Skip to main content

thunder_blaze

Challenge

Imported from local notes.md.

Solution

Original Notes

thunder_blaze

Challenge Summary

  • Given: A live timed gauntlet at nc 34.131.216.230 1337.
  • Goal: Clear all tasks and recover the flag.
  • Constraints: The full gauntlet must be completed within 1 second.

Initial Recon / Triage

  • Observations:
    • Task 1 is a simple multiplication prompt.
    • Task 2 asks for S_50000000 from the recurrence S_i = ((S_{i-1} * C) ^ (S_{i-2} + D)) % E.
    • C, D, and E are rendered as noisy 3x5 ASCII-art digits.
    • Thresholding *#%@ as lit pixels and .:- as background recovers a standard 3x5 decimal font.
  • File identification:
    • artifacts/collect_task2_samples.py: gathers Task 2 prompts for OCR analysis.
    • artifacts/analyze_task2_glyphs.py: inspects observed glyph masks.
    • artifacts/probe_cycle.c: measures recurrence cycle lengths.
    • artifacts/compute_filter.c: optimized Task 2 solver.
    • artifacts/reveal_next_task.py: end-to-end live solver.
  • Entry points:
    • Live TCP service only.

Hypotheses & Approach

  • Hypothesis 1: Task 2 could be solved with direct brute force in C.
  • Hypothesis 2: If brute force was too slow for the 1-second budget, the recurrence would need cycle detection and fast-forwarding.

Outcome:

  • Plain C brute force still took about 0.46s just for Task 2 and arrived too late.
  • Profiling on collected prompts showed the recurrence consistently entered a cycle well before 5 million states, so cycle detection was fast enough.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/incognito2026CTF/thunder_blaze
python3 artifacts/collect_task2_samples.py --samples 12
python3 artifacts/analyze_task2_glyphs.py

Results:

  • Task 2 art decoded cleanly to a standard 3x5 digit font after thresholding *#%@ as lit.
  • The recovered digit templates were:
0 = 111/101/101/101/111
1 = 001/001/001/001/001
2 = 111/001/111/100/111
3 = 111/001/111/001/111
4 = 101/101/111/001/001
5 = 111/100/111/001/111
6 = 111/100/111/101/111
7 = 111/001/001/001/001
8 = 111/101/111/101/111
9 = 111/101/111/001/111

Stage 2

Commands:

cd /root/incognito2026CTF/thunder_blaze
gcc -O3 -march=native -shared -fPIC -o artifacts/libcompute_filter.so artifacts/compute_filter.c
gcc -O3 -march=native -o artifacts/compute_filter artifacts/compute_filter.c
gcc -O3 -march=native -o artifacts/probe_cycle artifacts/probe_cycle.c
python3 artifacts/profile_cycles.py

Results:

  • Cycle profiling over collected samples showed mu + lambda stayed far below 5,000,000 on every sampled instance, making cycle-based fast-forwarding viable.
  • The final compute_filter.c implementation uses cycle detection instead of iterating all 50,000,000 steps.

Stage 3

Commands:

cd /root/incognito2026CTF/thunder_blaze
python3 artifacts/reveal_next_task.py

Results:

  • The optimized live solver answered Task 1 and Task 2 within the time limit.
  • Task 2 was the final stage, and the service returned:
IIITL{C_15_41w4y5_f4573r_7h4n_py7h0n_b5c9eb6770b5}

Artifacts Produced

  • artifacts/collect_task2_samples.py
  • artifacts/analyze_task2_glyphs.py
  • artifacts/profile_cycles.py
  • artifacts/probe_cycle.c
  • artifacts/compute_filter.c
  • artifacts/compute_filter
  • artifacts/libcompute_filter.so
  • artifacts/reveal_next_task.py
  • artifacts/task2_samples/

Flag

IIITL{C_15_41w4y5_f4573r_7h4n_py7h0n_b5c9eb6770b5}