# CatWithASteg - We are given a file named `hiden.jpg`, which is an invalid `.jpg` file. - Reading the file's header, we are met with: ```bash $ hexdump -C hiden.jpg | head 00000000 01 23 45 67 89 01 23 45 67 89 01 23 45 67 89 01 |.#Eg..#Eg..#Eg..| 00000010 23 45 67 89 aa aa aa aa ff 8d ff 0e 00 10 4a 46 |#Eg...........JF| 00000020 49 46 00 01 01 01 00 60 00 60 00 00 ff e1 00 be |IF.....`.`......| 00000030 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 06 |Exif..MM.*......| 00000040 01 12 00 03 00 00 00 01 00 01 00 00 01 1a 00 05 |................| 00000050 00 00 00 01 00 00 00 56 01 1b 00 05 00 00 00 01 |.......V........| 00000060 00 00 00 5e 01 28 00 03 00 00 00 01 00 02 00 00 |...^.(..........| 00000070 02 13 00 03 00 00 00 01 00 01 00 00 87 69 00 04 |.............i..| 00000080 00 00 00 01 00 00 00 66 00 00 00 00 00 00 00 60 |.......f.......`| 00000090 00 00 00 01 00 00 00 60 00 00 00 01 00 06 90 00 |.......`........| ``` - We can see garbage date from line 0 to 10, from `01` to `aa`. To fix this, we need to extract the image by writing this file to another file, but skipping the first 24 bytes. ```sh $ dd if=hiden.jpg of=fixed.jpg bs=1 skip=24 5857+1 records in 5857+1 records out 140589 bytes (141 kB, 137 KiB) copied, 0.000000000001 s, 9999.99 TB/s ``` - However, it's still not a valid image because byte at 02 and 04 are wrong. Using tools like `dhex`, we fix the two bytes `8d` and `0e` into `d8` and `e0`, the resulting image is:  Flag: `W1{Y0u_4r3_v3ry_g00d_m3ow!}` --- # Free Flag On Network - We are given a file `chall.pcapng`, reading the file gives up multiple POST request with the name `flag*.txt`, which mean the flag is fragmented and encoded with Base64, we first extract the fragments to a single file. - The resulting file is a `.png` file, but all of it's chunks are flipped! We can fix the image by using this script. ```bash= #!/usr/bin/sh for i in `seq 1 100` do sed -n "$i"p flag-reverse.png | base64 -d | xxd -p -c1 | tac | xxd -p -r >> flag.png done ```  Flag: `W1{W3llc0me_to_For3nS1cs}` --- # What is it? - We are given an audio file which contains morse code. Translating the morse code gives us `passwordisgoodluck`, which looks like a `steghide` password. ```bash $ steghide extract -sf chall.wav -p 'passwordisgoodluck' wrote extracted data to "hidden.zip" ``` - Extracting `hidden.zip` gives us 2 files: `part1.txt` and `next2.zip` - The file `part1.txt` reads `W1{s0m3_7h1ng5_1n`, which is half of our flag. - The file `next2.zip` has it's bits flipped every byte. To fix this, we have this script: ```bash! #!/usr/bin/sh xxd -p "next2.zip" | tr -d '\n' | \ awk '{for(i=1;i<=length($0);i+=4) printf substr($0,i+2,2) substr($0,i,2)}' | \ xxd -r -p > "fixed.zip" unzip "fixed.zip" ``` - The result is the following image:  Flag: `W1{s0m3_7h1ng5_1n_7h15_4ud10}` --- # Paranoid ## Part 1 - We are given a password-protected zip file `Challenge.zip`. The given password is `Y9vSetBNi01L`, we first extract this zip file by running: ```bash $ 7z x -p 'Y9vSetBNi01L' Challenge.zip ``` - The zip file deflates into the following directories: ``` Challenge └── C ├── $Recycle.Bin ├── Users └── Windows ``` - Navigate into `$Recycle.Bin`, we then have the following files: ``` $Recycle.Bin └── S-1-5-21-2765701107-1008841495-107006118-1001 ├── $IF8GDZ2.lnk ├── $IOPM1D5.txt ├── $RF8GDZ2.lnk ├── $ROPM1D5.txt └── desktop.ini ``` - Reading `$ROPM1D5` gives us the first part of our flag encrypted with base64 and base32. ```bash! $ cat '$ROPM1D5' TODO: - Learning about Windows operating system. - Is there a way to store data secretly? - Someone send me this message: V2UgaGF2ZSBiZWVuIGtlZXBpbmcgdHJhY2sgb2YgeW91IGZvciBvdmVyIGEgbW9udGggbm93LiBTb29uLCB3ZSB3aWxsIGhhY2sgeW91ciBkYXRhLiBIZXJlIGlzIG91ciBmaXJzdCBtZXNzYWdlOiBLNFlYV05DN09ZWlhFNks3TU5XRElOSlZHRlJWNj09PQ== $ echo 'V2UgaGF2ZSBiZWVuIGtlZXBpbmcgdHJhY2sgb2YgeW91IGZvciBvdmVyIGEgbW9udGggbm93LiBTb29uLCB3ZSB3aWxsIGhhY2sgeW91ciBkYXRhLiBIZXJlIGlzIG91ciBmaXJzdCBtZXNzYWdlOiBLNFlYV05DN09ZWlhFNks3TU5XRElOSlZHRlJWNj09PQ==' | base64 -d We have been keeping track of you for over a month now. Soon, we will hack your data. Here is our first message: K4YXWNC7OYZXE6K7MNWDINJVGFRV6=== $ echo 'K4YXWNC7OYZXE6K7MNWDINJVGFRV6===' | base32 -d W1{4_v3ry_cl4551c_ ``` - First part of the flag: `W1{4_v3ry_cl4551c_` ## Part 2 - Next, reading `$IF8GDZ2.lnk` gives us: ```bash $ strings '$RF8GDZ2.lnk' /C:\ 8[2U PROGRA~1 XD;8[4U. 8[3U VERACR~1 8[2U8[4U. 8[3U VERACR~1.EXE 8[3U8[4U. C:\Program Files\VeraCrypt\VeraCrypt.exe desktop-e28o89c 1SPSU(L 1SPS ``` - This gives us a hint that [VeraCrypt](veracrypt.io) - a disk encryptor - might have been used to hide the next part of our flag. - We then navigate into `Users/KoishiKomeiji/Documents`, which then gives us 2 suspicious files: ``` KoishiKomeiji └── Documents ├── desktop.ini ├── more_secret ├── nothing_here.txt └── secret.kdbx ``` - The `secret.kbdx` file is a database file for KeepassXC - a password manager. - The `more_secret` file is unknown. One interesting fact about it is it's size. ```bash $ du more_secret 10240 more_secret ``` - We know that **Veracrypt** has been used on this computer based on the previous hint. **Veracrypt** encrypts filesystem with a block size of `512`, of which `10240 / 512 = 20`, a perfect integer! Now we can say for sure that `more_secret` is a **Veracrypt** file. But we still need to find the *keys* to open it. - By navigating into `Users/KoishiKomeiji/Pictures`, we are met with: ``` Pictures ├── desktop.ini ├── i_m_bored.bmp └── my_cats ``` - This is what the `i_m_bored.bmp` looks like.  - The text reads: `keepass:1_am_b3h1nd_U!`. That gives the password for the previously found `secret.kbdx` file! - Opening it up, the password for the **Veracrypt** file is `YHG8YjFscyZRVDtJV1TH` along with a note that says *"also, my favourite cat is a key too!"*. Which mean that the **Veracrypt** file was encrypted with a **passphrase** and a **keyfile**. - Inside the `my_cats` directory, we have 5 pictures of 5 different cats. By bruteforcing, the `cat4.jpg` file is the correct keyfile. - By mounting the decrypted file, we are met with a peculiar file called `secret_token.txt`, which reads: ```bash $ cat secret_token.txt API Token for my hidden web app: SECRET-X-KEY=T2theSwgeW91IGdvdCB0aGlzISBIZXJlIGlzIHBhcnQgMjogbl8zel9kZjFyXw ``` - Yes! We have found another clue, but this time it's a LIE! There are actually no web apps, the token is actually our flag, but encrypted with base64. ```bash $ echo 'T2theSwgeW91IGdvdCB0aGlzISBIZXJlIGlzIHBhcnQgMjogbl8zel9kZjFyXw==' | base64 -d Okay, you got this! Here is part 2: n_3z_df1r_ ``` - Which give us the second part of our flag: `n_3z_df1r_` ## Part 3 - Going into `Users/KoishiKomeiji/Desktop`, we are met with: ``` Desktop ├── desktop.ini ├── 'Microsoft Edge.lnk' └── new_note.txt ``` - Reading `new_note.txt`, we get the following text: ```bash $ cat new_note.txt TODO: - Learning more about Windows (maybe learning about PowerShell is a good idea!). - I need to be more careful. Someone is watching me recently. - Asking for cat food since our cat Orin is hungry. - Learning how to use both password and file as a key for disk encryption. ``` - The first line hinted at some PowerShell activity. Which is often recorder in an `.evtx` file. ```bash $ find -name '*.evtx' ./C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Admin.evtx ./C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Operational.evtx ./C/Windows/System32/winevt/logs/Windows PowerShell.evtx ``` - By reading `Microsoft-Windows-PowerShell%4Operational.evtx`, either on *Windows*, or with `evtx_dump` on Linux we are met with interesting activities by the owner. ```xml! ... <Data Name="ScriptBlockText">$k=[Convert]::FromBase64String(&quot;XAAeAgAAAAaAAFAAAAAAFAAAAAAFAAAAAAFAAGAAAAA=&quot;);$iv=[Convert]::FromBase64String(&quot;ABBCCDDEEFAAXXAAAAEAFA==&quot;);$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$aes.IV=$iv;$aes.Mode=&quot;CBC&quot;;$aes.Padding=&quot;PKCS7&quot;;[IO.File]::WriteAllBytes(&quot;what.enc&quot;,($aes.CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes(&quot;part3.txt&quot;),0,(Get-Item &quot;part3.txt&quot;).Length)));Remove-Item &quot;part3.txt&quot; -Force</Data> <Data Name="ScriptBlockId">f310491a-a6cb-4763-8939-9192971f8b9f</Data> ... <Data Name="ScriptBlockText">$k=[Convert]::FromBase64String(&quot;isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=&quot;);$iv=[Convert]::FromBase64String(&quot;ABBCCDDEEFAAXXAAAAEAFA==&quot;);$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$aes.IV=$iv;$aes.Mode=&quot;CBC&quot;;$aes.Padding=&quot;PKCS7&quot;;[IO.File]::WriteAllBytes(&quot;again.enc&quot;,($aes.CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes(&quot;part3.txt&quot;),0,(Get-Item &quot;part3.txt&quot;).Length)));Remove-Item &quot;part3.txt&quot; -Force</Data> <Data Name="ScriptBlockId">7db6a942-b08c-473b-9e18-a3a87913d0b2</Data> ... ``` - This suggests that some `part3.txt` file has been encrypted with *AES-CBC* from a file called `again.enc` and `what.enc` - The logs also gives us three very important data which can be useful for decrypting later on: 1. The encryption key: `XAAeAgAAAAaAAFAAAAAAFAAAAAAFAAAAAAFAAGAAAAA=` 2. Another encryption key: `isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=` 3. The IV (Initilization Vector): `ABBCCDDEEFAAXXAAAAEAFA==` - Finding `again.enc` gives us nothing, but we are able to find `what.enc` ```bash $ find -name 'what.enc' ./C/Users/KoishiKomeiji/AppData/Local/Temp/what.enc ``` - By using a tool like [CyberChef](https://cyberchef.io/), we can start our decryption. - With: 1. The encryption key: `isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=`. 2. The IV: `ABBCCDDEEFAAXXAAAAEAFA==`. - We get the following message: ``` Yay! U found me! Here is ur final part: 7nQ0;92dTA:J+,V;c,>Q9f5pO:Kg(d9hnGR9iWrO:JilK<A[ZI:KgUr6TmRq ``` - This is a string encoded in Base85, after decoding we get a Base32 string, then Base58, then finally Base64, which gives us: ```bash $ echo "Y2g0bGxfcjFnaDc/fQ==" | base64 -d ch4ll_r1gh7?} ``` - Our final part of the flag: `ch4ll_r1gh7?}` Flag: `W1{4_v3ry_cl4551c_n_3z_df1r_ch4ll_r1gh7?}` --- # Unreliable supporter - We first access the challenge's server by running the given script. ```bash! $ nc 61.28.236.247 1279 Before accessing the service, you must solve a proof of work (PoW) challenge. Just run the solver with the following command: python3 <(curl -sSL https://goo.gle/kctf-pow) solve <ID> =================== Solution? <ADD_YOUR_TOKEN_HERE> $ python3 <(curl -sSL https://goo.gle/kctf-pow) solve <ID> Solution: <TOKEN> ``` - After plugin in our token, the first question is as followed: ``` [1]. What app did the user use to connect with the supporter? [Text] ==> ``` - By navigating into `C:/Program Files`, we see a single `TeamViewer` directory. This is a directory for **TeamViewer** - a program that allows remote access control. From there we are able to answer the first question. ```! [1]. What app did the user use to connect with the supporter? [Text] ==> Teamviewer Correct! [2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss] ``` - Inside the `TeamViewer` directory, we are able to find a log file: `TeamViewer15_Logfile.log` - According to TeamViewer's documentation, we are able to find the successful connection time by finding the `CPersistentParticipantManager::AddParticipant:` keyword. ```bash! $ grep 'CPersistentParticipantManager::AddParticipant:' TeamViewer15_Logfile.log 2025/09/24 16:00:47.571 10336 10360 S0 CPersistentParticipantManager::AddParticipant: [835637453,-2031617936] type=3 name=CONAN 2025/09/24 16:00:47.573 10336 10356 S0 CPersistentParticipantManager::AddParticipant: [835637453,-2031617936] type=3 name=CONAN 2025/09/24 16:00:47.581 10336 10360 S0 CPersistentParticipantManager::AddParticipant: [838465849,-1253335535] type=6 name=Thinh Dinh Quoc ``` - The host will have the ID `type=3` and the client wil have the ID `type=6` - From here, we can extract the time in the given format: `2025/09/24 16:00:47` ``` [2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss] ==> 2025/09/24 16:00:47 Wrong answer! Disconnected. Bye! ``` - Hmm, maybe the answer isn't the *Successful Connection Attempt*, but on a *handshake*? ```bash! $ grep 'CreateServerHandshake' TeamViewer15_Logfile.log 2025/09/24 16:00:35.026 10336 10356 S0 tvsecurenetworkimpl::SecureNetworkHandshakeFactoryTVSession::CreateServerHandshake: Using secure network handshake type: 0 ``` - Our answer is `2025/09/24 16:00:35` ```! [2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss] ==> 2025/09/24 16:00:35 Correct! [3]. Which file did the attacker exfiltrate first from the victim's computer? [File.ext] ``` - According to TeamViewer's documentation, we are able to trace transfered file with the `Send file` keyword. ```bash! $ grep 'Send file' TeamViewer15_Logfile.log 2025/09/24 16:04:11.776 5828 9584 G1 Send file C:\Users\iamqt\Documents\secret\account.txt 2025/09/24 16:05:10.414 5828 9584 G1 Send file C:\Users\iamqt\Favorites\Links\secret.zip ``` - The first stolen file is `account.txt`, we are also able to answer the following question. ```! [3]. Which file did the attacker exfiltrate first from the victim's computer? [File.ext] ==> account.txt Correct! [4]. What is the full path of the .zip file the attacker obtained? [full path] ==> C:\Users\iamqt\Favorites\Links\secret.zip Correct! [5]. What is the password for that .zip file? [Text] ==> ``` - Moving to `C:/Users/iamqt/Favourites/Links`, we are able to find a zip file `c3507d5b8fa65c7e08a7f4c9075d6b39.zip`. Trying to unzip this file prompts us for a password. This is `secret.zip`, but renamed somehow. This will be important later on. - According to our previous answer, the attacker also stole `account.txt`. Traversing to `C/Users/iamqt/Documents/secret/` gives us a text file `2064c76a06fd0048e38261b5c8b01597.txt`, which reads: ```bash $ cat '2064c76a06fd0048e38261b5c8b01597.txt' app,username,password facebook,user01,password123 zalo,0232167876,12345678 uit,26529999,qwerty2025 gmail,fakemail@gmail.com,letmein! secret.zip,.,****** ``` - The password to the zip file is redacted, but has 6 characters, we can bruteforce the password using the `rockyou` wordlist and JohnTheRipper ```bash! $ zip2john c3507d5b8fa65c7e08a7f4c9075d6b39.zip > zip.hash ver 1.0 efh 5455 efh 7875 c3507d5b8fa65c7e08a7f4c9075d6b39.zip/message.txt PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=11D1EC96 $ Warning: invalid UTF-8 seen reading rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 16 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status iloveu (c3507d5b8fa65c7e08a7f4c9075d6b39.zip/message.txt) 1g 0:00:00:00 DONE (2025-10-09 13:02) 33.33g/s 118200p/s 118200c/s 118200C/s 123456..sss Use the "--show" option to display all of the cracked passwords reliably Session complete ``` - Our