Diephho/CTF-CIT-2025-Writeups

CTF@CIT 2025 writeups

image

Crypto

Rotten

image

Use the ROT13 cipher to decode this: PVG{LxxdJwAXJGcsDoncKfRctddA}

image

FLAG: CIT{YkkqWjNKWTpfQbapXsEpgqqN}

Forensics

image

Brainrot Quiz!

Screenshot 2025-04-26 222832

Resource: brainrot.pcap

image

Open the capture in Wireshark; it contains some ICMP packets. Tracing them, packet No. 11 carries a base64 message in its Data field.

image

Decode the base64 and get the flag

image

FLAG: CIT{tr4l4l3r0_tr4l4l4}
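
The same triage without the Wireshark GUI, as an added example that is not part of the original write-up: it walks a classic pcap, pulls the data carried by each ICMP packet, and reports the packets whose data is strict base64 of printable text. The capture is constructed inline; `build_sample` and the `CONSTRUCTED{example}` string are assumptions, not contents of brainrot.pcap.

```python
import base64
import binascii
import struct

def icmp_payloads(pcap: bytes):
    """Yield (packet_number, data) for every ICMP packet in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    offset, number = 24, 0
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1  # Wireshark numbers packets from 1
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # not IPv4 carrying ICMP (IP protocol 1)
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        # Skip the 8-byte ICMP echo header; total_len excludes Ethernet padding.
        yield number, frame[14 + ihl + 8:14 + total_len]

def decode_if_base64(data: bytes):
    """Return the decoded text if data is strict base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(data, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def scan(pcap: bytes):
    """Return [(packet_number, decoded_text)] for ICMP packets carrying base64 text."""
    hits = []
    for number, data in icmp_payloads(pcap):
        text = decode_if_base64(data)
        if text:
            hits.append((number, text))
    return hits

def build_sample() -> bytes:
    """Constructed two-packet capture: a plain ping, then one carrying base64."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for data in (b"abcdefghijklmnopqrstuvw", base64.b64encode(b"CONSTRUCTED{example}")):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(scan(build_sample()))
```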

True CTF Love

Screenshot 2025-04-26 222838

Resource: The_Flag_Well_Capture_Together.eml

This is an email forensics challenge. To open the .eml file, I used the web tool EML Analyzer.

Screenshot 2025-04-26 163943

The flag is hidden in the DKIM-Signature. It has two b= fields: the first is the encrypted signature, the second is the base64 of the flag. Decode the base64 and get the flag.

Screenshot 2025-04-26 164021

FLAG: CIT{i+l0v3_ctf$_t00}
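
A header check for the anomaly described above, as an added example that is not part of the original write-up: it splits the DKIM-Signature into its tag list, reports any tag that occurs more than once (RFC 6376 does not allow duplicate tag names in one tag list), and shows which b= values decode to readable text instead of binary signature data. The message, `SAMPLE_EML` and the `CONSTRUCTED{duplicate_tag}` value are constructed for the example.

```python
import base64
import binascii
import re
from email import message_from_string

def dkim_tags(raw_message: str) -> dict:
    """Map each DKIM-Signature tag name to the list of values it appears with."""
    header = message_from_string(raw_message).get("DKIM-Signature", "")
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folded headers may wrap values, so drop all whitespace.
            tags.setdefault(name.strip(), []).append(re.sub(r"\s+", "", value))
    return tags

def review_dkim(raw_message: str):
    """Return (tags that occur more than once, b= values that decode to printable ASCII)."""
    tags = dkim_tags(raw_message)
    duplicated = sorted(name for name, values in tags.items() if len(values) > 1)
    readable = []
    for value in tags.get("b", []):
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # a genuine signature value is binary, not text
        if text and text.isprintable():
            readable.append(text)
    return duplicated, readable

# Constructed message: the first b= is binary data, the second is encoded text.
SIGNATURE = base64.b64encode(bytes(range(200, 232))).decode()
HIDDEN = base64.b64encode(b"CONSTRUCTED{duplicate_tag}").decode()
SAMPLE_EML = (
    "From: alice@example.com\n"
    "Subject: constructed sample\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject;\n"
    f" b={SIGNATURE};\n"
    f" b={HIDDEN}\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(review_dkim(SAMPLE_EML))
```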

We lost the flag

image

Resource: lost.png

This file is reported as corrupted when opened

image

Checking with HxD, I see that it contains the bytes JFIF, which only appear in JPEG files, and that the file signature is corrupted. So my idea is to change the file signature to JPEG

image

Check the JPEG file signature against this List of file signatures, fix it, change the file type to .jpeg, then open it and get the flag

image image

FLAG: CIT{us1ng_m4g1c_1t_s33m5}

Bits 'n Pieces

image

Resource: Cache0000.bin

It's a .bin file, so first I use HxD to check some bits in the header

Screenshot 2025-04-26 165909

RDP8bmp marks an RDP bitmap cache. Use bmc-tools to extract the bmp files, with option -b to combine all the bmp files

python3 bmc-tools.py -s Cache0000.bin -d . -b

Open the Cache0000.bin_collage.bmp

Screenshot 2025-04-26 170951

Flag is in the pic.

FLAG: CIT{c4ch3_m3_if_y0u_c4n}

Baller

image

Resource: baller.zip

When I tried to unzip it, I got this warning. I thought a wrong file extension, wrong bits, or a mistake in the structure caused this problem.

image

Checking with HxD, I saw the file name 01.txt, so it is a real zip file with no mistake in the file signature.

Screenshot 2025-04-26 103528

To check the hidden files, I used binwalk and saw that there were 4 zipped files: 01.txt, 02.txt, 03.txt and a GIF image

image

Extract with binwalk option -e, but the text in those .txt files does not include the flag. The GIF image is not extracted by binwalk, so I use dd to extract it.

dd if=baller.zip of=hidden.gif bs=1 skip=16631

Open GIF image

image

The flag is in the lower right corner

FLAG: CIT{im_balling_fr}
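
The comparison behind this solve, as an added example that is not part of the original write-up: list what the ZIP directory declares, measure the bytes left over after the end-of-central-directory record, scan for GIF signatures, and carve from the reported offset the way the dd command does. The sample archive is constructed, and it assumes the extra data sits after the ZIP structures; the write-up only gives the offset 16631 for baller.zip, not its layout.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")

def signature_offsets(blob: bytes, magics=GIF_MAGICS):
    """Return every offset where one of the given file signatures starts."""
    hits = []
    for magic in magics:
        pos = blob.find(magic)
        while pos != -1:
            hits.append(pos)
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def audit_zip(blob: bytes) -> dict:
    """Compare what the ZIP directory lists with what the bytes contain."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = zf.namelist()
    eocd = blob.rfind(b"PK\x05\x06")  # end-of-central-directory record
    comment_len = struct.unpack("<H", blob[eocd + 20:eocd + 22])[0]
    archive_end = eocd + 22 + comment_len
    return {
        "members": members,
        "trailing_bytes": len(blob) - archive_end,
        "gif_offsets": signature_offsets(blob),
    }

def carve(blob: bytes, offset: int) -> bytes:
    """Same result as `dd bs=1 skip=<offset>`: everything from offset to EOF."""
    return blob[offset:]

def build_sample():
    """Constructed archive: three text members, then a GIF-like stub appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("01.txt", "02.txt", "03.txt"):
            zf.writestr(name, "nothing here\n")
    archive = buf.getvalue()
    stub = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
    return archive + stub, len(archive)

if __name__ == "__main__":
    blob, zip_len = build_sample()
    print(audit_zip(blob), carve(blob, zip_len)[:6])
```

A non-zero `trailing_bytes` together with a signature hit that no directory entry accounts for is the cue to carve by offset rather than rely on the archive tool.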

Steganography

image

Blank Image

image

Resource: image.png

This image has size 8x17, so it's hard to see with the naked eye. Checking with strings for content and zsteg for LSB data, I got the flag.

Screenshot 2025-04-26 171954

FLAG: CIT{n1F0Rsm0Er40}

I AM Steve

image

Resource: ChickenJockey.png

ChickenJockey

I saw that it has a thin black line at the top of the image, so maybe something was hidden in the color bits.

For the color bits, using zsteg to extract, I got a base64 string in b1,rgb,lsb,xy

image

Decode it and get the flag

image

FLAG: CIT{THIS_is_a_crafting_table}

sw0906

image

Resource: yoda

It is a data file, so first check it with HxD

Screenshot 2025-04-26 173517

I see something familiar. Checking the first 4 bytes against the List of file signatures, it looks like JPEG but in reverse. JPEG starts with FF D8 FF E0 00 10 4A 46 49 46 00 01, but this starts with E0 FF D8 FF and then 46 4A 10 00

I fixed those bytes but the image was still corrupted. Finally, I got it: not only the magic bytes but all bytes of the file are written in reverse, in groups of 4 consecutive bytes. Write a Python program to repair it

def fix_reverse_blocks(input_path, output_path):
    """Undo the per-block byte reversal: reverse every 4-byte block of the file."""
    with open(input_path, "rb") as f:
        data = f.read()

    fixed_data = bytearray()

    # Process each 4-byte block
    for i in range(0, len(data), 4):
        block = data[i:i+4]
        fixed_data.extend(block[::-1])  # reverse the block

    with open(output_path, "wb") as f:
        f.write(fixed_data)

    # Message reads: "Wrote the fixed file to: <output_path>"
    print(f"Đã ghi file đã sửa vào: {output_path}")

# Example usage
fix_reverse_blocks("yoda", "output_yoda.jpeg")

Open the fixed file and get the flag

image

FLAG: CIT{h1dd3n_n0_m0r3_1t_i5}

Sorry, you're NOT a sigma

image

Resource: lion.mp4

The description gives the hint "track", so I just follow it.

Use ffmpeg to show all tracks in the mp4; I use ffmpeg online

ffmpeg -i lion.mp4

This shows all streams (tracks) in the file

Screenshot 2025-04-26 174751

There are 3 streams (#0:0, #0:1 and #0:2)

  • Stream 0:0 - Video - It seems to be a normal video
  • Stream 0:1 - Audio (48kHz Stereo) - Default audio
  • Stream 0:2 - Audio (22kHz Stereo) - Sus!!! 22050 Hz is a low rate to hide info

Extract this track with ffmpeg

ffmpeg -i lion.mp4 -map 0:2 -c copy hidden_audio.aac

Convert to .wav for analysis

ffmpeg -i hidden_audio.aac hidden_audio.wav

Open it with Audacity and use Spectrogram mode

Screenshot 2025-04-26 175141

The spectrogram shows an image of a command. Run this command and get the flag

Screenshot 2025-04-26 175710

FLAG: CIT{wh3n_th3_l10n_sp34k5_y0u_l1st3n}

Queen's Gambit

image

Use zsteg to extract the LSB data and get the chess moves

image

Putting them on a chess board, I see the word "PWN"

Screenshot 2025-04-28 054738

FLAG: CIT{PWN}

MISC

Robots

image

Check /robots.txt in the URL

image

FLAG: CIT{m6F2nr8RgjYI}

Calculator

image

Resource: calculator.lua

image

This code is just to trick players.

At the end of the file, I found something that may be the main part of this challenge

image

It looks like the Whitespace language, so I use dcode to decode it

image

FLAG: CIT{hft4bT0415Lb}

Select all squares that contain uhh...

image

Following that link, I get a website; when I click on the reCAPTCHA, it puts a PowerShell command in my clipboard

That command is so sus!! It is obfuscated PowerShell that seems to run something bad on my PC, but I trust the author =)) so I just run it (I run it in a virtual machine)

Screenshot 2025-04-26 221434

Deobfuscating that command is quite hard for me, so I check Windows events about file creation and open some directories where I think it could be found.

It is in Local/Temp/

image

FLAG: CIT{th1s_a1nt_m4lw4r3_d0nt_w0rry}

OSINT

image

No Country for Old Keys

image

Searching finds two social media accounts: LinkedIn and GitHub. For the API key, check GitHub

image

It has only one project; check its commits (there are 7 commits)

image

Check the "removed my API key" commit and get it

image

FLAG: CIT{ap9gt04qtxcqfin9}

The Domain Always Resolves Twice

image

The GitHub has no more information, so go visit the LinkedIn

image

He has a post about a website and domain. "And here's a fun fact – he even registered his domain with my favorite registrar! 😎 This guy… dare I say it... ROCKS!"

Let's check this domain with Whois

image

FLAG: GIT{GoDaddy.com}

Throwback to the Future

image

There is no more information on LinkedIn; next, search with the username found on GitHub (antmcconn)

image

Found an X account antmcconn

image

See a post with hashtag #throwback, so we need to check the day of this event. Search with Google Lens

image

It is in Gillette Stadium

Now, using the power of Artificial Intelligence. 🔥

image

FLAG: CIT{10/22/2023}

Timesink

image

Search for that bridge using Google Lens

Screenshot 2025-04-27 130037

image

It is "Little Nestucca River Bridge II"

Screenshot 2025-04-27 130244

The road name is the flag

FLAG: CIT{Little_Nestucca_River_Rd}

Reverse Engineering

Read Only

image

Resource: readonly

Use IDA to open it. Check the start function

image

It calls the sub_407C05 function, so I follow that.

image

The flag is shown through v6, and v6 reads the string CIT{87z1BjG1968G}, so it is the flag.

FLAG: CIT{87z1BjG1968G}

About

CTF@CIT 2025 Writeups. Solo: w3p0int. Place #140. Or you can read it here: https://hackmd.io/@h0a9d13p/rJaskfoJll
