Challenges on z3r0s

Hardware - Espresso

Fri, 05 Jun 2026 00:00:00 +0000

Hack The Box Challenge Writeup: Espresso Link to heading

Challenge Link to heading

Name: Espresso

Scenario:

Someone leaked the new Espresso firmware, can you try to figure out what it does?

The challenge provides an ESP32 firmware image. The firmware checks whether it is running on expected hardware by comparing the ESP32 factory MAC address against zero bytes. If the check fails, it prints anti-clone messages. If the check passes, it generates the flag by XOR decoding a 31 byte table stored in the firmware data segment.

Pwn - cyKer

Sun, 10 May 2026 22:54:00 +0300

cyKer — Kernel Exploitation Writeup Link to heading

Category: Pwn / Kernel Flag: CyCTF{3c03ee481e3c39c175d1a8baed7f9bbe}

Overview Link to heading

We are given a QEMU-based kernel challenge containing:

bzImage — Linux 5.4.0 kernel
initramfs.cpio.gz — root filesystem with a vulnerable kernel module hackme.ko
run.sh — QEMU launch script with all mitigations disabled:
```
nokaslr nosmep nosmap mitigations=off
```

The VM boots, loads hackme.ko, then drops us into a shell as uid 1000. The flag at /flag is owned by root with chmod 600.

Crypto - aliens

Sun, 10 May 2026 00:00:00 +0000

Crypto Aliens Write-up Link to heading

Challenge Summary Link to heading

We are given a remote service and a local copy of the challenge logic in server.py.

The service asks for a message, applies a custom padding routine, appends a similarly padded flag, and then encrypts the result with AES-ECB.

At first glance this looks annoying rather than breakable, because:

Crypto - BabyEncryption

Sun, 10 May 2026 00:00:00 +0000

Baby encryption Link to heading

You are after an organised crime group which is responsible for the illegal weapon market in your country. As a secret agent, you have infiltrated the group enough to be included in meetings with clients. During the last negotiation, you found one of the confidential messages for the customer. It contains crucial information about the delivery. Do you think you can decrypt it?

Crypto - raining primes

Sun, 10 May 2026 00:00:00 +0000

Raining Primes Write-up Link to heading

Summary Link to heading

The service mixes three ideas:

Prime generation of the form p = a*r + b
A homomorphic-looking key update routine
RSA encryption of an AES-encrypted flag

The design breaks because the same hidden 640-bit prime r is reused everywhere:

every prime returned by option 1
both RSA primes
the update_key() routine

Once r is recovered, the rest of the scheme collapses:

Crypto - the last dance

Sun, 10 May 2026 00:00:00 +0000

To be accepted into the upper class of the Berford Empire, you had to attend the annual Cha-Cha Ball at the High Court. Little did you know that among the many aristocrats invited, you would find a burned enemy spy. Your goal quickly became to capture him, which you succeeded in doing after putting something in his drink. Many hours passed in your agency's interrogation room, and you eventually learned important information about the enemy agency's secret communications. Can you use what you learned to decrypt the rest of the messages?

Crypto - twisted entanglement

Sun, 10 May 2026 00:00:00 +0000

Twisted Entanglement Write-Up Link to heading

Target Link to heading

Host: 154.57.164.77:30486
Flag: HTB{Ek3rT_W4s_s000_b0R1nG_1N_1991_4nD_1_h4t3_Pr0b4b1l1Ty_s0_I_Us3_4_ECC_S33d!}

Vulnerabilities Link to heading

The challenge has two independent weaknesses that chain together cleanly.

