# SEEN CTF 2025—Writeup Welcome back to another writeup! 🚩 This time, I’ll be walking you through a detailed, step-by-step breakdown of how we tackled and solved the challenges from **SEEN CTF 2025**. In this writeup, I’ll not only share the exact methods and techniques we used, but also provide insights, thought processes, and alternative approaches that might help you in future competitions. Whether you’re a beginner looking to learn or a seasoned player comparing strategies, I hope this guide gives you both knowledge and inspiration for your own CTF journey!

**AUDITION** Challenge Name #1: **first\_task** In the challenge description, the term **`leash_protocol`** is emphasized, and within the provided game materials, there’s also a file with the same name. Opening this file in a text editor like Notepad shows that it’s technically readable, but the content appears messy and difficult to interpret. A practical approach here is to adjust or correct the file’s encoding to make the text more understandable. Here's a Python script to automate this. ```python import chardet input_file = "leash_protocol" # Detect encoding with open(input_file, "rb") as f: raw = f.read() enc = chardet.detect(raw)["encoding"] # Read and print with open(input_file, "r", encoding=enc, errors="ignore") as f: text = f.read() print(text) ``` Run the script and use grep for filtering. `python3 utf-8_encoder.py | grep "SEEN"` And here's the result

Challenge Name #2: **corp\_portal** In the challenge description, we’re provided with a link to a login page. At first glance, it looks like a standard login form, but let’s take a closer look by inspecting it to understand what’s happening behind the scenes.

While examining the source code, we notice that the credentials are hardcoded, and the password is written in a flag-like format. However, the expected flag format should be **`SEEN{}`**. To make sense of this, let’s attempt to decode it using common ciphers, such as the Caesar cipher.

Challenge Name #3: **unsecured** The challenge description indicates that our goal is to obtain some form of **Clearance**. Looking at the source code, we can see that after a successful login, the page redirects to **dashboard.html**. Interestingly, we can bypass the login entirely and access **dashboard.html** directly by simply modifying the URL.

This is the **dashboard.html**, now let's take a look at the source code of this.

At the end, you’ll notice that the dashboard links to another HTML page called **file.html**. Let’s take a closer look at it.

This is **file.html**, and as mentioned earlier, we need to find some kind of clearance. Here, we can see a file that matches the description—the **Clearance Documentation**. Let’s take a closer look.

You can use **Ctrl + F** for this but the flag is already obvious hehe. Challenge Name #4: **company\_memo** The challenge states that we need to locate a file named **quarterlybudgets.pdf** and inspect it. This one is straightforward—if we examine the list on **file.html**, we can see **Quarterly Budgets 2025**. Let’s go ahead and check it.

There's nothing useful at the contents of this PDF File, now let's check the metadata. Here's the result

Challenge Name #5: **logging** The challenge description mentions that there’s a log file in the same directory, but it’s not listed on **files.html**. So how can we locate it? One way is to enumerate the directory using Gobuster to find all files with the **`.log`** extension. `gobuster dir -u https://zdvlg8fx0mugwaof.apollodon.tech -w wordlist.txt -t 50 -x log -k` Here's the result

There it is, now let's check the `access.log` .

Challenge Name #6: **the\_name** For this challenge, we’re provided with a link to a login page, which is indicated to be vulnerable to **SQL injection (SQLi)**. Let’s take a closer look.

This is the login page, now let's do the classic 1=1 payload. `' OR '1'='1` And it works!!!! We're in!

Just do the same payload again xD..

Challenge Name #7: **getaway** In this challenge, the **corporate logo** is referenced, and we can find it listed on **file.html**. Let’s go ahead and take a closer look.

And in the file.html, the title of this has this word inside a parenthesis "(High-Res)" So I wonder, what if we increase the resolution of this image.. We use Aperi'solve for this, and this is the result.

**AXIOM CORP** Challenge Name #8: **thorne's website** In this challenge, we are presented with a webpage that requires a password. It’s specified that the verification happens entirely on the **client side**, which means tools like BurpSuite or ZAP won’t be effective. The flag is embedded in the frontend itself. Let’s take a closer look.

This is the webpage, now let's check the source code.

