CatWithASteg

• We are given a file named hiden.jpg, which is an invalid .jpg file.
• Reading the file’s header, we are met with:

$ hexdump -C hiden.jpg | head
00000000  01 23 45 67 89 01 23 45  67 89 01 23 45 67 89 01  |.#Eg..#Eg..#Eg..|
00000010  23 45 67 89 aa aa aa aa  ff 8d ff 0e 00 10 4a 46  |#Eg...........JF|
00000020  49 46 00 01 01 01 00 60  00 60 00 00 ff e1 00 be  |IF.....`.`......|
00000030  45 78 69 66 00 00 4d 4d  00 2a 00 00 00 08 00 06  |Exif..MM.*......|
00000040  01 12 00 03 00 00 00 01  00 01 00 00 01 1a 00 05  |................|
00000050  00 00 00 01 00 00 00 56  01 1b 00 05 00 00 00 01  |.......V........|
00000060  00 00 00 5e 01 28 00 03  00 00 00 01 00 02 00 00  |...^.(..........|
00000070  02 13 00 03 00 00 00 01  00 01 00 00 87 69 00 04  |.............i..|
00000080  00 00 00 01 00 00 00 66  00 00 00 00 00 00 00 60  |.......f.......`|
00000090  00 00 00 01 00 00 00 60  00 00 00 01 00 06 90 00  |.......`........|

• We can see garbage date from line 0 to 10, from 01 to aa. To fix this, we need to extract the image by writing this file to another file, but skipping the first 24 bytes.

$ dd if=hiden.jpg of=fixed.jpg bs=1 skip=24
5857+1 records in
5857+1 records out
140589 bytes (141 kB, 137 KiB) copied, 0.000000000001 s, 9999.99 TB/s

• However, it’s still not a valid image because byte at 02 and 04 are wrong. Using tools like dhex, we fix the two bytes 8d and 0e into d8 and e0, the resulting image is:

  

Flag: W1{Y0u_4r3_v3ry_g00d_m3ow!}

Free Flag On Network

• We are given a file chall.pcapng, reading the file gives up multiple POST request with the name flag*.txt, which mean the flag is fragmented and encoded with Base64, we first extract the fragments to a single file.
• The resulting file is a .png file, but all of it’s chunks are flipped! We can fix the image by using this script.

#!/usr/bin/sh
for i in `seq 1 100`
do
	sed -n "$i"p flag-reverse.png | base64 -d |  xxd -p -c1 | tac | xxd -p -r >> flag.png
done

What is it?

• We are given an audio file which contains morse code. Translating the morse code gives us passwordisgoodluck, which looks like a steghide password.

$ steghide extract -sf chall.wav -p 'passwordisgoodluck'
wrote extracted data to "hidden.zip"

• Extracting hidden.zip gives us 2 files: part1.txt and next2.zip
• The file part1.txt reads W1{s0m3_7h1ng5_1n, which is half of our flag.
• The file next2.zip has it’s bits flipped every byte. To fix this, we have this script:

#!/usr/bin/sh
xxd -p "next2.zip" | tr -d '\n' | \
awk '{for(i=1;i<=length($0);i+=4) printf substr($0,i+2,2) substr($0,i,2)}' | \
xxd -r -p > "fixed.zip"
unzip "fixed.zip"

• The result is the following image:

  

  Flag: W1{s0m3_7h1ng5_1n_7h15_4ud10}

Paranoid

Part 1

• We are given a password-protected zip file Challenge.zip. The given password is Y9vSetBNi01L, we first extract this zip file by running:

$ 7z x -p 'Y9vSetBNi01L' Challenge.zip

• The zip file deflates into the following directories:

Challenge
└── C
    ├── $Recycle.Bin
    ├── Users
    └── Windows

• Navigate into $Recycle.Bin, we then have the following files:

$Recycle.Bin
└── S-1-5-21-2765701107-1008841495-107006118-1001
    ├── $IF8GDZ2.lnk
    ├── $IOPM1D5.txt
    ├── $RF8GDZ2.lnk
    ├── $ROPM1D5.txt
    └── desktop.ini

• Reading $ROPM1D5 gives us the first part of our flag encrypted with base64 and base32.

