# Preliminary Round

Welcome back to my writeup! In this post, I’ll take you step by step through how we approached and solved the challenges from the Trend Micro uCTF preliminaries, held on August 22, 2025. This CTF was intense and fast-paced, giving us only one hour to solve all the challenges, which really tested our problem-solving speed and teamwork. I’ll break down our thought process, the tools we used, and the strategies that helped us tackle each challenge efficiently.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F0lJbVtvyerZgh1QWM1Mf%2Fcute-anime-girl-noela-nya-3jd80r3o05097vdm.gif?alt=media&#x26;token=b3cd4254-a458-4db5-be1a-efab545223c9" alt=""><figcaption></figcaption></figure>

**Attached in the Email**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F2P5vFrlFvfgZuZqaR4H2%2FEASY_Attached%20in%20the%20Email.png?alt=media&#x26;token=237fab05-d30e-4987-9193-0b376312889b" alt=""><figcaption></figcaption></figure>

In this challenge, we are given a Base64-encoded string; all we need to do is decode it.

`echo "<base64_encoded_string>" | base64 -d`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FFmHgld4kKL6R1ojHjdeA%2FScreenshot%20(74).png?alt=media&#x26;token=8be06ec4-97c1-4852-b482-79c5df5f676d" alt=""><figcaption></figcaption></figure>

**Common Password**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F8xroCWSqht6geU1u3XZw%2FEASY_Common%20Password.png?alt=media&#x26;token=f124372b-ba29-4a6d-8c1c-8dd4c96941b3" alt=""><figcaption></figcaption></figure>

In this challenge, we are given a SHA256 hash; all we need to do is crack it using **John** or **Hashcat**. In our case, we will use **John**.

`john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FsT6MP2UNfe05S9q1k23O%2FScreenshot%20(76).png?alt=media&#x26;token=52e6a250-2ef8-404a-8c12-e7d9f7301799" alt=""><figcaption></figcaption></figure>

Flag: **uCTF{2\_iloveyou}**

**Ancient File**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FNumqnRrWmrGSrodKU1lM%2FAncient%20File.png?alt=media&#x26;token=e8e09c22-47b7-405b-bb6b-b0245e9aff0d" alt=""><figcaption></figcaption></figure>

For this challenge, we were given a file resembling a wordlist.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FK5Q4CADHXhvlRButpqB1%2FScreenshot%20(72).png?alt=media&#x26;token=326d46d5-a8fa-4cab-9288-44a86340f3d0" alt=""><figcaption></figcaption></figure>

The description is straightforward, so there’s no need to overthink it—simply use **Ctrl + F** or **grep** to search for the flag format.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FZ16e7yoWEuiBqSZuKVQV%2FScreenshot%20(73).png?alt=media&#x26;token=78d33ab8-df68-40b6-aabd-f561c34447aa" alt=""><figcaption></figcaption></figure>

**Follow the Train**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F4uJeKHD5LihiEGMLzIjF%2FOSINT.png?alt=media&#x26;token=ad23e14a-26e8-429a-91d7-f29c9e574489" alt=""><figcaption></figcaption></figure>

In this challenge, we are given an image.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FGiPtKYWBSlz9CEOvGnBU%2Fbabc862d9ff52117d683365245039351.jpg?alt=media&#x26;token=35a8767c-4f24-4faf-8c99-64fa32d85963" alt=""><figcaption></figcaption></figure>

It's a train. Since this is an OSINT challenge, we need to pay attention to the small details. If you look closely, the red train has the marking **"VIEUX-LYON FOURVIÈRE"**. This is a funicular railway in **Lyon, France**, that goes up to the **Basilica of Notre-Dame de Fourvière** (a very famous pilgrimage site).

Let’s look up the Basilica’s contact info.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FmryogNn3rAqhxJAOSBvf%2FScreenshot%20(117).png?alt=media&#x26;token=d5595c9e-62bf-4d67-8b49-22cfe13aa2ae" alt=""><figcaption></figcaption></figure>

Flag: **uCTF{14\_33478251301}**

**In The Property**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FLl2JOLRity5AnxBTaGcr%2FIn%20The%20Property.png?alt=media&#x26;token=9fb604ba-2bb0-4f56-9ef1-12af8380518c" alt=""><figcaption></figcaption></figure>

In this challenge, we are given a PNG file.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FOkWUkDX7Fe728mfENxnV%2Fbd3688e970d227c7045afde973cbe1e0.png?alt=media&#x26;token=81c0f6bd-350a-4ab2-960a-cff82f60b438" alt=""><figcaption></figcaption></figure>

Just from the title, it’s clear that something is hidden in the metadata. Let’s take a closer look.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FGe9JQquUqtuprEAwjlt5%2FScreenshot%20(77).png?alt=media&#x26;token=2959e9c7-ce4e-494a-949c-f7d2d43c76bd" alt=""><figcaption></figcaption></figure>

**File in a File**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FdqWI6iLsQV8w455USYjt%2FFile%20in%20a%20File.png?alt=media&#x26;token=b23d447f-7f8f-446c-a3ef-c6505ed15f8b" alt=""><figcaption></figcaption></figure>

For this challenge, we’re given a file that’s been compressed multiple times. Here’s the sequence of commands we used to unpack each layer:

1. `lz4 -d file file.out`
2. `zstd -d file.out -o file.next`
3. `unrar x file.next`
4. `unzip file3`
5. `bunzip2 -d file2`
6. `gzip -d file2.gz`
7. `tar -xf file2`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FlqdfLVM2syO0CmzhVwBs%2FScreenshot%20(88).png?alt=media&#x26;token=588cbfe1-303e-4920-bcc6-5b0cb01d29d9" alt=""><figcaption></figcaption></figure>
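To decide which tool each layer needs, you can read its magic bytes instead of guessing. The sketch below is an added example, not part of the original solve: it identifies the seven formats from the list and peels the ones Python's standard library can handle, using a constructed nested sample (the `build_sample` helper, its file names and its payload are made up for the demonstration).

```python
import bz2, gzip, io, tarfile, zipfile

# Magic bytes (offset 0) for the formats named in the steps above.
MAGIC = [(b"\x04\x22\x4d\x18", "lz4"), (b"\x28\xb5\x2f\xfd", "zstd"),
         (b"Rar!\x1a\x07", "rar"), (b"PK\x03\x04", "zip"),
         (b"BZh", "bzip2"), (b"\x1f\x8b", "gzip")]

def identify(blob):
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    # tar has no leading magic; "ustar" sits at offset 257 of the first header
    return "tar" if blob[257:262] == b"ustar" else None

def peel(blob):
    """Strip stdlib-supported layers in memory; return (layers_seen, innermost)."""
    seen = []
    while (kind := identify(blob)) is not None:
        seen.append(kind)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                blob = z.read(z.namelist()[0])
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as t:
                member = next(m for m in t.getmembers() if m.isfile())
                blob = t.extractfile(member).read()
        else:
            break  # lz4, zstd and rar need the external tools from the list
    return seen, blob

def build_sample():
    """Constructed input: flag.txt -> tar -> gzip -> bzip2 -> zip."""
    payload = b"uCTF{constructed_sample}"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(payload)
        t.addfile(info, io.BytesIO(payload))
    layer = bz2.compress(gzip.compress(buf.getvalue()))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("file2", layer)
    return out.getvalue()

if __name__ == "__main__":
    print(peel(build_sample()))
```

Everything is read into memory and nothing is extracted to disk, so member names inside an untrusted archive never become file paths.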

**Hidden in the Bytes**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F1QTPrav06fZuLrnHpCYU%2FHidden%20in%20the%20Bytes.png?alt=media&#x26;token=41f9d359-e590-4315-ab35-670b2d00031b" alt=""><figcaption></figcaption></figure>

In this challenge, we are given a PNG file.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F1ScyaH8ECNkpa1Efrzqj%2F195375ef78976640c01363f300c2833b.png?alt=media&#x26;token=78a1d58b-4919-4346-b433-eaed8c179448" alt=""><figcaption></figcaption></figure>

Once again, the title hints that LSB is at play here, so let’s examine it using **zsteg**.

`zsteg file.png`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FVEk1uMS2CZdkoA2kj6ee%2FScreenshot%20(98).png?alt=media&#x26;token=a58e5fba-b9a0-417d-aefc-fdb999c83876" alt=""><figcaption></figcaption></figure>

**PWSH Guess**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FLAEdVlbdDEHIixxdgXI4%2FPWSH%20Guess.png?alt=media&#x26;token=db84da4a-a8bd-4302-b4e0-f0a09e79edc4" alt=""><figcaption></figcaption></figure>

In this challenge, we are given an obfuscated PowerShell script.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F9tB3rJ4COoCw1Sye3IKT%2FScreenshot%20(100).png?alt=media&#x26;token=0546c47a-4fbf-4b34-8360-298e586245f1" alt=""><figcaption></figcaption></figure>

It consists of a Base64-encoded string. When I decode it, this is the result:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fgofrc8p0KC4GmXDYpscH%2FScreenshot%20(101).png?alt=media&#x26;token=f793d329-2a26-4c52-870e-c63ae31d1470" alt=""><figcaption></figcaption></figure>

Now the flag is obvious here:

```powershell
If ($n -lt (644 % 2)) { Write-Host "$([char]0x75)$([char]0x43)$([char]0x54)$([char]0x46)$([char]0x7B)$([char]0x31)$([char]0x31)$([char]0x5F)$([char]0x56)$([char]0x47)$([char]0x68)$([char]0x70)$([char]0x63)$([char]0x30)$([char]0x6C)$([char]0x7A)$([char]0x51)$([char]0x55)$([char]0x5A)$([char]0x68)$([char]0x61)$([char]0x32)$([char]0x56)$([char]0x47)$([char]0x62)$([char]0x47)$([char]0x46)$([char]0x6E)$([char]0x7D)" }
```

This PowerShell snippet constructs a string (the flag) by converting a sequence of hexadecimal ASCII codes into characters using `$([char]0xXX)`. Each `$([char]0xXX)` represents one character in the flag, and `Write-Host` prints them all together. The `if` condition `$n -lt (644 % 2)` evaluates whether `$n` is less than the remainder of 644 divided by 2 (which is 0), so the block only executes if `$n < 0`—meaning it’s mostly used as a “hidden” or conditional print. In Python, this can be decoded by taking the list of hex codes, converting each to its corresponding character using `chr()`, and joining them into a string, effectively reconstructing the exact flag the PowerShell code would display.

```python
hex_values = [
    0x75, 0x43, 0x54, 0x46, 0x7B, 0x31, 0x31, 0x5F, 0x56, 0x47, 0x68,
    0x70, 0x63, 0x30, 0x6C, 0x7A, 0x51, 0x55, 0x5A, 0x68, 0x61, 0x32,
    0x56, 0x47, 0x62, 0x47, 0x46, 0x6E, 0x7D
]

flag = ''.join(chr(h) for h in hex_values)
print(flag)
```

Here's the output:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FlC6V9R3hSz1vZ3BFKdUj%2FScreenshot%20(102).png?alt=media&#x26;token=e3fd2dd3-1691-4430-8f55-5703911f8db7" alt=""><figcaption></figcaption></figure>

**Double Blind**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F7oHgpRocNn8RftxM1XN9%2FMEDIUM_Double%20Blind.png?alt=media&#x26;token=ae0c6366-0d6f-41ba-92f0-a77979191c6d" alt=""><figcaption></figcaption></figure>

In this challenge, we are provided with an encrypted string.

`a2hhaGloemxuaHN2eWwuanZ0`

As mentioned in the challenge, it's **encrypted + encoded.** The initial string looks like Base64, so let's try decoding it.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fj0UziiN4WoPNrFAIePhP%2FScreenshot%20(119).png?alt=media&#x26;token=9f4d3a7c-4935-44b8-9b0b-a5f9ae5ccdd5" alt=""><figcaption></figcaption></figure>

Looks like ROT13, let's check

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FKKYypC2tF1c6PRD7tuIR%2FScreenshot%20(120).png?alt=media&#x26;token=3f2bc7df-9496-4eda-b6a4-3219ce177995" alt=""><figcaption></figcaption></figure>

There it is: that's the DNS name. Now we encode it to Base64 and use that as the flag.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FTtk5OlVF9JCA60SyR422%2FScreenshot%20(121).png?alt=media&#x26;token=aa0bded1-9aca-4bb2-aa6b-0fb653f6005f" alt=""><figcaption></figcaption></figure>

Flag: **uCTF{3\_ZGF0YWJhc2VnYWxvcmUuY29t}**
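The same two layers can be peeled in a few lines of Python. This is an added example, not part of the original solve: it Base64-decodes the string, tries all 26 letter rotations rather than assuming 13, and keeps the results that look like a domain (the `TLDS` filter and the function names are assumptions made for the demonstration). For this ciphertext the rotation that produces the domain in the flag is 7.

```python
import base64
import string

CIPHERTEXT = "a2hhaGloemxuaHN2eWwuanZ0"   # string given in the challenge
TLDS = (".com", ".net", ".org")            # assumption: the answer is a domain

def rot(text, shift):
    """Rotate lowercase letters back by `shift`; leave other characters alone."""
    low = string.ascii_lowercase
    return text.translate(str.maketrans(low, low[-shift:] + low[:-shift]))

def solve(ciphertext):
    """Return the Base64-decoded layer and every (shift, text) that looks like a domain."""
    layer1 = base64.b64decode(ciphertext).decode("ascii")
    hits = [(s, rot(layer1, s)) for s in range(26)
            if rot(layer1, s).endswith(TLDS)]
    return layer1, hits

def to_flag(domain, number=3):
    # Flag format as it appears in this writeup: uCTF{<n>_<Base64 of the answer>}
    encoded = base64.b64encode(domain.encode()).decode()
    return "uCTF{%d_%s}" % (number, encoded)

if __name__ == "__main__":
    layer1, hits = solve(CIPHERTEXT)
    print("after Base64:", layer1)
    for shift, text in hits:
        print("shift %d -> %s -> %s" % (shift, text, to_flag(text)))
```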

**Need The Debugger**

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FYez1vgeDF6QW1IQiTHkj%2FNeed%20The%20Debugger.png?alt=media&#x26;token=984e14dd-52b4-4e51-8e23-873929281ffe" alt=""><figcaption></figcaption></figure>

For this challenge, we are provided with a binary file. The title hints that a debugger will be required, but before using one, let's first analyze the file in **Ghidra**.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FiawTKUKQowAXN2Jgxwr4%2FScreenshot%20(108).png?alt=media&#x26;token=8884f299-8ad5-4f7d-8107-56900439f30b" alt=""><figcaption></figcaption></figure>

This is the main function. Now let's check the `do_guess` function.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F68yplwDq7l6Lvs0hxWI2%2FScreenshot%20(109).png?alt=media&#x26;token=a5d5dc5d-efcb-4826-9bf5-1dd2d588bb0e" alt=""><figcaption></figcaption></figure>

See the juicy part here?

```c
if (numberofguess == 1) {
    builtin_memcpy(pp,"_i~lQ\x13uank\tlekkL|II^\x1bD\x12W",0x19);
    sVar4 = strlen((char *)pp);
    memfrob(pp,(long)(int)sVar4);
    puts((char *)pp);
}
```

This code snippet executes when the player correctly guesses the number on their very first attempt. It first copies an obfuscated string into the buffer `pp` using `builtin_memcpy`. The length of the string is calculated with `strlen`, and then `memfrob` is applied to the buffer, which is a simple reversible XOR-based transformation used to obscure data. Finally, the transformed string is printed with `puts`, effectively revealing a hidden message or flag that is only accessible if the player guesses the number correctly on their first try.

What is `memfrob`?

* `memfrob()` is a glibc function that **XORs each byte with 42 (`0x2A`)**.
* So the hidden string is simply the above bytes **XOR’d with 0x2A**.

That means the **flag is `_i~lQ...` XOR 0x2A**.

```python
data = b"_i~lQ\x13uank\tlekkL|II^\x1bD\x12W"
decoded = bytes([b ^ 0x2A for b in data])
print(decoded.decode(errors="ignore"))
```

Here's the output:

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fsku41v1rv3qyFGDJ934p%2FScreenshot%20(112).png?alt=media&#x26;token=2969d34b-9301-41c1-a235-9d5feea4ec09" alt=""><figcaption></figcaption></figure>

That’s a fantastic milestone!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FFBH0gQIrkDL62J65XLjv%2F535021698_749191964584529_788351706980913778_n.png?alt=media&#x26;token=70d21d86-6965-4e18-8e55-9337715ddb7e" alt=""><figcaption></figcaption></figure>

Out of 199 competing teams, we proudly secured 2nd place, demonstrating our skills and teamwork. Now, with the finals ahead, we’re more motivated than ever to push our limits, sharpen our strategies, and aim for the top spot. This achievement not only reflects our hard work but also sets the stage for an even greater challenge in the upcoming competition.
