Published: Nov 14, 2025
The CTF has two parts: online and onsite. For the online competition, participants are given 5-6 days to solve problems over the Internet. For the other one, participants will solve a different set of problems on the club’s room for 8 hours with AI assistance prohibited. The final score will be calculated from results of these two parts.
These are my write-ups for problems I solved. Credits to Anthony Wang for helping me with the crypto problem. The CTF site can be accessed here.
Online
Warm-up
Sanity Check
Simply follow the instructions and the flag should appear: message link
BKISC{W3lcom3_to_Our_CTF_G00d_luK}
Crypto
Hint
Let’s take a look at the source code:
|
|
The author is generous enough to give us a hint value here. Maybe we
can use this value to somehow calculate $p$ and $q$.
A key observation here is that $p + q + p^{2} + q^{2}$ is very small compared to $N \ast N \ast \text{hash}$. With that, we could retrace each values using some maths:
|
|
After that, it is just basic RSA:
|
|
Web
JUMP
Examining the source code with DevTools, we can see that this is a pure JavaScript game, running entirely on the client-side. There are also a decent amount of module-level variables for us to play with.
The game is supposed to give us the flag when we achieve a high-score of
10000, so the simplest approach is to somehow get 10000 in scores. I
looked for the function that is responsible for calculating the score
and found this function from the Score class:
|
|
This frameTimeDelta argument can be manipulated by:
-
Refresh the page to reset everything.
-
Open up the DevTools" debugger and go to line 894.
-
Start the game and immediately stop the execution with the debugger.
-
Set a breakpoint at line 894.
-
Resume execution so the game reaches the breakpoint.
-
Go to “Console” and run
previousTime = -1000000 -
Go back to debugger and remove the breakpoint.
-
Resume execution, you should reach just above 10000 points and get the flag.
I didn’t save the flag, but you can try retrieving it by following the steps above.
Error
The homepage seems to do nothing and visiting any other paths will only return a 404 page that seems to copy the requested path into the HTML source.
Considering the easy, rce and ssti tags from the problem’s page,
also knowing that the page is being served using
Flask by examining the
HTTP headers, I assume that this is a simple Jinja2 server-side template
injection problem. Testing it by visiting /{{7*7}}, we get 49 back
in the page. We can now search for a Jinja2 RCE payload online and just
try it out.
I use this payload template
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
to look around the system and discovered the flag in the environment
variables:
GET /{{request.application.__globals__.__builtins__.__import__('os').popen('env').read()}}
-> HOSTNAME=be82b2d ... FLAG=BKISC{3rr0r_b453d_55t1_r34lly???}
Thief
Inspecting the page, we can find a single JavaScript tag that seems to
do some hash comparison. There is one thing that caught my eye: the
attemptLogin function.
|
|
When we put submit the credentials, this function checks if the inputted
username is admin and password" hash is identical to the provided
hash. If it satisfies, it will set a value in the page’s session storage
and redirects us to /admin.html. If we attempt to access the admin
page directly, we’ll get an “Access Denied” error. But when we inspect
the page again:
|
|
Oh well, that was anti-climatic.
Pwn
Digital Systems
|
|
The unsigned short types suggests that this is a integer overflow
problem. Wikipedia has a great article on C data
types which we could use as
a reference for the bounds. An unsigned short can only contain values
in between 0 and 65535, assigning -1 should give us 65535, -2 would be
65534, and so on. Now we can solve the problem with simple arithmetics:
Is there a number that is less than 10 and equal to 11?
Enter a number: -65525
Correct!
One more question: Is there a number that is less than 69 and equal to 96?
Enter a number: -65440
Correct!
Here is your flag:
BKISC{digital_systems_4r3_m4dn355_133467}
Forensics
Wireshark 101
This file contains only TCP packets. First thing to do is to follow the
TCP stream and see where it brings us to. We then notice that all
packets contain some kind of data under the form of ASCII strings. Going
to the last packet, we get a =, suggesting that this stream of data is
encoded in Base64. Simply extract all data transmitted from this file
into strings and we get a bunch of Lorem Ipsums and the flag.
