EHAX CTF 2026 - Killer Queen - Cryptography Writeup

Category: Cryptography

Flag: EH4X{Cav1aR_c1Gar3TT3s_Ch3bYsH3V_05091946}

Challenge Description#

She keeps her Moët et Chandon in her pretty cabinet.

Nothing she offers is accidental. Nothing she withholds is without reason.

Recommended at the price, insatiable an appetite — wanna try?

Analysis#

1
unzip -l "Handout.zip"

1
Archive:  Handout.zip
2
...
3
  Handout/Killer-Queen/Freddie.txt
4
  Handout/Killer-Queen/Lyrics/ciggarettes.txt
5
  Handout/Killer-Queen/Lyrics/dynamite.txt
6
  Handout/Killer-Queen/Lyrics/fibonacci.txt
7
  Handout/Killer-Queen/Lyrics/laserbeam.txt
8
  Handout/Killer-Queen/Notes/antoinette.md
9
  Handout/Killer-Queen/Notes/biography.md
10
  Handout/Killer-Queen/Notes/curves.md
11
  Handout/Killer-Queen/Notes/sheet_music.md

The handout immediately looked like a guided crypto puzzle, with the notes explicitly pointing to Chebyshev composition and a two-layer lock. That matters because it shifts the approach from “break one huge primitive” to “recover the intended pipeline and replay it cleanly.”

1
rg -n "Chebyshev|T_m\(T_n\(x\)\)|first door|second door|SHA-256|unwrap|two voices|index" "/home/LIGHT/Downloads/killerqueen_work/Handout/Killer-Queen"

1
.../Lyrics/fibonacci.txt:17:  T_m(T_n(x)) = T_{m·n}(x)
2
.../Notes/sheet_music.md:58: ♩  The stream is locked behind two doors.
3
.../Notes/sheet_music.md:59: ♩  The first door opens with the index.
4
.../Notes/sheet_music.md:60: ♩  The second door is built in blocks
5
.../Notes/sheet_music.md:63: ♩  SHA-256 derives the second key
6
.../Notes/sheet_music.md:72:•  The Queen speaks in two voices
7
.../Notes/sheet_music.md:81:You'll need to unwrap what's inside — twice.

The service behavior matched those hints exactly: one query gives two related voice values for the same index, and public iv/ciphertext are fixed for that session.

happy

1
printf '0\n1\n2\n3\n4\n5\nexit\n' | nc 20.244.7.184 7331

1
...
2
p          = 7073193951809819973664306187302601643156849222029017483853417297144476949947829139698672438579337709916095808633124126138796016767532929021864211602000001
3
v          = 5587994941705590424272649068295916108274072829805484356511387258719009236678476179597670504915988561703594735329013208151470008715612024345889541886986304
4
iv         = f9c60e2a62756a6ebcd59c589dfd61b6
5
ciphertext = ad218e83bffe076fbceeddc17f540cd3089e3c4e6309a0e63c7f7cbed1c8b0f9fd2aced60c79a00de855acb4d5047bcd
6

7
[20 left] q>   pretty_cabinet = 1
8
  moet_chandon   = 1
9

10
[19 left] q>   pretty_cabinet = 5587994941705590424272649068295916108274072829805484356511387258719009236678476179597670504915988561703594735329013208151470008715612024345889541886986304
11
  moet_chandon   = 6224016679887966716101625712054632071019252852377882598120412242331086101200983099281554722925606107557863470191553080919315116795993075331627024609220227
12
...

From there the final solve path was to derive material from moet_chandon(q) in index order, decrypt the AES-CBC outer layer, unpad, then do the second unwrap as a blockwise XOR stream where each 16-byte block is SHA256(str(moet_chandon(i)))[:16]. I tried heavier DLP-centric routes first, but those dead ends were useful because they confirmed the challenge was more about composition and serialization correctness than defeating the largest subgroup factor.

1
python3.12 "/home/LIGHT/Downloads/killerqueen_work/Handout/Killer-Queen/solve_killerqueen.py"

1
[+] p bits: 512
2
[+] v: 11305618717155759150724013649828687503261898264977063258438514099154408236632078431105146562036594498971222989731073226625866287035766764084910955827909772
3
[+] iv: 83f4896579e6e4a8f29272ae5feef4ff
4
[+] ciphertext bytes: 48
5
[+] plaintext: EH4X{Cav1aR_c1Gar3TT3s_Ch3bYsH3V_05091946}
6
[+] FLAG: EH4X{Cav1aR_c1Gar3TT3s_Ch3bYsH3V_05091946}

Running it against the real remote session verified the whole chain end-to-end and produced the real flag in plaintext.

