forbytten blogs

Makeshift Writeup - Cyber Apocalypse 2024

Last update:

1 Introduction

This writeup covers the Makeshift Crypto challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge involved implementing a decoder for a provided Python encoder.

The description of the challenge is shown below.

Makeshift challenge description

2 Key Techniques

The key techniques employed in this writeup are:

3 Artifacts Summary

The downloaded artifact had the following hash:

$ shasum -a256

The zip file contained a single Python source code file,, and output.txt:

$ unzip
   creating: challenge/
  inflating: challenge/
 extracting: challenge/output.txt

$ shasum -a256 challenge/*
f54f516a925e53b3cf97cb4b21c01c9bb36821582d18ac06d07f9ec5fed9d589  challenge/output.txt
b5c59a96f342d04b4d782a418c907c3d77039c9b24022f75fc11ec7aad24444c  challenge/

4 Static Analysis

4.1 output.txt

output.txt was presumed to contain the encoded flag, given the presence of ‘THB’ at the end:

$ cat output.txt

4.2 contains Python code that encodes the flag as follows:

from secret import FLAG

flag = FLAG[::-1]
new_flag = ''

for i in range(0, len(flag), 3):
    new_flag += flag[i+1]
    new_flag += flag[i+2]
    new_flag += flag[i]


5 Implementing the decoder was implemented that does the opposite of what does:

with open("output.txt", "r") as f:
    flag ='\n')

    new_flag = ''

    for i in range(0, len(flag), 3):
        # encrypted as middle, last, first so we decrypt back
        new_flag += flag[i+2]
        new_flag += flag[i]
        new_flag += flag[i+1]


6 Obtaining the flag

The script was run and the flag was obtained:

$ python3

7 Conclusion

The flag was submitted and the challenge was marked as pwned

Submission of the flag marked the challenge as pwned