$ cat '$ROPM1D5'
TODO:

- Learning about Windows operating system.
- Is there a way to store data secretly?
- Someone send me this message: V2UgaGF2ZSBiZWVuIGtlZXBpbmcgdHJhY2sgb2YgeW91IGZvciBvdmVyIGEgbW9udGggbm93LiBTb29uLCB3ZSB3aWxsIGhhY2sgeW91ciBkYXRhLiBIZXJlIGlzIG91ciBmaXJzdCBtZXNzYWdlOiBLNFlYV05DN09ZWlhFNks3TU5XRElOSlZHRlJWNj09PQ==

$ echo 'V2UgaGF2ZSBiZWVuIGtlZXBpbmcgdHJhY2sgb2YgeW91IGZvciBvdmVyIGEgbW9udGggbm93LiBTb29uLCB3ZSB3aWxsIGhhY2sgeW91ciBkYXRhLiBIZXJlIGlzIG91ciBmaXJzdCBtZXNzYWdlOiBLNFlYV05DN09ZWlhFNks3TU5XRElOSlZHRlJWNj09PQ==' | base64 -d
We have been keeping track of you for over a month now. Soon, we will hack your data. Here is our first message: K4YXWNC7OYZXE6K7MNWDINJVGFRV6===

$ echo 'K4YXWNC7OYZXE6K7MNWDINJVGFRV6===' | base32 -d
W1{4_v3ry_cl4551c_

• First part of the flag: W1{4_v3ry_cl4551c_

Part 2

• Next, reading $IF8GDZ2.lnk gives us:

$ strings '$RF8GDZ2.lnk'
/C:\
8[2U
PROGRA~1
XD;8[4U.
8[3U
VERACR~1
8[2U8[4U.
8[3U
VERACR~1.EXE
8[3U8[4U.
C:\Program Files\VeraCrypt\VeraCrypt.exe
desktop-e28o89c
1SPSU(L
1SPS

• This gives us a hint that VeraCrypt - a disk encryptor - might have been used to hide the next part of our flag.
• We then navigate into Users/KoishiKomeiji/Documents, which then gives us 2 suspicious files:

KoishiKomeiji
└── Documents
    ├── desktop.ini
    ├── more_secret
    ├── nothing_here.txt
    └── secret.kdbx

• The secret.kbdx file is a database file for KeepassXC - a password manager.
• The more_secret file is unknown. One interesting fact about it is it’s size.

 $ du more_secret
10240	more_secret

• We know that Veracrypt has been used on this computer based on the previous hint. Veracrypt encrypts filesystem with a block size of 512, of which 10240 / 512 = 20, a perfect integer! Now we can say for sure that more_secret is a Veracrypt file. But we still need to find the keys to open it.
• By navigating into Users/KoishiKomeiji/Pictures, we are met with:

Pictures 
    ├── desktop.ini
    ├── i_m_bored.bmp
    └── my_cats

• This is what the i_m_bored.bmp looks like.

• The text reads: keepass:1_am_b3h1nd_U!. That gives the password for the previously found secret.kbdx file!
• Opening it up, the password for the Veracrypt file is YHG8YjFscyZRVDtJV1TH along with a note that says “also, my favourite cat is a key too!”. Which mean that the Veracrypt file was encrypted with a passphrase and a keyfile.
• Inside the my_cats directory, we have 5 pictures of 5 different cats. By bruteforcing, the cat4.jpg file is the correct keyfile.
• By mounting the decrypted file, we are met with a peculiar file called secret_token.txt, which reads:

$ cat secret_token.txt
API Token for my hidden web app:

SECRET-X-KEY=T2theSwgeW91IGdvdCB0aGlzISBIZXJlIGlzIHBhcnQgMjogbl8zel9kZjFyXw

• Yes! We have found another clue, but this time it’s a LIE! There are actually no web apps, the token is actually our flag, but encrypted with base64.

$ echo 'T2theSwgeW91IGdvdCB0aGlzISBIZXJlIGlzIHBhcnQgMjogbl8zel9kZjFyXw==' | base64 -d
Okay, you got this! Here is part 2: n_3z_df1r_

• Which give us the second part of our flag: n_3z_df1r_

Part 3

• Going into Users/KoishiKomeiji/Desktop, we are met with:

Desktop
    ├── desktop.ini
    ├── 'Microsoft Edge.lnk'
    └── new_note.txt

• Reading new_note.txt, we get the following text:

$ cat new_note.txt
TODO: 

- Learning more about Windows (maybe learning about PowerShell is a good idea!).
- I need to be more careful. Someone is watching me recently.
- Asking for cat food since our cat Orin is hungry.
- Learning how to use both password and file as a key for disk encryption. 

