# MISC | UDOM X-MASS CTF 2025

![udom xmas](https://hackmd.io/_uploads/r19zxjAmWx.jpg)

Hello everyone, hope this finds you well … This is a writeup for all the MISC challenges that were crafted by author dr3amy in the UDOM X-MASS CTF 2025.

## 1. FIX THE CODE

![1](https://hackmd.io/_uploads/ryMzGiRQZg.png)

The description of this challenge, as you see, tells you that the best decision is to run the given file first. In the attachments, a Python file was given, so one had to download it first and then try to run it.

![2](https://hackmd.io/_uploads/SyYc4oC7bl.png)

On running it, we were given three choices, but the second option, to print the flag, looks more like what we need.

![3](https://hackmd.io/_uploads/BkY7HsAQWl.png)

On choosing the second option to print the flag, we get a message that the print_flag function is misplaced and we had to go check the source code.

![4](https://hackmd.io/_uploads/HJ1wIo0Q-e.png)

![5](https://hackmd.io/_uploads/H1av8jCm-x.png)

Looking at the code, the issue is that when I select option 'b' to print the flag, it doesn't actually call the `print_flag()` function. Instead, it just prints a message saying "Oops! I must have misplaced the print_flag function!" So I had to fix the code as seen here.

![6](https://hackmd.io/_uploads/SJyVKiRX-l.png)

On running the Python file again, I get an encoded flag as seen below.

![7](https://hackmd.io/_uploads/Skue9iR7Wx.png)

I had to go to dcode.fr and use the cipher identifier to check what kind of encoding this is.

![8](https://hackmd.io/_uploads/rk0Z1hA7Zl.png)

It revealed that it was a ROT8000 cipher. After knowing this, I went directly to CyberChef to try to decode it. After trying ROT8000 just once, it changed to base64 as seen below.

![9](https://hackmd.io/_uploads/HknxgnAQbe.png)

After decoding it again from base64 7 times, it revealed the intended flag to solve this challenge once and for all.
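
The repeated base64 step above can be automated instead of clicking through it layer by layer. This is an added example, not code from the challenge or its author: the sample blob is constructed here, and the ROT8000 stage is assumed to have been removed already.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def peel_base64(data: bytes, max_layers: int = 32):
    """Strip nested base64 layers; return (innermost_bytes, layers_removed)."""
    layers = 0
    while layers < max_layers:
        candidate = data.strip()
        # Padded base64 text is never empty and always a multiple of 4 long.
        if not candidate or len(candidate) % 4:
            break
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break  # characters outside the base64 alphabet: innermost layer reached
        # A short plaintext such as b"test" is valid base64 by accident but
        # decodes to binary junk; stop there and keep the readable layer.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        data, layers = decoded, layers + 1
    return data, layers

def wrap_base64(data: bytes, layers: int) -> bytes:
    """Build constructed test input by encoding `data` `layers` times."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data

# Constructed sample: a placeholder flag wrapped 7 times, as in the writeup.
SAMPLE_FLAG = b"UCC{constructed_sample}"
SAMPLE_BLOB = wrap_base64(SAMPLE_FLAG, 7)

if __name__ == "__main__":
    plain, depth = peel_base64(SAMPLE_BLOB)
    print(f"{depth} layers -> {plain.decode()}")
```

The printable-text check is what keeps the loop from decoding one layer too far when the innermost text happens to use only base64 characters.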
![10](https://hackmd.io/_uploads/ByYOghCXbx.png)

## 2. EAGLE

![1](https://hackmd.io/_uploads/Bkec-nC7Wx.png)

The description of this challenge wanted us to carefully review the file given and spot any anomalies.

![2](https://hackmd.io/_uploads/B10YtbyVWx.png)

Opening the file, there were a bunch of hexadecimal-encoded binary log entries, likely from a Windows system, as seen above. Then I tried to grep the UCC word to check for the flag directly.

![3](https://hackmd.io/_uploads/HJLKgUJNZl.png)

I found a fake flag by doing that. This is when I knew this was going to be a long night hahaha, so I had to go and manually check for anything suspicious in the logs. That's when I found something a bit interesting, as seen below.

![4](https://hackmd.io/_uploads/rJc6ZLJ4-g.png)

It looks like a flag but encoded, so I had to use dcode.fr to check which kind of encoding this is.

![5](https://hackmd.io/_uploads/HJi5mUkNZl.png)

After knowing it's a ROT cipher, I then went to CyberChef to try to brute-force the available ROT ciphers.

![6](https://hackmd.io/_uploads/rJNBfV8yNbl.png)

I found something that looks exactly like the true flag, but when I tried submitting it, it failed. I had to scratch my head and see what I was missing. That's when I remembered there was a hint, so I went back to check it.

![7](https://hackmd.io/_uploads/SJunB8kVbl.png)

The hint said I had to try to tweak the defaults, and checking ROT13 Brute Force, by default the one checkbox to rotate the numbers is always unchecked. So I tried to check the box, and what's funny is, number 9s showed up like rotated small letter "e" all over to make the sentence readable. After that I just tried submitting the flag and it was the one.

![8](https://hackmd.io/_uploads/HJKhIUkNZl.png)

## 3. CRTA

![1](https://hackmd.io/_uploads/HyBiDL1EZg.png)

The description of this challenge was talking about a classic privilege escalation technique using the `vi` text editor.
I went to GTFOBins and searched for vi and started reading. That's when I came across this.

![2](https://hackmd.io/_uploads/Sk7YtI1VZe.png)

Exactly what the description needed, but the hint said "i hate spaces", so on submitting the flag I had to replace all spaces with "_" as per the CTF replacement for spaces, and it worked.

## 4. FOR FIRST YEAR

![1](https://hackmd.io/_uploads/r1I398yEWg.png)

For this challenge, I was given a simple.docx as an attachment and the description said that the first part of the flag was in it. This was simple, just changing the color of the text to white and I could easily see the flag.

![2](https://hackmd.io/_uploads/B1ZlT814-e.png)

The second part of the flag asked, in one word, what we call the exposure of hidden system instructions. I did a simple Google search and found that it was leakage.

![3](https://hackmd.io/_uploads/ByiHywy4Wl.png)

I tried submitting it, but it failed. That's when I read that it specified the case sensitivity, so I started trying all small letters and then all capital letters for the second part of the flag, and I was able to solve it.

## 5. FOR YOU

![1](https://hackmd.io/_uploads/Bke_BgDkVWe.png)

In this challenge, I was given a hash and asked to retrieve the flag. I simply used the CrackStation online tool to crack this hash, as seen below.

![Screenshot From 2025-12-29 05-09-20](https://hackmd.io/_uploads/S1sbQPkV-g.png)

The cracked password was `heyo`. I tried submitting it with the flag format and it succeeded.

## 6. JWT

![1](https://hackmd.io/_uploads/ByaomD1NZg.png)

The challenge wanted a common header used to transport the JWT in a request. I did a simple Google search and found out.

![2](https://hackmd.io/_uploads/S15nNDkVZg.png)

On submitting it as per the given format, it succeeded.

## 7. L33T

![1](https://hackmd.io/_uploads/r1j6HvJEWg.png)

This challenge just wanted me to go find the flag from the social media handles of UCC. I went on Instagram and came across a post with a comment that looks like a flag.
![2](https://hackmd.io/_uploads/HkTGLDJNWe.png)

I tried submitting it but it failed. That's when I had to go back and read the hint. The hint told me to join hands, and something clicked in my mind that maybe this flag is not complete. I went on LinkedIn and came across a post with a comment that looked like a second part of the flag and, with confidence, by the same person who commented on Instagram.

![3](https://hackmd.io/_uploads/B1-1vDJ4Wl.png)

I tried joining the two parts of the flag and on submitting using the flag format, it succeeded.

## 8. LEMONS

![1](https://hackmd.io/_uploads/rkPN_P14bg.png)

The description asked if I love fruits, then gave me an encoded message. I tried checking the hint.

![2](https://hackmd.io/_uploads/rkzjdvkVbe.png)

After seeing that hint, I tried thinking about what really links fruits, specifically lemons, and biology as a subject. On doing a simple Google search, I found these out.

![3](https://hackmd.io/_uploads/S1YqYw1N-l.png)

The linkage is through botany, and a specific classification called Citrus and limon. Okay, this is a good start.... Now I tried to find a decoding tool in CyberChef with a name almost like my two classifying words. That's when I came across Citrix in CyberChef.

![4](https://hackmd.io/_uploads/S1mpcDyN-x.png)

I tried to decode the given text from the challenge and I was able to get the flag right away, as seen below.

![5](https://hackmd.io/_uploads/S1gEoPkNZx.png)

## 9. MATUNDA

![1](https://hackmd.io/_uploads/Hkgt3PJ4Wl.png)

This challenge wanted me to crack Dr3amy's password by creating a custom wordlist filled with several fruits. So I designed a Python brute-force script that would go through the custom wordlist of fruits that I made, do a hash analysis, and then set a password structure of three fruit names concatenated together.
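
A search of that shape, as an added example rather than the author's script (which appears only in the screenshot): the fruit list, the sample password and the use of SHA-256 are all assumptions made for illustration. It also prints the keyspace, which shows how little protection a password built from three short-list words gives.

```python
import hashlib
from itertools import product

# Constructed wordlist (assumption): the writeup's own list is not shown as text.
FRUITS = ["apple", "banana", "lemon", "mango", "orange", "papaya", "pear", "plum"]

def sha256_hex(text: str) -> str:
    """Hash function assumed for this example; the page does not name the algorithm."""
    return hashlib.sha256(text.encode()).hexdigest()

def keyspace(words, parts: int = 3) -> int:
    """Number of candidates when `parts` words are concatenated in order."""
    return len(words) ** parts

def find_concatenation(target_hex: str, words, parts: int = 3, digest=sha256_hex):
    """Return (password, attempts) for the first match, or (None, keyspace)."""
    target = target_hex.strip().lower()
    for attempt, combo in enumerate(product(words, repeat=parts), start=1):
        candidate = "".join(combo)
        if digest(candidate) == target:
            return candidate, attempt
    return None, keyspace(words, parts)

# Constructed target: hash of a made-up three-fruit password.
SAMPLE_HASH = sha256_hex("mangolemonbanana")

if __name__ == "__main__":
    password, attempts = find_concatenation(SAMPLE_HASH, FRUITS)
    print(f"keyspace={keyspace(FRUITS)} found={password!r} after {attempts} attempts")
```

Even a list of 1,000 fruit names yields only 10^9 three-word candidates, which a fast unsalted hash does not protect.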
![2](https://hackmd.io/_uploads/ryqGkuk4be.png)

And on running it, I found the password.

![3](https://hackmd.io/_uploads/rJ0qyO1EZl.png)

I tried putting it in the required flag format and it succeeded. The whole point here was to create a custom wordlist of fruits, or find online any wordlist with fruits only, so as to save time while brute-forcing.

## 10. MUSIC

![1](https://hackmd.io/_uploads/rJ_IlOkN-x.png)

On opening the attachment, I found some lyrics.

![2](https://hackmd.io/_uploads/B1wbzOy4Wg.png)

![3](https://hackmd.io/_uploads/B1SMMuJVWe.png)

I tried searching online and found a very common tool to interpret this kind of esoteric programming language. This tool is called Rockstar.

![4](https://hackmd.io/_uploads/HJUCmOJ4We.png)

I then uploaded my lyrics and got some ASCII values.

![5](https://hackmd.io/_uploads/SJ7kVOkEbl.png)

I finally crafted a Python script for decoding the ASCII values.

![6](https://hackmd.io/_uploads/S1mfVuyN-x.png)

On running the script, I got readable characters that look like the flag.

![7](https://hackmd.io/_uploads/rynDVdkN-x.png)

The flag format wanted me to specify the name of the tool used to do this, which was Rockstar.

## 11. MORE PAIN

![1](https://hackmd.io/_uploads/HkJJd2JEZe.png)

In this challenge, I was given a hash of a malicious file, and had to find more information about it. Our go-to tool for this challenge is VirusTotal, so I went into the tool and plugged in the hash to get information.

![2](https://hackmd.io/_uploads/ryc0OhyV-x.png)

From the description, we were told that the file makes a shell command with a URL inside of it. On checking the behavior part in VirusTotal, I found an HTTP request with the URL we need.

![3](https://hackmd.io/_uploads/ryKPRTbVZx.png)

From the flag format, they needed the file.extension then the domain URL.

`UCC{s.png_ttgholidays.com}`

## 12. MORE PAIN 2

![1](https://hackmd.io/_uploads/B1ktgA-E-g.png)

From the description, the question asked what country the attackers are likely from.
So I just did a simple google search of the domain