As you can see, this project is using **Next.js**. Let’s take a closer look at it.

I noticed a **Base64** encoded string here, now let's decode it. (**VGgwcm4zX1MzY3VyM19QQHN3**)

Now let's enter this as a password.

It works, but something is blocking us to get the flag, so let's check the source code again. ```javascript try { let s = await fetch("/api/".concat(btoa("notes")), { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ password: e }) }); ``` This line of JavaScript is making a **POST request** to an API endpoint. It first encodes the string `"notes"` in Base64 using `btoa()` and appends it to `"/api/"`. Then it sends a JSON payload containing a `password` field with the value `e`. Now let's navigate to `/api/notes` using curl. `curl -X POST https://huilaumycqq3yrno154j36g65cf2fwm0.apollodon.tech/api/notes -H "Content-Type: application/json" -d '{"password": "Th0rn3_S3cur3_P@sw"}' | grep "SEEN"`

Challenge Name #9: **network\_sniff** We were provided with a pcap file named **traffic.pcap**. Before opening it in Wireshark, I ran `strings` combined with `grep` on the file, hoping to filter out and reveal the flag directly. `strings traffic.pcap | grep "SEEN"`

Challenge Name #10: **the\_truth** In this challenge, we’re given a zip file, and it’s noted that the password (or ciphertext) is encrypted using a **Vigenère cipher**. `vfffrqbumef` In the challenge number 8, the key is mentioned as `cybernaut` so I decode and the plaintext is `thebadbatch` , but the problem is when I enter the bad batch, the plaintext is not the correct password.... So I entered the ciphertext instead as the password and it works. Weird.

Challenge Name #11: **daemon** In this challenge, we’re given an executable file. Most people would immediately open it in **Ghidra** or try running the program. But in CTFs, it’s important not to overthink—challenges are often simpler than they seem. In this case, you can use the same `strings` and `grep` approach we applied to the pcap file earlier. Yes, it’s really that simple.

**THE STELLAR SOVEREIGNTY** Challenge Name #12: **loyalist** In this challenge, we’re again provided with a **.pcap** file, and as usual, using `strings` combined with `grep` proves to be the most effective approach.

Challenge Name #13: **gateway** In this challenge, we are given a link for a webpage but CLI style, and it was asking for username and password and I enter the credentials we've got from loyalist.

The core logic is this ```javascript function checkCookieStatus() { const cookies = document.cookie.split(";"); let bypassCookie = false; for (let i = 0; i < cookies.length; i++) { const cookie = cookies[i].trim().split("="); if (cookie[0] === "bypass" && cookie[1] === "true") { bypassCookie = true; break; } } ``` We will just use a bypass payload for this. `document.cookie = "bypass=true";` Just enter that to the console and refresh the page.

Challenge Name #14: **prime\_bug** Here we are given a ciphertext

The main issue is that we have the values of p, q, and the private key, but we don’t yet have the decrypted number sequence. However, if we encrypt the correct decrypted sequence, it produces the same ciphertext. Looking back at the description, the word “sovereignty” catches our attention, and it turns out that the ciphertext corresponds to 11 characters — which is actually the decrypted text.

Challenge Name #15: **stellar\_redemption**

The description mentioned that we needed to find some kind of kill switch or key. After carefully analyzing every detail, the URL “S33N2025” stood out. When we submitted this as the final flag, it worked perfectly! Final Flag: **SEEN{S33N2025}** I am proud to share that our efforts paid off — we secured **Top 1** and emerged as the **champions of SEEN CTF 2025**. This achievement would not have been possible without the exceptional dedication, skill, and support of my fellow members: **Brylle (ka1ro), Alisha (isha), Arvin (y3y), Matt (emoa),** and every single player who contributed, collaborated, and challenged us along the way. Your expertise, encouragement, and energy were invaluable in making this victory possible.

This competition was not just about ranking or accolades — it was about pushing the boundaries of our knowledge, sharpening our skills, and embracing the spirit of cybersecurity and ethical hacking. To all the participants, thank you for making SEEN CTF 2025 a truly unforgettable experience. Every challenge solved and every obstacle overcome has left a lasting impression, and I am inspired to continue striving for excellence in future competitions.