Machine Learnding
metactf
Task: the mirrored challenge repo exposes only a Google Drive link to a zipped local language model derived from Qwen2.5-1.5B. Solution: recover the archive, confirm it is a modified local checkpoint rather than an untouched base model, then load it with Transformers and ask directly for the flag.
Machine Learnding — MetaCTF
Description
The mirrored challenge directory only contained gdrivelink.txt, which pointed to a Google Drive archive named silly_fella.zip.
English summary: the real challenge artifact was not stored in the public repository. Instead, the repo only pointed to a downloadable archive containing a full local Hugging Face model directory, and the solve path was to inspect and query that model directly.
Analysis
The first clue was the public source tree. The GitHub directory for Machine Learnding contained only gdrivelink.txt, so normal source review was impossible. That immediately suggested the real payload lived elsewhere and had to be recovered from the external archive.
After downloading and extracting silly_fella.zip, the archive expanded into tasks/metactf/Machine Learnding/merged_qwen_model/ and contained a standard local model layout:
- config.json
- generation_config.json
- model.safetensors
- tokenizer_config.json
- special_tokens_map.json
- added_tokens.json
- vocab.json
- merges.txt
- tokenizer.json
This is the exact kind of directory expected by transformers for offline loading, so the challenge was very likely about interrogating a local LLM rather than exploiting a remote service.
The next question was whether this was just a stock checkpoint or a modified model with hidden behavior. Comparing metadata and sampled tensors against the official Qwen/Qwen2.5-1.5B checkpoint showed the challenge model was related to the base Qwen model but not identical:
- configuration and tokenizer style matched the base Qwen2.5-1.5B family
- the challenge weights were repacked as FP16, while the official Hugging Face file uses BF16
- early embedding weights matched after casting the official BF16 tensors to FP16
- later sampled tensors differed, which shows the model was actually modified or fine-tuned
That matters because it explains why direct prompting can reveal task-specific hidden content even though the model still looks like ordinary Qwen infrastructure.
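The BF16-to-FP16 tensor comparison described above can be reproduced with the standard library alone by parsing the safetensors layout directly. This is an added example, not code from the original writeup; the tensor names and values are constructed, and the `build` helper exists only to create two small sample files in memory.

```python
import json
import struct

def parse_safetensors(blob):
    """Map tensor name -> (dtype, raw bytes). Layout: u64 LE header size, JSON header, data."""
    (hlen,) = struct.unpack("<Q", blob[:8])
    header = json.loads(blob[8:8 + hlen])
    data = blob[8 + hlen:]
    return {name: (m["dtype"], data[m["data_offsets"][0]:m["data_offsets"][1]])
            for name, m in header.items() if name != "__metadata__"}

def to_fp16_bits(dtype, raw):
    """Return FP16 bit patterns for little-endian F16 or BF16 data (BF16 is cast to FP16)."""
    words = struct.unpack(f"<{len(raw) // 2}H", raw)
    if dtype == "F16":
        return list(words)
    if dtype != "BF16":
        raise ValueError(f"unsupported dtype {dtype}")
    out = []
    for w in words:
        # BF16 is the high half of an IEEE-754 float32, so widen by shifting left 16 bits.
        (value,) = struct.unpack("<f", struct.pack("<I", w << 16))
        out.append(struct.unpack("<H", struct.pack("<e", value))[0])
    return out

def compare(base_blob, challenge_blob):
    """For tensors present in both files: (base dtype, challenge dtype, 'match' or 'differs')."""
    base, chal = parse_safetensors(base_blob), parse_safetensors(challenge_blob)
    return {name: (base[name][0], chal[name][0],
                   "match" if to_fp16_bits(*base[name]) == to_fp16_bits(*chal[name]) else "differs")
            for name in sorted(base.keys() & chal.keys())}

def build(dtype, tensors):
    """Constructed-sample helper: pack {name: [floats]} into a safetensors byte string."""
    header, body = {}, b""
    for name, vals in tensors.items():
        if dtype == "BF16":  # truncate float32 to its high 16 bits (exact for the values below)
            raw = b"".join(struct.pack("<H", struct.unpack("<I", struct.pack("<f", v))[0] >> 16) for v in vals)
        else:
            raw = struct.pack(f"<{len(vals)}e", *vals)
        header[name] = {"dtype": dtype, "shape": [len(vals)], "data_offsets": [len(body), len(body) + len(raw)]}
        body += raw
    encoded = json.dumps(header).encode()
    return struct.pack("<Q", len(encoded)) + encoded + body

# Constructed sample data; tensor names and values are hypothetical, not taken from the challenge.
BASE = build("BF16", {"embed_tokens.weight": [0.5, -1.25, 2.0], "late_layer.weight": [0.25, 3.0, -0.5]})
CHALLENGE = build("F16", {"embed_tokens.weight": [0.5, -1.25, 2.0], "late_layer.weight": [0.25, 3.0, -0.375]})
```

Comparing bit patterns after the cast avoids false mismatches caused only by the BF16 versus FP16 storage difference. For multi-gigabyte checkpoints, read the header first and seek to the sampled tensors' offsets rather than loading the whole file.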
Solution
1. Recover the real artifact
...