# BabyPWN CTF 3.0 Official Writeup

As part of **TechParva3.0,** the **Innovative Computer Engineering Students’ Society(i-CES)** of WRC, Pokhara, hosted an exciting **BabyPWN CTF(Capture the Flag)** competition for beginners. I had an incredible opportunity **to** **design** a few challenges for this event. In this post, I’ll be sharing the official write-up for the challenges: **Compression, Envelope, PDF it is, Keep it safe, Source Non-Error, Elon Musk, Tick TIck Boom, Logged in, Byte, Penguin, Brother, Rescue me, mereko pata nahi, Impure, Hi Jack!!!, Developer Madness, Sigma, NotAgain, Titanic, Fire, Monkey, CID.** Except for these challenges, you can find writeups **here:** https://blog.sudarshandevkota.com.np/babypwnctf

# Miscellaneous

## Compression:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736228244976/c293945d-b86c-43b6-9b95-cefc011ff33f.png align="center")

To unzip the downloaded file run the command in the Linux terminal

```bash
unzip challenge.zip
```

This gives us an error

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736228625638/43fb50fa-c2f7-4c07-91ad-7b97d2bf3003.png align="center")

We need to use gzip to unzip the file 1st we need to rename the file

```bash
mv challenge.zip challenge.zip.gz
```

Now let’s run the command

```bash
gzip -d challenge.zip.gz
```

This provides us with the new zip file `challenge.zip` again and again

```bash
unzip challenge.zip
```

Doing `ls` we get the `challenge.tar.gz` so use tar to unzip the file using again this three methods we can `cat` out the flag

```bash
tar -xf challenge.tar.zip
gzip -d challenge.zip.gz
unzip challenge.zip
```

Listing the directory we see `flag.txt` which we simply `cat` out it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736229077625/870ae447-6aea-48d0-8e02-fbd52536ca96.png align="center")

```bash
Flag: i-CES{ZiP_Un2ip_fr0m_D1ff3r3n7_7yp35}
```

## Envelope:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736229150790/9c069077-c676-43bb-94ff-511b80d3799a.png align="center")

Unzip the file using the unzip command

```bash
unzip Gogogogo.zip
```

Use the command

```bash
tree -a
```

To list all the files and folders in the challenge directory

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736508616230/c5579667-8dde-47c8-add5-f445df622316.png align="center")

By this, we can view every folder and file. While looking at these there is `.flag.png` which is suspicious and is the first target to view so view it by

```bash
open Gogogogo/are_you_sure/home/Think_again/drop-in/nearly/choose/.ices/greatchoice/us/taketheflag/.flag.png
```

This opens a file viewer

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736508759704/5c3f89e5-ffc1-4dff-9bc7-d4501a518132.png align="center")

Scan the QR we can get the flag:

`i-CES{CoN9r475_Y0u_foUNd_m3}`

## PDF it is:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263586467/058bfba0-a118-424e-a213-ab58fa8f5ced.png align="center")

Unzip the zip file using

```bash
unzip challenge.zip
```

This gives us a file `file.pdf`

Let’s view the file type first

```bash
file file.pdf
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509170339/076b6e0b-5621-43a3-a419-9415a90b9762.png align="center")

if we open the file we get

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509205627/b43b4654-2181-4fbb-a1e1-fd5323f52dc1.png align="center")

So let’s check it using the ExifTool

```bash
exiftool file.pdf
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509261855/92ce6a19-dbca-4e62-9761-494b32c83365.png align="center")

The suspicious here is the user comment which seems to be in`hex` encoded using `cyberchef.io`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509334171/ef1199ef-57c2-4c84-8704-497476327b92.png align="center")

There is another encoded text which looks like base64 but it failed to generate useful output so try other base values where base32 provided a useful value

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509406881/841ff548-a885-469c-b1f8-44f48879e055.png align="center")

so the flag is:`i-CES{HidD3N_1n_XMp}`

## Keep it safe:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263615471/eadcf3f0-7f14-4b87-a9e9-93677745118a.png align="center")

unzip the file

```bash
unzip challenge.zip
```

while attempting to open the file it provides us with an error

```bash
warning: Invalid UTF-8 byte sequences have been replaced.
error: source: error sourcing file '....../private'
```