BKISC{TCP_15_e4zy_e76531}
ezBlockchain
The provided link leads us to a Sepolia Testnet contract. Since this is a “wander around” problem, I will just list out where the flag parts are, for the sake of brevity:
-
Part 1: Go to the “Contract” section, we get a bunch of Solidity code and our first part of the flag in the variable
part1→BKISC{w0w_y0u -
Part 2: Go to “Contract” -> “Read Contract” and open up the
twotrapcontract information →_D3fin1tely_a -
Part 3: Go to the “Transactions” section and open up the details of the only transaction there (0x67e885366aaef8f4f71c798c7ff2a4a4010bc7b623ca689b4872be239bd58289), click on “More Details”, open up “View Input As” dropdown menu and choose
UTF-8→_m4sT3r_at_ -
Part 4: In the original contract page, go to the “Events” section, convert the last three log lines to text →
BlOcKcHaIn_c736e7a84f0b1e54ac288417ed5fb04800621be4a119184c998e0d621d63625a}
Merge them all together and we get:
BKISC{w0w_y0u_D3fin1tely_a_m4sT3r_at_BlOcKcHaIn_c736e7a84f0b1e54ac288417ed5fb04800621be4a119184c998e0d621d63625a}
Web Deployment
The challenge gives us a Dockerfile:
|
|
Checking out the hah4/found-me image on
DockerHub, we can see
that the image is just a harmless web server. Since a Docker image is
just an archive of files glued together, perhaps there is something
interesting stored inside the image. A simple web search on how to
extract a Docker image and some
UNIX magic is enough for us to find the flag (note: I’m using
fd as a replacement for find):
|
|
Misc
ai_thong_minh_hon_hoc_sinh_lop_5
Connecting to the netcat server gives us this prompt:
============================================================
🧠 AI THONG MINH HON HOC SINH LOP 5 🧠
============================================================
Answer all questions correctly to get the flag!
You have 300 seconds to complete the challenge.
============================================================
📝 Total questions: 100
Question 1/100:
>>> 2 + 2
Your answer:
After typing in some answers, we notice that the questions all seems to be Python expressions and the server will timeout after 20-30 seconds. A simple solution to get over this timeout is to save all of the answers, separate them by a newline, and then copy and paste it all in the prompt to gradually work out to the end.
Question 100/100:
>>> str('BKISC{r3m3mb3r_t0_5@n1t1z3_b4_eval}')
# BKISC{r3m3mb3r_t0_5@n1t1z3_b4_eval}
2 World
The challenge gives us an audio file. If you listen to it, you’ll hear a horrible rap track on the right stereo and an automated voice on the left stereo that whispers the flag. Plug in your IEM, listen to the left stereo and write out the flag in uppercase. I didn’t save the flag, but you should be able to get it by following the steps above.
Hornpy Jail
|
|
This challenge introduces us to an unique CTF field called
PyJail. In these problems,
contestants will try to break out of a Python sandbox by crafting a
payload that bypasses all provided constrains. From the source code, we
figured that we’ll need a payload that does not use, literally, any of
character you could find on your keyboard, but except for round brackets
().
The first thing I did is to lookup if there are existing articles that
document eval’s quirks and found this excellent
write-up. From it, I found some
crucial information about Python, like:
The Unicode standard supports the concept of equivalence. If we look at this useful page for the codepoint for the letter a for example, we can see a long list of symbols that are declaratively similar in appearance or meaning to the ASCII letter ‘a’.
…
All these fancy codepoints will be converted into the correct ASCII letter when normalized, which is an operation that python3 performs before parsing an identifier.
This means:
|
|
and this:
|
|
does the exact same thing: printing “Hello, world” to output.
