Unearthing the Crystal Runes: Decoding the eldorian_artifact.pth Challenge
In this challenge, we were tasked with exploring the depths of Eldoria's Crystal Archives and deciphering the secrets hidden within a mystical artifact – an enchanted neural crystal named eldorian_artifact.pth. Legends whispered of a hidden incantation, an ancient secret flag, directly woven into its crystalline structure. Our mission: to analyze this neural network model file and extract the elusive flag in the format HTB{Flag_Goes_Here}.
Initial Exploration: What Lies Within the .pth File?
Armed with only the eldorian_artifact.pth file and minimal context, our first step was to determine the nature of this artifact. Knowing that Python, particularly with the PyTorch library (link: https://pytorch.org/, PyTorch is a popular open-source machine learning framework widely used for tasks like deep learning and neural network development), is a powerful tool for analyzing AI models, we opted for a Python-based investigation.
For those unfamiliar with Machine Learning (ML) or Artificial Intelligence (AI), don't worry! Modern AI development environments like Windsurf or Cursor (AI-powered IDEs) can significantly simplify the process. By simply placing the .pth file in our project directory and leveraging the IDE's AI capabilities, we could begin our analysis.
Attempting Direct Model Loading (and Learning About State Dictionaries):
Our initial instinct was to load the .pth file directly as a PyTorch model:
import torch
model = torch.load('eldorian_artifact.pth')
model.eval()
However, this initial attempt led to a crucial discovery. Instead of a complete model, torch.load revealed that eldorian_artifact.pth contained a state dictionary. A state dictionary in PyTorch is essentially a Python dictionary that stores the learned parameters (weights and biases) of a neural network layer. It's not the complete model architecture itself, but rather the learned "brain" of the network.
Our inspection script confirmed this:
import torch
def inspect_model(model_path):
try:
print(f"Loading model from {model_path}...")
model = torch.load(model_path)
print("\nModel type:", type(model))
if isinstance(model, dict):
print("\nThis is a state dictionary containing these keys:")
for key in model.keys():
if isinstance(model[key], torch.Tensor):
print(f"{key}: tensor shape {model[key].shape}")
else:
print(f"{key}: {type(model[key])}")
# ... (rest of the inspection script)
if __name__ == "__main__":
model_path = "eldorian_artifact.pth"
inspect_model(model_path)
Running this script showed us:
Loading model from eldorian_artifact.pth...
Model type: <class 'collections.OrderedDict'>
This is a state dictionary containing these keys:
hidden.weight: tensor shape torch.Size([40, 40])
This told us we had a state dictionary with a single key, hidden.weight, representing a tensor of shape 40x40. This hinted at a simple neural network with a hidden layer.
Reconstructing the Model Architecture:
Knowing it was a state dictionary, we needed to define the model architecture to load these weights into. Based on the hidden.weight key and its shape, we hypothesized a simple linear model:
import torch
class EldorianModel(torch.nn.Module):
def __init__(self):
super().__init__()
self.hidden = torch.nn.Linear(40, 40, bias=False) # No bias term
def forward(self, x):
return self.hidden(x)
def load_model(model_path):
model = EldorianModel()
state_dict = torch.load(model_path)
model.load_state_dict(state_dict)
return model
# ... (rest of the model definition)
We created a basic EldorianModel class with a single linear layer (torch.nn.Linear) and importantly, set bias=False after encountering an error about a missing bias term. Loading this model and testing it with dummy input confirmed that our reconstructed architecture was compatible with the provided state dictionary.
Fuzzing and Weight Analysis: Hunting for the Flag
With a working model, the next step was to extract the hidden flag. We started by "fuzzing" the model, feeding it various inputs, including patterns resembling the HTB{ flag prefix, and special characters. This fuzzing hinted that the model might react to special characters.
However, the real breakthrough came when we directly analyzed the weight matrix itself. We extracted the hidden.weight tensor and examined its values. A script to analyze the weights revealed something fascinating:
import torch
from model import load_model
model = load_model('eldorian_artifact.pth')
state_dict = torch.load('eldorian_artifact.pth')
weight_matrix = state_dict['hidden.weight']
print("\nDiagonal values:")
diagonal_values = weight_matrix.diag().tolist()
print([int(x) for x in diagonal_values]) # Print diagonal as integers
print("\nFirst few rows as scaled ASCII:")
for i in range(5):
row_values = weight_matrix[i].tolist()
scaled_row = [chr(int(max(0, min(127, int(x))))) for x in row_values] # Scale and clamp
print(f"Row {i}: {''.join(scaled_row[:40])}...")
print("\nDecoding Diagonal ASCII:")
decoded_flag_chars = [chr(int(x)) for x in diagonal_values]
decoded_flag = "".join(decoded_flag_chars)
print(f"Decoded flag: {decoded_flag}")
Running this weight analysis script revealed the diagonal values and, when converted to ASCII characters, unveiled the flag!
Diagonal values:
[72, 84, 66, 123, 67, 114, 121, 53, 116, 52, 108, 95, 82, 117, 78, 51, 115, 95, 48, 102, 95, 69, 108, 100, 48, 114, 49, 97, 125, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95, 95]
...
Decoded flag: HTB{Cry5t4l_RuN3s_0f_Eld0r1a}___________
The Crystal Runes Deciphered: HTB{Cry5t4l_RuN3s_0f_Eld0r1a}
The flag, HTB{Cry5t4l_RuN3s_0f_Eld0r1a}, was elegantly encoded within the diagonal of the weight matrix. Each diagonal value represented the ASCII code for a character in the flag. The trailing underscores were simply padding, filling out the 40x40 weight matrix.
This challenge cleverly demonstrated how even simple neural network models can be used to hide information. It emphasized the importance of not only understanding model architectures but also delving into the learned weights themselves when exploring potentially manipulated or malicious AI artifacts. The flag itself, "Crystal Runes of Eldoria," fittingly tied back to the challenge's narrative, rewarding our exploration of the eldorian_artifact.pth and its hidden incantation.
Flag: HTB{Cry5t4l_RuN3s_0f_Eld0r1a}