
ICTF 2025

APU FSec-SS' Internal Capture the Flag (2025)


You wouldn't expect to find a spoon in a classroom, and you wouldn't expect the Secretary to create and contribute challenges, but here we are! (eating in class and making challenges; well, for one event at least)

This was my first ever experience at making challenges, as opposed to being the one solving them, so I had to think about what I wanted to do. The end goal was still for participants to learn and leave with some newfound knowledge.

Challenge 1 (Forensics): What is his routine?

The challenge inspiration comes from Wargames MY 2024, specifically "Oh man", where SMB packets need to be decrypted in order to retrieve the file and obtain the flag. Instead of outright reusing the same setup, I wanted to do something different. So for this challenge, a "capture4.pcapng" packet capture was provided to participants, and it contains mostly TLSv1.2 packets. Basically, the captured traffic was encrypted as HTTPS, and participants would have to decrypt it using the SSL key log file.

Challenge description: I have a bodybuilding competition in 12 weeks. My biggest rival is Ashton Hall, and he's huge! I can't let him win, so I've snuck to eavesdrop on his communications to figure out his secrets. Can you find out what his secret is?

Write-up:

  1. Only some of the packets were HTTPS; others were plain HTTP. The HTTP packets contained an object that can be exported: the SSL key log file.

  2. The key log file can be used to decrypt the TLS packets, which exposes the HTTPS traffic and allows us to inspect the communication.

  3. Once the HTTPS packets have been decrypted, another communication can be seen. This communication also contains an object, which is a zip file.

  4. The zip file contains 3 images and a text file. The images themselves don't really contain anything pertaining to the flag, other than some hints hidden with steganography. The text file, however, contains the flag.

  5. The flag is encoded in base64 and its characters are assigned epoch times, then randomised and scrambled. So, to get the flag, you'll need to rearrange the characters and concatenate them in ascending order of epoch time. You can do this with a script that reads the epoch times, or just chuck it into an AI bot (your mileage may vary, but I've heard some participants found success with that).
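Step 5 as a script, added here as an example and not the challenge's own code. The page does not show the text file's layout, so the one-pair-per-line "<epoch> <character>" format, the function names and the sample flag are assumptions; scramble plays the creator's side so the round trip can be checked.

```python
import base64
import random

def scramble(flag: bytes, start: int, seed: int) -> str:
    """Creator side: base64 the flag, tag each character with an epoch, shuffle."""
    encoded = base64.b64encode(flag).decode()
    rows = [f"{start + i * 60} {ch}" for i, ch in enumerate(encoded)]
    random.Random(seed).shuffle(rows)  # seeded so the sample is reproducible
    return "\n".join(rows) + "\n"

def recover(text: str) -> bytes:
    """Solver side: order characters by epoch (ascending), then base64-decode."""
    by_epoch = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit() or len(parts[1]) != 1:
            raise ValueError(f"line {lineno}: expected '<epoch> <char>', got {line!r}")
        epoch = int(parts[0])  # compare as numbers: 999999960 comes before 1000000020
        if epoch in by_epoch:
            raise ValueError(f"line {lineno}: duplicate epoch {epoch}, order is ambiguous")
        by_epoch[epoch] = parts[1]
    encoded = "".join(by_epoch[e] for e in sorted(by_epoch))
    return base64.b64decode(encoded, validate=True)

if __name__ == "__main__":
    # Constructed sample (assumed layout); the epochs straddle the
    # 9-digit to 10-digit boundary, where a plain text sort would misorder them.
    sample = scramble(b"ICTF{constructed_example}", 999_999_900, seed=7)
    print(sample)
    print(recover(sample))
```

Sorting the epoch column as text instead of as integers is the usual way this step goes wrong, which is why the constructed sample crosses a digit-count boundary.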

Challenge setup:

For this challenge, I had to first set up an HTTP and an HTTPS server. I used Python servers because of their simplicity and customizability. I set up the servers to run on localhost using a specific port. I started Wireshark to capture specific traffic from both these servers, then began with the HTTPS setup. The HTTPS server was configured to send a conversation and a file download, which would be encrypted with TLS anyway. To decrypt the HTTPS packets, the SSL key log file is needed, which is the subsequent step.

The second part of the challenge setup is done with HTTP to download the SSL key log file from the server.

The challenge was set up in Windows. Initially, I had wanted to use my Kali VMs for this, but I had trouble exporting the SSL key log file and had to resort to Windows instead, since it was easier getting the file in Windows.

Challenge 2 (Miscellaneous): What is a video?

In the past, steganography challenges relating to video files have only hidden information in the atoms or in the LSBs of the file itself. I wanted to take a different spin while making this challenge and explore concepts. So, for this challenge, I had done something to the stream instead of the whole video file.

Challenge description: Hey hey, I heard that the MP4 is just a bundle of streams. So I hid something in one of them. It wasn't too significant of a discovery. Can you retrieve it?

Write-up:

  1. There are multiple hints within the challenge description itself. The first sentence points to the streams within the video file and the keyword here is "heard". The third sentence, "wasn't (was not) too significant", refers to LSB.

  2. Extract the audio stream from the MP4 video file.

  3. Extract the LSB from the audio stream and convert from binary into ASCII.

Challenge setup:

To do this, I first extracted the audio stream from the MP4 into a WAV file using ffmpeg.

Then, using a Python script, I altered the LSB of the audio stream, then repackaged the video file with the altered WAV containing the LSB.
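The LSB step on both sides (altering the stream when building the challenge, reading it back when solving), as an added example that is not the script used for the challenge. It assumes 16-bit PCM, one message bit per sample starting at the first sample, most significant bit first, and a NUL byte marking the end of the message; the page does not state the challenge's actual bit order or terminator, and the cover tone and flag are constructed.

```python
import io
import math
import struct
import wave

def read_wav(data: bytes):
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("this example handles 16-bit PCM only")
        params, raw = w.getparams(), w.readframes(w.getnframes())
    return params, list(struct.unpack(f"<{len(raw) // 2}h", raw))

def write_wav(params, samples) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)  # frame count in the header is corrected on close
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()

def embed(data: bytes, message: bytes) -> bytes:
    """Creator side: overwrite the LSB of successive samples, MSB of each byte first."""
    params, samples = read_wav(data)
    bits = [(byte >> shift) & 1 for byte in message + b"\x00" for shift in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("cover audio is too short for this message")
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit  # changes each sample by at most 1
    return write_wav(params, samples)

def extract(data: bytes) -> bytes:
    """Solver side: collect sample LSBs, pack 8 per byte, stop at the NUL terminator."""
    _, samples = read_wav(data)
    out = bytearray()
    for i in range(0, len(samples) - 7, 8):
        byte = 0
        for sample in samples[i:i + 8]:
            byte = (byte << 1) | (sample & 1)
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)

def cover_tone(n=2000, rate=8000) -> bytes:
    """Constructed cover audio: a 440 Hz mono tone."""
    tone = [int(12000 * math.sin(2 * math.pi * 440 * t / rate)) for t in range(n)]
    return write_wav((1, 2, rate, 0, "NONE", "not compressed"), tone)
```

The WAV has to stay uncompressed PCM end to end: any lossy re-encode of the audio stream rewrites the low bits and destroys the message.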

Challenge 3 (Miscellaneous): My dog ate my mirror

I have to admit I made this challenge a little guessy. I thought I had already fixed the challenge distribution, but as it turns out, I uploaded the wrong version and it ended up being the guessier challenge file. Soz!

Initially, I wanted to recreate the challenge by zipping the hexadecimal bytes in a matryoshka zip like the inspiration, but after an hour of runtime, my script still wasn't complete (to be fair, the file was bigger than the original). So, some things had to be changed. I couldn't proceed with the idea of having a zip inside of another zip.

This challenge was meant to provide an opportunity for participants to get used to scripting and understanding leads. It ended up being guessy. I had noticed it earlier and changed the part to exclude the second password from the ZIP, but I sent the wrong distribution.

Challenge description: I left for a min and when I came back, my mirror was gone! When I asked where did my mirror go? My dog with his mirror-shaped stomach said, "must've been the wind". Anyways, I managed to get it out, but it broke into a thousand pieces! Help me put back my mirror!

Write-up:

  1. A GIF was provided. exiftool tells us that the GIF is unusually large, which prompts further investigation (check the hex). Several file signatures can be found inside the GIF, which can be extracted using binwalk or foremost. Furthermore, a string can be found at the tail of the hex dump: 'Have you tried "P@ssw0rd"?'

  2. After the extraction, a ZIP named "hex_fragments" containing hex bytes is found. This ZIP is password protected but the password had already been found in the step prior.

  3. Once past the password, you would need to reconstruct the file based on the order of the files. Inside the ZIP, there are 11890 text files, each containing a hex byte.

  4. Reconstructing the file gives us another ZIP file. This one is also password protected (mistakes were made, and this part was guessy). The password to this file is ICTF2025.

  5. The final ZIP file contains a PNG named "you rn". The hex dump of this PNG contains a binary string, which is the encoded flag. Decoding this binary string will get us the flag.

Challenge setup:

There's just way too much going on to explain it in sequence. So I'll have to resort to explaining how I got each component.

The binary-encoded flag was appended to the PNG simply using cat file1 file2 > new_file.

Deconstruction of the ZIP was done with a script. Honestly, just ask GPT for this one.

Embedding the ZIP into the GIF can be done using the same cat command again.
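The deconstruction script mentioned above and the reconstruction in step 3 of the write-up, as one added example that is not the script used for the challenge. The fragment naming (hex_fragments/<index>.txt), the two-hex-digits-per-file content and the small inner ZIP are assumptions constructed for the demonstration; the sample archive is unencrypted because Python's zipfile can read password-protected members but cannot write them.

```python
import io
import re
import zipfile

def fragment(payload: bytes) -> bytes:
    """Creator side: a ZIP with one text file per byte, each holding two hex digits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i, byte in enumerate(payload):
            z.writestr(f"hex_fragments/{i}.txt", f"{byte:02x}\n")
    return buf.getvalue()

def index_of(name: str) -> int:
    """Numeric position taken from the fragment's file name (assumed naming)."""
    match = re.search(r"\d+", name.rsplit("/", 1)[-1])
    if match is None:
        raise ValueError(f"no index in fragment name {name!r}")
    return int(match.group())

def reconstruct(zip_bytes: bytes, password=None) -> bytes:
    """Solver side: read fragments in numeric order and join their bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        # Numeric sort: a plain text sort would put 10.txt before 2.txt.
        names = sorted((n for n in z.namelist() if not n.endswith("/")), key=index_of)
        if not names:
            raise ValueError("archive contains no fragments")
        indices = [index_of(n) for n in names]
        if indices != list(range(indices[0], indices[0] + len(indices))):
            raise ValueError("fragment indices have a gap or a duplicate")
        # pwd is only used for encrypted members (legacy ZipCrypto in the stdlib)
        return b"".join(
            bytes.fromhex(z.read(n, pwd=password).decode("ascii").strip()) for n in names
        )

def inner_zip() -> bytes:
    """Constructed payload standing in for the challenge's second ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed sample, not challenge data")
    return buf.getvalue()

if __name__ == "__main__":
    rebuilt = reconstruct(fragment(inner_zip()))
    print(rebuilt[:4])  # ZIP local file header signature
```

Checking the first bytes of the rebuilt file against a known signature is a quick way to confirm the ordering was right before trying to open it.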

The Sigma? The Σ? The total? (The sum-mary)

I had fun making these challenges. Although some of them turned out to be easier than expected and others too guessy, it was a good experience for me to create challenges. Should there be another opportunity in the future to create and contribute challenges again, I know what to do better. It is a nice change of pace as opposed to being the one solving them.

A video is a combination of visuals and audio. But typically, the information is encoded as one whole file, meaning you won't be able to find segments of visuals and audio separated; you can't just find the atom relating to visuals, and so on. The atoms are just headers that contain the metadata of the video file ().

This challenge was inspired by I solved a year ago, which involved recompiling a hexdump of a PNG. But, instead of a PNG file, I wanted the flag to be encapsulated inside a zip file because the signature is rarer. It was a way to throw participants off so they won't immediately recognize it. (I guess that was one of the aspects that made it guessy)
