/post/sr25-toxicity/Thu, 17 Jul 2025 21:00:16 +0100/post/sr25-toxicity/Click to expand challenge code from Crypto.Util.number import bytes_to_long from os import urandom from PIL import Image import numpy as np import random class DoubleLCG: def __init__(self, a1,a2, b1,b2, m, seed1, seed2): self.a1 = a1 self.a2 = a2 self.b1 = b1 self.b2 = b2 self.m = m self.state1 = bytes_to_long(urandom(6)) if seed1 is None else seed1 self.state2 = bytes_to_long(urandom(6)) if seed2 is None else seed2 self.counter = 0 def refresh(self): self./post/sr25-jigsaw/Thu, 17 Jul 2025 20:06:16 +0100/post/sr25-jigsaw/Click to expand challenge code from random import Random from Crypto.Util.number import bytes_to_long, long_to_bytes from Crypto.Cipher import AES from Crypto.Util.Padding import pad import os FLAG = os.getenv("FLAG", "FL1TZ{dummy_dum_dum}") COLOR_BLACK = "\x1b[30m" COLOR_RED = "\x1b[31m" COLOR_GREEN = "\x1b[32m" COLOR_YELLOW = "\x1b[33m" COLOR_BLUE = "\x1b[34m" COLOR_MAGENTA = "\x1b[35m" COLOR_CYAN = "\x1b[36m" COLOR_RESET = "\x1b[0m" BOLD = "\x1b[1m" RESET_BOLD = "\x1b[22m" class Jigsaw: def __init__(self): self.dealer = Random() def get_piece(self): return self./post/sr25-lights/Thu, 17 Jul 2025 19:31:16 +0100/post/sr25-lights/Click to expand challenge code from hashlib import sha256 from Crypto.Util.number import bytes_to_long, long_to_bytes from random import randint from Crypto.Cipher import AES from Crypto.Util.Padding import pad import json FLAG = b"FL1TZ{??????????????????????????}" p = 0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377 a = -3 b = 27 E = EllipticCurve(GF(p), [a,b]) G = E.gens()[0] j = E.j_invariant() def gen_random_number(): while True: P = E.random_point() if P.order() > j: break return bytes_to_long(sha256(long_to_bytes(int(P.xy()[0]))).digest()[:8]) def derive_key_iv(secret): key = sha256(long_to_bytes(secret))./post/sr25-eob/Thu, 17 Jul 2025 18:48:16 +0100/post/sr25-eob/Click to expand challenge code package main import ( "bufio" "crypto/rand" "encoding/hex" "fmt" "log" "math/big" "net" "strings" ) const LEN = 31 const MASK = (1 << LEN) - 1 const FLAG = "FL1TZ{?????????????????????????????}" var taps1 = []int{/*?, ?, ?, ?*/} var taps2 = []int{/*?, ?, ?, ?*/} type LFSR struct { state uint64 taps []int count int } func (l *LFSR) rekey(newseed uint64) { l.state = newseed } func newLFSR(taps []int) *LFSR { seed := genRandSeed() return &LFSR{state: seed, taps: taps} } func (l *LFSR)lfsrStep() uint8 { feedback := uint64(0) if l./post/sr25-novacain/Thu, 17 Jul 2025 18:06:16 +0100/post/sr25-novacain/Click to expand challenge code #!/usr/bin/env python3 """ Prove you know a satisfying assignment without revealing it—1 take per round, no pain. Protocol (each round): 1) Commit to each bit of your assignment. 2) I'll challenge you >:) 3) I'll pen either the full assignment or just the clause bits. 4) Survive all 128 rounds, and I might just give yout the flag. """ import random import hashlib from Crypto./post/sr25-puppet/Thu, 17 Jul 2025 17:57:16 +0100/post/sr25-puppet/Click to expand challenge code import os import secrets import sys import time from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad SERVER_KEY = secrets.token_bytes(16) FLAG = os.environ.get("FLAG", "FL1TZ{????????????}") def issue_token(user_id: str) -> bytes: iv = secrets.token_bytes(16) payload = f"uid={user_id}&role=puppet".encode() cipher = AES.new(SERVER_KEY, AES.MODE_CBC, iv=iv) return iv + cipher.encrypt(pad(payload,16)) def check_token(token: bytes) -> str: iv = token[:16] ct = token[16:] cipher = AES.new(SERVER_KEY, AES.MODE_CBC, iv=iv) pt = cipher.decrypt(ct) print(f"Decrypted token: {pt!/post/sr25-ok-computer/Thu, 17 Jul 2025 17:22:16 +0100/post/sr25-ok-computer/Click to expand challenge code from Crypto.Util.number import getPrime, bytes_to_long flag = "FL1TZ{*********}" p = getPrime(512) q = getPrime(512) n = p * q e = 5 m = bytes_to_long(flag.encode()) c = pow(m, e, n) data = { "n": n, "e": e, "c": c } with open("computer.json", "w") as f: import json json.dump(data, f, indent=4) Since this CTF was destined to be pretty advanced, I didn’t want beginner players to leave with 0 solves./post/l3ak-oracle/Mon, 14 Jul 2025 19:47:16 +0100/post/l3ak-oracle/This challenge was a standard Hidden Number Problem dressed up in fantasy cosplay. The objective was clear: uncover a hidden value $\alpha$ using Babai's CVP algorithm Challenge Overview The challenge spins up a remote service that hands out: p: A 256-bit prime modulus. n: The bit length of p, which is 256. k: The number of bits to be leaked, calculated as int(n**0.5) + n.bit_length() + 1, which comes out to 26./post/l3ak-puzzle4/Mon, 14 Jul 2025 18:27:16 +0100/post/l3ak-puzzle4/Just when we thought we had the system figured out, the authors straight up yeeted the crutch from underneath us: the