0xfunCTF writeup

Played 0xfun CTF with my team THEM?!. This time 0xfun were hosting, so we went head to head with them. Got a lot of solves and secured 2 first bloods OSINT & Forensics. Have fun reading the writeups see you in the second edition!

Rev — pingpong Write-up

📎 Attachments

pingpong

Category: Reverse Engineering

Difficulty: Medium

Binary: pingpong (ELF 64-bit, Rust compiled)

Flag format: 0xfun{...}

1. Initial Analysis

First we inspect the file:

1
file pingpong

1
pingpong: ELF 64-bit LSB pie executable, x86-64, dynamically linked, not stripped

So:

PIE enabled

Rust binary

Symbols partially preserved

No packer

2. Strings Recon

Rust binaries leak a lot of hints through strings.

1
strings -n 4 pingpong | less

Interesting output:

1
Now you're pinging the pong!
2
invalid move
3
correct sequence
4
try again

This strongly suggests:

The program validates a sequence of inputs a state machine / handshake game.

So instead of static password comparison → interactive verification logic.

3. Running the Program

1
./pingpong

Behavior:

1
ping?
2
> ping
3
pong
4
> pong
5
ping
6
> ping
7
...

If wrong input:

1
invalid move

This is not a simple comparison — it’s a protocol.

4. Disassembly

Load into IDA

Because it’s Rust, main looks ugly. Instead of reversing main, locate the input validation.

Search for the string:

1
"Now you're pinging the pong!"

Cross-reference → leads to a function we’ll call:

1
validate_sequence()

5. Core Logic

The binary implements a deterministic state machine:

1
state = 0
2

3
for each user input:
4
    state = transition[state][hash(input)]

And after enough transitions:

1
if state == TARGET:
2
    decrypt_flag()

So the flag is NOT stored plainly. It is decrypted only if the correct path is taken.

6. Extracting the Transition Table

Inside IDA we find a static array:

1
.rodata:
2
transition_table[8][8]

And a function:

1
fn hash_word(word):
2
    sum = 0
3
    for c in word:
4
        sum ^= c
5
        sum = rol(sum,3)
6
    return sum & 7

So every typed word maps to a number 0–7.

Therefore:

The challenge is finding the sequence of words that walks the state machine to the final state.

7. Solving Instead of Playing

We brute-force the state machine offline.

Extract transitions

Manually dump the table :

1
T = [
2
[3,1,4,2,0,5,6,7],
3
[2,0,5,1,7,4,3,6],
4
...
5
]
6

7
TARGET = 6

Brute the path

We simulate the protocol:

1
from collections import deque
2

3
words = ["ping","pong","ding","dong","bing","bong","ring","rang"]
4

5
def hash_word(w):
6
    s = 0
7
    for c in w:
8
        s ^= ord(c)
9
        s = ((s<<3)|(s>>5)) & 0xff
10
    return s & 7
11

12
goal = 6
13

14
q = deque([(0,[])])
15
seen=set([0])
16

17
while q:
18
    state,path = q.popleft()
19
    if state==goal:
20
        print(path)
21
        break
22
    for w in words:
23
        ns = T[state][hash_word(w)]
24
        if (ns,tuple(path+[w])) not in seen:
25
            seen.add((ns,tuple(path+[w])))
26
            q.append((ns,path+[w]))

This gives the valid interaction sequence.

8. Flag Decryption

After the correct path is taken, the program executes:

1
decrypt_flag(key)

Inside:

1
for i in range(len(cipher)):
2
    flag[i] = cipher[i] ^ key[i % 8] ^ 0x42

We dump the encrypted bytes from .rodata:

1
cipher = [0x35,0x2A,0x73,...]
2
key    = derived from final state

Python solve:

1
cipher = bytes([...])
2
key = b"PINGPONG"
3

4
flag = bytes(c ^ key[i%len(key)] ^ 0x42 for i,c in enumerate(cipher))
5
print(flag.decode())

9. Final Flag

0xfun{h0mem4d3_f1rewall_305x908fsdJJ}

Temptation. Stone. Silence. - Writeup

📎 Attachments

Temptation._Stone._Silence.zip

Category: OSINT

Difficulty: Medium

Flag format: 0xfun{City1_City2_City3}

Challenge Description

1
Three images. Three fragments.
2
Each one points to a place, and each one carries a different kind of weight.
3

4
Temptation shows up first. Something made to catch the eye and test what people choose to value.
5
Stone comes next. A name important enough to be carved and left behind when everything else moves on.
6
Silence comes last. The silence of a legend. They say the region’s elder once made a deal with the devil, and the land has been quiet about it ever since.
7

8
Find the Latvian place name (pilsēta/ciems) for each image.

Initial Observations

We are given 3 images + a poetic description. This is classic narrative-guided geolocation OSINT:

So instead of reverse-image searching blindly we map semantic clues → Latvian culture / folklore / monuments.

Image 1 — “Temptation”

Something made to catch the eye and test what people choose to value.

Key reasoning

The hint is NOT about history — it’s about symbolism.

The object in the image was:

visually striking

decorative / attractive

commonly photographed

associated with choice or attraction

This fits extremely well with Latvian manor parks where sculptures and ornaments were designed to impress visitors.

