BlitzHack CTF 2025 Writeups

The writeups of challenges I have created in BlitzCTF 2025

The BlitzCTF 2025 took place between Sat, 05 July 2025, 14:30 UTC — Mon, 07 July 2025, 02:30 UTC. I was really fun and important for me to join as a challenge creator.

Thank you for everyone. 😇

Hidden Signal in Noise (Misc)

1024B
magic.mrf

Since the description clearly stated how it’s corrupted, I’ll just provide the Solution Script.

FILENAME = "magic.mrf"

def decode_flag(filename):
    with open(filename, "rb") as f:
        data = f.read()

    if data[:4] != b"\x5A\xA5\x5A\xA5":
        print("Warning: Unexpected magic header")

    # Extract high nibbles every 10 bytes
    nibbles = [(data[i] >> 4) for i in range(4, len(data), 10)]

    # Combine nibbles into ASCII characters
    chars = []
    for i in range(0, len(nibbles) - 1, 2):
        c = (nibbles[i] << 4) | nibbles[i+1]
        if 32 <= c <= 126:
            chars.append(chr(c))
        else:
            break

    print("Recovered flag:", "".join(chars))

if __name__ == "__main__":
    decode_flag(FILENAME)

Blitz Traffic (Forensics)

2MB
protected.zip
archive

A lot people asked me whether I need to crack the password of the zip file. The answer is actually no All you can do was find the password among printable strings.

It’ll show PCAP file, where you’ll be able to see the hex of PNG file. Solution script to extract the image from PCAP file.

424B
exp.py

Essay (Forensics)

Th problem itself asks you to get know Object Linking and Embedding (OLE)` file. You can get know more about it from here.

LogoGitHub - decalage2/oletools: oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.GitHub

The oletools will help you to extract and analyze hidden link/text from the doc file.

Installation

pip install oletools

First of all, let’s use olevba to extract macros embedded in Word file. Output file shows below.

14KB
output.txt

  • It runs AutoOpen to show some messages.

  • It calls EmbedDesktopZip which tries to embed a ZIP file named secret.zip located on the user’s Desktop (%USERPROFILE%\\Desktop\\secret.zip).

  • The ZIP filename is obfuscated as "zcrseet.ip" and unscrambled by reversing and fixing the extension.

  • If the ZIP is missing, it shows an error and exits.

If you seeks closely, there’ll be suspicious decimals denoted as a key of something.

Key & Chr(83) & Chr(117) & Chr(112) & Chr(51) & Chr(114) & Chr(83) & Chr(51) & Chr(99) & Chr(114) & Chr(101) & Chr(116) & Chr(80) & Chr(97) & Chr(115) & Chr(115) & Chr(87) & Chr(48) & Chr(82) & Chr(68)

Decryption gives you a password: Sup3rS3cretPassW0RD

Since there’s a password, there must be a file or something else associated with it.

Now, extract the hidden links of Doc file.

┌──(py310env)─(zwique㉿zwique)-[~/Downloads]
└─$ oleobj Essay.docm 
oleobj 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: 'Essay.docm'
Found relationship 'hyperlink' with external link https://www.youtube.com/watch?v=dQw4w9WgXcQ

So, we’ve found nothing. Try unzipping/extracting the Essay.docm file.

unzip Essay.docm

You’ll receive extracted files of Doc file. Now, look at the vbaProject.bin

So our mission is secret.zip Here is the hook. Well, actually the content of secret.zip was leaked inside vbaProject.bin in Base64 format.

Base64: QmxpdHp7 → Blitz{

strings vbaProject.bin | grep QmxpdHp7

QmxpdHp7MGwzX0QzTXBfTTNsMTBzfQoBase64: QmxpdHp7 → Blitz{

Flag: Blitz{0l3_D3Mp_M3l10s}

Sorry for the misleading points like Sup3rS3cretPassW0RD , secret.zip , and more. XD

Randomized Chaos (Crypto)

552B
enc.py
457KB
output.txt

Solution Script:

1KB
slv.py

Hacked By Kids Part 1 (OSINT)

The intended solution was picking up keywords from the given description and search them on the internet. You’ll find the matching crime case where UK teens hacked CIA agent.

For more about the case: https://darknetdiaries.com/transcript/139/

Then what you need to do is locate the court.

https://www.justice.gov/usao-edva/file/890421/dl

Flag: Blitz{1:16-mj-406}

Lost in UB (OSINT)

First of all, you have to get know the case and list down the things you’ve found so far.

  1. I was next to Genghis Khan National Museum Mongolia https://maps.app.goo.gl/dqF4tG2AALnWTqQX7

  2. They want me to take a bus to get back to the hotel. As he mentioned at 12:26, I’ll need to hop off the bus. If you look closely, he actually messaged at 12:10. That means it takes 16 minutes to reach the final destination (station where I hopped on different trip)

  3. He also mentioned another trip I posted on my social media, where I took the same bus.

  4. Lastly, there is a Japanese restaurant located nearby the hotel.

Great!!! You’ve got everything from their chat. Now let’s stalk on me.