reference image. The url field in the API response was some nonesense that led nowhere. We were essentially flying blind. This challenge was a two-act play. First, solve a jigsaw puzzle with no picture on the box, that would award us with the source code for the platform. Second, use that source code to scout for a vulnerability that would yield us the flag./post/l3ak-puzzle3/Mon, 14 Jul 2025 17:55:16 +0100/post/l3ak-puzzle3/So, you saw how we handled the last puzzle. It was flashy, watching the browser solve itself was a neat party trick, but it’s hella inefficient. Relying on Selenium to brute-force the DOM with clicks felt like using a sledgehammer for brain surgery. For this next stage, the puzzles got harder and the timer got drastically shorter. It was time to evolve. As hinted before, we knew there was a backend API./post/l3ak-puzzle2/Mon, 14 Jul 2025 17:17:16 +0100/post/l3ak-puzzle2/This is the second challenge in a 5-part series involving solving a scrablmed image puzzles (10 of them in this case) in record time, for the most part. The first part is solvable manually, but this level increases the number of pieces and reduces the time limit for each puzzle, making atomation the clear path forward. Hint Discovery Initial analysis of the web page revealed hint. The <h1> element containing the puzzle’s title was also an <a> tag, linking to an external site (which is X, but not always)./post/r3coin/Tue, 08 Jul 2025 18:02:16 +0100/post/r3coin/This challenge involves a blockchain-like system that uses a chameleon hash function for transaction integrity. The goal is to exploit the chameleon hash properties to forge a transaction “Selling|flag|x” that allows us to buy the flag. Mechanics The app lets up perform a set of actions to interact with the chain: Work: Gives us some money Buy Gift: Appends a “Buy” entry followed by a “Selling|gift|100” onto the chain Refund oldest: Turns the oldest “Buy” transaction into a “Work|x” entry by internally forging a satisfying hash./page/archives/Sun, 06 Jul 2025 00:00:00 +0000/page/archives//post/chattery/Sun, 23 Mar 2025 12:49:59 +0100/post/chattery/I don’t know what happened but Golang propaganda started catching up to me, and suddenly I wanted to learn it. Since Go is best suited for backend application, That’s why it was made in the first place, I wanted to create my very own chat application; what could go wrong? Turns out A LOT could go sideways, and it did: Goroutines, session store, OAuth, CORS, caching, DB management… It took a couple of weeks to figure out, but I learend a ton from it and now love Go even more!/post/kanban/Sun, 23 Mar 2025 12:49:59 +0100/post/kanban/This was my first jab at Web Development. I took a course on coursera the summer prior to dip my toes into HTML, CSS and JS, but I wanted to learn that thing everyone keeps talking about; React Since this was my first “website” ever, it’s what the cool kids call fucking dogshit, but it taught me the basics on how to navigate React and typescript and fiddle with nextjs and tailwind./post/cloudflare/Thu, 06 Feb 2025 18:49:59 +0100/post/cloudflare/As a CTF player, I’ve spent my fair share of time solving puzzles, inspecting vulnerabilities, and breaking RSA for the billionth time. I always thought my first malware analysis would come from a CTF challenge or perhaps an ominous-looking file I downloaded on purpose in the name of research. Little did I know, this initiation would come in the most unexpected way: my roommate accidentally infected my own machine./page/about/Mon, 01 Jan 0001 00:00:00 +0000/page/about/I’m Malek Tababi, known online as Bitraven. I’m a software engineering student at the *National Institute of Applied Science and Technology INSAT* with a particular interest for cybersecurity. I’m also a CTF player in the teams FL1TZ 🐧, AresX 🐉 and Friendly Maltese Citizens 🇲🇹, mainy playing Cryptography. You can find me mingling with some other cs projects on the side; AI, Data Science, Web dev… Anything interesting really. I enjoy editing videos on the side too, you can check some of them out over here if you’d like ;)/page/career/Mon, 01 Jan 0001 00:00:00 +0000/page/career/2025 L3akCTF 2025 8th place Team: ARESx Despite not winning any prizes, 8th place out of 1587!! in one of the most competitive international CTFs is very commandable, especially since we weren’t that far off from the top positions. I was also the top fragger in the team with 2013 points, not too shabby. What’s disappointing though is that I didn’t solve all crypto puzzle as I had hoped, leaving two unsolved :( But after reading the solutions for those two challenges, I’m gald I hadn’t sunk more time into them because there ain’t no way I can remotely think for a solution by myself for them 😭 yet >:)/page/search/Mon, 01 Jan 0001 00:00:00 +0000/page/search/