Skip to content

Instantly share code, notes, and snippets.

View nnamon's full-sized avatar

nnamon nnamon

305 followers · 16 following
View GitHub Profile
@nnamon
nnamon / chezz.md
Last active May 14, 2026 15:50
chezz — TISC DC 26 final, web/pwn (Java) - AI distilled from https://llm-logs-viewer.vercel.app/

chezz — Web / Pwn (Java)

TISCDCSG{w4s_th15_m0r3_c0mpl3x_th4n_r3dst0n3?}

TL;DR

  • chezz is a Spring Boot chess game that signs every game state with Ed25519 and rejects any unsigned mutation. The signer is intentionally broken: after every call, Signer.signBytes overwrites its own private scalar with the second half of the signature it just emitted (§3). Sign the same message twice and the math recovers the original signing scalar in closed form (§4).
  • Producing two signatures over the same message requires reaching POST /api/game/subscribe, which is gated by three consecutive checkmate wins, the third forced into the Bongcloud opening (e2e4, e1e2). Stockfish steers games 1 and 2 onto the same mate FEN, so the savefile loop signs that FEN twice with mutated scalars — exactly the oracle the recovery needs (§5).
  • The challenge ships a custom OpenJDK 25 ("ChezzJDK Funtime Environment") that strips every safety check out of TemplatesImpl and promotes Runtime.exec(String,String[]) to a
@nnamon
nnamon / 00_README.md
Last active May 11, 2026 09:55
THCON 2026 — Nandy Narwhals writeups (24 challenges, will be updated)

THCON 2026 — writeups (Nandy Narwhals)

38 writeups so far. We will keep adding to this gist as the rest land.

