Walkthrough

The most obvious hint here is the reference to the Caesar cipher, further confirmed by the use of the word shift. However, we could try all 26 possibilities here, and none of them would result in a coherent FLAG.

The sneakier part that you may not have caught in the wording is the ‘double shift’ - two different Caesar shifts were used.

One thing we can note is that we can expect the message to start with FLAG. If we try to rig a shift so that we get the first letter to be F (+13), we get:

FDAY{fol_a_vohpdej_khafl}

Interestingly, this also gets the A in the right place, giving us F_A_.

Shifting to get L in the second position (-5) gives us

NLIG{nwt_i_dwpxlmr_spint}

This time, we also get the G in the right place! This suggests that there are two alternating shifts.

FDAY{fol_a_vohpdej_khafl}
NLIG{nwt_i_dwpxlmr_spint}

Taking alternating letters, we get our flag.

Flag

FLAG{not_a_doppler_shift}

Walkthrough

We seem to have the strings ‘comp’ and ‘club’ as base units here - this seems very much like a binary system!

There also seems to be exactly 8 comps or clubs in a group, or exactly a byte! This suggests that the FLAG could be encoded in ASCII.

We know that all ASCII characters represented as a binary byte start with 0. Since all the groups start with comp, we can guess that comp is 0, and club is 1.

Replacing, we get,

01001100 01000001 01000111 01111011 01100010 01111001 01010100 00110011 01011111 01110011 00110001 01111010 01000101 01100100 01111101

Converting these into their ASCII characters, we get our flag.

Flag

FLAG{byT3_s1zEd}

Walkthrough

The name of the file index.txt hints that the numbers in its contents could be some way that we could index the book, just like we index lists/arrays when programming.

We can see the numbers occur in pairs, (a, b). The a values can get pretty big, while b is always relatively small (at most, 6). This suggests that the second number could be some way of indexing a character within a word. Maybe the first number could be the index of the word we’re using?

We can also see a couple of 0s occurring in the index, for example, the second pair is (0, 0). This suggests that both words and characters are zero-indexed, just like lists and arrays in most programming languages start counting from 0.

This is what is known as a book cipher. You could either try manually calculating each of the letters, writing a script to do it, or using a website like this one to decode it. You’ll need to convert all the index pairs to match the format on that site. Make sure you select the correct options (word number, character number, none), and set the numbering start to 0. Once you do this, you should get your flag.

Flag

FLAG{lightpollution}

Other notes

The contents of the book are actually the lyrics to Shooting Stars by Bag Raiders.

Walkthrough

Typically with an image challenge, I would go through

• Metadata (basically non-existent with PNG files)
• Photoshop levels (and other adjustments)
• Steganography
• Hexdump (checking through the raw bytes in the file for any anomalies, but not typical in a beginner’s CTF of this level).

It’s certainly worth checking through these if everything else fails, but this is a crypto challenge, not a forensics challenge. The wording of the challenge also suggests that the name being hidden in the flag is intrisic to the flag design itself, and not the file.

At this point, we can analyse the colours in the image - there are three of them:

• #486163
• #6b746f
• #706961

It’s worth noting this image looks really dull. Breaking each of the colours into their subpixels (or bytes):

• 48 61 63
• 6b 74 6f
• 70 69 61

We can see that none of the bytes are greater than 7F, which is equal to 127 in decimal. This suggests that the colours may be being used to encode ASCII values.

If we convert each byte to their corresponding ASCII values (remember to use the hexadecimal column on the ASCII table), we get

• H a c
• k t o
• p i a

revealing the flag.

Flag

FLAG{Hacktopia}

Walkthrough

This requires some minor intelligence gathering:

1. Note that FireDnD’s offices are located at 33-39 Hunter Street, Sydney. This can be found on the site’s footer, or ‘Contact Us’ page.
2. The nearest station can be found using the measure distance tool on Google Maps - this is Martin Place station - however, it only barely beats out Wynyard station.
3. We are told that the CEO wishes to take a T4 train from Platform 2 - if you chose Wynyard Station earlier, this is a big clue that something may have gone wrong, as no T4 trains pass through Wynyard. Avid train nerds may also note that Wynyard doesn’t have a Platform 2, as platforms there are numbered from 3. T4 trains on Platform 2 of Martin Place station run eastbound towards Bondi Junction. Two stops in this direction takes us to Edgecliff station.
4. We now want to check the train schedule for T4 trains departing after 5:08pm on Fridays. The next train would leave at 5:12, and is scheduled to arrive at 5:16:30pm, making the answer 5:17pm, or 17:17.

