/tags/rev/ Recent content in Rev on Zero's Blog Hugo en-us Thu, 05 Mar 2026 16:10:00 +0700 /posts/htb-rev-maze/ Thu, 05 Mar 2026 16:10:00 +0700 /posts/htb-rev-maze/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Maze</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the final valid input from multi-stage checker logic.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p><code>maze.exe</code> is a PyInstaller-packed Python application that gates progress behind hidden constants and staged payloads.</p> <p>Reversing the Python entrypoint reveals:</p> <ul> <li>route gate string: <code>Y0u_St1ll_1N_4_M4z3</code></li> <li>ZIP password for <code>enc_maze.zip</code>: <code>Y0u_Ar3_W4lkiNG_t0_Y0uR_D34TH</code></li> </ul> <p>After unpacking, deeper stages eventually resolve to an ELF checker whose validation is purely arithmetic and reversible.</p> /posts/htb-rev-hexecution/ Thu, 05 Mar 2026 15:58:00 +0700 /posts/htb-rev-hexecution/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Hexecution</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the expected input for the custom VM program and derive the final flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary <code>cook</code> is a small interpreter for the DSL file <code>recipe.asm</code>. Instead of checking input directly, it transforms user input via a deterministic two-stage permutation pipeline and compares against a fixed 32-byte target table loaded by VM instructions.</p> /posts/htb-rev-vvm/ Thu, 05 Mar 2026 15:35:00 +0700 /posts/htb-rev-vvm/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> vvm</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the password accepted by the embedded custom VM.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary does not compare the input directly. Instead, it runs a custom VM program that:</p> <ol> <li>enforces input length = <code>32</code>,</li> <li>rearranges selected bytes into 8 little-endian 32-bit words,</li> <li>applies <code>rol32</code> transforms,</li> <li>compares against hardcoded constants.</li> </ol> <p>So the intended path is reverse-engineering VM semantics, then algebraically inverting the transformations.</p> /posts/eh4x-ctf-2026-writeup/ Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ <h2 id="overview">Overview</h2> <p>This post collects the solved EH4X CTF 2026 challenges and the practical exploitation approach used for each.</p> <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#heist-v1-blockchain">Heist V1 (Blockchain)</a></li> <li><a href="#i-guess-bro-reverse">i-guess-bro (Reverse)</a></li> <li><a href="#womp-womp-pwn">Womp Womp (Pwn)</a></li> <li><a href="#lulocator-pwn">Lulocator (Pwn)</a></li> <li><a href="#sarcasm--sarcasm-pwn">SarcAsm / Sarcasm (Pwn)</a></li> <li><a href="#inferno-sprint-misc">Inferno Sprint (Misc)</a></li> <li><a href="#chusembly-misc">Chusembly (Misc)</a></li> <li><a href="#final-notes">Final Notes</a></li> </ul> <hr> <h2 id="heist-v1-blockchain">Heist V1 (Blockchain)</h2> <h3 id="tldr">TL;DR</h3> <p>The vault trusted governance too much. By setting governance to an attacker contract and abusing delegatecall execution, storage got overwritten (<code>admin</code>/<code>paused</code>), then funds could be withdrawn.</p> /posts/htb-rev-wayback/ Wed, 04 Mar 2026 10:55:00 +0700 /posts/htb-rev-wayback/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Wayback</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover generated password and decrypt ciphertext to obtain flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The binary generates a password using <code>rand()</code> seeded from local timestamp fields (year/month/day/hour/min/sec formula), then uses that key material in AES-CBC flow.</p> <p>Given challenge-provided generation window, key recovery becomes bounded brute-force over time.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Reverse password generator logic: <ul> <li>static charset (lower/upper/symbols/digits)</li> <li>seed formula from datetime fields</li> <li><code>rand() % len(charset)</code> per output char</li> </ul> </li> <li>Re-implement generator exactly with libc <code>srand/rand</code> behavior.</li> <li>Iterate each second in the narrowed date range.</li> <li>Build candidate key from generated password and attempt AES-CBC decrypt.</li> <li>Stop when plaintext contains <code>HTB{...}</code>.</li> </ol> <p>Recovered:</p> /posts/htb-rev-virtually-mad/ Wed, 04 Mar 2026 10:50:00 +0700 /posts/htb-rev-virtually-mad/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Virtually Mad</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Provide VM bytecode that passes strict opcode-shape and final-state validation.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The checker executes user-provided opcodes in a small custom VM and validates final state exactly:</p> <ul> <li><code>a == 0x200</code></li> <li><code>b == 0xffffffff</code></li> <li><code>c == 0xffffffff</code></li> <li><code>d == 0</code></li> <li><code>flags == 0x10000000</code></li> <li>instruction count = 5</li> </ul> <p>The opcode format and pre-check masks make the intended sequence effectively unique.</p> /posts/htb-rev-rega-town/ Wed, 04 Mar 2026 10:45:00 +0700 /posts/htb-rev-rega-town/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Rega Town</li> <li><strong>Category:</strong> Reversing</li> <li><strong>Difficulty:</strong> Easy-Medium</li> <li><strong>Solved by:</strong> Shinkiro</li> <li><strong>Goal:</strong> Recover the valid passphrase accepted by the binary.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Validation is split into two deterministic layers:</p> <ol> <li><code>filter_input</code> enforces format and character-class constraints via embedded regex patterns.</li> <li><code>check_input</code> multiplies ASCII values of fixed chunks and compares them to hardcoded constants.</li> </ol> <p>Given both layers, the space collapses to a tiny set of candidates.