BroncoCTF 2024
All solutions in categories roughly sorted from easy to hard.
Beginner
Keyboard Elitist (125 Solves)
Description:
My buddy is bragging about how cool his Framework laptop is and how much faster he can type than me.
When I tried to type a message, it came out as garbage!
A;;apfkgij gj;ukd ar ut ghur war a Qwfpgj efjbyaps yk a Cyifmae uk;lg rchfmf maefr ghur iyye iuef dapbadf. Mj tpufks ur sftukugfij a efjbyaps rkyb, ylg hfpf wugh hur mysliap tpamfwype ia;gy;. Rudh, fughfp waj... hfpf ur ghf tiadO bpykcy{qwfpgj_vr_c0ifm@e}
Solution:
Keyboard Elitist and speed typing makes me immediately think of Colemak (as a fellow speed typer). Converter here: https://colemak.com/Converter
Shrekanana Banana (120 Solves)
Description:
I was given this image of Shrek in a Banana, but I can't help but feel like I am missing something...
Solution:
aperisolve.com, in one of the bit planes.
Stego-Snore-Us (50 Solves)
Description:
I'm not the only one tired after pulling an all-nighter for Hack for Humanity...
Solution:
Same as the previous, but it's encoded:
From pesxas to bronco seems like a mono-alphabetic cipher, use the manual decryption mode with this tool, using the description as a guideline. https://www.dcode.fr/monoalphabetic-substitution
Forensics
Medieval Beats (48 Solves)
Description:
Solution:
This is a 1 hour video with characters of the flag coming up in random frames throughout. First I downloaded the video at the lowest resolution possible with some generic online tool. Then I extracted one frame each second (~3600 total) and deleted all the black frames which were 284 bytes.
Wario Party (29 Solves)
Description:
Who is the true hero of the Mario Party games you might ask? Look inward and you might find it at the intersection of Mario's color and the number of brothers.
Target Difficulty: Easy/Medium
Note: This flag is wrapped in broncosec{}
Solution:
Opening the image in aperisolve, we can see some data encoded in one of the bits.
The data in a bitplane can be extracted with stegsolve.jar, download it to get the following jpg file.
I tried building a script that will use constant offsets to detect if a pixel is yellow or purple but it got off every 3-4 rows, so I ended up just typing it all into cyberchef binary decode. Not proud of it but it doesn't take that long.
Boom (11 Solves)
Description:
With all these talks of arbitration, things are tense here around the office. I feel like people are going to explode at any moment. I gotta watch where I step before I accidentally bring something up and uncover something I didn't want to.
Solution:
A file is attached named HarvestBroom.mbf. I added the newlines where there was an obvious pattern (and left in my notes when I made initial observations).
Boom and Broom, as well as the fact that these seem to be coordinates makes me think of a minesweeper field. If every pair of numbers (ignoring the 4-byte header and the 03 designating a row) is an x/y location, it may be able to print a flag.
The above code prints the map with O/X, and then by optionally searching for X in a text editor to highlight it, we get the flag.
Mystery Sound (9 Solves)
Description:
This transmission supposedly contains a secret flag, but I can't decode it because of some interference. Can you help?
Solution:
Playing the audio in the wav file with Sonic Visualiser, we see a square wave in the spectrogram. I considered screen capturing it and building a program to analyze it programmatically but it wasn't too long so I just turned on the grid, scrolled in until the grid lines lined up roughly with the start/end, and typed the 0/1 into cyberchef. It's slightly off but every byte starts with 0 and it's pretty clear if you make a mistake.
LAN Party (13 Solves)
Description:
Solution:
The attachment is a minecraft source with various files including mca files. Looking at similar CTF challenges, the flag could either be encoded in the files like in a book, or displayed visually in the map. Going for the easier option, I downloaded chunky to see if anything stood out, and saw a red squiggle in the top right of the map. Zooming in with the scale option, we see the flag.
Web
ACM Borg Members (40 Solves)
Description:
I am convinced the board members of Santa Clara's ACM clubs are cyborgs! They are definitely digitally enhanced! ACM Board? More like, ACM-BORG! If only I had a way of proving it.
Target Difficulty: Easy
Solution:
With the mention of robots and a random official website, we eventually try https://www.scuacm.com/robots.txt
Blue Boy Storage (122 Solves)
Description:
This blue boy saved something on his home planet but cannot seem to find it. Can you help him?
Target Difficulty: Easy
Note: flag wrapped in broncoctf{}
https://blue.web.broncoctf.xyz
Solution:
At the website, we see a main page with some text and a video, and a very long javascript file in the developer tools. Searching bronco in the js file, we will get the flag, but the javascript file will also store it into the browser storage tab of the developer tools which is likely the intended solution.
Blue Herring (25 Solves)
Description:
This page contains the elusive blue herring, however it's never been seen by the human eye. See if you can catch it and rip it open to find a flag.
Target Difficulty: Easy/Medium
Note: flag wrapped in broncoctf{}
https://blue.web.broncoctf.xyz
Solution:
In the network tab of developer tools, we can see files that are received, so we can eventually find and download BlueHerring-CPmowcv1.png. Running zsteg with the --all flag gives us the answer.
There's an option to enable zsteg --all on aperisolve before submitting but it still says nothing found for some reason (which is a clear indication that it's not working since this should match many things in a png). It did work at one point but even then it's hard to notice since all the text is white.
All I Do Is (42 Solves)
Description:
I LOVE TO ROLE PLAY! for my upcoming convention, i am reliving my glory days of being a minecrafter.
https://www.youtube.com/watch?v=DLgYt-569jc
https://diamonds.broncoctf.xyz
Target Difficulty: Easy/Medium
Solution:
The link goes to a video called "All I Do Is Dig", hinting we need dig. If we go to the url, we don't find anything because the default DNS server doesn't know how to access diamonds.broncoctf.xyz.
Here's the flow for using dig to find the DNS server that knows about it, getting its IP address, and then getting the TXT info from it.
Edit: somehow I missed it but all that's necessary is dig diamonds.broncoctf.xyz txt
(I thought I would have tried that first though, leaving below in just in case it was necessary for some reason)
Crypto
Preschool Lessons (70 Solves)
Description:
a b c... easy as 1 2 3...
Do you REALLY know your ABCs?
abbaaabacabbbaabacabbabbbbcabbabbbacabbaaabbcabbabbbbcabbbbabbcabbabaabcababbbbbcabbabbabcaabbaaabcabbbaabbcabbbaabbcababbbbbcabbbaaaacabbbaabacaabbaabbcabbbaabbcabbaaabbcabbabaaacabbabbbbcaabbaaaacabbabbaacabbbbbab
Target Difficulty: Easy
Solution:
This looks like binary, with c representing space. Find replace a with 0, b with 1, and c with space to get:
Zodiac Killer (84 Solves)
Description:
The Zodiac Killer is on the loose! I saw this message spray painted on a wall.
Wrap the flag in bronco{}
Target Difficulty: Easy
Solution:
The attached picture shows a Zodiac cipher, solve with this: https://www.dcode.fr/zodiac-killer-cipher
Electrical Engineering (52 Solves)
Description:
I hate electrical engineering
Target Difficulty: Easy
Solution:
We're given a pdf with many 6-band resistors.
The last three bands never change in color so we just have the first 3. The first band is either black (0) or brown (1) so we know we're likely dealing with 3-digit decimal ASCII. Decoding the rest with resistor color codes, we get:
Oh, Danny (13 Solves)
Description:
When using AES in CBC mode, Danny has a habit of leaving messages in his initialization vectors. Can you find his secret message?
Flag Format: Wrap the IV in bronco{ }
Target Difficulty: Medium
Solution:
Here's what AES CBC is:
Conveniently everything's already in 16-byte blocks. We know the input into the 2nd XOR operation since we have pt2/ct2, and then we reverse once more to use pt1 to get IV.
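The backwards walk described above, as an added example that is not the original write-up's code. It assumes the key, every plaintext block and the final ciphertext block are known; to stay standard-library only, a small Feistel cipher stands in for AES (the CBC algebra is the same for any 16-byte block cipher), and the key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher. This is NOT AES.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def recover_iv(key: bytes, plaintext: bytes, last_ct_block: bytes) -> bytes:
    # CBC gives C[i] = E_K(P[i] xor C[i-1]), so C[i-1] = D_K(C[i]) xor P[i].
    # Repeating this from the last block down to P[1] leaves the IV.
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    prev = last_ct_block
    for p in reversed(blocks):
        prev = xor(block_decrypt(key, prev), p)
    return prev

# Constructed sample values (not the challenge's data).
KEY = b"constructed-key!"
IV = b"sample_iv_16byte"
PT = b"first block 16B!second block 16B"

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, PT)
    print(recover_iv(KEY, PT, ct[-BLOCK:]))
```

With real AES, `block_decrypt` becomes a single-block ECB decryption under the known key and the rest is unchanged.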
Birthday Bash (8 Solves)
Description:
22 years ago today, my dearest neighbor gave birth to a child, my best friend. I got an invite to their birthday party, but I cannot understand it for the life of me. I will feel guilty 100 times over if I don't attend their birthday bash! Can you help?
Target Difficulty: Hard
Hint 1: Based.
Hint 2: Think about 100 and 22 together.
Solution:
The attached text file seems like random bytes, not much we can get from it directly so we need to go off of other info. I don't think this is solvable without the hints, but with them, we think of either some base operation followed by something related to 100 and 22, or them combined (base 122). Googling base122, we find the following Github repo which lets us know we're on the right track: https://github.com/kevinAlbs/Base122
Reversing
Serpent's Pass (64 Solves)
Description:
Snakes! Snakes! Snakes!
Target Difficulty: Medium/Hard
nc serpant.broncoctf.xyz 8000
Solution:
The attachment is a python server where three questions are asked and if they are correctly answered, we get the flag. The following courtesy of GPT-4.
Gate 1
Gate 1 requires you to return the result of the expression pow(10 * 9 + 7 - 2, 2). This is a straightforward calculation.
Gate 2
For Gate 2, the function gate2(guess: int) returns True if the binary representation of a number (formed by appending guess number of 1s to a 0) when converted to an integer, corresponds to the ASCII character '?'. We need to find the correct guess that satisfies this condition.
Gate 3
Gate 3 involves the Fibonacci sequence, calculated by the mystery(n: int) function through recursion. The function gate3(guess: int) will return True if the Fibonacci number at position guess is a perfect square. We need to find such a guess.
Let's calculate the inputs for each gate.
The inputs required to pass the three gates in the CTF challenge are as follows:
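An offline reconstruction of the three gates from the description above, added here as an example; it is not the challenge's server code. The function names come from the text, the bodies are assumptions, `mystery` is assumed to use the usual F(0)=0, F(1)=1 indexing, and memoization is added so the search stays fast.

```python
from functools import lru_cache
from math import isqrt

def gate1() -> int:
    # The expression quoted in the Gate 1 description.
    return pow(10 * 9 + 7 - 2, 2)

def gate2(guess: int) -> bool:
    # Assumed body: a "0" followed by `guess` ones, read as binary,
    # must equal the code point of '?'.
    return int("0" + "1" * guess, 2) == ord("?")

@lru_cache(maxsize=None)
def mystery(n: int) -> int:
    # Assumed body: recursive Fibonacci with F(0)=0, F(1)=1.
    return n if n < 2 else mystery(n - 1) + mystery(n - 2)

def gate3(guess: int) -> bool:
    # True when the Fibonacci number at position `guess` is a perfect square.
    f = mystery(guess)
    return isqrt(f) ** 2 == f

def solve(limit: int = 64):
    """Brute-force every gate locally before touching the remote service."""
    g2 = next(g for g in range(1, limit) if gate2(g))
    g3 = [g for g in range(limit) if gate3(g)]
    return gate1(), g2, g3

if __name__ == "__main__":
    print(solve())
```

Under these assumptions the only Gate 3 candidate above the trivial positions 0, 1 and 2 is 12, since F(12) = 144.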
MZ (6 Solves)
Description:
Can you reveal the secrets hidden within this binary?
(Note: this is a Windows executable, but it's been saved with a .BIN extension to avoid antivirus problems. You will need to replace .BIN with .EXE to run it.)
Solution:
Doing some research, MZ (the first two bytes in the file) means it's an executable format where if it's run in DOS, it can have some other behavior. More info: https://en.wikipedia.org/wiki/DOS_MZ_executable
We can use an online DOS emulator to run the binary to see what would happen. https://virtualconsoles.com/online-emulators/dos/ It wouldn't work for me on firefox for some reason, but in Chromium, we get the flag.
OSINT
Wiki Wiki Wiki (118 Solves)
Description:
Not much to go off here, but it's all you need: Wikipedia and 128.125.52.138.
The flag is not in the typical format, but wrap it in bronco{} before submitting. You will know when you find it.
Target Difficulty: Easy/Medium
Solution:
Searching that IP address on Wikipedia, we see a user with a single contribution to the Flag Wiki page. Clicking on "diff", we can see what that was.
Side Quest (15 Solves)
Description:
There is a side-quest hidden midway through the Lost Valentine Challenge. You will know when you find it.
Target Difficulty: Medium/Hard
Solution:
In the description of one of the google drive folders for Lost Valentine (can be seen either in the page source or in the social preview associated with the link), we get the following ciphertext along with some message referring to 1000 that I didn't keep.
My unintended solution was removing the first byte for each character (d1) to make it one byte for each character, then running XOR brute force in cyberchef and noticing the flag is a combination of characters from the c8 and d8 decryptions.
This actually isn't the intended solution, which was supposed to be just using https://www.dcode.fr/unicode-shift-cipher with the default shift of 1000 to get:
Some weird math property is involved in why my solution even worked, and I don't even know how the y became lowercase; maybe there's some magic in here that would make a good CTF challenge.
Lost Valentine (6 Solves)
Description:
Valentine's day came and past, and I am still pretty upset. My girlfriend didn't show up for dinner at the restaurant she made a reservation at. After about 30 minutes, the waiter came and left me a note in her handwriting: "cupid-is-upset"
What could that mean!!
Solution:
This was a long one and I didn't take good notes but here's my best attempt at a writeup. The only thing we have to go off of is "cupid-is-upset", and through a username search https://instantusername.com we find it is taken by github.
Going to https://github.com/cupid-is-upset, we see flag parts scattered around, such as 5 rg/ji in the description, 12 TnTa_Z in the README, etc. There's a thought bubble next to the icon with 6, the lost repository with 2 in the workflows, 1 in the issues, 10 and 11 in the wiki, etc.
Here's all the pieces I found:
I didn't find 3/4 but looking up jigsaw sites, puzzel was the first one. I don't know if that was intended or if I just missed 3/4.
Solving this jigsaw manually (since I couldn't find a method to extracting/solving it) actually had some strategy to it. The pieces snap into place when you place them in the right spot so all edges can be handled right away as well as the heart outline. Then, just put all the purple into a pile and go from there. Online QR solvers couldn't decode it but my phone could which was https://qrcc.me/s8gjjl3yizv8
This link went to a google drive with an aup3 file. The page source has the sidequest described above, and when clicking on the file and then the three dots for details, we see a hint in the description:
The aup3 extension is an audacity project, opening it there and exporting the data as raw (following online instructions) gives the following image.
Looking up the user on namemc.com, we see their profile has an instagram linked.
The instagram has two photos with alt text (viewable in the page source directly on instagram.com which is replaced by some 3rd party instagram viewers) leading to a puzzle where you have to click four related words, below is the solved image:
It says to look at california state parks yelp review check when looking at the categories. In the previous step with the two images, they were location-tagged to Castle De haar and The Rock Hazelwood. Using that as a hint to look up the Castle Rock page specifically, we see the review when sorting by latest. Fun challenge and nudges were provided for each stage at the helpdesk as was advertised in the discord chat.
Misc
Countries Unite (98 Solves)
Description:
"yoshie" sent me a peculiar message. What could he possibly be trying to say?
Target Difficulty: Easy
Solution:
We're given a picture of a bunch of flags. We can see from the first few that the flag is represented by the first letter of the country represented by the flag. I used a generic page to look at the country flags and solved it manually, it may also be more convenient for some to mouse over the emojis when searching for flags in discord.
BroncoCTF Crossword (23 Solves)
Description:
I am really annoyed. I work at Bronco Venture Accelerator and instead of doing work, my boss is just sitting doing a crossword. And drinking lemon juice? WHY! I want to dump it on him and his paper. We need to make MONEY.
Target Difficulty: Medium
Solution:
We're given a pdf file, and when opening it, we can see the solution flash for a second so we know the image is embedded. Running pdfimages on it gives us the extracted image solution but it doesn't seem helpful. I then noticed my ranger preview showed the flag, so the pdf must have had this text below the image or something.
World's Hardest Flag (8 Solves)
Description:
Good luck. Be sure to read the game description.
Note: this does require a Roblox account.
Target Difficulty: Hard
https://www.roblox.com/games/16323057979/Worlds-Hardest-Flag-Early-Access
Solution:
This was a fun one. A Roblox account is necessary but the link leads us to a game where we need to get to checkpoints while avoiding enemies. We have access to a Lua console so we can type in commands to affect the game state. Here are some general commands I worked out.
I'm not sure on the last two since I didn't save the last ones I ended up using, but it's something very close to that if they don't work directly. I tried teleporting initially to the "WinPad" found with the first function but kept falling into a pit so instead just despawned the enemies and walked through the game. At the end I saw there was a block needing 100 coins so I needed to walk back and collect them all, and although there were exactly 100 coins, the door wasn't unlocking. It may have been bugged since I had errors on every room I walked into because of the enemies being gone. In the last room however, I saw the glowing green win pad and was able to stand next to it, walk away and get my location, to then extrapolate what my location would be if I was able to walk to it without the door in the way. Teleporting to that location gave the flag.