THEM?!CTF26 Writeups
Collection of writeups for THEM?!CTF'26 challenges by the team during the offline summer project’26.
Sanity
sanity/sanity 1 (100)
Description: Hey, the ctf has started and its pretty important that you should read the rules so you can follow them without accidental violations. Have you read the rules?
Flag was present in the Discord rules.
sanity/(in)sanity 4 (100)
Description: (yes the 4th one lmao) I wonder what is that #them-spam channel 🤔 this may be the easiest points yall all get, or it may cost your sanity
According to the discord announcements, the flag would be revealed if any 7 people count up to 375, in the #them-spam channel under Them?!CTF discord server.
Rules :
- In sanity 4 (aka 💔・counting ), you need at least 7 people to be in the chain, well meh use an alt I cant stop you but 2 alts or a damn bot oh hell naw. By same logic please dont type 2 consecutive numbers by the same person like a common sense.
- Currently you guys need to reach 375.
With the help of people on discord, and some support of discord mods and other users, reached the 375 mark and got the flag data.

Which is a base64, then a ROT cipher, which gives the flag.
sanity/(in)sanity 4 - revenge (559)
Description: question 1: WHY THE FUCK IS THERE 5 SANITY CHALLS anyways, congrats for the teams who managed to complete sanity4. If you didnt get it? no worries! Here is sanity 4 revenge (call it sanity 5 is fine lmao) Currently THAT?! had stopped spitting out fakeflags, but it did spit out plenty of fake flags before. Now, what is the fakeflag v1? (ie the first fakeflag it said)
For this looked over the #them-spam channel history. Filtered to only the chats by the bot THEM?! . While searching directly for the flag format THEM?!CTF{ the flag that first appeared was not the correct flag on submitting it.
Then removed the filter of text and started to see just the full chat history of THAT?! bot. After some initial chats after the competition started, saw some single letters that the bot was sending in some time instances between the other chats, it started with T and then saw H and so on, which was the start of the flag. While looking forward, got full flag in a while.
Web
web/my-product 100
The source code reveals that it has set verify signature to false. So forge an admin payload with none alg to gain admin access.
Then it also shows an ability to add webhook sites under /admin/integrations, and upon syncing it the server sends the flag to that url.
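The weak setting next to a hardened check, as an added example that is not the challenge's source: it uses only the Python standard library, and the key, the claim names and the unsigned token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a correctly configured server would."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def decode_unverified(token: str) -> dict:
    """Weak path: the claims are trusted without checking any signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, key: bytes) -> dict:
    """Hardened path: algorithm pinned by the server, MAC compared in constant time."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Never let the token choose its own algorithm ("none" included).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


# Constructed values, not taken from the challenge.
KEY = b"constructed-server-key"
UNSIGNED = ".".join([
    b64url_encode(json.dumps({"alg": "none"}).encode()),
    b64url_encode(json.dumps({"user": "guest", "role": "admin"}).encode()),
    "",  # empty signature segment
])

if __name__ == "__main__":
    print("weak path sees:", decode_unverified(UNSIGNED))
    try:
        decode_verified(UNSIGNED, KEY)
    except ValueError as err:
        print("hardened path rejects:", err)
```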
web/MEH 100
The app checks for existing users using usernames, note admin already exists. The profile page uses the username, /profile/<username>. The access to this page is checked using usernames too. Register with username admin/ and navigate to /profile/admin/ which is same as /profile/admin which gives the flag.
web/a Cute Magical Router Gateway 100
The instance had a login page with not much clue on the username or password. Trying a random username and password, we see it sends a POST request to /validate-password. Checking the source code we could find a .js file. Looking through it for this endpoint, we see it checks for a success message. If it is a success message, it sends a GET request to /flag. Directly opening that endpoint, gives us the flag.
Crypto
crypto/no-7race 100
The challenge gives you a python file challenge.py that takes in the byte sequence of the flag, converts it into int and multiplies it by 2^7777. Then there is a check checking if the last 153 digits are matching.
b ≡ suffix (mod 10^153)
a · 2^77777 ≡ suffix (mod 10^153)
To recover a we want to invert 2^77777 modulo 10^153. But 2 and 10 aren’t coprime, so 2^77777 is not invertible mod 10^153 directly. Factor 10^153 = 2^153 · 5^153 and split with CRT:
- Mod 5^153: 2 is invertible, so a ≡ suffix · (2^77777)^{-1} (mod 5^153).
- Mod 2^153: b = a · 2^77777 is divisible by 2^77777, which far exceeds 2^153, so b ≡ 0 (mod 2^153). This carries no information about a; the suffix’s value mod 2^153 is 0.
As long as a < 5^153, a ≡ suffix · (2^77777)^{-1} (mod 5^153) recovers the flag exactly.
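The recovery carried through in code, as an added example that is not the challenge's challenge.py or the team's solve script: the sample flag is constructed, and the exponent is a parameter because the description above writes 2^7777 while the congruences use 2^77777.

```python
K = 77777   # exponent used in the congruences above
D = 153     # number of known trailing decimal digits


def make_suffix(secret: bytes, k: int = K, d: int = D) -> int:
    """Challenge side: last d decimal digits of int(secret) * 2^k."""
    a = int.from_bytes(secret, "big")
    return (a << k) % 10**d


def recover(suffix: int, k: int = K, d: int = D) -> bytes:
    """Solver side: only the 5^d half of the CRT split carries information."""
    if k < d:
        raise ValueError("argument assumes 2^k is a multiple of 2^d")
    if suffix % 2**d != 0:
        # b = a * 2^k is 0 mod 2^d, so a genuine suffix must be too.
        raise ValueError("suffix is not consistent with a * 2^k")
    m5 = 5**d
    inv = pow(2, -k, m5)          # (2^k)^-1 mod 5^d, Python 3.8+
    a = suffix * inv % m5         # equals the real a only if a < 5^d
    return a.to_bytes((a.bit_length() + 7) // 8, "big")


# Constructed sample flag (34 bytes). 5^153 is a little over 2^355,
# so any secret of at most 44 bytes is recovered uniquely.
SAMPLE = b"THEM?!CTF{constructed_sample_flag}"

if __name__ == "__main__":
    s = make_suffix(SAMPLE)
    print("suffix mod 2^153 =", s % 2**D)
    print("recovered:", recover(s))
```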
crypto/velvet-rope 100
The server returns whether the ciphertext follows the PKCS #1 v1.5 padding format, making it vulnerable to the Bleichenbacher attack. In this attack we use the server as an oracle to bound the message m to a small interval. We linear search for the first multiplier s1 starting from the initial guess of ceil(N/3B), then successively find the next multipliers by bounding the range of possibilities.
crypto/gearbox 100
The challenge provides a python script and an output.txt file containing some parameters. We are to solve the bounded discrete log problem given lower and upper bounds for the exponent. Brute force fails because the size of the interval is roughly 10^15, so we use a standard algorithm called the BSGS (Baby step Giant step) algorithm, which can solve the problem in O(sqrt(N)) time, where N is the size of the interval.
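A bounded baby-step giant-step solver, as an added example that is not the team's solve script: the modulus, generator and bounds are constructed small values, and p is assumed prime so that g is invertible.

```python
from math import isqrt


def bounded_dlog(g: int, h: int, p: int, lo: int, hi: int):
    """Return x with lo <= x <= hi and g^x = h (mod p), or None.

    Writes x = lo + i*m + j with 0 <= i, j < m and m = ceil(sqrt(hi-lo+1)),
    so time and memory are O(sqrt(N)) for an interval of size N.
    """
    if lo > hi:
        return None
    n = hi - lo + 1
    m = isqrt(n - 1) + 1            # ceil(sqrt(n)) for n >= 1

    # Baby steps: remember the smallest j for every value g^j.
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p

    # Giant steps: shift the target by g^-lo, then by g^-m per step.
    gamma = h * pow(g, -lo, p) % p
    step = pow(g, -m, p)
    for i in range(m):
        j = table.get(gamma)
        if j is not None:
            x = lo + i * m + j
            if x <= hi:
                return x
        gamma = gamma * step % p
    return None


# Constructed instance: 2 has order 100 modulo 101, so the answer is unique.
SMALL_P, SMALL_G, SMALL_X = 101, 2, 47

if __name__ == "__main__":
    target = pow(SMALL_G, SMALL_X, SMALL_P)
    print(bounded_dlog(SMALL_G, target, SMALL_P, 30, 60))
    # For an interval of about 10^15 the table holds roughly 3.2 * 10^7
    # entries, which is why the square-root trade-off is needed at all.
```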
crypto/chronogram 100
This is a “time-lock” puzzle. In other words, the flag can only be found after a specific amount of computation which we have to perform no matter what. We are given a large modulus N, a starting seed and a number of rounds (240 million). We are given a ciphertext to decrypt along with a tag that acts as proof of work. To decrypt the ciphertext, we need to perform a modular squaring operation y=seed ^ (2^rounds) (mod N). The only way to avoid the work is to factor N which is not possible in an acceptable amount of time. By using gmpy2 in Python for fast calculations and simply performing the required squarings, we get the flag in about an hour.
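Why knowing the factors of N removes the work, as an added example that is not the challenge script: the modulus is built from two small known primes (2^31-1 and 2^61-1), and the seed and round count are constructed. It only covers computing y; how the challenge derives the key from y is not shown on this page.

```python
from math import gcd

# Constructed toy modulus with a known factorisation.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q


def slow_unlock(seed: int, rounds: int, n: int) -> int:
    """The intended path: `rounds` sequential squarings modulo n.

    Each squaring needs the previous result, so the loop cannot be
    parallelised; this is what the solver above had to run.
    """
    y = seed % n
    for _ in range(rounds):
        y = y * y % n
    return y


def trapdoor_unlock(seed: int, rounds: int, p: int, q: int) -> int:
    """The puzzle creator's shortcut, available only with p and q.

    With phi(n) known, the exponent 2^rounds can be reduced modulo
    phi(n) first (Euler's theorem), leaving two fast modular powers.
    """
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n for the reduction")
    phi = (p - 1) * (q - 1)
    e = pow(2, rounds, phi)
    return pow(seed, e, n)


if __name__ == "__main__":
    rounds = 200_000   # constructed; the challenge used 240 million
    a = slow_unlock(5, rounds, N)
    b = trapdoor_unlock(5, rounds, P, Q)
    print(a == b, a)
```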
crypto / unbreakable xor loop
First look at the math: C1 ^ C2 ^ C3 ^ C4 = 0. They all loop back, so it cancels out.
Then look at the c2 and c3 hex strings. They just repeat 4 bytes over and over (0e021b00 and 18050402), so the keys are only 4 bytes long. Very weak. The author uses words like bozo and lmao for secure keys.
Then look at c4. The first bytes are 20202020. In ASCII, hex 0x20 is a space. When you XOR a letter with a space it just changes uppercase to lowercase. This means key 1 and key 4 are the same string, but one has caps lock on (THEM and them).
Because the key is small and repeating, c1 and c4 are just a many-time pad attack. We use the “bozo” key to crib-drag the ciphertext. It decrypts very fast: ‘{x0r_x0r_x0r_cha1n1ng_g0es_brrrrr}’
crypto/ArtIsMissed II 100
We are given a picture of different phases of the moon which when put on dcode’s Lunar Alphabet decoder gives us the flag.
crypto/Despacito
The challenge provides the encryption source code along with the ciphertext. Looking through the source, we see that the flag is encrypted using DES in ECB mode with a hardcoded key. The ciphertext is then Base64 encoded before being printed. Since DES is symmetric encryption and the key is exposed directly in the script, we can simply reverse the process by Base64 decoding the ciphertext, decrypting it using the same DES key, and removing the custom * padding added to align the plaintext to 8-byte DES blocks. This fully recovers the original flag.
OSINT
OSINT/Where dis? 424
Starting out with checking the blue board sign, the language on it is Icelandic. Along with this, the numbers on the sign are the hotlines for Iceland’s Road and Travel Conditions. After this it was to check throughout Iceland for greener areas where there are flat topped mountains in the distance using the terrain feature in google maps. Also, it could not be a major road since it did not have the divider line in between. With this in mind and a couple of trials, we get the exact coordinates of the photo at Skagafjörður (Road 752).
pwn
pwn/ warm-up (100)
A classic stack overflow but there was an input parser that explicitly disallowed /,s,a,t. This blocks both /bin/sh and system.
So we call read a second time and send /bin/sh in that second batch. The filter already ran and never sees it.
We end up getting the shell access and cat /flag.txt gives the flag.
rev
rev/ Old Cassette
main.bin is a chip-8 ROM that prints the flag one character at a time, but each character requires running a mutate(Va,Vb) function an exponentially growing number of times (powers of 4). Since (Va,Vb) is a pair of 8-bit values, the state space is just 256*256 = 65536 and the iteration sequence falls into a short cycle, so the function can be reimplemented in python with cycle detection, to reduce the iteration count from n to n-cycle_state % cycle_len and jump straight to the answer. Each character decrypts as byte ^ Va ^ Vb, which gives the flag.
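The cycle-detection shortcut in code, as an added example that is not the team's script: mutate() here is a stand-in update rule, not the ROM's routine, and the start state and the assumption that character i uses 4^i iterations from the same start state are constructed for illustration.

```python
def mutate(state):
    """Stand-in update on the 8-bit pair (Va, Vb); NOT the ROM's real routine."""
    va, vb = state
    va = (va + vb + 0x3D) & 0xFF
    vb = ((vb << 1) ^ va) & 0xFF
    return va, vb


def iterate_naive(f, start, n):
    """Apply f exactly n times; only feasible for small n."""
    s = start
    for _ in range(n):
        s = f(s)
    return s


def iterate_fast(f, start, n):
    """Return f^n(start) after visiting at most one pass over the state space.

    The walk records the index at which each state first appears. Once a
    state repeats, the tail length (mu) and cycle length (lam) are known
    and n is folded back into the recorded part of the sequence.
    """
    seen = {}
    order = []
    s = start
    while s not in seen:
        if len(order) == n:       # reached n before any repeat
            return s
        seen[s] = len(order)
        order.append(s)
        s = f(s)
    mu = seen[s]                  # index where the cycle starts
    lam = len(order) - mu         # cycle length
    return order[mu + (n - mu) % lam]


START = (0x12, 0x34)              # constructed initial (Va, Vb)


def key_byte(index: int) -> int:
    """Va ^ Vb after 4**index applications of mutate (assumed schedule)."""
    va, vb = iterate_fast(mutate, START, 4 ** index)
    return va ^ vb


def decrypt(data: bytes) -> bytes:
    """Each character decrypts as byte ^ Va ^ Vb; XOR makes this its own inverse."""
    return bytes(c ^ key_byte(i) for i, c in enumerate(data))


if __name__ == "__main__":
    cipher = decrypt(b"constructed sample text")   # encrypt == decrypt
    print(decrypt(cipher))
```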
rev/ 1983
We were given one windows exe file 1983.exe. First I checked normal strings from the binary and found some useful strings like flag>, correct and wrong, so it was clear it is asking for flag and checking it inside the program.
Opening it in disassembler showed that the binary was very obfuscated. It was using some VM like logic, with weird register changing and control flow flattening, so normal static reversing was looking very painful. But the important thing was that the program was generating the correct flag in memory before taking our input.
So instead of fully reversing the whole VM, I went near the final check where it compares our input with the generated buffer. The program checks that input length is 0x71, means 113 bytes. Then it compares our input with the buffer present on stack. So I emulated the program till before input is asked and dumped that generated stack buffer.
That buffer directly gave the flag.
Flag: THEM?!CTF{R3V3R53_3X3CU710N_VM_W17H_MU7471NG_R3G1573R5_4ND_C0N7R0L_FL0W_FL4773N1NG_M4K35_57471C_4N4LY515_P41NFUL}
rev/ NightNight
APK was given. First I unzip the apk and checked files. There were 2 strange files in assets and also native library libsilence.so.
Java code was not having flag directly. It was only loading native lib:
System.loadLibrary("silence");
Night.loadKey(getAssets());
Then app was calling:
Night.prepareVM()
Night.getKey()
VM.getFlag(key)
So main logic was inside native .so.
First asset was used by native function and it gave this key:
3a7f91c0de42b6a845f03e19c8d72ab5f60e4d13
Then this key was used to decrypt second asset. It was AES-CBC encrypted with PBKDF2 SHA1, 100000 iterations. After decrypting it, we got one hidden dex file.
In that dex there was class:
lab.hiddenvm.RealVM
It also had fake flag:
nightjar{silent}
But this was wrong because it was only decoy.
Real function was getFlag(). It made SHA256 with key and some hardcoded bytes, then again called native Night.bridge(). That gave final AES key. Using that key to decrypt final ciphertext gave flag.
Flag:
THEM?!CTF{D0_Y0u_H4v3_A_G00d_T1m3?}
So basically challenge was Java wrapper -> native code -> encrypted dex -> fake flag -> real AES decrypt.
rev/🦀?
There is an embedded Python bytecode (.pyc) file in the Rust binary. After extracting the .pyc file and decompiling it into a .py file, we see that the flag is encrypted using an XOR operation with a polynomial.
rev/Lesgo - 100 points
We are given a stripped Go binary. Using GoReSym we can rename the functions in Ghidra. The main function contains 5 “nodes”, and each node has a checker function. Each checker function grabs an encoded part of the flag from memory and performs some or the other operation (XOR) to reconstruct the flag in 5 pieces. So we can extract the encoded flag pieces, perform the decoding ourselves and retrieve the flag.
forensics
forensics/ Woɹsǝ - 100 points
So we were given an audio file. The spectrogram of which led us to a pastebin. Challenge name is Morse flipped, so I ran the audio file through Audio Morse decoder which gave us the password, THEM?!ONTOP. Entering the password in the pastebin gave us the flag: THEM?!CTF{1F_Y0U_F0UND_TH1S_S4Y_TH3M?!_0N_T0P_13298}
forensics/ HexDumb - 100 points
Image of hexdump given. Convert those into a zip file. Zip file is password-protected, so cracked it using john, love@123. Get flag from unzipped archive : THEM?!CTF{XXD_0R_XD}
forensics/ bite - 100 points
Exhausting challenge. Hated this one.
answers = [
"https://mega.nz/folder/N3lBVQQT#AeiSi9X_pkYU29Xxz4tAzg",
"2026-05-25 07:15:00",
"[email protected]",
"Your FREE Aimbot License Key Inside!",
"ThunderBird",
"bite.exe",
"2026-05-29 12:40:05",
r"C:\Users\felisa\Downloads\bite.zip",
"felisa",
"2ec8f83b-8ec8-453b-8c2f-5a6a1773fe8b",
r"HKLM\SOFTWARE\Microsoft\Cryptography",
"fba69a6f8d51e9cf32db3b8f5dc7750c80745b0865e4d22dcd0cb8223a98b6ab",
"FindResourceA",
"100",
"RCDATA",
"e456bac6661a5c29",
"svchost.exe",
"05bea37c91062cefcd3f845b54d971090cf3eb89ce6a9e07cb5095a9e4700220",
"Go",
"thisissafepasswordbronocapongod",
"SHA256",
"a2801dc6ee7154284c308f52f8cadb7e",
"bc10b391f3054bb1481bd9647bf4b453",
"AES-128-CBC",
"PKCS7",
".snake",
"1",
"2026-05-29 12:41:27",
"95871f0fe8437b2d229ea960edd9581973af2c5b635555288c5774c6597c04b2",
"README_DECRYPT.txt",
"bc1qsnek55m3l0v3r1337deadbeef00000000000",
"4",
"1110",
"Felisa_2026-05-28_6.7",
"Project Alpha.docx.snake"
]
Used pwntools to automate it.
forensics/ Confidential 1/2 (100)
The flags were written and hidden inside the PDF. When I saw the black paste I just tried to click and run my mouse over it, and it just got selected (‘THEM?!CTF{R3TR1V3D_SUCC3SSFULLY}’). For the other flag I tried similar things, and I noticed that on pages 1 and 3, at the end, there was something small hidden. When I zoomed in I saw the flag (‘THEM?!CTF{N0T_3V3RYTH1NG_TH4T_1SNT_V1S1BL3_1S_N0N3X’)
forensics/ Kenjiro’s Notes (711)
Description Updated Desc: can you find the online notes !? Note: this challenge is sloppable by ai agents, but it’s good to learn what vol3 can do file: https://drive.google.com/drive/folders/1f70kGz1XESN9bnDP6g_yEaOj_2BNsZAJ?usp=sharing
Shit challenge… loadssss of dumps :_)
First of all, if you get stressed by seeing wtf, how to read all the dumps, so I too have used AI a lot for analysing the dumps in this challenge. (Hoping one day I could do it organically though :_) )
Also it would look like a straight path, but had too many failed attempts and wrong paths in between, so dw if you think how to even get to this part.
Ok so first started by checking the operating system and memory profile.
$ vol -f sphinx.mem windows.info
And got its a:
Windows 10
Build 15.19041
System Time(memory image timestamp) : 2026-05-29 14:30:20+00:00
Now let's see the running processes:
$ vol -f sphinx.mem windows.pslist
Some of the processes that stood out: msedge.exe, KeePass.exe, powershell.exe, cmd.exe, onedrive.exe
Did a lot of investigation on the others for no use, the challenge had a lot of noises and red-herrings -_-.
Then on KeePass.exe with PID 5776, which suggests some passwords,etc involved.
Then searched the memory for .kdbx files.
A KDBX file (KeePass Database file) is a secure, encrypted database file used to store sensitive information like website logins, usernames, passwords, and notes.
$ vol -f sphinx.mem windows.filescan | grep -i kdbx
0xc68d9248f330 \Users\student\Documents\important\vQM3mhQH.kdbx
This revealed a database:
C:\Users\student\Documents\important\vQM3mhQH.kdbx
Then tried dumping the db using its virtual address:
$ mkdir kdbx_dump
$ vol -f sphinx.mem -o kdbx_dump windows.dumpfiles --virtaddr 0xc68d9248f330
Cache FileObject FileName Result
DataSectionObject 0xc68d9248f330 vQM3mhQH.kdbx Error dumping file
SharedCacheMap 0xc68d9248f330 vQM3mhQH.kdbx file.0xc68d9248f330.0xc68d914c7a20.SharedCacheMap.vQM3mhQH.kdbx.vacb
Ok so Volatility couldn’t dump the exact file object but successfully produced a recoverable .vacb cache file. Verifying the file type confirms it is intact:
file kdbx_dump/*
# Keepass password database 2.x KDBX
Manually recovering the database by renaming(its just possible: “gemini”):
cp kdbx_dump/file.0xc68d9248f330.0xc68d914c7a20.SharedCacheMap.vQM3mhQH.kdbx.vacb vQM3mhQH.kdbx
Ok so tried opening it by keepassxc, but it was password protected.
Now lets find password (tbh atp somehow gpt just gave me from previous dumps, freaking luck ig. Prolly, the challenge was based on this part only, says the flag. But now lets see how it came/ how it could be extracted).
What happened behind the scene:
So KeePass 2.x suffers from a memory disclosure issue where master password keystrokes can remain partially recoverable (CVE-2023-32784).
Dumping the KeePass Process: Since KeePass was actively open in memory, we dump its process memory for analysis.
mkdir keepass_dump
vol -f sphinx.mem -o keepass_dump windows.memmap --pid 5776 --dump
This gives a dump file : pid.5776.dmp
Run strings on the dump:
strings -el keepass_dump/pid.5776.dmp | grep -i -A 200 -B 200 "vQM3mhQH.kdbx"
In between somewhere you will get this:
Microsoft Sans Serif
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
System
KeyPromptForm
ObjectDisposed_Generic
Cannot access a disposed object.
Open Database - vQM3mhQH.kdbx
Open Database - vQM3mhQH.kdbx
(None)
(None)
&gZLEyu76vA$w
&gZLEyu76vA$w
Which is probably the intended password &gZLEyu76vA$w.
Ya somehow I provided this strings dump to gpt earlier and it got the password. Luckk I’ll say.
Ok now back.
So now we have the password and the database file, open it.
keepassxc vQM3mhQH.kdbx
Enter password and ok something we got.

Just a password text inside it??? What! Again got stuck here. I left the challenge after a while of getting nothing.
Here comes the hint
Updated Desc: can you find the online notes !?
Take a close look at the filenames and database group names we got:
- vQM3mhQH
- mcEzZYtn
Standard structure pastebin.com link. Also earlier, through strings analysis of memory we saw heavy traffic with pastebin.com. Somehow while re-viewing the challenge thought just to try… and yup it worked.
https://pastebin.com/mcEzZYtn
https://pastebin.com/vQM3mhQH
Both links were password protected, and opened with sup3r_sup3r_secret_0214 which we got inside the keepass db, and it gave the flag…
Another path: As said in the description the challenge was sloppable by AI agents. So just give the 1GB memory dump to some AI agent setup and it will probably give you the links (some people in discord claimed they did this way :)…nvm).
misc
misc/ Chaos
We were given one audio file chaos.wav. First I tried normal things like checking metadata, strings and listening to the audio, but nothing useful flag was directly visible. The audio was just sounding like weird tones/noise, so I thought maybe it is not normal sound but some encoded data.
Then I opened the audio in spectrogram/audio tools and noticed it had SSTV type signal pattern. SSTV is a way to send image using audio frequencies. So the idea was that the flag is probably hidden inside an image which is encoded in the wav file.
After that I decoded the wav using SSTV decoder. The mode was PD120, and after decoding it gave an image. The flag was clearly written inside that decoded image.
So the trick was not to extract text from wav directly, but convert the SSTV audio into image.
Flag: THEM?!CTF{YOU_ARE_A_SSTV_CHAMPION}
misc/ Extraterrestrial (964)
Description: Ninjahere a malicious scientist, created a trouble by inventing a medium to communicate with extraterrestrial creatures, but soon he was caught and expelled for breaching the code of conduct, he was then handed over to FIB for further investigation, but it was later found that he escaped the custody. Last time he was seen near a graffiti mural, A CCTV image of the location is given, FIB is now tracing him down and they expect to find some clue in the location, can you help them? they assume ninjahere left a clue for a secret meeting in a new venue… Flag format: THEM?!CTF{} (all uppercase)
So it gave an image in the challenge file. Started with a google image search of the image. Got a similar looking image in this instagram post:
https://www.instagram.com/p/DBFg4aGoLGR/
Compared both images, there was a small difference in the image at the shoulder of the cyber girl.
ORIGINAL:

CHALLENGE IMAGE:

ZOOMED IMAGE:

Looks like some characters/symbols. Searched on dcode.fr for symbol ciphers.
Got one: Halo Covenant Language
Hard to identify the similar pattern, but can do, if you see closely(zoooooom in more), some triangles are there placed over each other and then little spaces in between.

By putting in the symbols, got the flag text as BERLIN
misc/ Root Access 1 (100)
Initially the connection sent you to a website repeating a radio signal that gave the minecraft server ip and port.
We had to complete 5 tasks out of 8.
Rest all were Minecraft Skills :)
misc/ corrupted (964)
Description: A friend asked me if me, who stepped into the ctf world as a file repair-er, would author a file repair chall. Well… yeah sure. Here is a file, its broken 😭
We are given a file hmm:
$ file hmm
hmm: data
Ok so some data file.
xxd hmm | head
00000000: 0000 000d 4948 4452 0000 0088 0000 0088 ....IHDR........
Maybe header corruption. Tried reconstructing the file to a png
$ printf '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A' | cat - hmm > image.png
but then:
$ pngcheck image.png
image.png CRC error in chunk IHDR (computed b3d83405, expected b3d83404)
So maybe the png is a red-herring, went on to investigate further on the initial challenge file…
Then did binwalk on the initial file:
$ binwalk hmm
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
259 0x103 AU audio data, 3590783032 sample rate, 1112560384 channels
303 0x12F XML document, version: "1.0"
558 0x22E MP3 ID3 tag, v2.3
706 0x2C2 EBML file
797 0x31D 7-zip archive data, version 0.60
804 0x324 XML document, version: "<Ma"
942 0x3AE GIF image data 18235 x 16720
1026 0x402 JAR (ARJ Software, Inc.) archive data
1095 0x447 MMF sequence date
1232 0x4D0 StuffIt Archive (data): T!
1670 0x686 SQLite 3.x database,, user version 1346588493
1815 0x717 FLAC audio data, 489110Hz
2105 0x839 gzip compressed data, last modified: 1970-01-07 11:31:43 (bogus date)
2132 0x854 Windows Script Encoded Data (screnc.exe)
2151 0x867 WMA audio data
2572 0xA0C EBML file
2577 0xA11 EBML file
2675 0xA73 XML document, version: "1.0"
2928 0xB70 TIFF image data, big-endian, offset of first image directory: 5067350
3190 0xC76 StuffIt Archive
3473 0xD91 OGG audio data
3705 0xE79 BitTorrent file
3804 0xEDC XAR archive, version: 23666, header size: 123, TOC compressed: 8387445233644757362, TOC uncompressed: 2341165366879471104
4133 0x1025 xz compressed data
4365 0x110D xz compressed data
4898 0x1322 AU audio data, 3590783032 sample rate, 1112560384 channels
4942 0x134E XML document, version: "1.0"
5197 0x144D MP3 ID3 tag, v2.3
5345 0x14E1 EBML file
5436 0x153C 7-zip archive data, version 0.60
5443 0x1543 XML document, version: "<Ma"
5581 0x15CD GIF image data 18235 x 16720
5665 0x1621 JAR (ARJ Software, Inc.) archive data
5734 0x1666 MMF sequence date
5871 0x16EF StuffIt Archive (data): T!
6309 0x18A5 SQLite 3.x database,, user version 1346588493
6454 0x1936 FLAC audio data, 489110Hz
6744 0x1A58 gzip compressed data, last modified: 1970-01-07 11:31:43 (bogus date)
6771 0x1A73 Windows Script Encoded Data (screnc.exe)
6790 0x1A86 WMA audio data
7211 0x1C2B EBML file
7216 0x1C30 EBML file
7314 0x1C92 XML document, version: "1.0"
7567 0x1D8F TIFF image data, big-endian, offset of first image directory: 5067350
7829 0x1E95 StuffIt Archive
8112 0x1FB0 OGG audio data
8344 0x2098 BitTorrent file
8443 0x20FB XAR archive, version: 23666, header size: 123, TOC compressed: 8387445233644757362, TOC uncompressed: 2341165366879471104
8772 0x2244 xz compressed data
9004 0x232C xz compressed data
9294 0x244E Zlib compressed data, best compression
Reveals many files and fake herrings.
Went on to extract it:
$ binwalk -e hmm
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2105 0x839 gzip compressed data, last modified: 1970-01-07 11:31:43 (bogus date)
4133 0x1025 xz compressed data
4365 0x110D xz compressed data
6744 0x1A58 gzip compressed data, last modified: 1970-01-07 11:31:43 (bogus date)
8772 0x2244 xz compressed data
9004 0x232C xz compressed data
9294 0x244E Zlib compressed data, best compression
WARNING: One or more files failed to extract: either no utility was found or it's unimplemented
Ok so got something, lets view what files they are:
/_hmm.extracted$ file *
1025: empty
1025.xz: XZ compressed data, checksum
110D: empty
110D.xz: XZ compressed data, checksum
1A58.gz: gzip compressed data, last modified: Wed Jan 7 11:31:43 1970, original size modulo 2^32 2204123822
2244.xz: XZ compressed data, checksum
232C.xz: XZ compressed data, checksum
244E: glTF binary model, version 2, length 55444 bytes
244E.zlib: zlib compressed data
839.gz: gzip compressed data, last modified: Wed Jan 7 11:31:43 1970, original size modulo 2^32 2204123822
Got something interesting, a glTF file data… renamed it to its extension of .glb … mv 244E flag.glb
Opened it in a 3D web viewer https://sandbox.babylonjs.com/
Got two words written : imagee. and l6ZAK1o, got stuck at this point.
Then after a while from somewhere got hit it may point towards imgur.com, a website where images are posted to share with, used in ctfs.
Searched for the link format of imgur and then opened this:
imgur.com/a/l6ZAK1o
Which gave the flag… :)
misc/ Gibberish
txt file given with lot of chinese characters. Dumped into Cipher identifier to find that it is ROT8000. Decoding that gave us Malbolge code. Running the code in an interpreter gave us some incorrect flag which I confirmed with the admins. Turns out you had to see the bytes in extended ASCII, giving us the flag.
Flag: THEM?!CTF{³úºd»5c«f±$-§¹Uõ'}
misc/ 🧅🧅🧅
Order of decryption:
base 100 -> rot13 -> hex -> base62 -> base45 -> base32 -> base64 -> DNA codes
flag text was: weird_ahh_onion_obfuscation
THEM?!CTF{weird_ahh_onion_obfuscation}
misc/ Git-art
We got a zip file which had a git repo inside it. First I checked the normal git history to see if flag is present in any commit.
git log --all --oneline
But it only showed one commit, something like initial commit and nothing useful was there. The README had a hint saying:
Find the lost painting. The artist left no traces on any branch.
So from this I thought maybe the commits are not in any branch but still present in git objects. Then I checked for unreachable objects using:
git fsck --full --no-reflogs --unreachable
This showed many unreachable commits. These commits were hidden from normal git log because no branch was pointing to them.
Then I started checking those commits and found many commits by author named Flag Painter. The commit messages were like this:
Update 0-0
Update 12-5
Update 208-4
So this looked like coordinates in form of X-Y. The values were from X = 0 to 208 and Y = 0 to 6, so it was making a grid of 209 columns and 7 rows.
This also made sense because git art is usually made using commit dates, like GitHub contribution graph. Each commit is one box/pixel in the graph.
So I extracted all the coordinates from the hidden commits and plotted them on a 7 row grid. Filled coordinate means filled pixel and empty coordinate means blank pixel. After printing this grid, it showed big ASCII art text.
The text gave the flag:
THEM?!CTF{THAT_IS_A_GOOD_ASCII_ART}
Flag: THEM?!CTF{THAT_IS_A_GOOD_ASCII_ART}
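The plotting step in code, as an added example that is not the author's script: the fsck output, commit ids and commit subjects below are constructed, and in a real repository each subject would come from `git log -1 --format=%s <sha>` for every unreachable commit.

```python
import re

# `git fsck --unreachable` prints one "unreachable <type> <sha>" line per object.
FSCK_COMMIT = re.compile(r"^unreachable commit ([0-9a-f]{7,40})$")
# Commit subjects of the form "Update X-Y" carry one pixel each.
SUBJECT = re.compile(r"^Update (\d+)-(\d+)$")


def unreachable_commits(fsck_output: str) -> list:
    """Keep only commit ids; blobs and trees are not pixels."""
    ids = []
    for line in fsck_output.splitlines():
        m = FSCK_COMMIT.match(line.strip())
        if m:
            ids.append(m.group(1))
    return ids


def render(subjects, rows: int = 7) -> list:
    """Plot X-Y subjects on a grid with `rows` rows; returns one string per row."""
    pixels = set()
    for subject in subjects:
        m = SUBJECT.match(subject.strip())
        if not m:
            continue                      # unrelated commit message
        x, y = int(m.group(1)), int(m.group(2))
        if y < rows:
            pixels.add((x, y))
    if not pixels:
        return []
    width = max(x for x, _ in pixels) + 1
    return ["".join("#" if (x, y) in pixels else "." for x in range(width))
            for y in range(rows)]


def painting(fsck_output: str, subject_of: dict) -> list:
    """Join the two steps: unreachable commit ids -> subjects -> grid."""
    return render(subject_of[sha] for sha in unreachable_commits(fsck_output))


# Constructed sample: nine pixel commits drawing a 3-column "T",
# one unrelated commit and one unreachable blob.
SAMPLE_SUBJECTS = {
    f"{i:040x}": s for i, s in enumerate(
        ["Update 0-0", "Update 1-0", "Update 2-0", "README tweak"]
        + [f"Update 1-{y}" for y in range(1, 7)], start=1)
}
SAMPLE_FSCK = "\n".join(
    ["unreachable blob " + "f" * 40]
    + [f"unreachable commit {sha}" for sha in SAMPLE_SUBJECTS]
)

if __name__ == "__main__":
    print("\n".join(painting(SAMPLE_FSCK, SAMPLE_SUBJECTS)))
```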