Nullcon HackIM CTF Goa 2026 - Pasty

Challenge: Pasty
Category: Web
Flag: ENO{cr3at1v3_cr7pt0_c0nstruct5_cr4sh_c4rd5}

Challenge Overview

Pasty is a pastebin service that protects paste access with “cryptographic signatures.” Users create pastes, and the server returns a URL containing a paste id and a sig parameter. Viewing a paste requires a valid signature for that paste’s id. The goal is to forge a valid signature for the paste with id=flag to read the flag.

We are given one source file, sig.php, containing the signature algorithm.

Source Code Analysis

The provided sig.php contains two functions:

1
function _x($a,$b){
2
    $r='';
3
    for($i=0;$i<strlen($a);$i++)
4
        $r.=chr(ord($a[$i])^ord($b[$i]));
5
    return $r;
6
}
7

8
function compute_sig($d,$k){
9
    $h=hash('sha256',$d,1);
10
    $m=substr(hash('sha256',$k,1),0,24);
11
    $o='';
12
    for($i=0;$i<4;$i++){
13
        $s=$i<<3;
14
        $b=substr($h,$s,8);
15
        $p=(ord($h[$s])%3)<<3;
16
        $c=substr($m,$p,8);
17
        $o.=($i?_x(_x($b,$c),substr($o,$s-8,8)):_x($b,$c));
18
    }
19
    return $o;
20
}

Breaking it down

_x($a, $b) simply XORs two byte strings together.

compute_sig($d, $k) computes a 32-byte signature from data $d (the paste id) and a secret key $k:

1. Hash the data: $h = SHA256($d) - raw 32 bytes, split into 4 blocks of 8 bytes.
2. Derive key material: $m = SHA256($k)[0:24] - first 24 bytes of the key’s hash, forming 3 blocks of 8 bytes at offsets 0, 8, and 16.
3. Four rounds (i = 0..3), each producing 8 bytes of output:
   • $s = i * 8 (byte offset into $h)
   • $b = $h[$s : $s+8] (current data block)
   • $p = ($h[$s] % 3) * 8 (selects which of the 3 key blocks to use, based on the first byte of the current data block)
   • $c = $m[$p : $p+8] (the selected key block)
   • Round 0: output[0:8] = $b XOR $c
   • Rounds 1-3: output[$s : $s+8] = ($b XOR $c) XOR output[$s-8 : $s] (XOR with the previous output block, CBC-like chaining)

The Vulnerability

The scheme is entirely based on XOR, which makes it trivially invertible. If we know both the input data ($d, i.e., the paste id) and the output signature, we can algebraically recover the key blocks. There is no one-way hardness beyond SHA256 hashing the input — the key material is mixed in via XOR only.

Key Recovery

Given a known (id, signature) pair, we can compute $h = SHA256(id) and then reverse each round:

Round 0:

1
sig[0:8] = h[0:8] XOR c[p0]
2
=> c[p0] = sig[0:8] XOR h[0:8]

Rounds 1-3:

1
sig[s:s+8] = (h[s:s+8] XOR c[pi]) XOR sig[s-8:s]
2
=> c[pi] = sig[s:s+8] XOR sig[s-8:s] XOR h[s:s+8]

Where pi = h[s] % 3 tells us which of the 3 key blocks (m[0:8], m[8:16], or m[16:24]) was used.

Each round reveals one key block. Since there are 4 rounds per signature but only 3 key blocks, a single paste will typically reveal 1-3 unique key blocks depending on which are selected. In practice, 2-3 pastes are enough to recover all 3 key blocks.

Exploitation

Step 1: Reconnaissance

The web app lets us create pastes via POST /create.php and view them via GET /view.php?id=<id>&sig=<hex_sig>. Creating a paste returns the full URL with both the id and signature. The signature is the hex-encoded 32-byte output of compute_sig(id, secret_key).

Key observations:

• The same content produces different ids each time (ids are random).
• Viewing a paste with an invalid signature returns “Invalid signature”.
• The paste with id=flag likely contains the flag.

Step 2: Recover the Key Material

Create pastes and reverse the XOR operations to extract the key blocks:

1
import hashlib, requests, urllib.parse
2

3
BASE = "http://52.59.124.14:5005"
4

5
def xor_bytes(a, b):
6
    return bytes(x ^ y for x, y in zip(a, b))
7

8
def create_paste(content):
9
    resp = requests.post(f"{BASE}/create.php",
10
                         data={"content": content}, allow_redirects=False)
11
    loc = resp.headers['Location']
12
    parsed = urllib.parse.urlparse(loc)
13
    params = urllib.parse.parse_qs(parsed.query)
14
    url = params['url'][0]
15
    url_parsed = urllib.parse.urlparse(url)
16
    url_params = urllib.parse.parse_qs(url_parsed.query)
17
    return url_params['id'][0], url_params['sig'][0]
18

19
def recover_key_blocks(paste_id, sig_hex):
20
    sig = bytes.fromhex(sig_hex)
21
    h = hashlib.sha256(paste_id.encode()).digest()
22
    key_blocks = {}
23
    for i in range(4):
24
        s = i * 8
25
        b = h[s:s+8]
26
        p_idx = h[s] % 3
27
        if i == 0:
28
            c = xor_bytes(sig[0:8], b)
29
        else:
30
            c = xor_bytes(xor_bytes(sig[s:s+8], sig[s-8:s]), b)
31
        key_blocks[p_idx] = c
32
    return key_blocks
33

34
# Recover all 3 key blocks
35
all_key_blocks = {}
36
for i in range(10):
37
    pid, sig = create_paste(f"recover_key_{i}")
38
    all_key_blocks.update(recover_key_blocks(pid, sig))
39
    if len(all_key_blocks) == 3:
40
        break
41

42
# Reconstruct the 24-byte key material
43
m = all_key_blocks[0] + all_key_blocks[1] + all_key_blocks[2]

In our run, all 3 blocks were recovered after just 2 pastes.

Step 3: Forge a Signature for the Flag

With the recovered key material m, compute a valid signature for id=flag:

1
def compute_sig(d_str, m):
2
    h = hashlib.sha256(d_str.encode()).digest()
3
    o = b''
4
    for i in range(4):
5
        s = i * 8
6
        b = h[s:s+8]
7
        p = (h[s] % 3) * 8
8
        c = m[p:p+8]
9
        if i == 0:
10
            block = xor_bytes(b, c)
11
        else:
12
            block = xor_bytes(xor_bytes(b, c), o[s-8:s])
13
        o += block
14
    return o
15

16
forged_sig = compute_sig("flag", m).hex()
17
url = f"{BASE}/view.php?id=flag&sig={forged_sig}"
18
print(requests.get(url).text)

Step 4: Retrieve the Flag

Accessing the forged URL returns the flag paste:

1
http://52.59.124.14:5005/view.php?id=flag&sig=b8e4e53e526806aa641e0dac06294218f67a1e18ea7c2d573d40a266a7703710

Flag

1
ENO{cr3at1v3_cr7pt0_c0nstruct5_cr4sh_c4rd5}