# Challenge Category Flag Writeup
1 BEPOlice Department Forensic / Memory + Crypto THC{b3p0_l4y0ut_1s_not_qwerty} bepolice-department.md
2 Breach at SST – 1 Forensic / 5G THCON{imsi-901701337133713} breach-at-sst-1.md
3 Breach at SST – 3 Forensic THCON{sp3ctr4l_p34ks_d0nt_l13} breach-at-sst-3.md
4 Break The Chain Crypto THC{4lL_Dr0Nz-R-g0N3} break-the-chain.md
@nnamon
nnamon / vmprep.sh
Created August 15, 2022 19:29
Run as the user you intend to use. No need for prepended sudo.
#!/bin/bash
SWAP=4G
export DEBIAN_FRONTEND=noninteractive
# Install dependencies.
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y build-essential libncursesw5-dev libreadline-gplv2-dev libssl-dev \
libgdbm-dev libc6-dev libsqlite3-dev libbz2-dev libffi-dev git gdb ltrace strace radare2 \
@nnamon
nnamon / multi_percentage_transfer.py
Created April 19, 2019 13:57
Transfer by Percentage
#!/usr/bin/env python
from pyzil.zilliqa import chain
from pyzil.account import Account
from pyzil.zilliqa.units import Qa
import multiprocessing
from itertools import repeat
import argparse
@nnamon
nnamon / multi_transfer.py
Created April 3, 2019 08:09
Multi Transfer Many to One Address
#!/usr/bin/env python
from pyzil.zilliqa import chain
from pyzil.account import Account
import multiprocessing
from itertools import repeat
import argparse
PROCESS_SIZE = 80
@nnamon
nnamon / test.js
Created March 30, 2019 11:11
Zilliqa Test Send Transaction
const { Transaction } = require('@zilliqa-js/account');
const { BN, Long, bytes, units } = require('@zilliqa-js/util');
const { Zilliqa } = require('@zilliqa-js/zilliqa');
const CP = require ('@zilliqa-js/crypto');
const zilliqa = new Zilliqa('http://localhost:4201');
// These are set by the core protocol, and may vary per-chain.
// These numbers are JUST AN EXAMPLE. They will NOT WORK on the developer testnet
// or mainnet.
@nnamon
nnamon / stateoftheds_epoch35800.txt
Created March 10, 2019 11:56
State of the DS: Epoch 35800
1. 34.222.91.41:33133 020035B739426374C5327A1224B986005297102E01C29656B8B086BF4B352C6CA9 reachable guard
2. 34.220.13.189:33133 0200834D709AD621785A90673F6011BC36ECF4CB13475237EAA2D4DEDAE7E9E554 reachable guard
3. 34.222.64.99:33133 02009A7997753BED9CC17435CBBEEAC52FACF575152FA738E98579FD22780A98B7 reachable guard
4. 52.42.110.208:33133 02011852D914FAE2B5FD0B58AFA90F2490AF374C661958A6376F0C20CE0E08F05B reachable guard
5. 54.212.198.111:33133 02013D6697F5BEF5F65FB9A222AB58080DD2F471DAB9BF7A17664510512BFF8ED1 reachable guard
6. 52.27.139.69:33133 020177703339FDD3C56E3A5E4BAEDB253299C53BFC7A213679F9AD81ABA5BAB024 reachable guard
7. 54.201.184.70:33133 02017CACA3FCD088FAE478D3BDCDA443E4BE6B062F910CCD22D2937B35B6EBCDC7 reachable guard
8. 54.212.247.156:33133 02025543E056C090F74393C4B2E3655BB05931F63EE30623669051D96059BEF446 reachable guard
9. 34.220.0.197:33133 02028DAEA3E423C4DCBCAF42BCE5B6519B12B3B3229F62FCCB9C20495B69E6983E reachable guard
10. 34.220.49.219:33133 0202D970B251DAE5FC44AE34F9A01269A1B2C96202693BE1
@nnamon
nnamon / stateoftheds_epoch25000.txt
Created March 9, 2019 15:08
State of the DS: Epoch 35000
1. 34.222.91.41:33133 020035B739426374C5327A1224B986005297102E01C29656B8B086BF4B352C6CA9 reachable guard
2. 34.220.13.189:33133 0200834D709AD621785A90673F6011BC36ECF4CB13475237EAA2D4DEDAE7E9E554 reachable guard
3. 34.222.64.99:33133 02009A7997753BED9CC17435CBBEEAC52FACF575152FA738E98579FD22780A98B7 reachable guard
4. 52.42.110.208:33133 02011852D914FAE2B5FD0B58AFA90F2490AF374C661958A6376F0C20CE0E08F05B reachable guard
5. 54.212.198.111:33133 02013D6697F5BEF5F65FB9A222AB58080DD2F471DAB9BF7A17664510512BFF8ED1 reachable guard
6. 52.27.139.69:33133 020177703339FDD3C56E3A5E4BAEDB253299C53BFC7A213679F9AD81ABA5BAB024 reachable guard
7. 54.201.184.70:33133 02017CACA3FCD088FAE478D3BDCDA443E4BE6B062F910CCD22D2937B35B6EBCDC7 reachable guard
8. 54.212.247.156:33133 02025543E056C090F74393C4B2E3655BB05931F63EE30623669051D96059BEF446 reachable guard
9. 34.220.0.197:33133 02028DAEA3E423C4DCBCAF42BCE5B6519B12B3B3229F62FCCB9C20495B69E6983E reachable guard
10. 34.220.49.219:33133 0202D970B251DAE5FC44AE34F9A01269A1B2C96202693BE1
@nnamon
nnamon / stateoftheds_epoch30100.txt
Created March 5, 2019 04:02
State of the DS: Epoch 30100
1. 34.222.91.41:33133 020035B739426374C5327A1224B986005297102E01C29656B8B086BF4B352C6CA9 reachable guard
2. 34.220.13.189:33133 0200834D709AD621785A90673F6011BC36ECF4CB13475237EAA2D4DEDAE7E9E554 reachable guard
3. 34.222.64.99:33133 02009A7997753BED9CC17435CBBEEAC52FACF575152FA738E98579FD22780A98B7 reachable guard
4. 52.42.110.208:33133 02011852D914FAE2B5FD0B58AFA90F2490AF374C661958A6376F0C20CE0E08F05B reachable guard
5. 54.212.198.111:33133 02013D6697F5BEF5F65FB9A222AB58080DD2F471DAB9BF7A17664510512BFF8ED1 reachable guard
6. 52.27.139.69:33133 020177703339FDD3C56E3A5E4BAEDB253299C53BFC7A213679F9AD81ABA5BAB024 reachable guard
7. 54.201.184.70:33133 02017CACA3FCD088FAE478D3BDCDA443E4BE6B062F910CCD22D2937B35B6EBCDC7 reachable guard
8. 54.212.247.156:33133 02025543E056C090F74393C4B2E3655BB05931F63EE30623669051D96059BEF446 reachable guard
9. 34.220.0.197:33133 02028DAEA3E423C4DCBCAF42BCE5B6519B12B3B3229F62FCCB9C20495B69E6983E reachable guard
10. 34.220.49.219:33133 0202D970B251DAE5FC44AE34F9A01269A1B2C96202693BE1
@nnamon
nnamon / stateoftheds_epoch29000.txt
Created March 4, 2019 04:15
State of the DS: Epoch 29000
1. 34.222.91.41:33133 020035B739426374C5327A1224B986005297102E01C29656B8B086BF4B352C6CA9 reachable guard
2. 34.220.13.189:33133 0200834D709AD621785A90673F6011BC36ECF4CB13475237EAA2D4DEDAE7E9E554 reachable guard
3. 34.222.64.99:33133 02009A7997753BED9CC17435CBBEEAC52FACF575152FA738E98579FD22780A98B7 reachable guard
4. 52.42.110.208:33133 02011852D914FAE2B5FD0B58AFA90F2490AF374C661958A6376F0C20CE0E08F05B reachable guard
5. 54.212.198.111:33133 02013D6697F5BEF5F65FB9A222AB58080DD2F471DAB9BF7A17664510512BFF8ED1 reachable guard
6. 52.27.139.69:33133 020177703339FDD3C56E3A5E4BAEDB253299C53BFC7A213679F9AD81ABA5BAB024 reachable guard
7. 54.201.184.70:33133 02017CACA3FCD088FAE478D3BDCDA443E4BE6B062F910CCD22D2937B35B6EBCDC7 reachable guard
8. 54.212.247.156:33133 02025543E056C090F74393C4B2E3655BB05931F63EE30623669051D96059BEF446 reachable guard
9. 34.220.0.197:33133 02028DAEA3E423C4DCBCAF42BCE5B6519B12B3B3229F62FCCB9C20495B69E6983E reachable guard
10. 34.220.49.219:33133 0202D970B251DAE5FC44AE34F9A01269A1B2C96202693BE1