, K) = given_ciphertext`. ```python from pwn import * S = ( 0x64, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16, ) def rotate(l, k): k %= len(l) return l[k:] + l[:k] def cross(m, s): res = 0 for i in range(4): if m[i] == 1: res ^= s[i] elif m[i] == 2: if s[i] < 128: res ^= s[i] << 1 else: res ^= (s[i] << 1) ^ 0x11b else: res ^= s[i] if s[i] < 128: res ^= s[i] << 1 else: res ^= (s[i] << 1) ^ 0x11b return res def mix_column(state): cols = [[state[i][j] for i in range(4)] for j in range(4)] base_m = [2, 3, 1, 1] res = [[cross(rotate(base_m, -j), cols[i]) for j in range(4)] for i in range(4)] return [[res[i][j] for i in range(4)] for j in range(4)] def ark(state, round_key, r): for i in range(4): for j in range(4): state[i][j] ^= round_key[4 * i + j] state[0][0] ^= r ^ 42 return state def aes(message, key): state = [[c for c in message[i*4:(i+1)*4]] for i in range(4)] state = ark(state, key, 0) for r in range(16): state = [[S[c] for c in row] for row in state] state = [rotate(state[i], i) for i in range(4)] state = mix_column(state) state = ark(state, rotate(key, r + 1), r + 1) return b''.join(bytes(row) for row in state) def encrypt(message, key): if len(message) % 16 != 0: message = message + b'\x00' * (16 - len(message) % 16) cipher = b'' for i in range(0, len(message), 16): cipher += aes(message[i:i + 16], key) return cipher def recv_ct(r): line = r.recvline().decode().strip() while 'cipher.hex()' not in line: line = r.recvline().decode().strip() ct = line.split("'")[1] r.recvuntil(b'message to encrypt: ') return ct r = remote('52.59.124.14', 5103) line = r.recvline().decode().strip() self_ct = line.split("'")[1] r.recvuntil(b'message to encrypt: ') candidates = [None] * 16 for n in range(16): # Pipeline 256 queries for this byte position for v in range(256): p = bytearray(16) p[n] = v r.sendline(p.hex().encode()) cts = {} for v in range(256): cts[v] = recv_ct(r) # Find the collision pair (v, v^0x8C) with matching ciphertexts for v in range(128): if cts[v] == cts[v ^ 0x8C]: candidates[n] = (v, v ^ 0x8C) break r.sendline(b'end') # Convert K_adj to K (position 0 has extra ^42 tweak) key_candidates = [None] * 16 for n in range(16): a, b = candidates[n] if n == 0: key_candidates[n] = (a ^ 42, b ^ 42) else: key_candidates[n] = (a, b) # Brute-force 2^16 candidates against self-encryption self_ct_bytes = bytes.fromhex(self_ct) for bits in range(2**16): key_guess = bytes(key_candidates[n][1 if bits & (1 << n) else 0] for n in range(16)) if encrypt(key_guess, key_guess) == self_ct_bytes: r.sendlineafter(b'key in hex? ', key_guess.hex().encode()) print(r.recvall(timeout=5).decode()) break ``` Flag: `ENO{a1l_cop5_ar3_br0adca5t1ng_w1th_t3tra}` *** ## misc ### rdctd 1 #### Description We are given a PDF (`attachments/Planned-Flags-signed-2.pdf`) that contains 6 hidden flags. This task asks for the flag “containing a 1”. #### Solution On page 3 the PDF contains a readable sentence with the first flag: * `ENO{stability gradient 1 disrupted}` However, the PDF does **not** encode the separators as literal underscore characters. Instead, the “\_” separators are drawn as tiny line segments between words (visible by inspecting the page’s content stream, e.g. `mutool show attachments/Planned-Flags-signed-2.pdf 37`), so `pdftotext` extracts them as spaces. Therefore, to get the real flag we: 1. Extract all `ENO{...}` occurrences with `pdftotext -layout`. 2. For each match, split the inner text on whitespace and join with `_`. 