Flag

FLAG{1717}

Walkthrough

Typically when I’m solving a CTF challenge which involves trying to find some hidden resource on a website, I’ll open the ‘Network’ tab of my browser, and start recording the requests the browser is making. These requests can tell me, for example, what images the browser is loading in - a fair initial suspicion would be that the browser is loading this image of the fired team member, but not displaying it.

However, this isn’t quite the case. If we visit the /team.html page, we can see that three images are being loaded in: team-1.jpg, team-2.jpg and team-4.jpg. The glaring omission of team-3.jpg suggests that this might be our missing file. Visiting /team-3.jpg gives us our flag!

Flag

FLAG{h3Lps_t0_c0uNt}

Walkthrough

The first big hint in this challenge comes from the ‘cool way to prevent search engines from finding’ part - this is the exact function of robots.txt. If we visit /robots.txt, we find the following:

User-agent: Googlebot
Disallow: /ry4ns-s3cret-p4ge.html

We’ve now got the URL for the secret page! If we pay it a visit, however, we get this:

Hi! CEO of FireDnD here! I have taken over Ryan's secret page after firing him. That being said, I heard that nothing is deleted from the internet forever. Surely no one has a copy of the old contents of this page?

Unfortunate. Except, not really, because every internet historian’s favourite tool, The Internet Wayback Machine at web.archive.org happens to conveniently have a copy of the page!

There’s an unloaded image on this page. Looking at the source code, we see

<div class="container">
    <h1>Ryan's top secret page</h1>

    <p>Hello, I'm Ryan, a developer at firednd. This is my secret page!</p>

    <p>Here is a secret:</p>
    <img src="/web/20210106050020im_/http://firednd-syd.web.app/FLAG{hiDD3n_in_the_s0uRce}"/>
</div>

giving us our flag.

Flag

FLAG{hiDD3n_in_the_s0uRce}

Walkthrough

(Replace Ctrl with Cmd on macOS.)

This first (well, zeroth) flag requires you to view the page source - that is, the code used to render the webpage to you - to look for comments. The flag is split up across three comments in three different files:

• index.html

  This HTML file contains the overall structure of the page, and can be easily found through Ctrl+Shift+I and checking the ‘Elements’ tab or Ctrl+U, to view the raw HTML (on Chrome, at least).

• hello.js

  JS files usually make a webpage interactive. You could’ve found this from the ‘Sources’ tab, or noticing the JS file was loaded in the HTML source code, or even noticing the origin of the sneaky message in the ‘Console’ tab.

• style.css

  CSS files make pages look pretty. You again could’ve found this from the ‘Sources’ tab, or noticing the CSS file was loaded in the HTML source code.

Flag

FLAG{0_i_f0unD_tHre3_tYpEs_oF_cOmM3NtS}

Walkthrough

(Replace Ctrl with Cmd on macOS.)

CTF authors like to involve cookies in challenges somehow, and this includes me! Using Ctrl+Shift+I on Chrome and selecting the Application tab, and then ‘Cookies’, reveals all cookies set by the current site, including the flag!

Flag

FLAG{1_i_cHeCkeD_f0r_c0oki3S}

Walkthrough

You probably tried to login before anything else, but this is in fact the final flag! Logging in with incorrect details gives us the following message:

‘Password did not match expected encoded result: aXJlQUxMeUxpa0VzUGFjZVNoaVBzMjA3JA==’

This looks a lot like base-64 encoding - the biggest giveaway is the occurrence of equal signs on the end (which has a 2/3 probability of happening with base-64). Googling for a base-64 decoder gives us plenty of results, and decoding it gets us the password to use with the username ‘astronaut’ - ‘ireALLyLikEsPaceShiPs207$’. Logging in will give you the flag.

You can also decode base-64 on a Linux command line with echo 'aXJlQUxMeUxpa0VzUGFjZVNoaVBzMjA3JA==' | base64 -d.