So let’s check the header using `hexedit` tool and search for the `file header signatures` On the web, find the number `25` as it is at the first. On hit and trail, it was found to be PDF, with 25 and 46 the same in hexedit. check here: [`https://www.garykessler.net/library/file_sigs.html`](https://www.garykessler.net/library/file_sigs.html)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509714320/483a46e0-57a8-432e-9ce8-7e69cc654de5.png align="center")

```bash
hexedit private
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736509742943/8587bab2-a043-4a44-836e-07b155842202.png align="center")

Correct the header file to `25 50 44 46` now save using `ctrl+x` and `y` now use `mv private private.pdf` as it was found to be a PDF file. While attempting to open it ask for the password so brute-force it using `rockyou.txt`

Convert to hash

```bash
pdf2john private.pdf > pdf.hash
john pdf.hash --wordlist=/usr/share/wordlist/rockyou.txt
```

After this use john —show command to view the password

```bash
john --show pdf.hash
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736510468043/75b6481a-2908-478a-a926-94285256dfb4.png align="center")

use the `supersecret` as password to unlock the pdf which gives us a flag: `i-CES{S01v3_7H3_9Uz2l3}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736510519613/3ad5334b-2aad-4718-8217-80e1b700fc0a.png align="center")

# Web

## Source Non-Error:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263653014/6269799e-e437-49c6-877b-65b44bde2df1.png align="center")

Visit the URL which provides us 404 error.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263671845/9d791af7-866d-493b-bc57-181f44038605.png align="center")

Now, Right-click and visit View the source code where you get a hint

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263727923/f1c8afd3-e256-4625-a10a-c32c20bb6fec.png align="center")

Using cyber chef:[https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) decode the base64 which provides you with a flag `i-CES{404_Fa1lED_t0_TRIck_y0U}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263809412/6fbe0b9d-33ef-4bab-8336-2c8271dbee5a.png align="center")

## Elon Musk

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263890367/cf9ec32f-1cba-4f1d-8339-f9293a19a0a2.png align="center")

