# Pascal CTF

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Fjzsunu5gBJfIYMB5tvGk%2Fimage.png?alt=media&#x26;token=c19baf87-50a5-4fb2-828a-98b0ae92c950" alt="" width="563"><figcaption><p>2/570</p></figcaption></figure>

| Name                                                                                                            | Category            |
| --------------------------------------------------------------------------------------------------------------- | ------------------- |
| [Base N' Hex](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#base-n-hex)                  | Misc                |
| [Romagnol Prometheus](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#romagnol-prometheus) | Misc                |
| [Static Fl@g](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#static-fl-g)                 | Web Exploitation    |
| [Biscotto](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#biscotto)                       | Web Exploitation    |
| [Romañs Empyre](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#romans-empyre)             | Cryptography        |
| [MindBlowing](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#mindblowing)                 | Cryptography        |
| [KONtAct MI](https://aurichia.gitbook.io/aurichia-docs/ctfs-tours/2025/pascal-ctf#kontact-mi)                   | Reverse Engineering |

{% stepper %}
{% step %}

### Base N' Hex

> I encrypted the flag but I don't remember in what order. Can you help me?

Starting off the challenge, we were given this source code:

```python
from base64 import b64encode
import random, os

FLAG = os.getenv("FLAG").encode()
assert FLAG.startswith(b"pascalCTF{")
assert FLAG.endswith(b"}")

def encode(input_string):
    if random.randint(0, 1) == 0:
        return b64encode(input_string)
    else:
        return input_string.hex().encode()
    
if __name__ == "__main__":
    for i in range(10):
        FLAG = encode(FLAG)
    with open('output.txt', 'w') as out:
        out.write(FLAG.decode())
```

So it's a funny "encryption": each of the 10 rounds randomly does either a Base64 encode or a hex encode of the string. We can decode this easily by looking at the pattern of the text at each layer and then getting it back to normal in CyberChef.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F1YLovaGYktxJ3Qle8FmM%2FScreenshot%202025-03-19%20224229.png?alt=media&#x26;token=4b489380-c749-426a-b325-1a6c257e9f09" alt="" width="563"><figcaption></figcaption></figure>
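
The manual CyberChef peeling can also be automated. The following is an added example, not part of the original write-up: it tries both decodings at every layer and backtracks when a guess leads nowhere. `make_sample` re-creates the challenge encoder on a constructed flag so the script runs without `output.txt`; the function names are assumptions.

```python
from base64 import b64decode, b64encode
import binascii
import random

PREFIX = b"pascalCTF{"
HEX_CHARS = set(b"0123456789abcdef")

def candidates(blob: bytes):
    """Yield every valid one-layer decoding of blob (hex first, then Base64)."""
    if blob and len(blob) % 2 == 0 and set(blob) <= HEX_CHARS:
        yield bytes.fromhex(blob.decode())
    try:
        yield b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        pass  # not valid Base64, so this branch is dead

def peel(blob: bytes, max_layers: int = 10):
    """Depth-first search over the layer choices until the flag format appears."""
    if blob.startswith(PREFIX) and blob.endswith(b"}"):
        return blob
    if max_layers == 0:
        return None
    for inner in candidates(blob):
        found = peel(inner, max_layers - 1)
        if found is not None:
            return found
    return None

def make_sample(flag: bytes, rounds: int = 10, seed: int = 1) -> bytes:
    """Re-create the challenge's encoder on a constructed flag."""
    rng = random.Random(seed)
    for _ in range(rounds):
        flag = b64encode(flag) if rng.randint(0, 1) == 0 else flag.hex().encode()
    return flag

if __name__ == "__main__":
    sample = make_sample(b"pascalCTF{constructed_example_flag}")
    print(len(sample), "bytes ->", peel(sample))
```

For the real challenge, pass the contents of `output.txt` (read as bytes and stripped) to `peel`.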
{% endstep %}

{% step %}

### Romagnol Prometheus

> Mattia said he was feeling a little mischievous today and sent me these photos, can you help me understand what he's up to?

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FXjyVI0seoVydVgHecv1W%2Fimage.png?alt=media&#x26;token=cb7395b0-a20c-47fe-be83-ed0652c18188" alt=""><figcaption></figcaption></figure>

We were given 3 pictures and were asked what the meaning behind them was.

This is a bit guessy, but when we ran exiftool there was a GPS location, so I just went ahead and asked my AI.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2Fiz4KCHK4ZTnD2qFGAuBt%2Fimage.png?alt=media&#x26;token=cd72cd7e-d1f6-403e-8722-3df9dc5b0ede" alt="" width="553"><figcaption></figcaption></figure>

pascalCTF{gubbio}
{% endstep %}

{% step %}

### Static Fl\@g

> A friend of mine created a nice frontend, he said we didn't need a backend to check the flag...

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FAUVWN8anpIWk4nacnbuY%2Fimage.png?alt=media&#x26;token=d067564c-88ca-413d-83f4-f2ce46cb7e73" alt="" width="363"><figcaption></figcaption></figure>

A simple guess-the-flag challenge. When inspecting the page:

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F4W5BZvwpmKmWDdtmJveC%2Fimage.png?alt=media&#x26;token=fee39582-7c65-4fdd-8fb9-f1dbe298a91d" alt=""><figcaption></figcaption></figure>

We can just use the given `atob` to get the value.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FEI4VABOA0Ggh0Ixwr5Ud%2Fimage.png?alt=media&#x26;token=3828694f-5a82-43fc-ac98-37917b11e3ba" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Biscotto

> Elia accidentally locked himself out of his admin panel can you help him to get his access back?

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F7uDLjXIic3vGFWVSid34%2Fimage.png?alt=media&#x26;token=ddc68c95-ad35-420c-af94-3521b3dfd194" alt=""><figcaption></figcaption></figure>

I immediately logged in.

So after logging in we were given a cookie whose value we could change to admin, and then we get the flag.
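
The weakness described above, as an added example that is not the challenge's code: a role check that trusts a plain cookie value, next to an HMAC-signed cookie that rejects the same edit. The cookie layout, the function names and `SECRET_KEY` are assumptions, since the write-up does not show the real cookie.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key that is never sent to the client
SECRET_KEY = secrets.token_bytes(32)

def is_admin_vulnerable(cookie_value: str) -> bool:
    # Pattern from the write-up: the role is whatever the client's cookie says
    return cookie_value == "admin"

def _tag(username: str) -> str:
    return hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()

def issue_cookie(username: str) -> str:
    # Hypothetical layout: "<username>.<hex HMAC-SHA256 of username>"
    return f"{username}.{_tag(username)}"

def verify_cookie(cookie_value: str):
    """Return the username if the tag matches, otherwise None."""
    username, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare "admin"
    ok = hmac.compare_digest(tag.encode(), _tag(username).encode())
    return username if ok else None

def is_admin_hardened(cookie_value: str) -> bool:
    return verify_cookie(cookie_value) == "admin"

if __name__ == "__main__":
    guest = issue_cookie("guest")
    edited = "admin." + guest.rpartition(".")[2]  # value changed, old tag kept
    for value in ("admin", edited, guest, issue_cookie("admin")):
        print(f"{value[:20]:<20} vulnerable={is_admin_vulnerable(value)} "
              f"hardened={is_admin_hardened(value)}")
```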
{% endstep %}

{% step %}

### Romañs Empyre

> My friend Elia forgot how to write, can you help him recover his flag??

```python
import os, random, string

alphabet = string.ascii_letters + string.digits + "{}_-.,/%?$!@#"
FLAG : str = os.getenv("FLAG")
assert FLAG.startswith("pascalCTF{")
assert FLAG.endswith("}")

def romanize(input_string):
    key = random.randint(1, len(alphabet) - 1)
    result = [""] * len(input_string)
    for i, c in enumerate(input_string):
        result[i] = alphabet[(alphabet.index(c) + key) % len(alphabet)]
    return "".join(result)

if __name__ == "__main__":
    result = romanize(FLAG)
    assert result != FLAG
    with open("output.txt", "w") as f:
        f.write(result)
```

This cipher uses an alphabet that consists of `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_-.,/%?$!@#`.

The `romanize` function uses a random key, so for each character `c` it will just do

`(alphabet.index(c) + key) % len(alphabet)`

The key can only be one of `len(alphabet) - 1` values, so we can just reverse the process and test all the possible keys:

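```python
import string

# Same alphabet as the challenge source
alphabet = string.ascii_letters + string.digits + "{}_-.,/%?$!@#"

# Ciphertext written by the challenge script
with open("output.txt") as f:
    output = f.read().strip()

def reverse_romanize(encrypted_string, key):
    # Undo the shift: move every character back by `key` positions
    result = [""] * len(encrypted_string)
    for i, c in enumerate(encrypted_string):
        result[i] = alphabet[(alphabet.index(c) - key) % len(alphabet)]
    return "".join(result)

# Try every possible key and keep the one that yields the flag format
for key in range(1, len(alphabet)):
    decrypted_flag = reverse_romanize(output, key)
    if decrypted_flag.startswith("pascalCTF{") and decrypted_flag.endswith("}"):
        print(f"Found FLAG: {decrypted_flag}")
        print(f"Key used: {key}")
        break
```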

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FbimifT3s1xzUwG56F6L1%2Fimage.png?alt=media&#x26;token=ca7cf51b-1f16-4680-9641-d0e025864d42" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### MindBlowing

> My friend Marco recently dived into studying bitwise operators, and now he's convinced he's invented pseudorandom numbers! Could you help me figure out his secrets?

```python
import signal, os

SENTENCES = [
    b"Elia recently passed away, how will we be able to live without a sysadmin?!!?",
    os.urandom(42),
    os.getenv('FLAG', 'pascalCTF{REDACTED}').encode()
]

def generate(seeds: list[int], idx: int) -> list[int]:
    result = []
    if idx < 0 or idx > 2:
        return result
    encoded = int.from_bytes(SENTENCES[idx], 'big')
    for bet in seeds:
        # why you're using 1s when 0s exist
        if bet.bit_count() > 40:
            continue
        result.append(encoded & bet)
    
    return result

def menu():
    print("Welcome to the italian MindBlowing game!")
    print("1. Generate numbers")
    print("2. Exit")
    print()

    return input('> ')

def handler(signum, frame):
    print("Time's up!")
    exit()

if __name__ == '__main__':
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(300)
    while True:
        choice = menu()

        try:
            if choice == '1':
                idx = int(input('Gimme the index of a sentence: '))
                seeds_num = int(input('Gimme the number of seeds: '))
                seeds = []
                for _ in range(seeds_num):
                    seeds.append(int(input(f'Seed of the number {_+1}: ')))
                print(f"Result: {generate(seeds, idx)}")
            elif choice == '2':
                break
            else:
                print("Wrong choice (。_。)")
        except:
            print("Boh ㄟ( ▔, ▔ )ㄏ")
```

The chall starts off with a function to generate numbers.

So we need to target `SENTENCES[2]` to find the flag.

The chall is basically just doing `&` between the encoded sentence and each seed we give, and the only check is that a single seed has no more than 40 one bits. So by sending seeds with a single bit set we can get the flag one bit at a time until we have the full flag.

```python
from pwn import *
import ast
import time

p = remote("mindblowing.challs.pascalctf.it", 420)

def get_result(idx, seeds):
    """Send one 'Generate numbers' request and return the parsed result list."""
    try:
        p.sendlineafter(b"> ", b"1")
        p.sendlineafter(b"Gimme the index of a sentence: ", str(idx).encode())
        p.sendlineafter(b"Gimme the number of seeds: ", str(len(seeds)).encode())
        for i, seed in enumerate(seeds):
            p.sendlineafter(f"Seed of the number {i+1}: ".encode(), str(seed).encode())
        p.recvuntil(b"Result: ")
        result = p.recvline().strip().decode()
        # Parse the printed list without executing server-controlled text
        return ast.literal_eval(result)
    except EOFError:
        print("Connection closed by server.")
        return None


idx = 2           # SENTENCES[2] is the flag
flag_length = 64  # upper bound on the flag length in bytes

flag = b""
for byte_pos in range(flag_length):
    byte_value = 0
    for bit in range(8):
        # Single-bit mask: the result is non-zero only if that flag bit is 1
        seed = 1 << (byte_pos * 8 + bit)
        result = get_result(idx, [seed])
        if result is None:
            break
        if result and result[0] != 0:
            byte_value |= 1 << bit
    else:
        flag += bytes([byte_value])
        print(f"Reconstructed so far: {flag}")
        time.sleep(0.1)
        continue
    break

# Bytes were collected from the least significant end, so reverse them and
# drop the zero padding that comes from probing past the real flag length
flag = flag[::-1].lstrip(b"\x00")
print("FLAG:", flag.decode())
```

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2F5oyFQZvkFfTGPtajZbPE%2FScreenshot%202025-03-19%20223403.png?alt=media&#x26;token=c718c219-4e6e-47ad-8799-d6b843c91cc2" alt=""><figcaption></figcaption></figure>
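
The same leak modelled locally, next to a check on the total number of ones. This is an added example, not the challenge's or the author's code: `generate_vulnerable` mirrors the per-seed limit from the source above, while `HardenedOracle`, `recover`, `ones` and the sample secret are constructed for illustration.

```python
MAX_ONES = 40
SECRET = b"pascalCTF{constructed_sample}"  # constructed sample, not the real flag

def ones(n: int) -> int:
    # Same result as int.bit_count(): the 1 bits of abs(n)
    return bin(n).count("1")

def generate_vulnerable(seeds, secret=SECRET):
    """Challenge logic: the limit is applied to each mask on its own."""
    encoded = int.from_bytes(secret, "big")
    return [encoded & s for s in seeds if ones(s) <= MAX_ONES]

class HardenedOracle:
    """Caps the total number of distinct bit positions ever revealed."""
    def __init__(self, secret=SECRET, budget=MAX_ONES):
        self.encoded = int.from_bytes(secret, "big")
        self.budget = budget
        self.seen = 0  # union of every mask answered so far

    def generate(self, seeds):
        out = []
        for s in seeds:
            # Negative ints act as masks with unbounded 1 bits; ones() only counts abs(s)
            if s < 0 or ones(self.seen | s) > self.budget:
                continue
            self.seen |= s
            out.append(self.encoded & s)
        return out

def recover(oracle, n_bytes: int) -> bytes:
    """Send one single-bit mask per position and OR the answers together."""
    masks = [1 << i for i in range(n_bytes * 8)]
    value = 0
    for part in oracle(masks):
        value |= part
    return value.to_bytes(n_bytes, "big")

if __name__ == "__main__":
    n = len(SECRET)
    print("per-mask limit :", recover(generate_vulnerable, n))
    print("total budget   :", recover(HardenedOracle().generate, n))
```

A budget kept per connection is reset by reconnecting, so the counter has to live somewhere the client cannot reset, or the masked secret should not be exposed at all.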

> pascalCTF{m4by3\_1\_sh0uld\_ch3ck\_th3\_t0t4l\_numb3r\_0f\_ONES}

{% endstep %}

{% step %}

### KONtAct MI

> I've beaten this stupid game many times, but I never got to the real final. I've also asked the admin about it, but he keeps saying I have something called 'Skill issue'.

This is a very easy RE challenge.

There was nothing interesting in the source code other than the part where it does a curl to an API.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FscMMchZ1VLbalgU9yjV9%2Fimage.png?alt=media&#x26;token=3f10f961-5f57-44d6-809c-bd52329d059f" alt=""><figcaption></figcaption></figure>

The API takes JSON data, it seems.

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FDQSFN0BJRSxjlYQyl768%2Fimage.png?alt=media&#x26;token=c56b5e88-6db1-4fd1-b272-e8c271d1289f" alt=""><figcaption></figcaption></figure>

When curling it, it seems like that response is the goal of the chall.

```bash
curl -X POST https://kontactmi.challs.pascalctf.it/adminSupport \
  -H "Content-Type: application/json" \
  -d '{"code":"up-up-down-down-left-right-left-right-B-A"}'
```

<figure><img src="https://2781327171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMuMceEGBvWN37BjlZKgv%2Fuploads%2FhIG48hlMFMGzTcmJVzIQ%2Fimage.png?alt=media&#x26;token=d79c3578-c43b-46b3-8b8f-89c19511f56a" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}