password is `iloveu` ```! [5]. What is the password for that .zip file? [Text] ==> iloveu Correct! [6]. Which file did the attacker transfer to the victim's computer for malicious purposes? [Text] ==> ``` - Going to `C/Users/iamqt`, we find a file named `aShjKg`, which reads: ```python= import os,hashlib self_path = os.path.abspath(__file__) if '__file__' in globals() else None for root,_,files in os.walk('.'): for f in files: old = os.path.join(root,f) if self_path and os.path.abspath(old) == self_path: continue new = os.path.join(root, hashlib.md5(f.encode()).hexdigest() + os.path.splitext(f)[1]) try: os.rename(old, new) except (PermissionError, FileNotFoundError, OSError): continue ``` - This script replaces rename files with their **MD5** hash, which is malicious. - Furthermore, the log shows that this file was sent to the User. ``` 2025/09/24 16:05:24.934 5828 9584 G1 Write file C:\Users\iamqt\aShjKg 2025/09/24 16:05:24.960 5828 9584 G1 Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (274 Bytes) 2025/09/24 16:09:00.598 5828 9584 G1 Write file C:\Users\iamqt\aShjKg 2025/09/24 16:09:00.618 5828 9584 G1 Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (381 Bytes) 2025/09/24 16:10:41.798 5828 9584 G1 Write file C:\Users\iamqt\aShjKg 2025/09/24 16:10:41.810 5828 9584 G1 Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (503 Bytes) ``` - So that concludes the question. (PS: The actual answer is aShjK**q** due to a technical error.) ```! [6]. Which file did the attacker transfer to the victim's computer for malicious purposes? [Text] ==> aShjKq Correct! [7]. Identify the cryptographic/hash algorithm employed by the attacker to modify files on the victim's system. [Text] ==> ``` - The hash algorithm is MD5, as shown in the Python script: ` hashlib.md5(f.encode()).hexdigest()` ``` [7]. Identify the cryptographic/hash algorithm employed by the attacker to modify files on the victim's system. [Text] ==> md5 Correct! Congratulations! Here is your flag: W1{h0w_c0uld_y0u_s0lve_th1s_ch4ll3ng3!!} ``` Flag: `W1{h0w_c0uld_y0u_s0lve_th1s_ch4ll3ng3!!}` --- # What's wrong with my computer - We are given an `.ad1` file (+1 dot nha @KetSoSad), extracting it with **FTK Imager** on Windows or `ad1-tools` on Linux yields us a Windows User Directory ```bash $ sudo ad1extract -i 'Chall.ad1' -d './temp/' ``` - Navigating into `DUNG/Documents` gives us two files with both being encrypted: `flag.txt.enc` and `notsomethingshere.txt.enc` - We then navigate to `DUNG/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine`, which contain a Shell History file `ConsoleHost_history.txt` - The file shows interesting activities from the User. ```powershell= ... $key = [System.Text.Encoding]::UTF8.GetBytes("ThisIsA16ByteKey") $iv = [System.Text.Encoding]::UTF8.GetBytes("ThisIsA16ByteIV!") $folderPath = "C:\Users\DUNG\Documents" function Encrypt-File {` param (` [string]$filePath,` [byte[]]$key,` [byte[]]$iv` )` ` $data = [System.IO.File]::ReadAllBytes($filePath)` ` $blockSize = 16` $padLength = $blockSize - ($data.Length % $blockSize)` $padded = $data + ([byte[]]@($padLength) * $padLength)` ` $aes = [System.Security.Cryptography.Aes]::Create()` $aes.Mode = "CBC"` $aes.Key = $key` $aes.IV = $iv` $aes.Padding = "None"` ` $encryptor = $aes.CreateEncryptor()` $cipherBytes = $encryptor.TransformFinalBlock($padded, 0, $padded.Length)` ` $encPath = "$filePath.enc"` [System.IO.File]::WriteAllBytes($encPath, $cipherBytes)` ` Remove-Item -Path $filePath -Force` } ... ``` - From here we know that the User encrypted everything on this drive with AES-CBC with: - The key: `ThisIsA16ByteKey` in UTF-8 Bytes. - The IV: `ThisIsA16ByteIV!