misc, free, hard

blazinglyfast

b01lersc

Task: a Rust jail lets us control the body of `pub fn jail(input: In) -> Out`, while the host embeds a random expected token and prints the flag only if program stdout matches it. Solution: read the generated ELF via `argv[0]`, recover the `reveal_token` return value from its machine code, print that token, and bypass `Out` construction entirely.

$ ls tags/ techniques/
self_binary_introspection permission_recovery symbol_resolution pic_constant_recovery token_exfiltration


blazinglyfast — b01lers CTF 2026

Description

'Safe Rust is the true Rust programming language. If all you do is write Safe Rust, you will never have to worry about type-safety or memory-safety. You will never endure a dangling pointer, a use-after-free, or any other kind of Undefined Behavior (a.k.a. UB)' - Rustonomicon

We are given a remote service that compiles the body of `pub fn jail(input: In) -> Out` into a 32-bit Rust binary and runs it. At first glance the challenge looks like a “safe transmute” puzzle where we must somehow fabricate `Out` despite private wrapper types.

The real win condition is simpler: the Python wrapper prints the actual flag only when the program's stdout is exactly a random hidden token generated for that run. So the task is not “construct `Out` at all costs”; it is “make stdout equal the expected token by any safe-Rust-only route.”

Summary

The provided source in `chall.py` seeds an `In`, calls our `jail(input)`, then passes the returned value into `host::check(out)`. `host::check` compares a private-layout `Out` against internal expectations and prints the embedded token only if all fields match.

However, the outer Python script does one extra check after the binary exits: if the binary's stdout equals the per-run token, it prints the flag. That means we can ignore the nominal type puzzle and instead recover the token directly from the generated executable.

Recon

The important logic from `tasks/b01lersc/blazinglyfast/tmpdist/chall.py` is:

...
