Shambles

Technical Walkthrough

Writeup

Challenge

• Name: Shambles
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid

Summary

Shambles is a source-backed remote crypto challenge. The provided Python service encrypts both JWT login tokens and user account data with the same AES-CBC key and IV. The encrypted-token login path leaks whether PKCS#7 unpadding succeeded before JWT validation, which creates a CBC padding oracle.

The solve uses the oracle to decrypt the account-data ciphertext, recover the card number and integer balance for the authenticated account, then withdraw exactly that balance to trigger the flag path.

Artifact Inventory

• files/a12c7390-d411-48fe-ba62-1cd9a12c0b10.zip: original HTB archive.
• files/extracted/crypto_shambles/server.py: vulnerable menu service.
• files/extracted/crypto_shambles/db.py: SQLite helper with the exact zero-balance flag condition.
• files/extracted/crypto_shambles/creds.txt: bundled target credentials used by the solver without copying them into this writeup.
• analysis/artifact-inventory.json: hashes, file sizes, and file types.

Analysis

The relevant source facts are recorded in analysis/source-audit.md.

server.py generates a random AES-CBC KEY and IV once, then reuses them for encrypted JWT tokens and encrypted account data. In the token login branch, attacker-controlled ciphertext is decrypted and unpadded before JWT validation. Invalid padding prints Decryption error!, while padding-valid non-JWT plaintext reaches JWT validation and prints Validation error!. That distinction is enough to build a padding oracle.

After authenticating with the bundled account, option 2 returns encrypted account data. The plaintext format is card_number + str(balance). Option 3 compares the submitted card number with the stored card number and returns the flag if balance - amount == 0.

The padding-oracle implementation was validated locally in analysis/local-padding-oracle-selftest.txt, and the live service oracle behavior was confirmed in analysis/remote/batched-oracle-probe.txt.

Solve

The reproducible solver is solve/solve.py.

High-level flow:

1. Parse the bundled credentials from files/extracted/crypto_shambles/creds.txt.
2. Login to the remote service and collect a valid encrypted JWT token.
3. Request encrypted account data from option 2.
4. Batch token-oracle probes over the same interactive socket to make CBC padding recovery practical.
5. Recover the first encrypted JWT block intermediate value and derive the fixed IV using the known PyJWT HS256 header prefix.
6. Decrypt the two account-data ciphertext blocks.
7. Parse candidate card_number and integer balance splits.
8. Withdraw the exact recovered balance and store the returned flag candidate under loot/.

The successful live run is recorded in analysis/remote/full-solver-run.txt. It recovered the account payload and wrote the flag candidate to loot/flag-candidate.txt, then the harness captured it to loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• A padding oracle can decrypt ciphertext from a different feature when the same CBC key and IV are reused across service functions.
• For interactive remotes, batching oracle probes avoids one network round trip per guess and can turn an otherwise impractical padding oracle into a fast solve.
• Research/memory was only advisory here; the decisive evidence came from the provided source, local instrumentation, and live response validation.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Shambles
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-12T06:23:22Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Shambles
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audited the provided Python source and identified AES-CBC key/IV reuse across encrypted JWT tokens and encrypted account-data output.
2. Confirmed the token login path leaks padding-valid versus padding-invalid behavior before JWT validation.
3. Built a reusable CBC padding-oracle decryptor and validated it locally.
4. Batched oracle probes against the remote interactive menu to recover the encrypted account-data plaintext.
5. Parsed the recovered card number and integer balance, then withdrew the exact balance to trigger the flag path.

Reusable Lessons

• CBC padding-oracle solves can often decrypt unrelated ciphertexts when one service reuses the same key/IV across multiple features.
• For menu-driven services, pipelining or batching oracle probes over a persistent connection can be the difference between a practical and impractical remote exploit.
• Treat local memory as advisory; direct source audit plus local instrumentation should drive Medium crypto decisions.

Dead Ends

• A one-query-per-round-trip oracle implementation was too slow for the remote service and was replaced with batched probing.

Tool Quirks

• PyJWT was not installed locally, but the solver did not need it; the IV derivation only required the known first 16 bytes of the standard JWT header.
• sympy, z3, sage, and pwntools were missing from Crypto readiness, but this solve only required Python sockets and PyCryptodome.

Evidence Paths

• analysis/source-audit.md
• analysis/local-padding-oracle-selftest.txt
• analysis/remote/batched-oracle-probe.txt
• analysis/remote/full-solver-run.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches