BabyPWN CTF 3.0 Official Writeup

Amrit Giri

As part of TechParva3.0, the Innovative Computer Engineering Students’ Society (i-CES) of WRC, Pokhara, hosted an exciting BabyPWN CTF (Capture the Flag) competition for beginners. I had an incredible opportunity to design a few challenges for this event. In this post, I’ll be sharing the official write-up for these challenges: Compression, Envelope, PDF it is, Keep it safe, Source Non-Error, Elon Musk, Tick Tick Boom, Logged in, Byte, Penguin, Brother, Rescue me, mereko pata nahi, Impure, Hi Jack!!!, Developer Madness, Sigma, NotAgain, Titanic, Fire, Monkey, CID. Writeups for the other challenges can be found here: https://blog.sudarshandevkota.com.np/babypwnctf

Miscellaneous

Compression:

To unzip the downloaded file, run this command in a Linux terminal:

unzip challenge.zip

This gives us an error.

We need to use gzip to decompress the file instead. First, rename the file:

mv challenge.zip challenge.zip.gz

Now let’s run the command

gzip -d challenge.zip.gz

This leaves us with a new zip file, again named challenge.zip, so unzip it:

unzip challenge.zip

Running ls now shows challenge.tar.gz, so extract it with tar and then apply the same three methods again until we can cat out the flag:

tar -xf challenge.tar.gz
gzip -d challenge.zip.gz
unzip challenge.zip

Listing the directory shows flag.txt, which we simply cat out.

Flag: i-CES{ZiP_Un2ip_fr0m_D1ff3r3n7_7yp35}
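
The type of each layer is decided by its leading bytes, not by its extension, which is why unzip failed on a file named challenge.zip. The following is an added example, not part of the original writeup, that peels nested gzip, zip and tar layers by magic bytes; sniff, peel and build_sample are names chosen for this example, and the sample archive is constructed in memory rather than being the challenge file.

```python
import gzip
import io
import tarfile
import zipfile

def sniff(data: bytes) -> str:
    """Name the container from its magic bytes, ignoring the file name."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[257:262] == b"ustar":
        return "tar"
    return "data"

def peel(data: bytes, max_layers: int = 32):
    """Unwrap single-file archives; returns (payload, layer kinds in order)."""
    layers = []
    while len(layers) < max_layers:  # bound the loop against endless nesting
        kind = sniff(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n for n in zf.namelist() if not n.endswith("/")]
                if len(names) != 1:
                    raise ValueError(f"expected one file in zip, got {names}")
                data = zf.read(names[0])
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError("expected one regular file in tar")
                data = tf.extractfile(files[0]).read()
        else:
            return data, layers
        layers.append(kind)
    raise ValueError("too many nested layers")

def build_sample(flag: bytes) -> bytes:
    """Constructed input: a gzip stream holding zip(gzip(tar(flag.txt)))."""
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(flag)
        tf.addfile(info, io.BytesIO(flag))
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("challenge.tar.gz", gzip.compress(tar_buf.getvalue()))
    return gzip.compress(zip_buf.getvalue())
```

Everything is decoded in memory, so member names inside the archives are never used as paths on disk.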

Envelope:

Unzip the file using the unzip command

unzip Gogogogo.zip

Use the command

tree -a

to list all the files and folders in the challenge directory.

This shows every folder and file. Among them is .flag.png, which looks suspicious and is the first thing to check, so view it with

open Gogogogo/are_you_sure/home/Think_again/drop-in/nearly/choose/.ices/greatchoice/us/taketheflag/.flag.png

This opens the image in a file viewer.

Scanning the QR code gives us the flag:

i-CES{CoN9r475_Y0u_foUNd_m3}

PDF it is:

Unzip the zip file using

unzip challenge.zip

This gives us a file file.pdf

Let’s view the file type first

file file.pdf

if we open the file we get

So let’s check it using the ExifTool

exiftool file.pdf

The suspicious field here is the User Comment, which seems to be hex-encoded, so decode it using cyberchef.io.

There is another encoded text that looks like base64, but decoding it as base64 produced nothing useful, so try the other bases; base32 gave a useful value.

So the flag is: i-CES{HidD3N_1n_XMp}

Keep it safe:

Unzip the file:

unzip challenge.zip

Attempting to open the file gives us an error:

warning: Invalid UTF-8 byte sequences have been replaced.
error: source: error sourcing file '....../private'

So let’s check the header using the hexedit tool and look up file header signatures on the web, searching for the number 25 since that is the first byte. By trial and error it turned out to be a PDF, whose 25 and 46 match what hexedit shows. Check here: https://www.garykessler.net/library/file_sigs.html

hexedit private

Correct the file header to 25 50 44 46, then save with ctrl+x followed by y. Since it turned out to be a PDF file, rename it with mv private private.pdf. Opening it prompts for a password, so brute-force it using rockyou.txt.

Convert it to a hash:

pdf2john private.pdf > pdf.hash
john pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt

After this, use the john --show command to view the password:

john --show pdf.hash

Use supersecret as the password to unlock the PDF, which gives us the flag: i-CES{S01v3_7H3_9Uz2l3}

Web

Source Non-Error:

Visit the URL, which returns a 404 error.

Now right-click and view the page source, where you get a hint.

Using CyberChef (https://gchq.github.io/CyberChef/), decode the base64, which gives you the flag: i-CES{404_Fa1lED_t0_TRIck_y0U}

Elon Musk

Read the description carefully: it mentions the Tesla bot, which points to the website’s robots.txt file. A robots.txt file tells search engine crawlers which URLs they can access on your site. You can also find it using the command

gobuster dir -u 20.244.121.137:7855 -w /usr/share/wordlists/dirb/common.txt

Now visit the nothere.html endpoint, which asks us for a password. Looking back at robots.txt, there is another endpoint mentioned, which is nothing but the password for nothere.html.

Entering the password we get our flag: i-CES{R0B075_FL4G_H3R3}

Tick Tick Boom

Visit the URL and first view the source code to see if you can find something useful. Then inspect the page and open the console to see whether anything is printed when you start the challenge.

When we START the challenge, a hint is printed in the console telling us to call the function that captures the flag in the console before time runs out. We can try every combination of those words, joined and separate, as a function name, or notice that the hint indirectly points to a capture flag function and try that.

Calling captureflag() gives us the flag: i-CES{t1m3_1s_0f_th3_3ss3nc3}

Logged in

This challenge is about watching the network tab. A number shows up in the file section, and on viewing it we can see requests to /github/main/3. Visiting the /github/main/3 endpoint shows a flip-type game, which is of no use to us.

Again, on inspecting the network tab, there is another endpoint with the id 8.

Since there is an ID in the endpoint, check every id from 1 upwards until the flag is obtained. Doing so, we retrieve the flag at id 15, that is /github/main/15, which returns the flag in JSON format, encoded with base64.

Decoding the base64 gives us our flag: i-CES{yoU8_$3CRE7_F1@6_15_H3r3}

OSINT

Byte:

0xzerobyte is none other than me. If you visit my LinkedIn (linkedin/in/giriamrit) or search on Google, you can see my blog posts. Visit any of the blogs and go to the home page. There you can find the Techparva 3.0 blog.

Check the TechParva3.0 post and find the flag.

There you can see i-CES{0P3N_50urC3_In73ll1g3nCe}, which is the real flag.

Penguin

At the top right of the image there is a human leg, so the guess is a zoo, since the flag format has reg_no in it. So search for live zoo webcams, go through each link and check the penguin cam.

Bravo, we found the place: dublinzoo. Now find the registration number, which can be found by scrolling down the page: 207824

Putting this in the flag format we get: i-CES{dublinzoo_reg_207824}

Cryptography

Brother

The provided image is written in an alien code, which can be decoded at https://www.dcode.fr/alien-language. Visit the page and enter each symbol you see in the image.

flag: i-CES{ALIENSARESOON_COMINGTOTAKEYOU}

Rescue me:

Unzip the file:

unzip challenge.zip

Use cat to view the file:

cat flag

aS1DRVM=

粄簿类籪籟籸籨籢簹

0x555f317535375f

01000100 01100101 01100011 00110000

25ApIrerTJ

Use CyberChef to cook this encoded text.

The 1st one is base64.

The 2nd one is ROT8000, found by brute-forcing ROT.

The 3rd text is hex, as we can see from the leading 0x.

The 4th is binary.

The 5th is base62, found by brute force.

flag: i-CES{6raVo_Y0U_1u57_Dec0d3d_m3}

Mereko pata nahi:

Unzip challenge.zip and cat out the file; we get

lllr%25w%2Bv%25r%7Dv%26%2A%7Czsz%23vtr%23tvz%22xudtwzqxvt%7Du%7Bsz%27xubxuur%23z%26%2B%2Av%27q%23%24%25%27txs%24%7C%7Cur%27z%21%24%7Dr%26wuw%26%24%7Bxt%24%2Az%0D%0A

This is URL-encoded text, so let’s decode it with a URL decoder. We get

lllr%w+v%r}v&*|zsz#vtr#tvz"xudtwzqxvt}u{sz'xubxuur#z&+*v'q#$%'txs$||ur'z!$}r&wuw&${xt$*z

From here it is just a guess: since ROT47 is the most famous encoding technique right now, let’s decode using ROT47 and reverse the output.

The result looks base-encoded, so let’s try the base decoding techniques to receive the flag.

flag: i-CES{muLt1Pl3_eNC0diN6_dOe5N0T_mean_54fE}

Impure:

Unzip the file:

unzip challenge.zip

cat out both files: flag contains hashes and words contains some possible passwords. hashcat or john cannot crack the hash with these words directly, so we have to munge the given words. Searching for code that munges words, we find https://github.com/Th3S3cr3tAg3nt/Munge, which has Python code that turns the given words into a wordlist, so let’s munge the given words file.

Clone the repo

git clone https://github.com/Th3S3cr3tAg3nt/Munge
python3 Munge/munge.py -l 9 -i words -o munged.txt

Now use John to crack the hash:

john flag --wordlist=munged.txt 
john --show flag

so the flag: i-CES{techparva3:P@$ch!m@nch@18}

Forensics

Hijack:

Use https://morsecodemagic.com/morse-code-audio-decoder/ to decode the audio.

flag: i-CES{M0RSE_COD3_F0R_H1J4CK1N9_UN1V3R517Y_9U35T1ONS}

Developers Madness:

Unzip the challenge.zip file:

unzip challenge.zip

Then run ls -la to see all the hidden files, as this is a .git challenge.

Let’s check the branches:

git branch

There is a secret-branch, so move to that branch before going through the git log:

git checkout secret-branch
git log --oneline

Starting from the bottom of the log, let’s decode these:

git show 26d90e1
commit 26d90e1ff9f20a93b8db87b368eb7b601b0f8f78
Author: amritgiri <amritgiri5813@gmail.com>
Date:   Sat Jan 4 12:30:18 2025 +0545

    0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x73 0x75 0x73 0x70 0x65 0x63 0x69 0x6f 0x75 0x73

diff --git a/solve.py b/solve.py
index f97f7ea..7a03f67 100644
--- a/solve.py
+++ b/solve.py
@@ -7,9 +7,9 @@ def generate_random_flag():
     # Encode the random bytes in Base64 format
     base64_flag = base64.b64encode(random_bytes).decode('utf-8')
     # Format the flag
-    flag = f"FLAG{{{base64_flag}}}"
+    flag = f"i-CES{{{base64_flag}}}"
     return flag

 if __name__ == "__main__":
     random_flag = generate_random_flag()
-    print(f"Flag: i-CES{random_flag}")
+    print(f"Flag: {random_flag}")
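
Review bot: The flag prefix should be a single module-level constant: in generate_random_flag() it is a literal inside the f-string, and the print under __main__ had to be edited in the same commit to keep the prefix from being printed twice. Defining it once lets the formatter and its callers stay in step. The commit message is a run of hex bytes (0x74 0x68 ...) rather than a description, so git log gives a reader no hint of what changed; write it in plain text.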

Let’s see the second one:

└─$ git show 0180277                                 
commit 0180277dceedd1020340a9e7217152ec8d7dbcc7
Author: amritgiri <amritgiri5813@gmail.com>
Date:   Sat Jan 4 12:43:28 2025 +0545

    ZmluZCBtZSBoZXJl=

diff --git a/.0xzerobyte b/.0xzerobyte
new file mode 100644
index 0000000..46b0bf0
--- /dev/null
+++ b/.0xzerobyte
@@ -0,0 +1 @@
+FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2
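
Review bot: .0xzerobyte is a hidden dotfile whose only line is an opaque encoded string, committed under a message that is itself an encoded string instead of a description. If the value is sensitive, encoding does not protect it: once committed it stays readable through git show on any branch that contains the commit, so it should be kept out of the repository. If it is not sensitive, store it in plain text and say in the message what the file is for.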

The text FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2 looks normal, but it is not, so let’s find out what it is, starting with the base encodings. It seems to be base45.

There is the flag: i-CES{git_1s_THE_p14Ce_For_I7_P3Op1E}
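
The decoding steps for this challenge, as an added example that is not part of the original writeup: a Base45 decoder following RFC 9285, plus helpers for the two encoded commit messages. The function names are assumptions of this example; the three input strings are copied from the git show output above.

```python
import base64

# Base45 alphabet from RFC 9285: digits, upper-case letters, then " $%*+-./:".
B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"

def b45decode(text: str) -> bytes:
    """Decode Base45: 3 chars -> 2 bytes, a trailing 2 chars -> 1 byte."""
    try:
        vals = [B45.index(c) for c in text]
    except ValueError as exc:
        raise ValueError("character outside the Base45 alphabet") from exc
    if len(vals) % 3 == 1:
        raise ValueError("Base45 length cannot be 1 mod 3")
    out = bytearray()
    for i in range(0, len(vals), 3):
        chunk = vals[i:i + 3]
        # Each group is a little-endian number in base 45.
        n = sum(v * 45 ** k for k, v in enumerate(chunk))
        width = 2 if len(chunk) == 3 else 1
        if n >= 256 ** width:
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(width, "big")
    return bytes(out)

def hex_words(msg: str) -> str:
    """Decode a commit message written as space-separated 0xNN bytes."""
    return bytes(int(w, 16) for w in msg.split()).decode("ascii")

def b64_lenient(msg: str) -> str:
    """Decode Base64 after normalising its padding (the message has a stray '=')."""
    core = msg.rstrip("=")
    return base64.b64decode(core + "=" * (-len(core) % 4)).decode("ascii")

# Values copied from the git show output above.
MSG1 = ("0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x73 "
        "0x75 0x73 0x70 0x65 0x63 0x69 0x6f 0x75 0x73")
MSG2 = "ZmluZCBtZSBoZXJl="
BLOB = "FDDVM8-OAD3D1WEEB6E2C669.2C-96IN802C04E32C007B6A-1ADA6Z2"

if __name__ == "__main__":
    print(hex_words(MSG1))
    print(b64_lenient(MSG2))
    print(b45decode(BLOB).decode("ascii"))
```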

Binary

Sigma:

Unzip the file:

unzip challenge.zip

Open Ghidra, import the Sigma binary and analyze it.

In the Window tab there is a Defined Strings option; click on that.

You can see the highlighted entry; go there by clicking it, close the right tab and use CTRL+c to view the decompiled C program.

Here we can see a hex number, so let’s decode it.

We get 5362, which is the key to unlocking the flag:

i-CES{Y0u_h4vE_6reat_516m4_CON6R4T5}

Notagain:

Unzip and run notagain. If it does not run, change the mode to make it executable.

chmod 777 notagain 
./notagain

If you look at the output carefully, it tells you what you have to input, i.e. 5MnOpQr6. On calculation, this consists of 8 characters and its ASCII sum is 600, so paste it into the input field and we get the answer.

flag: i-CES{k3Y_Ma7CHED_SuccE5sFu11Y}

Titanic:

This challenge is similar to the Sigma challenge.

Let us make it executable:

chmod 777 boatrescue

Don’t get confused: the flag that the strings of boatrescue provide is not correct.

Use Ghidra to retrieve the real flag.

Decoding the hex we get 33700, which gives us the flag: i-CES{9UE5S3d_C0Ns74Nt_H4SH3d_NUm63R}

Steganography

Fire:

We can use the steghide command to extract the metadata in the file.

The passphrase is empty, so at the Enter passphrase prompt you can press Enter directly to get the metadata.

Running cat on it prints random text, so we need to run strings on the output file:

strings steganopayload29731.txt

This still gives us many values, so let’s filter them:

strings steganopayload29731.txt | grep '{.*}'

This gives us our flag; grep '{.*}' searches for lines containing a { followed later by a }.

Add i-CES in front and the flag is complete.

i-CES{f1NA11y_IM_free3e_THaNK5}

Monkey:

Check the file type of monkey.jpg. Use the steghide command to extract from it, first trying without a password.

Unzip the heheboi.zip file, which gives us a folder named files; one of the files in it holds the flag, so instead of decoding each by hand we will write a simple script.

Create a script named sol.sh:

#!/bin/bash

# Function to check if a string is valid Base64
is_base64() {
    echo "$1" | base64 --decode 2>/dev/null | grep -q -P '^\S+$'
}

# Loop through all files in the "files" directory
for file in files/*; do
    # Check if it's a regular file
    if [ -f "$file" ]; then
        echo "==== Decoding: $file ===="
        content=$(cat "$file")

        # Check if the content is valid Base64
        if is_base64 "$content"; then
            echo "$content" | base64 -d
        else
            echo "Skipping: $file (Invalid Base64 data)"
        fi

        echo -e "\n==========\n"
    else
        echo "Skipping: $file (Not a regular file)"
    fi
done

Save the file and make it executable; for now let’s use 777:

chmod 777 sol.sh
./sol.sh

This prints all the output without filtering, so let’s use grep to get the desired output:

./sol.sh | grep -a 'i-CES' --color=none

flag: i-CES{D1D_Y0U_11kE_y0UR_1m49E}

CID:

The file type is reported as JPEG, and steghide will not extract from it without a passphrase, so check whether exiftool reveals the pass to the treasure.

Here exiftool shows an interesting License field that looks like hex. Decoding it yields the output FoRY0U7h@T5h3X

Entering that as the passphrase gives us our metadata in a zip file, so let’s extract it:

└─$ unzip daya_pata_laga.zip 
Archive:  daya_pata_laga.zip
 extracting: badeharamiho.zip        
  inflating: waitaminute

So now we have two files. waitaminute contains binary data, which we decode.

Paste the output into Mousepad and search for the term pass.

We get Thisisfakeoneword; let’s save it in case we need it.

The unzip command asks for a password, so provide Thisisfakeoneword as the password to unzip the file.

Looking at the extracted files, each flag file has a different type of encoded text, so there must be a hint for finding the right one. That hint was the passphrase FoRY0U7h@T5h3X, which reads For You Thats hex, so let’s search for the hex.

For this, we will write a script:

#!/bin/bash

for i in {0..18}; do
    file="flag$i.txt"

    # Check if the file exists
    if [ ! -f "$file" ]; then
        echo "File $file does not exist!"
        continue
    fi

    # Hex only if the file is non-empty and no line contains a non-hex character
    if [ -s "$file" ] && ! grep -qvE '^[0-9a-fA-F]+$' "$file"; then
        echo "$file is encoded in hexadecimal."
    else
        echo "$file is not hexadecimal."
    fi
done

After chmod 777 hex.sh, executing this hex.sh file shows which files contain hex and which do not.

Decode each hexadecimal file. First, use this command to separate the hex files:

mv flag0.txt flag2.txt flag7.txt flag8.txt flag13.txt flag15.txt flag18.txt ./hexfiles

Decoding each, we found base32-encoded text in flag18.

While baking, we found that this was encoded multiple times: after hex came base32, base64, morse code, base32 and hex.

Which yields the flag: i-CES{StE9ANo9R4Phy_3NC0d3_anD_dEc0dE}

Conclusion

Hope you enjoy reading the above writeups. Feel free to provide feedback.