Read the description properly which said the Tesla bot which leads to think about the `robots.txt` file for the website. A `robots.txt` file tells search engine crawlers which URLs the crawler can access on your site. You can also find this using the command

```bash
gobuster dir -u 20.244.121.137:7855 -w /usr/share/wordlists/dirb/common.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736263976309/3a510040-0955-4175-9c93-703c2b76b933.png align="center")

So now visit the `nothere.html` endpoint which asks us for a `password` if we look back to the `robots.txt` then there is another endpoint mentioned which is nothing but the `password` for `nothere.html`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264023286/ff45c992-9e62-44c5-8369-2a30ff8c2926.png align="center")

Entering the password we get our flag: `i-CES{R0B075_FL4G_H3R3}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264036071/77766160-9d0d-421a-93cb-9a13e3b664a0.png align="center")

## Tick Tick Boom

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264080593/122cebf8-979b-40c1-9660-e70780d46886.png align="center")

Visit the URL and first view the source code if you can find something useful. Inspect the challenge and visit the `console` to see anything when running the `start challenge`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264095761/0fd02427-2deb-4f52-84e1-e9b8551a25e3.png align="center")

While we **START** the challenge then there is a hint printed in the `console` that says `call function which` **capture flag** `in the console to capture the flag before time runs out!` we try every word combined and uncombined to obtain the flag in function format. Or the hint is indirectly saying `capture flag` function so try it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736265375068/008850e3-a48d-4064-8247-9d6ad6e39982.png align="center")

`captureflag()` provide us with the flag: `i-CES{t1m3_1s_0f_th3_3ss3nc3}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736265349496/2dbd12e6-bb5d-45f8-9dc8-365a43f70949.png align="center")

## Logged in

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264184795/33660fa5-b39f-4ec1-b239-13b7f21e028a.png align="center")

This challenge belongs to seeking the network tab where the number is seen in `file` section on viewing we can see requests from `/github/main/3` so visiting the `/github/main/3` endpoint there is a flip game type which shows nothing useful to us.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264224993/cafc8d31-4c7a-4b34-80de-3254cf76fe50.png align="center")

gain on inspect the network tab there is another endpoint with `id 8`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264264636/108d45ea-6ced-4142-83ee-10b299bbbe2e.png align="center")

Since there is an ID in the endpoint. So, check for every id from 1 to .. until the flag is obtained. In doing so we can retrieve the flag at the id `15` that is `/github/main/15`

Which has a flag in JSON format and is encoded with base64.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264322675/31a9a9c7-39a7-4570-ac27-efee4ea3a0c0.png align="center")

Decoding the base64 we get our flag: `i-CES{yoU8_$3CRE7_F1@6_15_H3r3}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264356337/a2d3ece3-9b0c-4273-a956-7ea6b47df2a4.png align="center")

# OSINT

## Byte:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264383627/67a525aa-575c-434b-88f2-4d0c1b429a77.png align="center")

0xzerobyte is no-one but me. If you visit my LinkedIn `linkedin/in/giriamrit` or search in Google then you can see my blog post. Visit any of the blogs and go to the home page. There you can find the Techparva 3.0 blog.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264511946/1293176e-6da8-4eba-b28a-9cd9a3dc1bae.png align="center")

Check TechParva3.0. and find the flag

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264550777/08bbce8d-e2b8-4d1b-9475-ae41031fa6b7.png align="center")

So there you can see: `i-CES{0P3N_50urC3_In73ll1g3nCe}` which is the real flag.

## Penguin

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264608015/1356f430-c7f3-4f49-b9cf-b691834e61ba.png align="center")

At the top right of the image there is a human leg so guess is made for the zoo as the flag format has reg\_no in it. So search for the live webcam zoo. Check each link and check the penguin cam.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512012527/d2691ede-3db6-4867-ae22-40f7166d89aa.png align="center")

Bravo, got the place `dublinzoo` now find the registration number which can be found while scrolling down the page, `207824`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512169688/fc4ef8db-98bd-4aed-8f3e-8958435de960.png align="center")

Let’s keep this in flag format we get: `i-CES{dublinzoo_reg_207824}`

# Cryptography

## Brother

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264630499/fff20512-d0aa-4908-88d6-b5d98b8c9459.png align="center")

The provided image is alien code which can be decoded from [https://www.dcode.fr/alien-language](https://www.dcode.fr/alien-language) visit and enter each term you see in the image.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512466358/00c9e881-4484-4212-8ee8-9732adbc571d.png align="center")

flag: `i-CES{ALIENSARESOON_COMINGTOTAKEYOU}`

## Rescue me:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264652847/8a7a660f-41f9-4429-8d1e-b7329b47cfe0.png align="center")

unzip the file `unzip challenge.zip`

use cat to view the file.

```bash
 cat flag    

aS1DRVM=

粄簿类籪籟籸籨籢簹

0x555f317535375f

01000100 01100101 01100011 00110000

25ApIrerTJ
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512550579/93f6f2db-6a5c-4d28-b65f-fa07c392e20a.png align="center")

Use `cyberchef` to cook this encoded text.

1st one is base64

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512611287/aefc04f5-3da2-4d14-807b-0f23e7833148.png align="center")

2nd one is `ROT8000` which is found by brute force ROT

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512908830/b2467a14-cc56-47a0-b799-2c310aede560.png align="center")

3rd text is hex as we can see starting from `0x`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736512978679/c20611d4-ab56-4604-8066-88b19a6ca5b0.png align="center")

4th is binary

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736513020654/d676d97f-e5ef-4ceb-b713-8af51139d148.png align="center")

5th is base62 on brute force

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736513089554/112cf7ac-c0fb-4cda-be7b-398dfb7f0607.png align="center")

flag: `i-CES{6raVo_Y0U_1u57_Dec0d3d_m3}`

## Mereko pata nahi:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264725274/d18ed125-3654-48b1-8709-af42388c2f78.png align="center")

`unzip` and `cat` out the `challenge.zip` we get

```bash
lllr%25w%2Bv%25r%7Dv%26%2A%7Czsz%23vtr%23tvz%22xudtwzqxvt%7Du%7Bsz%27xubxuur%23z%26%2B%2Av%27q%23%24%25%27txs%24%7C%7Cur%27z%21%24%7Dr%26wuw%26%24%7Bxt%24%2Az%0D%0A
```

