{"id":388,"date":"2026-03-17T22:54:55","date_gmt":"2026-03-17T22:54:55","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/17\/utctf-2026-writeups-inferiorak\/"},"modified":"2026-03-17T22:54:55","modified_gmt":"2026-03-17T22:54:55","slug":"utctf-2026-writeups-inferiorak","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/17\/utctf-2026-writeups-inferiorak\/","title":{"rendered":"UTCTF 2026 Writeups | InferiorAK"},"content":{"rendered":"<p>These are some of my writeups from my recent CTF, UTCTF 2026, where I share my thoughts and approaches on how I overcame the given problems.<\/p>\n<figure><img data-opt-id=771569372  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*SO2AYxgb2953Pg7Qe69ksA.jpeg\" \/><\/figure>\n<figure><img data-opt-id=771569372  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*C6W7ejIRKmSa_pu_Edl1Tw.png\" \/><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Mj5hEJniw29GXejO64WJ2g.png\" \/><figcaption><strong>My Solves x All solved by my Team Integrated Hawkers<\/strong><\/figcaption><\/figure>\n<p>I also participated in last year\u2019s UTCTF, UTCTF 2025. It was really exciting, and so was this one. 
Here are my writeups from this year, listed\u00a0below:<\/p>\n<p><strong>Misc:<\/strong><\/p>\n<ul>\n<li>W3W2<\/li>\n<li>QRecreate<\/li>\n<li>Jail Break<\/li>\n<li>Insanity Check: Hat Trick\u00a0Denied<\/li>\n<li>Double Check<\/li>\n<li>Breadcrumbs<\/li>\n<\/ul>\n<p><strong>Forensics:<\/strong><\/p>\n<ul>\n<li>Half Awake<\/li>\n<li>Last Byte\u00a0Standing<\/li>\n<\/ul>\n<p><strong>Past year\u2019s OSINT Writeups:<\/strong> <a href=\"https:\/\/medium.com\/@inferiorak\/three-words-all-osint-challenge-utctf-2025-7b1ef89c8cbf\">https:\/\/medium.com\/@inferiorak\/three-words-all-osint-challenge-utctf-2025-7b1ef89c8cbf<\/a><\/p>\n<p>So let\u2019s just begin with the\u00a0Misc.<\/p>\n<h3>Misc\u200a\u2014\u200aW3W2 (OSINT Challenge)<\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>W3W2<br \/>Points: 919<br \/>1 (100% liked)  0<br \/>The three words I would use to describe this location are...<br \/><br \/>Flag format: utflag{word1.word2.word3}<br \/><br \/>By Caleb (@eden.caleb.a on discord)<\/pre>\n<h4><strong>Solution:<\/strong><\/h4>\n<ul>\n<li>Given Image:<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*-PYWH6cw_JszGunwgAhTjw.jpeg\" \/><figcaption>W3W2.jpg<\/figcaption><\/figure>\n<ul>\n<li><strong>It\u2019s a Merchandise &amp; Gift\u00a0Shop<\/strong><\/li>\n<li>Then I searched in Google\u00a0Lens:<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*b6c6GCCh1yA-oT4clhiEXQ.png\" \/><\/figure>\n<figure><img data-opt-id=1445388884  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1000\/1*aC0slzadDjyLof_ETwrCqQ.jpeg\" \/><figcaption>1. 