• The first line hinted at some PowerShell activity. Which is often recorder in an .evtx file.

$ find -name '*.evtx'
./C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Admin.evtx
./C/Windows/System32/winevt/logs/Microsoft-Windows-PowerShell%4Operational.evtx
./C/Windows/System32/winevt/logs/Windows PowerShell.evtx

• By reading Microsoft-Windows-PowerShell%4Operational.evtx, either on Windows, or with evtx_dump on Linux we are met with interesting activities by the owner.

...
<Data Name="ScriptBlockText">$k=[Convert]::FromBase64String(&quot;XAAeAgAAAAaAAFAAAAAAFAAAAAAFAAAAAAFAAGAAAAA=&quot;);$iv=[Convert]::FromBase64String(&quot;ABBCCDDEEFAAXXAAAAEAFA==&quot;);$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$aes.IV=$iv;$aes.Mode=&quot;CBC&quot;;$aes.Padding=&quot;PKCS7&quot;;[IO.File]::WriteAllBytes(&quot;what.enc&quot;,($aes.CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes(&quot;part3.txt&quot;),0,(Get-Item &quot;part3.txt&quot;).Length)));Remove-Item &quot;part3.txt&quot; -Force</Data>
    <Data Name="ScriptBlockId">f310491a-a6cb-4763-8939-9192971f8b9f</Data>
...
<Data Name="ScriptBlockText">$k=[Convert]::FromBase64String(&quot;isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=&quot;);$iv=[Convert]::FromBase64String(&quot;ABBCCDDEEFAAXXAAAAEAFA==&quot;);$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$aes.IV=$iv;$aes.Mode=&quot;CBC&quot;;$aes.Padding=&quot;PKCS7&quot;;[IO.File]::WriteAllBytes(&quot;again.enc&quot;,($aes.CreateEncryptor().TransformFinalBlock([IO.File]::ReadAllBytes(&quot;part3.txt&quot;),0,(Get-Item &quot;part3.txt&quot;).Length)));Remove-Item &quot;part3.txt&quot; -Force</Data>
    <Data Name="ScriptBlockId">7db6a942-b08c-473b-9e18-a3a87913d0b2</Data>
...

• This suggests that some part3.txt file has been encrypted with AES-CBC from a file called again.enc and what.enc

• The logs also gives us three very important data which can be useful for decrypting later on:

  1. The encryption key: XAAeAgAAAAaAAFAAAAAAFAAAAAAFAAAAAAFAAGAAAAA=
  2. Another encryption key: isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=
  3. The IV (Initilization Vector): ABBCCDDEEFAAXXAAAAEAFA==

• Finding again.enc gives us nothing, but we are able to find what.enc

$ find -name 'what.enc'
./C/Users/KoishiKomeiji/AppData/Local/Temp/what.enc

• By using a tool like CyberChef , we can start our decryption.
• With:
  1. The encryption key: isAHwCEPTivSgg8lTyCBCdY4XNBMtmyh56ddKBX9GAU=.
  2. The IV: ABBCCDDEEFAAXXAAAAEAFA==.
• We get the following message:

Yay! U found me! Here is ur final part:
7nQ0;92dTA:J+,V;c,>Q9f5pO:Kg(d9hnGR9iWrO:JilK<A[ZI:KgUr6TmRq

• This is a string encoded in Base85, after decoding we get a Base32 string, then Base58, then finally Base64, which gives us:

$ echo "Y2g0bGxfcjFnaDc/fQ==" | base64 -d
ch4ll_r1gh7?}

• Our final part of the flag: ch4ll_r1gh7?}

Flag: W1{4_v3ry_cl4551c_n_3z_df1r_ch4ll_r1gh7?}

Unreliable supporter

• We first access the challenge’s server by running the given script.

$ nc 61.28.236.247 1279

Before accessing the service, you must solve a proof of work (PoW) challenge.
Just run the solver with the following command:
python3 <(curl -sSL https://goo.gle/kctf-pow) solve <ID>
===================

Solution? <ADD_YOUR_TOKEN_HERE>

$ python3 <(curl -sSL https://goo.gle/kctf-pow) solve <ID>
Solution: <TOKEN>

• After plugin in our token, the first question is as followed:

[1]. What app did the user use to connect with the supporter? [Text]
==>

• By navigating into C:/Program Files, we see a single TeamViewer directory. This is a directory for TeamViewer - a program that allows remote access control. From there we are able to answer the first question.

