CIT CTF 2025—WriteUp

Today, I'll be sharing the challenges I managed to solve during the CIT CTF 2025! Keep in mind, I only got around to solving 3 challenges due to being swamped with midterm exams during the event—haha, time really flew by! But even with the limited time, it was still a great experience, and I can’t wait to dive into more challenges when I have the chance! Let's dive!

Ask Nicely — Reverse Engineering

Description: I made this program, you just have to ask really nicely for the flag!

In this challenge, we are given a binary file called asknicely. Let's try to execute it!

It seems like the challenge is testing how badly I want the flag. I entered an input, and it prompted me again with "Ask nicely..." So, I added the word "Please," hoping it would trigger a different response or change how the code behaves, but nothing worked.

So, I launched Ghidra to take a closer look at what’s happening behind the scenes.

Written in C++ -,-

The solution is clear, right? The key to this challenge is the exact input string the program expects. The program is not complex at all; it’s simply a string comparison that checks whether the second input from the user matches a hardcoded string. Here’s the key part:

bVar1 = std::operator==(local_68, "pretty pretty pretty pretty pretty please with sprinkles and a cherry on top");

The program performs an equality check on the input and compares it to the string:

"pretty pretty pretty pretty pretty please with sprinkles and a cherry on top"

If the input matches, the program executes the block of code that calls give_flag(), which likely reveals the flag.

When the program presents the second prompt, "Ask Nicely...", all we need to do is provide the exact string it expects in order to trigger the give_flag() function, which will likely reveal the flag.

And it works!!

The Domain Always Resolves Twice — OSINT

Description: What is Anthony McConnolly's favorite domain registrar?

Honestly, this is probably the simplest challenge I've ever encountered, XD.

What are the popular domain registrars? I'll list them for you.

  • GoDaddy

  • Namecheap

  • Google Domains

  • Bluehost

  • HostGator

  • 1&1 IONOS

  • DreamHost

  • Domain.com

  • Hover

  • Gandi

  • Dynadot

  • Namesilo

  • Tucows

  • OVH

  • Alibaba Cloud

  • Porkbun

  • Enom

  • Register.com

  • EuroDNS

  • Cloudflare Registrar

Since the challenge asks for Anthony McConnolly's favorite domain registrar, all we need to do is try each of these, and luckily, GoDaddy is the correct flag!

CIT{godaddy}

Select all squares that contain uhh... — Misc

Description: These captchas seem to get more difficult day by day...

In this challenge, we are provided with a link, and the following is the content.

All I did was follow the steps (a bit malicious), and when I checked the "I'm not a robot" box, an obfuscated command was copied to my clipboard.

sEt-varIabLE IqBofD (  "  ) )43]rAhC[,)18]rAhC[+77]rAhC[+28]rAhC[(eCaLpeRc-93]rAhC[,'ukz'eCaLpeRc- 63]rAhC[,'akF'eCaLpeRc-)') uk'+'zukz'+'NIoJ-]) hTGNEl.jQZakF ( -.. 1 -'+'[jQZakF ()ukzxukz+'+']03[EmoHsPakF+]4[eMohspakF (. ; )  QMR iex( (ukz & ( r'+'A9SHeLLiD'+'[1]+rA9sheLLId[13]+IiDXIiD)( (u'+'kz+ukz((lbH{15}{11}{10}{1}ukz+ukz{22}{35}{24}{21ukz+'+'ukz}{4}{34}{8}{9}{16}{27}{5}{38}{33}{23}{14}{20}{6}{26}{13}{17}{7}{28}{ukz+ukz37}{31}{29}{2}{32}{ukz+ukz1'+'2ukz+ukz}{36}{0}ukz+ukz{19}{3}{18}{25}{30}lbH-fIiDriDmoIiD,IiD3]RahC[,yzpC1HyzpeCAlp'+'eukz+ukzr-93]Rah'+'C[,IiD,IiD]diug[(yzIiD,IiD((( )yzpxyzp+]43[EMohSPA'+'ROIiD,IiDhC[IiD,IiDzpos si gayzp+yzIiD,IiDukz+ukzyzpnlQsnyzp+yz'+'plyzp+yzpQukz+ukzsyzp+yzpPyzp+yzp81 tsoH-eukz+ukztiyzp+yzprW ;Pyzp+yzp81yzp+yukz+ukzzp}yryzp+yzpr0wukz+ukz_tn'+'0d_3r4yzp+'+'yzpwl4m_t'+'n1yzp+yzpa_s1htIiD,IiDyyzukz+ukzp+yzpr'+'otceriD'+' eyzp+yzppy'+'Tmyzukz+u'+'kzp+yzpetyzp'+'+'+'yzpI- riDyzp+yzpIiD,IiD[(eCAlper-)yzpukz+ukzP81!ti ukz+ukzd'+'IiD,IiDyzp+yzpnifyzp+yzukz+ukzp ogyzIiD,IiD )6I'+'iD,Iiukz+ukz'+'DIABLE '+'n7A1u (ask )IiD,IiDzp+yzpaPdlihC- yzp+ukz+ukzyzpPMET:vneIiDukz+ukz,IiDP81ukz+ukztyzp+yzpxt.galfP8yzp+yzp1 yzp+yzphtyzp+yzpaPdlihukz+ukzC- r'+'i'+'Dmodnay'+'zp+yzprC1H htaP- yzp+yzp'+'hukz+ukztayzp+ukz+ukzyzpP-nioJ( h'+'taP- tnyzp+yzpetnoC-tyzp+yzukz+ukzpeS yzp+yzp;'+'lyzp+yzpluyzp+yzpNIiD,I'+'iD llehSrewoIiD,IiDSeT-vARIiD,IiDp+yzp os metsys ruo'+'y no eryzp+IiD,Ii'+'D-tuO vyzp+yzpVQ yzp+uk'+'z+ukzyzpIiD,IiD+]4[EMOhspu'+'kz+uk'+'zARO ( . ask ) ; -join ( VAriAblEI'+'iD,IiDyzp+yzpdnarC1'+'yzp+yzpHyukz+ukzzpIiD,IiDyzp+yzpP moyukz+ukzzp+yzpdnar nyzp+yzpur yzp+yzpttyzp+yz'+'pNHnodukz+ukz yzp+'+'yzpyletinifeDyzp+IiD,IiD]RahC[,)811]u'+'kz+ukzRahC[+68]R'+'ahC[+18'+']RahC['+'( eCAlper-43]RahC[,'+'yzpP81yzp  eCAlPeR'+'ukz+ukzc-69]'+'R'+'aIiD,IiD)611]Raukz+ukzhC[+87]IiD,IiDzp+yzp uoyIiD,IiDhC['+'+27]'+'RahC[(eCAlPeRc- ukz+ukz ukz+ukz421IiD,ukz+ukzIi'+'D  N'+'7a1U -vaLUEo  )[ -1.ukz+ukz. 
-( ( VAr'+'iAblE  N7a1U IiD,IiD{TIC'+'P8yzp+yukz+u'+'kzzp1'+' eulaV-yzukz+ukzp+yzp )IiD,IiDyzpehweukz+ukzmyzp'+'+yIiD,IiDmodnayzp+yzp'+'ryzp+yzpCyzp+yzp1H hyzp+yzptaP-yzp+yzp myzukz+ukzp+yzpe'+'tI-yzp+'+'yzpweN ;))(gnyzp+yukz+ukzzpirtSoT.)('+'diuukz+ukzGwyzp+yzIiD,IiD:ukz+ukzyzp+yzukz+ukzpIiD,IiD-vaLUEo  ).LEngtH )]olTiexIiD,IiDN:IiD,Iiukz+ukzDp'+'+yzp h'+'tyIuk'+'z+ukziD,ukz+ukzIiDno dnifyukz+ukzIiD,IiD,)801]RahC[+18]RahC[+511]RahCIiD,Iukz+u'+'kziDRaIiD,IiDC1H htaP- htaP-nioyzp+yzpJ = Iukz+ukziD,IiDpeukz+ukzIiD,IiDpukz+ukzlf eht ,syawyyzp+yzpnukz+ukza tu'+'B yzp+yzp.yzp+yzp.tenretni eht IiD)) -REplAceIiDolTIiD,['+'CHaR]124  -REplAceIiDyzpIiD,[CHaR]39  -CREplaCE IiDAROIi'+'D,[ukz+ukzCHaR]36-CREplaCE ([CHaR]97+[CHaR]115+[CH'+'aR]107),[CHaR]3'+'4) '+')ukz).rePLACE(([cHar]73+[cHar]105+[cHar]68),[StRiNg][cHar]39).rePL'+'ACE(([cHar]114+[cHar]65+[cHar]57),[StRiNg]'+'[cHar]36).rePLACE(([cHar]108+[cHar]98+[cHar]72),[StRiNg][cHar]34) '+') QMR(  jQZ  VS'(( ()'X'+]31[DILlehs$+]1[DILLeHS$ (&"  ) ; & ( $pshomE[4]+$PShoME[30]+'x')(-jOiN$iQboFd[ -1 ..-( $iQboFd.lenGTH ) ] )

All I did was paste this into my PowerShell and run it, following the instructions.

As you can see, there's a message at the bottom.

Definitely don't run random PowerShell you find on the internet.. But anyways, the flag is somewhere on your system so go find it!

Since it mentioned that the flag is placed somewhere in our system, let's analyze our system thoroughly. (It's a prank!!) We don't need to do that. We're hackers, so we need to find more convenient ways. Let's analyze the command.

Here's the Step-by-Step Solution

Step 1: Understanding the Script’s Structure

The script is a mess of obfuscation techniques:

  • Variable obfuscation: Variables like IqBofD, N7a1U, and others are assigned strings or values that are manipulated later.

  • String manipulation: The script uses Join, Replace, and array indexing to construct strings dynamically.

  • Character encoding: It references [CHaR] with numeric values (e.g., [CHaR]124) to represent ASCII characters.

  • Environment variables: References to $pshomE and environment variables like TEMP or Path suggest file system interaction.

  • Execution tricks: Commands like iex (Invoke-Expression) and & (call operator) indicate dynamic code execution.

Step 2: Deobfuscating Key Parts

Let’s break down the script by focusing on the most promising sections that might reveal the flag’s location or content.

Initial Variable Assignment

The script starts with:

sEt-varIabLE IqBofD ( " ) )43]rAhC[,..."

This assigns a long string to the variable IqBofD. The string contains references like ]rAhC[ (which is [CHaR] reversed, a common obfuscation trick) and character indices (e.g., 43]rAhC[). These are likely ASCII codes for characters. For example:

  • [CHaR]43 is +.

  • [CHaR]18 is a control character (not printable, possibly used for obfuscation).

  • The string also includes literals like ukz, yzp, and IiD, which act as separators or markers.

The string is manipulated later with Join, Replace, and indexing, so IqBofD likely holds the core logic or data for the flag.

String Replacements

The script performs multiple .Replace operations:

.rePLACE(([cHar]73+[cHar]105+[cHar]68),[StRiNg][cHar]39)

Let’s decode the character combinations:

  • [cHar]73 = I, [cHar]105 = i, [cHar]68 = D, so IiD is replaced with [cHar]39 (a single quote ').

  • [cHar]114 = r, [cHar]65 = A, [cHar]57 = 9, so rA9 is replaced with [cHar]36 (a dollar sign $).

  • [cHar]108 = l, [cHar]98 = b, [cHar]72 = H, so lbH is replaced with [cHar]34 (a double quote ").

  • [cHar]97 = a, [cHar]115 = s, [cHar]107 = k, so ask is replaced with [cHar]34 (also ").

These replacements transform the obfuscated string into executable PowerShell code or a meaningful string (e.g., a file path or flag).

File System Interaction

The script mentions:

htaP-nioJ( htaP- tnetnoC-ty...

This is obfuscated, but it resembles:

Join-Path -Path $Content...

It also references PMET:vne (which is env:TEMP reversed) and xt.galfP81, which, when deobfuscated, might be P81flag.txt. This strongly suggests the script writes the flag to a file named something like P81flag.txt in the TEMP directory ($env:TEMP).

Random String Generation

The script includes:

modnayrC1H

This likely translates to C1Hrandom (reversed and mixed with separators). It might generate a random string for the flag or file name.

Final Execution

The script ends with:

& ( $pshomE[4]+$PShoME[30]+'x')(-jOiN$iQboFd[ -1 ..-( $iQboFd.lenGTH ) ])

  • $pshomE is the PowerShell home directory (~\Documents\WindowsPowerShell or similar).

  • $pshomE[4]+$PShoME[30]+'x' likely forms iex (Invoke-Expression):

    • $pshomE[4] might be i (from WindowsPowerShell).

    • $pshomE[30] might be e (depending on the string index).

    • + 'x' gives iex.

  • (-jOiN$iQboFd[ -1 ..-( $iQboFd.lenGTH ) ]) reverses the string stored in $iQboFd and joins it.

  • & (iex) executes the resulting string as PowerShell code.

This means the deobfuscated $iQboFd string is the key to the flag.
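The layers described in Step 2 can be peeled as plain text, so the string is never handed to Invoke-Expression. The following Python sketch is an added example, not part of the original write-up or the challenge: the PSHOME value (the default Windows PowerShell install path) and the ENCODED sample are assumptions constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed inputs (assumptions, not taken from a live system):
# PSHOME is the default Windows PowerShell install path; ENCODED is a harmless
# stand-in for the reversed, marker-encoded string, not the challenge payload.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"
ENCODED = "rA9dir = Join-Path rA9env:TEMP IiDexampleIiD"[::-1]
# Replace chain from the end of the page's command, with the '+' string splits joined.
CHAIN = (".rePLACE(([cHar]73+[cHar]105+[cHar]68),[StRiNg][cHar]39)"
         ".rePLACE(([cHar]114+[cHar]65+[cHar]57),[StRiNg][cHar]36)"
         ".rePLACE(([cHar]108+[cHar]98+[cHar]72),[StRiNg][cHar]34)")

CHAR_TOKEN = re.compile(r"\[char\](\d+)", re.IGNORECASE)
REPLACE_CALL = re.compile(
    r"\.replace\(\(([^()]+)\),\[string\]\[char\](\d+)\)", re.IGNORECASE)
LAUNCHER_PART = re.compile(r"\$pshome\[(\d+)\]|'([^']*)'", re.IGNORECASE)

def decode_chars(expr):
    """Turn '[cHar]73+[cHar]105+[cHar]68' into 'IiD'."""
    return "".join(chr(int(n)) for n in CHAR_TOKEN.findall(expr))

def replacement_table(script):
    """Return (marker, replacement) pairs in the order the script applies them."""
    return [(decode_chars(m.group(1)), chr(int(m.group(2))))
            for m in REPLACE_CALL.finditer(script)]

def peel(payload, table, reverse=False):
    """Undo one layer as text only: optional reversal, then marker replacement."""
    text = payload[::-1] if reverse else payload
    for marker, repl in table:
        text = text.replace(marker, repl)
    return text

def launcher_name(pshome, expr):
    """Resolve an expression like $pshome[4]+$pshome[30]+'x' to the name it spells."""
    out = ""
    for idx, literal in LAUNCHER_PART.findall(expr):
        out += pshome[int(idx)] if idx else literal
    return out

if __name__ == "__main__":
    table = replacement_table(CHAIN)
    print(table)
    print(peel(ENCODED, table, reverse=True))
    print(launcher_name(PSHOME, "$pshomE[4]+$PShoME[30]+'x'"))
```

Each peeled layer can be fed back through the same functions until no replace chain or launcher expression remains, which keeps the analysis static from start to finish.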

Step 3: Hypothesizing the Flag’s Location

Based on our analysis:

  • The script likely constructs a file path using Join-Path and $env:TEMP.

  • It may write to a file named P81flag.txt or similar (since xt.galfP81 suggests P81flag.txt reversed).

  • The flag itself might be embedded in $iQboFd after deobfuscation or generated dynamically.

Since the clue says “the flag is somewhere on your system,” the most likely location is:

$env:TEMP\P81flag.txt

This translates to:

  • Windows: C:\Users\<Username>\AppData\Local\Temp\P81flag.txt

  • PowerShell: $env:TEMP\P81flag.txt

Now let's check:

cd $env:TEMP

Initially, I couldn't find the file I was looking for, but I did come across a UUID folder that was created on the exact date I solved the challenge. When I checked the folder, the flag was present!!

Print it, and it should give us the flag!

That's it! I sincerely apologize for the few solutions I’ve posted, but I hope you can understand – midterms have been really stressful. However, once I'm done and have some free time, I’ll be sure to upload a lot more! Thanks for your patience and understanding. Adios!!
