# CTF@CIT 2025
Link: https://ctftime.org/event/2759
# Crypto
## Rotten
Using ROT13 cipher to decode this: `PVG{LxxdJwAXJGcsDoncKfRctddA}`
**FLAG: CIT{YkkqWjNKWTpfQbapXsEpgqqN}**
# Forensics
## Brainrot Quiz!
Resource: brainrot.pcap
Use Wireshark, it has some ICMP packet. Tracing it and catching the packet No.11 that has the base64 message in Data
Decode base64 and get the flag
**FLAG: CIT{tr4l4l3r0_tr4l4l4}**
## True CTF Love
Resource: The_Flag_Well_Capture_Together.eml
This is an email forensics, to open .eml file, I using this web [EML Analyzer](https://analyzer.sublime.security/)
Flag is hidden in `DKIM-signature`. This has 2 field `b=` - First is encrypt signature, second is base64 of the flag. Decode base64 and get the flag
**FLAG: CIT{i+l0v3_ctf$_t00}**
## We lost the flag
Resource: lost.png
This file is corrupted when opened
Check with HxD, I see that has some hex `JFIF` - this byte is only appearing in JPEG file, and the file signature is corrupted. So my idea is changing the file signature to `JPEG`
Check JPEG file signature with this [List of file signatures](https://en.wikipedia.org/wiki/List_of_file_signatures), fixing it, changing file type to .jpeg, opening it and getting the flag
**FLAG: CIT{us1ng_m4g1c_1t_s33m5}**
## Bits 'n Pieces
Resource: Cache0000.bin
It's a .bin, so first I use HxD to check some bit in header
`RDP8bmp` is RDP bitmap cache. Use [mbc-tools](https://github.com/ANSSI-FR/bmc-tools) to extract bmp file, using option -b to combine all bmp file
```
python3 bmc-tools.py -s Cache0000.bin -d . -b
```
Open the `Cache0000.bin_collage.bmp`
Flag is in the pic.
**FLAG: CIT{c4ch3_m3_if_y0u_c4n}**
## Baller
Resource: baller.zip
When I tried to unzip it, I got this Warning. I thought wrong file extension/wrong bit or mistake structure causes this problem.
Check with HxD, I saw file name `01.txt` so it is real zip file, no mistake with file signature.
To check the hidden files, I used `binwalk` and saw that there were 4 zipped files: `01.txt`, `02.txt`, `03.txt` and a GIF image
Extract with binwalk option -e, but text in those .txt file is not include flag. The GIF image is not extracted with binwalk, so I use `dd` to extract it.
```
dd if=baller.zip of=hidden.gif bs=1 skip=16631
```
Open GIF image
The flag is in the lower right corner
**FLAG: CIT{im_balling_fr}**
# Steganography
## Blank Image
Resource: image.png
This image has size 8x17, so it's hard to see with eyes.
Check with `strings` for content and `zsteg` for lsb, I got the flag.
**FLAG: CIT{n1F0Rsm0Er40}**
## I AM Steve
Resource: ChickenJockey.png
I saw that it has a mini black line in the top of the image, so maybe something was hidden in color bit.
About color bit, using `zsteg` to extract, I got a base64 in `b1,rgb,lsb,xy`
Decode it and get the flag
**FLAG: CIT{THIS_is_a_crafting_table}**
## sw0906
Resource: yoda
It is a data file, first check with HxD
I see something familier. Check with [List of file signatures](https://en.wikipedia.org/wiki/List_of_file_signatures), with first 4 bytes, it looks like JPEG but in reverse.
JPEG starts with `FF D8 FF E0` `00 10 4A 46` `49 46 00 01`
But this starts with `E0 FF D8 FF` and next `46 4A 10 00`
I fixed those bytes but the image was still corrupted.
Finally, I got it, not only magic bytes but also all bytes of file, with 4 consecutive bytes, it is written in reverse. Write a python program to repair it
```python
def fix_reverse_blocks(input_path, output_path):
with open(input_path, "rb") as f:
data = f.read()
fixed_data = bytearray()
# Xử lý từng block 4 byte
for i in range(0, len(data), 4):
block = data[i:i+4]
fixed_data.extend(block[::-1]) # đảo ngược block
with open(output_path, "wb") as f:
f.write(fixed_data)
print(f"Đã ghi file đã sửa vào: {output_path}")
# Ví dụ dùng
fix_reverse_blocks("yoda", "output_yoda.jpeg")
```
Open fix file and get the flag
**FLAG: CIT{h1dd3n_n0_m0r3_1t_i5}**
## Sorry, you're NOT a sigma
Resource: lion.mp4
The describe give the hint "track" so I just follow it.