3. Pick the first normalized flag containing token `1`. Result: * `ENO{stability_gradient_1_disrupted}` Run: * `./solve.sh` Solution code (`solve.py` and `solve.sh`): ```python #!/usr/bin/env python3 import re import subprocess import sys from pathlib import Path def pdftotext(pdf_path: Path) -> str: try: return subprocess.check_output( ["pdftotext", "-layout", str(pdf_path), "-"], stderr=subprocess.DEVNULL, text=True, ) except FileNotFoundError: raise SystemExit("pdftotext not found in PATH") def normalize_flag(flag_text: str) -> str: inner = flag_text[len("ENO{") : -1] parts = [p for p in re.split(r"\s+", inner.strip()) if p] cleaned = [] for part in parts: part = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", part) if part: cleaned.append(part) return "ENO{" + "_".join(cleaned) + "}" def main() -> int: pdf = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("attachments/Planned-Flags-signed-2.pdf") if not pdf.exists(): print(f"PDF not found: {pdf}", file=sys.stderr) return 2 text = pdftotext(pdf) candidates = re.findall(r"ENO\{[^}]+\}", text) normalized = [normalize_flag(c) for c in candidates] want = [f for f in normalized if re.search(r"(^|_)1(_|\})", f)] want = sorted(set(want), key=normalized.index) if not want: print("No flag containing '1' found", file=sys.stderr) return 1 print(want[0]) return 0 if __name__ == "__main__": raise SystemExit(main()) ``` ```bash #!/usr/bin/env bash set -euo pipefail python3 solve.py ``` ### rdctd 2 #### Description We are given `attachments/Planned-Flags-signed-2.pdf` and told the PDF contains multiple hidden flags; for this challenge we must submit the one containing a `2`. #### Solution The PDF contains clickable link annotations (`/Subtype /Link`) whose target URI embeds the flag, but with the braces escaped in the PDF string as `\\{` and `\\}`. You can spot it quickly by grepping PDF objects: ```bash mutool show attachments/Planned-Flags-signed-2.pdf grep input_sanitization ``` This reveals an annotation like: `URI(https://ctf.nullcon.net/ENO\\{input_sanitization_2_is_overrated\\})` which unescapes to the flag: `ENO{input_sanitization_2_is_overrated}`. Automated extraction (script used): ```python #!/usr/bin/env python3 import re import sys import pikepdf FLAG_RE = re.compile(r"ENO\{[^}]+\}") def extract_flag_from_pdf(pdf_path: str) -> str: pdf = pikepdf.Pdf.open(pdf_path) for page in pdf.pages: annots = page.get("/Annots", None) if not annots: continue for annot_ref in annots: annot = annot_ref.get_object() if annot.get("/Subtype", None) != pikepdf.Name("/Link"): continue action = annot.get("/A", None) if not action: continue uri = action.get("/URI", None) if not uri: continue s = str(uri) s = s.replace(r"\{", "{").replace(r"\}", "}") m = FLAG_RE.search(s) if m: return m.group(0) raise RuntimeError("Flag not found in PDF annotations") def main() -> int: if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} ", file=sys.stderr) return 2 print(extract_flag_from_pdf(sys.argv[1])) return 0 if __name__ == "__main__": raise SystemExit(main()) ``` Run it: ```bash python3 solve.py attachments/Planned-Flags-signed-2.pdf ``` ### rdctd 3 #### Description We are given `attachments/Planned-Flags-signed-2.pdf`, a “published” document with redactions. The prompt says there are 6 hidden flags in the PDF; this challenge wants the one containing a `3`. #### Solution The PDF’s page 2 (section **3.2**) is not real text: it’s a blurred *embedded raster image* placed via `/Im1 Do` in the page content stream. So normal PDF text extraction can’t recover it; we must extract the image and deblur it. Steps: 1. Locate the embedded image: * Clean/uncompress PDF to inspect streams (optional): `mutool clean -d attachments/Planned-Flags-signed-2.pdf work/clean.pdf` * Page 2 content uses an image XObject: `mutool show -b work/clean.pdf 31 | rg "/Im1 Do"` * The referenced XObject is the only image with dimensions **1042×337**. 