• NathamCon – CTF 2021

  • Back
15 March 2021 by 

If you found my content helpful then please consider supporting me to do even more crazy projects and writeups. Just click the button below to donate.

In the end I only had a few hours to participate in the conference so I didn’t manage to get many of the challenges done. The ones I solved are below.


Buzz buzz, can you find the honey?
file: veebee.vbe

VBE is encrypted VBS. Using https://master.ayra.ch/vbs/vbs.aspx or https://github.com/DidierStevens/DidierStevensSuite/blob/master/decode-vbe.py we can decrypt it.

From the first link we see:

The content should start with #@~^XXXXXX== and end with ==^#~@ plus a "null" char, which is not visible in most editors.

Looking at the file, we have two scripts and some garbage at the start. Splitting the two scripts into different files and running through the decode produces the flag in the second vbe script.

Flag: flag{f805593d933f5433f2a04f082f400d8c}


Do you double-knot your shoelaces? You gotta keep’em tied!
file: shoelaces.jpg

Use strings to find flag.

Flag: flag{137288e960a3ae9b148e8a7db16a69b0}

Chicken Wings

I ordered chicken wings at the local restaurant, but uh… this really isn’t what I was expecting…
file: chicken_wings

It’s just wingdings encoded – decode with https://www.dcode.fr/wingdings-font

Flag: flag{e0791ce68f718188c0378b1c0a3bdc9e}


You know, that sound that bumblebees make?
file: buzz

Using file on buzz shows: compress'd data 16 bits. This shows its a UNIX-compressed file – and probably should have extension .z. Giving it correct extension you can open it with archiver and read buzz file contents inside.

Flag: flag{b3a33db7ba04c4c9052ea06d9ff17869}


Was it a car or a cat I saw?
file: esab64

Notice that filename is base64 but backwardish. Read file backwards and decode as base64 using tac: tac -r -s 'x\|[^x]' esab64. This produces the flag but backwards so reverse again: tac -r -s 'x\|[^x]' esab64 | base64 -d | tac -r -s 'x\|[^x]' and get the flag

Flag: flag{fb5211b498afe87b1bd0db601117e16e}

Car Keys

We found this note on someone’s key chain! It reads… ygqa{6y980e0101e8qq361977eqe06508q3rt}? There was another key that was engraved with the word QWERTY, too…

Keyed Caesar Cipher. Use QUERTY as key. Decode on https://www.boxentriq.com/code-breaking/keyed-caesar-cipher.

Flag: flag{6f980c0101c8aa361977cac06508a3de}

The Mission


CONSTELLATIONS has "tried" to reduce their attack surface by offering just a static website. But you might find some low-hanging fruit to get you started.

Find the standard robots.txt file: https://constellations.page/Robots.txt

Flag: flag{33b5240485dda77430d3de22996297a1}

Meet The Team

Recover the list of employees working at CONSTELLATIONS.

Git repo on website: https://constellations.page/.git/config. Use GitTools Dumper.

Flag: flag{4063962f3a52f923ddb4411c139dd24c}


Use open-source intelligence to track down information on Hercules.

Find link to user from CONSTELLATIONS github (linked from constellations site). Search github user for flag. Find the following file and extract flag.

Flag: flag{84d5cc7e162895fa0a5834f1efdd0b32}


Use open-source intelligence to track down information on Hercules.

Find link to user from Gus’s github (Gus is watching). Search Hercules github for flag and find the following file

flag: flag{5bf9da15002d7ea53cb487f31781ce47}


Google name and find Twitter account. One Tweet has link to constellations website https://constellations.page/constellations-documents/1/. See it’s potential ennumeration and eventually find https://constellations.page/constellations-documents/5/.

Flag: flag{bd869e6193c27308d2fd3ad4b427e8c3}