Github

misc

Challenges

Snake Tongue

I've seen parentheses you people wouldn't believe.

ncat --ssl snake-tongue.challs.snakectf.org 1337

This challenge implements a custom Lisp-like DSL called "Snake lang" with several evaluation forms. Now question: Where is the Flag?

  • The flag is stored in a global Common Lisp variable called *flag*, which is initialized in the main function:

(defparameter *flag* (let ((flag (uiop:getenv "FLAG")))
                       (if flag
                           flag
                           "REDACTED")))

The flag is loaded from the environment variable FLAG and stored as a global parameter accessible throughout the Common Lisp runtime.

How to get there? The DSL (Domain Specific Language) only exposes the format function from Common Lisp's standard library through the *dealwithit* list: 

(defparameter *dealwithit* '(format))

We need to find a way to break out of this restricted environment and access the *flag* variable directly from the underlying Common Lisp system.

Now is the vulnerability, it lies in the ! form handler within the please function:

The ! form compiles and executes real Common Lisp code using eval, completely bypassing the DSL's restrictions. While the dhc macro has a check to prevent redefinition of existing functions:

(if (fboundp name)
    (error "Can't do that, sorry")
    ...)

It allows defining entirely new functions with arbitrary Common Lisp code in their bodies, giving us full access to the underlying runtime environment.

Solution

  • Use the ! form to define a new Common Lisp function that returns the *flag* variable

  • Immediately call that function to retrieve the flag

((! get-flag (x) *flag*) 0)

  • ! triggers the vulnerable form handler

  • get-flag becomes the function name (passed to dhc)

  • (x) defines the parameter list

  • *flag* becomes the function body - directly accessing the global flag variable

  • The outer parentheses (... 0) immediately call the newly defined function with argument 0

❯ ncat --ssl snake-tongue.challs.snakectf.org 1337

enter your team token: 82eec771dcc97120407a0c738211523f
Snake lang REPL, enjoy your stay.
>>> ((! get-flag (x) *flag*) 0)
; in: DHC GET-FLAG
;     (LAMBDA (X) (PROGN *FLAG*))
; 
; caught STYLE-WARNING:
;   The variable X is defined but never used.
; 
; compilation unit finished
;   caught 1 STYLE-WARNING condition
snakeCTF{pr0duct10n_re4dy_l4nguAge_63dceb8e91c1c77d}

  • snakeCTF{pr0duct10n_re4dy_l4nguAge_63dceb8e91c1c77d}

GeoGuessitFVG (OSINT)

My teammate solved this one (my brain is too rotted for osint), but ultimately was use the Satellite mode, followed the white line which is electric poles. And check each road it cross.

  • snakeCTF{Ov3r_9000_v0lts_9c036a37136f5c6c}

NCPunk'd (upsolve)

Who the hell uses IPX and NCP in 2025? This guy. Can you help me find the flag?

TL;DR: So da network forensics challenge using legacy IPX/NCP protocol. Would need to extract flag.enc and encrypt.pyc from packet capture, decompile Python bytecode, reverse multi-stage encryption to get flag.

What are IPX and NCP?

  • IPX (Internetwork Packet Exchange): Legacy network protocol developed by Novell, predecessor to modern TCP/IP. Used primarily in 1980s-1990s for local area networks.

  • NCP (NetWare Core Protocol): File and print sharing protocol that runs over IPX. Handles file operations, directory services, and remote commands on Novell NetWare systems.

Where is the Flag?

  • The flag is encrypted and stored as flag.enc in frame #6732 of the packet capture. The base64 content is (from strings command):

  • XvIV9CyZhiE6NvMO0YZg+qDfRsBmAzLw/kNe0dldbRguuDP9S1e4ofDxZWf6RXXXTCF6eRSkQeTWoUuSxKx0i8A==

How to Get There?

  1. Extract the encrypted flag file from NCP traffic

  2. Find and extract the encryption program (encrypt.pyc) from frames #9563, #9565, #9567

  3. Decompile the Python bytecode to understand the encryption algorithm

  4. Reverse the multi-stage encryption process

import re
from scapy.all import rdpcap, Raw
from decrypt import decrypt

def extract_flag_from_pcap(pcap_file="capture.pcap"):


    # Load the packet capture
    packets = rdpcap(pcap_file)

    # Target packet containing the flag (converting to 0-based index)
    target_packet_index = 6732 - 1

    # Protocol header sizes for IPX/NCP stack
    ipx_header_size = 30
    ncp_header_size = 10
    headers_total = ipx_header_size + ncp_header_size

    # Extract the raw payload from target packet
    if len(packets) <= target_packet_index:
        raise ValueError(f"Packet {target_packet_index} not found in capture")

    packet = packets[target_packet_index]

    # Get raw data layer
    if not packet.haslayer(Raw):
        raise ValueError("Target packet has no raw data layer")

    raw_data = packet[Raw].load

    # Skip protocol headers and clean up padding
    flag_data = raw_data[headers_total:]

    # Remove null byte padding that's common in network protocols
    cleaned_data = flag_data.rstrip(b'\x00')

    # Convert to string for decryption
    encoded_flag = cleaned_data.decode('utf-8')

    # Decrypt using the provided decrypt function
    decrypted_flag = decrypt(encoded_flag)

    # Validate flag format using regex
    flag_pattern = re.compile(r"[a-zA-Z]+\{[a-zA-Z0-9_]+\}")

    if flag_pattern.match(decrypted_flag):
        return decrypted_flag
    else:
        raise ValueError(f"Decrypted data doesn't match flag format: {decrypted_flag}")

flag = extract_flag_from_pcap()
print(f"Flag found: {flag}")

❯ python solve.py
Attempting to decrypt: vIV9CyZhiE6NvMO0YZg+qDfRsBmAzLw/kNe0dldbRguuDP9S1e4ofDxZWf6RXXXTCF6eRSkQeTWoUuSxKx0i8A==
Found valid plaintext: snakeCTF{NCP_5lurp1ng_w1th_b3p1_cef2b24f993d1855}
Flag found: snakeCTF{NCP_5lurp1ng_w1th_b3p1_cef2b24f993d1855}

  • snakeCTF{NCP_5lurp1ng_w1th_b3p1_cef2b24f993d1855}

PreviouscryptoNextScriptCTF

Last updated