* Flags

Just use https://www.dcode.fr/maritime-signals-code

* c0rrupt

This turned out to be surprisingly tricky. The PNG format consists of a header followed by chunks. Each chunk consists of 4 length bytes, 4 identifier bytes, as many bytes as specified by the length and 4 checksum bytes. The chunk data is interpreted according to the chunk's identifier; the spec explains the common ones: http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html

The task is to open the file in a hex editor (try =r2= if you dare) and edit the identifiers, lengths and contents until the file opens correctly. Checksums don't need to be adjusted, as most viewers will treat incorrect ones as a warning, but feel free to fix them nonetheless *after* you're done fixing everything else with http://schaik.com/png/pngcsum.html

One issue I ran into was assuming the PNG file has a single IDAT chunk and interpreting everything after the identifier bytes as content, then adjusting the length accordingly. This is wrong: there are several consecutive IDAT chunks and each of them needs its length adjusted to span only that much.

If everything went right, you'll get a noisy image spelling out the flag as =picoCTF{c0rrupt10n_1847995}=. If not, apply the following radiff2 patch with =r2 -q -w -i mystery.r2patch mystery=:

#+BEGIN_QUOTE
wx 50 @ 0x00000001
wx 47 @ 0x00000003
wx 1a0a @ 0x00000006
wx 4948 @ 0x0000000c
wx 00 @ 0x00000046
wx 0ec4 @ 0x00000048
wx 0ec4 @ 0x0000004c
wx 0000 @ 0x00000053
wx 49 @ 0x00000057
wx 41 @ 0x00000059
#+END_QUOTE

* m00nwalk

http://www.techedupteacher.com/how-to-make-an-sstv-puzzle/ explains how the transmission can be decoded. I downloaded the suggested decoder, ran it in WINE and tried figuring out a way to load up the audio file.
It turns out the program processes everything looking like a microphone instead, so I ended up with the following contraption:

- Upload the audio file on a web server
- Download the audio file to my smartphone
- Play back the audio file on my smartphone, holding it towards my laptop's built-in microphone
- Make sure the sound is picked up by the program

Eventually I ended up with the following:

[[file:m00nwalk.png]]

Note that using the save button creates a watermarked copy, with the watermark obscuring half of the flag, hence the screenshot.

* m00nwalk 2

Using the same trick a few more pictures can be decoded from the additional audio files. They hint at steganography being used with the passphrase =hidden_stegosaurus=. Use =steghide= with it on the main audio file and you can extract a text file containing the flag:

#+BEGIN_QUOTE
picoCTF{the_answer_lies_hidden_in_plain_sight}
#+END_QUOTE

* mus1c

Just use the online interpreter on https://codewithrockstar.com/online and it will print a bunch of numbers:

#+BEGIN_QUOTE
114 114 114 111 99 107 110 114 110 48 49 49 51 114
#+END_QUOTE

These are ASCII for "rrrocknrn0113r" which happens to be the flag.

* 1_wanna_b3_a_r0ck5tar

Unlike the previous exercise this one cannot be solved just by using the online demo on the official website and some analysis of the code is required.
I've used https://github.com/marcinruszkiewicz/kaiser-ruby to compile the code to Ruby:

#+BEGIN_SRC ruby
@rocknroll = true
@silence = false
@a_guitar = 19
@tommy = 44
@music = 160
print '> '
__input = $stdin.gets.chomp
@the_music = Float(__input) rescue __input
if @the_music == @a_guitar
  puts ("Keep on rocking!").to_s
  print '> '
  __input = $stdin.gets.chomp
  @the_rhythm = Float(__input) rescue __input
  if @the_rhythm - @music == nil
    @tommy = 66
    puts (@tommy).to_s
    @music = 79
    @jamming = 78
    puts (@music).to_s
    puts (@jamming).to_s
    @tommy = 74
    puts (@tommy).to_s
    @tommy = 79
    puts (@tommy).to_s
    @rock = 86
    puts (@rock).to_s
    @tommy = 73
    puts (@tommy).to_s
    break
    puts ("Bring on the rock!").to_s
  else
    break
  end
end
#+END_SRC

After ignoring the nonsensical =break= statements and fixing the second comparison, it's possible to just execute the code. Enter the two expected numbers when prompted and the code will print the following numbers:

#+BEGIN_QUOTE
66 79 78 74 79 86 73
#+END_QUOTE

Once again it's ASCII, but for "BONJOVI".
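
Returning to c0rrupt: the chunk layout described there (4 length bytes, 4 identifier bytes, data, 4 checksum bytes) can be checked mechanically to find which fields are damaged before editing them in a hex editor. The following Python sketch is an added example, not part of the original solution; the sample PNG is constructed in memory, and =walk=, =chunk=, =sample_png= and =patched= are hypothetical helper names.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types this sketch accepts (a subset of the spec's list)
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"gAMA", b"sRGB", b"pHYs", b"tEXt"}

def chunk(ctype, data):
    """Build one chunk: 4-byte length, 4-byte type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk(blob):
    """Return [(offset, type, length, problems)] for every chunk in blob."""
    report = []
    if blob[:8] != PNG_SIG:
        report.append((0, b"", 0, ["bad signature"]))
    off = 8
    while off + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        problems = [] if ctype in KNOWN else ["unknown type"]
        end = off + 12 + length
        if end > len(blob):
            # Typical symptom of a corrupted length field
            report.append((off, ctype, length, problems + ["length runs past end of file"]))
            break
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(blob[off + 4:end - 4]):
            problems.append("bad CRC")
        report.append((off, ctype, length, problems))
        off = end
    return report

def sample_png():
    """Constructed 1x1 grayscale PNG whose pixel data is split over two IDAT chunks."""
    raw = zlib.compress(b"\x00\xff")  # filter byte + one pixel
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", raw[:4])
            + chunk(b"IDAT", raw[4:]) + chunk(b"IEND", b""))

def patched(blob, offset, new_bytes):
    """Return a copy of blob with new_bytes written at offset (simulates damage)."""
    return blob[:offset] + new_bytes + blob[offset + len(new_bytes):]

if __name__ == "__main__":
    good = sample_png()
    bad = patched(patched(good, 12, b"XHDR"), 33, b"\x00\xff\xff\xff")
    for name, blob in (("good", good), ("damaged", bad)):
        for off, ctype, length, problems in walk(blob):
            print(name, hex(off), ctype, length, problems or "ok")
```

A damaged identifier shows up as an unknown type with a bad CRC, because the checksum covers the identifier bytes as well as the data, while a damaged length stops the walk at that chunk.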