2. Extract that image from the PDF. 3. Apply a simple Wiener deconvolution with a Gaussian PSF to reverse the blur enough to read the repeated token. 4. Read the third flag from the deblurred output: * `ENO{semantic_3_inference_initialized}` **Code** `solve.py` (writes deblurred images to `solve_out/`): ```python #!/usr/bin/env python3 """ Solve rdctd 3 (flag containing a 3) by extracting the blurred image from the PDF and applying a simple deconvolution to make the redacted text readable. This script is intentionally offline and self-contained (uses local PDF only). """ from __future__ import annotations import argparse from pathlib import Path import numpy as np import pikepdf from pikepdf import PdfImage from PIL import Image, ImageEnhance from skimage.restoration import wiener def gaussian_psf(sigma: float) -> np.ndarray: k = int(sigma * 6 + 1) if k % 2 == 0: k += 1 ax = np.arange(-(k // 2), k // 2 + 1, dtype=np.float32) xx, yy = np.meshgrid(ax, ax) psf = np.exp(-(xx**2 + yy**2) / (2 * sigma * sigma)) psf /= psf.sum() return psf.astype(np.float32) def percentile_stretch(img01: np.ndarray, lo: float = 1.0, hi: float = 99.0) -> np.ndarray: img01 = np.clip(img01, 0.0, 1.0) p_lo, p_hi = np.percentile(img01, [lo, hi]) return np.clip((img01 - p_lo) / (p_hi - p_lo + 1e-6), 0.0, 1.0) def deref(obj): return obj.get_object() if hasattr(obj, "get_object") else obj def extract_target_image(pdf_path: Path) -> Image.Image: """ The blurred paragraph in section 3.2 is embedded as a raster image (1042x337). Extract the unique image with those dimensions. """ with pikepdf.open(str(pdf_path)) as pdf: matches: list[Image.Image] = [] for page in pdf.pages: resources = deref(page.get("/Resources", None)) if not isinstance(resources, pikepdf.Dictionary): continue xobj = deref(resources.get("/XObject", None)) if not isinstance(xobj, pikepdf.Dictionary): continue for _, obj in xobj.items(): try: obj = deref(obj) if not isinstance(obj, (pikepdf.Stream, pikepdf.Dictionary)): continue if obj.get("/Subtype") != "/Image": continue if int(obj.get("/Width", 0)) != 1042 or int(obj.get("/Height", 0)) != 337: continue matches.append(PdfImage(obj).as_pil_image()) except Exception: continue if not matches: raise SystemExit("Could not find the 1042x337 embedded image in the PDF.") if len(matches) > 1: # In practice this challenge has exactly one such image. If that changes, # prefer the RGB one (not the white-only mask). rgb = [im for im in matches if im.mode in ("RGB", "RGBA")] if len(rgb) == 1: return rgb[0] raise SystemExit(f"Found {len(matches)} candidate images; expected exactly 1.") return matches[0] def main() -> None: ap = argparse.ArgumentParser() ap.add_argument( "--pdf", default="attachments/Planned-Flags-signed-2.pdf", help="Path to the challenge PDF (default: attachments/Planned-Flags-signed-2.pdf)", ) ap.add_argument("--outdir", default="solve_out", help="Output directory (default: