🌐 Buried Deep

A detailed write-up of the Web challenge 'Buried Deep' from ACECTF1.0 - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | ACECTF - 2025 | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 100 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10 |
| 👤 Author | Unknown | Profile |
| 🎮 Solves (At the time of writeup writing) | 89 | solve rate |
| 📅 Date | 27-02-2025 | ACECTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

📝 Challenge Information

“I’m not a hacker. I’m just someone who wants to make the world a little better. But the world isn’t going to change itself.” Submit your answer in the following format: ACECTF{3x4mpl3_fl4g} The flag content should be in lowercase letters only. http://34.131.133.224:9998/

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

[Image: Site Presentation]

Since I didn’t find anything by inspecting the page source, I decided to check the robots.txt:

[Image: Robots]

I found some routes. Instead of inspecting them one by one, I wrote a for loop in bash that uses curl:

bash -c 'for path in secret hidden cryptic forbidden private buried underground secret_path hidden_flag buried_flag encrypted; do
 curl -s -w "- %{http_code} - $path\n" "http://34.131.133.224:9998/$path"
 done'

[Image: Curl Requests]

By doing this, I extracted the text from each page. I noticed that some pages had strange text, like /buried and /secret_path. I thought that /buried might contain a part of the flag in decimal, to be converted into ASCII (since there are no hex characters), and it seems pretty obvious that /secret_path might be in Morse code. Let’s move on to the exploitation phase.

🎯 Solution Path

Exploitation Steps

Initial setup

The first thing I do is verify that /buried contains the first part of the flag converted to decimal. I do this with CyberChef by applying the From Decimal filter.

[Image: First Part]

As we can see, the decoded text is indeed the first part of the flag. Let’s move on to the next phase.

Exploitation

For the second part of the flag, I used an online tool (https://morsecodetranslator.com/) to decode from Morse code to text.

[Image: Second Part]

For the last part of the flag, the final curl request tells us, “Sometimes the answers are hidden in plain sight. Or, in this case, styled just right. 🖋️👀”. Since “styled” is mentioned, I figured it might be in the CSS. Indeed, by inspecting the source of /, I found the CSS file http://34.131.133.224:9998/static/css/style.css, and inside it, I found #flag.

[Image: CSS]

As we can see, it specifies (content: “bC5 !2CE @7 E96 u=28 :D i f9b0db4CbEd0cCb03FC`b5N”;), which looks quite strange. I then used (https://www.dcode.fr/cipher-identifier) to identify the cipher used.

[Image: Cipher Identifier]

It turns out to be a ROT47, so I used CyberChef again with the ROT47 filter to decode it.

[Image: Third Part]

Putting together the three parts, I obtained: ACECTF{1nf1l7r471ng_7h3_5y573m_15_345y_wh3n_y0u_kn0w_wh3R3_7h3_53cr3t5_4r3_bur13d}. However, there’s still one last step, which is to make it lowercase as mentioned in the challenge description. So, I used Python to do that.

python -c 'print("\nFLAG: " + "ACECTF"+"{1nf1l7r471ng_7h3_5y573m_15_345y_wh3n_y0u_kn0w_wh3R3_7h3_53cr3t5_4r3_bur13d}".lower())'

This gave me the final flag.

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The automated exploit converts the decimal text to ASCII, translates the Morse code to text, decodes the last part of the flag from ROT47, and finally assembles the complete flag.

# Requirements
pip install morse-talk
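
The three decoding steps described in the approach, as an added example (this is not the author's exploit script). It uses a small built-in Morse table instead of morse-talk so that it runs offline; the decimal and Morse inputs are constructed stand-ins, since the real /buried and /secret_path bodies are not reproduced in the text, while the ROT47 string is the one quoted from style.css above.

```python
import string

# International Morse code for A-Z, 0-9 and underscore.
_LETTERS = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
            "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
_DIGITS = "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.".split()
MORSE = dict(zip(_LETTERS + _DIGITS, string.ascii_uppercase + string.digits))
MORSE["..--.-"] = "_"


def from_decimal(text):
    """Decode whitespace-separated decimal code points (like CyberChef's From Decimal)."""
    return "".join(chr(int(tok)) for tok in text.split())


def from_morse(text):
    """Decode space-separated Morse symbols; '/' separates words, unknown symbols become '?'."""
    words = text.strip().split("/")
    return " ".join("".join(MORSE.get(sym, "?") for sym in w.split()) for w in words)


def rot47(text):
    """Rotate printable ASCII (33..126) by 47 positions; self-inverse, spaces untouched."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )


def assemble(decimal_part, morse_part, css_content):
    """Join the three decoded parts and lowercase the flag content, as the challenge asks."""
    # The decoded CSS string reads "<label> : <flag part>", so keep what follows the colon.
    third = rot47(css_content).split(":", 1)[1].strip()
    body = from_decimal(decimal_part) + from_morse(morse_part) + third
    prefix, rest = body.split("{", 1)
    return prefix + "{" + rest.lower()


# ROT47 string quoted in the write-up (content of #flag in style.css).
CSS_CONTENT = "bC5 !2CE @7 E96 u=28 :D i f9b0db4CbEd0cCb03FC`b5N"
# Constructed stand-ins for the two page bodies that are only shown as screenshots.
SAMPLE_DECIMAL = "65 67 69 67 84 70 123 112 52 114 116 49 95"
SAMPLE_MORSE = ".--. ....- .-. - ..--- ..--.-"

if __name__ == "__main__":
    print(rot47(CSS_CONTENT))
    print(assemble(SAMPLE_DECIMAL, SAMPLE_MORSE, CSS_CONTENT))
```

Morse decoders return uppercase letters, which is why the lowercase step is applied to the assembled flag content rather than to each part.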

🚩 Flag Capture

Flag

Proof of Execution

[Image: Automated Flag. Screenshot of successful exploitation]

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| dcode.fr | Cipher Identifier |
| CyberChef | Decoding |
| MorseCode Translator | Decoding Morse Code |

💡 Key Learnings

Time Optimization

Always use https://www.dcode.fr for the cipher identifier.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:07 | From start to flag |
| Global Ranking (At the time of writeup writing) | 1/564 | Challenge ranking |
| Points Earned | 100 | Team contribution |

Created: 27-02-2025 • Last Modified: 27-02-2025
Author: mH4ck3r0n3 • Team: QnQSec