Google Lens\u00a0Search<\/figcaption><\/figure>\n<ul>\n<li>Picked up the matched\u00a0one.<\/li>\n<li><a href=\"https:\/\/ululanis-hawaiian-shave-ice-kihei.wheree.com\/\">https:\/\/ululanis-hawaiian-shave-ice-kihei.wheree.com\/<\/a><\/li>\n<li>Searched the place on Google Map\u00a0: Ululani\u2019s Hawaiian Shave Ice\u200a\u2014\u200aKihei<\/li>\n<li>The provided image\u2019s place was just after that\u00a0one<\/li>\n<li>Found <a href=\"https:\/\/www.google.com\/maps\/place\/Merchandise+%26+Gift+shop\/@20.7814512,-156.4626022,3a,19.8y,42.31h,90.42t\/data=!3m8!1e1!3m6!1sC5hpK-ZatajZ5SyMtE8Uqw!2e0!5s20191001T000000!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fcb_client%3Dmaps_sv.tactile%26w%3D900%26h%3D600%26pitch%3D-0.41616389848874746%26panoid%3DC5hpK-ZatajZ5SyMtE8Uqw%26yaw%3D42.31017727280525!7i16384!8i8192!4m15!1m8!3m7!1s0x7954d1b021100c3b:0x4245bc9926607de8!2sUlulani's+Hawaiian+Shave+Ice+-+Kihei!8m2!3d20.7817454!4d-156.4624555!10e5!16s%2Fg%2F11h0pp71z!3m5!1s0x7954d1b025f260cf:0xdb82c61d43e218ac!8m2!3d20.7816744!4d-156.4623956!16s%2Fg%2F11k5ltmv2b?entry=ttu&amp;g_ep=EgoyMDI2MDMxMS4wIKXMDSoASAFQAw%3D%3D\">Merchandise &amp; Gift\u00a0shop<\/a><\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*YAl1bI-o31BlxH9ESdaNXQ.png\" \/><figcaption>2. 
Google Map Matching\u00a0Objects<\/figcaption><\/figure>\n<ul>\n<li>Then got Correct Google Map Angle of <a href=\"https:\/\/www.google.com\/maps\/place\/Merchandise+%26+Gift+shop\/@20.7815417,-156.4626497,3a,20.1y,63.69h,89.48t\/data=!3m8!1e1!3m6!1sX7MWrNFjnkcQGnsCdcltCA!2e0!5s20090801T000000!6shttps:%2F%2Fstreetviewpixels-pa.googleapis.com%2Fv1%2Fthumbnail%3Fcb_client%3Dmaps_sv.tactile%26w%3D900%26h%3D600%26pitch%3D0.5171529261836554%26panoid%3DX7MWrNFjnkcQGnsCdcltCA%26yaw%3D63.69370073471969!7i13312!8i6656!4m15!1m8!3m7!1s0x7954d1b021100c3b:0x4245bc9926607de8!2sUlulani's+Hawaiian+Shave+Ice+-+Kihei!8m2!3d20.7817454!4d-156.4624555!10e5!16s%2Fg%2F11h0pp71z!3m5!1s0x7954d1b025f260cf:0xdb82c61d43e218ac!8m2!3d20.7816744!4d-156.4623956!16s%2Fg%2F11k5ltmv2b?entry=ttu&amp;g_ep=EgoyMDI2MDMxMS4wIKXMDSoASAFQAw%3D%3D\">Merchandise &amp; Gift\u00a0shop<\/a><\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*XWtkxv7uyRYDjCoJfTkEEA.png\" \/><figcaption>3. Google Map Similar Objects with similar\u00a0Angle<\/figcaption><\/figure>\n<ul>\n<li>Exact Coordinates: 20.7815417,-156.4626497<\/li>\n<li>Searched the coordinates in <a href=\"https:\/\/what3words.com\/bystander.boulders.pillowcase\">What3Words<\/a><\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*FuY4ppOmlBqaFu9hi-2Zwg.png\" \/><figcaption>4. What3Words Block\u00a0Matched<\/figcaption><\/figure>\n<ul>\n<li>Final Flag:<\/li>\n<\/ul>\n<pre>utflag{bystander.boulders.pillowcase}<\/pre>\n<h3>Misc\u200a\u2014\u200a<strong>QRecreate<\/strong><\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>QRecreate<br \/>744<br \/>4 (100% liked)  0<br \/>I managed to bypass the IPS to exfiltrate the secrets you wanted from the target's intranet. I just hope you remember the encoding structure we agreed on. 