solve_out)") ap.add_argument("--sigma", type=float, default=3.0, help="Gaussian PSF sigma (default: 3.0)") ap.add_argument("--balance", type=float, default=0.003, help="Wiener balance (default: 0.003)") args = ap.parse_args() pdf_path = Path(args.pdf) outdir = Path(args.outdir) outdir.mkdir(parents=True, exist_ok=True) embedded = extract_target_image(pdf_path) embedded.save(outdir / "embedded.png") gray = embedded.convert("L") arr = (np.asarray(gray).astype(np.float32) / 255.0).clip(0.0, 1.0) psf = gaussian_psf(args.sigma) deconv = wiener(arr, psf, balance=args.balance, clip=False) deconv = percentile_stretch(np.asarray(deconv, dtype=np.float32), 1.0, 99.0) deconv_u8 = (deconv * 255.0).astype(np.uint8) Image.fromarray(deconv_u8, mode="L").save(outdir / "deconv_gray.png") # Light extra contrast + binarization for easier reading. pil = Image.fromarray(deconv_u8, mode="L") pil = ImageEnhance.Contrast(pil).enhance(1.7) bw = pil.point(lambda p: 255 if p > 140 else 0, mode="1") bw.save(outdir / "deconv_bw.png") # Helpful zoomed crops around the repeated flag token occurrences. zoom = pil.resize((pil.width * 4, pil.height * 4), resample=Image.Resampling.BICUBIC) zoom.save(outdir / "deconv_zoom.png") for idx, y in enumerate([20, 95, 170, 245], start=1): top = max(y - 15, 0) bottom = min(y + 45, pil.height) crop = pil.crop((0, top, pil.width, bottom)).resize( (pil.width * 6, (bottom - top) * 6), resample=Image.Resampling.BICUBIC ) crop.save(outdir / f"line_{idx}.png") print(f"Wrote outputs to: {outdir}") print(f"Open {outdir}/line_3.png and read the flag token (the challenge asks for the flag containing '3').") if __name__ == "__main__": main() ``` Run: ```bash python3 solve.py ``` The deblurred token in `solve_out/line_3.png` is: `ENO{semantic_3_inference_initialized}` ### rdctd 4 #### Description We are given `attachments/Planned-Flags-signed-2.pdf` which contains multiple hidden flags. For this sub-challenge we must submit the flag that contains the digit `4`. #### Solution The visible example `ENO{th1s is 4n eXample}` is a decoy. On page 4, inside the large redaction box under section **3.7**, the PDF draws **hundreds of tiny identical filled squares** (vector rectangles) using `re`/`f` operations. Their positions form a **33x33 module grid** with QR-code finder patterns. Because it is drawn inside the dark redaction area, it is not obvious by just looking at the page. Steps: 1. Extract the page 4 content stream. 2. Interpret only the needed PDF drawing operators (`q/Q`, `cm`, `re`, `f`) to collect the centers of the repeated square modules. 3. Map module centers to a 33x33 grid, render to a PNG (with a quiet zone). 4. Decode the QR code with `zbarimg` to get the flag. Decoded QR payload (flag): `ENO{We_should_have_an_Ontology_to_4_categorize_our_ontologies}` Below is the full solver used. ```python #!/usr/bin/env python3 """Extract and decode the hidden QR-code flag for rdctd 4. The QR code is not an embedded raster image: it's drawn as hundreds of tiny 1.718x1.718 filled rectangles inside the big redaction box on page 4. This script: - extracts the page-4 content stream(s), - interprets a tiny subset of PDF drawing ops (q/Q, cm, re, f), - reconstructs the module grid, - renders it to a PNG with a quiet zone, - decodes it with zbarimg. """ from __future__ import annotations import re import subprocess from collections import Counter from dataclasses import dataclass from pathlib import Path from