Solution#

1
import re
2
import socket
3
from hashlib import sha256
4

5
from Crypto.Cipher import AES
6

7
HOST = "20.244.7.184"
8
PORT = 7331
9

10
def must_match(pattern: str, data: str, flags: int = 0) -> re.Match[str]:
11
    match = re.search(pattern, data, flags)
12
    if match is None:
13
        raise ValueError(f"pattern not found: {pattern}")
14
    return match
15

16
def recv_until(sock: socket.socket, marker: bytes) -> bytes:
17
    data = b""
18
    while marker not in data:
19
        chunk = sock.recv(4096)
20
        if not chunk:
21
            break
22
        data += chunk
23
    return data
24

25
def parse_public(blob: str):
26
    p = int(must_match(r"^\s*p\s*=\s*(\d+)\s*$", blob, re.M).group(1))
27
    v = int(must_match(r"^\s*v\s*=\s*(\d+)\s*$", blob, re.M).group(1))
28
    iv = bytes.fromhex(must_match(r"^\s*iv\s*=\s*([0-9a-f]+)\s*$", blob, re.M).group(1))
29
    ciphertext = bytes.fromhex(
30
        must_match(r"^\s*ciphertext\s*=\s*([0-9a-f]+)\s*$", blob, re.M).group(1)
31
    )
32
    return p, v, iv, ciphertext
33

34
def parse_oracle_reply(blob: str):
35
    pretty = int(must_match(r"pretty_cabinet\s*=\s*(\d+)", blob).group(1))
36
    moet = int(must_match(r"moet_chandon\s*=\s*(\d+)", blob).group(1))
37
    return pretty, moet
38

39
def pkcs7_unpad(data: bytes) -> bytes:
40
    pad = data[-1]
41
    if pad < 1 or pad > 16 or data[-pad:] != bytes([pad]) * pad:
42
        raise ValueError("invalid PKCS#7 padding")
43
    return data[:-pad]
44

45
def main() -> None:
46
    with socket.create_connection((HOST, PORT), timeout=10) as sock:
47
        sock.settimeout(5)
48
        banner = recv_until(sock, b"q> ").decode(errors="replace")
49
        p, v, iv, ciphertext = parse_public(banner)
50

51
        print(f"[+] p bits: {p.bit_length()}")
52
        print(f"[+] v: {v}")
53
        print(f"[+] iv: {iv.hex()}")
54
        print(f"[+] ciphertext bytes: {len(ciphertext)}")
55

56
        moet_values = {}
57
        for q in range(1, 21):
58
            sock.sendall(f"{q}\n".encode())
59
            reply = recv_until(sock, b"q> ").decode(errors="replace")
60
            if "yawns" in reply or "Goodbye" in reply:
61
                break
62
            _, moet = parse_oracle_reply(reply)
63
            moet_values[q] = moet
64

65
    outer_key = sha256(str(moet_values[1]).encode()).digest()[:16]
66
    inner = AES.new(outer_key, AES.MODE_CBC, iv).decrypt(ciphertext)
67
    inner = pkcs7_unpad(inner)
68

69
    block_count = (len(inner) + 15) // 16
70
    stream = b"".join(
71
        sha256(str(moet_values[i]).encode()).digest()[:16]
72
        for i in range(1, block_count + 1)
73
    )
74

75
    plaintext = bytes(a ^ b for a, b in zip(inner, stream)).decode(errors="replace")
76
    flag_match = re.search(r"EH4X\{[^}]+\}", plaintext)
77
    if flag_match is None:
78
        raise RuntimeError(f"flag not found in plaintext: {plaintext!r}")
79

80
    print(f"[+] plaintext: {plaintext}")
81
    print(f"[+] FLAG: {flag_match.group(0)}")
82

83
if __name__ == "__main__":
84
    main()

1
python3.12 solve.py

1
[+] p bits: 512
2
[+] v: 11305618717155759150724013649828687503261898264977063258438514099154408236632078431105146562036594498971222989731073226625866287035766764084910955827909772
3
[+] iv: 83f4896579e6e4a8f29272ae5feef4ff
4
[+] ciphertext bytes: 48
5
[+] plaintext: EH4X{Cav1aR_c1Gar3TT3s_Ch3bYsH3V_05091946}
6
[+] FLAG: EH4X{Cav1aR_c1Gar3TT3s_Ch3bYsH3V_05091946}