EHAX CTF 2026 - I can also do it - Miscellaneous Writeup

249 words

1 minute

EHAX CTF 2026 - I can also do it - Miscellaneous Writeup

2026-03-01

Writeup

CTF

/

Security

/

Miscellaneous

Category: Miscellaneous

Flag: EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}

Challenge Description#

yeah i can do it

Analysis#

1
dig +short stapat.xyz A
2
dig +short stapat.xyz AAAA
3
dig +short @1.1.1.1 stapat.xyz A
4
dig +short @1.1.1.1 stapat.xyz AAAA

1
0.0.0.0
2
::
3
40.81.242.97

The first weird signal was DNS split behavior: local resolution for stapat.xyz was a sink (0.0.0.0 / ::), but Cloudflare DoH returned a real origin IPv4. That explained why direct curl from this environment looked dead while a normal browser path still worked elsewhere.

blush

1
curl -sS -L --doh-url "https://1.1.1.1/dns-query" -A "Mozilla/5.0" -i "https://stapat.xyz/"

1
HTTP/1.1 200 OK
2
...
3
<p>Please visit our stores</p>

After forcing DNS-over-HTTPS, the page rendered cleanly and the only actionable clue was the sentence “Please visit our stores.” In a Misc challenge with a tiny prompt, that kind of wording is usually the actual route, not filler text.

1
curl -sS -k -L --resolve "store.stapat.xyz:443:40.81.242.97" -A "Mozilla/5.0" -i "https://store.stapat.xyz/"

1
HTTP/1.1 200 OK
2
...
3
EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}

Using SNI/Host override with --resolve hit the virtual host directly and immediately returned the flag as plain text. So the whole trick was certificate/vhost routing behind DNS behavior, not user-agent filtering.

dance

Solution#

1
import re
2
import subprocess
3

4
def run(cmd: list[str]) -> str:
5
    return subprocess.check_output(cmd, text=True)
6

7
def main() -> None:
8
    ip = run(["dig", "+short", "@1.1.1.1", "stapat.xyz", "A"]).strip().splitlines()[0]
9

10
    homepage = run([
11
        "curl", "-sS", "-L",
12
        "--doh-url", "https://1.1.1.1/dns-query",
13
        "-A", "Mozilla/5.0",
14
        "https://stapat.xyz/",
15
    ])
16
    if "Please visit our stores" not in homepage:
17
        raise RuntimeError("expected clue not found on homepage")
18

19
    store = run([
20
        "curl", "-sS", "-k", "-L",
21
        "--resolve", f"store.stapat.xyz:443:{ip}",
22
        "-A", "Mozilla/5.0",
23
        "https://store.stapat.xyz/",
24
    ])
25

26
    match = re.search(r"EH4X\{[^}]+\}", store)
27
    if match is None:
28
        raise RuntimeError("flag not found")
29

30
    print(match.group(0))
31

32
if __name__ == "__main__":
33
    main()