Writeups on RORO's blog

Une nuit pour hacker 2026: Thread of Doom

contact@rodolpheg.xyz (0xRo) — Sun, 29 Mar 2026 00:00:00 +0000

Executive Summary

Challenge: Thread of Doom
Category: Reverse Engineering
Flags: NHK26{VirtualProtect_Overwritten}
Binary: NHK_CrackMe_V3.exe (PE32, x86, 43520 bytes)

Overview

Thread of Doom is a Windows crackme that presents a dialog with a “Demo” button. Clicking the button displays an error: “Tu n’es pas premium ! Prix : 2 BTC”. The goal is to understand the binary’s protection mechanisms and extract the hidden flag.

The flag is XOR-encrypted in memory with a single-byte key (0x55). The binary only decrypts it at runtime when several anti-tampering checks pass, but since both the ciphertext and key are visible in the decompilation, we can extract it statically without running the binary at all.

Amazon AppSec CTF: HalCrypto

contact@rodolpheg.xyz (0xRo) — Sun, 21 Sep 2025 00:00:00 +0000

Executive Summary

Challenge: HalCrypto
Category: Web Security
Vulnerability: JWT validation bypass via URL confusion with @ symbol
Impact: Authentication bypass leading to admin access
Flag: HTB{r3d1r3c73d_70_my_s3cr37s}

Vulnerability Overview

Attack Flow Diagram

Source-to-Sink Analysis

1. Entry Point - JWT Authentication (Source)

The vulnerability starts when the AuthMiddleware processes JWT tokens:

// middleware/AuthMiddleware.js:5-34
module.exports = async (req, res, next) => {
 try {
 if (req.cookies.session === undefined) {
 if (!req.is('application/json')) return res.redirect('/');
 return res.status(401).send(response('Authentication required!'));
 }
 return JWTHelper.getHeader(req.cookies.session)
 .then(header => {
 if (header.jku && header.kid) {
 // VULNERABILITY: Weak URL validation using lastIndexOf
 if (header.jku.lastIndexOf(config.AUTH_PROVIDER, 0) !== 0) {
 return res.status(500).send(response('The JWKS endpoint is not from localhost!'));
 }
 return JWTHelper.getPublicKey(header.jku, header.kid)
 .then(pubkey => {
 return JWTHelper.verify(req.cookies.session, pubkey)
 .then(data => {
 req.user = data.user;
 return next();
 })
 .catch(() => res.status(403).send(response('Authentication token could not be verified!')));
 })
 .catch(() => res.redirect('/logout'));
 }
 return res.status(500).send(response('Missing required claims in JWT!'));
 })
 .catch(err => res.status(500).send(response("Invalid session token supplied!")));
 } catch (e) {
 return res.status(500).send(response(e.toString()));
 }
}

2. The Vulnerable Validation - String-based URL Check

The critical vulnerability lies in line 14 of AuthMiddleware.js:

Amazon AppSec CTF: PageOneHTML

contact@rodolpheg.xyz (0xRo) — Sun, 21 Sep 2025 00:00:00 +0000

Executive Summary

Challenge: PageOneHTML
Category: Web Security
Vulnerability: Server-Side Request Forgery (SSRF) via gopher:// protocol
Impact: Access to internal API endpoint leading to flag disclosure
Flags:
- Local: HTB{f4k3_fl4g_f0r_t3st1ng}
- Remote: HTB{l1bcurL_pla7h0r4_0f_pr0tocOl5}

Source-to-Sink Analysis

1. Entry Point - User Input (Source)

The vulnerability starts at /api/convert endpoint which accepts user-controlled markdown content:

// routes/index.js:15-28
router.post('/api/convert', async (req, res) => {
 const { markdown_content, port_images } = req.body; // User input

 if (markdown_content) {
 html = MDHelper.makeHtml(markdown_content); // Convert MD to HTML
 if (port_images) { // If port_images is true
 return ImageConverter.PortImages(html) // Process images
 .then(newHTML => res.json({ content: newHTML }))
 .catch(() => res.json({ content: html }));
 }
 return res.json({ content: html });
 }
 return res.status(403).send(response('Missing parameters!'));
});

2. Image Processing - Protocol Confusion

The ImageConverter extracts all <img> tags and processes their src attributes: