This is my first post on my IT-related account, and I didn't expect it would be a writeup about a CTF that I joined with my team at FetchOrbisX. I should preface this by saying that while I graduated with a Cyber Security degree, my strongest suit is IT helpdesk troubleshooting, so I don't tend to solve Rev, BinEx, or Crypto challenges. My approach probably looks different from that of CTF veterans; hopefully that provides a different perspective on how I solve the challenges.
Challenge Writeups
- [Forensic] I Cant Manipulate People
- [Misc] Invisible Ink
- [Forensic] Unwanted Meow
- [Misc] Christmas GIFt
- [OSINT] 迅帝
[Forensic] I Cant Manipulate People
Difficulty: Easy
Likely the easiest challenge in the CTF: it provided a .pcap file, which contains recorded network traffic and is commonly viewed with Wireshark. Opening the file in Wireshark, I saw a lot of ping requests, but crucially, the last byte of every ICMP echo request contains one character of the flag. All I needed to do was collect the last byte of each ICMP request packet and assemble the flag.
While some would opt to write a script for this, I am not well-versed enough to write one, so the least time-consuming option for me was to type it out by hand.
Flag: WGMY{1e3b71d57e466ab71b43c2641a4b34f4}
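For anyone who would rather script the extraction, the following is an added example (my own code, not the author's or the challenge's). It parses a classic libpcap file with only the standard library, walks Ethernet/IPv4/ICMP, and collects the final payload byte of each echo request. Two details matter in practice: short frames are padded to 60 bytes on the wire, so the "last byte" must be taken from the IP total length rather than the frame length, and echo replies must be filtered out or their payload bytes interleave with the flag. The sample capture, flag value and addresses are constructed here and stand in for the challenge file; Wireshark's default pcapng format is not handled.

```python
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


# ---------- reading ----------

def iter_pcap_frames(pcap: bytes):
    """Yield the raw link-layer bytes of each record in a classic libpcap file.

    Handles both byte orders and the nanosecond-timestamp magic. pcapng
    (Wireshark's default save format) is a different container and is rejected.
    """
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (pcapng?)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def icmp_last_bytes(pcap: bytes, echo_requests_only: bool = True) -> bytes:
    """Collect the final payload byte of every ICMP packet (by default only echo requests)."""
    out = bytearray()
    for frame in iter_pcap_frames(pcap):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_ICMP:
            continue
        # Trust the IP total length, not the frame length: short frames are padded
        # to 60 bytes on the wire and the padding would be mistaken for the last byte.
        icmp = ip[ihl:total_len]
        if len(icmp) <= 8:
            continue  # header only, no payload
        if echo_requests_only and icmp[0] != ICMP_ECHO_REQUEST:
            continue
        out.append(icmp[-1])
    return bytes(out)


def extract_from_file(path: str) -> str:
    with open(path, "rb") as f:
        return icmp_last_bytes(f.read()).decode("ascii", errors="replace")


# ---------- constructed sample (stands in for the challenge's pcap) ----------

def _inet_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Ethernet/IPv4/ICMP frame with valid checksums and hypothetical addresses."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", _inet_checksum(ip)) + ip[12:]
    frame = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4 + ip + icmp
    return frame.ljust(60, b"\x00")  # minimum Ethernet frame size, as a capture shows it


def build_pcap(frames) -> bytes:
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_FLAG = "WGMY{example}"  # hypothetical value; the real flag is in the write-up


def sample_pcap() -> bytes:
    """One echo request per flag character, each answered by a reply whose payload ends in 0x00."""
    frames = []
    for i, ch in enumerate(SAMPLE_FLAG):
        frames.append(build_icmp_frame(i, b"\x00" * 7 + ch.encode()))
        frames.append(build_icmp_frame(i, b"\x00" * 8, icmp_type=0))
    return build_pcap(frames)


if __name__ == "__main__":
    print(icmp_last_bytes(sample_pcap()).decode())
```

Run it against the real capture with `extract_from_file("challenge.pcap")`; if the file was re-saved by Wireshark as pcapng, export it as "Wireshark/tcpdump/... - pcap" first.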
[Misc] Invisible Ink
Difficulty: Medium
Description: The flag is hidden somewhere in this GIF. You can’t see it? Must be written in transparent ink.
Since this is a medium-difficulty question, its solution probably wouldn't be something trivial like Exif data or Mark-of-the-Web (I did check; it's not). Therefore, it is reasonable to check the GIF's individual frames to see what can be found. Using ImageMagick, I extracted the individual GIF frames and found something interesting.
magick .\challenge.gif frame-%d.png
frame-4.png and frame-5.png are unexpected and look noisy at first glance, but looking carefully, there is some concentrated raw data in the middle that forms a line. The next step was to inspect the two frames. I tried layering them via blend modes like dissolve, multiply, darken, etc., but they didn't seem to combine into readable text.
After some digging, I found another image steganography tool, StegSolve, which can be used to review image metadata, view data on a specific colour channel, and overlay images. Using StegSolve, I managed to view part of the flag hidden in the alpha channel of frame-4.png. Unfortunately, frame-5.png didn't show the other half of the flag.
After some trial and error, I wasn't able to reproduce the second half of the flag from frame-5.png. StegSolve also has the ability to extract frames, which I also tried, and I extracted these two frames saved as bitmap images.
Dealing with two bitmap images, I tried all the colour channel modes and found that StegSolve has a feature (Random colour map) that maps the data on each colour channel to random colours. This feature successfully showed both parts of the flag. Therefore the next step was to find a way to combine the two images.
Using Photopea, I layered both images on top of each other and changed the top layer's blend mode to Difference. The flag was revealed.
Flag: wgmy{d41d8cd98f00b204e9800998ecf8427e}
[Forensic] Unwanted Meow
Difficulty: Medium
Opening the file in ImHex, the tool suggested it could contain an image, since there is a JPEG header in it.
Inspecting the raw data closely, there seem to be lots of "meow" strings littered across the data. Given that the title of the challenge is Unwanted Meow, I supposed I would need to remove every "meow" found in the raw file. I got Claude AI to write a script that does just that.
def clean_meow(input_file, output_file):
    # Read the corrupted file as bytes
    with open(input_file, 'rb') as f:
        content = f.read()
    # Convert 'meow' to bytes for searching
    meow = b'meow'
    # Remove all instances of 'meow'
    cleaned = content.replace(meow, b'')
    # Write the cleaned content to a new file
    with open(output_file, 'wb') as f:
        f.write(cleaned)

if __name__ == "__main__":
    input_file = "flag.shredded"
    output_file = "output.jpg"
    try:
        clean_meow(input_file, output_file)
        print("File cleaned successfully!")
    except Exception as e:
        print(f"An error occurred: {e}")
Once the unwanted "meow" strings are removed, the image is restored, somewhat.
Since the flag is an MD5 hash of 32 hex characters, the output image already had 30 of them visible, with 2 characters partially corrupted in the middle. I could vaguely make out the characters 4 and 1 in the image, so I tried submitting the flag as WGMY{4a4be40c96ac6341e91d93f38043a634}. Unfortunately, it was incorrect.
I went down the rabbit hole of trying to restore that corrupted part and shift the image back, as well as attempting to understand chroma subsampling, since the corrupted blocks are quite even and resemble subsampling blocks.
It turned out I just needed to swap the 4 and the 1, since that part of the image was not corrupted.
Note: In retrospect, I could have just run my script a second time to remove any remaining "meow" and obtain an uncorrupted image. A single replace() pass walks the data left to right and never re-examines bytes it has already emitted, so a nested occurrence such as "memeowow" collapses to "meow" and survives the first pass.
Flag: WGMY{4a4be40c96ac6314e91d93f38043a634}
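The retrospective note above is worth turning into code, since it is the difference between a clean image and one with corrupted blocks. The block below is an added example (my own, not the script from the write-up): it repeats the removal until no marker remains, reports how many passes were needed, and sanity-checks the result for JPEG start and end markers. The sample "shredded" file is constructed inline from a fake JPEG-like byte string; the real challenge file is not reproduced here. One caveat a practitioner should keep in mind: if the genuine image data happened to contain the bytes 6d 65 6f 77 ("meow"), this would strip them too, so a decoder error after cleaning is the signal to look closer.

```python
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def strip_marker(data: bytes, marker: bytes = b"meow"):
    """Remove every occurrence of `marker`, repeating until none remain.

    bytes.replace() is a single left-to-right pass: removing the inner "meow" of
    b"memeowow" yields a fresh b"meow" that the same pass has already scanned past.
    Each pass strictly shrinks the data, so the loop always terminates.
    Returns (cleaned_bytes, number_of_passes).
    """
    passes = 0
    while marker in data:
        data = data.replace(marker, b"")
        passes += 1
    return data, passes


def looks_like_jpeg(data: bytes) -> bool:
    """Cheap structural check: SOI marker at the start and EOI marker at the end."""
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def clean_file(input_path: str, output_path: str, marker: bytes = b"meow") -> int:
    """Clean a file on disk; returns the number of passes that were needed."""
    with open(input_path, "rb") as f:
        cleaned, passes = strip_marker(f.read(), marker)
    if not looks_like_jpeg(cleaned):
        print("warning: output does not have JPEG SOI/EOI markers")
    with open(output_path, "wb") as f:
        f.write(cleaned)
    return passes


# ---- constructed sample input (not the challenge file) ----
# A fake JPEG: SOI + APP0 header bytes, a body of every byte value, then EOI.
# bytes(range(256)) is strictly increasing, so it cannot contain "meow" by accident.
CLEAN_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + JPEG_EOI


def shred(data: bytes, every: int = 40) -> bytes:
    """Insert junk after every `every` bytes, alternating plain and nested markers."""
    junk = (b"meow", b"memeowow")
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        if (i + 1) % every == 0:
            out += junk[(i // every) % len(junk)]
    return bytes(out)


if __name__ == "__main__":
    shredded = shred(CLEAN_SAMPLE)
    once = shredded.replace(b"meow", b"")
    cleaned, passes = strip_marker(shredded)
    print("markers left after one pass:", once.count(b"meow"))
    print("passes needed:", passes, "restored:", cleaned == CLEAN_SAMPLE)
```

For the real file, `clean_file("flag.shredded", "output.jpg")` replaces the original script; a pass count greater than one is exactly the "run it a second time" case from the note.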
[Misc] Christmas GIFt
Difficulty: Easy
I had just woken up from a short nap for the last wave of challenges. Since the description was about waiting for the flag, I supposed I just needed to analyze the frames and find the one frame with the flag. Using ImageMagick again, I extracted all 1402 frames and found the flag in the last one.
magick .\gift.gif frame-%d.png
Note: I'm aware that StegSolve could just browse the frames backwards and get the flag directly. At that moment, this was the quickest idea I had.
Flag: wgmy{1eaa6da7b7f5df6f7c0381c8f23af4d3}
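Both GIF challenges (Invisible Ink, where the flag was hidden in frames whose alpha channel mattered, and Christmas GIFt, where the flag sat on frame 1402 of 1402) reward a quick look at the GIF block structure before extracting every frame to disk. The block below is an added example (my own code, not the author's or any tool from the write-up): a standard-library walker that lists each frame's geometry, its Graphic Control Extension transparency flag and index, and disposal method, without decoding any LZW pixel data. Frames that declare a transparent index are where "transparent ink" can live, and the frame count tells you whether to start from the end. The two-frame GIF it runs on is constructed inline and is not either challenge file.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FrameInfo:
    index: int
    left: int
    top: int
    width: int
    height: int
    local_palette: bool
    transparent: bool               # Graphic Control Extension transparency flag
    transparent_index: Optional[int]
    disposal: int                   # 0 none, 1 keep, 2 restore background, 3 restore previous
    lzw_bytes: int                  # size of the compressed pixel stream


def _read_subblocks(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Concatenate GIF data sub-blocks starting at `off`; return (data, offset past the 0x00 terminator)."""
    chunks = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return b"".join(chunks), off
        chunks.append(buf[off:off + n])
        off += n


def walk_gif(buf: bytes) -> Tuple[Tuple[int, int], List[FrameInfo]]:
    """Walk the block structure of a GIF without decoding pixels."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack("<HHB", buf[6:11])
    off = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:
        off += 3 * (2 << (packed & 7))  # global colour table: 2^(n+1) RGB entries
    frames: List[FrameInfo] = []
    gce: Optional[bytes] = None  # most recent Graphic Control Extension payload
    while off < len(buf):
        block = buf[off]
        off += 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: label byte, then sub-blocks
            label = buf[off]
            off += 1
            data, off = _read_subblocks(buf, off)
            if label == 0xF9 and len(data) >= 4:
                gce = data
        elif block == 0x2C:  # image descriptor
            left, top, w, h, ipacked = struct.unpack("<HHHHB", buf[off:off + 9])
            off += 9
            if ipacked & 0x80:
                off += 3 * (2 << (ipacked & 7))  # local colour table
            off += 1  # LZW minimum code size
            data, off = _read_subblocks(buf, off)
            flags = gce[0] if gce else 0
            has_alpha = bool(flags & 1)
            frames.append(FrameInfo(len(frames), left, top, w, h, bool(ipacked & 0x80),
                                    has_alpha, gce[3] if (gce and has_alpha) else None,
                                    (flags >> 2) & 7, len(data)))
            gce = None  # a GCE applies to the next image only
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {off - 1}")
    return (width, height), frames


def transparent_frames(buf: bytes) -> List[int]:
    """Indexes of frames that declare a transparent colour, i.e. where invisible ink can hide."""
    return [f.index for f in walk_gif(buf)[1] if f.transparent]


def summarize(path: str) -> None:
    with open(path, "rb") as fh:
        buf = fh.read()
    (w, h), frames = walk_gif(buf)
    print(f"{path}: {w}x{h}, {len(frames)} frames")
    for f in frames:
        print(f"  #{f.index}: {f.width}x{f.height} at ({f.left},{f.top}) "
              f"transparent={f.transparent} idx={f.transparent_index} disposal={f.disposal}")


def sample_gif() -> bytes:
    """Constructed two-frame GIF (not a challenge file). The LZW payloads are filler bytes;
    the walker only skips sub-blocks and never decodes them."""
    palette = bytes([0, 0, 0, 255, 255, 255])  # 2 entries -> size field 0
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 4, 2, 0x80, 0, 0) + palette)
    # frame 0: opaque, covers the full 4x2 canvas
    out += b"\x21\xF9\x04" + bytes([0x00, 10, 0, 0]) + b"\x00"
    out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 4, 2, 0) + b"\x02" + b"\x03\x44\x01\x00" + b"\x00"
    # frame 1: transparency flag set, palette index 1 transparent, disposal 2
    out += b"\x21\xF9\x04" + bytes([0x01 | (2 << 2), 10, 0, 1]) + b"\x00"
    out += b"\x2C" + struct.pack("<HHHHB", 1, 0, 2, 2, 0) + b"\x02" + b"\x02\x44\x01" + b"\x00"
    out += b"\x3B"
    return bytes(out)


if __name__ == "__main__":
    (w, h), frames = walk_gif(sample_gif())
    print(w, h, len(frames), transparent_frames(sample_gif()))
```

`summarize("challenge.gif")` prints one line per frame; frames with `transparent=True` are the ones to extract and inspect on the alpha channel, and the frame count tells you which `frame-N.png` ImageMagick will write last.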
[OSINT] 迅帝
Difficulty: Hard
Description: 18 years, I waited 18 years and finally they are active once again. We managed to obtain some artifact from their last work, it seem a secret message is hidden deep inside. Find out what to do with these files. Oh, right, our agent has further message for you: ‘Melancholy Angel holds the flag.’ Good Luck, you need it.
I am quite happy to have been the first to solve this OSINT challenge. I wouldn't strictly consider this OSINT, since the part you need to research is the tool that can extract the data, which is more like reverse engineering than OSINT, but I digress. I wanted to walk through the search footprint of how I solved this, but here's the TL;DR if you don't care.
TL;DR
The title, the mention of Melancholy Angel, and the fact that it has been 18 years since they were last active all point to the game being Tokyo Xtreme Racer.
To extract the game data file, we need an extractor. QuickBMS is a brilliant generic file extractor that lets users write scripts to handle many different archive formats. I downloaded the tool (quickbms) and the script needed (tokyo_xtreme_racer.bms). The data file can be extracted with the following command:
.\quickbms.exe .\tokyo_xtreme_racer.bms .\BUILD.DAT output_files
After extracting all the game file contents, I looked through the results and found some .tga files (459 of them), an old image format. After painstakingly looking through hundreds of them, the 188th image showed something interesting:
Flag: wgmy{bf125e1fd5095254a4bd93ffc300e256}
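Looking through 459 TGA files by hand, with no thumbnail previews, is the slow part of this solve. The block below is an added example (my own code, not the author's or a QuickBMS feature) that converts uncompressed and RLE truecolor TGA files to PNG with only the standard library, so any image viewer can thumbnail them. It handles the two details that trip up naive converters: pixels are stored as BGR(A), and the default origin is bottom-left, so rows come out upside down unless flipped. The sample image is constructed inline and is not one of the game assets; the directory names in the usage note are placeholders.

```python
import struct
import zlib
from pathlib import Path
from typing import List, Tuple


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def write_png(width: int, height: int, rows: List[bytes], has_alpha: bool) -> bytes:
    """Minimal PNG encoder: 8-bit RGB or RGBA, filter type 0 on every scanline, no interlace."""
    raw = b"".join(b"\x00" + row for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6 if has_alpha else 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def decode_tga(buf: bytes) -> Tuple[int, int, List[bytes], bool]:
    """Decode 24/32-bit truecolor TGA (type 2 uncompressed, type 10 RLE) into top-first RGB(A) rows."""
    (id_len, cmap_type, img_type, _cfirst, cmap_len, cmap_bits,
     _xo, _yo, width, height, depth, desc) = struct.unpack("<BBBHHBHHHHBB", buf[:18])
    if img_type not in (2, 10):
        raise ValueError(f"unsupported TGA image type {img_type}")
    if depth not in (24, 32):
        raise ValueError(f"unsupported pixel depth {depth}")
    bpp = depth // 8
    off = 18 + id_len + (cmap_len * cmap_bits // 8 if cmap_type else 0)
    need = width * height * bpp
    pixels = bytearray()
    if img_type == 2:
        pixels += buf[off:off + need]
    else:
        # RLE packets: header bit 7 = run-length packet, low 7 bits + 1 = pixel count
        while len(pixels) < need and off < len(buf):
            hdr = buf[off]
            off += 1
            count = (hdr & 0x7F) + 1
            if hdr & 0x80:
                pixels += buf[off:off + bpp] * count
                off += bpp
            else:
                pixels += buf[off:off + count * bpp]
                off += count * bpp
    if len(pixels) < need:
        raise ValueError("truncated pixel data")
    rows = []
    for y in range(height):
        line = pixels[y * width * bpp:(y + 1) * width * bpp]
        row = bytearray()
        for x in range(0, width * bpp, bpp):
            px = line[x:x + bpp]
            row += bytes((px[2], px[1], px[0])) + px[3:4]  # BGR(A) -> RGB(A)
        rows.append(bytes(row))
    if not desc & 0x20:  # bit 5 clear: origin bottom-left, rows are stored bottom-up
        rows.reverse()
    return width, height, rows, bpp == 4


def tga_to_png(buf: bytes) -> bytes:
    w, h, rows, alpha = decode_tga(buf)
    return write_png(w, h, rows, alpha)


def convert_directory(src: str, dst: str) -> int:
    """Convert every .tga/.TGA under src into dst/<name>.png; returns how many were converted."""
    out_dir = Path(dst)
    out_dir.mkdir(parents=True, exist_ok=True)
    done = 0
    for tga in sorted(p for p in Path(src).rglob("*") if p.suffix.lower() == ".tga"):
        try:
            (out_dir / (tga.stem + ".png")).write_bytes(tga_to_png(tga.read_bytes()))
            done += 1
        except (ValueError, struct.error, IndexError) as exc:
            print(f"skip {tga}: {exc}")
    return done


# constructed 3x2 BGRA sample, bottom-left origin (the TGA default); not a game asset
_BLUE, _WHITE = bytes([255, 0, 0, 255]), bytes([255, 255, 255, 255])
_RED, _GREEN = bytes([0, 0, 255, 255]), bytes([0, 255, 0, 255])


def sample_tga(rle: bool) -> bytes:
    header = struct.pack("<BBBHHBHHHHBB", 0, 0, 10 if rle else 2, 0, 0, 0, 0, 0, 3, 2, 32, 0x08)
    if rle:
        body = (b"\x81" + _BLUE + b"\x00" + _WHITE      # bottom row: run of 2 blue, 1 raw white
                + b"\x00" + _RED + b"\x81" + _GREEN)    # top row: 1 raw red, run of 2 green
    else:
        body = _BLUE * 2 + _WHITE + _RED + _GREEN * 2
    return header + body


if __name__ == "__main__":
    print(decode_tga(sample_tga(rle=True))[:2], len(tga_to_png(sample_tga(rle=False))), "bytes of PNG")
```

`convert_directory("output_files", "previews")` (placeholder paths) writes one PNG per TGA and skips colour-mapped or 16-bit files with a message rather than crashing, so the 459 files can be browsed as thumbnails instead of opened one by one.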
The rabbit hole
The first step of OSINT is to understand what we are dealing with and the purpose of the file. Searching for 迅帝 revealed some cars, and many results referenced Shutokō Battle, which is the Japanese name of Tokyo Xtreme Racer. This Reddit post referencing Melancholy Angel in r/tokyoxtremeracer confirmed the theory. Finally, Tokyo Xtreme Racer is set to be released on Steam in 2025, 18 years after the last non-mobile release on Xbox 360, which was called Import Tuner Challenge, part of the Tokyo Xtreme Racer series.
Very quickly, I understood that the files BUILD.DAT and BUILD.TOC resembled some sort of proprietary game files that are part of the Xbox 360 game. Rather than thinking about how I could run the game from the files provided, I reckoned the easier way was to find tools that can extract the game files.
The first tool I tried was TXRExtractor. It was a good candidate since its screenshot showed .DAT and .TOC files. Sadly, it didn't seem to work and complained about an unsupported archive. The tool is also not well written: it seems to retain some child processes after closing the app, so I had to manually kill the process via Task Manager.
Next, I tried searching Google for a "BUILD.TOC" extractor. I found two ZenHAX forum discussions that mention BUILD.TOC: Import Tuner Challenge BUILD.DAT and Tokyo Xtreme Racer Drift 2 BUILD.DAT. The first discussion wasn't much help, as all the links in it are dead. The second has a link to aluigi's script for Tokyo Xtreme Racer, and the forum users were happy that it worked well. Sadly, in my case the script link was 404'd, but this is the closest I could have come to solving the challenge within 10 minutes.
I moved away from forums and found another tool from the previous Google search. GUT Archive Tools seems to be written specifically to extract games developed by Genki, which includes Tokyo Xtreme Racer. This tool was promising too, since it was still receiving active support as recently as last month (Nov 2024). Following the help guide, the default option failed to extract the data file, but using the -2 flag helped, since the game is technically Import Tuner Challenge. The tool managed to extract around 23k files.
I took a few minutes to sort through the extracted files; they were mostly binary files with some weird proprietary formats. Looking at the file sizes, the .XPU and .XSB files were the least likely to contain anything, since they were all between 1 and 5 KB. Therefore, I looked at .XMD, .XSB, and .XWB as better candidates to continue the rabbit hole exploration.
So I searched for more information about .XMD files and how to read or open them. I found that the developer of the TXRExtractor tool mentioned including a script that can load unpacked XMD models and XTD textures, but it is an Autodesk 3ds Max script. No way am I downloading Autodesk 3ds Max just to try to open these unknown file formats. I did try to play around with the dds2gtf.exe and gtf2dds.exe files, but that didn't help much.
Then I searched "xbox 360 xmd file", which led me to a Reddit thread asking how to extract Xbox 360 textures, including .XMD files. Unfortunately, the script provided was for another game, Deadly Premonition, and for extracting textures from .XPC files.
Around 2:08 PM, I decided to find out what a "bms script" is, so I searched for it. That brought me to the QuickBMS website, the very tool I needed to solve the challenge, but I came in with the mindset of unpacking .XMD files. Suffice to say I couldn't find anything useful.
Note: On the website, there is a script to extract .XPR files. I tried extracting a few .XPR files with it. Happy to say that I did not go down this rabbit hole, as I had ignored this file extension while searching for scripts to extract the game files.
While in the rabbit hole, I was pretty amazed by the QuickBMS tool. I spent a few minutes reading about its purpose. Out of curiosity, I did a quick Ctrl + F on the website to see if I could find a Tokyo Xtreme Racer script, and, surprise, I could. Running the tool on the file to extract, I didn't have high expectations, since the GUT Archive Tool had extracted everything but nothing was viewable.
Well, not so fast, because it managed to extract something crucial: some properly readable image files! Unfortunately, ImageGlass couldn't generate thumbnail previews, so I had to go through all the .TGA files manually. Well, at least that's better than painstakingly reviewing every other weird file, right?
You can see how excited I was when I finally found the Melancholy Angel emblem. It has the flag embedded in lime green text.
In the end, I am not very sure how strictly this challenge would be considered OSINT. I might as well consider myself lucky to have avoided all sorts of rabbit holes and stumbled into the correct tool to properly extract the game data. Regardless, a flag is a flag 😊.