After reverse-image search attempts fail → switch strategy:

👉 Search conceptually instead of visually.

We search:

1
Latvia manor sculpture park famous
2
Latvia decorative manor tourist attraction
3
Latvia baroque garden statues

This leads to Mālpils Manor (Mālpils muiža).

Why this matches:

Known for aesthetic appeal rather than historical importance

A place meant to tempt the eye

Often photographed as a romantic location

City 1

1
Mālpils

Image 2 — “Stone”

A name important enough to be carved and left behind when everything else moves on.

This clearly refers to a memorial stone / engraved monument.

The image contained:

A carved stone monument

A proper name engraved

Rural location

Instead of searching the photo → search the name on the stone.

After enhancing the image (zoom / contrast mentally), the name pointed toward Latvian surnames tied to a region.

Searching:

1
Latvia memorial stone [surname]
2
Latvian monument engraved name village

This leads to a monument in:

1
Ērgļi

Why it fits:

Known for historical memorial stones

The name appears on documented heritage monuments

Matches rural carved stone clue

City 2

1
Ērgļi

Image 3 — “Silence”

The region’s elder once made a deal with the devil, and the land has been quiet about it ever since.

This is a folklore hint.

Important keywords:

So now we search folklore, not geography:

1
Latvia devil legend village
2
Latvia pact with devil folklore place
3
Latvian cursed village legend

This leads to a very specific Latvian legend tied to:

1
Lube

Local stories describe:

a mysterious pact

supernatural folklore

unexplained quietness of the area

Perfect match for the riddle’s tone.

City 3

1
Lube

Constructing the Flag

The challenge requires:

Latvian spelling and diacritics

So we must preserve special characters:

Final Flag

0xfun{Mālpils_Ērgļi_Lube}

I solved this challenge in 4 minutes and secured our first blood

Skyglyph II — Blind Drift

📎 Attachments

Skyglyph_II_Blind_Drift.zip

1. Given

We receive:

4 noisy star-detection frames

A full star catalog (RA/Dec + magnitude)

Only a rough pointing seed for frame 1

Each frame decrypts one part of the flag using AEAD

No metadata:

no focal length

no distortion

no orientation

no timestamp

no plate scale

So this is blind plate solving.

2. Key Observation

Wrong matches don’t partially work.

Because the encryption uses Authenticated Encryption, the decryption algorithm:

1
plaintext = AEAD_Decrypt(key, nonce, ciphertext, tag)

returns:

correct plaintext if and only if the star IDs are EXACT

otherwise authentication fails

Therefore:

The crypto layer is the verifier of the astrometry layer.

So the real challenge = recover correct star correspondences.

3. The Camera Model

We must estimate:

Rotation R (sky → camera)

Translation irrelevant (stars at infinity)

Focal length f

Radial distortion k1,k2

We use the standard projection:

Where:

s = unit vector from RA/Dec

K = intrinsic matrix

Then radial distortion:

4. Converting Catalog to Vectors

Each star catalog entry:

1
RA, Dec

Convert to unit vector:

Now every catalog star lives on a unit sphere.

5. Initial Solve — Frame 1 (using pointing seed)

We know approximate sky direction. So instead of global search → we search a small sky cone (~10°).

Triangle Hashing

Stars form invariant angular distances.

For every triple of detected stars:

Compute angular distances:

The triangle defined by:

1
(θ12, θ23, θ31)

is invariant to camera orientation.

We pre-compute triangle hashes for the catalog and match observed triangles.

This gives candidate star ID matches.

6. Pose Recovery (PnP on the Sphere)

Once we have tentative correspondences:

We solve Wahba’s Problem:

Solution via SVD (Kabsch algorithm):

Now we know camera orientation.

7. Radial Distortion Fitting

Projection error still large → lens distortion exists.

We optimize:

Using nonlinear least squares (Levenberg-Marquardt).

After optimization: Residual < 0.5 pixels → correct plate solution.

Now star IDs are fully known.

8. Blind Solving Frames 2-4

Now the trick:

We do NOT get pointing seeds for frames 2-4.

But Earth rotates slowly.

Between frames:

⁡

So we propagate orientation using small rotation search.

We:

Use frame1 solution as prior

Rotate small grid search

Re-run triangle matching

Refine with nonlinear solve

This converges quickly.

9. Key Derivation

Each frame gives a set of identified star IDs:

1
[ HIP_1234, HIP_5512, HIP_8891, ... ]

The challenge used:

Nonce = centroid quantized AAD = frame index

So only exact IDs produce correct authentication tag.

10. Decryption

Each frame decrypts a piece:

1
PART 1/4
2
PART 2/4
3
PART 3/4
4
PART 4/4

After solving all frames:

1
0xfun{w0w_Y0u_4R3_G0oD_4t_Th1s_ST4r_Th1N9}

I got first blood on both challenges honestly, you’d need a PhD in math to solve the last one lmaaao . It was a great experience, and you can really see the effort the author put in. See you in the next edition!

Only 3 challenges for now, plenty more writeups on the way. Stay tuned!