` in UTF-8 Bytes. - Both of the strings have **16 characters** and encoded with **UTF-8**, with `16 * 8 = 128` so the encryption is AES-128-CBC - To get the UTF-8 Bytes of these two keys: ``` $ printf 'ThisIsA16ByteKey' | od -A n -t x1 | tr -d ' ' 546869734973413136427974654b6579 $ printf 'ThisIsA16ByteIV!' | od -A n -t x1 | tr -d ' ' 54686973497341313642797465495621 ``` - Notice how we use `printf` instead of `echo`, since `echo` automatically add `\n` after every string. - We can then go back to the two encrypted text file: `flag.txt.enc` and `notsomethingshere.txt.enc`. - We can decrypt the two files with `openssl` ```bash! $ openssl enc -d -aes-128-cbc -in flag.txt.enc -out flag.txt -K '546869734973413136427974654b6579' -iv '54686973497341313642797465495621' $ openssl enc -d -aes-128-cbc -in notsomethingshere.txt.enc -out notsomethingshere.txt -K '546869734973413136427974654b6579' -iv '54686973497341313642797465495621' ``` - The first file contains a link to a Rick Roll (+2 dot nha @KetSoSad 😡) - The second file reads: ``` Oh, my brain!!!!!!!!!!!!!!!!!! https://ideone.com/mKM5S5 ``` - Accessing the site gives us: ```brainfuck +[--->++<]>+.[------->+<]>.[----->++<]>+.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>-.---[->++<]>-.[--->+<]>--.+++[++>---<]>.+++++[->++<]>+.+++.----.[-->+<]>---.---[->++<]>-.++++.+++++.[-->+<]>.++[->++<]>..-------------.+[-->+<]>+.-[----->+<]>--.---------------.+++++.+++++.+[-->+<]>.[->++<]>+.>--[-->+++<]>. ``` - Along with the clue `Oh, my brain!!!!!!!!!!!!!!!!!!`, this is Brainfuck - an esoteric programming language. Interpreting the code gives us the flag. ```bash! echo '+[--->++<]>+.[------->+<]>.[----->++<]>+.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>-.---[->++<]>-.[--->+<]>--.+++[++>---<]>.+++++[->++<]>+.+++.----.[-->+<]>---.---[->++<]>-.++++.+++++.[-->+<]>.++[->++<]>..-------------.+[-->+<]>+.-[----->+<]>--.---------------.+++++.+++++.+[-->+<]>.[->++<]>+.>--[-->+++<]>.' >> flag.bfk && bfk flag.bfk W1{Th3_s1mpl3_ch4ll_1n_di5k} ``` Flag: `W1{Th3_s1mpl3_ch4ll_1n_di5k}` --- # Wave second for git - The challenge suggests using Github-CLI (but screw that LOL). - We are given a zip file, extracting it gives us a Git repository. - Inside the repository is our first part of the flag, encoded in Base64 ```bash $ base64 -d flag.txt W1{g1thub_ ``` - Next, we will find all activities inside of the Git repository. ```bash $ git log commit aa97ec424d14947e217575ce87301e4f9a849a3e Author: KetSoSad102 <phanlamdung2006@gmail.com> Date: Thu Oct 2 09:14:19 2025 +0700 second part commit cb85ef07a83f250136558f2c56663cb1c25e08e4 Author: KetSoSad102 <phanlamdung2006@gmail.com> Date: Wed Oct 1 22:05:24 2025 +0700 first commit $ git revert aa97e ``` - Reverting commit `aa97e` gives us a fake flag. So we will read `.git/packed-ref` - which lists all branches and references - for clues. ```bash $ cat .git/packed-ref # pack-refs with: peeled fully-peeled sorted ee3e3573ad65935e9053b907e8c938390684c978 refs/remotes/origin/main aa97ec424d14947e217575ce87301e4f9a849a3e refs/remotes/origin/second 39e9c7b055ab3af29a820cefe7df3ab6140418c0 refs/tags/part3 ^aa97ec424d14947e217575ce87301e4f9a849a3e ``` - We are able to find the second and third flag on branch `origin/second` and object reference `tag/part3` ```bash $ git rebase origin/second $ cat flag.txt INGESX3JGVPXK4ZTMZ2TO=== $ cat flag.txt | base32 -d CLI_i5_us3fu7 ``` - Next, we will inspect the object reference `tag/part3` ``` $ git cat-file -p 39e9c object aa97ec424d14947e217575ce87301e4f9a849a3e type commit tag part3 tagger KetSoSad102 <phanlamdung2006@gmail.com> 1759371843 +0700 Zw4bm2:x ``` - We are given a string, but encrypted with XOR with the key `0x5f`. Decrypting it gives us `_r1gh7?}` Flag: `W1{g1thub_CLI_i5_us3fu7_r1gh7?}`