Supply Chain Nightmare
🔍 Details
| Attribute | Details |
|---|---|
| Challenge Name | Supply Chain Nightmare |
| Category | Reverse Engineering |
| Difficulty | 🔴 Hard |
| Flag | F4H{1KHma04VXm**********} |
📝 Description
Something isn’t right… A Python project is behaving strangely, and it’s up to you to figure out why. Analyze the system, uncover what’s happening, and retrieve the flag.
In the terminal, pull the challenge image:
sudo docker pull public.ecr.aws/h7j1s9m0/fl4ghunt-ecr:supply_chain_nightmare_ctf
Run the container:
sudo docker run --rm -it public.ecr.aws/h7j1s9m0/fl4ghunt-ecr:supply_chain_nightmare_ctf
Inside an interactive shell, execute:
python ctf_checker.py
🧩 Hints
- The ctftime API always returns a 500 error, but it works fine in the browser and with curl. Double-check your dependencies—sometimes, a single letter can make all the difference.
- Now you know something is off with the package. Maybe it's time to take a closer look inside…the flag is waiting for you there.
💡 Solution
This challenge revolves around a Python supply chain attack caused by a malicious dependency.
- After running the script inside the container, you’ll notice that every request it makes to the ctftime API comes back as a 500 error, even though the same API works fine in a browser or with curl. That’s the first red flag: the server is healthy, so the failure is being produced somewhere on the client side.
- When investigating the dependencies in requirements.txt, you will notice the suspicious entry ./reqeusts. This is a typosquatted version of the legitimate requests library (reqeusts vs. requests): two letters are swapped, which is easy to overlook, and the entry is a local path rather than a package name resolved from PyPI, so pip installs whatever is in that directory with none of the index’s checks.
- Taken together, these clues make it clear that something is wrong with the reqeusts package, so the next step is to look inside it and see what it actually does. Its logic lives in the compiled file __init__.cpython-311.pyc (the cpython-311 tag means it was compiled by CPython 3.11, which matters when choosing a decompiler).
- One approach is to extract __init__.cpython-311.pyc from the running container and feed it to an online Python decompiler such as pylingual; the flag is in the recovered source.
- A more tedious approach is to build pycdc and decompile the file locally. You can use the following commands:
apt-get update && apt-get install -y cmake make gcc g++ git
git clone https://github.com/zrax/pycdc.git
cd pycdc
mkdir build && cd build
cmake ..
make
make check
./pycdc ../../reqeusts/__init__.cpython-311.pyc
- After decompiling the file, you will find the flag in the recovered source.
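If neither decompiler handles the file, or you want to confirm what a decompiler shows you before trusting it, the bytecode can be triaged directly with the standard library. The following is an added example for this writeup, not code from the challenge or from pycdc: it parses the .pyc header, unmarshals the code object without ever executing it, walks every nested function and class body, and lists risky imports and base64-looking string constants. The SUSPECT_SOURCE package it inspects is a constructed stand-in for the malicious reqeusts/__init__.py (the real one is not reproduced on this page), and the flag value in it is made up. To run it on the real file, replace the build_pyc(...) call with the bytes of __init__.cpython-311.pyc and run it under Python 3.11, since marshal only round-trips within the interpreter series that produced the file.

```python
"""Static triage of a .pyc without a decompiler (added example, not challenge code)."""
import base64
import dis
import importlib.util
import io
import marshal
import re
import struct
import types

# Hypothetical stand-in for the malicious reqeusts/__init__.py: fakes a 500
# response and hides a value in an obfuscated constant. FAKE_FLAG is made up.
FAKE_FLAG = "F4H{example_not_the_real_flag}"
SUSPECT_SOURCE = f'''
import base64, os, subprocess
_PAYLOAD = "{base64.b64encode(FAKE_FLAG.encode()).decode()}"
class Response:
    status_code = 500
    text = ""
def get(url, **kwargs):
    subprocess.Popen(["sh", "-c", "echo " + base64.b64decode(_PAYLOAD).decode()])
    return Response()
'''

RISKY_NAMES = {"os", "subprocess", "socket", "ctypes", "eval", "exec",
               "compile", "marshal", "base64", "urllib", "__import__"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PYC_HEADER_LEN = 16  # magic(4) + flags(4) + mtime/hash(8), PEP 552 layout


def build_pyc(source: str, filename: str = "__init__.py") -> bytes:
    """Serialise source as a .pyc for the running interpreter (demo input only)."""
    code = compile(source, filename, "exec")  # compile only; nothing is executed
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def parse_pyc(data: bytes) -> types.CodeType:
    """Validate the header and unmarshal the top-level code object.

    A cpython-311 file only unmarshals under Python 3.11; the magic check turns
    that mismatch into a clear error instead of a confusing marshal failure.
    """
    magic = data[:4]
    if magic[2:] != b"\r\n":
        raise ValueError("not a .pyc: bad magic trailer")
    if magic != importlib.util.MAGIC_NUMBER:
        ver = int.from_bytes(magic[:2], "little")  # e.g. 3495 is CPython 3.11
        raise ValueError(f"pyc magic {ver} does not match this interpreter")
    code = marshal.loads(data[PYC_HEADER_LEN:])
    if not isinstance(code, types.CodeType):
        raise ValueError("payload is not a code object")
    return code


def walk_code(code: types.CodeType):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def triage(code: types.CodeType) -> dict:
    """Collect referenced names and decodable base64 strings across all code objects."""
    names, decoded = set(), []
    for obj in walk_code(code):
        names.update(obj.co_names)  # imports, globals and attribute names
        for const in obj.co_consts:
            if isinstance(const, str) and B64_RE.match(const):
                try:
                    raw = base64.b64decode(const, validate=True)
                except ValueError:
                    continue
                if raw.isascii() and raw.decode().isprintable():
                    decoded.append((const, raw.decode()))
    return {
        "names": sorted(names),
        "risky": sorted(names & RISKY_NAMES),
        "decoded_strings": decoded,
    }


def disassemble(code: types.CodeType) -> str:
    """Recursive dis listing: what you read by hand when no decompiler fits."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: data = open("reqeusts/__init__.cpython-311.pyc", "rb").read()
    report = triage(parse_pyc(build_pyc(SUSPECT_SOURCE)))
    print("risky names:", report["risky"])
    for enc, dec in report["decoded_strings"]:
        print(f"base64 constant {enc!r} -> {dec!r}")
```

The names list is deliberately coarse: co_names mixes imports, attribute accesses and globals, so it is a triage signal that tells you where to read the disassembly, not a verdict. The base64 check only catches the simplest obfuscation; XOR-ed or compressed payloads will still show up as odd-looking bytes constants in the same scan.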
📚 Insights
This challenge highlights the very real and growing threat of supply chain attacks in software development:
- Typosquatting: Installing a malicious dependency with a name nearly identical to a trusted package (like reqeusts vs. requests) is a classic tactic to trick developers.
- Dependency trust: Blindly trusting local packages or direct references (-e ./package) can introduce backdoors without raising alerts, because nothing on the package index ever sees them.
- Static analysis: Investigating .pyc bytecode and reverse engineering it helps you understand what hidden logic or payloads may exist.
- Reverse engineering tools: Tools like pylingual, uncompyle6 and pycdc are essential for inspecting compiled Python files when the source isn’t available. Match the tool to the bytecode version: uncompyle6 stops at Python 3.8, so a cpython-311 file needs pylingual or pycdc.
- Incident response mindset: This challenge trains players to think like security engineers or forensic analysts, identifying suspicious behavior, tracing its origin, and dissecting malicious logic.
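The "single letter" check is easy to miss by eye, but it is cheap to enforce in a pipeline. The following is an added example, not tooling from the challenge: it audits a requirements.txt before pip install -r, flagging local and editable references (which pip installs with none of the index’s checks) and comparing every package name against a project allowlist using optimal string alignment distance, so a transposition such as reqeusts/requests scores as one edit. SAMPLE_REQUIREMENTS and the KNOWN_GOOD allowlist are constructed for the demo.

```python
"""Audit a requirements.txt for typosquats and unreviewed local installs (added example)."""
import re
from typing import List, Set, Tuple

# Constructed sample shaped like the challenge's requirements.txt.
SAMPLE_REQUIREMENTS = """\
# project deps
./reqeusts
-e ./vendor/internal-tool
requests==2.31.0
urllib3>=2.0
python-dateutil
"""

# Hypothetical allowlist: the packages this project is known to depend on.
KNOWN_GOOD: Set[str] = {"requests", "urllib3", "python-dateutil", "pyyaml"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
LOCAL_PREFIXES = ("./", "../", "/", "file:")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so reqeusts -> requests is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def audit_requirements(text: str, known_good: Set[str] = KNOWN_GOOD) -> List[Tuple[int, str, str]]:
    """Return (line number, line, reason) for every entry that deserves review."""
    findings = []
    allow = {normalize(n) for n in known_good}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("-e ", "--editable ")):
            target = line.split(None, 1)[1]
        elif line.startswith(LOCAL_PREFIXES):
            target = line
        else:
            target = None
        if target is not None:
            # pip installs a path as-is: no index lookup, no name resolution, no checks.
            name = target.rstrip("/").rsplit("/", 1)[-1]
            findings.append((lineno, line,
                             f"local/editable install of '{name}': not resolved from the index, review its contents"))
        else:
            m = NAME_RE.match(line)
            if not m:
                continue
            name = m.group(1)
        norm = normalize(name)
        if norm in allow:
            continue
        for good in sorted(allow):
            if osa_distance(norm, good) == 1:
                findings.append((lineno, line, f"'{name}' is one edit away from '{good}': possible typosquat"))
    return findings


if __name__ == "__main__":
    for lineno, line, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {line!r}: {reason}")
```

On the sample, ./reqeusts produces two findings (a local install and a one-edit neighbour of requests) while the pinned requests==2.31.0 passes. The allowlist is what makes the distance check meaningful; comparing against an arbitrary list of popular names instead would flag legitimate packages that merely resemble each other, so keep it to what the project actually uses and review every local or editable entry by hand.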