1. Invalid-curve scalar multiplication Link to heading

Menu option 1 accepts an arbitrary user point and computes:

public_key = multiply(private_key, point, E)

There is no validation that the input point lies on the original secp256k1 curve. The code only uses a and p inside the EC formulas, so any point on any curve of the form:

Hardware - defusal

Sun, 10 May 2026 00:00:00 +0000

Hardware Defusal Writeup Link to heading

Files Link to heading

Ignoring file.zip as requested, the challenge files are:

Defusal
circuit.png
C4-BOMB.mp4

1. Triage Link to heading

Defusal is an AVR firmware ELF:

ELF 32-bit LSB executable, Atmel AVR 8-bit, statically linked, with debug_info, not stripped

That makes this mostly a firmware reverse-engineering problem.

2. Key Firmware Findings Link to heading

Useful strings inside the binary:

Hardware - line

Sun, 10 May 2026 00:00:00 +0000

Hardware Line Link to heading

Target: 154.57.164.83:31804

Summary Link to heading

The service on 31804/tcp speaks LPD. The queue name lp is accepted, and the implementation is vulnerable to command execution via Shellshock in user-controlled LPD control-file fields.

The working primitive is:

() { :;}; <command>

That payload can be injected into the control-file fields and filenames during a standard LPD Receive a printer job request.

Hardware - mission pinpossible

Sun, 10 May 2026 00:00:00 +0000

Mission Pinpossible Writeup Link to heading

Files Link to heading

op_pinpossible.logicdata
security_keypad.jpeg

Goal Link to heading

Recover the password shown on the keypad LCD from the intercepted monitor traffic.

1. Identify the bus Link to heading

The photo shows a standard 16x2 HD44780 LCD connected through a common I2C backpack based on a PCF8574.

Hardware - ProjectPower

Sun, 10 May 2026 00:00:00 +0000

Project Power Writeup Link to heading

Summary Link to heading

The challenge exposes a remote interface to an embedded device performing AES-128 encryption. The interface lets us:

send a chosen 16-byte plaintext and receive a corresponding power trace
submit a candidate AES key and receive the flag if the key is correct

This is a standard side-channel setup. A simple Correlation Power Analysis (CPA) attack against the first AES round is enough to recover the key.

Hardware - rflag

Sun, 10 May 2026 00:00:00 +0000

hardware_rflag Writeup Link to heading

Flag Link to heading

HTB{RF_H4ck1n6_1s_c00l!!!}

Approach Link to heading

The archive only contains one useful file: signal.cf32, a raw complex64 IQ capture.

I loaded the samples with NumPy and inspected the amplitude envelope:

The capture has 476160 complex samples.
Thresholding the magnitude shows runs quantized almost perfectly at ~899 samples and ~1798 samples.
The first part of the signal is a preamble, followed by data encoded as alternating 01 / 10 unit pairs.

That pattern is consistent with Manchester-style encoding.

Hardware - Secret Treasures

Sun, 10 May 2026 00:00:00 +0000

Hardware Secret Treasures Link to heading

Flag Link to heading

HTB{m3M0ry_5cR4Mbl1Ng_4nd_1CG_423_n07_3n0u9h7!$#}

Files Link to heading

embedded_software: ARM ELF, not stripped
flash_memory_dump.bin: 16 MiB flash contents
input_channel_trace.sal: Saleae capture of the passcode line

1. Reverse the firmware Link to heading

The firmware is an ARM binary with useful symbols:

main
random_generator
get_UniqieID
get_secret
W25Q128_init

Important observations from main:

Hardware - signals

Sun, 10 May 2026 00:00:00 +0000

Hardware Signals Writeup Link to heading

The WAV file is an SSTV transmission, not packet radio.

The giveaway is the VIS/header pattern at the start of the audio:

1900 Hz leader
1200 Hz break
1900 Hz leader
VIS bits around 1100/1300 Hz

Decoding the VIS bits gives decimal 95, which corresponds to PD120. That also matches the total duration of the file: about 126 s, which is the expected PD120 transmission time used in ISS SSTV events.

