Challenge Description
After a gap year, the sequel to “Insanity Check: Redux” and “Insanity Check: Reimagined” is finally here!
The flag is in CTFd, but, as always, you’ll have to work for it.
(This challenge does not require any brute-force – as per the rules of the competition, brute-force tools like dirbuster are not allowed; there is a clear solution path without it if you know where to look.)
OSINT Path
The challenge description tells us that the flag is in CTFd. Because this contest platform uses CTFd, we predicted the flag might be located somewhere on the contest site.
While inspecting the contest site, we accessed https://utctf.live/robots.txt and found two hidden .html files: /2065467898.html and /3037802467.html.

Both files returned 404 Not Found when opened.


However, viewing the source of the two hidden files, we found a suspicious array of numbers.

This looks like XOR-encrypted data, so we wrote a script to decode it:
# Byte arrays recovered from the source of the hidden pages
cipher = [2, 7, 9, 7, 8, 13, 17, 39, 85, 4, 57, 4, 93, 30, 104, 27, 44, 23, 89, 8, 30, 68, 107, 112, 54, 0, 30, 11, 2, 92, 66, 23, 31]
key = [119, 115, 111, 107, 105, 106, 106, 110, 114, 105, 102, 106, 50, 106, 55, 122, 115, 101, 54, 106, 113, 48, 52, 57, 105, 112, 108, 100, 111, 53, 49, 114, 98]
# XOR each ciphertext byte with the key byte at the same position
flag = "".join(chr(c ^ k) for c, k in zip(cipher, key))
print(f"Flag: {flag}")
Run result:
$ python3 solve.py
Flag: utflag{I'm_not_a_robot_I_promise}
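The decode step above, generalized as an added example that is not part of the original writeup: it pulls every integer array out of the saved page sources, XORs each pair of equal-length arrays (XOR is symmetric, so it does not matter which one is the key), and keeps only results matching the flag format. The HTML markup, the variable names inside it, and the decoy array are assumptions, since the writeup does not show the real page source.

```python
import re
from itertools import combinations

# Constructed page sources (assumed markup); the two long arrays are the ones
# from the solve script above, the short one is a constructed decoy.
PAGES = {
    "/2065467898.html": "<h1>404 Not Found</h1><script>var a = [2, 7, 9, 7, 8, 13, 17, 39, 85, 4, 57, 4, 93, 30, 104, 27, 44, 23, 89, 8, 30, 68, 107, 112, 54, 0, 30, 11, 2, 92, 66, 23, 31]; var pad = [1, 2, 3];</script>",
    "/3037802467.html": "<h1>404 Not Found</h1><script>var b = [119, 115, 111, 107, 105, 106, 106, 110, 114, 105, 102, 106, 50, 106, 55, 122, 115, 101, 54, 106, 113, 48, 52, 57, 105, 112, 108, 100, 111, 53, 49, 114, 98];</script>",
}

# A bracketed, comma-separated list of at least two non-negative integers
ARRAY_RE = re.compile(r"\[\s*\d+(?:\s*,\s*\d+)+\s*\]")
FLAG_RE = re.compile(r"utflag\{[ -~]+\}")  # printable ASCII inside the braces


def extract_arrays(html):
    """Return every list of byte-sized integers found in the page source."""
    arrays = []
    for match in ARRAY_RE.finditer(html):
        values = [int(v) for v in re.findall(r"\d+", match.group())]
        if all(v < 256 for v in values):  # values above 255 cannot be bytes
            arrays.append(values)
    return arrays


def xor_candidates(pages):
    """XOR each pair of equal-length arrays; return (path, path, text) hits."""
    found = [(path, arr) for path, html in pages.items()
             for arr in extract_arrays(html)]
    hits = []
    for (p1, a), (p2, b) in combinations(found, 2):
        if len(a) != len(b):
            continue  # a one-to-one XOR key must match the data length
        text = "".join(chr(x ^ y) for x, y in zip(a, b))
        if FLAG_RE.fullmatch(text):
            hits.append((p1, p2, text))
    return hits


if __name__ == "__main__":
    for p1, p2, text in xor_candidates(PAGES):
        print(f"{p1} ^ {p2} -> {text}")
```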