BabyPWN CTF 3.0 Official Writeup

As part of TechParva3.0, the Innovative Computer Engineering Students’ Society (i-CES) of WRC, Pokhara, hosted an exciting BabyPWN CTF (Capture the Flag) competition for beginners. I had an incredible opportunity to design a few challenges for this event. In this post, I’ll be sharing the official write-up for the challenges: Compression, Envelope, PDF it is, Keep it safe, Source Non-Error, Elon Musk, Tick Tick Boom, Logged in, Byte, Penguin, Brother, Rescue me, mereko pata nahi, Impure, Hi Jack!!!, Developer Madness, Sigma, NotAgain, Titanic, Fire, Monkey, CID. For the challenges other than these, you can find writeups here: https://blog.sudarshandevkota.com.np/babypwnctf
Miscellaneous
Compression:

To unzip the downloaded file, run this command in the Linux terminal:
unzip challenge.zip
This gives us an error.

We need to use gzip to decompress the file. First, rename it:
mv challenge.zip challenge.zip.gz
Now run the command:
gzip -d challenge.zip.gz
This gives us a new file that is again named challenge.zip, so unzip it:
unzip challenge.zip
Running ls shows challenge.tar.gz, so extract it with tar. Repeating these three methods, we eventually reach the flag and can cat it out:
tar -xf challenge.tar.zip
gzip -d challenge.zip.gz
unzip challenge.zip
Listing the directory, we see flag.txt, which we simply cat out.

Flag: i-CES{ZiP_Un2ip_fr0m_D1ff3r3n7_7yp35}
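The manual rename-and-retry loop above can be replaced by checking each layer's leading bytes instead of trusting its extension. The following is an added example, not part of the original write-up; the function names and the nested sample it builds are constructed for illustration.

```python
import gzip, io, tarfile, zipfile

def sniff(data: bytes) -> str:
    """Name the container format from its leading bytes, not its file name."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[257:262] == b"ustar":  # tar magic sits at offset 257
        return "tar"
    return "data"

def peel_one(data: bytes, kind: str) -> bytes:
    """Remove one layer; zip and tar layers are assumed to hold one file."""
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        member = next(m for m in tf.getmembers() if m.isfile())
        return tf.extractfile(member).read()

def peel_all(data: bytes, max_layers: int = 32):
    """Peel until the payload is not an archive or max_layers is reached."""
    layers = []
    while (kind := sniff(data)) != "data" and len(layers) < max_layers:
        data = peel_one(data, kind)
        layers.append(kind)
    return data, layers

def _zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def _tar(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample(payload: bytes = b"constructed{sample}\n") -> bytes:
    """Constructed input: zip in tar in gzip in zip in gzip."""
    inner = gzip.compress(_tar("challenge.zip", _zip("flag.txt", payload)))
    return gzip.compress(_zip("challenge.tar.gz", inner))
```

Calling peel_all(build_sample()) returns the innermost payload together with the list of layer types in the order they were removed.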
Envelope:

Unzip the file using the unzip command
unzip Gogogogo.zip
Use the command
tree -a
to list all the files and folders in the challenge directory.

With this, we can view every folder and file. Looking through them, there is a .flag.png, which is suspicious and is the first target to inspect, so view it with
open Gogogogo/are_you_sure/home/Think_again/drop-in/nearly/choose/.ices/greatchoice/us/taketheflag/.flag.png
This opens a file viewer

Scanning the QR code, we get the flag:
i-CES{CoN9r475_Y0u_foUNd_m3}
PDF it is:

Unzip the zip file using
unzip challenge.zip
This gives us a file, file.pdf.
Let’s check the file type first:
file file.pdf

If we open the file, we get:

So let’s check it using ExifTool:
exiftool file.pdf

The suspicious item here is the user comment, which seems to be hex encoded; decode it using cyberchef.io.

There is another encoded text which looks like base64, but decoding it as base64 failed to produce useful output, so try other bases; base32 gave a useful value.

So the flag is: i-CES{HidD3N_1n_XMp}
Keep it safe:

Unzip the file:
unzip challenge.zip
Attempting to open the file gives us an error:
warning: Invalid UTF-8 byte sequences have been replaced.
error: source: error sourcing file '....../private'
So let’s check the header using the hexedit tool and look up file header signatures on the web, searching for 25 since it is the first byte. By trial and error, the file was found to be a PDF, with 25 and 46 matching what hexedit shows. Check here: https://www.garykessler.net/library/file_sigs.html

hexedit private

Correct the file header to 25 50 44 46, then save using ctrl+x and y. Since it was found to be a PDF file, rename it with mv private private.pdf. Opening it asks for a password, so brute-force it using rockyou.txt.
Convert it to a hash:
pdf2john private.pdf > pdf.hash
john pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt
After this, use the john --show command to view the password:
john --show pdf.hash

Use supersecret as the password to unlock the PDF, which gives us the flag: i-CES{S01v3_7H3_9Uz2l3}
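The trial-and-error signature lookup described above can be automated by scoring how many bytes of each known signature survive at the right offset. This is an added example, not part of the original write-up; the signature table is a small hand-picked subset and the damaged sample is constructed.

```python
SIGNATURES = {  # leading bytes of a few common formats
    "pdf": bytes.fromhex("25504446"),  # %PDF
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "zip": bytes.fromhex("504b0304"),
    "gzip": bytes.fromhex("1f8b"),
    "jpeg": bytes.fromhex("ffd8ff"),
}

def rank_signatures(head: bytes):
    """Score each signature by the share of its bytes present at the same offset."""
    scored = []
    for name, sig in SIGNATURES.items():
        hits = sum(1 for i, b in enumerate(sig) if head[i:i + 1] == bytes([b]))
        scored.append((hits / len(sig), name))
    return sorted(scored, reverse=True)

def repair_header(data: bytes):
    """Return (format, repaired bytes), or raise if no single format stands out."""
    ranked = rank_signatures(data)
    (best, name), (second, _) = ranked[0], ranked[1]
    if best == 0 or best == second:
        raise ValueError("no unambiguous signature match")
    sig = SIGNATURES[name]
    return name, sig + data[len(sig):]

# Constructed sample: a PDF whose 2nd and 3rd header bytes were overwritten,
# keeping 25 and 46 intact as the write-up describes.
DAMAGED = bytes.fromhex("25000046") + b"-1.7\n% constructed sample body\n"

if __name__ == "__main__":
    print(rank_signatures(DAMAGED)[:2])
    print(repair_header(DAMAGED)[1][:8])
```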

Web
Source Non-Error:

Visit the URL, which gives us a 404 error.

Now right-click and view the page source, where you get a hint.

Using CyberChef (https://gchq.github.io/CyberChef/), decode the base64, which gives you the flag i-CES{404_Fa1lED_t0_TRIck_y0U}

Elon Musk

Read the description carefully: it mentions the Tesla bot, which hints at the website’s robots.txt file. A robots.txt file tells search engine crawlers which URLs the crawler can access on your site. You can also find this using the command
gobuster dir -u 20.244.121.137:7855 -w /usr/share/wordlists/dirb/common.txt

So now visit the nothere.html endpoint, which asks us for a password. If we look back at robots.txt, there is another endpoint mentioned, which is nothing but the password for nothere.html.

Entering the password we get our flag: i-CES{R0B075_FL4G_H3R3}

Tick Tick Boom

Visit the URL and first view the source code to see if you can find something useful. Inspect the challenge and open the console to see whether anything appears when starting the challenge.

When we START the challenge, a hint is printed in the console that says: call function which capture flag in the console to capture the flag before time runs out! We try every word, combined and uncombined, to obtain the flag in function format. Or, since the hint is indirectly saying capture flag function, try that.

captureflag() gives us the flag: i-CES{t1m3_1s_0f_th3_3ss3nc3}

Logged in

This challenge is about looking in the network tab, where a number is seen in the file section. On viewing it, we can see requests from /github/main/3, so we visit the /github/main/3 endpoint, which shows a flip-type game with nothing useful to us.

Again, on inspecting the network tab, there is another endpoint with id 8.

Since there is an ID in the endpoint, check every id from 1 onward until the flag is obtained. In doing so, we can retrieve the flag at id 15, that is /github/main/15,
which has the flag in JSON format, encoded with base64.

Decoding the base64 we get our flag: i-CES{yoU8_$3CRE7_F1@6_15_H3r3}

OSINT
Byte:

0xzerobyte is none other than me. If you visit my LinkedIn linkedin/in/giriamrit or search on Google, you can see my blog posts. Visit any of the blogs and go to the home page. There you can find the Techparva 3.0 blog.

Check the TechParva3.0 post and find the flag.

So there you can see: i-CES{0P3N_50urC3_In73ll1g3nCe} which is the real flag.
Penguin

At the top right of the image there is a human leg, so the guess is a zoo, as the flag format has reg_no in it. So search for live zoo webcams. Check each link and check the penguin cam.

Bravo, we got the place, dublinzoo. Now find the registration number, which can be found by scrolling down the page: 207824

Putting this in the flag format, we get: i-CES{dublinzoo_reg_207824}
Cryptography
Brother

The provided image is alien code, which can be decoded at https://www.dcode.fr/alien-language. Visit it and enter each term you see in the image.

flag: i-CES{ALIENSARESOON_COMINGTOTAKEYOU}
Rescue me:

Unzip the file with unzip challenge.zip,
then use cat to view the file.
cat flag
aS1DRVM=
粄簿类籪籟籸籨籢簹
0x555f317535375f
01000100 01100101 01100011 00110000
25ApIrerTJ

Use CyberChef to cook this encoded text.
1st one is base64

2nd one is ROT8000 which is found by brute force ROT

3rd text is hex as we can see starting from 0x

4th is binary

5th is base62 on brute force

flag: i-CES{6raVo_Y0U_1u57_Dec0d3d_m3}
Mereko pata nahi:

Unzip challenge.zip and cat out the file; we get
lllr%25w%2Bv%25r%7Dv%26%2A%7Czsz%23vtr%23tvz%22xudtwzqxvt%7Du%7Bsz%27xubxuur%23z%26%2B%2Av%27q%23%24%25%27txs%24%7C%7Cur%27z%21%24%7Dr%26wuw%26%24%7Bxt%24%2Az%0D%0A
This is URL-encoded text, so let’s decode it with a URL decoder; we get
lllr%w+v%r}v&*|zsz#vtr#tvz"xudtwzqxvt}u{sz'xubxuur#z&+*v'q#$%'txs$||ur'z!$}r&wuw&${xt$*z
Now here it is just a guess: as of now the most famous encoding technique is rot47, so let’s decode using rot47 and reverse the output.

This looks more like base-encoded text, so let’s try base decoding techniques to receive the flag.

flag: i-CES{muLt1Pl3_eNC0diN6_dOe5N0T_mean_54fE}
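The first three stages above (URL decode, ROT47, reverse) applied to the challenge string, followed by a check of which base alphabets the result fits, which is a quicker way to pick the next decoder than trying each base in turn. This is an added example, not part of the original write-up; the function names are illustrative and the alphabet check is a heuristic added here.

```python
import string
from urllib.parse import unquote

ENCODED = (  # URL-encoded challenge text, copied from the write-up
    "lllr%25w%2Bv%25r%7Dv%26%2A%7Czsz%23vtr%23tvz%22xudtwzqxvt%7Du%7Bsz%27"
    "xubxuur%23z%26%2B%2Av%27q%23%24%25%27txs%24%7C%7Cur%27z%21%24%7Dr%26wuw"
    "%26%24%7Bxt%24%2Az%0D%0A"
)

ALPHABETS = {  # narrowest alphabet first
    "hex": set(string.hexdigits),
    "base32": set(string.ascii_uppercase + "234567="),
    "base64": set(string.ascii_letters + string.digits + "+/="),
}

def rot47(text: str) -> str:
    """Rotate printable ASCII (33..126) by 47 places; ROT47 is its own inverse."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )

def peel(encoded: str) -> str:
    """URL-decode, drop the trailing CRLF, apply ROT47, then reverse."""
    return rot47(unquote(encoded).strip())[::-1]

def candidate_bases(text: str) -> list:
    """List the base encodings whose alphabet covers every character of text."""
    return [name for name, alpha in ALPHABETS.items() if set(text) <= alpha]

if __name__ == "__main__":
    stage = peel(ENCODED)
    print(stage)
    print(candidate_bases(stage))
```

The first name in the returned list is the narrowest alphabet that fits, so it is the decoder to try first.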
Impure:

Unzip the file with unzip challenge.zip
cat out both files: flag has hashes and words has some of the possible passwords. Using hashcat or john with these words, the hash cannot be cracked, so we have to munge the given words. Let’s search for code that helps munge words. On searching, we find https://github.com/Th3S3cr3tAg3nt/Munge, which has Python code to turn given words into a list, so let’s munge the given words file.
Clone the repo and run it:
git clone https://github.com/Th3S3cr3tAg3nt/Munge
python3 Munge/munge.py -l 9 -i words -o munged.txt
Now use John to crack the hash:
john flag --wordlist=munged.txt
john --show flag

So the flag: i-CES{techparva3:P@$ch!m@nch@18}
Forensics
Hijack:

Use https://morsecodemagic.com/morse-code-audio-decoder/

flag: i-CES{M0RSE_COD3_F0R_H1J4CK1N9_UN1V3R517Y_9U35T1ONS}
Developers Madness:

Unzip the challenge.zip file with unzip challenge.zip, then run ls -la to see all the hidden files, as this is a .git challenge.
Let’s check the branch:
git branch
There is a secret-branch; move to that branch before using git log:
git checkout secret-branch
git log --oneline

Moving up from the bottom, let’s decode these:
git show 26d90e1
commit 26d90e1ff9f20a93b8db87b368eb7b601b0f8f78
Author: amritgiri <amritgiri5813@gmail.com>
Date: Sat Jan 4 12:30:18 2025 +0545
0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x73 0x75 0x73 0x70 0x65 0x63 0x69 0x6f 0x75 0x73
diff --git a/solve.py b/solve.py
index f97f7ea..7a03f67 100644
--- a/solve.py
+++ b/solve.py
@@ -7,9 +7,9 @@ def generate_random_flag():
# Encode the random bytes in Base64 format
base64_flag = base64.b64encode(random_bytes).decode('utf-8')
# Format the flag
- flag = f"FLAG{{{base64_flag}}}"
+ flag = f"i-CES{{{base64_flag}}}"
return flag
if __name__ == "__main__":
random_flag = generate_random_flag()
- print(f"Flag: i-CES{random_flag}")
+ print(f"Flag: {random_flag}")
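Review bot: the "i-CES" prefix is now a literal inside the f-string on the flag = ... line of generate_random_flag(), and the removed lines show it was previously split between that function and the print call, which is how the two drifted apart. Define the prefix once as a named module constant and state the returned format in the function's docstring, so the caller in the __main__ block can keep printing {random_flag} without knowing the format.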
Let’s see the second one:
└─$ git show 0180277
commit 0180277dceedd1020340a9e7217152ec8d7dbcc7
Author: amritgiri <amritgiri5813@gmail.com>
Date: Sat Jan 4 12:43:28 2025 +0545
ZmluZCBtZSBoZXJl=
diff --git a/.0xzerobyte b/.0xzerobyte
new file mode 100644
index 0000000..46b0bf0
--- /dev/null
+++ b/.0xzerobyte
@@ -0,0 +1 @@
+FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2
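Review bot: the single line added to .0xzerobyte is an encoded string with nothing in the file or beside it saying what it is or how it is encoded, and the leading dot hides the file from a plain listing. If the value is meant to stay private, it should not be committed at all, since it remains readable from history with git show on any clone; otherwise add a short note naming the encoding and the purpose.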
The text FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2 looks normal, but it is not, so let’s find out what it is, starting from the base encodings. It seems to be base45.

There is the flag: i-CES{git_1s_THE_p14Ce_For_I7_P3Op1E}
Binary
Sigma:

Unzip the file with unzip challenge.zip
Use Ghidra to import Sigma and analyze it.
In the Window tab there is a Defined Strings option; click on that.

You can see the highlighted string; go there by clicking it, close the right tab, and use CTRL+c to view the decompiled C program.

Here we can see the hex number; now let’s decode it.

We get 5362, which is the key to unlocking the flag.

i-CES{Y0u_h4vE_6reat_516m4_CON6R4T5}
Notagain:

Unzip and run the notagain. If it is not running then change the mode to make it executable.
chmod 777 notagain
./notagain

If you look at this carefully, it tells you what to input, i.e. 5MnOpQr6. On calculation, this consists of 8 characters and its ASCII sum is 600, so paste it into the input field and we get the answer.

flag: i-CES{k3Y_Ma7CHED_SuccE5sFu11Y}
Titanic:

This challenge is similar to the Sigma challenge.
Let us make it executable:
chmod 777 boatrescue
Don’t get confused: the flag that strings boatrescue provides is not correct.

Use Ghidra to retrieve the real flag.

Decoding the hex, we get 33700, which gives us the flag: i-CES{9UE5S3d_C0Ns74Nt_H4SH3d_NUm63R}

Steganography
Fire:

We can use the steghide command to extract the metadata in the file.

The passphrase is empty, so you can press Enter directly at the passphrase prompt to get the metadata.
On cat it shows random text, so we need to run strings on the output file:
strings steganopayload29731.txt
This still gives us many values, so let’s filter them:
strings steganopayload29731.txt | grep '{.*}'
We get our flag, where grep '{.*}' searches for text between { and }.

Add i-CES in front and the flag is complete.
i-CES{f1NA11y_IM_free3e_THaNK5}
Monkey:

Check the file type of monkey.jpg. Use steghide command to extract first without a password.

Unzip the heheboi.zip file, which gives us a folder named files. One of the files in it holds the flag, so instead of decoding each by hand we will write a simple script.
Create a script named sol.sh:
#!/bin/bash
# Function to check if a string is valid Base64
is_base64() {
    echo "$1" | base64 --decode 2>/dev/null | grep -q -P '^\S+$'
}
# Loop through all files in the "files" directory
for file in files/*; do
    # Check if it's a regular file
    if [ -f "$file" ]; then
        echo "==== Decoding: $file ===="
        content=$(cat "$file")
        # Check if the content is valid Base64
        if is_base64 "$content"; then
            echo "$content" | base64 -d
        else
            echo "Skipping: $file (Invalid Base64 data)"
        fi
        echo -e "\n==========\n"
    else
        echo "Skipping: $file (Not a regular file)"
    fi
done
Save the file and make it executable; for now let’s use 777:
chmod 777 sol.sh
./sol.sh
This prints all the output without filtering, so let’s use grep to get the desired output:
./sol.sh | grep -a 'i-CES' --color=none
flag: i-CES{D1D_Y0U_11kE_y0UR_1m49E}
CID:

The file type is shown as JPEG, and steghide does not open it without a passphrase, so check whether exiftool reveals the pass to the treasure.


Here exiftool shows an interesting License field, which appears to be hex. Decoding it yields the output FoRY0U7h@T5h3X

Paste the password as the passphrase and we get our metadata in a zip file; let’s extract it:
└─$ unzip daya_pata_laga.zip
Archive: daya_pata_laga.zip
extracting: badeharamiho.zip
inflating: waitaminute
So now we have two files. waitaminute holds binary, which on decoding gives us:

Paste the output into Mousepad and search for the term pass.

We get Thisisfakeoneword; let's save this in case we need it.
The unzip command asks for a password, so provide Thisisfakeoneword as the password, which unzips the file.

Viewing these, each flag file has a different type of encoded text, so there must be a hint for finding the right one. That hint was the passphrase FoRY0U7h@T5h3X, which says For You Thats hex, so let’s search for the hex.
For this, we will write a script:
#!/bin/bash
for i in {0..18}; do
    file="flag$i.txt"
    # Check if the file exists
    if [ ! -f "$file" ]; then
        echo "File $file does not exist!"
        continue
    fi
    # Check if the content of the file is valid hexadecimal
    if grep -q '^[0-9a-fA-F]*$' "$file"; then
        echo "$file is encoded in hexadecimal."
    else
        echo "$file is not hexadecimal."
    fi
done
On executing this hex.sh file after chmod 777 hex.sh, we can see which files are hex and which are not.

Decode each hexadecimal file.
mv flag0.txt flag2.txt flag7.txt flag8.txt flag13.txt flag15.txt flag18.txt ./hexfiles
This command separates the hex files.
Decoding each, we found base32-encoded text in flag18.

While baking, we found that this was encoded multiple times: after hex came base32, base64, Morse code, base32 and hex.

Which yields the flag: i-CES{StE9ANo9R4Phy_3NC0d3_anD_dEc0dE}
Conclusion
Hope you enjoy reading the above writeups. Feel free to provide feedback.