by Emmett (@emdawg25 on discord)<\/pre>\n<h4><strong>Solution:<\/strong><\/h4>\n<ul>\n<li><strong>Goal: <\/strong>Reconstruct the final QR code from many image chunks, then decode the hidden message to recover the\u00a0flag.<\/li>\n<\/ul>\n<p><strong>Provided Files \/ Structure<\/strong><\/p>\n<p>The challenge directory contains many folders with base64-like names:<\/p>\n<ul>\n<li>MDAx\/, MDAy\/, MDAz\/,\u00a0&#8230;,\u00a0MTAw\/<\/li>\n<li>each folder contains: data\/img.png<\/li>\n<\/ul>\n<p>So there are 100 chunk images\u00a0total.<\/p>\n<p><strong>Key Observation<\/strong><\/p>\n<p>The folder names are Base64-encoded indices.<\/p>\n<p>Examples:<\/p>\n<ul>\n<li>MDAx -&gt; 001 -&gt;\u00a01<\/li>\n<li>MDEw -&gt; 010 -&gt;\u00a010<\/li>\n<li>MTAw -&gt; 100 -&gt;\u00a0100<\/li>\n<\/ul>\n<p>Decoding and sorting these indices gives the intended sequence order of chunks from 1 to\u00a0100.<\/p>\n<p><strong>Reconstruction Logic<\/strong><\/p>\n<ol>\n<li>Enumerate all top-level folders.<\/li>\n<li>For each folder, read data\/img.png.<\/li>\n<li>Base64-decode the folder name to get numeric\u00a0index.<\/li>\n<li>Sort by numeric index ascending.<\/li>\n<li>Verify chunk dimensions:<\/li>\n<\/ol>\n<ul>\n<li>each tile is\u00a074&#215;74<\/li>\n<li>total chunks = 100, which is a perfect\u00a0square<\/li>\n<\/ul>\n<p>6. Place chunks row-major into a 10&#215;10\u00a0grid.<\/p>\n<p>7. 
Save final stitched image as reconstructed_qr.png.<\/p>\n<p>Resulting image\u00a0size:<\/p>\n<ul>\n<li>10 * 74 =\u00a0740<\/li>\n<li>final QR canvas:\u00a0740&#215;740<\/li>\n<\/ul>\n<p><strong>Python Script (Reconstruction + Payload\u00a0Decode)<\/strong><\/p>\n<pre>#!\/usr\/bin\/env python3<br \/>import os<br \/>import base64<br \/>import math<br \/>from PIL import Image<br \/><br \/>ROOT = \".\"<br \/>OUT = \"reconstructed_qr.png\"<br \/><br \/>chunks = []<br \/>for d in os.listdir(ROOT):<br \/>    img_path = os.path.join(ROOT, d, \"data\", \"img.png\")<br \/>    if os.path.isfile(img_path):<br \/>        try:<br \/>            idx = int(base64.b64decode(d).decode())<br \/>            chunks.append((idx, img_path))<br \/>        except Exception:<br \/>            # Skip anything that is not a valid base64 index folder<br \/>            pass<br \/><br \/>chunks.sort(key=lambda x: x[0])<br \/>n = len(chunks)<br \/>side = int(math.isqrt(n))<br \/>assert side * side == n, f\"Chunk count {n} is not a perfect square\"<br \/><br \/>imgs = [Image.open(path).convert(\"RGB\") for _, path in chunks]<br \/>tile_w, tile_h = imgs[0].size<br \/><br \/>canvas = Image.new(\"RGB\", (side * tile_w, side * tile_h), (255, 255, 255))<br \/><br \/>for i, tile in enumerate(imgs):<br \/>    r, c = divmod(i, side)  # row-major order<br \/>    canvas.paste(tile, (c * tile_w, r * tile_h))<br \/><br \/>canvas.save(OUT)<br \/>print(f\"[+] saved {OUT} ({canvas.size[0]}x{canvas.size[1]})\")<br \/><br \/># Payload found from reconstructed QR:<br \/>payload_b64 = \"dXRmbGFne3MzY3IzdHNfQHJlX0Bsd0B5c193MXRoMW5fczNjcjN0c30\"<br \/>print(\"[+] payload:\", payload_b64)<br \/># The QR payload has no '=' padding; restore it so b64decode() accepts it<br \/>padded = payload_b64 + \"=\" * (-len(payload_b64) % 4)<br \/>print(\"[+] decoded:\", base64.b64decode(padded).decode())<\/pre>\n<figure><img data-opt-id=1470043290  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/740\/1*YPkftV8pWmvuyUfCnWV-Yw.png\" \/><figcaption>Merged QRcode<\/figcaption><\/figure>\n<p><strong>Decoding the Reconstructed 
QR<\/strong><\/p>\n<ul>\n<li>From the rebuilt QR, the extracted data\u00a0is:<\/li>\n<\/ul>\n<pre>dXRmbGFne3MzY3IzdHNfQHJlX0Bsd0B5c193MXRoMW5fczNjcjN0c30<\/pre>\n<ul>\n<li>Base64-decoding that\u00a0yields:<\/li>\n<\/ul>\n<pre>utflag{s3cr3ts_@re_@lw@ys_w1th1n_s3cr3ts}<\/pre>\n<p><strong>Notes:<\/strong><\/p>\n<ul>\n<li>The phrase in the description, <em>\u201cremember the encoding structure we agreed on\u201d<\/em>, hints at using encoded folder names as ordering metadata.<\/li>\n<li>A common pitfall is sorting folders lexicographically; decoding to numeric index is the safe\u00a0method.<\/li>\n<\/ul>\n<h3><strong>Misc\u200a\u2014\u200aJail\u00a0Break<\/strong><\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Jail Break<br \/>410<br \/>5 (45% liked)  6<br \/>We've built the world's most secure Python sandbox. Nothing can escape. Probably. Hopefully. Run it locally: python3 jail.py By Garv (@GarvK07 on discord)<\/pre>\n<h4><strong>Solution:<\/strong><\/h4>\n<p>Given <strong>jail.py<\/strong>:<\/p>\n<pre>import sys<br \/><br \/>_ENC = [0x37, 0x36, 0x24, 0x2e, 0x23, 0x25, 0x39, 0x32, 0x3b, 0x1d, 0x28, 0x23, 0x73, 0x2e, 0x1d, 0x71, 0x31, 0x21, 0x76, 0x32, 0x71, 0x1d, 0x2f, 0x76, 0x31, 0x36, 0x71, 0x30, 0x3f]<br \/>_KEY = 0x42<br \/><br \/>def _secret():<br \/>    return ''.join(chr(b ^ _KEY) for b in _ENC)<br \/><br \/>BANNED = [<br \/>    \"import\", \"os\", \"sys\", \"system\", \"eval\",<br \/>    \"open\", \"read\", \"write\", \"subprocess\", \"pty\",<br \/>    \"popen\", \"secret\", \"_enc\", \"_key\"<br \/>]<br \/><br \/>SAFE_BUILTINS = {<br \/>    \"print\": print,<br \/>    \"input\": input,<br \/>    \"len\": len,<br \/>    \"str\": str,<br \/>    \"int\": int,<br \/>    \"chr\": chr,<br \/>    \"ord\": ord,<br \/>    \"range\": range,<br \/>    \"type\": type,<br \/>    \"dir\": dir,<br \/>    \"vars\": vars,<br \/>    \"getattr\": getattr,<br \/>    \"setattr\": setattr,<br \/>    \"hasattr\": hasattr,<br \/>    \"isinstance\": isinstance,<br \/>    
