Skip to main content
HashnodeCucumbersome

Command Palette

Search for a command to run...

THJCC CTF 2026 writeup RE

Published
2 min read
M
Michal Gutowski

Super baby reverse

The flag is literary inside of the decompiled program

00401169    int32_t main(int32_t argc, char** argv, char** envp)

00401174        void* fsbase
00401174        int64_t rax = *(fsbase + 0x28)
00401197        int64_t var_148
00401197        __builtin_strncpy(dest: &var_148, src: "THJCC{BaBY_r3v3rs3_f0r_beggin3r}",

Fllllllag_ch3cker_again?

004021d9    int32_t main(int32_t argc, char** argv, char** envp)

004021e5        void* fsbase
004021e5        int64_t rax = *(fsbase + 0x28)
00402208        int64_t encryptedFLag
00402208        __builtin_memcpy(dest: &encryptedFLag, 
00402208            src: "\x00\x20\x7b\x30\x1c\x4a\x32\x00\x27\x01\x5e\x2f\x07\x00\x26\x06\x5b\x47\x40\x"
00402208        "2d\x02\x2c\x2a\x07\x01\x5d\x38\x34\x70\x29\x04\x37\x55\x43\x36\x5f\x14\x00\x2c\x58"
00402208        "61\x22", 
00402208            count: 0x2a)
00402248        int64_t var_e0 = 0x2a
0040225d        int64_t key
0040225d        __builtin_strncpy(dest: &key, src: "Th1s_1s_th3_k3y", count: 0xf)
0040226f        int64_t var_d8 = 0xf
00402284        std::vector<uint8_t>::vector()
00402298        uint8_t var_c8[0x20]
00402298        std::vector<uint8_t>::reserve(&var_c8)
0040231f        char var_e9
0040231f        
0040231f        for (int64_t i = 0; i u<= 0x29; i += 1)
004022f0            var_e9 = *(&key + i u% 0xf) ^ *(i + &encryptedFLag)
0040230a            std::vector<uint8_t>::push_back(&var_c8)

The flag is xored against the key Th1s_1s_th3_k3y

Decryption

```
enc = bytes([
    0x00, 0x20, 0x7b, 0x30, 0x1c, 0x4a, 0x32, 0x00, 0x27, 0x01, 0x5e, 0x2f, 0x07, 0x00, 0x26, 0x06,
    0x5b, 0x47, 0x40, 0x2d, 0x02, 0x2c, 0x2a, 0x07, 0x01, 0x5d, 0x38, 0x34, 0x70, 0x29, 0x04, 0x37,
    0x55, 0x43, 0x36, 0x5f, 0x14, 0x00, 0x2c, 0x58, 0x61, 0x22
])

key = b"Th1s_1s_th3_k3y"

flag = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
print(flag.decode())
```

Web

![](https://cloudmate-test.s3.us-east-1.amazonaws.com/uploads/covers/64e077c7857a8e8e2aca61b0/2f1978ba-778a-4ce6-bc62-18e75cbe6e6b.png align="middle")

Looks like there is an enpoint that is getting caoled. Simple iteration of requests

#!/bin/bash

for i in $(seq 0 999); do
    n=\((printf "%03d" \)i)
    response=\((curl -s "http://chal.thjcc.org:14514/?n=\)n" \
      -X POST \
      -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0' \
      -H 'Accept: */*' \
      -H 'Accept-Language: en-US,en;q=0.5' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Referer: http://chal.thjcc.org:14514/' \
      -H 'Origin: http://chal.thjcc.org:14514' \
      -H 'Connection: keep-alive' \
      -H 'Priority: u=4' \
      -H 'Content-Length: 0')

    echo "n=\(n: \)response"

    if [ "$response" != "Nope, Try Again!" ]; then
        echo ""
        echo ">>> Different response at n=$n <<<"
        echo ">>> Response: $response"
        break
    fi
done

The result was under n = 777

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

Cucumbersome

9 posts