# BlitzCTF 2025

The [BlitzCTF](https://ctftime.org/event/2816/) 2025 took place between `Sat, 05 July 2025, 14:30 UTC — Mon, 07 July 2025, 02:30 UTC.` It was really fun, and it was important to me to join as a challenge creator.

Thank you, everyone. :innocent:

***

## Hidden Signal in Noise (Misc)

<figure><img src="/files/fYHSg3ZdlgP2HEMqvXRP" alt="" width="375"><figcaption></figcaption></figure>

{% file src="/files/dVSEeg1QSE6syWHFjLHe" %}

Since the description clearly stated how it’s corrupted, I’ll just provide the Solution Script.

```python
FILENAME = "magic.mrf"

def decode_flag(filename):
    with open(filename, "rb") as f:
        data = f.read()

    if data[:4] != b"\x5A\xA5\x5A\xA5":
        print("Warning: Unexpected magic header")

    # Extract high nibbles every 10 bytes
    nibbles = [(data[i] >> 4) for i in range(4, len(data), 10)]

    # Combine nibbles into ASCII characters
    chars = []
    for i in range(0, len(nibbles) - 1, 2):
        c = (nibbles[i] << 4) | nibbles[i+1]
        if 32 <= c <= 126:
            chars.append(chr(c))
        else:
            break

    print("Recovered flag:", "".join(chars))

if __name__ == "__main__":
    decode_flag(FILENAME)
```

***

## Blitz Traffic (Forensics)

<figure><img src="/files/XZ0argk8gcxm4S7NdnzN" alt="" width="375"><figcaption></figcaption></figure>

{% file src="/files/Huzv1cJakXgGvEbD6dCf" %}

A lot of people asked whether they needed to crack the password of the ZIP file. The answer is actually **no**. All you had to do was find the password among the printable strings.

<figure><img src="/files/wWjLiOkTfIC1xMT8uAAb" alt="" width="375"><figcaption></figcaption></figure>

It’ll give you a PCAP file, in which you’ll be able to see the hex of a PNG file. Here is the solution script to extract the image from the PCAP file.

{% file src="/files/LcskrSuHkMVzxBEc68VO" %}

<figure><img src="/files/p8Cy7hmsZtdRE0CG3goW" alt="" width="247"><figcaption></figcaption></figure>

***

## Essay (Forensics)

The problem itself asks you to get to know the Object Linking and Embedding (OLE) file format. You can learn more about it [here](https://en.wikipedia.org/wiki/Object_Linking_and_Embedding).

{% embed url="<https://github.com/decalage2/oletools>" %}

`oletools` will help you extract and analyze hidden links/text from the doc file.

Installation

```
pip install oletools
```

First of all, let’s use [olevba](https://github.com/decalage2/oletools/blob/master/oletools/olevba.py) to extract the **macros embedded in the Word file**. The output file is shown below.

{% file src="/files/z4J1eSj59QZNBAkXnY6l" %}

### Key Findings

* It runs `AutoOpen` to show some messages.
* It calls `EmbedDesktopZip`, which tries to embed a ZIP file named **`secret.zip`** located on the user’s Desktop (`%USERPROFILE%\Desktop\secret.zip`).
* The ZIP filename is obfuscated as `"zcrseet.ip"` and unscrambled by reversing and fixing the extension.
* If the ZIP is missing, it shows an error and exits.

If you look closely, there are suspicious decimal values that appear to be a key.

```vb
Key & Chr(83) & Chr(117) & Chr(112) & Chr(51) & Chr(114) & Chr(83) & Chr(51) & Chr(99) & Chr(114) & Chr(101) & Chr(116) & Chr(80) & Chr(97) & Chr(115) & Chr(115) & Chr(87) & Chr(48) & Chr(82) & Chr(68)
```

Decoding these character codes gives you a password: `Sup3rS3cretPassW0RD`
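The decoding step above can be automated over a whole macro dump. This is an added example, not part of the original challenge files: `decode_chr_runs` is a hypothetical helper name, and it goes slightly beyond the line above by also handling `ChrW`/`Chr$`, `&H` hex literals and VBA line continuations.

```python
import re

# One Chr()/ChrW()/Chr$() call taking a decimal or &H hex literal.
_CHR = r'Chr[WB]?\$?\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\)'
# A run: two or more such calls joined by the VBA operators & or +.
_RUN = re.compile(rf'{_CHR}(?:\s*[&+]\s*{_CHR})+', re.IGNORECASE)
_ARG = re.compile(r'\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)', re.IGNORECASE)
# VBA line continuation: whitespace, underscore, end of line.
_CONTINUATION = re.compile(r'[ \t]+_[ \t]*\r?\n')


def _to_int(literal):
    """Convert a VBA numeric literal (decimal or &H hex) to int."""
    if literal.upper().startswith('&H'):
        return int(literal[2:], 16)
    return int(literal)


def decode_chr_runs(vba_source, min_len=4):
    """Return every string spelled out by a Chr() concatenation run."""
    joined = _CONTINUATION.sub(' ', vba_source)
    decoded = []
    for run in _RUN.finditer(joined):
        codes = [_to_int(a) for a in _ARG.findall(run.group(0))]
        # min_len skips lone control characters such as Chr(10) & Chr(13).
        if len(codes) >= min_len and all(c <= 0x10FFFF for c in codes):
            decoded.append(''.join(chr(c) for c in codes))
    return decoded


# The line from the olevba output shown above.
MACRO_LINE = (
    "Key & Chr(83) & Chr(117) & Chr(112) & Chr(51) & Chr(114) & Chr(83) & "
    "Chr(51) & Chr(99) & Chr(114) & Chr(101) & Chr(116) & Chr(80) & Chr(97) & "
    "Chr(115) & Chr(115) & Chr(87) & Chr(48) & Chr(82) & Chr(68)"
)
# Constructed sample: mixed call forms split over a continued line.
CONTINUED = "x = Chr(&H42) & ChrW(108) & _\n    Chr$(105) & Chr(116)"

if __name__ == "__main__":
    print(decode_chr_runs(MACRO_LINE))
    print(decode_chr_runs(CONTINUED))
```
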

Since there’s a password, there must be a file or something else associated with it.

Now, extract the hidden links from the Doc file.

```bash
┌──(py310env)─(zwique㉿zwique)-[~/Downloads]
└─$ oleobj Essay.docm 
oleobj 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: 'Essay.docm'
Found relationship 'hyperlink' with external link https://www.youtube.com/watch?v=dQw4w9WgXcQ
```

### Execution Flow

1. **Document opens**
   * `AutoOpen()` runs automatically.
2. **Counter runs**
   * Displays a few **“Initializing system…”** message boxes.
3. **ZIP handling starts**
   * Determines your Desktop path:

     ```
     Environ("USERPROFILE") & "\Desktop\"
     ```
   * Unscrambles the string `"zcrseet.ip"` into `"secret.zip"`.
   * Looks for `secret.zip` on your Desktop.
4. **If `secret.zip` exists**
   * Embeds it as an OLE object in the Word document.
   * Immediately tries to open the embedded ZIP.
   * Likely contains **`secret.txt`**, which is where the **real flag** resides.
5. **If `secret.zip` does not exist**
   * Displays an error message:

     ```
     Error: Could not embed resources.
     Ensure 'secret.zip' exists on your Desktop.
     ```

***

### Key Points

* The macro does **not** create or modify `secret.txt`.
* `secret.txt` should already be **inside** `secret.zip` on the Desktop.
* The macro’s sole purpose is to **deliver** and **open** that ZIP file upon document open, meaning the content of `secret.txt` is embedded inside the Doc file.

So, let's try unzipping/extracting the `Essay.docm` file.

```
unzip Essay.docm
```

You’ll get the extracted files of the Doc file. Now, look at `vbaProject.bin`.

So our mission is `secret.zip`. Here is the hook: the content of `secret.zip` was actually leaked inside `vbaProject.bin` in Base64 format.

`Base64: QmxpdHp7 → Blitz{`

```bash
strings vbaProject.bin | grep QmxpdHp7

QmxpdHp7MGwzX0QzTXBfTTNsMTBzfQo
```

**`Flag: Blitz{0l3_D3Mp_M3l10s}`**
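The `strings | grep` step only works when the leaked text starts on a clean Base64 boundary. The following added example (not the author's script; `carve_base64` is a hypothetical name and the bytes around the Base64 string are constructed) generalizes it: it carves Base64 runs out of a binary blob, tries each alignment, and keeps the runs whose decoded bytes contain the flag prefix.

```python
import base64
import re

# Runs of Base64-alphabet bytes, optionally followed by padding.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{8,}={0,2}')


def carve_base64(blob, marker=b'Blitz{'):
    """Return (offset, decoded) for Base64 runs that decode to the marker."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0).rstrip(b'=')
        # The run may begin with unrelated bytes that happen to be in the
        # Base64 alphabet, so try all four character alignments.
        for shift in range(4):
            chunk = run[shift:]
            if len(chunk) % 4 == 1:      # 4n+1 characters is never valid
                chunk = chunk[:-1]
            padded = chunk + b'=' * (-len(chunk) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True)
            except ValueError:
                continue
            pos = decoded.find(marker)
            if pos != -1:
                hits.append((m.start() + shift, decoded[pos:]))
                break
    return hits


# Base64 string from the strings output above (unpadded, as found).
LEAKED = b'QmxpdHp7MGwzX0QzTXBfTTNsMTBzfQo'
# Constructed stand-in for vbaProject.bin: binary noise around the string.
SAMPLE_BLOB = b'\x01\x00Attribute VB_Name\x00\x00' + LEAKED + b'\x00\xff'
# Constructed misaligned case: two stray alphabet bytes glued in front.
MISALIGNED_BLOB = b'\x00AB' + LEAKED + b'\x00'

if __name__ == "__main__":
    for offset, text in carve_base64(SAMPLE_BLOB):
        print(hex(offset), text)
```
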

Sorry for the misleading points like `Sup3rS3cretPassW0RD`, `secret.zip`, and more. XD

***

## Randomized Chaos (Crypto)

<figure><img src="/files/Fua3MNDt8hEL9meFcyWC" alt="" width="375"><figcaption></figcaption></figure>

{% file src="/files/Cdtj0iYCASNa97MJL1Te" %}

{% file src="/files/umvv3AV4rdUSJTmij6PT" %}

Solution Script:

{% file src="/files/MZpKBwH7D6aKkVEy09zg" %}

***

## Hacked By Kids Part 1 (OSINT)

<figure><img src="/files/AHylxN2t2mJdZN51BmRN" alt="" width="375"><figcaption></figcaption></figure>

The intended solution was to pick `keywords` out of the given description and search for them on the internet. You’ll find the matching crime case, where UK teens hacked a CIA agent.

For more about the case: <https://darknetdiaries.com/transcript/139/>

Then what you need to do is locate the court.

<https://www.justice.gov/usao-edva/file/890421/dl>

**`Flag: Blitz{1:16-mj-406}`**

***

## Lost in UB (OSINT)

<figure><img src="/files/dsoxHDTmsmIKYiEeJuar" alt="" width="375"><figcaption></figcaption></figure>

<figure><img src="/files/hCtFBgDSAeVuvjRz8S0a" alt="" width="375"><figcaption></figcaption></figure>

First of all, you have to get to know the case and list the things you’ve found so far.

1. I was next to **Genghis Khan National Museum Mongolia** <https://maps.app.goo.gl/dqF4tG2AALnWTqQX7>
2. They want me to take a bus to get back to the `hotel`. As he mentioned, I’ll need to hop off the bus at `12:26`. If you look closely, he actually messaged at `12:10`. That means it takes `16 minutes` to reach the final destination (the station where I `hopped on` during a different trip).
3. He also mentioned `another trip` I posted on my social media, where I took the same bus.
4. Lastly, there is a Japanese restaurant located near the hotel.

Great!!! You’ve got everything from their chat. Now let’s stalk me.

### Different Trip to National University

[x.com](http://x.com) → <https://x.com/Zwique_1337>

Quite interesting posts, where you’ll see I discussed my plan to go to the National University of Mongolia. However, most of the players didn’t notice that it’s a completely `different trip` from the one going from the Genghis Khan National Museum to my hotel. Furthermore, I’ve mentioned the station where I `hopped on` in my personal blog. Let’s check that.

<figure><img src="/files/YlMPACNOmA059Sz16Tfp" alt="" width="375"><figcaption></figcaption></figure>

If you run Sherlock, you’ll find <https://zwique.blogspot.com/> and <https://github.com/Zwique/> links. The first blog is a text-only version of my blog. However, if you visit my GitHub, you’ll see that my blog there posts only images: <https://zwique.gitbook.io/zwique_notes/achievements/blog-in-ulaanbaatar>

### Images on Blog

It clearly shows, as proof, the images where I took the `Ч:28` bus line and headed to one station. Check the time it takes to reach every stop from `Genghis Khan National Museum`.

<figure><img src="/files/jq2IqrZ51AdNRFsOfXt5" alt="" width="375"><figcaption></figcaption></figure>

<https://www.google.com/maps/dir/47.9228543,106.9147054/%D0%9C%D0%A3%D0%91%D0%98%D0%A1,+SBD+-+8+khoroo,+Ulaanbaatar/@47.9210604,106.9144673,2274m/data=!3m1!1e3!4m9!4m8!1m0!1m5!1m1!1s0x5d96924746339b05:0x63195dbfccabd5df!2m2!1d106.923851!2d47.9185715!3e3?entry=ttu&g_ep=EgoyMDI1MDYzMC4wIKXMDSoASAFQAw%3D%3D>

Nice, bus line `Ч:28` stops at MUBIS station, and it takes `16 mins` to reach the station.

### Recap:


1. He hopped off at MUBIS station <https://maps.app.goo.gl/gxri4fXiBCLPKUmr5>
2. We know the picture where I’m heading to the station.

<figure><img src="/files/5c7THscTqssDKcSjUnuo" alt=""><figcaption></figcaption></figure>

**Now your mission is simply to locate the location shown in this image. This part might be difficult for players to handle.** <https://maps.app.goo.gl/va8827SG4TfJrFve7> It’s possible to find it by going near MUBIS station and locating this road. At the end, search for the `hotel` that has a Japanese restaurant next to it.

Hotel: <https://maps.app.goo.gl/b4rSoeneoHwdnFQr5>

Japanese Restaurant: SUSHI HERO Japan Restaurant 寿司廣（すしひろ）

<figure><img src="/files/cmXu2xV8YEgkbB4ClBtR" alt="" width="375"><figcaption></figcaption></figure>

**`Flag: Blitz{Epos_Hotel}`**

***

## Switzerland of Asia (OSINT)

<figure><img src="/files/tNvL6vtwmb7alwVaDM9O" alt="" width="375"><figcaption></figcaption></figure>

<figure><img src="/files/a9dwG7R2JYRQWqI6MpJM" alt=""><figcaption></figcaption></figure>

It was actually quite easy to solve. As the description stated, I like to take photos and write short reflections. Some people may have just found the place where I upload the full version of this photo and write reviews.

However, the intended solution is to check my GitBook:

<https://zwique.gitbook.io/zwique_notes/achievements/blog-in-ulaanbaatar>

`*Only images here.* I also like to add blogs with beautiful nature photos on https://kr.pinterest.com.`

Find my account on Pinterest:

<https://kr.pinterest.com/Zwique_1337/switzerland-of-asia/>

In the comments section, a long text is waiting for you all. As mentioned in the description, hit CMD/CTRL + F or open your eyes and look closely for suspicious things.

<figure><img src="/files/696As6X0GL485W0QUpjI" alt=""><figcaption></figcaption></figure>

Follow the Pastebin link and get what you were looking for. <https://pastebin.com/HvCVgscd>

**`Flag: Blitz{ALTa1_TaVAn_B0Gd_Mongolia}`**

***

## Hacked By Kids Part 2 (OSINT)

<figure><img src="/files/IxJ4dHhdLq9txnllS5Lv" alt="" width="375"><figcaption></figcaption></figure>

I’m proud to say that this is my favorite challenge I created for BlitzCTF 2025.

Since it’s related to Part 1, we gotta look at the characters of the last crime case.

Associated People:

* Cracka (**Kane Gamble**) <https://en.wikipedia.org/wiki/Kane_Gamble>
* D3f4ult (JUSTIN GRAY LIVERMAN)
* INCURSIO (ANDREW OTTO BOGGS)

Search each of them on our Discord Server. You’ll find Cracka.

<figure><img src="/files/vETKKW9X0CbahCt4Mp88" alt="" width="375"><figcaption></figcaption></figure>

He is the guy 📈 Check every link. One of them leads to a YouTube video that covers the crime case:

<https://youtu.be/FivA4WubhLY?si=RFOO2MPjyD0mXGzB>

Inside the description, you can find a Pastebin link mentioning sources across different media platforms:

<https://pastebin.com/raw/wrQ13aSY>

As the description mentioned, he revealed his location on a news platform, so check every link and look for interesting comments, information, etc.

On the 20 Minutes news site, you’ll find Cracka commenting on his own crime case.

{% embed url="<https://www.20minutes.fr/monde/2205667-20180120-grande-bretagne-ado-pirate-compte-ex-chef-cia-devant-justice>" %}

<figure><img src="/files/CnS1qjvkR8zo4bunB8ps" alt="" width="563"><figcaption></figcaption></figure>

He clearly describes that he’s sitting in a restaurant that closes at 8:30 pm (he’s quite upset about that). Moreover, you can see his `IP address` in the profile picture.

<figure><img src="/files/aMmyIg4gphL6iqZoIsy7" alt=""><figcaption></figcaption></figure>

Look up the IP address and find its origin.

Latitude: 52.6386 (52° 38′ 18.96″ N)

Longitude: -1.1317 (1° 7′ 54.08″ W)

<https://whatismyipaddress.com/ip/93.93.223.188>

As mentioned in the description, go to Google Maps and locate the coordinates.

Search nearby for a restaurant that closes at 8:30 pm: <https://www.google.com/maps/search/Restaurants/@52.6386,-1.1342749,694m/data=!3m2!1e3!4b1!4m7!2m6!3m5!1sRestaurants!2s52.6388,+-1.1317!4m2!1d-1.1317229!2d52.6387613?entry=ttu&g_ep=EgoyMDI1MDYzMC4wIKXMDSoASAFQAw%3D%3D>

The only restaurant you’ll get is **PHỞ LÊ Vietnamese Restaurant** <https://maps.app.goo.gl/gLPGanBYNYHEs2168>

Check the review and get the flag.

<figure><img src="/files/KW7Vh3VJa6fpcDQTtxuR" alt="" width="375"><figcaption></figcaption></figure>

**`Flag: Blitz{C24ck45_W17h_A7717ud3_F0r3v3r}`**

This is the challenge I’ve enjoyed creating the most. Congratulations to teams **`Curiosity`** and **`0bscuri7y`** for solving it.

**Thank you so much for playing BlitzCTF 2025. I hope to see everyone next year.**