[1]. What app did the user use to connect with the supporter? [Text]
==> Teamviewer
Correct!

[2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss]

• Inside the TeamViewer directory, we are able to find a log file: TeamViewer15_Logfile.log
• According to TeamViewer’s documentation, we are able to find the successful connection time by finding the CPersistentParticipantManager::AddParticipant: keyword.

$ grep 'CPersistentParticipantManager::AddParticipant:' TeamViewer15_Logfile.log
2025/09/24 16:00:47.571 10336      10360 S0   CPersistentParticipantManager::AddParticipant: [835637453,-2031617936] type=3 name=CONAN
2025/09/24 16:00:47.573 10336      10356 S0   CPersistentParticipantManager::AddParticipant: [835637453,-2031617936] type=3 name=CONAN
2025/09/24 16:00:47.581 10336      10360 S0   CPersistentParticipantManager::AddParticipant: [838465849,-1253335535] type=6 name=Thinh Dinh Quoc

• The host will have the ID type=3 and the client wil have the ID type=6
• From here, we can extract the time in the given format: 2025/09/24 16:00:47

[2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss]
==> 2025/09/24 16:00:47
Wrong answer!
Disconnected. Bye!

• Hmm, maybe the answer isn’t the Successful Connection Attempt, but on a handshake?

$ grep 'CreateServerHandshake' TeamViewer15_Logfile.log
2025/09/24 16:00:35.026 10336      10356 S0   tvsecurenetworkimpl::SecureNetworkHandshakeFactoryTVSession::CreateServerHandshake: Using secure network handshake type: 0

• Our answer is 2025/09/24 16:00:35

[2]. When did the supporter connect to the victim's computer? [YYYY/MM/DD hh:nn:ss]
==> 2025/09/24 16:00:35
Correct!

[3]. Which file did the attacker exfiltrate first from the victim's computer? [File.ext]

• According to TeamViewer’s documentation, we are able to trace transfered file with the Send file keyword.

$ grep 'Send file' TeamViewer15_Logfile.log
2025/09/24 16:04:11.776  5828       9584 G1   Send file C:\Users\iamqt\Documents\secret\account.txt
2025/09/24 16:05:10.414  5828       9584 G1   Send file C:\Users\iamqt\Favorites\Links\secret.zip

• The first stolen file is account.txt, we are also able to answer the following question.

[3]. Which file did the attacker exfiltrate first from the victim's computer? [File.ext]
==> account.txt
Correct! 

[4]. What is the full path of the .zip file the attacker obtained? [full path]
==> C:\Users\iamqt\Favorites\Links\secret.zip
Correct!

[5]. What is the password for that .zip file? [Text]
==>

• Moving to C:/Users/iamqt/Favourites/Links, we are able to find a zip file c3507d5b8fa65c7e08a7f4c9075d6b39.zip. Trying to unzip this file prompts us for a password. This is secret.zip, but renamed somehow. This will be important later on.
• According to our previous answer, the attacker also stole account.txt. Traversing to C/Users/iamqt/Documents/secret/ gives us a text file 2064c76a06fd0048e38261b5c8b01597.txt, which reads:

$ cat '2064c76a06fd0048e38261b5c8b01597.txt'
app,username,password
facebook,user01,password123
zalo,0232167876,12345678
uit,26529999,qwerty2025
gmail,fakemail@gmail.com,letmein!
secret.zip,.,******

• The password to the zip file is redacted, but has 6 characters, we can bruteforce the password using the rockyou wordlist and JohnTheRipper

$ zip2john c3507d5b8fa65c7e08a7f4c9075d6b39.zip > zip.hash
ver 1.0 efh 5455 efh 7875 c3507d5b8fa65c7e08a7f4c9075d6b39.zip/message.txt PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=11D1EC96

$ Warning: invalid UTF-8 seen reading rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveu           (c3507d5b8fa65c7e08a7f4c9075d6b39.zip/message.txt)
1g 0:00:00:00 DONE (2025-10-09 13:02) 33.33g/s 118200p/s 118200c/s 118200C/s 123456..sss
Use the "--show" option to display all of the cracked passwords reliably
Session complete

• Our password is iloveu

[5]. What is the password for that .zip file? [Text]
==> iloveu
Correct!

