crypto · free · medium

Phase Madness

HackTheBox

Server: 83.136.251.105:37930

$ ls tags/ techniques/
quantum_state_tomography  basis_transformation  phase_recovery


Phase Madness — HackTheBox

Description

"Qubitrix doesn't store data the way others do. Deep within its core, every secret stays in a silent quantum spiral, beyond classical reach. Engineers swore it was flawless — yet something in its design hums and breathes. To them, madness. To us, clarity."


Analysis

The server uses Qiskit to encode the flag into quantum states. Each byte of the flag is converted to a rotation angle (byte * π/180 radians) and applied to the corresponding qubit:

  • Position i % 3 == 0: RX(θ) — rotation around X axis
  • Position i % 3 == 1: RY(θ) — rotation around Y axis
  • Position i % 3 == 2: H then RZ(θ) — Hadamard + rotation around Z axis

The server allows:

  1. Selecting a qubit to measure
  2. Adding additional gates before measurement
  3. Receiving results of 100,000 measurements

Solution

Recovery Mathematics

For RX and RY gates, after applying RX(θ) or RY(θ) to |0⟩:

  • State: cos(θ/2)|0⟩ − i·sin(θ/2)|1⟩ for RX, cos(θ/2)|0⟩ + sin(θ/2)|1⟩ for RY
  • Probability of |1⟩: P(1) = sin²(θ/2)
  • Recovery: θ = 2·arcsin(√P(1)), then byte = θ × 180/π

For RZ gates (after H), the prepared state is RZ(θ)·H|0⟩, with H applied first:

  • State: (e^{-iθ/2}|0⟩ + e^{iθ/2}|1⟩)/√2
  • Direct measurement in Z-basis gives 50/50 (phase is hidden!)
  • Solution: apply RY(-90°) before measurement to switch to X-basis
  • This converts phase information into amplitude: P(1) = sin²(θ/2)
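
The recovery math above, checked offline against a small pure-Python single-qubit simulation. This is an added example, not the writeup's solver: the sample flag, the function names and the finite-shot sampler are constructed for illustration, and the gate matrices are the standard RX/RY/RZ/H definitions.

```python
import cmath, math, random

S = 1 / math.sqrt(2)
H = [[S, S], [S, -S]]

def rx(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -1j * s], [-1j * s, c]]

def ry(t):
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, -s], [s, c]]

def rz(t):
    return [[cmath.exp(-1j * t / 2), 0], [0, cmath.exp(1j * t / 2)]]

def apply(g, v):
    """Multiply a 2x2 gate matrix by a 2-component state vector."""
    return [g[0][0] * v[0] + g[0][1] * v[1], g[1][0] * v[0] + g[1][1] * v[1]]

def encode(byte, i):
    """Prepare the qubit the way the Analysis section describes."""
    t = math.radians(byte)
    if i % 3 == 0:
        return apply(rx(t), [1, 0])
    if i % 3 == 1:
        return apply(ry(t), [1, 0])
    return apply(rz(t), apply(H, [1, 0]))  # H first, then RZ

def p_one(state, pre=None):
    """Exact P(1), optionally after an extra gate placed before measurement."""
    if pre is not None:
        state = apply(pre, state)
    return min(1.0, abs(state[1]) ** 2)  # clamp float rounding above 1

def recover(flag, shots=None, seed=0):
    """Recover bytes from P(1); shots=None uses the exact probabilities."""
    rng, out = random.Random(seed), bytearray()
    for i, b in enumerate(flag):
        p = p_one(encode(b, i), ry(-math.pi / 2) if i % 3 == 2 else None)
        if shots:  # simulate a finite-shot estimate of P(1)
            p = sum(rng.random() < p for _ in range(shots)) / shots
        # asin yields theta in [0, 180] deg, so a byte above 180 aliases to 360 - byte
        out.append(round(math.degrees(2 * math.asin(math.sqrt(p)))))
    return bytes(out)

SAMPLE = b"HTB{demo_flag}"  # constructed sample, not the challenge flag

if __name__ == "__main__":
    print(recover(SAMPLE), recover(SAMPLE, shots=100_000))
```

With N shots the standard error on θ works out to about 1/√N radians (roughly 0.18° at 100,000 shots), independent of θ, so rounding to the nearest degree usually lands on the right byte but an occasional off-by-one is expected.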

Solver

#!/usr/bin/env python3
"""
Phase Madness Solver - HackTheBox
Quantum state tomography attack on phase-encoded flag
"""
from pwn import *
import json
import math

HOST = "83.136.251.105"
PORT = 37930

def get_measurement(r, qubit, instructions=""):
    """Send measurement request and get results"""
    r.recvuntil(b"Specify the qubit index you want to measure : ")
    r.sendline(str(qubit).encode())
    r.recvuntil(b"Specify the instructions : ")
    r.sendline(instructions.encode())
    return json.loads(r.recvline().decode().strip())

...
