tkh4ck.github.io

Personal website and blog of tkh4ck


HTB Cyber Apocalypse 2024: Hacker Royale - Crushing

Challenge

You managed to intercept a message between two event organizers. Unfortunately, it’s been compressed with their proprietary message transfer format. Luckily, they’re gamemakers first and programmers second - can you break their encoding?

Metadata

Solution

main decompiled

add_char_to_map decompiled

serialize_and_output decompiled

As an example, let’s deserialize a small part of the file manually:

```
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000050  0c 00 00 00 00 00 00 00  49 00 00 00 00 00 00 00  |........I.......|
00000060  4a 00 00 00 00 00 00 00  8e 00 00 00 00 00 00 00  |J...............|
00000070  8f 00 00 00 00 00 00 00  19 01 00 00 00 00 00 00  |................|
00000080  1a 01 00 00 00 00 00 00  b3 01 00 00 00 00 00 00  |................|
00000090  b4 01 00 00 00 00 00 00  2f 02 00 00 00 00 00 00  |......../.......|
000000a0  30 02 00 00 00 00 00 00  bd 02 00 00 00 00 00 00  |0...............|
000000b0  be 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000160  79 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  |y...............|
00000170  0c 00 00 00 00 00 00 00  11 00 00 00 00 00 00 00  |................|
```

We can write a Python snippet to deserialize the serialized data (`solve.py`).

```python
# Read the serialized file as a sequence of little-endian 64-bit integers.
dump = open('message.txt.cz', 'rb').read()
entries = []
length = 0

for i in range(0, len(dump), 8):
    value = int.from_bytes(dump[i:i+8], "little")
    entries.append(value)
    # The largest value seen is used as the highest position in the message.
    if value > length:
        length = value

# Placeholder for every position of the original message.
text = ['*'] * (length+1)

# The file holds one record per byte value, starting at 0:
# a count, followed by that many positions where the byte occurs.
character = 0
i = 0
while i < len(entries):
    size = entries[i]
    for j in range(i+1, i+1+size):
        text[entries[j]] = chr(character)
    character += 1
    i = i + 1 + size
print(''.join(text))
```
```
$ python solve.py
Organizer 1: Hey, did you finalize the password for the next... you know?

Organizer 2: Yeah, I did. It's "HTB{4_v3ry_b4d_compr3ss1on_sch3m3}"

Organizer 1: "HTB{4_v3ry_b4d_compr3ss1on_sch3m3}," got it. Sounds ominous enough to keep things interesting. Where do we spread the word?

Organizer 2: Let's stick to the usual channels: encrypted messages to the leaders and discreetly slip it into the training manuals for the participants.

Organizer 1: Perfect. And let's make sure it's not leaked this time. Last thing we need is an early bird getting the worm.

Organizer 2: Agreed. We can't afford any slip-ups, especially with the stakes so high. The anticipation leading up to it should be palpable.

Organizer 1: Absolutely. The thrill of the unknown is what keeps them coming back for more. "HTB{4_v3ry_b4d_compr3ss1on_sch3m3}" it is then.
```

Flag: HTB{4_v3ry_b4d_compr3ss1on_sch3m3}
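
To check the layout read off the hexdump, the following is an added example (not part of the original write-up or the challenge binary): a Python re-implementation of the encoder and a strict decoder that rejects malformed input. It assumes the format is 256 records, one per byte value, each a 64-bit little-endian count followed by that many 64-bit positions; the names `crush`, `uncrush` and `SAMPLE` are hypothetical and the sample message is constructed.

```python
import struct

# Constructed sample input, not the intercepted message.
SAMPLE = b"Organizer 1: Hey\nOrganizer 2: Yeah\n"

def crush(data: bytes) -> bytes:
    """Encode: for each byte value 0..255, a count and then the positions."""
    positions = [[] for _ in range(256)]
    for pos, b in enumerate(data):
        positions[b].append(pos)
    out = bytearray()
    for plist in positions:
        out += struct.pack("<Q", len(plist))
        out += struct.pack(f"<{len(plist)}Q", *plist)
    return bytes(out)

def uncrush(blob: bytes) -> bytes:
    """Strict decoder: raises ValueError on truncated or inconsistent input."""
    if len(blob) % 8:
        raise ValueError("length is not a multiple of 8")
    words = struct.unpack(f"<{len(blob) // 8}Q", blob)
    # Every word is either one of the 256 counts or a position.
    total = len(words) - 256
    if total < 0:
        raise ValueError("fewer than 256 count fields")
    out = [None] * total
    i = 0
    for value in range(256):
        if i >= len(words):
            raise ValueError(f"truncated before byte value {value}")
        count = words[i]
        i += 1
        if count > len(words) - i:
            raise ValueError("count runs past end of input")
        for pos in words[i:i + count]:
            if pos >= total or out[pos] is not None:
                raise ValueError(f"position {pos} out of range or reused")
            out[pos] = value
        i += count
    if i != len(words):
        raise ValueError("trailing data after the last record")
    return bytes(out)

if __name__ == "__main__":
    blob = crush(SAMPLE)
    print(len(blob), uncrush(blob) == SAMPLE)
```

As in the dump above, the first non-zero word of the encoded sample sits at offset 0x50, the count field for byte value 10 (newline). The output is always 8 × (256 + message length) bytes, so the scheme expands its input rather than compressing it.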