[6]. Which file did the attacker transfer to the victim's computer for malicious purposes? [Text]
==>

• Going to C/Users/iamqt, we find a file named aShjKg, which reads:

import os,hashlib

self_path = os.path.abspath(__file__) if '__file__' in globals() else None

for root,_,files in os.walk('.'):
    for f in files:
        old = os.path.join(root,f)
        if self_path and os.path.abspath(old) == self_path: 
            continue
        new = os.path.join(root, hashlib.md5(f.encode()).hexdigest() + os.path.splitext(f)[1])
        try:
            os.rename(old, new)
        except (PermissionError, FileNotFoundError, OSError):
            continue

• This script replaces rename files with their MD5 hash, which is malicious.
• Furthermore, the log shows that this file was sent to the User.

2025/09/24 16:05:24.934  5828       9584 G1   Write file C:\Users\iamqt\aShjKg
2025/09/24 16:05:24.960  5828       9584 G1   Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (274 Bytes)
2025/09/24 16:09:00.598  5828       9584 G1   Write file C:\Users\iamqt\aShjKg
2025/09/24 16:09:00.618  5828       9584 G1   Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (381 Bytes)
2025/09/24 16:10:41.798  5828       9584 G1   Write file C:\Users\iamqt\aShjKg
2025/09/24 16:10:41.810  5828       9584 G1   Download from "aShjKg" to "C:\Users\iamqt\aShjKg" (503 Bytes)

• So that concludes the question. (PS: The actual answer is aShjKq due to a technical error.)

[6]. Which file did the attacker transfer to the victim's computer for malicious purposes? [Text]
==> aShjKq
Correct!

[7]. Identify the cryptographic/hash algorithm employed by the attacker to modify files on the victim's system. [Text]
==>

• The hash algorithm is MD5, as shown in the Python script: hashlib.md5(f.encode()).hexdigest()

[7]. Identify the cryptographic/hash algorithm employed by the attacker to modify files on the victim's system. [Text]
==> md5
Correct!

Congratulations! Here is your flag: W1{h0w_c0uld_y0u_s0lve_th1s_ch4ll3ng3!!}

Flag: W1{h0w_c0uld_y0u_s0lve_th1s_ch4ll3ng3!!}

What’s wrong with my computer

• We are given an .ad1 file (+1 dot nha @KetSoSad), extracting it with FTK Imager on Windows or ad1-tools on Linux yields us a Windows User Directory

$ sudo ad1extract -i 'Chall.ad1' -d './temp/'

• Navigating into DUNG/Documents gives us two files with both being encrypted: flag.txt.enc and notsomethingshere.txt.enc
• We then navigate to DUNG/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine, which contain a Shell History file ConsoleHost_history.txt
• The file shows interesting activities from the User.

...
$key = [System.Text.Encoding]::UTF8.GetBytes("ThisIsA16ByteKey")
$iv = [System.Text.Encoding]::UTF8.GetBytes("ThisIsA16ByteIV!")
$folderPath = "C:\Users\DUNG\Documents"
function Encrypt-File {`
    param (`
        [string]$filePath,`
        [byte[]]$key,`
        [byte[]]$iv`
    )`
`
    $data = [System.IO.File]::ReadAllBytes($filePath)`
`
    $blockSize = 16`
    $padLength = $blockSize - ($data.Length % $blockSize)`
    $padded = $data + ([byte[]]@($padLength) * $padLength)`
`
    $aes = [System.Security.Cryptography.Aes]::Create()`
    $aes.Mode = "CBC"`
    $aes.Key = $key`
    $aes.IV = $iv`
    $aes.Padding = "None"`
`
    $encryptor = $aes.CreateEncryptor()`
    $cipherBytes = $encryptor.TransformFinalBlock($padded, 0, $padded.Length)`
`
    $encPath = "$filePath.enc"`
    [System.IO.File]::WriteAllBytes($encPath, $cipherBytes)`
`
    Remove-Item -Path $filePath -Force`
}
...