Utilizing this knowledge, we can craft a payload that allows us to execute Python code via input:
|
|
Applying this to the remote challenge instance:
You got sent to jail for being horny!
Type your defense here and the judges will decide your fate: exec(input())
import os; os.system("cat flag.txt")
BKISC{y0u_c4n_0nly_35c4p3_7h3_b0nk_th15_t1m3}
Reverse
Baby flag checker
First thing to do is to put the binary on a decompiler, I use Dogbolt for this since I can’t get a good decompiler on my Linux system. The password checking mechanism looks like this:
|
|
This piece of code should be sufficient for you to work out the flag.
BKISC{Apprentice_Reverser_sUp3r_5eCUr3_p4s5w0rD}
Web-ASM
“Find the password for the Admin user.”
The bundled archive gives us the source code of a web application that
uses WebAssembly. Let’s decompile the WASM binary with wasm-decompile
from wabt:
|
|
From the decompiled C code and JavaScript files, we’ll have a few observations:
-
check_authwill be called from Javascript, with inputted username, password as arguments. -
check_authcallsf_b -
From the decompiled code, we know that
f_bchecks if the username equals to “Admin” -
check_authcallsf_c -
f_cchecks if the provided password, XOR-ed withB, is identical to\00\09\0b\11\019\00#1+!\1d\0376*\1d71+,%\1d\15\03\11\0f?
So the password would be
\00\09\0b\11\019\00#1+!\1d\0376*\1d71+,%\1d\15\03\11\0f? XOR-ed with
B. Put it on
Cyberchef
and we will get the flag:
BKISC{Basic_Auth_using_WASM}
Onsite
pwn
hidden in plain sight
Unlike off-site, this time I got Binary Ninja up and running on my machine, so I’m a bit more comfortable working on problems related to compiled binaries.
The challenge comes with a compiled Linux binary and a Dockerfile. Let’s boot up the binary file in Binary Ninja and see what we get:
Looking up the main function, we can see that the program is executing
a getflag function at the very top of it. getflag will attempt to
read flag.txt from system and save the value into a global buffer
named flag. Right below the getflag call, the function loads
flag’s value into a local variable. So basically the flag is saved
somewhere on the stack and we need a way to retrieve it.
Going down the main function, we find:
|
|
These lines of code indicates that this is a format string
vulnerability.
That makes things easier, since the offset between the printf call and
the local flag variable is always the same, we can just brute force to
find the payload. I wrote this Bash script below:
|
|
Basically, what it does is get values from increasing positions of the
stack with this base payload: %n$s (interpret n-th stack value as a
string). Since the challenge doesn’t include a flag.txt for the local
binary to read, we need to create it with some identifiable content in
order to make this script work. After that just run the script and save
its output to a file:
$ echo 'test_flag' > flag.txt
$ bash script.sh > out
In out, find test_flag. You’ll see that it appears at position 30,
which means our payload is %30$s. Sending this to the challenge’s
instance should reveal the flag:
BKISC{s0_f4r_y3t_5o_cl0s3_bu7_5om3h0w_y0u_s71LL_f0und_m3}
forensics
Transmission
Another Wireshark challenge. This time it is about Bluetooth traffic:
Bluetooth can be used to transfer files, so our top priority should be to analyze the traffic involving the OBEX (file transfer) protocol, let’s look it up:
The packet information kinda gave it away, this part of traffic seems to
be transferring a PNG image file. From here, I looked up for some
information about the properties of a PNG file so that we could identify
the starting and ending point of traffic. One well-documented
information that we could utilize is file
signatures. A
normal PNG file would start with 89 50 4E 47 0D 0A 1A 0A and end with
a data chunk that contains 49 45 4E 44 (IEND). With this
information, we would that the data transfer starts at packet 294 and
ends at packet 351. This means that all chunks of data are transferred
sequentially (this is observable by trying to transfer files with
Bluetooth actually). With further analyzation, you would see that all
OBEX packets labelled Put continue will contain data, accessible via
the field obex.header.value.byte_sequence as hex. We can use tshark
to extract all data from these OBEX packets and save them into a file.