Hardware - wander

Sun, 10 May 2026 00:00:00 +0000

Hardware Challenge: Wander Link to heading

Target Link to heading

154.57.164.83:31454

Summary Link to heading

The exposed service is a Flask/Werkzeug web app that forwards user-supplied PJL commands to the printer backend.
The /jobs page exposes a form with the placeholder @PJL INFO ID, which is enough to identify the intended attack surface: raw Printer Job Language.

misc,CyCTF-Luxor - sonnet-jail

Sun, 10 May 2026 00:00:00 +0000

Sonnet Jail - Writeup Link to heading

Challenge Link to heading

Name: Sonnet Jail
Category: Misc / PyJail
Description: "I told Sonnet create me a creative pyjail even you can't solve, does it make the job?"
Goal: Read ./flag.txt

Reconnaissance Link to heading

Connecting to the service presents a Python REPL with several restrictions:

>>> print(1+1)
2
>>> print(open("flag.txt").read())
[blocked] no dots
>>> print(open("flag" + chr(46) + "txt"))
[blocked] 'open' is blocked

Blocked keywords Link to heading

Keyword	Message
`.` (dot character)	`no dots`
`open`	`'open' is blocked`
`eval`	`'eval' is blocked`
`exec`	`'exec' is blocked`
`dir`	`'dir' is blocked`
`getattr`	`'getattr' is blocked`
`hasattr` / `setattr` / `delattr`	blocked
`__builtins__`	blocked
`__import__`	blocked
`globals`	blocked
`breakpoint`	blocked
`compile`	blocked
`input`	blocked
`__subclasses__`	`blocked string`
`__init__`	`blocked string`
`flag`	`blocked string`

Allowed builtins Link to heading

print, type, chr, isinstance, vars, list, map, filter, zip, object, bytes, int, str, range, enumerate, len, tuple, set, dict, frozenset, hex, oct, ord, bin, abs, round, sorted, reversed, min, max, sum, any, all, bool, float, complex, super, staticmethod, classmethod, property, slice, memoryview, bytearray

pwn - bil

Sun, 10 May 2026 00:00:00 +0000

bil - PWN Writeup Link to heading

Challenge Info Link to heading

Name: bil
Category: PWN
Remote: 0.cloud.chals.io:18850

Files Provided Link to heading

app - ELF 64-bit binary
libc.so.6 - GLIBC 2.36
ld-linux-x86-64.so.2 - dynamic linker
flag - placeholder flag

Binary Analysis Link to heading

Checksec Link to heading

Protection	Status
RELRO	Full RELRO
Stack Canary	No
NX	Enabled
PIE	Disabled

Key Functions Link to heading

vuln() @ 0x4011c6

Quantum - flagportation

Sun, 10 May 2026 00:00:00 +0000

HTB Write-up: Flagportation Link to heading

Link - https://app.hackthebox.com/challenges/Flagportation

Category: Quantum Difficulty: Very Easy

Summary Link to heading

The server implements a simplified quantum teleportation protocol: it encodes bit pairs (00, 01, 10, 11) into a 3-qubit state, measures the first two qubits and prints the measurement results and the basis (Z or X) used to encode the original bits. Your job is to send instructions (which gates to apply to the third qubit) and choose the measurement basis for the third qubit. From the returned measurement you can reconstruct the original two-bit pair.

Quantum - global hyperlink zone

Sun, 10 May 2026 00:00:00 +0000

HTB Write-up: Global Hyperlink Zone Link to heading

Link - https://app.hackthebox.com/challenges/Global%2520Hyperlink%2520Zone

Category: Quantum Difficulty: Very Easy

Summary Link to heading

The challenge provides a Python script for a server that expects a specific sequence of quantum gates. The goal is to build a quantum circuit that satisfies a set of conditions defined in a validation function within the script. The solution involves creating a specific entangled state across five qubits.