PIL import Image @dataclass(frozen=True) class Matrix: # PDF CTM: [a b c d e f] a: float b: float c: float d: float e: float f: float def mul(self, other: "Matrix") -> "Matrix": # self * other a2, b2, c2, d2, e2, f2 = self.a, self.b, self.c, self.d, self.e, self.f a, b, c, d, e, f = other.a, other.b, other.c, other.d, other.e, other.f return Matrix( a=a2 * a + c2 * b, b=b2 * a + d2 * b, c=a2 * c + c2 * d, d=b2 * c + d2 * d, e=a2 * e + c2 * f + e2, f=b2 * e + d2 * f + f2, ) def transform(self, x: float, y: float) -> tuple[float, float]: return (self.a * x + self.c * y + self.e, self.b * x + self.d * y + self.f) _NUM_RE = re.compile(r"^[+-]?(?:\d+\.\d*|\d*\.\d+|\d+)$") def _extract_qr_squares_centers(stream_text: str) -> list[tuple[float, float]]: toks = stream_text.replace("\r", "\n").split() ctm = Matrix(1.0, 0.0, 0.0, 1.0, 0.0, 0.0) stack: list[Matrix] = [] nums: list[float] = [] last_rect: tuple[float, float, float, float, Matrix] | None = None # First pass: find the most common rectangle size (w,h). The QR uses many # tiny equal squares, far more frequent than redaction word-boxes. rect_sizes: Counter[tuple[float, float]] = Counter() pending_rect: tuple[float, float, float, float] | None = None for t in toks: if _NUM_RE.match(t): nums.append(float(t)) continue if t == "re" and len(nums) >= 4: x, y, w, h = (float(nums[-4]), float(nums[-3]), float(nums[-2]), float(nums[-1])) pending_rect = (x, y, w, h) nums = [] continue if t == "f" and pending_rect is not None: _, _, w, h = pending_rect rect_sizes[(round(w, 6), round(h, 6))] += 1 pending_rect = None nums = [] continue # other op pending_rect = None nums = [] if not rect_sizes: raise RuntimeError("no rectangles found in content stream") (module_w, module_h), _ = rect_sizes.most_common(1)[0] if abs(module_w - module_h) > 1e-3: raise RuntimeError(f"most common rectangle is not square: {(module_w, module_h)}") module = float(module_w) # Second pass: interpret transforms so we can place each drawn square. centers: list[tuple[float, float]] = [] nums = [] last_rect = None for t in toks: if _NUM_RE.match(t): nums.append(float(t)) continue op = t if op == "q": stack.append(ctm) nums = [] last_rect = None continue if op == "Q": ctm = stack.pop() if stack else Matrix(1.0, 0.0, 0.0, 1.0, 0.0, 0.0) nums = [] last_rect = None continue if op == "cm": if len(nums) >= 6: a2, b2, c2, d2, e2, f2 = nums[-6:] m2 = Matrix(a2, b2, c2, d2, e2, f2) ctm = m2.mul(ctm) nums = [] last_rect = None continue if op == "re": if len(nums) >= 4: x, y, w, h = nums[-4:] last_rect = (x, y, w, h, ctm) nums = [] continue if op == "f": if last_rect is not None: x, y, w, h, m = last_rect if abs(w - module) < 1e-3 and abs(h - module) < 1e-3: cx, cy = m.transform(x + w / 2.0, y + h / 2.0) centers.append((cx, cy)) nums = [] last_rect = None continue nums = [] last_rect = None if not centers: raise RuntimeError("no module squares found") return centers def _render_bitgrid(centers: list[tuple[float, float]], module_step: float, out_path: Path) -> tuple[int, int]: xs = [x for x, _ in centers] ys = [y for _, y in centers] minx, maxx = min(xs), max(xs) miny, maxy = min(ys), max(ys) ncol = int(round((maxx - minx) / module_step)) + 1 nrow = int(round((maxy - miny) / module_step)) + 1 occ = [[0] * ncol for _ in range(nrow)] for x, y in centers: c = int(round((x - minx) / module_step)) r = int(round((y - miny) / module_step)) if 0 <= r < nrow and 0 <= c < ncol: occ[r][c] = 1 # Render