Since tshark would loop through all packets to access this field, so
some empty lines and artifacts are expected. We can use UNIX’s tr to
trim those out:
|
|
Now convert all the hexes into characters and we would get a readable PNG file:
reverse
Mathematical Modelling
This challenge comes with a single compiled program as a binary file. The program asks for a password as an argument. Let’s load it up on Binary Ninja to see what it does with the password internally:
|
|
From the beginning of the main function, we have rax_6 that stores
the password and rax_8 storing the password’s length. The following
check ensures that password must be 21 characters long. Coming down to
the while loop, the program iterates through each character of the
password, stored in rax_11, and then check var_a8 in a switch
case.
Since var_a8 was initialized with 0, we should analyze the statements
from case 0: of the switch case. Inside case 0 are a bunch of
if-else statements that check if the current character is equal to a hex
value, which seems to be hex representation of ASCII characters. Ending
case 0, the program goes back to the start of while, and iterates to
the next character of the password. Looking at other switch cases
though, we can see that a lot of them simply exit the program if
var_a8 is equal to some value, but there are some cases that is almost
identical to case 0. For example, 0xa, 0x14, 0x1e, etc.
There is a if-else clause that stands out from case 0:
|
|
If two of these if statements were satisfied, var_a8 would be set to
the value that could continue down the switch. These statements stands
out by being nested, but they just check if rax_11 is equal to the
value in the second if. So basically, this while loop just check if
the password is correct by iterating and comparing each character. We
should get the password by getting the hex values of the nested ifs
above from switch cases identical to case 0. If you follow through the
cases correctly, you should end up at case 0xc8:
|
|
The right hex value of the first if statement will be our last character of the password, and following statements should process that password and give us the flag. Now that you have written all of the hex values found from cases, you will have the password by converting all of those to ASCII characters. Passing that password into the program should give you the flag:
$ ./chall "I13TXC7a7ocAe^&[Cv-hA"
Congratulations! Flag: BKISC{d0_yOu_Kn0w_4uT0mAt4?}
blockchain
Coinflip
To do all of these blockchain problems, you’ll need nothing else but a Metamask wallet and faucet.
The contract source code is quite short:
|
|
From the challenge’s description and source code, all this contract does
is simulate a coin-flip (the flip function) and keep track of your
consecutive correct guesses. The challenge asks to somehow guess the
outcome of flip correctly, ten times in a row.
Taking a closer look at flip, we see that it calculates the outcome
using two variables a and b from a State object, so we must know
a and b from the state if we want to always win. Good news is that
at the end from each flip, the state would update its values for the
next flip so the values are known before each flip, and we can start
those values via read contracts defined in the source code. The author
is also very generous to add a currentSideIsOne function that prints
the exact outcome of the next flip, so we can just call that function,
get the outcome, call flip with the outcome, repeat 10 times, and ask
for the flag. Make sure that all previous transactions have been
completed before repeating the steps.
BKISC{1_c4nt_b3l31v3_y0u_fl1p_th4t_g00d}
Coinflip Revenge
Let’s take a look at the source code:
|
|
This challenge is essentially the same as the previous challenge, but
with updated logic and instead of a and b we have lastHash.
lastHash gets updated after every flip, and a flip is true if
lastHash divided by the constant FACTOR is equal to 1. Since we can
get lastHash at any time, we can always win by getting lastHash via
the read contract, calculate the expression lastHash / FACTOR, flip
with true if the function evaluates to 1 or false otherwise.
Repeat 10 times and ask for the flag. One thing to note is that
Solidity doesn't support floating point
numbers,
so rounding errors may appear and alter the outcome. I didn’t have this
problem during my run, though.
BKISC{1_c4nt_b3l31v3_y0u_w0n_fl1p_4g41n}
← Go to parent