Flag

FLAG{2_b4Se_64_iS_nOt_eNcrYpTi0n}

Walkthrough

I tried to hints for this one in plain sight - taking a look at the two recent search items shows you a song named ‘Multiply’ and another named ‘Resolution’ - resolution is a term to describe how many pixels tall and wide an image/video is.

From multiplying the resolution of the image (887 x 606), we get our solution.

Flag

FLAG{537522}

Other notes

I made my Spotify look pretty using Spicetify with this theme.

Walkthrough

In the workshop slides, I highly suggested getting either Photoshop or GIMP to use - however, this was entirely solvable with just Microsoft Paint.

I set the background of this image to #ffffff - this is the hexadecimal code for the colour white. I then used the paintbrush to hide the flag to #fffffd - a colour that is extremely close to white, but not quite, making the writing seem basically invisible.

When solving image challenges for CTFs like these, I typically use Photoshop:

1. Open the Levels tool from Edit > Adjustments > Levels
2. Mess around with the input level sliders, and then the output level sliders and see if something reveals itself.

This would’ve worked perfectly well for this challenge. However, a simpler solution would be:

1. Open the image in Microsoft Paint.
2. Use the Fill bucket tool, and select a colour like black.
3. Click somewhere close to the border of the image, ‘flooding the image’.

Paint only fills neighbouring pixels with the exact same colour - this should’ve revealed the off-white writing.

Flag

FLAG{st4rBucKs_Lov3Rs}

Other notes

Yes, this flag was a reference to the misheard ‘Starbucks Lovers’ lyrics from Taylor Swift’s Blank Space.

Walkthrough

While this challenge uses a set of techniques that are relatively common in CTFs, paying attention to the workshop slides would have helped a lot here.

The first image you want to look at is eggnog.jpg - note that the contents featured in both images are basically identical, although the PNG is of much lower resolution. Looking at the file’s metadata, we can see that there is some hidden information in the EXIF data (JPG files can have EXIF data, PNG files don’t) - namely, the following string:

jocksfindquartzglyphvexbmw

We shall save this for later use.

The second image is named steggnog.png - a huge hint that more advanced image steganography, like least significant bit steganography, might be in use here. Googling ‘online steganography’ yields this website. sDecoding it yields the following:

FAJI{tzhpzdtpditdfdcjthtzx}

This is the point where this challenge now becomes more crypto than forensics - we can see the result of our steganography decode looks almost like a flag. This is where we go back to our older string - jocksfindquartzglyphvexbmw. Googling this string yields a result about ‘perfect pangrams’ - sentences with all 26 letters of the alphabet exactly once. You might notice that this perfect pangram makes a perfect key for a substitution cipher.

Decoding the substitution cipher (using the perfect pangram as our ciphertext alphabet) on a website like this gives us our flag.

Flag

FLAG{notsoinsignificantnow}

Other notes

The reason the PNG was lower resolution was so that your computer didn’t die trying to decode using the steganography tool - fewer pixels means less work.

Walkthrough

Find the slide about what CTF flags are - it’s in plain sight!

Flag

FLAG{y0ur_f1rSt_flaG}

Walkthrough

This challenge features the distinctive short and long flashes (or dots and dashes used in Morse code). Fortunately, there’s also synced beeping noises with the video, which makes interpreting the Morse code a lot easier (although you can just use the video, too!):

1. Open the audio from the video in an audio editor like Audacity.
2. Use the spectrogram to identify where each short (dot) flash or long (dash) sound is, and enter it into a Morse Code translator, and voila!

Flag

FLAG{no_remorse}

Walkthrough

This challenge uses a fake, but straight-forward ‘programming language’ - this is what we call ‘pseudocode’, which is a simplified notation to describe how a program or algorithm should work.

There are some things that you might need to be careful for here:

• If a ‘branch’ of an if statement is true, then we don’t need to worry about other branches of the if statement. For example:

if (a) {
    do_something();
} else if (b) {
    do_something_else();
} else if (c) {
    do_other_thing();
} else {
    do_last_thing();
}

If b is true, then it doesn’t matter if c is true as well - once we’ve completed do_something_else(), we skip to the end of the entire if statement structure.

• Be careful with ‘less than’ - this is not the same as ‘less than or equal to’.

Following through each of the statements should get you to the flag.

Flag

FLAG{n3buL0uS_r3d5h1fT}