## I. Introduction
- TEAM: `KCSC`
> The first CTF I played after coming back home, and the first time I have teamworked this closely with the RE guys hehe :fire:. Sadly we only solved 4/5 challenges; I will update this with more.

## II. Writeups
### 1. REV - Game 1 - Untitled Game
- It is quite a simple challenge: there is nothing to do except run the game. Below are some pictures of its gameplay:

![Capture0](https://hackmd.io/_uploads/rkBQudK5yl.png)
![Capture1](https://hackmd.io/_uploads/ryeSYuK5Jx.png)
![Capture2](https://hackmd.io/_uploads/HyT1q_Y9kx.png)
![Capture3](https://hackmd.io/_uploads/S15RdOYcyg.png)

- There is a sound that plays continuously: `To make this work, I need to get out first`. At first it seemed like nonsensical information, until I switched to another window to see if the game's files were created. And this is what I got.

![image](https://hackmd.io/_uploads/HkcsKuY5yx.png)

- The `flag` is shown each time I interact with the computer. However, the flag may be different from the password of the computer :face_with_monocle:

![Capture4](https://hackmd.io/_uploads/SydehOt9yg.png)

> ~~`KashiCTF{N07_1N_7H3_G4M3}`~~

### 2. MISC - Game 2 - Wait
- Quite simply, the challenge requires us to wait 172800 seconds for the flag to print:

![image](https://hackmd.io/_uploads/S1bBoX991e.png)

- Undeniably, no one wants to wait. But analyzing it in IDA is scary because of its large size and garbage. Putting it in `HxD`, I tried to find the number `172800` so I could patch the program to speed it up:

![image](https://hackmd.io/_uploads/B1D72mc9kg.png)

- However, it turned out I saw another, cleverer way to solve it:

![image](https://hackmd.io/_uploads/H1a_n79cke.png)

- There is a bunch of vectors above the text I searched for.
After minutes of guessing how the game behaves, I concluded that these vectors form the flag image, and below is what I did:

:::spoiler script
```python=
import matplotlib.pyplot as plt

# (x, y) points copied from the binary, in the order they appear there
arr = [(232,128),(232,80),(232,96),(232,112),(232,144),(232,160),(232,176),(248,112),(265,103),(281,87),(248,128),(264,144),(272,160),(280,176),
       (343,120),(327,128),(319,144),(319,160),(327,176),(343,176),(359,176),(367,160),(367,144),(367,128),(359,120),(375,168),(391,176),
       (343,120),(327,128),(327,176),(343,176),(359,176),(367,160),(367,144),(367,128),(359,120),(375,168),(391,176),
       (335,376),(335,360),(335,344),(335,328),(335,312),(335,296),(351,328),(367,320),(375,304),(375,376),
       (415,376),(415,360),(415,344),(415,328),(415,312),(415,296),(431,312),(447,304),(463,296),(367,360),(351,344),
       (471,104),(455,104),(439,104),(423,112),(423,128),(423,144),(439,144),(455,144),(471,144),(471,160),(463,177),(455,177),(439,177),(423,177),
       (513,89),(513,121),(513,137),(513,153),(513,169),(513,177),(513,105),(529,145),(545,145),(553,153),(553,169),(553,177),
       (185,291),(185,323),(185,339),(185,355),(185,371),(185,379),(185,307),(201,347),(217,347),(225,355),(225,371),(225,379),
       (977,291),(977,323),(977,339),(977,355),(977,371),(977,379),(977,307),(993,347),(1009,347),(1017,355),(1017,371),(1017,379),
       (593,177),(593,161),(593,145),(593,129),(593,89),
       (693,84),(677,84),(661,84),(645,84),(629,84),(629,100),(629,116),(629,132),(629,148),(629,164),(629,180),(645,180),(661,180),(677,180),(693,180),
       (149,284),(133,284),(117,284),(101,284),(85,284),(85,300),(85,316),(85,332),(85,348),(85,364),(85,380),(101,380),(117,380),(133,380),(149,380),
       (733,84),(749,84),(765,84),(781,84),(797,84),(765,100),(765,116),(765,132),(765,148),(765,164),(765,180),
       (853,180),(853,164),(853,148),(853,132),(853,116),(853,100),(853,84),(869,84),(885,84),(901,84),(917,84),(869,124),(885,124),(901,124),
       (45,260),(29,276),(37,292),(37,308),(29,324),(13,340),(29,353),(37,369),(37,385),(29,400),(45,416),(45,416),
       (1062,257),(1076,270),(1068,286),(1068,302),(1076,318),(1092,334),(1077,350),(1069,366),(1069,382),(1077,398),(1061,414),
       (29,276),(37,292),(37,308),(29,324),(13,340),(29,353),(37,369),(37,385),(29,400),(45,416),(45,416),
       (301,336),(301,352),(301,368),(301,376),(301,320),(301,304),(285,344),(269,344),(253,344),(261,336),(269,320),(285,304),(301,288),
       (525,336),(525,352),(525,368),(525,376),(565,376),(581,376),(597,376),(613,376),(629,376),
       (717,376),(701,360),(693,344),(685,328),(677,312),(669,296),(661,280),(733,362),(741,346),(749,330),(757,314),(765,298),(773,282),
       (797,322),(805,338),(821,354),(837,346),(845,330),(851,318),(819,366),(811,382),
       (891,318),(891,334),(891,350),(891,366),(899,382),(915,382),(931,382),(939,374),(939,358),(939,342),(939,326),(939,318),
       (525,320),(525,304),(509,344),(493,344),(477,344),(485,336),(493,320),(509,304),(525,288)]

# Split the points into x and y series and draw them as a scatter plot
x, y = zip(*arr)
plt.scatter(x, y)
plt.xlabel('X-axis')
plt.ylabel('Y-axis')
plt.title('Flag')
plt.show()
```
:::

![Figure_1](https://hackmd.io/_uploads/HJW7pQ99kl.png)

- It seemed to be upside down, so I added `y = [-i for i in y]` and here we are:

![Figure_2](https://hackmd.io/_uploads/ByPPTX9q1e.png)

> ~~`KashiCTF{Ch4kr4_Vyuh}`~~

### 3. REV - Game 3 - CatSeaBank
- Another simple challenge. I was given a folder of a Unity game named `CatSeaBank`. After taking time to read instructions on [how to reverse Unity game](https://github.com/imadr/Unity-game-hacking), I ran the game; below is the gameplay:

![image](https://hackmd.io/_uploads/B1VRPjtc1g.png)
![image](https://hackmd.io/_uploads/H1AAPoKcJe.png)
![image](https://hackmd.io/_uploads/SJck_iK9kl.png)

- There are two NPCs that I have to care about: the first is the bank vault (NPC 1), the second is the man in the purple cape who says something about twisting the vault's logic (NPC 2). The `Assembly-CSharp.dll` is important as it contains the compiled C# code, and I should analyze it using `dnSpy`.
- Our character needs at least 2000 to give NPC 2; however, the bank balance is 1000, so I can't withdraw that much.
- Let's take a look at the vault's logic to look for something exploitable:

:::spoiler Deposit logic
```C#
// BankPanel
// Token: 0x06000003 RID: 3 RVA: 0x000020FC File Offset: 0x000002FC
public void DepositAmount()
{
	string text = this.depositField.text.Trim();
	int num;
	if (text == "")
	{
		num = 0;
	}
	if (!int.TryParse(text, out num))
	{
		this.errorMessageText.text = "";
		return;
	}
	// Only an upper bound is checked; num is never required to be positive.
	if (num <= PlayerData.Instance.currentBalance)
	{
		PlayerData.Instance.DepositToBank(num);
		this.errorMessageText.text = string.Format("Deposit successful. New bank balance: {0}", PlayerData.Instance.bankBalance);
		return;
	}
	this.errorMessageText.text = "Player can only deposit amount less than or equal to their current balance.";
}
```
:::

:::spoiler Withdraw logic
```C#
// BankPanel
// Token: 0x06000002 RID: 2 RVA: 0x00002068 File Offset: 0x00000268
public void WithdrawAmount()
{
	string text = this.withdrawField.text.Trim();
	int num;
	if (text == "")
	{
		num = 0;
	}
	if (!int.TryParse(text, out num))
	{
		this.errorMessageText.text = " ";
		return;
	}
	// Same pattern: only an upper bound on num.
	if (num <= PlayerData.Instance.bankBalance)
	{
		PlayerData.Instance.WithdrawFromBank(num);
		this.errorMessageText.text = string.Format("Withdrawal successful. New bank balance: {0}", PlayerData.Instance.bankBalance);
		return;
	}
	this.errorMessageText.text = "Player can only withdraw amount less than or equal to their bank balance.";
}
```
:::

- In both cases, the amount of money is not required to be larger than 0, which means I can deposit a negative number to increase our balance:

![image](https://hackmd.io/_uploads/BJjEsjFcJl.png)
![image](https://hackmd.io/_uploads/SyJIijK51e.png)

- 5000 is enough; now I can give NPC 2 what he demands:

![image](https://hackmd.io/_uploads/r1x9sst9ye.png)

- To be honest, at first I thought that wisdom was a flag, but it turned out that it was not.
It was just a hint (in audio) for finding the flag. This is what I got (not sure if I heard it clearly):

```!
The Echoes of Truth lie not in the open but within the very fabric of this world. The Architects have bound their secrets inside the vessels core hidden among its many forms dig through the buried artifacts extract what is unseen and seek the whispers trapped in waves only by unearthing the Lost fragments those sealed within the archives. Will the melody reveal its truth?
```

- There are hints about `extracting`, `waves` and `melody`, which lead us to the conclusion that the flag file is hidden in the sound wave. Using [that tool](https://github.com/SeriousCache/UABE/releases/tag/v3.0-beta1) to extract the game assets, I got:

![image](https://hackmd.io/_uploads/BJs6TsKqJg.png)

- But it was compressed down to only 92 bytes (not sure if it's due to the beta version of the decompression program), so I had to decompress it back. After searching for a while, I found that [that website](https://www.online-convert.com/result#j=23ea8633-d038-4e27-8151-36f0d2c681d0) could help us recover the `flagfile.wav`.
- Finally, the [spectrum analyzer decoder](https://www.dcode.fr/spectral-analysis) helped us solve this challenge, though it was quite difficult to read:

![image](https://hackmd.io/_uploads/BydnD3Fckx.png)

> ~~`KashiCTF{1t_Wa5_Ju5t_4_Tutori4l_RIP}`~~

### 4. REV - You Should Rev This
- This one is not as simple as the two challenges before: all the instructions have been changed to only `mov`. This technique is called `movfuscation` and here is the [tool by xoreaxeaxeax](https://github.com/xoreaxeaxeax/movfuscator). Deobfuscating that program is quite ||fu*king|| hard, so I had to try another, clearer way.
- There are some writeups that I referred to: [perf approach 1](https://guyinatuxedo.github.io/22-movfuscation/recon_movfuscated/index.html), [perf approach 2](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html), [angr approach](https://github.com/smholsen/0ctf_momo_3/blob/master/solve.py), [trial & errors approach](https://balsn.tw/ctf_writeup/20181006-hackoverctf/#flagmaker), and I'm really impressed by how the solver used `perf` to solve that challenge. This is also my way of solving it:

:::spoiler script
```python=
from subprocess import Popen, PIPE, STDOUT

# Define the path to perf once
perf_path = "/usr/lib/linux-tools/5.15.0-133-generic/perf"
target_binary = "/mnt/d/Backup/REVERSING/CTFs/Kashi CTF/You Should Rev This/chal"
# -x, prints CSV; instructions:u counts user-space instructions only
cmd = f"{perf_path} stat -x, -e instructions:u \"{target_binary}\""

key = b''
# The loop has no stop condition; stop it by hand once the key is complete.
while True:
    maximum = 0, b''
    for i in range(0x20, 0x7f):
        p = Popen(cmd, stdout=PIPE, stdin=PIPE, stderr=STDOUT, shell=True)
        _input = key + bytes([i])
        stdout, _ = p.communicate(input=_input)
        # Third output line is perf's CSV record; its first field is the count
        nb_instructions = int(stdout.split(b"\n")[2].split(b",,")[0].decode())
        # Keep the candidate byte that makes the binary execute the most instructions
        if nb_instructions > maximum[0]:
            maximum = nb_instructions, bytes([i])
    key += maximum[1]
    print(key)
```
:::

- Due to the errors of my WSL (and I don't know how to use `sys.path` either), I had to spell out the full path like this :cry:.

![image](https://hackmd.io/_uploads/H1JvYb9c1g.png)

- The password is:

![image](https://hackmd.io/_uploads/HJZqi-95Jx.png)

- I thought it would be `d0m4scr3at3ds0m3th1ng1nt3r3st1ng` at first, but after several trials, the real one is `d0m4scr3at3ds0m3th1ng1nt3r3st1n`, and here is our flag:

![image](https://hackmd.io/_uploads/HkRk2W5cke.png)

> ~~`KashiCTF{d1d_y0u_r3v_17_GRX4UwjgC}`~~

#### Note:
- My teammate [TungDvan](https://github.com/TungDvan) did actually reverse it all :sunglasses:, I still don't understand how he can :face_with_raised_eyebrow:

### 5. Osint - Who am I ??
- The description is:

![image](https://hackmd.io/_uploads/HkIIRZq5yl.png)

and the given image:

![Road_Not_Taken](https://hackmd.io/_uploads/H1MuCW9q1l.jpg)

- I can see the `DUNA HO` text and some political campaign posters on what appears to be a Hungarian street. It would definitely be `Duna House` in Hungary. After checking the locations one by one on Google Maps, I found [this](https://www.google.com/maps/place/Duna+House+-+Damjanich+street/@47.5065429,18.9983946,3662m/data=!3m1!1e3!4m10!1m2!2m1!1sDuna+House!3m6!1s0x4741dc7b992e0fad:0x7b74e942eed5913a!8m2!3d47.503281!4d19.055284!15sCgpEdW5hIEhvdXNlIgOIAQGSARlyZWFsX2VzdGF0ZV9yZW50YWxfYWdlbmN54AEA!16s%2Fg%2F1tgnkvvh?entry=ttu&g_ep=EgoyMDI1MDIxOS4xIKXMDSoASAFQAw%3D%3D), as the phone number matches.

![Screenshot 2025-02-24 222725](https://hackmd.io/_uploads/Bkagef5qJe.png)

- And the politician is [Endre Bajcsy-Zsilinszky](https://hu.wikipedia.org/wiki/Bajcsy-Zsilinszky_Endre)

> ~~`KashiCTF{Endre_Bajcsy_Zsilinszky}`~~

### 6. Painfully Slow (after)
- This one was originally written in Vietnamese for ease. Basically, this is Android reversing, an area I have only just started learning, so I am not fluent in it yet. Like the [tutorial](https://youtu.be/yoSOT6HkyZ0?si=-v8rvbjwSuAzeGFs) I watched, I start from `AndroidManifest.xml` and analyze `MainActivity`. I use `jadx` for the analysis:

![image](https://hackmd.io/_uploads/HyYpz0251g.png)

- As we can see, this Android app is a note-taking app with backup and restore functions for notes. However, according to the challenge description, the restore function seems to be broken.
![image](https://hackmd.io/_uploads/BkdcTC3q1l.png)

- We need to pay attention to the package `com.secure.notes` above; I go and find its `MainActivity`:

![image](https://hackmd.io/_uploads/S1HU7Ch91e.png)

- The function is quite long (and I don't understand any of it), and it decrypts a string that looks pretty sus:

```java
public MainActivity() {
    if ((12 + 7) % 7 <= 0) {
    }
    ((C1400e) this.f6957g.f2536d).m1644f(DecryptString.decryptString("bd89475ae46fc9903a5469b4fbabf8064798e1d6d1a4aeb6f60541b3174f9251"), new C1396a(this));
    m2330j(new C1439a(this, 1));
    this.f7449F = new Object();
    this.f7450G = false;
    m2330j(new C1439a(this, 0));
    this.f7451H = new C0026u(new C0552o(new WeakReference(this)));
}
```

- Cross-referencing this decrypt function, I see ![image](https://hackmd.io/_uploads/rki07Rhqye.png) nearly 7k strings being decrypted :cry:. Guessing that this is how the program obfuscates and hides its strings, I went to the underlying decrypt function:

![image](https://hackmd.io/_uploads/S1fVNCncJg.png)

```java
public static String decipher(String str) throws Exception {
    // Key = PBKDF2-HMAC-SHA1(password, salt = same string, 128 iterations, 256 bits)
    SecretKeySpec secretKeySpec = new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec("r3UKMIuOqoBGxTy6oo86FP4MXwVj1UVS".toCharArray(), "r3UKMIuOqoBGxTy6oo86FP4MXwVj1UVS".getBytes(), 128, 256)).getEncoded(), "AES");
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(2, secretKeySpec); // 2 = Cipher.DECRYPT_MODE
    return new String(cipher.doFinal(toByte(str)));
}
```

- So the cipher used for the obfuscation here is `AES/ECB`, with the `key` derived through PBKDF2 from `password=salt=r3UKMIuOqoBGxTy6oo86FP4MXwVj1UVS`. From this I can easily recover the `key`:

![image](https://hackmd.io/_uploads/BJSHIC3cJe.png)

- The code was sponsored by ChatGPT, so do it yourselves, okay? `key = 99619726087289C36D83A4D6F8F382C3F219D401A21C2B2BCCAE0BC7121D8614`.
- From here, I decrypt all the strings I found.
I used [CyberChef](https://cyberchef.org/#recipe=AES_Decrypt(%7B'option':'Hex','string':'99619726087289C36D83A4D6F8F382C3F219D401A21C2B2BCCAE0BC7121D8614'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)) for the decryption. I took the data from Sơn:

![image](https://hackmd.io/_uploads/r1EddCncyx.png)

- After decrypting everything, I found a pretty sus string:

![image](https://hackmd.io/_uploads/B10-tC3c1l.png)

- Encrypting it back, I get the following string:

![image](https://hackmd.io/_uploads/ryI_KAh5Jg.png)

- Searching for it in the file leads to:

![image](https://hackmd.io/_uploads/S1tcKA351e.png)

- The function is as follows:

::: spoiler sus
```java=
public final Object mo2m(Object obj) {
    OutputStream openOutputStream;
    if ((10 + 30) % 30 <= 0) {
    }
    EnumC2199a enumC2199a = EnumC2199a.f8269d;
    int i4 = this.f5228h;
    if (i4 == 0) {
        AbstractC1460q.mdd753679(obj);
        C1375a c1375a = this.f5229i.f5235b.f4820e;
        this.f5228h = 1;
        obj = c1375a.m1634c(this);
        if (obj == enumC2199a) {
            return enumC2199a;
        }
    } else {
        if (i4 != 1) {
            throw new IllegalStateException(DecryptString.decryptString("8373656ae774c53e86146e46108b62cfe91efd9f6023a585156dec080e0ea47dfb38a2252790b5afc43b823aa3d98717"));
        }
        AbstractC1460q.mdd753679(obj);
    }
    String str = (String) obj;
    AbstractC1460q abstractC1460q = this.f5230j;
    Context context = ((C1534d) abstractC1460q).f5187a;
    String string = Settings.Secure.getString(context.getContentResolver(), DecryptString.decryptString("a8cb51f1e8ca37f419b7bcfa41a6c084"));
    AbstractC2629i.me1671797(string, DecryptString.decryptString("944c6f5076e8836c97f15317c3752e2a2f6ceb55177be8613468704def94cf95eb654c464548cfd664d134a82db2c8679ec44f7713c1d4852062a395fb1c6c24"));
    String m13313787 = AbstractC3359d.m13313787(string);
    AbstractC2832b.me1671797(16);
    // The shortened id is parsed as a hexadecimal integer
    BigInteger valueOf = BigInteger.valueOf(Integer.parseInt(m13313787, 16));
    String decryptString = DecryptString.decryptString("7a58d74ac244703dd9d91901cbcb3ac7");
    AbstractC2629i.me1671797(valueOf, decryptString);
    BigInteger valueOf2 = BigInteger.valueOf(6969696969696969696L);
    AbstractC2629i.me1671797(valueOf2, decryptString);
    BigInteger add = valueOf.add(valueOf2);
    BigInteger valueOf3 = BigInteger.valueOf(6969696969696969696L);
    AbstractC2629i.me1671797(valueOf3, decryptString);
    // (id + constant) * constant, as a big-endian byte array
    byte[] byteArray = add.multiply(valueOf3).toByteArray();
    byte[] bytes = str.getBytes(AbstractC3356a.f12019a);
    AbstractC2629i.me1671797(bytes, DecryptString.decryptString("d7b43352f159c37902d105773b5d357a"));
    AbstractC2629i.me1671797(byteArray, DecryptString.decryptString("ec492b96af3456bc8ca652b84e5c1e45"));
    // Key material = last 16 bytes of that array
    byte[] m5206560a = AbstractC2023l.m5206560a(byteArray, AbstractC2836f.m69691c7b(byteArray.length - 16, byteArray.length));
    Cipher cipher = Cipher.getInstance(DecryptString.decryptString("51d8486085461cf681eba09b42bb36c9504671bc93ac79cadf1763bd942bc07b"));
    // Random 16-byte IV
    byte[] bArr = new byte[16];
    new SecureRandom().nextBytes(bArr);
    cipher.init(1, new SecretKeySpec(m5206560a, 0, 16, DecryptString.decryptString("788853b0944d43c2ffe4bb17efd0e06c")), new IvParameterSpec(bArr)); // 1 = Cipher.ENCRYPT_MODE
    byte[] doFinal = cipher.doFinal(bytes);
    AbstractC2629i.me1671797(doFinal, DecryptString.decryptString("f010d2895978ae832251535e53ce54d9315cce3269786e25ba77316964cb58da"));
    int length = doFinal.length;
    // Output buffer = IV followed by the ciphertext
    byte[] copyOf = Arrays.copyOf(bArr, 16 + length);
    System.arraycopy(doFinal, 0, copyOf, 16, length);
    AbstractC2629i.m4a8a08f0(copyOf);
    ContentValues contentValues = new ContentValues();
    contentValues.put(DecryptString.decryptString("55a1fa6f849647ab8ee45b4fc6772bf6"), DecryptString.decryptString("440fa0b17ce768d8d1382d4010dc70803547f49ad97634b52fd4d41bd9ad6ede"));
    contentValues.put(DecryptString.decryptString("c6dca8836b71349226bdd9059524d6f8"), DecryptString.decryptString("35f6f3136c6e8badc7fc992119de391e041c9354b0640a15b86e1a76ce83547f"));
    contentValues.put(DecryptString.decryptString("dbc8740788326f66c2e0c58821679b86"), DecryptString.decryptString("d5534e894441627e3a5cc4b4642ae569"));
    ContentResolver contentResolver = context.getContentResolver();
    Uri insert = contentResolver.insert(MediaStore.Files.getContentUri(DecryptString.decryptString("d09f7e2ac4e55a4c80fff05a8f401434")), contentValues);
    if (insert != null && (openOutputStream = contentResolver.openOutputStream(insert)) != null) {
        try {
            openOutputStream.write(copyOf);
            Toast.makeText(((C1534d) abstractC1460q).f5187a, DecryptString.decryptString("b8a1d3d30de5b4a562613083e858f9ea45fdf00d2f94ff1d8ece8f2e5a805ddd087caf73746556e505614efb5e32e54e4cebee4b3b9f53158242cc845d711e67"), 1).show();
            AbstractC1460q.m7b8b965a(openOutputStream, null);
        } finally {
        }
    }
    return C1991n.f7598a;
}
```
:::

- This function's main role is the backup: it writes the encrypted string into the `.bkp` file. Following the flow once all the strings are decrypted, the program takes the last 6 hex digits of the `android_id` string (3 bytes), computes the `key` from them, generates an `iv`, encrypts the `data` with `AES/CBC` and writes `iv|enc` to the file. So to recover the encrypted data, I already have the `iv` (the first 16 bytes), and the `key` depends on only 3 bytes, which is `256 ** 3 = 2 ** 24` cases, roughly 8 minutes of brute force. The solve code is as follows:

```python=
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from tqdm import tqdm

with open("secure-notes-backup.bkp", 'rb') as file:
    given = file.read()

# File layout: 16-byte IV followed by the AES-CBC ciphertext
iv = given[:16]
encrypted = given[16:]
out = open("flag.txt", 'wb')

# android_id = 14946604
for android_id in tqdm(range(2**24, -1, -1)):
    try:
        # Same arithmetic as the app: (id + constant) * constant, 16 bytes big-endian
        key = long_to_bytes((android_id + 6969696969696969696) * 6969696969696969696)
        cipher = AES.new(key, AES.MODE_CBC, iv)
        # A wrong key fails either the padding check or the UTF-8 decode
        flag = unpad(cipher.decrypt(encrypted), AES.block_size).decode()
        out.write(flag.encode())
        out.close()
        break
    except ValueError:
        pass
```

- Finally, I get the flag:

::: spoiler flag.txt
```
[ { "color": -21615, "content": "Access granted to {f5V-g4} command. Temporarily redirect traffic to #subnet! {Update} proxychains-0405 complete, initiating layer 3 bypass. Override input_d1ffr3nt @sandbox. 
Data spikes detected: {analysis} incomplete. Buffer overrun error: {S3v3r17y level:high} – recalibrate. Awaiting {keygen} response. Sequence obfuscated! X9F_purge complete", "id": 3, "timestamp": 1740062993464, "title": "Nuke Access Pwned" }, { "color": -749647, "content": "Warning: Unsolicited {command} execution on node Z-r3x. Buffer overflow risk at location{4X} in RAM. Manual override required – engage test_protection level 8G. Re-routing through firewall-delta. {sync error} identified, solution encrypted in layer K-9. Rebooting {undefined} core, engage hardlock immediately. Intrusion log confirms {attempt} to decrypt_secure {c4dm1um_c0r3}. Proceed with force-quit after 3x retries. Data breach imminent!", "id": 4, "timestamp": 1740064791357, "title": "Sunday Log" }, { "color": 36434, "content": "K", "id": 54, "timestamp": 1740060518247, "title": "Never gonna tell a lie and hurt you" }, { "color": 469998, "content": "a", "id": 56, "timestamp": 1740060996851, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 767362, "content": "s", "id": 18, "timestamp": 1740060285194, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 1203932, "content": "h", "id": 7, "timestamp": 1740060730781, "title": "We know the game and we're gonna play it" }, { "color": 1543074, "content": "i", "id": 27, "timestamp": 1740060427492, "title": "Never gonna let you down" }, { "color": 2206012, "content": "C", "id": 25, "timestamp": 1740060997304, "title": "We know the game and we're gonna play it" }, { "color": 3758780, "content": "T", "id": 13, "timestamp": 1740060866316, "title": "Never gonna make you cry" }, { "color": 4065727, "content": "F", "id": 20, "timestamp": 1740060364383, "title": "Never gonna let you down" }, { "color": 4604875, "content": "{", "id": 35, "timestamp": 1740060218025, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 4890408, "content": "r", "id": 6, "timestamp": 1740060376398, 
"title": "Never gonna say goodbye" }, { "color": 5222517, "content": "1", "id": 28, "timestamp": 1740060615783, "title": "We know the game and we're gonna play it" }, { "color": 5307958, "content": "P", "id": 45, "timestamp": 1740060775176, "title": "And if you ask me how I'm feeling" }, { "color": 5387248, "content": "_", "id": 57, "timestamp": 1740060259043, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 5499089, "content": "C", "id": 21, "timestamp": 1740060868567, "title": "We've known each other for so long" }, { "color": 5516682, "content": "h", "id": 24, "timestamp": 1740060497888, "title": "Never gonna run around and desert you" }, { "color": 5593554, "content": "3", "id": 39, "timestamp": 1740060590195, "title": "Never gonna make you cry" }, { "color": 5836742, "content": "4", "id": 5, "timestamp": 1740060556387, "title": "Never gonna make you cry" }, { "color": 5938876, "content": "P", "id": 11, "timestamp": 1740060219670, "title": "Never gonna make you cry" }, { "color": 6091001, "content": "_", "id": 26, "timestamp": 1740060512293, "title": "Inside, we both know what's been going on" }, { "color": 6247025, "content": "o", "id": 31, "timestamp": 1740060035716, "title": "And if you ask me how I'm feeling" }, { "color": 7645409, "content": "8", "id": 33, "timestamp": 1740060095196, "title": "Never gonna run around and desert you" }, { "color": 7714761, "content": "F", "id": 32, "timestamp": 1740060903515, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 7776150, "content": "u", "id": 9, "timestamp": 1740060602748, "title": "Don't tell me you're too blind to see" }, { "color": 7847587, "content": "S", "id": 36, "timestamp": 1740060635300, "title": "Never gonna let you down" }, { "color": 8971511, "content": "C", "id": 19, "timestamp": 1740060148373, "title": "We've known each other for so long" }, { "color": 9072311, "content": "4", "id": 46, "timestamp": 1740060162143, "title": "Don't tell me 
you're too blind to see" }, { "color": 9385420, "content": "7", "id": 50, "timestamp": 1740060073947, "title": "We know the game and we're gonna play it" }, { "color": 9566546, "content": "1", "id": 53, "timestamp": 1740060787441, "title": "Never gonna tell a lie and hurt you" }, { "color": 9631259, "content": "o", "id": 34, "timestamp": 1740060940189, "title": "We've known each other for so long" }, { "color": 9906685, "content": "N", "id": 47, "timestamp": 1740060179098, "title": "Never gonna let you down" }, { "color": 10397659, "content": "_", "id": 30, "timestamp": 1740060589829, "title": "We've known each other for so long" }, { "color": 10527225, "content": "7", "id": 10, "timestamp": 1740060811128, "title": "Never gonna say goodbye" }, { "color": 10556508, "content": "_", "id": 14, "timestamp": 1740060391824, "title": "Never gonna give you up" }, { "color": -749647, "content": "Præparátur dominus, Káshī nûkelarī datūrum. Ex ignis pyrëx, ēvolvitur in pūtris fluxus, hæc urbs spûmâta. Atomos vaporis, incandēsco transitūrum, strīdōrum exārrēt. Trănsītus, isotopīca crātēs, mŏnstrum σάπιος infestābit. Vectōrēs prōtonūculīrē, cælo frangēntēs, ad obliviōnem mīseriam. 
Ex ætherē magnā, zygóris vērtem, quò plūmārum odorī suorum effluet.", "id": 1, "timestamp": 1740062326423, "title": "TODO nuke Kashi" }, { "color": 10690235, "content": "7", "id": 37, "timestamp": 1740060654792, "title": "Your heart's been aching, but you're too shy to say it" }, { "color": 10762054, "content": "_", "id": 22, "timestamp": 1740060308489, "title": "Inside, we both know what's been going on" }, { "color": 10788872, "content": "N", "id": 42, "timestamp": 1740060175172, "title": "And if you ask me how I'm feeling" }, { "color": 11057783, "content": "u", "id": 16, "timestamp": 1740060661713, "title": "Never gonna tell a lie and hurt you" }, { "color": 11204949, "content": "1", "id": 43, "timestamp": 1740060373573, "title": "Never gonna tell a lie and hurt you" }, { "color": 11298104, "content": "2", "id": 44, "timestamp": 1740060136680, "title": "We know the game and we're gonna play it" }, { "color": 11542653, "content": "3", "id": 38, "timestamp": 1740060399746, "title": "Never gonna make you cry" }, { "color": 12474085, "content": "_", "id": 29, "timestamp": 1740060128462, "title": "Inside, we both know what's been going on" }, { "color": 12616339, "content": "1", "id": 40, "timestamp": 1740060706255, "title": "And if you ask me how I'm feeling" }, { "color": 13164994, "content": "1", "id": 48, "timestamp": 1740060638531, "title": "Don't tell me you're too blind to see" }, { "color": 13952863, "content": "7", "id": 52, "timestamp": 1740060338112, "title": "We've known each other for so long" }, { "color": 14022702, "content": "_", "id": 49, "timestamp": 1740060225977, "title": "Don't tell me you're too blind to see" }, { "color": 14237961, "content": "8", "id": 15, "timestamp": 1740060248198, "title": "Never gonna make you cry" }, { "color": 14258608, "content": "H", "id": 41, "timestamp": 1740060894021, "title": "And if you ask me how I'm feeling" }, { "color": 14336094, "content": "u", "id": 12, "timestamp": 1740060166684, "title": "Never gonna make 
you cry" }, { "color": 14341870, "content": "_", "id": 17, "timestamp": 1740060798863, "title": "Never gonna make you cry" }, { "color": -1577573, "content": "Initialize {xN8-W34d!} protocols. Exfil data from zone_13 to {3R9@V5} by-pass 7g! Subversive {packet} interference detected. Must {decrypt} mainframe before quantum_hack. Invalid_signature, revert to {basecode}. Encrypt_48x*OQ failed. Quantum-loop reset at 00:42. Clear_routing {G2F} tunnel to avoid intrusion! Commence phase Z: {bio-42} key sequence... Rebuild crypto_signature... _locked!", "id": 2, "timestamp": 1740062561425, "title": "Tuesday Log" }, { "color": 14566901, "content": "8", "id": 8, "timestamp": 1740060154206, "title": "And if you ask me how I'm feeling" }, { "color": 15363215, "content": "7", "id": 51, "timestamp": 1740060252927, "title": "Never gonna tell a lie and hurt you" }, { "color": 16045363, "content": "W", "id": 55, "timestamp": 1740060054841, "title": "Inside, we both know what's been going on" }, { "color": 16493166, "content": "}", "id": 23, "timestamp": 1740060384666, "title": "Your heart's been aching, but you're too shy to say it" } ]
```
:::

- Putting it all together, I get the complete flag:

![image](https://hackmd.io/_uploads/BJIj3R2cJl.png)

> ~~`KashiCTF{r1P_Ch34P_o8FuSC471oN_7_7_Nu123_117_8Hu_87W}`~~

#### Note:
- The solution looks easy, but I went in the wrong direction from the very start by assuming that I had to find the exact `android_id` rather than brute-force it. I also want to apologize a lot to the RE team, because this stupidity of mine kept the team from solving the challenge :cry:.
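
Why the brute force in challenge 6 is feasible, as an added example (not the app's code and not the original solve script): a Python model of the backup key derivation as this writeup reads it from the decompiled routine, next to a passphrase-based derivation. The sample `android_id`, the trial rate and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constant used twice (add, then multiply) in the decompiled backup routine.
MAGIC = 6969696969696969696


def backup_key(android_id: str) -> bytes:
    """Model of the app's AES key derivation, as the writeup reads it."""
    x = int(android_id[-6:], 16)        # only the last 6 hex digits are used
    n = (x + MAGIC) * MAGIC
    # BigInteger.toByteArray(): minimal big-endian two's complement,
    # so one extra bit is always reserved for the sign.
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return raw[-16:]                    # slice [len-16, len) becomes the key


def constant_prefix_bits() -> int:
    """Leading key bits that are identical on every device."""
    lo = int.from_bytes(backup_key("000000"), "big")
    hi = int.from_bytes(backup_key("ffffff"), "big")
    # n grows with x and always fits in 16 bytes, so every key lies between
    # lo and hi and shares the prefix those two share.
    return 128 - (lo ^ hi).bit_length()


def worst_case_seconds(trials_per_second: float) -> float:
    """Time to try every key the derivation can produce (2**24 of them)."""
    return (1 << 24) / trials_per_second


def passphrase_key(passphrase: str, salt: bytes = b"", iterations: int = 600_000):
    """Hardened alternative (an assumption, not the app's design):
    the key comes from a user secret and a random per-backup salt, so
    nothing stored in the backup or readable from the device yields it.
    The salt is not secret and can be stored next to the IV."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              iterations, dklen=16)
    return salt, key


if __name__ == "__main__":
    # Constructed android_id: the upper ten digits are made up, the last six
    # are 14946604 in hex, the value noted in the solve script's comment.
    print(backup_key("0123456789e4112c").hex())
    print(backup_key("ffffffffffe4112c").hex())   # same key: upper digits ignored
    print(constant_prefix_bits(), "leading key bits never change")
    # 35,000 trials per second is an assumed rate, not a measurement.
    print(round(worst_case_seconds(35_000)), "s to cover the whole key space")
```
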