Different Trip to National University

x.comhttps://x.com/Zwique_1337

Quite interesting posts, where you’ll see I discussed my plan to go to the National University of Mongolia. However, most of the players didn’t notice that it’s a completely different trip from the one going from the Genghis Khan National Museum to my hotel. Furthermore, I’ve mentioned the station where I hopped on my personal blog. Let’s check that.

If you run Sherlock, you’ll find https://zwique.blogspot.com/ and https://github.com/Zwique/ links. The first blog is a text-only version of my blog. However, if you visit my GitHub, you’ll see that my blog there posts only images: https://zwique.gitbook.io/zwique_notes/achievements/blog-in-ulaanbaatar

Images on Blog

It clearly shows the proof of images where I took Ч:28 bus line and headed to one station. Check the time takes to reach every stop from Genghis Khan National Museum

https://www.google.com/maps/dir/47.9228543,106.9147054/МУБИС,+SBD+-+8+khoroo,+Ulaanbaatar/@47.9210604,106.9144673,2274m/data=!3m1!1e3!4m9!4m8!1m0!1m5!1m1!1s0x5d96924746339b05:0x63195dbfccabd5df!2m2!1d106.923851!2d47.9185715!3e3?entry=ttu&g_ep=EgoyMDI1MDYzMC4wIKXMDSoASAFQAw%3D%3D

Nice, bus line Ч:28 stops on MUBIS station and it takes 16 mins to reach the station.

Recap:

  1. He hopped off on MUBIS station https://maps.app.goo.gl/gxri4fXiBCLPKUmr5

  2. We know the picture, where I’m heading the station

Now your mission is simply to locate the location shown in this image. This part might be difficult for players to handle. https://maps.app.goo.gl/va8827SG4TfJrFve7 It’s possible to find by going nearby MUBIS station and locate this road. At the end, search for the hotel that has a Japanese restaurant next to it.

Hotel: https://maps.app.goo.gl/b4rSoeneoHwdnFQr5

Japanese Restaurant: SUSHI HERO Japan Restaurant 寿司廣(すしひろ)

Flag: Blitz{Epos_Hotel}

Switzerland of Asia (OSINT)

It was actually quite easy to solve. As the description stated, I like to take photos and write short reflections. Some people may have just found the place where I upload the full version of this photo and write reviews.

However, the intended solution is to check my GitBook:

https://zwique.gitbook.io/zwique_notes/achievements/blog-in-ulaanbaatar

*Only images here.* I also like to add blogs with beautiful nature photos on [<https://kr.pinterest.com>](<https://kr.pinterest.com/>).

Find my account on Pinterest:

https://kr.pinterest.com/Zwique_1337/switzerland-of-asia/

In the comments section, a long text is waiting for you all. As mentioned in the description, hit CMD/CTRL + F or open your eyes and look closely for suspicious things.

Follow the pastebin, get what you looked for. https://pastebin.com/HvCVgscd

Flag: Blitz{ALTa1_TaVAn_B0Gd_Mongolia}

Hacked By Kids Part 2 (OSINT)

I’m proud to say that this is my most favorite challenge I’ve created in BlitzCTF 2025 so far.

Since it’s related to the part 1, we gotta look at the characters of last crime case.

Associated People:

Search each of them on our Discord Server. You’ll find Cracka.

He is the guy 📈 Check every link. One of them leads to a YouTube video that covers the crime case:

https://youtu.be/FivA4WubhLY?si=RFOO2MPjyD0mXGzB

Inside the description, you can find a Pastebin link mentioning sources across different media platforms:

https://pastebin.com/raw/wrQ13aSY

As the description mentioned he revealed his location on news platform, check every link and look for interesting comments, information, etc.

In 20 minutes news site, you’ll find Cracka commenting on his own crime case.

LogoL'ado qui a piraté le compte de l'ex-chef de la CIA devant la justice20 Minutes

He clearly describes he’s sitting in a restaurant that closes at 8:30 pm (he’s quite upset about that) Moreover, you can see his IP address from the profile picture.

Look up the IP address and find its origin.

Latitude:52.6386 (52° 38′ 18.96″ N)

Longitude:-1.1317 (1° 7′ 54.08″ W)

https://whatismyipaddress.com/ip/93.93.223.188

As mentioned on the description, go to the Google Maps and locate the coordinates.

Search for restaurant that closes at 8:30 pm nearby https://www.google.com/maps/search/Restaurants/@52.6386,-1.1342749,694m/data=!3m2!1e3!4b1!4m7!2m6!3m5!1sRestaurants!2s52.6388,+-1.1317!4m2!1d-1.1317229!2d52.6387613?entry=ttu&g_ep=EgoyMDI1MDYzMC4wIKXMDSoASAFQAw%3D%3D

The only restaurant you’ll get is PHỞ LÊ Vietnamese Restaurant https://maps.app.goo.gl/gLPGanBYNYHEs2168

Check the review and get the flag

Flag: Blitz{C24ck45_W17h_A7717ud3_F0r3v3r}

This is the challenge I’ve enjoyed creating the most. Congratulations to teams Curiosity and 0bscuri7y for solving it.

Thank you so much for playing BlitzCTF 2025. I hope to see everyone next year.

PreviousBlog in Ulaanbaatar

Last updated