Quantum - noisy vault

Sun, 10 May 2026 00:00:00 +0000

Noisy Vault Writeup Link to heading

Summary Link to heading

The challenge description mentions a 13-qubit system and a 9-bit key, but the actual service uses:

64 data qubits
16 ancilla qubits
a single oracle query
4096 noisy measurement shots

The goal is to recover the hidden 64-bit secret_key and submit it in one unlock attempt.

Root Cause Link to heading

The service prepares the secret as a computational basis state by applying X on each data qubit whose key bit is 1.

Quantum - phase madness

Sun, 10 May 2026 00:00:00 +0000

Title: Phase Madness

Category: Quantum

Difficulty: Easy

Link: https://app.hackthebox.com/challenges/Phase%20Madness

Brief Description Link to heading

The description says "Qubitrix stores data unlike any other. At its core, every secret is locked in a silent quantum spiral, inaccessible to classical developers. The engineers swore it was flawless, yet something in its design hums and breathes. To them, it's madness. To us, clarity."

So, essentially, we are given the server code in Python, server.py.

Quantum - qlotto

Sun, 10 May 2026 00:00:00 +0000

Name - QLotto

Category - Quantum

Difficulty - Easy

Link - https://app.hackthebox.com/challenges/qlotto

Summary Link to heading

The challenge description sets the scene: "They call it QLotto â€” a dazzling new quantum lottery table provided by Qubitrix... If you can predict their draws, you can beat the system." We are provided with a server.py file. The core task is to bypass a restrictive input check on the quantum circuit indices and then manipulate the quantum state to create a predictable correlation between the "house card" and our draws. By using negative indexing and specific quantum gates, we can rig the lottery.

Quantum - untrusted node

Sun, 10 May 2026 00:00:00 +0000

Name - Untrusted Node

Category - Quantum

Difficulty - Medium

Link - https://app.hackthebox.com/challenges/Untrusted%2520Node

Summary Link to heading

The challenge presents a Quantum Key Distribution (QKD) simulation. The "Transmitter" (Alice) sends qubits to a "Receiver" (Bob), but there is a redundancy flaw: for every bit of the key, Alice sends a "chunk" of identical qubits. We act as the compromised "Trusted Node" in the middle. By measuring the first two qubits of each chunk in different bases and letting the rest pass to Bob, we can recover the key without alerting the protocol during the reconciliation phase.

Reverse Engineering - Coffee Invocation

Sun, 10 May 2026 00:00:00 +0000

Coffee Invocation Writeup Link to heading

Flag Link to heading

HTB{1_c4nt_c4ptur3_fl4g5_unt17_1v3_h4d_a1l_my_0xCAFEBABE}

Overview Link to heading

coffee_invocation is a PIE ELF that embeds two Java class files and drives them through JNI.

The native code:

creates a JVM
hooks java/lang/Shutdown.halt0
rewrites cached boxed values such as Byte, Short, Character, Boolean
runs Verify1
runs Verify2
if both wrappers return 0, prints the supplied password as HTB{<password>}

So the solve is to recover the exact 52-character password accepted by both verifiers.

Reverse Engineering - Cyberpsychosis

Sun, 10 May 2026 00:00:00 +0000

HackTheBox - Cyberpsychosis (Reverse Engineering) Link to heading

Challenge Description Link to heading

Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?

Difficulty: Medium
Category: Reverse Engineering
Files: diamorphine.ko, LICENSE.txt
Target: TCP service hosting a QEMU VM

Analysis Link to heading

Identifying the Rootkit Link to heading

The challenge provides diamorphine.ko, a Linux kernel module (LKM). Diamorphine is a well-known open-source Linux rootkit. Basic identification:

Reverse Engineering - Maze

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: Maze Link to heading

Challenge Overview Link to heading

Category: Reverse Engineering
Difficulty: Medium
Flag: HTB{w0W_Y0u_C0uld_E5c4p3_Th1s_M4Z33!!}

We are given a Windows executable (maze.exe), an encrypted zip (enc_maze.zip), and an image (maze.png). The goal is to navigate through multiple layers of obfuscation to find the flag.

