
BroncoCTF Writeup 2024

Planted February 18, 2024

BroncoCTF

This is a writeup for all challenges from BroncoCTF 2024. Although the CTF was aimed at beginners, some challenges were actually pretty difficult, with unique challenges tailor-made for the different categories. The organizers also do love their binary.

Team

We are a team of two members: me (yours truly) and Aviral (error9098x). We managed to solve most of the problems, had a lot of fun doing so, and took 13th place in the CTF out of more than 250 teams.

Trident09 error9098x


Challenges

Welcome

  • Don’t Be a Slacker 🔗
  • Welcome Challenge 🔗

Beginner

  • Keyboard-Elitist 🔗
  • Shrekanana-Banana 🔗
  • Stego-Snore-Us 🔗

Crypto

  • Birthday-Bash - Did not solve
  • Electrical-Engineering 🔗
  • Oh-Danny - Did not solve
  • Preschool-Lessons 🔗
  • Zodiac-Killer 🔗

Forensics

  • Boom 🔗
  • LAN-Party - Did not solve
  • Medieval-Beats 🔗
  • Mystery Sound - Did not solve
  • WarioParty 🔗

Misc

  • BroncoCTF-Crossword 🔗
  • Countries Unite! 🔗
  • World’s Hardest Flag - Did not solve

Reversing

  • MZ - Did not solve
  • Serpent-Pass 🔗

Web

  • ACM-Borg-Members 🔗
  • All-I-Do-Is 🔗
  • Blue-Boy-Storage 🔗
  • Blue-Herring 🔗

OSINT

  • Wikipedia 🔗
  • Lost-Valentine 🔗 - Could not solve the whole challenge
  • Side-Quest 🔗

Don’t Be a Slacker

Target Difficulty: Functional Human Brain (10 pts)

Don’t Be a Slacker

Description

If you are an SCU student, join our Slack channel in the H4H org! #broncoctf

Otherwise, join the Discord for event updates!

https://discord.gg/Mn2YkAXn

This is a sanity-check challenge to make sure you can submit flags. All you had to do was join the Discord server; the flag was posted in the #rules channel’s topic section.

Flag

Flag:

broncoCTF{not_a_slacker!}

Welcome Challenge

Target Difficulty: Basically a CAPTCHA (10 pts)

Description

Hello, welcome to BroncoCTF!

To see all the challenges, you need to visit the rules page and find the flag.

Happy Hacking!

Flag:

bronco{welcome_to_the_show}

Keyboard Elitist

Target Difficulty: Beginner (100 Points)

Keyboard Elitist

Description

My buddy is bragging about how cool his Framework laptop is and how much faster he can type than me.

When I tried to type a message, it came out as garbage!

A;;apfkgij gj;ukd ar ut ghur war a Qwfpgj efjbyaps yk a Cyifmae uk;lg rchfmf maefr ghur iyye iuef dapbadf. Mj tpufks ur sftukugfij a efjbyaps rkyb, ylg hfpf wugh hur mysliap tpamfwype ia;gy;. Rudh, fughfp waj... hfpf ur ghf tiadO bpykcy{qwfpgj_vr_c0ifm@e}

This seems like a simple substitution cipher. We can use an online tool to decrypt the message. There is a wonderful tool called quipqiup that can help us solve this challenge.

  • We also know the flag format, so we can help quipqiup by providing matches for the flag format.

Keyboard Elitist Flag

Flag:

bronco{qwerty_vs_c0lem@k}
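As the flag says, the substitution is simply QWERTY key positions typed through a Colemak layout, so it can be undone with a fixed table instead of a solver. The following is an added example, not part of the original write-up; the function names are illustrative and the sample is the last sentence of the challenge text.

```python
# Added example: undo text typed on QWERTY key positions while the active
# layout is Colemak. Each string lists the same physical keys, row by row.
QWERTY = "qwertyuiop" + "asdfghjkl;" + "zxcvbnm"
COLEMAK = "qwfpgjluy;" + "arstdhneio" + "zxcvbkm"


def _shift(ch: str) -> str:
    """Character produced by the same key with Shift held."""
    return ":" if ch == ";" else ch.upper()


def _table(src: str, dst: str) -> dict:
    """Translation table mapping every key in src to the same key in dst."""
    mapping = {}
    for s, d in zip(src, dst):
        mapping[s] = d
        mapping[_shift(s)] = _shift(d)
    return str.maketrans(mapping)


_TO_QWERTY = _table(COLEMAK, QWERTY)
_TO_COLEMAK = _table(QWERTY, COLEMAK)


def colemak_to_qwerty(text: str) -> str:
    """Recover what the typist meant; digits and other symbols are unchanged."""
    return text.translate(_TO_QWERTY)


def qwerty_to_colemak(text: str) -> str:
    """Reproduce the garbled output from the intended text."""
    return text.translate(_TO_COLEMAK)


# Last sentence of the challenge message, copied from the description above.
SAMPLE = "Rudh, fughfp waj... hfpf ur ghf tiadO bpykcy{qwfpgj_vr_c0ifm@e}"

if __name__ == "__main__":
    print(colemak_to_qwerty(SAMPLE))
```

Note that the capital `O` before the flag decodes to `:` because Colemak places `O` on the QWERTY `;` key.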

Shrekanana Banana

Target Difficulty: Beginner (100 Points)

Shrekanana Banana

Description

I was given this image of Shrek in a Banana, but I can’t help but feel like I am missing something…

Challenge Image

This is a steganography challenge. We can use an all-in-one online image steganography tool called AperiSolve. We can upload the image and it will give us the flag. The flag is hidden in the image in the 3rd bit plane of the green color.

Shrekanana Banana Flag

Flag:

bronco{shr3konogr@phy}

Stego-Snore-Us

Target Difficulty: Beginner (100 pts)

Stego-Snore-Us

Description

I’m not the only one tired after pulling an all-nighter for Hack for Humanity…

Challenge Image

This is another steganography challenge. We can use the same tool as before to solve this challenge. We can upload the image and it will give us the flag.

This time the flag is hidden in the 2nd bit plane of the blue color. It’s also encrypted.

Stego-Snore-Us Flag Enc

The flag has a substitution cipher applied to it. We can use quipqiup to solve the cipher.

Stego-Snore-Us Flag

Flag:

bronco{no_more_all_nighters}

Electrical Engineering

Target Difficulty: Easy (200 pts)

Electrical Engineering

Description

I hate electrical engineering

Challenge File

This PDF has a bunch of images of resistors. The color codes of the resistors are used to represent the flag, so the flag can be decrypted by reading them.

Electrical Engineering Flag Help

This can be used to convert the resistors into numbers that are ASCII values. We can use an online tool to convert the ASCII values to text.

Electrical Engineering Flag

Flag:

bronco{rEsi5t_ev1L}

Preschool Lessons

Target Difficulty: Easy (150 pts)

Preschool Lessons

Description

a b c… easy as 1 2 3…

Do you REALLY know your ABCs?

a string of a's, b's, and c's - i have removed it because it was breaking the webpage you can copy it from the program below

This is a simple cipher where the flag is encoded using the alphabet. The challenge description hints that the flag is encoded using 3 letters. If we look closely, the pattern is similar to binary. Taking a as 0, b as 1, and c as <space>, we can convert the flag to binary and then to text.

I used this Python script to convert the flag to text.

def binary_to_text(binary_str):
    # Replace 'a' with '0', 'b' with '1', and 'c' with ' ' (space)
    binary_str = binary_str.replace('a', '0').replace('b', '1').replace('c', ' ')

    # Split the string into chunks of 8 bits (ignoring spaces) and convert to characters
    binary_chunks = binary_str.split()
    text_str = ''

    for binary_chunk in binary_chunks:
        if len(binary_chunk) == 8:
            decimal_value = int(binary_chunk, 2)
            text_str += chr(decimal_value)

    return text_str

# Input string
input_str = 'abbaaabacabbbaabacabbabbbbcabbabbbacabbaaabbcabbabbbbcabbbbabbcabbabaabcababbbbbcabbabbabcaabbaaabcabbbaabbcabbbaabbcababbbbbcabbbaaaacabbbaabacaabbaabbcabbbaabbcabbaaabbcabbabaaacabbabbbbcaabbaaaacabbabbaacabbbbbab'

# Convert and print the resulting text
converted_text = binary_to_text(input_str)
print(converted_text)

This binary string can also be converted into the flag: 01100010 01110010 01101111 01101110 01100011 01101111 01111011 01101001 01011111 01101101 00110001 01110011 01110011 01011111 01110000 01110010 00110011 01110011 01100011 01101000 01101111 00110000 01101100 01111101

Flag

bronco{i_m1ss_pr3scho0l}

Zodiac Killer

Target Difficulty: Easy (100 pts)

Zodiac Killer

Description

The Zodiac Killer is on the loose! I saw this message spray painted on a wall.

Wrap the flag in bronco{}

Zodiac Killer

This is a simple Zodiac cipher. We can use an online tool to decrypt the message. DCODE can be used to decrypt the message.

Zodiac Killer Flag

Flag:

bronco{LOOKOVERYOURSHOULDER}

Boom

Target Difficulty: Medium (300 Points)

Boom

Description

With all these talks of arbitration, things are tense here around the office. I feel like people are going to explode at any moment. I gotta watch where I step before I accidentally bring something up and uncover something I didn’t want to.

The given file is HarvestBoom.mbf:

7d 19 01 2e 03 01 04 01 05 01 06 01 07 01 08 01 09 01 0a 01 0b 01 0d 01 0e 01 0f 01 10 01 11 01 12 01 13 01 14 01 15 01 16 01 17 01 18 01 19 01 1a 01 1b 01 1c 01 1d 01 1e 01 1f 01 20 01 21 01 22 01 23 01 24 01 25 01 26 01 27 01 28 01 29 01 2a 01 2b 01 2c 01 2d 01 2e 01 2f 01 30 01 31 01 32 01 33 01 34 01 35 01 36 01 37 01 38 01 39 01 3a 01 3b 01 3c 01 3d 01 3e 01 3f 01 03 02 3f 02 03 03 3f 03 03 04 3f 04 03 05 1f 05 20 05 39 05 3a 05 3f 05 03 06 06 06 1f 06 2b 06 2c 06 2d 06 2e 06 2f 06 3a 06 3f 06 03 07 06 07 1e 07 23 07 2b 07 2f 07 37 07 3b 07 3f 07 03 08 06 08 1f 08 23 08 2b 08 2e 08 2f 08 31 08 37 08 3a 08 3f 08 53 08 57 08 59 08 5a 08 5b 08 03 09 06 09 07 09 08 09 0a 09 0b 09 0c 09 0e 09 0f 09 10 09 12 09 13 09 14 09 16 09 17 09 18 09 1a 09 1b 09 1c 09 1e 09 23 09 24 09 25 09 27 09 28 09 29 09 2b 09 2d 09 2f 09 31 09 32 09 34 09 37 09 3b 09 3f 09 54 09 56 09 59 09 5c 09 03 0a 06 0a 08 0a 0a 0a 0e 0a 10 0a 12 0a 14 0a 16 0a 1a 0a 1c 0a 1f 0a 23 0a 25 0a 27 0a 29 0a 2b 0a 2c 0a 2f 0a 31 0a 33 0a 35 0a 3a 0a 3f 0a 55 0a 59 0a 5c 0a 03 0b 06 0b 07 0b 08 0b 0a 0b 0e 0b 0f 0b 10 0b 12 0b 14 0b 16 0b 17 0b 18 0b 1a 0b 1b 0b 1c 0b 1f 0b 20 0b 23 0b 24 0b 25 0b 27 0b 28 0b 29 0b 2b 0b 2c 0b 2d 0b 2e 0b 2f 0b 31 0b 33 0b 35 0b 37 0b 39 0b 3a 0b 3f 0b 54 0b 56 0b 59 0b 5c 0b 03 0c 3f 0c 53 0c 57 0c 59 0c 5a 0c 5b 0c 03 0d 3f 0d 03 0e 04 0e 05 0e 06 0e 07 0e 08 0e 09 0e 0a 0e 0b 0e 0c 0e 0d 0e 0e 0e 0f 0e 10 0e 11 0e 12 0e 13 0e 14 0e 15 0e 16 0e 17 0e 18 0e 19 0e 1a 0e 1b 0e 1c 0e 1d 0e 1e 0e 1f 0e 20 0e 21 0e 22 0e 23 0e 24 0e 25 0e 26 0e 27 0e 28 0e 29 0e 2a 0e 2b 0e 2c 0e 2d 0e 2e 0e 2f 0e 30 0e 31 0e 32 0e 33 0e 34 0e 35 0e 36 0e 37 0e 38 0e 39 0e 3a 0e 3b 0e 3c 0e 3d 0e 3e 0e 3f 0e 1c 13 1e 13 2e 13 30 13 1b 15 1f 15 2d 15 2e 15 2f 15 30 15 31 15 1c 16 1d 16 1e 16 2d 16 31 16 2e 17 2f 17 30 17

Given hint: Look into Minesweeper and hex

Searching for “mbf file” won’t yield any good results. But after some surfing, it turns out that the .mbf extension is used by the Minesweeper game to store a board layout; mbf stands for Minesweeper Board File.

For this challenge, we can use the JavaScript Minesweeper website. Copy the hex and load it into this website to get the flag.
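The same board can be rendered offline. This is an added example, not part of the original write-up: it assumes the layout is one byte of width, one byte of height, a two-byte big-endian mine count, then one (x, y) byte pair per mine, which is consistent with the dump above (0x7d by 0x19, with 0x012e = 302 pairs following the header). The function names and the small sample board are constructed for illustration.

```python
# Added example: parse a Minesweeper Board File (.mbf) hex dump and draw the
# mines as ASCII art. The layout (width, height, 16-bit big-endian mine count,
# then x,y byte pairs) is an assumption that matches the dump in this write-up.


def load_hex(text: str) -> bytes:
    """Turn a space-separated hex dump into raw bytes."""
    return bytes.fromhex(text)  # fromhex() skips whitespace between bytes


def parse_mbf(data: bytes):
    """Return (width, height, set of (x, y) mine positions)."""
    if len(data) < 4:
        raise ValueError("header truncated: need width, height and mine count")
    width, height = data[0], data[1]
    declared = int.from_bytes(data[2:4], "big")
    body = data[4:]
    if len(body) != 2 * declared:
        raise ValueError(
            f"header declares {declared} mines but body holds {len(body) / 2:g} pairs"
        )
    mines = set()
    for i in range(0, len(body), 2):
        x, y = body[i], body[i + 1]
        if x >= width or y >= height:
            raise ValueError(f"mine ({x}, {y}) lies outside the {width}x{height} board")
        mines.add((x, y))
    return width, height, mines


def render(width: int, height: int, mines: set) -> str:
    """Draw the board row by row: '#' for a mine, '.' for an empty cell."""
    rows = []
    for y in range(height):
        rows.append("".join("#" if (x, y) in mines else "." for x in range(width)))
    return "\n".join(rows)


# Constructed sample: a 5x3 board with 4 mines (not the challenge file).
SAMPLE_HEX = "05 03 00 04 00 00 04 00 02 01 00 02"

if __name__ == "__main__":
    print(render(*parse_mbf(load_hex(SAMPLE_HEX))))
```

Pasting the full hex from HarvestBoom.mbf into `SAMPLE_HEX` prints the board on which the mines spell out the flag.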

Boom Flag

You can barely make out the flag in the minesweeper board. It’s written with the mines as the flag.

Flag:

bronco{bo0m!}

Medieval Beats

Target Difficulty: Easy (200 pts)

Medieval Beats

Description

Check out my YouTube video

This was a tedious challenge. The video is an hour long and the flag is hidden in it at random timestamps. I just downloaded the video and used a video player to skip through it to find the flag. But the beat was too catchy and I ended up watching the whole video throughout the CTF.

Flag:

bronco{1n_17_f0r_7h3_10n6_h4ul}

(And variations with 0 substituted with ‘o’.) I think there are other, less boring ways to solve this challenge, but I was too lazy to find them. ffmpeg is one of them.

WarioParty

Target Difficulty: Easy/Medium (250 pts)

WarioParty

Description

Who is the true hero of the Mario Party games you might ask? Look inward and you might find it at the intersection of Mario’s color and the number of brothers.

Challenge Image

The image is very big, both in dimensions and in file size. We can use a tool called StegOnline. It’s a steganography tool that is very versatile and can be used to solve a lot of steganography challenges.

Uploading the image to the tool, we can see all kinds of bit planes and color channels. The challenge description hints that the flag is at the intersection of Mario’s color and the number of brothers. The flag is hidden in the 2nd bit plane of the red color.

We can also confirm it through the tool AperiSolve.

WarioParty ApreiSolve

There is something embedded in the image. We have to extract it to get the flag.

WarioParty Extracted

The extracted data seems to be an image of another puzzle with Wario and Waluigi. Analyzing the image, it seems to be another binary-type puzzle where Wario=0 and Waluigi=1. Converting the binary to ASCII, the flag can be obtained.

WarioParty Wario and Waluigi

WarioParty Flag

Flag:

broncosec{b0ws3r_g0t_th4t_dumpy}

BroncoCTF Crossword

Target Difficulty: Medium (300 Points)

BroncoCTF Crossword

Description

I am really annoyed. I work at Bronco Venture Accelerator and instead of doing work, my boss is just sitting doing a crossword. And drinking lemon juice? WHY! I want to dump it on him and his paper. We need to make MONEY.

Challenge File

This is a simple crossword puzzle. But solving it won’t give you the flag. The flag is hidden in the PDF file. We can see there are some letters that are erased in the crossword. Or could they be painted over?

I used Photopea.

Upon opening the PDF in Photopea, we can see that there is a hidden layer in the PDF. The flag is hidden in the hidden layer. The challenge description hints that the flag is hidden in the lemon juice, which means invisible ink; therefore the text is white over a white background.

Add a dark background below all the layers and zoom in to see the flag. The flag can now be seen with some educated guesses within the context of the name of the layer.

BroncoCTF Crossword Flag

There are other better ways to solve this challenge. But this is the way I did it.

Flag:

bronco{crosswords_do_not_increase_shareholder_value}

Countries Unite!

Target Difficulty: Easy (200 pts)

Description

“yoshie” sent me a peculiar message. What could he possibly be trying to say?

Challenge Image

This is a simple flag encoded using the country codes. We can use an online tool to decode the flag. Country Codes

The first letter of each flag can be used to form the flag, and the arrows in the middle are the curly braces.

Flag:

bronco{diversityequityinclusion}

Serpent Pass

Target Difficulty: Medium/Hard (250 Points)

Serpent Pass

Description

Snakes! Snakes! Snakes! nc serpant.broncoctf.xyz 8000

There are two files given. The Dockerfile is not important if you are not running the challenge locally.

SerpentsServer.py

The server asks 3 questions. The first question is a simple math question, as is evident from the gate code:

def gate1():
    return pow(10 * 9 + 7 - 2, 2)

This is equal to 9025.

The second question is not as straightforward.

def gate2(guess: int) -> bool:
    if guess > 20:
        return False
    binString = '0'
    for _ in range(0, guess):
        binString += '1'
    binary = int(binString, 2)
    return chr(binary) == '?'

Upon checking the logic, the guess has to be 6 for the binary to be 111111, which is equal to 63 in decimal, as the ASCII equivalent of ? is 63. The answer is 6.

The third question is a simple logic question. For the guess to be correct, it has to be 2.

if gate3(guess3) == 1:

Putting it all together in the netcat session yields the flag.

Flag:

bronco{w0w_uR_@_g00d_gu3ss3r}

ACM Borg Members

Target Difficulty: Easy (200 Points)

ACM Borg Members

Description

I am convinced the board members of Santa Clara’s ACM clubs are cyborgs! They are definitely digitally enhanced! ACM Board? More like, ACM-BORG! If only I had a way of proving it.

Although this is a web challenge, no website is given in the challenge; therefore, we have to do a little bit of googling to find the ACM board members of Santa Clara’s ACM club. The ACM board members are listed on the ACM website.

The challenge description hints that the board members are cyborgs, which somehow hints towards robots, a way of hiding things on a website.

After navigating to the https://www.scuacm.org/robots.txt page, the flag is visible in plain sight.

ACM Borg Members Flag

Flag:

bronco{be3p_b0op_@CM_are_cyb0rgs}

All I Do Is

Target Difficulty: Easy/Medium (250 Points)

Description

I LOVE TO ROLE PLAY! for my upcoming convention, i am reliving my glory days of being a minecrafter.

https://diamonds.broncoctf.xyz

https://diamonds.broncoctf.xyz gives a DNS error.

The video given in the challenge is a parody of the song All I Do Is Win by DJ Khaled. The lyrics are changed to All I Do Is Dig, which hints towards the dig command. So I used dig:

dig MX diamonds.broncoctf.xyz
dig TXT diamonds.broncoctf.xyz
dig NS diamonds.broncoctf.xyz

All I Do Is Flag

Flag:

bronco{Finding_diamonds_aint_so_hard_just_dig_baby_dig}

Blue Boy Storage

Target Difficulty: Easy (200 pts)

Description

This blue boy saved something on his home planet but cannot seem to find it. Can you help him?

Note: flag wrapped in broncoctf{}

Challenge website

Looking at the source code of the website, we can see that there is a JS file that we have to analyse.

Challenge lead

In the JS file this code can be found.

function App() {
  const [count, setCount] = useState(0)
  useEffect(() => {
    localStorage.setItem('flag', "broncoctf{ab4_d3_4ba_d1e_1m_blu3}")
  }, [])

Flag:

broncoctf{ab4_d3_4ba_d1e_1m_blu3}

Blue Herring

Target Difficulty: Easy (200 pts)

Description

This page contains the elusive blue herring, however it’s never been seen by the human eye. See if you can catch it and rip it open to find a flag.

Note: wrapped in broncoctf{} rather than bronco{}

This has the same website link as the previous challenge. Looking at the source, we can find an image of a red herring.

Blue Herring

Now, since the challenge is called Blue Herring, we can assume that the flag is hidden in the image. But a red herring is a distraction from the real issue, so the flag is hidden somewhere else. Or is it?

I thought of LSB steganography again. Hence I went ahead and tried zsteg and the flag can be located on Blue 8 LSB.

Blue Herring Flag

However, the flag can also be found through StegOnline if you extract the whole data from the blue planes.

Blue Herring Flag

Flag:

broncoctf{D1s_H3rr1ng_Sh0uld4_B33n_Blue}

Wiki Wiki Wiki

Target Difficulty: Medium (250 Points)

Description

Not much to go off here, but it’s all you need: Wikipedia and 128.125.52.138.

The flag is not in the typical format, but wrap it in bronco{} before submitting. You will know when you find it.

ORIGINAL AUTHOR NOTE

Due to a miscommunication on our part, this challenge was supposed to be inspiration for a similar challenge, but we accidentally published this one instead. Credit to CTFLearn, the original author

Search for the IP address on Wikipedia.

Wikipedia IP

Wikipedia IP Flag

Flag:

bronco{cNi76bV2IVERlh97hP}

Lost Valentine

Target Difficulty: Hard (550 Points)

Description

Valentine’s day came and past, and I am still pretty upset. My girlfriend didn’t show up for dinner at the restaurant she made a reservation at. After about 30 minutes, the waiter came and left me a note in her handwriting: “cupid-is-upset”

What could that mean!!

Searching for the string cupid-is-upset on Google, we can find a GitHub user with the same name. This user has two repositories.

Going to https://github.com/cupid-is-upset, we see flag parts scattered around, such as 5 rg/ji in the description, 12 TnTa_Z in the README, etc. There’s a thought bubble next to the icon with 6, the lost repository with 2 in the workflows, 1 in the issues, 10 and 11 in the wiki, etc.

Here are the flag parts that I was able to find:

1 htt
2 ps:/
3 /puz
5 rg/ji
6 gsa
7 w/pla
8 y?p=
9 -NqoEdz
10 0zSA
11 gBI
12 TnTa_Z

Put together to get https://puzzel.org/jigsaw/play?p=-NqoEdz0zSAgBITnTa_Z

This is a jigsaw puzzle. Jigsaw Puzzle

On solving this Jigsaw Puzzle Solved

Solving this jigsaw manually (since I couldn’t find a method for extracting/solving it) actually had some strategy to it. The pieces snap into place when you place them in the right spot, so all the edges can be handled right away, as well as the heart outline. Then just put all the purple into a pile and go from there. Online QR solvers couldn’t decode it, but my phone could; it gave https://qrcc.me/s8gjjl3yizv8. This link went to a Google Drive with an aup3 file. The page source has the side quest described below, and when clicking on the file and then the three dots for details, we see a hint in the description:

gordan told me its raw :( i hope he doesn't get mono. 44100

The link has an Audacity project file. After this I was stuck and couldn’t solve the challenge.

Side Quest

Target Difficulty: Medium/Hard (375 Points)

Lost Valentine

Description

There is a side-quest hidden midway through the Lost Valentine Challenge. You will know when you find it.

In the description of one of the Google Drive folders for Lost Valentine (which can be seen either in the page source or in the social preview associated with the link), we get the following ciphertext along with a message referring to 1000.

Lost Valentine Side Quest

ъњїіыїѣєїћќчѕѡчєїўэњчъѝќчќїїѓчщчьэќїѝњѥ

This text is Cyrillic, whose Unicode code points are in the 1000s. If we subtract 1000 from each code point, we get the flag.

# Original text
text = "ъњїіыїѣєїћќчѕѡчєїўэњчъѝќчќїїѓчщчьэќїѝњѥ"

# Convert the text into a list of numbers (Unicode code points)
numbers = [ord(char) for char in text]

# Subtract 1000 from each number
modified_numbers = [num - 1000 for num in numbers]

# Filter out any negative values after subtraction to avoid errors when converting back to characters
modified_numbers = [num if num > 0 else 0 for num in modified_numbers]

# Convert the modified numbers back into text
# Note: If any modified number is invalid Unicode code point (e.g., < 0 or > 0x10FFFF), you'll need to handle those cases
# Here, we replace invalid values (0) with the Unicode Replacement Character (U+FFFD)
modified_text = ''.join(chr(num) if 0 < num <= 0x10FFFF else '\uFFFD' for num in modified_numbers)

# Print the original and the modified texts
print("Original text: {}".format(text))
print("Modified text: {}".format(modified_text))

Flag:

bronco{lost_my_lover_but_took_a_detour}

Thank You

Big Brain