Use `ffmpeg` to show all track in mp4, I use [ffmpeg online](https://ffmpeg-online.vercel.app/?inputOptions=-i&output=output.mp4&outputOptions=)
```
ffmpeg -i lion.mp4
```
This show all streams (track) in the file
There are 3 streams (#0:0, #0:1 and #0:2)
- Stream 0:0 - Video - It seems normal video
- Stream 0:1 - Audio (48kHz Stereo) - Default audio
- Stream 0:2 - Audio (22kHz Stereo) - Sus!!!, 22050 Hz is low rate to hide info
Extract this track with ffmpeg
```
ffmpeg -i lion.mp4 -map 0:2 -c copy hidden_audio.aac
```
Covert to `.wav` for analysis
```
ffmpeg -i hidden_audio.aac hidden_audio.wav
```
Open with `Audacity` and use mode `Spectrogram`
Get an image about command. Run this command and get the flag
**FLAG: CIT{wh3n_th3_l10n_sp34k5_y0u_l1st3n}**
## Queen's Gambit
Use zsteg to extract lsb, get the chess move
Put it in chess board, I see the word "PWN"
**FLAG: CIT{PWN}**
# MISC
## Robots
Check /robots.txt in url
**FLAG: CIT{m6F2nr8RgjYI}**
## Calculator
Resource: calculator.lua
This code is just to trick players.
At the end of the file, finding something maybe is the main of this challenge
It looks like `Whitespace language`, so I use [dcode](https://www.dcode.fr/whitespace-language) to decode it
**FLAG: CIT{hft4bT0415Lb}**
## Select all squares that contain uhh...
Follow that link, I get a website when I click on reCAPTCHA, it creates a powershell command in my clipboard
That command is so suss!!, it is an obfuscation powershell that seem run something bad in my PC, but I trust the author =)) so just run it (~~I run it in virtual machine~~)
Deobfuscation that command is quite hard for me, so I check Windows Event about file creation and open some directories I think it could be found.
It is in `Local/Temp/`
**FLAG: CIT{th1s_a1nt_m4lw4r3_d0nt_w0rry}**
## What am I Hearing
It seems like morse code, let's decode it
Receive a text with ".", "?", "!" - search a lot and a lot or use [Dcode cipher indentifier](https://www.dcode.fr/cipher-identifier), it is [Ook! language](https://esolangs.org/wiki/Ook!), a type of Brainfuck language.
Decode it with [dcode](https://www.dcode.fr/ook-language)
**FLAG: CIT{zG48r2FBR6Wn}**
## Malware Analysis
It is a malware, so I put it in [VirusTotal](https://www.virustotal.com/)
Flag is in the `Name` field
**FLAG: CIT{y6Z97OnNt79F}**
# OSINT
## No Country for Old Keys
Searching and finding there are two media: `linkedin and github`. About API key, check github
It has only one project, check it's commits (there are 7 commits)
Check `removed my API key` commit and get it
**FLAG: CIT{ap9gt04qtxcqfin9}**
## The Domain Always Resolves Twice
The github has no more information, go to visit the linkedin
He has a post a about website and domain.
"And here's a fun fact – he even registered his domain with my favorite registrar! 😎 This guy… dare I say it... ROCKS!"
Let's check this domain with [Whois](https://who.is/)
**FLAG: CIT{GoDaddy.com}**
## Throwback to the Future
There no more information in Linkedin, next searching with username found in github (antmcconn)
Found an X account [antmcconn](https://x.com/antmcconn)
See a post with hashtag `#throwback`, so we need to check the day of this event.
Search with Google Lens
It is in Gillette Stadium
Now, using the power of Artificial Intelligence. :fire:
**FLAG: CIT{10/22/2023}**
## Timesink
Searching using Google Lens with that brigde
It is "Little Nestucca River Bridge II"
The road name is the flag
**FLAG: CIT{Little_Nestucca_River_Rd}**
# Reverse Engineering
## Read Only
Use `IDA` to open it
Check the `start function`
It call to `sub_407C05 function`, so I follow that.
The flag is show through v6, and v6 reads the string CIT{87z1BjG1968G} so It is the flag.
**FLAG: CIT{87z1BjG1968G}**
# Conclusion
CTF@CIT is suitable for beginners. This event, I played solo. At least, I solved all forensics challenges. Hope you enjoy my writeups. :rolling_on_the_floor_laughing: :rolling_on_the_floor_laughing:.
Google Drive
Gist
Clipboard
Sign in via Google
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