This is URL-encoded text so let’s decode from the URL decoder we get

```bash
lllr%w+v%r}v&*|zsz#vtr#tvz"xudtwzqxvt}u{sz'xubxuur#z&+*v'q#$%'txs$||ur'z!$}r&wuw&${xt$*z
```

Now here is just a guess as of now the most famous encoding technique is `rot47` so let’s decode using rot47 and reverse the output

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736513347326/60cc0fa8-86c8-4912-b948-c28e638dd319.png align="center")

This looks more like base encoded so let’s try and use the base decoding technique and receive the flag

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736513412001/67ff2a8d-9974-4922-bd4f-7fa523471e51.png align="center")

flag: `i-CES{muLt1Pl3_eNC0diN6_dOe5N0T_mean_54fE}`

## Impure:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264744705/29a6c8a8-4ebd-44a6-a1e5-25b6b95f986f.png align="center")

Unzip the file `unzip challenge.zip`

cat out both the files we see flag has hashes and words has some of the possible passwords. On using `hascat` our `john` it is unable to crack the hash so we have to `munge` the given words for that let’s search for the code that helps to munge the words. On search we can find the [https://github.com/Th3S3cr3tAg3nt/Munge](https://github.com/Th3S3cr3tAg3nt/Munge) which has Python code to make given words a list so let munge the given words file.

Clone the repo

```bash
git clone https://github.com/Th3S3cr3tAg3nt/Munge
python3 Munge/munge.py -l 9 -i words -o munged.txt
```

now use John to crash the hash

```bash
john flag --wordlist=munged.txt 
john --show flag
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736517509536/109ff738-8e61-47c2-bb65-d596e6c33013.png align="center")

so the flag: `i-CES{techparva3:P@$ch!m@nch@18}`

# Forensics

## Hijack:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264788149/7973bf69-b747-4226-9fb3-7a374c35e834.png align="center")

use [https://morsecodemagic.com/morse-code-audio-decoder/](https://morsecodemagic.com/morse-code-audio-decoder/)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736518078743/6169d839-35a4-4818-8d48-c08d3a1bf16d.png align="center")

flag: `i-CES{M0RSE_COD3_F0R_H1J4CK1N9_UN1V3R517Y_9U35T1ONS}`

## Developers Madness:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264850721/490bdf7d-b01b-446f-976a-1c04dab9e9d1.png align="center")

unzip the challenge.zip file `unzip challenge.zip` then `ls -la` to see all the hidden files as this is the `.git` challenge

Let’s check the branch

```bash
git branch
```

there is a `secret-branch` move to that branch before using git

```bash
git checkout secret-branch
git log --oneline
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736527517032/7d62fa40-08eb-4875-8cc5-974ff68389f0.png align="center")

Moving from the bottom let’s decode this

```bash
git show 26d90e1
commit 26d90e1ff9f20a93b8db87b368eb7b601b0f8f78
Author: amritgiri <amritgiri5813@gmail.com>
Date:   Sat Jan 4 12:30:18 2025 +0545

    0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x73 0x75 0x73 0x70 0x65 0x63 0x69 0x6f 0x75 0x73

diff --git a/solve.py b/solve.py
index f97f7ea..7a03f67 100644
--- a/solve.py
+++ b/solve.py
@@ -7,9 +7,9 @@ def generate_random_flag():
     # Encode the random bytes in Base64 format
     base64_flag = base64.b64encode(random_bytes).decode('utf-8')
     # Format the flag
-    flag = f"FLAG{{{base64_flag}}}"
+    flag = f"i-CES{{{base64_flag}}}"
     return flag
 
 if __name__ == "__main__":
     random_flag = generate_random_flag()
-    print(f"Flag: i-CES{random_flag}")
+    print(f"Flag: {random_flag}")
```

let’s see the second one

```bash
└─$ git show 0180277                                 
commit 0180277dceedd1020340a9e7217152ec8d7dbcc7
Author: amritgiri <amritgiri5813@gmail.com>
Date:   Sat Jan 4 12:43:28 2025 +0545

    ZmluZCBtZSBoZXJl=

diff --git a/.0xzerobyte b/.0xzerobyte
new file mode 100644
index 0000000..46b0bf0
--- /dev/null
+++ b/.0xzerobyte
@@ -0,0 +1 @@
+FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2
```

