TexSAW 2026 - Model Heist - Miscellaneous Writeup

Category: Miscellaneous Flag: texsaw{w3ight5_t3ll_t4l3s}

Challenge Description#

Neural networks are like onions - or was that ogres?

Analysis#

The file was a Keras model saved as an HDF5 container, so the first useful question was not “can the model classify something?” but “what exactly is stored inside it?” Dumping the top-level groups and a few subkeys immediately showed ordinary model metadata alongside a suspicious layer named secret_layer. That name mattered more than the rest of the architecture, because challenge authors do not usually name a layer that unless they want you to look there.

1
import h5py
2

3
f = h5py.File('/tmp/ctfchan_model_heist/model.h5', 'r')
4
print('keys', list(f.keys()))
5
print('attrs', dict(f.attrs))
6
for k in f.keys():
7
    g = f[k]
8
    print('group', k, 'type', type(g))
9
    if hasattr(g, 'keys'):
10
        print('  subkeys', list(g.keys())[:20])

1
python inspect_model.py

1
keys ['model_weights', 'optimizer_weights']
2
group model_weights type <class 'h5py._hl.group.Group'>
3
  subkeys ['dense', 'dense_1', 'dense_2', 'flatten', 'secret_layer', 'top_level_model_weights']
4
group optimizer_weights type <class 'h5py._hl.group.Group'>
5
  subkeys ['adam']

Once secret_layer stood out, the next check was to see what tensors it actually contained. The layer had a bias vector of length 26 and a much larger kernel matrix with shape (128, 26), which is exactly the kind of place where someone could hide byte data without it being obvious in a quick strings pass.

1
import h5py
2

3
f = h5py.File('/tmp/ctfchan_model_heist/model.h5', 'r')
4
sl = f['model_weights']['secret_layer']['sequential']['secret_layer']
5
print('keys', list(sl.keys()))
6
for k in sl.keys():
7
    d = sl[k]
8
    print(k, d.shape, d.dtype)

1
python inspect_secret_layer.py

1
keys ['bias', 'kernel']
2
bias (26,) float32
3
kernel (128, 26) float32

At that point the challenge description started to make sense: this was less about machine learning and more about peeling back layers until the hidden payload showed up. The solve was to treat the floating-point weights as encoded byte data. The script below flattened each layer’s weights, multiplied them by a handful of scale factors, rounded them to integers, mapped them into byte values with % 256, and searched the result for the expected texsaw{...} flag pattern. The hit landed on the secret_layer kernel at scale 1000, which means the flag had been embedded directly into the model weights rather than produced by running inference.

1
import h5py
2
import numpy as np
3
import re
4

5
f = h5py.File('/tmp/ctfchan_model_heist/model.h5', 'r')
6
pattern = re.compile(rb'texsaw\{[^}]+\}')
7

8
for layer in ['dense', 'secret_layer', 'dense_1', 'dense_2']:
9
    try:
10
        K = f['model_weights'][layer]['sequential'][layer]['kernel'][()]
11
        B = f['model_weights'][layer]['sequential'][layer]['bias'][()]
12
    except Exception as e:
13
        print(layer, 'err', e)
14
        continue
15

16
    for scale in [10, 50, 100, 200, 500, 1000]:
17
        vals = np.rint(K.flatten() * scale).astype(int)
18
        b = bytes([(v % 256) for v in vals])
19
        m = pattern.search(b)
20
        if m:
21
            print(layer, 'scale', scale, 'found', m.group(0))
22
            raise SystemExit
23

24
    for scale in [10, 50, 100, 200, 500, 1000]:
25
        vals = np.rint(B * scale).astype(int)
26
        b = bytes([(v % 256) for v in vals])
27
        m = pattern.search(b)
28
        if m:
29
            print(layer, 'bias scale', scale, 'found', m.group(0))
30
            raise SystemExit
31

32
print('no pattern found')

1
python solve.py

1
secret_layer scale 1000 found b'texsaw{w3ight5_t3ll_t4l3s}'

The key detail was that the hidden bytes were not stored as obvious text inside the HDF5 file; they were encoded as scaled floating-point values inside the secret layer’s kernel. Once those values were rounded back into integers, the flag appeared intact.

Solution#

1
import h5py
2
import numpy as np
3
import re
4

5
f = h5py.File('/tmp/ctfchan_model_heist/model.h5', 'r')
6
pattern = re.compile(rb'texsaw\{[^}]+\}')
7

8
for layer in ['dense', 'secret_layer', 'dense_1', 'dense_2']:
9
    try:
10
        K = f['model_weights'][layer]['sequential'][layer]['kernel'][()]
11
        B = f['model_weights'][layer]['sequential'][layer]['bias'][()]
12
    except Exception:
13
        continue
14

15
    for scale in [10, 50, 100, 200, 500, 1000]:
16
        vals = np.rint(K.flatten() * scale).astype(int)
17
        b = bytes([(v % 256) for v in vals])
18
        m = pattern.search(b)
19
        if m:
20
            print(m.group(0).decode())
21
            raise SystemExit
22

23
    for scale in [10, 50, 100, 200, 500, 1000]:
24
        vals = np.rint(B * scale).astype(int)
25
        b = bytes([(v % 256) for v in vals])
26
        m = pattern.search(b)
27
        if m:
28
            print(m.group(0).decode())
29
            raise SystemExit

1
python solve.py

1
texsaw{w3ight5_t3ll_t4l3s}