grawlix

Challenge

Imported from local notes.md.

Solution

Original Notes

Challenge Summary

  • Given: a remote netcat service at 34.131.216.230:1339 and a prompt describing a chaotic scream/stream.
  • Goal: compute the final value of V after processing the full incoming operator stream and recover the flag.
  • Constraints: the service sends a 100 MB operator stream continuously and starts a 2-second timer only after the stream has fully arrived.

Initial Recon / Triage

  • Observations: the service prints rules for five operators over @#$%&, then emits one extremely long stream line.
  • File identification: no downloadable files; challenge detail was fetched via the authenticated CTFd API and saved in artifacts/challenge15.json.
  • Entry points: nc 34.131.216.230 1339.

Hypotheses & Approach

  • Hypothesis 1: the operator stream must be processed online instead of buffered in a terminal because the remote sends continuously.
  • Hypothesis 2: a compiled solver is safer than shell or Python for a 100 MB stream with a short post-stream response window.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/incognito2026CTF
python3 - <<'PY'
import re, requests
from pathlib import Path

base = 'https://incognito.axiosiiitl.dev'
user = 'zeekliviu'
password = 'incognitoebaza'
out = Path('/root/incognito2026CTF/grawlix/artifacts/challenge15.json')

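s = requests.Session()
# CTFd embeds a CSRF nonce in the login form; it must be echoed back on POST.
login = s.get(base + '/login', timeout=20)
login.raise_for_status()
nonce = re.search(r'name="nonce" type="hidden" value="([^"]+)"', login.text).group(1)
s.post(
    base + '/login',
    data={'name': user, 'password': password, 'nonce': nonce, '_submit': 'Submit'},
    allow_redirects=True,
    timeout=20,
).raise_for_status()
# Fetch the challenge detail as JSON using the authenticated session.
resp = s.get(base + '/api/v1/challenges/15', headers={'Accept': 'application/json'}, timeout=20)
resp.raise_for_status()
out.parent.mkdir(parents=True, exist_ok=True)  # artifacts/ may not exist yet
out.write_text(resp.text)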
PY

cd /root/incognito2026CTF/grawlix
timeout 6s nc 34.131.216.230 1339 | head -c 16000 > artifacts/stream_capture.txt

Results:

  • The challenge detail confirmed the rules, the starting value V = 9109, the five operators, and the lack of attached files.
  • The bounded capture showed the banner plus a continuous ASCII stream made almost entirely of @#$%& characters.

Stage 2

Commands:

cd /root/incognito2026CTF/grawlix
gcc -O3 -Wall -Wextra -std=c11 -o artifacts/solve_grawlix artifacts/solve_grawlix.c
./artifacts/solve_grawlix > artifacts/solve_output.txt 2> artifacts/solve_debug.txt

Results:

  • artifacts/solve_grawlix.c parsed the banner, streamed all 100000000 operators, and applied the rules incrementally.
  • The computed final value was 5388597.
  • The remote accepted that value and returned the flag IIITL{C4lv1nb4ll_57r34m_0v3r104d_8762_n0_5l33p_a338e8614bbd}.
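
The online processing that Hypothesis 1 and Stage 2 rely on, as an added example; this is not the artifacts/solve_grawlix.c from these notes. The names fold_stream and apply_op are hypothetical, and the five rules are constructed placeholders because the notes do not reproduce the service's real rules. It assumes the banner has already been consumed and that the operator line ends with a newline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Placeholder rules (assumption): the notes do not reproduce the service's
 * real operator rules, so these five exist only to exercise the loop.
 * Returns 1 if c was an operator and *v was updated, 0 otherwise. */
static int apply_op(int64_t *v, unsigned char c) {
    switch (c) {
    case '@': *v += 7;                  return 1;
    case '#': *v = (*v * 3) % 1000003;  return 1;
    case '$': *v ^= 0x55;               return 1;
    case '%': *v /= 2;                  return 1;
    case '&': *v -= 1;                  return 1;
    default:  return 0;                 /* stray bytes such as '\r' */
    }
}

/* Fold the operator line arriving on fd into *v with a fixed 64 KiB buffer,
 * so memory use is constant for any stream length. Stops at '\n' or EOF.
 * Returns 0 on success, -1 on read error; *count = operators applied. */
int fold_stream(int fd, int64_t *v, uint64_t *count) {
    static unsigned char buf[1 << 16];
    *count = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted, retry */
            return -1;
        }
        if (n == 0) return 0;               /* peer closed */
        for (ssize_t i = 0; i < n; i++) {
            if (buf[i] == '\n') return 0;   /* end of the stream line */
            *count += (uint64_t)apply_op(v, buf[i]);
        }
    }
}

int main(void) {
    int64_t v = 9109;                       /* starting V from the notes */
    uint64_t count;
    if (fold_stream(STDIN_FILENO, &v, &count) != 0) return 1;
    printf("ops=%" PRIu64 " V=%" PRId64 "\n", count, v);
    return 0;
}
```

Because the value is folded as bytes arrive, the answer is ready the moment the last chunk is read, which is what leaves the 2-second window free for sending the reply.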

Artifacts Produced

  • artifacts/challenge15.json - live challenge detail from CTFd.
  • artifacts/stream_capture.txt - bounded initial stream capture for triage.
  • artifacts/solve_grawlix.c - compiled streaming solver source.
  • artifacts/solve_grawlix - compiled solver binary.
  • artifacts/solve_debug.txt - processed operator count and final computed value.
  • artifacts/solve_output.txt - remote acceptance message and flag.

Flag

IIITL{C4lv1nb4ll_57r34m_0v3r104d_8762_n0_5l33p_a338e8614bbd}