$ cat writeup.md…
HackTheBox
Swing through the jungle of filters to snatch the flag!
A Python TCP server challenge requiring you to send 100 comma-separated values that pass 4 levels of validation. The values index into a story.txt file to construct a string. The first 64 characters must match a SHA256 hash of a randomly generated secret, and the remaining characters must match a "forest" ASCII art string. Successfully passing all 4 levels prints the flag. You get 5 attempts per connection.
server.py
random module seeded from ANACONDA environment variable

Input (100 CSV values)
│
├─ Level 1: len(input_arr) == 0x64 (100)
│
├─ Level 2: Parse values → int_arr (indices into story.txt)
│ - Digits → direct index (if in range)
│ - Non-digits → ord(char) as index
│ - If non_int_arr exists: r = randrange(0, len(non_int_arr))
│ If r is odd: prints 100 random selections from non_int_arr
│
├─ Level 3: user_input[:0x40] must == SHA256(secret)
│ where secret = ''.join(chr(randrange(0,100)) for _ in range(randrange(0,100)))
│
└─ Level 4: all(x==y for x,y in zip(forest, user_input[0x40:]))
zip() Empty Iterator Bypass

The forest string contains characters (/, ~, \, <, #, >, -) that do NOT exist in story.txt. It's impossible to construct the forest string from story.txt indices. However:

```python
charset_check = [x == y for (x, y) in zip(forest, user_input[0x40:])]
if not all(charset_check):
    return False
```
...
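The behaviour the heading refers to, as an added example (not code from server.py or the original writeup): `zip()` stops at the shorter input and `all()` of an empty list is `True`, so the check as shown accepts an empty or truncated tail, while a full-length comparison rejects it. `FOREST`, the placeholder digest and the function names are constructed for illustration.

```python
import hmac

# Constructed stand-in for the challenge's "forest" ASCII art (not the real string).
FOREST = "/~\\<#>-" * 4
PREFIX_LEN = 0x40  # the first 64 characters are compared against the SHA256 hex digest


def level4_as_shown(user_input: str, forest: str = FOREST) -> bool:
    """Level 4 as quoted in the writeup: zip() truncates to the shorter iterable."""
    charset_check = [x == y for (x, y) in zip(forest, user_input[PREFIX_LEN:])]
    return all(charset_check)  # all([]) is True, so an empty tail passes


def level4_hardened(user_input: str, forest: str = FOREST) -> bool:
    """Hardened form: the whole tail must equal the whole expected string."""
    tail = user_input[PREFIX_LEN:]
    # compare_digest returns False when the lengths differ, so an empty or
    # truncated tail can no longer satisfy the check.
    return hmac.compare_digest(tail.encode(), forest.encode())


def compare_checks() -> dict:
    """Run both checks over constructed inputs; returns {case: (as_shown, hardened)}."""
    digest = "a" * PREFIX_LEN  # constructed placeholder for the 64-char hex digest
    cases = {
        "full forest": digest + FOREST,
        "empty tail": digest,
        "truncated tail": digest + FOREST[:3],
        "wrong tail": digest + "x" * len(FOREST),
    }
    return {
        name: (level4_as_shown(value), level4_hardened(value))
        for name, value in cases.items()
    }


if __name__ == "__main__":
    for name, (shown, hardened) in compare_checks().items():
        print(f"{name:15} as_shown={shown!s:5} hardened={hardened}")
```
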