Solution Link to heading

Step 1: Identify and Unpack PyInstaller Link to heading

$ file maze.exe
maze.exe: PE32+ executable for MS Windows, x86-64
$ strings maze.exe | grep PyInstaller
PyInstaller: pyi_win32_utils_to_utf8 failed.

The binary is a PyInstaller-packed Python 3.8 application. We extract it using pyinstxtractor:

Reverse Engineering - rauth

Sun, 10 May 2026 00:00:00 +0000

HTB Reverse Challenge: rauth Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: "My implementation of authentication mechanisms in C turned out to be failures. But my implementation in Rust is unbreakable. Can you retrieve my password?"
Flag: HTB{I_Kn0w_h0w_t0_5al54}

Analysis Link to heading

The binary is a 64-bit ELF Rust executable, dynamically linked, with debug info and not stripped.

Reverse Engineering - Regas Town

Sun, 10 May 2026 00:00:00 +0000

Rega's Town - HTB Reverse Engineering Challenge Writeup Link to heading

Challenge Info Link to heading

Category: Reverse Engineering
Description: Welcome to Rega Town, a quaint little place where everyone communicates through the magic of patterns and rules!

Analysis Link to heading

The challenge provides a 64-bit ELF binary written in Rust. Running it prompts for a "secret passphrase" and validates it against a series of regex patterns.

Reverse Engineering - VirtuallyMad

Sun, 10 May 2026 00:00:00 +0000

VirtuallyMad - HTB Reverse Engineering Challenge Link to heading

Flag Link to heading

HTB{0210010002100100031100010112110004130000}

Overview Link to heading

The challenge provides a stripped ELF binary (virtually.mad) that implements a custom virtual machine. The user must supply a hex-encoded "code" string that, when executed by the VM, produces a specific register state.

VM Architecture Link to heading

Registers & State Link to heading

The VM allocates a 0x38-byte structure:

Reverse Engineering - vvm

Sun, 10 May 2026 00:00:00 +0000

rev_vvm Writeup Link to heading

Flag Link to heading

HTB{v1rTu4L_p4sSw0rD_t3ChN0loGy}

Summary Link to heading

The binary is a stripped PIE ELF that implements a small VM. The visible flow is:

Print the banner.
Build a dispatch table for VM opcodes by XOR-decoding multiple handler stubs from .data.
Execute a dword-based bytecode program stored in .data at 0x5540.

Running the binary directly is not useful because one VM opcode calls ptrace and exits under tracing/debugged environments. The solve is easier statically by reconstructing the VM handlers and emulating the bytecode.

Web - NextBlog

Sun, 10 May 2026 00:00:00 +0000

NextBlog - CTF Writeup Link to heading

Challenge Info Link to heading

Name: NextBlog
URL: https://cyctf-luxor-cbaff7649acb-nextblog-0-0.chals.io
Category: Web
Flag: CyCTF{F7oXj5sHY4xfvfrIo2x2pkbr4eIVEW3DoYSQe1WHsx_iffn39-InchEsJKhkGtnfg8VA60x6WfCvKRQjmHzftiAxx1TvnXF8FA}

Overview Link to heading

A Next.js 16 blog application with a hidden flag server running on localhost:3001. The goal is to exploit a Server-Side Request Forgery (SSRF) vulnerability in a server action to reach the internal flag server.

WEB - Resizer

Sun, 10 May 2026 00:00:00 +0000

Resizer Writeup Link to heading

Challenge Link to heading

Name: Resizer
Category: Web
Target: http://154.57.164.66:30462

TL;DR Link to heading

The core bug is an arbitrary file write through path traversal in the upload filename:

filename = file.filename
filepath = os.path.join(app.config['UPLOAD_FOLDER'], filename)
file.save(filepath)

Because filename is never sanitized with secure_filename() and os.path.join() does not stop ../, we can write files outside uploads/.