with quiet zone and scaling. scale = 12 quiet = 4 w = (ncol + 2 * quiet) * scale h = (nrow + 2 * quiet) * scale im = Image.new("L", (w, h), 255) px = im.load() # r=0 corresponds to lowest y; image needs top row first. for r in range(nrow): for c in range(ncol): if occ[r][c]: rr = quiet + (nrow - 1 - r) cc = quiet + c x0 = cc * scale y0 = rr * scale for dy in range(scale): for dx in range(scale): px[x0 + dx, y0 + dy] = 0 im.save(out_path) return nrow, ncol def _decode_qr_with_zbarimg(png_path: Path) -> str: out = subprocess.check_output(["zbarimg", "-q", str(png_path)], stderr=subprocess.DEVNULL).decode().strip() # Output format: "QR-Code:..." if ":" not in out: raise RuntimeError(f"unexpected zbarimg output: {out!r}") _, payload = out.split(":", 1) return payload def main() -> int: pdf_path = Path("attachments/Planned-Flags-signed-2.pdf") if not pdf_path.is_file(): raise SystemExit(f"missing {pdf_path}") try: import fitz # PyMuPDF except Exception as exc: raise SystemExit(f"PyMuPDF not available: {exc}") doc = fitz.open(str(pdf_path)) page = doc[3] # page 4 (0-based) # Extract and concatenate all content streams for this page. parts: list[bytes] = [] for xref in page.get_contents(): parts.append(doc.xref_stream(xref)) stream_text = b"\n".join(parts).decode("latin1", "ignore") centers = _extract_qr_squares_centers(stream_text) # The module size is the dominant square width/height in the stream; in this # PDF it is exactly 1.718. module_step = 1.718 out_png = Path("qr_from_stream41.png") nrow, ncol = _render_bitgrid(centers, module_step, out_png) payload = _decode_qr_with_zbarimg(out_png) print(payload) # Sanity check: QR should be 33x33 (QR version 4). if (nrow, ncol) != (33, 33): print(f"warning: unexpected grid size {nrow}x{ncol}") return 0 if __name__ == "__main__": raise SystemExit(main()) ``` ### rdctd 5 #### Description A PDF with “redacted” content contains 6 hidden flags. This task asks for the flag that contains a `5`. #### Solution The PDF still contains hidden text inside compressed object streams (in this case, an annotation/signature field). If you first decompress/clean the PDF and then search the resulting bytes for `ENO{...}`, the hidden flag becomes visible. Run: ```bash ./solve.sh ``` Solution code (`solve.sh`): ```bash #!/usr/bin/env bash set -euo pipefail PDF_PATH="${1:-attachments/Planned-Flags-signed-2.pdf}" tmp_clean="$(mktemp -p . planned_flags.clean.XXXXXX.pdf)" trap 'rm -f "$tmp_clean"' EXIT # Decompress and normalize PDF streams so hidden strings become searchable. mutool clean -d -c -m "$PDF_PATH" "$tmp_clean" >/dev/null # Extract the flag that contains a "5". strings -n 6 "$tmp_clean" \ | rg -o 'ENO\{[^}]*5[^}]*\}' \ | head -n 1 ``` Flag: `ENO{SIGN_HERE_TO_GET_ALL_FLAGS_5}` ### rdctd 6 #### Description We are given `attachments/Planned-Flags-signed-2.pdf`, which supposedly contains 6 hidden flags. This specific task asks for “the flag containing a 6”. #### Solution The flag is stored in the PDF’s document metadata (the `Producer` field). Tools like `pdfinfo`/`exiftool` show it directly: ```bash pdfinfo attachments/Planned-Flags-signed-2.pdf | grep Producer # Producer: ENO{secureflaghidingsystem76} ``` I also wrote a tiny extractor that searches the PDF bytes for `ENO{...}` (and falls back to `mutool clean -d` decompression if needed), then prints the first match containing the digit `6`. ```python #!