The text `FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2` looks normal but it is not so let’s find out what is this starting from the base models. Seems to be `base45`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736527819814/a1e88901-0b9c-4d92-a03f-bcd12cba6762.png align="center")

There is the flag: `i-CES{git_1s_THE_p14Ce_For_I7_P3Op1E}`

# Binary

## Sigma:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264872530/089ed4d7-b2b7-4dbb-95e3-717c66a5ca6d.png align="center")

Unzip the file `unzip challenge.zip`

use `ghidra` import the Sigma and analyze it

In the `window` tab there is `Define strings` option click on that

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736518433748/5d1d38d7-c04d-443a-9191-e54325481ae0.png align="center")

You can see the highlight on a visit there by clicking and closing the right tab and use `CTRL+c` to view the decompiled C program

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736518588217/3c6c59b5-ee5b-479a-9842-069a4c8f26fa.png align="center")

Here we can see the hex number now let’s decode this

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736518631651/37fd03f4-7b03-47c6-ac58-8e8e66b83cf4.png align="center")

we get 5362 which is the key to unlocking the flag

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736518686350/52bd9562-33df-4ca3-ab85-a6b769c45614.png align="center")

`i-CES{Y0u_h4vE_6reat_516m4_CON6R4T5}`

## Notagain:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264955273/6c502306-b81b-42b6-bff9-e935a7712688.png align="center")

Unzip and run the `notagain`. If it is not running then change the mode to make it executable.

```bash
chmod 777 notagain 
./notagain
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519018086/b3407274-bf8c-42ab-8d90-e63c43a1927b.png align="center")

If you look at this carefully there is given what you have to input i.e.`5MnOpQr6` on calculation this consists of **8 characters** and its ASCII sum is **600** so paste to the input field we get the answer.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519074018/af7655c4-0429-4d79-a00d-35d64b7407c7.png align="center")

flag: `i-CES{k3Y_Ma7CHED_SuccE5sFu11Y}`

## Titanic:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736264946828/b0653399-d51c-4dac-993e-80e624590271.png align="center")

This challenge is similar to the Sigma challenge

let us make it executable

```bash
chmod 777 boatrescue
```

Don’t get confused as the `string boatrescue` provided flag is not correct

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519549521/0db4e3ab-1290-4ee7-9dc4-9cc80cceff4e.png align="center")

Use `ghdira` to retrieve the real flag

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519404386/9b31fc1c-9726-41e3-a8ec-41ed743a7bf6.png align="center")

use these to decode the hex we get `33700` which provides us flag: `i-CES{9UE5S3d_C0Ns74Nt_H4SH3d_NUm63R}`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519445384/a177749b-ce43-4753-84a7-94d945e0b2f8.png align="center")

# Steganography

## Fire:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736265007372/13466d67-98ec-45cf-ad5d-85e36c3dfdba.png align="center")

We can use `steghide` command to extract the metadata in the file

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736519887217/f7445fb4-d1ec-404f-8f69-8945f1b73303.png align="center")

Enter passphrase is empty you can directly press enter to get the metadata.

on `cat` it provides random text so we need to `string` out the output text

```bash
strings steganopayload29731.txt
```

This still gives us many values so let’s filter them

```bash
strings stegnopatload29731.txt | grep {*}
```

we get our flag where `grep {*}` Search for `{` and `}` pattern.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736520077826/739d066d-2570-4b19-959f-85aeb1a2fee5.png align="center")

Add i-CES in front and the flag is complete.

`i-CES{f1NA11y_IM_free3e_THaNK5}`

## Monkey:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736265039667/46814baa-8fb0-467c-8d4d-7a9f459d0629.png align="center")

Check the file type of `monkey.jpg`. Use `steghide` command to extract first without a password.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736521432525/80951509-5d51-4252-a92a-c8435b1161c6.png align="center")

unzip the `heheboi.zip` file which provides us with folder files in which one of them is a flag so instead of decoding we will write a simple script

Create a script named `sol.sh`