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Extract regex constraints from <code>filter_input</code> to build per-position candidate pools.</li> <li>Extract target products from <code>check_input</code> for each underscore-separated chunk.</li> <li>Brute-force each chunk independently using product matching.</li> <li>Apply final <code>main</code> assertions (<code>input[5] == '0'</code>, <code>input[9] == 'r'</code>).</li> <li>Select intended semantic candidate.</li> </ol> <h2 id="solver-code">Solver Code</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> itertools </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> math </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> pathlib </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> string </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> subprocess </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Product constants used by check_input() for each chunk.</span> </span></span><span style="display:flex;"><span>TARGETS <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x7A070</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x5C436</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x6CC60</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x27B5776</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x10F9</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0xD76A0</span>, </span></span><span style="display:flex;"><span> <span style="color:#ae81ff">0x7465A58</span>, </span></span><span style="display:flex;"><span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Character pools inferred from regex constraints in filter_input().</span> </span></span><span style="display:flex;"><span>POOLS <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;XYZ&#34;</span>, string<span style="color:#f92672">.</span>digits, string<span style="color:#f92672">.</span>ascii_letters <span style="color:#f92672">+</span> string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;A&#34;</span>, string<span style="color:#f92672">.</span>ascii_letters <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;_&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, <span style="color:#e6db74">&#34;h7&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [string<span style="color:#f92672">.</span>ascii_uppercase, string<span style="color:#f92672">.</span>digits, <span style="color:#e6db74">&#34;n&#34;</span>, <span style="color:#e6db74">&#34;abcdefgh&#34;</span>], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;O&#34;</span>, string<span style="color:#f92672">.</span>digits], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, string<span style="color:#f92672">.</span>ascii_letters, <span style="color:#e6db74">&#34;e&#34;</span>], </span></span><span style="display:flex;"><span> [<span style="color:#e6db74">&#34;T&#34;</span>, <span style="color:#e6db74">&#34;nopqrstuvwx&#34;</span>, <span style="color:#e6db74">&#34;nopqrstuvwx&#34;</span>, <span style="color:#e6db74">&#34;nc|&#34;</span>], </span></span><span style="display:flex;"><span>] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">ascii_product</span>(s: str) <span style="color:#f92672">-&gt;</span> int: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> math<span style="color:#f92672">.</span>prod(ord(c) <span style="color:#66d9ef">for</span> c <span style="color:#f92672">in</span> s) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">solve_chunk</span>(charsets, target): </span></span><span style="display:flex;"><span> out <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> tup <span style="color:#f92672">in</span> itertools<span style="color:#f92672">.</span>product(<span style="color:#f92672">*</span>charsets): </span></span><span style="display:flex;"><span> s <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span><span style="color:#f92672">.</span>join(tup) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ascii_product(s) <span style="color:#f92672">==</span> target: </span></span><span style="display:flex;"><span> out<span style="color:#f92672">.</span>append(s) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> out </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">maybe_check_binary</span>(flag: str) <span style="color:#f92672">-&gt;</span> bool <span style="color:#f92672">|</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> bin_path <span style="color:#f92672">=</span> pathlib<span style="color:#f92672">.</span>Path(__file__)<span style="color:#f92672">.</span>with_name(<span style="color:#e6db74">&#34;rega_town&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> bin_path<span style="color:#f92672">.</span>exists(): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">None</span> </span></span><span style="display:flex;"><span> p <span style="color:#f92672">=</span> subprocess<span style="color:#f92672">.</span>run( </span></span><span style="display:flex;"><span> [str(bin_path)], </span></span><span style="display:flex;"><span> input<span style="color:#f92672">=</span>flag <span style="color:#f92672">+</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>, </span></span><span style="display:flex;"><span> text<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, </span></span><span style="display:flex;"><span> capture_output<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, </span></span><span style="display:flex;"><span> check<span style="color:#f92672">=</span><span style="color:#66d9ef">False</span>, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#e6db74">&#34;Correct one of us!!&#34;</span> <span style="color:#f92672">in</span> p<span style="color:#f92672">.