/usr/bin/env python3 import re import subprocess import sys import tempfile from pathlib import Path FLAG_RE = re.compile(br"ENO\{[^\x00\r\n\t]{1,200}?\}") def extract_flags(pdf_bytes: bytes) -> set[bytes]: return set(m.group(0) for m in FLAG_RE.finditer(pdf_bytes)) def mutool_decompress_to_bytes(pdf_path: Path) -> bytes: with tempfile.TemporaryDirectory() as td: out_path = Path(td) / "clean.pdf" subprocess.run( ["mutool", "clean", "-d", str(pdf_path), str(out_path)], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, ) return out_path.read_bytes() def main() -> int: if len(sys.argv) != 2: print(f"usage: {Path(sys.argv[0]).name} ", file=sys.stderr) return 2 pdf_path = Path(sys.argv[1]) pdf_bytes = pdf_path.read_bytes() flags = extract_flags(pdf_bytes) if not flags: try: flags = extract_flags(mutool_decompress_to_bytes(pdf_path)) except Exception: pass flags_with_6 = sorted(f for f in flags if b"6" in f) if not flags_with_6: print("no flag containing digit 6 found", file=sys.stderr) if flags: print("other flags found:", file=sys.stderr) for f in sorted(flags): print(f.decode("latin1"), file=sys.stderr) return 1 # The challenge expects exactly one flag containing a "6". print(flags_with_6[0].decode("latin1")) return 0 if __name__ == "__main__": raise SystemExit(main()) ``` Run: ```bash python3 solve.py attachments/Planned-Flags-signed-2.pdf ``` Flag: `ENO{secureflaghidingsystem76}` ### Seen #### Description We're given an `index.html` file containing a JavaScript flag checker. The input is validated against a string of Unicode variation selectors (U+FE00–U+FE0F) — invisible characters that encode the flag and a checksum. #### Solution The checker works as follows: 1. A string `s` of 144 Unicode variation selectors (range 0xFE00–0xFE0F) is decoded into 72 nibble-pairs, producing an array `t` of 72 bytes. 2. The input flag (UTF-8 encoded) must have length `t.length / 2 = 36`. 3. A generator `gen = 0x10231048` is iterated per byte: `gen = ((gen ^ 0xA7012948 ^ byte) + 131203) & 0xffffffff`, and the result's low byte must match `t[flagLen + i]`. Since each byte position has only one valid candidate (the XOR and addition constrain it uniquely), we brute-force each byte independently: ```python import re with open('attachments/index.html', 'r', encoding='utf-8') as f: content = f.read() m = re.search(r'const s="(.*?)"', content) s = m.group(1) vs = 0xFE00 t = [] for i in range(0, len(s), 2): t.append(((ord(s[i]) - vs) << 4) | (ord(s[i+1]) - vs)) flag_len = len(t) // 2 gen = 0x10231048 flag = [] for i in range(flag_len): for b in range(256): test_gen = ((gen ^ 0xA7012948 ^ b) + 131203) & 0xffffffff if test_gen % 256 == t[flag_len + i]: flag.append(b) gen = test_gen break print(bytes(flag).decode()) ``` Flag: `ENO{W0W_1_D1DN'T_533_TH4T_C0M1NG!!!}` ### ZFS rescue #### Description We had all our flags on this super old thumb drive. My friend said the data would be safe due to ZFS, but here we are... Something got corrupted and we can only remember that the password was from the rockyou.txt file... Can you recover the flag.txt? Given: `nullcongoa_rescued.img` (64MB ZFS pool image) #### Solution This challenge involves repairing a corrupted ZFS encrypted pool image and cracking the encryption passphrase. **Step 1: Analyze the image** The image is a 64MB ZFS file-based vdev. Initial analysis with `zdb -l` shows all 4 ZFS label nvlists have been zeroed (intentional corruption), but the uberblocks are intact. The data area is also intact. **Step 