CyberBlitz 2025
These writeups only cover the challenges that I solved or helped to solve.
S3CR3T 4GENT
Our spy managed to get a hold of this apk. Inside lies a secret of a secret agent of our enemy. Can you crack it?
Solution
Upon examining the apk, the following code can be found:
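private String decodeFlag() throws Resources.NotFoundException {
    // Load the integer array stored under res/values/arrays.xml
    int[] data = getResources().getIntArray(R.array.flag_data);
    char[] c = new char[data.length];
    for (int i = 0; i < data.length; i++) {
        // Each stored integer is XORed with the constant 85 (0x55)
        c[i] = (char) (data[i] ^ 85);
    }
    return new String(c);
}
} // closes the enclosing class (rest not shown)
public static final class array {
    // Resource ID that maps to the flag_data integer-array
    public static int flag_data = 0x7f030000;
    private array() {
    }
}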
res/values/arrays.xml
<resources>
<integer-array name="flag_data">
<item>22</item>
<item>44</item>
<item>55</item>
<item>48</item>
<item>39</item>
<item>23</item>
<item>57</item>
<item>60</item>
<item>33</item>
<item>47</item>
<item>103</item>
<item>101</item>
<item>103</item>
<item>96</item>
<item>46</item>
<item>38</item>
<item>56</item>
<item>97</item>
<item>57</item>
<item>60</item>
<item>10</item>
<item>100</item>
<item>38</item>
<item>10</item>
<item>48</item>
<item>52</item>
<item>96</item>
<item>100</item>
<item>48</item>
<item>39</item>
<item>10</item>
<item>33</item>
<item>61</item>
<item>97</item>
<item>59</item>
<item>10</item>
<item>55</item>
<item>100</item>
<item>59</item>
<item>97</item>
<item>39</item>
<item>44</item>
<item>106</item>
<item>40</item>
</integer-array>
</resources>

Then copy all of this code into an AI agent such as ChatGPT and ask it to decode the flag.
CyberBlitz2025{sm4li_1s_ea51er_th4n_b1n4ry?}
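Because decodeFlag() only XORs each integer with 85, the same result can be reproduced offline. The script below is an added example, not part of the original writeup: it parses the flag_data array shown above and also shows that the key falls out of the known flag prefix. The function names are made up for illustration.

```python
import xml.etree.ElementTree as ET

# flag_data from res/values/arrays.xml on this page, reflowed onto fewer lines.
ARRAYS_XML = """<resources><integer-array name="flag_data">
<item>22</item><item>44</item><item>55</item><item>48</item><item>39</item><item>23</item>
<item>57</item><item>60</item><item>33</item><item>47</item><item>103</item><item>101</item>
<item>103</item><item>96</item><item>46</item><item>38</item><item>56</item><item>97</item>
<item>57</item><item>60</item><item>10</item><item>100</item><item>38</item><item>10</item>
<item>48</item><item>52</item><item>96</item><item>100</item><item>48</item><item>39</item>
<item>10</item><item>33</item><item>61</item><item>97</item><item>59</item><item>10</item>
<item>55</item><item>100</item><item>59</item><item>97</item><item>39</item><item>44</item>
<item>106</item><item>40</item>
</integer-array></resources>"""


def read_int_array(xml_text, name):
    """Return the integers of the named <integer-array> resource."""
    node = ET.fromstring(xml_text).find(f"./integer-array[@name='{name}']")
    if node is None:
        raise KeyError(f"no integer-array named {name!r}")
    # Base 0 accepts plain decimal as well as 0x-prefixed values.
    return [int(item.text.strip(), 0) for item in node.findall("item")]


def xor_decode(values, key):
    """Mirror of decodeFlag(): XOR every value with the same key."""
    return "".join(chr(v ^ key) for v in values)


def recover_key(values, known_prefix):
    """Derive the XOR key from known plaintext; None if no single key fits."""
    if len(known_prefix) > len(values):
        return None
    keys = {v ^ ord(ch) for v, ch in zip(values, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


if __name__ == "__main__":
    data = read_int_array(ARRAYS_XML, "flag_data")
    print("key from known prefix:", recover_key(data, "CyberBlitz2025{"))
    print(xor_decode(data, 85))
```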
Help me deliver this letter
The General has tasked you to deliver this letter ASAP to Alan Turing, the renowned cryptologist who cracked the Enigma Machine. However, ink was spilled on the address stated in the letter, and the General, who is away, is the only one who knows Mr Turing’s address. Perhaps there is a way to find out Mr Turing’s address?
Flag format: CyberBlitz2025{streetnamepostalcode}
Include an underscore (_) if there is a space in the street name. For example, CyberBlitz2025{10_Downing_St_SW1A2AA}

Initially, I thought that the challenge required us to find out where Alan Turing lived back in 1945 considering that it is an OSINT challenge. I tried multiple addresses for the flag such as:
CyberBlitz2025{Sherwood_Dr_MK36EB}
CyberBlitz2025{Hut_3_MK36EB}
CyberBlitz2025{78_High_St_TW122SJ}
CyberBlitz2025{78_High_St_TW122SW}
CyberBlitz2025{78_High_Street_TW122SJ}
CyberBlitz2025{Hampton_Road_TW110LW}
CyberBlitz2025{Hampton_Rd_TW110LW}
CyberBlitz2025{Kings_Parade_CB21ST}
CyberBlitz2025{Hanslope_Park_MK197BH}
CyberBlitz2025{Ennismore_Avenue_GU12QX}
However, none of them were right.
Solution
Only near the end of the CTF did I notice that the image right above "To Mr Alan Turing" is actually a valid barcode.
The website https://online-barcode-reader.inliteresearch.com/ has an option for Postal, which is the same type of barcode shown in the PDF.
After saving the image of the barcode and decoding it using the website, the flag is given:
CyberBlitz2025{262_Balestier_Road_329714}
Thermite or Hibana
Our plan to blow up the World Health Organisation to release ebola and covid-REDACTED failed. Team rainbow sent in 5 goons in black masks to defuse our bombs and left behind a laptop in a white suitcase. The laptop was cooked by bullets but we managed to recover this file. Your task as our forensics intern is to analyse this file and find anything interesting. Try to impress me before our next mentoring session - Deimos
Solution
We were given a file named redacted.bin. Viewing it in a hex editor such as ImHex shows the file header.

hsqs is the magic signature of SquashFS, a compressed, read-only file system. However, I also noticed that there were blank spaces in the header, so by using ImHex, I removed all the blank spaces until the file starts with hsqs before saving the file as redactedfix.squashfs.

Afterwards, this file can then be mounted onto our Linux file system.
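The header fix described above can also be done programmatically: locate the hsqs magic, check that the bytes after it look like a SquashFS 4.x superblock, and drop everything before it. This is an added example, not from the original writeup; the function names and the constructed sample (space padding plus a decoy magic) are assumptions.

```python
import struct

MAGIC = b"hsqs"               # SquashFS magic as stored on disk (little-endian)
SB_PREFIX = "<4sIIIIHHHHHH"   # first 32 bytes of the SquashFS 4.x superblock


def find_squashfs(buf):
    """Offset of the first plausible SquashFS 4.x superblock, or -1."""
    pos = buf.find(MAGIC)
    while pos != -1:
        hdr = buf[pos:pos + 32]
        if len(hdr) == 32:
            (_magic, _inodes, _mtime, block_size, _frags, _comp,
             block_log, _flags, _ids, major, _minor) = struct.unpack(SB_PREFIX, hdr)
            # A real superblock has version 4 and block_size == 2**block_log;
            # a stray "hsqs" string inside padding or data fails this check.
            if major == 4 and block_log < 32 and block_size == 1 << block_log:
                return pos
        pos = buf.find(MAGIC, pos + 1)
    return -1


def carve(buf):
    """Return (offset, image) with everything before the superblock removed."""
    off = find_squashfs(buf)
    if off < 0:
        raise ValueError("no SquashFS superblock found")
    return off, buf[off:]


# Constructed sample: 7 spaces, a decoy magic followed by 40 spaces, then a
# minimal superblock prefix (128 KiB blocks, block_log 17, version 4.0).
SAMPLE = (b" " * 7 + MAGIC + b" " * 40 +
          struct.pack(SB_PREFIX, MAGIC, 3, 0, 131072, 0, 1, 17, 0, 1, 4, 0) +
          bytes(64))

if __name__ == "__main__":
    offset, image = carve(SAMPLE)
    print(f"superblock at offset {offset}, image is {len(image)} bytes")
    # For the real file: read redacted.bin, carve, write redactedfix.squashfs.
```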
Then I enumerated through the file system and found some interesting files:
/disk/etc/shadow
root::19354:0:99999:7:::
dokkaebi:!:19354:0:99999:7:::
thermite:!:19354:0:99999:7:::
hibana:!:19354:0:99999:7:::
thatcher:$6$saltyohoiq2$KUVUt8jV85ZsQFlX1xFTeTo3f/rZFxQcBL7yOe48ksYbzNIIJjBrOcohhbIIfL3BZaJ.WkFQB0lz9XU6lZglV.:19354:0:99999:7:::
jackal:!:19354:0:99999:7:::
rook:!:19354:0:99999:7:::
aruni:!:19354:0:99999:7:::
lesion:!:19354:0:99999:7:::
vigil:!*:19354:0:99999:7:::
/disk/home/thatcher/flag.enc
U2FsdGVkX18Qnbi/RSL+IXD3cmZ/eIHai5k4c7HBt8A8vplbr6Uofxmi21gHp8zj
K+feVXRfAL0mEOOBjoKubfIEZaZTJupnkUaBV+MUUasZsd2H9bDw21VPjzAzbYBu
Thatcher’s password can be brute-forced using John the Ripper or hashcat. This gives us the password: raynbow69
However, this is not enough to retrieve the flag yet.
So I also dug through thatcher’s bash history.
┌──(dng㉿dng)-[~/Downloads/squashfs-root/home/thatcher]
└─$ cat .bash_history
whoami
id
sudo -l
openssl enc -aes-256-cbc -salt -out flag.enc -e -a -pbkdf2
openssl enc -aes-256-cbc -in flag.enc -out -d -a -pbkdf2
From the history, the openssl commands were used to create the flag.enc. Now I can proceed to decode the flag.enc using the same commands.
┌──(dng㉿dng)-[~/Downloads/squashfs-root/home/thatcher]
└─$ openssl enc -aes-256-cbc -d -a -pbkdf2 -in flag.enc
enter AES-256-CBC decryption password: raynbow69
CyberBlitz2025{6p5_5473ll1735_unm4nn3d_dr0n35_fu1n6_l453r_516h75}
CyberBlitz2025{6p5_5473ll1735_unm4nn3d_dr0n35_fu1n6_l453r_516h75}
Ela or Zofia
Team rainbow has breached our secure location. The operators responsible have seen too much of our operation. As our forensics intern, your objective is to go through some fragments of digital evidence which will identify the operator(s) responsible or you can taste my .44 Vendetta - Deimos
Solution
The flag can be retrieved by combining the two images in XOR mode with a tool such as stegsolve.
CyberBlitz2025{900d_w02k_0p324702}
Matryoshka Doll
Apparently AI thinks this is what a Matryoshka Doll holding a flag looks like?

Solution
Using binwalk on the image, a file named Listen2me.exe can be extracted.
Change the file extension to .wav instead and open it.
It will give you the password: russian32
This password can then be used to retrieve another file from the Matryoshka Doll image using steghide:
┌──(dng㉿dng)-[~/Downloads/_Matryoshka_Doll.png.extracted]
└─$ steghide extract -sf MatryoshkaDoll.jpg -p russian32
This extracts a file named final.zip, which contains flag.txt; however, it is encrypted with a password.
The password for final.zip can be retrieved by using exiftool.
┌──(dng㉿dng)-[~/Downloads/_Matryoshka_Doll.png.extracted]
└─$ exiftool final.zip
ExifTool Version Number : 13.25
File Name : final.zip
Directory : .
File Size : 251 bytes
File Modification Date/Time : 2025:12:19 23:59:48-06:00
File Access Date/Time : 2025:12:19 23:59:51-06:00
File Inode Change Date/Time : 2025:12:19 23:59:48-06:00
File Permissions : -rw-rw-r--
Comment : c3VwM3JTM2NyMzdwQDU1
File Type : ZIP
File Type Extension : zip
MIME Type : application/zip
Zip Required Version : 10
Zip Bit Flag : 0x0009
Zip Compression : None
Zip Modify Date : 2025:02:04 02:58:06
Zip CRC : 0x335c5c2c
Zip Compressed Size : 49
Zip Uncompressed Size : 49
Zip File Name : flag.txt
The Comment field contains c3VwM3JTM2NyMzdwQDU1. Base64-decoding it gives the password: sup3rS3cr37p@55
This can then be used to retrieve flag.txt.
CyberBlitz2025{Juz_L1I<3_0n10n_125!}
SiT By The Island
Hot weather, idea for a cold drink after finishing my research on this island. Guess where am I? The flag format is CyberBlitz2025{island_name} - All lowercase

Solution
Running Google Lens on the image returns the name Coney Island.
CyberBlitz2025{coney_island}
Where are you looking at?
I want to access the secret site but it keeps asking me to look elsewhere.
Fuzzing may be required
Solution
┌──(dng㉿dng)-[/usr/share/seclists/Discovery/DNS]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://blitzinstance1.ddns.net:32776/FUZZ
v2.1.0-dev
__
:: Method : GET
:: URL : http://blitzinstance1.ddns.net:32776/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
__
redirect [Status: 200, Size: 511, Words: 59, Lines: 15, Duration: 6ms]
secret [Status: 302, Size: 271, Words: 18, Lines: 6, Duration: 107ms]
:: Progress: [4989/4989] :: Job [1/1] :: 17 req/sec :: Duration: [0:01:38] :: Errors: 0 ::
Examining the HTTP response for /secret gives the following:
HTTP/1.1 302 FOUND
Server: Werkzeug/3.1.4 Python/3.12.12
Date: Sat, 20 Dec 2025 02:02:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 271
Location: https://www.youtube.com/shorts/ShA03TDC4O0
X-Tip: Some secrets reveal themselves when you ask nicely
There’s a hint in the X-Tip header: "Some secrets reveal themselves when you ask nicely".
I was stuck at this point, but my friend managed to solve it by adding an additional header: X-Bypass: true
The flag can then be retrieved from the response.

CyberBlitz2025{K33p%L00k1ng%L3f7%&%R1gh7:D}