# ACECTF 2025 Writeup

## Forensics

### Broken Secret

>Author: kAiZ3n
>Description:
>You’ve found a suspicious file, but it seems broken and cannot be opened normally. Your goal is to uncover its secrets. Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

First I used binwalk/7z to extract the hidden folder from the jpg file, and then I saw an interesting file at path `_\word\media\not_suspicious_file`. Checking it with HxD, it seems to be a PNG image file with a corrupted header.

![image](https://hackmd.io/_uploads/HyIb-Zkiye.png)

After fixing it I got the flag:

![image](https://hackmd.io/_uploads/HJVbDkJi1g.png)

### Hidden in the traffic

![image](https://hackmd.io/_uploads/S1MuN0R5Jx.png)

>Author: kAiZ3n
>Description:
>A whistleblower tipped us off about a secret communication between two devices. We managed to intercept the network traffic, but the flag is hidden within the data. Your task is to analyze the provided PCAP file, uncover the hidden message, and extract the flag. Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

This is a network analysis challenge. When it comes to network analysis, the first thing I think of is exfiltration. OK, let me check.

I found something suspicious in the ICMP packets matching `ip.src==10.0.2.15 && ip.dst==8.8.8.8`: a lot of packets were sent, each with a data length of 1 byte. Let's extract them with tshark:

```
tshark -r <pcapfile> -Y "icmp && ip.src==10.0.2.15 && ip.dst==8.8.8.8" > secret.txt
```

After decoding the hex:

![image](https://hackmd.io/_uploads/By_bwRC9Jg.png)

It seems that the characters "ABCDEFGHIJKL" have been repeated; remove them and get the flag.

flag: **ACECTF{p1n6_0f_D347h}**

### Deep Memory Dive

![image](https://hackmd.io/_uploads/SJ_APACqyx.png)

>Author : kAiZ3n
>Description : A gamer was experiencing severe lag while playing. They decided to disable unnecessary startup applications to free up system resources.
>However, after investigating the system, they noticed an unusual entry in the Startup registry. The flag is divided in different parts. Investigate the dump and gather all the flags. Flag Format: ACECTF{3x4mpl3_fl4g}

OK, first of all I see the description mentions "the Startup registry", and this is memory analysis of a Windows OS, so let me check it with volatility3 (or vol2.6, depending on each person's preference :v).

First I use the plugin windows.registry.hivelist to list all of the registry hives in the target memory:

![image](https://hackmd.io/_uploads/H1wCYCC5Je.png)

and then use the plugin windows.registry.printkey:

![image](https://hackmd.io/_uploads/BJbknC051e.png)

```
2025-02-26 18:26:54.000000 UTC 0xa589d0187000 REG_SZ \??\C:\Users\John\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run HiddenFlag "( ACECTF{3xplor1n6_ ) the clipboard is not copying the right things" False
```

It mentioned the "clipboard", so I switched to vol2 to check it with the "clipboard" plugin, but it didn't work. After a few hours of thinking and trying other plugins of vol2 and vol3, I had an idea: use "strings" and "grep" with the keyword "echo". Amazingly, that worked better:

![image](https://hackmd.io/_uploads/HJz36C05kg.png)

OK, we have 2 more parts of the flag:

>flag: ACECTF{3xplor1n6_th3_c0nc3al3d_

While I was looking up these parts of the flag, I found the last part with the plugin pslist:

![image](https://hackmd.io/_uploads/SJCpCC091l.png)

Check with the filescan plugin:

![image](https://hackmd.io/_uploads/SJ5xyJJskg.png)

**Flag: ACECTF{3xplor1n6_th3_c0nc3al3d_r1ddl3s}**

### Fractured Frames

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/HyLTiyJjyg.png)

>Description:
>A forensic investigator retrieved this image from a suspect’s device, but something isn’t right. The structure shows unusual modifications. Could it be that vital information was concealed rather than erased?
>Flag Format: ACECTF{3x4mpl3_fl4g}

![challenge (1)](https://hackmd.io/_uploads/H18J3JJj1e.jpg)

We were given a jpg file; by changing its height, we can easily obtain the flag.

![image](https://hackmd.io/_uploads/S1W-hJ1jke.png)

![challenge](https://hackmd.io/_uploads/S13zhyyokx.jpg)

***Flag: ACECTF{th1s_sh0uld_b3_en0ugh6}***

### Virtual Hard Disk

>Author: nh0kt1ger12

![image](https://hackmd.io/_uploads/HJq83yJo1l.png)

>Description:
>One of the first things I learnt when I started learning to hack was linux. It was fun until I hit a ceiling of understanding about the differences in Operating Systems, what's a Shell, Kernel, etc. But once I got better I started developing a liking towards the terminal and how the Linux operating system is better than say Windows, or worse in some cases. How none of them is superior, nor the other inferior. We shall find out with this challenge. Be careful, a lot of fake galfs around.

Opening the file with FTK Imager, I got the flag in the ADS (Alternate Data Stream) of a jpg file:

![image](https://hackmd.io/_uploads/H1O63J1iye.png)

Decrypting the flag using Vigenere Cipher with the provided key:

***Flag: ACECTF{7h3_d1ff3r3nc3_b37w33n_y0u_4nd_m3}***

### Keyboard echo

>Author: kywh1t3h4t

![image](https://hackmd.io/_uploads/SyHY0kkskx.png)

>Description:
>You have intercepted USB traffic from a device and captured the data in a .pcapng file. However, the keystrokes are encoded and need to be converted into readable text. Your task is to analyze the provided packet capture, extract the keystrokes, and reconstruct the original input. Flag Format: ACECTF{3x4mpl3_fl4g}

We were given a pcap file with lots of USB streams; using a specific tool, I can easily decode the content of those streams.
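
What such a tool does with each USB HID keyboard report, as an added example (not the tool used here and not code from the challenge): it maps boot-keyboard usage IDs to characters, honours Shift, Caps Lock and Backspace, and skips keys still held from the previous report. The sample reports are constructed, and the input format assumes 8-byte hex payloads such as those exported from a capture with tshark's `usb.capdata` field.

```python
# HID boot-keyboard report layout (8 bytes):
#   byte 0    modifier bits (0x02 = left Shift, 0x20 = right Shift)
#   byte 1    reserved
#   bytes 2-7 usage IDs of up to six keys currently held down
SHIFT_MASK = 0x02 | 0x20
BACKSPACE, CAPS_LOCK = 0x2A, 0x39


def build_keymap():
    """Return (plain, shifted) dicts for the US-layout usage IDs."""
    plain, shifted = {}, {}
    for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
        plain[0x04 + i], shifted[0x04 + i] = ch, ch.upper()
    for i, (p, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
        plain[0x1E + i], shifted[0x1E + i] = p, s
    for usage, p, s in [
        (0x28, "\n", "\n"), (0x2B, "\t", "\t"), (0x2C, " ", " "),
        (0x2D, "-", "_"), (0x2E, "=", "+"), (0x2F, "[", "{"),
        (0x30, "]", "}"), (0x31, "\\", "|"), (0x33, ";", ":"),
        (0x34, "'", '"'), (0x35, "`", "~"), (0x36, ",", "<"),
        (0x37, ".", ">"), (0x38, "/", "?"),
    ]:
        plain[usage], shifted[usage] = p, s
    return plain, shifted


def decode_reports(hex_reports):
    """Reconstruct typed text from an iterable of hex-encoded HID reports."""
    plain, shifted = build_keymap()
    out, held, caps = [], set(), False
    for line in hex_reports:
        raw = bytes.fromhex(line.replace(":", "").strip())
        if len(raw) != 8:
            continue  # not a boot-keyboard report (mouse, descriptor, ...)
        # Usage IDs 0x00-0x03 mean "no key" or a keyboard error state.
        keys = [k for k in raw[2:] if k > 0x03]
        shift = bool(raw[0] & SHIFT_MASK)
        for k in keys:
            if k in held:
                continue  # key was already down in the previous report
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k == CAPS_LOCK:
                caps = not caps
            else:
                ch = (shifted if shift else plain).get(k)
                if ch is None:
                    continue  # key without a printable mapping (F-keys, arrows)
                if caps and ch.isalpha():
                    ch = ch.swapcase()
                out.append(ch)
        held = set(keys)
    return "".join(out)


# Constructed sample: Shift+h, i, x, Backspace, Shift+'-', 1, then 7 pressed
# while 1 is still held down.
SAMPLE_REPORTS = [
    "02000b0000000000", "0000000000000000",
    "00000c0000000000", "0000000000000000",
    "00001b0000000000", "0000000000000000",
    "00002a0000000000", "0000000000000000",
    "02002d0000000000", "0200000000000000",
    "00001e0000000000", "00001e2400000000",
    "0000000000000000",
]

if __name__ == "__main__":
    print(decode_reports(SAMPLE_REPORTS))
```
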
![image](https://hackmd.io/_uploads/HJmZygJokx.png)

***Flag: ACECTF{y0u_h4v3_f0und_17}***

## Steganography

### Tabs&Space

![image](https://hackmd.io/_uploads/BkXa11kj1l.png)

>Author: kAiZ3n
>Description :
>A mysterious ZIP file containing a collection of images and a file has been discovered.The task is to retrieve the flag.

I received a folder with a lot of files with the jpg extension, but I found that one of them seems more inconsistent than the others: it is only 124 bytes long compared to the others. I used stegseek:

![image](https://hackmd.io/_uploads/ByvSbJJsJe.png)

Reading the hex of the text file, we see 0x20 is Space, 0x09 is "\t" and 0x0a is "\n". OK, let me decode it with the convention 0x20 = 0 and 0x09 = 1. After decoding, we get this:

```
010000010100001101000101010
000110101010001000110011110
11011011100011000001011111
001100110111100001110000001
100010011000000110001001101
11010111110110111000110000
010111110110011100110100001
100010110111001111101
```

Decoding the binary, we get the flag.

**FLAG: ACECTF{n0_3xp1017_n0_g41n}**

### Double Vision

>Author: t4t3012

![image](https://hackmd.io/_uploads/r1lia11s1e.png)

>Description:
>You've stumbled upon a ZIP file named double_vision.zip. Inside, you find two PNG images labeled 1.png and 2.png. While the images appear nearly identical, something unusual is hidden between them. Can you uncover the secret and retrieve the flag?

We were provided a zip file containing 2 png files. By XORing them, we can barely see the dot-dot-dash in the top right corner. Decoding them using morse code, we can easily obtain the flag.

***Flag: ACECTF{D07_D45H}***

### HeaderHijack

![image](https://hackmd.io/_uploads/SyOX4WJjke.png)

>Author: kAiZ3n
>Description: A secret agent's intercepted video file refuses to play. A mysterious checksum file was found alongside it.
>Your task is to repair the file and retrieve the flag…

First of all I searched for the header format of an mp4 file: https://www.file-recovery.com/mp4-signature-format.htm

![image](https://hackmd.io/_uploads/SyQb4byo1g.png)

OK, now I'll fix the file to match this format and get the flag:

![image](https://hackmd.io/_uploads/SkPM4Wyi1x.png)

FLAG: ACECTF{d3c0d3_h3x_1s_fun}

### Cryptic Pixels

>Author: kywh1t3h4t
>Description:
>This image looks normal at first, but something important is hidden inside. The secret is carefully concealed, making it hard to find. Your task is to explore the image, uncover the hidden message, and reveal what’s concealed. Do you have what it takes to crack the code and unlock the secret? Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

![image](https://hackmd.io/_uploads/Hy1mBW1oJx.png)

- We extract the hidden files from `CrypticPixels.png`.
> Command: binwalk --dd='.*' CrypticPixels.png
- Then we enter the folder `_CrypticPixels.png.extracted`.
- We bruteforce the password of the zip file `B8103` and find it.
> Command: fcrackzip -u -D -p ../rockyou.txt B8103
> Password: qwertyuiop
- Then we unzip it and see the file flag.txt.
> JLNLCO{q4q4_h0d'a3_5v4a7}
- We decode it with https://www.dcode.fr/rot-cipher
> Flag: ACECTF{h4h4_y0u'r3_5m4r7}

## Reverse

### Significance of Reversing

> Author: kywh1t3h4t
> Description:
> Over the years, we hackers have been reversing stuff, thinking we understand how everything works and feel good about it. But, sometimes it feels like do we really understand what reversing means in modern days? Anyways, here's a PNG, let's see if you can reverse your way out of this one.

![image](https://hackmd.io/_uploads/S1sl2yksyg.png)

- We check the file `Reverseme.png` in HxD and see that the hex data of the ELF file has been reversed and the header of a PNG image file has been inserted.
- ![image](https://hackmd.io/_uploads/SkxPa1yiJg.png)
- Then I looked at this file in IDA and analyzed it.
- Script solve:

```python
def transform_char(char):
    # Rotate printable ASCII (33..126) by 47 positions, i.e. ROT47
    ascii_val = ord(char)
    if ascii_val > 32 and ascii_val != 127:
        return chr((ascii_val + 14) % 94 + 33)
    return char

def transform_string(s):
    return ''.join(transform_char(c) for c in s)

# Encoded strings recovered from the binary
str1 = "N"
str2 = "LHb0fc"
str3 = "prtr%u"

transformed_str1 = transform_string(str1)
transformed_str2 = transform_string(str2)
transformed_str3 = transform_string(str3)

print(f"N → {transformed_str1}")
print(f"LHb0fc → {transformed_str2}")
print(f"prtr%u → {transformed_str3}")

print("\nPossible flag combinations:")
print(f"1. {transformed_str1 + transformed_str2 + transformed_str3}")
print(f"2. {transformed_str3 + transformed_str2 + transformed_str1}")
print(f"3. {transformed_str2 + transformed_str1 + transformed_str3}")

# The order that yields a well-formed flag
flag1 = transformed_str3
flag2 = transformed_str2
flag3 = transformed_str1
print(f"\nPotential CTF flag: {flag1}{flag2}{flag3}")
```

> Flag: ACECTF{w3_74}

### DONOTOPEN

```
ARCHIVE_START=$(awk '/^__ARCHIVE_BELOW__/ {print NR + 1; exit 0; }' script.sh)
tail -n +$ARCHIVE_START script.sh | g -d > embedded_script.py
```

PIN = `ACE@SE7EN`

Flag: `ACECTF{e2e3619b630b3be9de762910fd58dba7}`

### Trust Issues

> Author: kywh1t3h4t
> Description:
> A program is checking your input against a hidden value, but the comparison is far from straightforward. Something’s been altered to obscure the truth. Your goal is to uncover the transformation behind the check and reveal the original content.
> Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

![image](https://hackmd.io/_uploads/r1Lw1gyjJl.png)

- We check the file `trust.exe` in IDA and we see:
- Main function:

![image](https://hackmd.io/_uploads/r1Dakgyiye.png)

- strcmp function:

![image](https://hackmd.io/_uploads/BklZgg1ikg.png)

- Script solve:

```python
# XOR key bytes taken from the modified strcmp function
v3 = [6, 17, 29, 114, 96, 31, 24, 124, 62, 15, 109, 120, 51, 53, 64, 94,
      62, 37, 95, 48, 120, 20, 55, 74]
# String the program compares the transformed input against
flag_enc = "GRX14YcKLzXOlW5iaSlBIrN7"

for i in range(len(flag_enc)):
    flag = ord(flag_enc[i]) ^ v3[i % len(v3)]
    print(chr(flag), end="")
```

> Flag: ACECTF{7ru57_bu7_v3r1fy}

### The Chemistry Of Code

My script:

```python
import base64
import binascii

# Constants from the original code
FERROUS_OXIDE_USERNAME = "AdminFeroxide"
ANIONIC_PASSWORD = "NjQzMzcyNzUzNTM3MzE2Njc5MzE2ZTM2"
ALKALINE_SECRET = "4143454354467B34707072336E373163335F3634322C28010D3461302C392E"

def ionic_bond(cation_input, anion_input):
    # Convert inputs to hex
    cation_hex = binascii.hexlify(cation_input.encode()).decode()
    anion_hex = binascii.hexlify(anion_input.encode()).decode()

    # Convert hex to integers
    cation_value = int(cation_hex, 16)
    anion_value = int(anion_hex, 16)

    # XOR operation (equivalent to BigUint ^ in Rust)
    covalent_link = cation_value ^ anion_value

    # XOR with alkaline secret
    alkaline_secret_value = int(ALKALINE_SECRET, 16)
    metallic_alloy = covalent_link ^ alkaline_secret_value

    # Convert to hex string
    precipitate = format(metallic_alloy, 'x')

    # Make sure the hex string has even length
    if len(precipitate) % 2 != 0:
        precipitate = '0' + precipitate

    # Convert hex to ASCII
    alloy_compound = ''.join([chr(int(precipitate[i:i+2], 16))
                              for i in range(0, len(precipitate), 2)])
    print(f"Crystallized Flag (ASCII): {alloy_compound}")

def reaction_chamber():
    username = input("Introduce the Catalyst: ")
    password = input("Introduce the Reagent: ")

    if username != FERROUS_OXIDE_USERNAME:
        print("Reaction denied: Unstable molecule detected.")
        return

    # Check password
    reagent_ion = base64.b64encode(
        binascii.hexlify(password.encode())).decode()
    if reagent_ion != ANIONIC_PASSWORD:
        print("Reaction denied: Unstable molecule detected.")
        return

    ionic_bond(username, password)

def get_password():
    # Decode the ANIONIC_PASSWORD
    hex_password = base64.b64decode(ANIONIC_PASSWORD).decode()
    actual_password = bytes.fromhex(hex_password).decode()
    return actual_password

def direct_flag_calculation():
    # Instead of going through the input process, directly calculate the flag
    username = FERROUS_OXIDE_USERNAME
    password = get_password()
    print(f"Username: {username}")
    print(f"Password: {password}")
    ionic_bond(username, password)

if __name__ == "__main__":
    print("Choose an option:")
    print("1. Run interactive program")
    print("2. Directly calculate flag")
    choice = input("Choice (1/2): ")
    if choice == "1":
        reaction_chamber()
    elif choice == "2":
        direct_flag_calculation()
    else:
        print("Invalid choice")
```

![image](https://hackmd.io/_uploads/Bk-XVl1j1e.png)

Flag: `ACECTF{4ppr3n71c3_w4l73r_wh1t3}`

### Pined up

```python
import itertools

key = b"\x7b\x2e\xf1\xeb\x8b\x76\xe7\x68\x77\xa3\xef\x52\xf6\x3c\xda\xaa\xf6\xa7\x43\xeb\x21\x24\xc3\x9c\x7d\x08\x33\xb7\xf7\x2c\xb4"
data = b"\x6c\x2c\xe0\xef\x8d\x60\xdc\x75\x0d\xff\xd6\x59\xf4\x5d\xde\x9b\xe3\xd7\x52\x99\x5a\x7c\xa3\xc9\x4e\x1b\x45\xe5\xc0\x29\x9a"

print(len(data))
print(len(key))

def step1(values):
    # XOR each byte with its predecessor, walking from the end to the start
    foo = 0
    for i in range(len(values)-1, 0, -1):
        values[i] ^= values[i-1]

def step3(values):
    # XOR every byte with the constant 0x56
    for i in range(len(values)):
        values[i] ^= 0x56

def step5(values):
    # XOR with the repeating key
    global key
    for i in range(len(values)):
        values[i] ^= key[i%len(key)]

steps = [step1, step3, step5]

# Try every ordering of the three steps and print each result
for foo in list(itertools.permutations(steps)):
    temp = bytearray(data)
    while len(temp) < 39:
        temp.append(0)
    for step in foo:
        step(temp)
    print(temp)
```

Flag: `ACECTF{p1p3d_53cr375_unc0v3r3d}`

## Misc

### Sanity check

>Author: t4t3012

![image](https://hackmd.io/_uploads/HyuliJkjye.png)

>Description: Let's Test Out Your Sanity. Did You Join Our Discord?
The flag is in the rules:

![image](https://hackmd.io/_uploads/H1JQj1kokg.png)

***Flag: ACECTF{54n3_3n0u6h}***

### Insanity check

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/B1FUjyJoJl.png)

>Description:
>You might've breezed through the easy Sanity Check, but this challenge is for true contenders! If you want to prove your sanity is as unhinged as mine, you’ll have to earn it. How, you ask? Back when we were building these CTF challenges, everyone would upload their carefully crafted puzzles, and I was the one reviewing them. But me being me—I rejected a ton of them, tossing them straight into the bin for all sorts of reasons. Naturally, my teammates started questioning my sanity, some even calling me insane. But if there was one thing that remained constant, it was the bin. Now, it’s your turn to dig in and you already know where to start... The same place where you proved you were sane! I think you must be in the Discord server by now - https://discord.gg/BWYPxRQPSd

Since the people in the Discord server kept spamming the role `r8F53sXv`, I realized this is the ID of a pastebin. Navigating to https://pastebin.com/r8F53sXv, I got the flag:

***ACECTF{7h47_w45_1n54n3}***

### Hash Guesser

>Author: t4t3012
>Description: Welcome to the only cracking challenge of ACECTF1.0, here we have a Hash that we need to crack. The target hash has been taken from a very famous wordlist which has around what 14 million passwords? Yeah, but it's not that simple, the target hash has been base32 encoded & then reversed before generating the MD5 hash. I guess that's enough information for you to start, good luck.
>nc 34.131.133.224 50000

Solve script:

```python
from pwn import *

# Server address and port (port as given in the challenge's nc line)
remote_host = "34.131.133.224"
remote_port = 50000

# Start from an initial MD5 hash (32 'f' characters)
current_hash = 'f' * 32

# Hex characters to try at each position
hex_chars = "0123456789abcdef"

# Connect to the server, send a hash and return the server's score
def send_hash(hash):
    # Connect to the server
    conn = remote(remote_host, remote_port)

    # Wait for the server's prompt
    conn.recvuntil(b"Enter MD5 hash: ")

    # Send the hash (as bytes)
    conn.sendline(hash.encode())

    # Read the whole response, then close the connection
    response = conn.recvall().decode()
    conn.close()

    # Extract the "Characters in correct positions" value
    if "Characters in correct positions: " in response:
        correct_positions = int(response.split(
            "Characters in correct positions: ")[1].split("/")[0])
        return correct_positions
    else:
        # Response is not in the expected format: fall back to a default
        print("Unexpected response from server.")
        return 0

# Walk through every position of the hash
for i in range(32):
    best_char = current_hash[i]  # best character so far is the current one

    # Number of correct positions before changing this character
    best_correct = send_hash(current_hash)

    # Try every hex character
    for char in hex_chars:
        # Build a new hash with the character at position i replaced
        new_hash = current_hash[:i] + char + current_hash[i+1:]

        # Send the new hash and read the score
        correct_positions = send_hash(new_hash)

        # If the score went up, remember this character
        if correct_positions > best_correct:
            best_char = char
            best_correct = correct_positions

    # Update the current hash with the best character
    current_hash = current_hash[:i] + best_char + current_hash[i+1:]
    print(f"Current hash: {current_hash}")

# Print the final hash
print(f"Final hash: {current_hash}")
```

Flag: `ACECTF{h45h_cr4ck1n6_r3qu1r35_4_l177l3_w17}`

## Cryptography

### Super Secure Encryption

![image](https://hackmd.io/_uploads/Bk9KflJo1e.png)

```python
from binascii import unhexlify

msg_plaintext = b'This is just a test message and can totally be ignored.'
msg_ciphertext = unhexlify("d71f4a2fd1f9362c21ad33c7735251d0a671185a1b90ecba27713d350611eb8179ec67ca7052aa8bad60466b83041e6c02dbfee738c2a3")
flag_ciphertext = unhexlify("c234661fa5d63e627bef28823d052e95f65d59491580edfa1927364a5017be9445fa39986859a3")

# Compute P1 XOR C1 to recover the keystream
keystream = bytes(a ^ b for a, b in zip(msg_plaintext, msg_ciphertext))

# Compute keystream XOR C2 to recover the flag
flag = bytes(a ^ b for a, b in zip(keystream, flag_ciphertext))

print("Flag:", flag.decode())
```

Flag: `ACECTF{n07h1n6_15_53cur3_1n_7h15_w0rld}`

### Hexxed and Squared

>Author: t4t3012

![image](https://hackmd.io/_uploads/SkXWxl1j1g.png)

>Description:
>Cryptography While developing these challenges, I kept in mind that some challenges should be made easy for the newbies who're gonna be playing in our CTF. But, I'm totally against using common encodings and just giving away a flag for free. There's just no learning in that, instead what we're gonna do, is that we'll use a custom encoding, where we just have the number 3. Let's see how good your math is. Flag Format - ACECTF{some_string}

According to the description, by continuously decoding the hex, we can easily obtain the flag: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')From_Hex('Auto')From_Hex('None')From_Hex('Auto')From_Hex('Auto')From_Hex('Auto')From_Hex('Auto')From_Hex('Auto')From_Hex('Auto')From_Hex('None')From_Hex('None')From_Hex('None')From_Hex('Auto')From_Hex('Auto')From_Hex('None')From_Hex('None')&ieol=CRLF&oeol=NEL

***Flag: ACECTF{5uch_4_5qu4r3}***

### Custom Encoding Scheme

>Author: t4t3012
>Description: I wanted to create a custom encoding for a crypto challenge but turns out, I didn't have enough time on my hands. So, what I did here is - Well instead of explaining it to you why don't I give you the script?
```python
import base64

def recover_b(t, output_file):
    # Standard base64 alphabet
    t1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    with open(output_file, "r") as f:
        output_lines = [line.strip() for line in f.readlines()]

    recovered_b = ["" for _ in range(42)]
    b_parts = ["" for _ in range(42)]

    for x, y in enumerate(t):
        r = output_lines[x]
        e = t1.index(r[0])
        g = t1.index(r[1])
        a_bin = f"{e:06b}"
        g_bin = f"{g:06b}"
        # First 8 bits are the visible character
        char_bin = a_bin + g_bin[:2]
        recovered_char = chr(int(char_bin, 2))
        if x < 42:
            b_parts[x] = g_bin[2:]  # Take the remaining bits of g_bin

    recovered_b = "".join(b_parts)
    return recovered_b

t = "I TOLD YOU THAT BASE64 DECODING IS NO GOOD"
output_file = "output.txt"
b = recover_b(t, output_file)
print("Recovered b:", b)
```

Flag: `ACECTF{7h47_w45_c00l}`

### A Little Extra Knowledge Is Too Dangerous

>Author: t4t3012
>Description: Have you ever heard the quotes, A little knowledge is a dangerous thing and In the land of the blind, the one-eyed man is king? They strike me as deeply contradictory—one condemning the slightly knowledgeable, while the other exalts them. This contradiction highlights something unsettling: fairness doesn’t seem to exist in this world. Everyone seems to twist things to suit their own agendas, leading to divisions—arbitrary ones—where people impose their ideologies on others. What if we eliminated excess knowledge and these divisions altogether? Perhaps then we could live like illiterate cynics—but in peace. That’s the essence of this challenge I’m presenting to you. Or should I call it a sermon?
Decode the base64 `QUNFQ1RGe/==MV82dTM1NV95MHVfN3J1bmM0NzNkXzdoM18zeDdyNF9rbjB3bDNkNjNfcjRkMG1fNTdyMW42NjY2NjY2NjY2NjU1NTU1NTU1NV94eHh4eHh4YmJieHh4eHh4Y2NjY3h9 `

Flag: `ACECTF{1_6u355_y0u_7runc473d_7h3_3x7r4_kn0wl3d63_r4d0m_57r1n66666666666555555555_xxxxxxxbbbxxxxxxccccx}`

## Web

### Webrypto

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/ByTGZRR51l.png)

>Description:
>I think we can all agree that most of us grew up watching the iconic cartoon Tom & Jerry. Every kid would feel that surge of adrenaline during the thrilling chases and chaotic conflicts between the mischievous mouse and the ever-determined cat. The excitement of those scenes—the heart-pounding moments of escape—sometimes felt almost real. But then, I heard a little rumor: what if all those chases were fake? What if Tom and Jerry were actually friends all along? That revelation shook me. I had no one to ask about this mind-bending twist, so I decided to take matters into my own hands—I created a web app to settle this question once and for all. I know the truth now. Do you think you can uncover it too? https://chal.acectf.tech/Webrypto/

![image](https://hackmd.io/_uploads/HJtIbAR5ke.png)

So basically the server is checking whether the md5 hash of "ACECTF" + parameter "tom" is equal to the md5 hash of "ACECTF" + parameter "jerry". The problem is that the server is using `loose comparison (==)` to check the equality, not `strict comparison (===)`. This can lead to a **PHP Type Juggling** vulnerability. We can assign a `NULL` array to these parameters so that NULL == NULL is true.

![image](https://hackmd.io/_uploads/ry5Ff009Jl.png)

And here goes the flag:

***ACECTF{70m_4nd_j3rry_4r3_4ll135}***

### Bucket list

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/SyO17ARqJl.png)

>Description:
>You know what's a bucketlist? In simple terms, it's just a list of wishes people want to achieve before they leave this world.
>I found it to be very limiting & ironic because how can you know when you'll leave the world behind? It's better to enjoy every moment and take on every opportunity you can. One of my wishes though is to pet a cat, do you mind checking this one out. So cute. https://opening-account-acectf.s3.ap-south-1.amazonaws.com/fun/can_we_get_some_dogs/026.jpeg

![image](https://hackmd.io/_uploads/r1CmQCRcJx.png)

The website is basically just an AWS cloud server. By moving to the root directory of the server, we can see some exclusive contents because of the **AWS Misconfiguration**.

![image](https://hackmd.io/_uploads/B10FX0A9Jl.png)

As you can see, we have a secret.txt at the `/cry-for-me` path. Decoding its content, here is the flag:

***ACECTF{7h3_4w5_15_m15c0nf16ur3d}***

### Token of trust

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/SJKlVRR91g.png)

>Description:
>At first, this web app seems straightforward, but there’s something more lurking beneath the surface. It relies on a token for user authentication, but not everything is as secure as it seems. Look closely, and you might discover that the system’s trust can be manipulated. The secret is hidden within the way this token is used. Can you find the key to unlock what’s been concealed? The challenge is waiting for you to crack it. Submit your answer in the following format: ACECTF{3x4mpl3_fl4g} http://34.131.133.224:9999/

![image](https://hackmd.io/_uploads/HJNBEA0c1x.png)

Navigating to `/login`, we can see some hints:

![image](https://hackmd.io/_uploads/Hy4JS0C9yx.png)

Cool, now we have to log in using these credentials. After logging in, I got a token:

![image](https://hackmd.io/_uploads/Sy-GHC05ye.png)

At first, I tried cracking this jwt using hashcat, john, and jwt_tool.py but nothing worked. But what if this jwt has no **secret**?
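
The server-side check that question is probing, as an added example (not the challenge's code, which the page does not show): a verifier that pins HS256 and validates the signature before trusting any claim, next to a decoder that only reads the payload. The key, function names and tokens are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed token (what a correct login handler would do)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def claims_without_verification(token: str) -> dict:
    """Flawed pattern: trusts whatever the payload segment says."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str, key: bytes) -> dict:
    """Return the claims only if the token is HS256-signed with `key`."""
    if not key:
        raise ValueError("empty key")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm on the server; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def outcome(token: str, key: bytes) -> str:
    """Human-readable result of verification, for logging or tests."""
    try:
        return "accepted: " + verify_token(token, key)["user"]
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed demo values, not taken from the challenge.
KEY = b"constructed-demo-key"
GUEST = issue_token({"user": "guest"}, KEY)
# Payload swapped, original signature kept.
TAMPERED = ".".join([GUEST.split(".")[0], _segment({"user": "admin"}),
                     GUEST.split(".")[2]])
# Header claims "none" and the signature segment is empty.
UNSIGNED = _segment({"alg": "none", "typ": "JWT"}) + "." + _segment({"user": "admin"}) + "."

if __name__ == "__main__":
    for name, tok in [("guest", GUEST), ("tampered", TAMPERED), ("unsigned", UNSIGNED)]:
        print(name, "| decode-only:", claims_without_verification(tok)["user"],
              "| verified:", outcome(tok, KEY))
```
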
I changed the payload from `"user":"guest"` to `"user":"admin"` using https://token.dev/, then sent a POST request to `/flag` with the token, and I got the flag:

![image](https://hackmd.io/_uploads/BJOor005Jl.png)

***Flag: ACECTF{jwt_cr4ck3d_4dm1n_4cce55_0bt41n3d!}***

>P/s: For anyone who doesn't know where the `/flag` came from, it's in the **robots.txt** file.

### Buried Deep

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/SksZ8AAcyx.png)

>Description:
>"I’m not a hacker. I’m just someone who wants to make the world a little better. But the world isn’t going to change itself." Submit your answer in the following format: ACECTF{3x4mpl3_fl4g} The flag content should be in lowercase letters only. http://34.131.133.224:9998/

According to the challenge's title, I'm definitely sure we have to find some pieces of the flag around the web server.

![image](https://hackmd.io/_uploads/SyHO8CCc1x.png)

Searching the front-end code first (html, css), I found the 3rd part of the flag in the `style.css` file.

![image](https://hackmd.io/_uploads/SyJ2IR09Jl.png)

Rot47 it:

![image](https://hackmd.io/_uploads/rkkRIR05Je.png)

`3rd Part of the Flag is : 7h3_53cr3t5_4r3_bur13d}`

The next step is to look for the **robots.txt** file, since it's very common in most CTF challenges. The 1st part of the flag is in `/buried`:

![image](https://hackmd.io/_uploads/HkaEwC0qJx.png)

Decoding it with hex:

`1st Part of the Flag is : ACECTF{1nf1l7r471ng_7h3_5y573m_ `

The 2nd part of the flag is in `/secret_path`:

![image](https://hackmd.io/_uploads/H19DvCCqJe.png)

Decoding it with morse:

`2ND PART OF THE FLAG IS: 15_345Y_WH3N_Y0U_KN0W_WH3R3_`

Combine them all, and according to the description the flag is all in lowercase, so the flag is:

***ACECTF{1nf1l7r471ng_7h3_5y573m_15_345y_wh3n_y0u_kn0w_wh3r3_7h3_53cr3t5_4r3_bur13d}***

### Flag-Fetcher

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/SJCW_RCcyx.png)

>Description:
>Hey guys, I created a flag fetcher using some web stacks & technologies.
>It was supposed to fetch the flag.webp image file which contains the flag but there was some kind of error in doing that. Can you verify it? Maybe just get the flag I don't really care if you fix it or not. http://34.131.133.224/Flag-Fetcher/

For this challenge, the flag is in the `index--6xk1ldU.js` file of the server. Scrolling down to the end, we can see the content of the flag:

![image](https://hackmd.io/_uploads/BypAOARckg.png)

***Flag: ACECTF{r3d1r3ct10n}***

## Pwn

### !Underflow

![image](https://hackmd.io/_uploads/HkveD0AqJe.png)

>Author: t4t3012
>Description: Something simple to warm you up.

Flag in `print_flag()`:

![image](https://hackmd.io/_uploads/BJm8vy1oyl.png)

Flag: `ACECTF{buff3r_0v3rfl3w}`

### jumPIEng

![image](https://hackmd.io/_uploads/Hk18d1koye.png)

>Author: t4t3012
>Description: Harry, a rookie in CTFs just begun learning binary exploitation and was fascinated with how PIE works. So, he now believes that no matter how much information you have about the addresses, you cannot leak the flag from his binary because it has PIE enabled. Good luck proving him wrong.

![image](https://hackmd.io/_uploads/HkP4dkJskg.png)

![image](https://hackmd.io/_uploads/HJR__Jkjkg.png)

![image](https://hackmd.io/_uploads/S1OA_kJiyg.png)

![image](https://hackmd.io/_uploads/S1GzFJ1iJg.png)

Flag: `ACECTF{57up1d_57up1d_h4rry}`

### Running Out of Time

![image](https://hackmd.io/_uploads/S1X9t1yjJl.png)

>Author: t4t3012
>Description: A mysterious program asks for a specific number, but the correct value changes every time you run it. Can you figure out how the number is generated and retrieve the hidden flag?
>
>Analyze the binary, reverse-engineer the logic, and find a way to predict the correct input to trigger the win condition.
```c
int p3xr9q_t1zz()
{
  _BYTE v1[27]; // [rsp+20h] [rbp-20h]
  char v2; // [rsp+3Bh] [rbp-5h]
  unsigned int i; // [rsp+3Ch] [rbp-4h]

  v1[0] = 29;
  v1[1] = 27;
  v1[2] = 71;
  v1[3] = 25;
  v1[4] = 117;
  v1[5] = 31;
  v1[6] = 29;
  v1[7] = 26;
  v1[8] = 90;
  v1[9] = 90;
  v1[10] = 25;
  v1[11] = 78;
  v2 = 42;
  printf("Success! Here is your output: ");
  for ( i = 0; i <= 0xB; ++i )
    putchar(v2 ^ v1[i]);
  return putchar(10);
}
```

Script:

```python
# Bytes and single-byte XOR key copied from the decompiled function above
v1 = [29, 27, 71, 25, 117, 31, 29, 26, 90, 90, 25, 78]
v2 = 42
decoded_output = ''.join(chr(v ^ v2) for v in v1)
print(decoded_output)
```

Flag: `ACECTF{71m3_570pp3d}`

## OSINT

### Fall of 2022

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/BkfEKRC91x.png)

>Description: It was a peaceful time — schools were over, college admissions were delayed, and COVID was slowly on the decline. It seemed like the perfect time to relax and check my phone for her txts. The funny thing is, I never got any. So I considered it just another gloomy year. Anyways, here’s the domain for this CTF: acectf.tech What? You already knew this domain? Oh, I guess you’ll have no trouble finding the flag then.

The challenge gives a big hint about TXT. For those who don't know, a TXT record is a type of DNS record that allows the domain owner to store arbitrary text information within the DNS system. These records are often used to provide verification data, security information (like SPF, DKIM, or DMARC records), or even custom metadata for applications.

In the context of Capture The Flag (CTF) challenges, TXT records are sometimes used to hide clues, secret keys, or flags directly within the domain’s DNS information. This means that solving the challenge could involve performing a DNS query to extract the TXT record associated with the given domain.
To solve this challenge, we can use `dig` to retrieve the content of the domain's **TXT record**:

`dig txt acectf.tech`

![image](https://hackmd.io/_uploads/Skfgh0RqJx.png)

***Flag: ACECTF{y0u_g07_7h3_73x7}***

### The Symphony of Greatness

![image](https://hackmd.io/_uploads/HJyV3AR9kx.png)

>Description:
>Hey everyone, myself modernlouis. I remember starting to explore music outside of my native language years ago. Back then, I was just a kid, trying something completely new and unfamiliar. At first, I did it to feel included with others who were effortlessly singing along to the most popular songs of the time. Over the years, I listened to a lot of artists, but for a long time, I couldn’t settle on an all-time favorite. That changed during the recent pandemic. With all the extra time on my hands, I dove deeper into my love for music. Slowly and without even realizing it, I found myself drawn to a specific kind of sound. What kind of music, you ask? Well, not the ones filled with meaningless words just to make rhymes. Not the albums entirely focused on heartbreak stories. And definitely not the tracks made just to curse or diss someone—come on, let’s move past that. I admire musicians who showcase raw vocal talent, seamlessly blend different genres, and have a signature sound that was instantly recognizable and highly danceable. Now, here’s the challenge: Your task is to figure out which band I’m talking about. The biggest hint? Me... Flag Format: The Flag is the band's name followed by their most streamed song, in this format: ACECTF{band_name_song_name} Example: If the band is One Direction and their most streamed song is Night Changes, then the flag would be: ACECTF{0n3_d1r3c710n_n16h7_ch4n635}

Well, in this challenge, we were given a username called `modernlouis`, so let's start an investigation on this user. Using `namecheckup.com`, I've found that this username is available on many sites.
Since the challenge is about music, the most likely site is genius.com, a well-known platform where users contribute song lyrics, annotations, and even artist information.

![image](https://hackmd.io/_uploads/r1iQk1JsJe.png)

![image](https://hackmd.io/_uploads/SJ1D1Jyjkg.png)

There is a weird string in his bio. This is definitely a default username of a Spotify user, so let's have a look on Spotify :>.

![Screenshot_2025-02-28_140239_optimized_1000](https://hackmd.io/_uploads/rkA-lJJs1x.png)

Looks like we're on the right track. He has a playlist which shows his favorite music.

![Screenshot_2025-02-28_140504_optimized_1000](https://hackmd.io/_uploads/HJKtlJyjJl.png)

So his favorite band is `Modern Talking`, and their most streamed song must be `Cheri Cheri Lady`.

So our flag is: ***ACECTF{m0d3rn_74lk1ng_ch3r1_ch3r1_l4dy}***

### Social Circles

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/SkhyZJkoke.png)

>Description:
>Hey guys, my friend is starting a gaming channel—go sub to @AhjussiPlayz on Youtube!

![image](https://hackmd.io/_uploads/HkDzWkki1l.png)

His channel has only one video. Viewing it, we can see only one subtitle; changing the language to Korean, a mystery appears:

![image](https://hackmd.io/_uploads/rkdRWkkoJg.png)

![image](https://hackmd.io/_uploads/BkNlM1yjkx.png)

He mentioned his friend named `wimebix884`. Using `blackbird` on the given username:

![Screenshot_2025-02-28_141722_optimized_1000](https://hackmd.io/_uploads/SkbdQ1kokl.png)

Trying every single site, we discovered that the username `wimebix884` is available on smule.com.

![image](https://hackmd.io/_uploads/HJflNJJi1e.png)

And there we go: the `Flag Debauchery` leads us to a Google Drive folder which contains an mp3 file, and listening to that mp3 file gives us the flag.
***Flag: ACECTF{MUL71M3D14_F146}***

### For The Fans

>Author: nh0kt1g3r12

![image](https://hackmd.io/_uploads/B12wEyJsJx.png)

>Description:
>Yo, I’ve lowkey always been a Drake fan, that’s why my username’s "DrakeSaltyOVO". It was literally everywhere on my dashboard until I had to take it down 'cause people just kept hating. But, like, that’s one thing I’ve always related to with my guy Drake, and honestly, I’ve been an even bigger fan ever since. 😂 Ya, laugh all you want, but I’m literally the only one with the flag fr, rofl!

We were provided with a username called `DrakeSaltyOVO`. Using `sherlock` always gives me good results:

![Screenshot_2025-02-28_142653_optimized_1000](https://hackmd.io/_uploads/H1tt81ksyx.png)

So we have his Twitter; let's start the investigation.

![image](https://hackmd.io/_uploads/S1ETU11iJx.png)

According to his tweets, he has a blog, and possibly he won't use his username, which is `DrakeSaltyOVO`, on that blog. He shows us his birthday and a password test, so he probably uses his birthday as his password. Searching his X username salty-senpai-drake1 using a Google dork:

![image](https://hackmd.io/_uploads/B1hvKyksyg.png)

We could see his blogs on Tumbig:

![image](https://hackmd.io/_uploads/rJUjK1yjye.png)

Decoding the base64 content, we got a 7z file. Using his birthday as the password (2000914), the content of flag.txt is:

***ACECTF{y0u_b3773r_41nt_h4t3}***

### The Mysterious Building

>Author: t4t3012
>
> ![OSINT-1 (2)](https://hackmd.io/_uploads/BkFpRxkoyg.jpg)

Using exiftool on the image, we can see the description of the picture:

![image](https://hackmd.io/_uploads/Hkfo0lkikl.png)

Searching Google for the New Delhi TV Tower (since New Delhi is the national capital of India), I found this:

![image](https://hackmd.io/_uploads/BkL71W1s1g.png)

![image](https://hackmd.io/_uploads/rkxTk-ks1g.png)

![image](https://hackmd.io/_uploads/SJzRdgkske.png)

Flag: `ACECTF{pp_trade_center}`