2: Reconstruct labels** A valid pool config nvlist was found at physical offset `0x40d000` (LZ4-compressed, 916 bytes -> 16KB). This was the pool's packed nvlist from the MOS. Key pool metadata extracted: * Pool name: `nullcongoa` * Pool GUID: `0x1c52777b2293a712` * Vdev type: file, ashift=12 * Best uberblock: txg=43 The nvlist was written to all 4 label vdev\_phys areas with corrected `state` and `txg` fields. Label checksums (SHA-256 with ZFS endian conventions) were recomputed. **Step 3: Repair MOS object 61** Even with valid labels, `zdb -e` couldn't fully open the pool because MOS object 61 (PACKED\_NVLIST) had all-zero data blocks across all 3 DVA copies. The known-good packed nvlist from `0x40d000` was copied into object 61's data block locations, then a cascade checksum repair was performed up the block pointer chain: 1. Object 61 data block checksums (Fletcher4) 2. L0 dnode block recompressed and checksummed 3. Meta-dnode indirect block recompressed and checksummed 4. MOS objset\_phys checksummed 5. Uberblock rootbp checksums updated Script: `repair_mos_obj61.py` **Step 4: Patch vdev path for importability** The on-disk config stored the original vdev path from the challenge author's system. This was patched to a local path (`cccccccc/nullcongoa.img`) using fixed-length directory names to maintain string length. Script: `make_importable.py` After patching, `zdb -e -p cccccccc nullcongoa` successfully opened the pool and revealed the encrypted dataset `nullcongoa/flag`. **Step 5: Extract encryption parameters** From `zdb -e -p cccccccc -dddd nullcongoa 272` (the crypto key ZAP object): | Parameter | Value | | ----------------------------- | ---------------------------------- | | Crypto suite | AES-256-GCM | | Key format | passphrase | | PBKDF2 iterations | 100,000 | | PBKDF2 salt (uint64 LE bytes) | `2600e6e9eda8b4d0` | | IV (12 bytes) | `1dd41ddc27e486efe756baae` | | GCM tag (16 bytes) | `233648b5de813aa6544241fa9110076b` | | Wrapped master key (32 bytes) | `d7da54da...a99484d7` | | Wrapped HMAC key (64 bytes) | `2e2ff1a7...0cc84272` | | DSL\_CRYPTO\_GUID | `0x6877C9E7E0C39ED6` | The pool creation commands (from SPA history) confirmed: ``` zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o pbkdf2iters=100000 nullcongoa/flag ``` **Step 6: Crack the passphrase (GPU-accelerated)** OpenZFS uses PBKDF2-HMAC-SHA1 to derive a 32-byte wrapping key from the passphrase, then AES-256-GCM to unwrap the master+HMAC keys with AAD = `guid(8 LE) || suite(8 LE) || version(8 LE)` (24 bytes). A GPU-accelerated cracker was written using PyOpenCL targeting an AMD Radeon RX 9070 XT (via Mesa Rusticl). The OpenCL kernel computes PBKDF2-HMAC-SHA1 on the GPU, then AES-256-GCM tag verification is done on CPU. ```python #!/usr/bin/env python3 """GPU-accelerated ZFS passphrase cracker (PyOpenCL)""" import sys, struct, time, numpy as np import pyopencl as cl from cryptography.hazmat.primitives.ciphers.aead import AESGCM SALT = bytes.fromhex("2600e6e9eda8b4d0") ITERS = 100000 IV = bytes.fromhex("1dd41ddc27e486efe756baae") TAG = bytes.fromhex("233648b5de813aa6544241fa9110076b") CT = bytes.fromhex( "d7da54dac4d6b6eab0450efef2bd602357007ac5f5dc9ed65d4892c5a99484d7" "2e2ff1a74e1d88735ecec7559f084dceb7bcb083fb506fc6060b68e86afb5595" "c3067fe06d86d99ca77537c43bc81c1d79c432ec897d0c00d472b8f30cc84272") CT_WITH_TAG = CT + TAG GUID_LE = bytes.fromhex("d69ec3e0e7c97768") AAD_24 = GUID_LE + struct.pack("