• From here we know that the User encrypted everything on this drive with AES-CBC with:
  • The key: ThisIsA16ByteKey in UTF-8 Bytes.
  • The IV: ThisIsA16ByteIV! in UTF-8 Bytes.
• Both of the strings have 16 characters and encoded with UTF-8, with 16 * 8 = 128 so the encryption is AES-128-CBC
• To get the UTF-8 Bytes of these two keys:

$ printf 'ThisIsA16ByteKey' | od -A n -t x1 | tr -d ' '
546869734973413136427974654b6579

$ printf 'ThisIsA16ByteIV!' | od -A n -t x1 | tr -d ' '
54686973497341313642797465495621

• Notice how we use printf instead of echo, since echo automatically add \n after every string.
• We can then go back to the two encrypted text file: flag.txt.enc and notsomethingshere.txt.enc.
• We can decrypt the two files with openssl

$ openssl enc -d -aes-128-cbc -in flag.txt.enc -out flag.txt -K '546869734973413136427974654b6579' -iv '54686973497341313642797465495621'

$ openssl enc -d -aes-128-cbc -in notsomethingshere.txt.enc -out notsomethingshere.txt -K '546869734973413136427974654b6579' -iv '54686973497341313642797465495621'

• The first file contains a link to a Rick Roll (+2 dot nha @KetSoSad 😡)
• The second file reads:

Oh, my brain!!!!!!!!!!!!!!!!!!
https://ideone.com/mKM5S5

• Accessing the site gives us:

+[--->++<]>+.[------->+<]>.[----->++<]>+.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>-.---[->++<]>-.[--->+<]>--.+++[++>---<]>.+++++[->++<]>+.+++.----.[-->+<]>---.---[->++<]>-.++++.+++++.[-->+<]>.++[->++<]>..-------------.+[-->+<]>+.-[----->+<]>--.---------------.+++++.+++++.+[-->+<]>.[->++<]>+.>--[-->+++<]>.

• Along with the clue Oh, my brain!!!!!!!!!!!!!!!!!!, this is Brainfuck - an esoteric programming language. Interpreting the code gives us the flag.

echo '+[--->++<]>+.[------->+<]>.[----->++<]>+.>-[--->+<]>-.[---->+++++<]>-.[-->+<]>-.---[->++<]>-.[--->+<]>--.+++[++>---<]>.+++++[->++<]>+.+++.----.[-->+<]>---.---[->++<]>-.++++.+++++.[-->+<]>.++[->++<]>..-------------.+[-->+<]>+.-[----->+<]>--.---------------.+++++.+++++.+[-->+<]>.[->++<]>+.>--[-->+++<]>.' >> flag.bfk && bfk flag.bfk
W1{Th3_s1mpl3_ch4ll_1n_di5k}

Flag: W1{Th3_s1mpl3_ch4ll_1n_di5k}

Wave second for git

• The challenge suggests using Github-CLI (but screw that LOL).
• We are given a zip file, extracting it gives us a Git repository.
• Inside the repository is our first part of the flag, encoded in Base64

$ base64 -d flag.txt
W1{g1thub_

• Next, we will find all activities inside of the Git repository.

$ git log
commit aa97ec424d14947e217575ce87301e4f9a849a3e
Author: KetSoSad102 <phanlamdung2006@gmail.com>
Date:   Thu Oct 2 09:14:19 2025 +0700

    second part

commit cb85ef07a83f250136558f2c56663cb1c25e08e4
Author: KetSoSad102 <phanlamdung2006@gmail.com>
Date:   Wed Oct 1 22:05:24 2025 +0700

    first commit
    
$ git revert aa97e

• Reverting commit aa97e gives us a fake flag. So we will read .git/packed-ref - which lists all branches and references - for clues.

$ cat .git/packed-ref
# pack-refs with: peeled fully-peeled sorted 
ee3e3573ad65935e9053b907e8c938390684c978 refs/remotes/origin/main
aa97ec424d14947e217575ce87301e4f9a849a3e refs/remotes/origin/second
39e9c7b055ab3af29a820cefe7df3ab6140418c0 refs/tags/part3
^aa97ec424d14947e217575ce87301e4f9a849a3e

• We are able to find the second and third flag on branch origin/second and object reference tag/part3

$ git rebase origin/second

$ cat flag.txt
INGESX3JGVPXK4ZTMZ2TO===

$ cat flag.txt | base32 -d
CLI_i5_us3fu7

• Next, we will inspect the object reference tag/part3

$ git cat-file -p 39e9c
object aa97ec424d14947e217575ce87301e4f9a849a3e
type commit
tag part3
tagger KetSoSad102 <phanlamdung2006@gmail.com> 1759371843 +0700

Zw4bm2:x

• We are given a string, but encrypted with XOR with the key 0x5f. Decrypting it gives us _r1gh7?}

Flag: W1{g1thub_CLI_i5_us3fu7_r1gh7?}