EHAX CTF 2026 - I can also do it - Miscellaneous Writeup

Category: Miscellaneous
Flag: EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}

Challenge Description

yeah i can do it

Analysis

dig +short stapat.xyz A
dig +short stapat.xyz AAAA
dig +short @1.1.1.1 stapat.xyz A
dig +short @1.1.1.1 stapat.xyz AAAA
0.0.0.0
::
40.81.242.97

The first odd signal was split DNS behavior: local resolution for stapat.xyz returned a sink (0.0.0.0 / ::), but querying Cloudflare's resolver at 1.1.1.1 returned a real origin IPv4 address. That explained why a direct curl from this environment looked dead while a normal browser path still worked elsewhere.


curl -sS -L --doh-url "https://1.1.1.1/dns-query" -A "Mozilla/5.0" -i "https://stapat.xyz/"
HTTP/1.1 200 OK
...
<p>Please visit our stores</p>

After forcing DNS-over-HTTPS, the page rendered cleanly and the only actionable clue was the sentence “Please visit our stores.” In a Misc challenge with a tiny prompt, that kind of wording is usually the actual route, not filler text.

curl -sS -k -L --resolve "store.stapat.xyz:443:40.81.242.97" -A "Mozilla/5.0" -i "https://store.stapat.xyz/"
HTTP/1.1 200 OK
...
EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}

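Pinning store.stapat.xyz to the origin IP with --resolve bypassed the local DNS sink while keeping the TLS SNI and the Host header set to the store hostname, so the request hit the virtual host directly and immediately returned the flag as plain text. The -k flag additionally skips certificate verification for that request. So the whole trick was certificate/vhost routing behind DNS behavior, not user-agent filtering.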
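
The split-resolver comparison and the --resolve pinning described above, as an added example that is not part of the original writeup: it parses `dig +short` output from two resolvers, flags sink answers, and builds the value passed to `--resolve`. The function names and verdict labels are assumptions made for this example; the sample answers are the ones from the dig output shown earlier.

```python
import ipaddress


def parse_dig_short(output: str) -> list:
    """Return only the address lines of `dig +short` output (CNAME hops are skipped)."""
    addrs = []
    for line in output.splitlines():
        try:
            addrs.append(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue  # hostname (CNAME target) or blank line
    return addrs


def is_sink(addr) -> bool:
    """0.0.0.0, :: and loopback are the usual blocklist/sinkhole answers."""
    return addr.is_unspecified or addr.is_loopback


def compare_resolvers(local_out: str, public_out: str) -> dict:
    """Classify how the local resolver's answer relates to a public resolver's."""
    local = parse_dig_short(local_out)
    public = parse_dig_short(public_out)
    routable = [a for a in public if not is_sink(a)]
    if local and all(is_sink(a) for a in local) and routable:
        verdict = "sinkholed-locally"
    elif not local and routable:
        verdict = "empty-locally"
    elif set(local) == set(public):
        verdict = "consistent"
    else:
        verdict = "differs"
    return {"verdict": verdict, "origin": [str(a) for a in routable]}


def curl_resolve_arg(host: str, ip: str, port: int = 443) -> str:
    """Build curl's --resolve value (host:port:addr); IPv6 goes in brackets."""
    addr = ipaddress.ip_address(ip)
    literal = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"{host}:{port}:{literal}"


if __name__ == "__main__":
    # Answers as shown in the dig output above: local resolver vs. 1.1.1.1.
    result = compare_resolvers("0.0.0.0\n::\n", "40.81.242.97\n")
    print(result["verdict"], result["origin"])
    if result["origin"]:
        print(curl_resolve_arg("store.stapat.xyz", result["origin"][0]))
```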


Solution

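# solve.py
import re
import subprocess


def run(cmd: list[str]) -> str:
    """Run a command and return its stdout as text (raises on non-zero exit)."""
    return subprocess.check_output(cmd, text=True)


def main() -> None:
    # Ask Cloudflare's resolver directly; the local resolver returns a sink.
    answers = run(["dig", "+short", "@1.1.1.1", "stapat.xyz", "A"]).strip().splitlines()
    if not answers:
        raise RuntimeError("no A record returned by 1.1.1.1")
    ip = answers[0]

    # Fetch the homepage via DNS-over-HTTPS and confirm the clue is present.
    homepage = run([
        "curl", "-sS", "-L",
        "--doh-url", "https://1.1.1.1/dns-query",
        "-A", "Mozilla/5.0",
        "https://stapat.xyz/",
    ])
    if "Please visit our stores" not in homepage:
        raise RuntimeError("expected clue not found on homepage")

    # Pin store.stapat.xyz to the origin IP so SNI and Host carry the store name.
    # -k skips certificate verification for this request.
    store = run([
        "curl", "-sS", "-k", "-L",
        "--resolve", f"store.stapat.xyz:443:{ip}",
        "-A", "Mozilla/5.0",
        "https://store.stapat.xyz/",
    ])

    # Extract the flag from the response body.
    match = re.search(r"EH4X\{[^}]+\}", store)
    if match is None:
        raise RuntimeError("flag not found")

    print(match.group(0))


if __name__ == "__main__":
    main()

python3.12 solve.py
EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}
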
https://blog.rei.my.id/posts/63/ehax-ctf-2026-i-can-also-do-it-miscellaneous-writeup/
Author: Reidho Satria
Published at: 2026-03-01
License: CC BY-NC-SA 4.0