```bash
#!/bin/bash

# Function to check if a string is valid Base64
is_base64() {
    echo "$1" | base64 --decode 2>/dev/null | grep -q -P '^\S+$'
}

# Loop through all files in the "files" directory
for file in files/*; do
    # Check if it's a regular file
    if [ -f "$file" ]; then
        echo "==== Decoding: $file ===="
        content=$(cat "$file")
        
        # Check if the content is valid Base64
        if is_base64 "$content"; then
            echo "$content" | base64 -d
        else
            echo "Skipping: $file (Invalid Base64 data)"
        fi
        
        echo -e "\n==========\n"
    else
        echo "Skipping: $file (Not a regular file)"
    fi
done
```

Save the file and change the mode to executable for now let’s use `777`

```bash
chmod 777 sol.sh
./sol.sh
```

This will give all the output without filtering so let’s use grep to get the desired output

```bash
./sol.sh | grep -a 'i-CES' --color=none
```

flag: `i-CES{D1D_Y0U_11kE_y0UR_1m49E}`

## CID:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736265084252/aae9d498-a27a-433d-a8e4-44fb6396adfe.png align="center")

The file type is shown `jpeg` and when `steghide` is used it does not open without a passphrase so check if the `exiftool` has the pass to `treasure`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525021842/7d887c04-4d07-4a9a-9de2-309ef8f489ac.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525043313/73ea0119-336a-4386-ad14-d357bdac0e7d.png align="center")

Here `exiftool` has exciting file `License` which is seen to be a hex let’s try to decode it which yields the output `FoRY0U7h@T5h3X`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525168211/b787d36e-5cd3-4f7c-8677-1b53c313bf66.png align="center")

paste the password to the passphrase we get out metadata in `zip` file lets extract

```bash
└─$ unzip daya_pata_laga.zip 
Archive:  daya_pata_laga.zip
 extracting: badeharamiho.zip        
  inflating: waitaminute
```

So now we have two files waitaminute has a binary file which on decoding we get

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525268821/8d7f4122-1557-4008-bb49-63b0bd15e561.png align="center")

Paste the output in the mousepad and find for the term `pass`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525306648/6f4a8c2f-f5e9-4210-b2dc-5ad088fec3e2.png align="center")

We get `Thisisfakeoneword` let's save this data if we need this

using the`unzip` command asked for the password so provide `Thisisfakeoneword` as the password that will unzip the file

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525401365/cea9a24f-a6a6-40f7-a810-8279b96198c8.png align="center")

Viewing this each flag has a different type of encoded text so there must be a hint to find it which was the passphrase `FoRY0U7h@T5h3X` This said `For You Thats hex` so let’s search for the hex.

For this, we will write a script

```bash
#!/bin/bash

for i in {0..18}; do
    file="flag$i.txt"

    # Check if the file exists
    if [ ! -f "$file" ]; then
        echo "File $file does not exist!"
        continue
    fi

    # Check if the content of the file is valid hexadecimal
    if grep -q '^[0-9a-fA-F]*$' "$file"; then
        echo "$file is encoded in hexadecimal."
    else
        echo "$file is not hexadecimal."
    fi
done
```

On executing this `hex.sh` file after `chmod 777 hex.sh` we can find which has hex and which does not

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736525793021/ca87424f-e562-4fde-bf6b-19ed9d259e03.png align="center")

decode each hexadecimal file.

```bash
 mv flag0.txt flag2.txt flag7.txt flag8.txt flag13.txt flag15.txt flag18.txt ./hexfiles
```

using this command to separate the hex files

Decoding each we found base32 encoded in `flag18`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736526079325/3f2bbbe3-5c29-4489-ae50-88150d603bda.png align="center")

While baking we found that this was encoded multiple times after `hex` `base32` `base64` `morse code` `base32` `hex`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736526273771/e34cd37d-8ffe-412f-a2e4-4c1f91169a6f.png align="center")

Which yields the flag: `i-CES{StE9ANo9R4Phy_3NC0d3_anD_dEc0dE}`

# Conclusion

Hope you enjoy reading the above writeups. Feel free to provide feedback.