</span>stdout </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> chunk_candidates <span style="color:#f92672">=</span> [solve_chunk(cs, t) <span style="color:#66d9ef">for</span> cs, t <span style="color:#f92672">in</span> zip(POOLS, TARGETS)] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;[+] Chunk candidates:&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> i, cands <span style="color:#f92672">in</span> enumerate(chunk_candidates, <span style="color:#ae81ff">1</span>): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; chunk</span><span style="color:#e6db74">{</span>i<span style="color:#e6db74">}</span><span style="color:#e6db74">: </span><span style="color:#e6db74">{</span>cands<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> all_flags <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> parts <span style="color:#f92672">in</span> itertools<span style="color:#f92672">.</span>product(<span style="color:#f92672">*</span>chunk_candidates): </span></span><span style="display:flex;"><span> flag <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;HTB</span><span style="color:#ae81ff">{{</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">0</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">1</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">2</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">3</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">4</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">5</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">_</span><span style="color:#e6db74">{</span>parts[<span style="color:#ae81ff">6</span>]<span style="color:#e6db74">}</span><span style="color:#ae81ff">}}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> flag[<span style="color:#ae81ff">5</span>] <span style="color:#f92672">!=</span> <span style="color:#e6db74">&#34;0&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> flag[<span style="color:#ae81ff">9</span>] <span style="color:#f92672">!=</span> <span style="color:#e6db74">&#34;r&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> all_flags<span style="color:#f92672">.</span>append(flag) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">[+] Valid candidates after assertions:&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> all_flags: </span></span><span style="display:flex;"><span> status <span style="color:#f92672">=</span> maybe_check_binary(f) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> status <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>f<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">else</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>f<span style="color:#e6db74">}</span><span style="color:#e6db74"> (binary check: </span><span style="color:#e6db74">{</span>status<span style="color:#e6db74">}</span><span style="color:#e6db74">)&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> intended <span style="color:#f92672">=</span> next((f <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> all_flags <span style="color:#66d9ef">if</span> f<span style="color:#f92672">.</span>endswith(<span style="color:#e6db74">&#34;Town}&#34;</span>)), all_flags[<span style="color:#ae81ff">0</span>]) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">[+] Intended flag:&#34;</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; </span><span style="color:#e6db74">{</span>intended<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;__main__&#34;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="flag">Flag</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{Y0u_Ar3_Th3_K1ng_O7_The_Town} </span></span></code></pre></div></pagevault> /posts/0x1-learn-ctf-reverse-engineering/ Mon, 23 Feb 2026 15:30:00 +0700 /posts/0x1-learn-ctf-reverse-engineering/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#re-010--network-byte-transform-checker">re-010 — Network byte-transform checker</a></li> <li><a href="#re-012--constraint-based-checker-f1f8">re-012 — Constraint-based checker (f1..f8)</a></li> <li><a href="#carbonara--jump-obfuscation-and-data-flow-recovery">Carbonara — jump-obfuscation and data-flow recovery</a></li> </ul> <hr> <h2 id="re-010--network-byte-transform-checker">re-010 — Network byte-transform checker</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Type:</strong> Reversing (ELF64, stripped, PIE)</li> <li><strong>Behavior:</strong> TCP server flag checker</li> <li><strong>Port:</strong> <code>31338</code></li> <li><strong>Expected input length:</strong> <code>37</code> bytes</li> <li><strong>Result:</strong> <code>:)</code> on success, <code>:(</code> on failure</li> <li><strong>Flag:</strong> <code>CBC{c72b6b1feb2dbb3132380e1a9f967441}</code></li> </ul> <h3 id="notes">Notes</h3> <ul> <li>The binary does not read from stdin directly; it binds/listens and validates client input over a socket.</li> <li>Validation is split into 3 blocks of 16 transformed-byte checks using constant tables in <code>.rodata</code>.</li> <li>Recovered plaintext chunks: <ul> <li><code>CBC{c72b6b1feb2d</code></li> <li><code>bb3132380e1a9f96</code></li> <li><code>7441}</code></li> </ul> </li> <li>Combined final flag:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>CBC{c72b6b1feb2dbb3132380e1a9f967441} </span></span></code></pre></div><h3 id="validation">Validation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># run service</span> </span></span><span style="display:flex;"><span>./chall </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># in another shell</span> </span></span><span style="display:flex;"><span>python3 - <span style="color:#e6db74">&lt;&lt; &#39;PY&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import socket </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">flag=&#39;CBC{c72b6b1feb2dbb3132380e1a9f967441}&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">s=socket.create_connection((&#39;127.0.0.1&#39;,31338)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(s.recv(200)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">s.sendall(flag.encode()+b&#39;\n&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(s.recv(200)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">PY</span> </span></span></code></pre></div><p>Expected response contains <code>:)</code>.</p>