Forest#

Field	Detail
CTF	VulnByDefault (VBD) CTF
Category	Misc / Machine Learning
Points	75
Difficulty	Easy
Flag Format	`VBD{xxxxxx}`
Author	VBD

Challenge Description#

recover the sensitive training data from the model

We are provided with a single 32.64 KB file: model.pkl.

Initial Analysis#

The .pkl extension indicates a Python pickle file. To analyze it safely, we loaded it in Python and found it contains a Scikit-Learn RandomForestClassifier trained on an unknown dataset.

Key observations from the model’s attributes:

n_estimators: 25 (the forest has 25 decision trees)
n_features_in_: 24 (the model takes a 24-bit input)
_n_samples: 80 (trained on 80 samples)
bootstrap: False (all 80 samples are used in every tree, no randomized bootstrapping)
Every tree split uses a threshold of 0.5, implying the 24 inputs are strictly binary (0 or 1).

The challenge description tells us to “recover the sensitive training data from the model”. Given that the training set had 80 samples, we need to extract the target sample from the tree structures themselves.

The Exploit / Reconstructing the Target#

By traversing the 25 decision trees, we checked how they attempt to predict class 1. We found that out of the 80 samples, the model learned a single target sample that corresponds to class 1.

Because bootstrap=False was used during training, every single tree in the forest contains constraints specifically meant to isolate this one target sample. A leaf node in a decision tree predicting class 1 with a sample count of 1 (a “singleton leaf”) uniquely points to our target vector.

To recover the exact training data point:

We traced the path from the root node to the class 1 singleton leaf in each of the 25 decision trees.
We collected the branching constraints along these paths (e.g., feature[19] > 0.5, meaning the 19th bit is 1).
Since each tree evaluates a random subset of features (typical Random Forest behavior), no individual tree gave us the full 24-bit vector.
However, by merging the constraints from all 25 trees, we reconstructed the complete 24-bit feature vector.

The Extraction Script#

Loading modern scikit-learn pickles in older environments or with newer numpy versions requires a small shim, which we included in our solver.

1
"""
2
Deep tree structure analysis to extract the class-1 training sample.
3
"""
4
import sys, types, warnings, pickle
5
warnings.filterwarnings('ignore')
6
import numpy as np
7

8
# -- numpy 2.x compat shim --
9
if not hasattr(np, '_core'):
10
    np._core = types.ModuleType('numpy._core')
11
    sys.modules['numpy._core'] = np._core
12
import numpy.core as _nc
13
for attr in dir(_nc): setattr(np._core, attr, getattr(_nc, attr))
14
for sub in ['multiarray','numeric','numerictypes','fromnumeric',
15
            'defchararray','records','memmap','function_base',
16
            'shape_base','einsumfunc','umath','overrides']:
17
    o, n = f'numpy.core.{sub}', f'numpy._core.{sub}'
18
    if o in sys.modules and n not in sys.modules: sys.modules[n] = sys.modules[o]
19

20
class CP(pickle.Unpickler):
21
    def find_class(self, m, name):
22
        if m.startswith('numpy._core'): m = m.replace('numpy._core','numpy.core',1)
23
        return super().find_class(m, name)
24

25
MODEL_PATH = "model.pkl"
26
with open(MODEL_PATH,'rb') as f:
27
    rf = CP(f).load()
28

29
n_feat = rf.n_features_in_
30
TREE_LEAF = -1
31

32
def class1_path(tree_obj):
33
    """Trace the path to the class-1 singleton leaf, return feature constraints."""
34
    fl = tree_obj.feature; lc = tree_obj.children_left; rc = tree_obj.children_right
35
    ns = tree_obj.n_node_samples; val = tree_obj.value
36
    def recurse(node, constraints):
37
        if lc[node] == TREE_LEAF:
38
            cls = int(np.argmax(val[node][0]))
39
            if cls == 1 and ns[node] == 1:
40
                return dict(constraints)
41
            return None
42
        f = fl[node]
43
        left = dict(constraints); left[f] = 0
44
        right = dict(constraints); right[f] = 1
45
        r = recurse(lc[node], left)
46
        if r is not None: return r
47
        return recurse(rc[node], right)
48
    return recurse(0, {})
49

50
# Merge constraints from all 25 trees
51
merged = {}
52
for tidx, est in enumerate(rf.estimators_):
53
    path = class1_path(est.tree_)
54
    if path is not None:
55
        for feat, val in path.items():
56
            merged[feat] = val
57

58
# Extract and decode full 24-bit vector
59
bits = [merged[i] for i in range(n_feat)]
60
bit_str = ''.join(map(str, bits))
61
hex_val = int(bit_str, 2)
62

63
print(f"Recovered 24-Bit Vector: {bit_str}")
64
print(f"Hex equivalent: {hex_val:06x}")

Solution#

Running the logic outputted the following bit sequence: 111110101100101011011110

Converted to hexadecimal, this is: 0xfacade

The flag format is defined as VBD{xxxxxx}. Placing our recovered 6-character hex “facade” into the format gives us the final flag.

Flag#

VBD{facade}