\"enumerate\": enumerate,<br \/>    \"zip\": zip,<br \/>    \"map\": map,<br \/>    \"filter\": filter,<br \/>    \"list\": list,<br \/>    \"dict\": dict,<br \/>    \"tuple\": tuple,<br \/>    \"set\": set,<br \/>    \"bool\": bool,<br \/>    \"bytes\": bytes,<br \/>    \"hex\": hex,<br \/>    \"oct\": oct,<br \/>    \"bin\": bin,<br \/>    \"abs\": abs,<br \/>    \"min\": min,<br \/>    \"max\": max,<br \/>    \"sum\": sum,<br \/>    \"sorted\": sorted,<br \/>    \"reversed\": reversed,<br \/>    \"repr\": repr,<br \/>    \"hash\": hash,<br \/>    \"id\": id,<br \/>    \"callable\": callable,<br \/>    \"iter\": iter,<br \/>    \"next\": next,<br \/>    \"object\": object,<br \/>}<br \/><br \/># _secret is in globals but not documented - players must find it<br \/>GLOBALS = {\"__builtins__\": SAFE_BUILTINS, \"_secret\": _secret}<br \/><br \/>print(\"=\" * 50)<br \/>print(\"  Welcome to PyJail v1.0\")<br \/>print(\"  Escape to get the flag!\")<br \/>print(\"=\" * 50)<br \/>print()<br \/><br \/>while True:<br \/>    try:<br \/>        code = input(\"&gt;&gt;&gt; \")<br \/>    except EOFError:<br \/>        break<br \/><br \/>    blocked = False<br \/>    for word in BANNED:<br \/>        if word.lower() in code.lower():<br \/>            print(f\"  [BLOCKED] Nice try!\")<br \/>            blocked = True<br \/>            break<br \/><br \/>    if blocked:<br \/>        continue<br \/><br \/>    try:<br \/>        exec(compile(code, \"&lt;jail&gt;\", \"exec\"), GLOBALS)<br \/>    except Exception as e:<br \/>        print(f\"  [ERROR] {e}\")<\/pre>\n<ul>\n<li>It\u2019s simply XORed, so we don\u2019t need to do anything because the source code is already\u00a0given.<\/li>\n<li>Maybe this wasn\u2019t intentional; a netcat server should have been provided instead of this.\u00a0Btw\u2026.<\/li>\n<li>Here is the XOR-reversing script to get the\u00a0flag:<\/li>\n<\/ul>\n<pre>_ENC = [0x37, 0x36, 0x24, 0x2e, 0x23, 0x25, 0x39, 0x32, 0x3b, 0x1d, 0x28, 0x23, 0x73, 0x2e, 0x1d, 
0x71, 0x31, 0x21, 0x76, 0x32, 0x71, 0x1d, 0x2f, 0x76, 0x31, 0x36, 0x71, 0x30, 0x3f]<br \/>_KEY = 0x42<br \/><br \/>def _secret():<br \/>    return ''.join(chr(b ^ _KEY) for b in _ENC)<br \/><br \/>flag = _secret()<br \/>print(flag)<\/pre>\n<ul>\n<li>Final Flag:<\/li>\n<\/ul>\n<pre>utflag{py_ja1l_3sc4p3_m4st3r}<\/pre>\n<h3><strong>Misc\u200a\u2014\u200aInsanity Check: Hat Trick\u00a0Denied<\/strong><\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Insanity Check: Hat Trick Denied<br \/>936<br \/>2 (100% liked)  0<br \/><br \/>After a gap year, the sequel to \"Insanity Check: Redux\" and \"Insanity Check: Reimagined\" is finally here!<br \/>The flag is in CTFd, but, as always, you'll have to work for it.<br \/><br \/>(This challenge does not require any brute-force -- as per the rules of the competition, brute-force tools like dirbuster are not allowed, there is a clear solution path without it if you know where to look.)<br \/><br \/>By Caleb (@eden.caleb.a on discord)<\/pre>\n<h4>Solution:<\/h4>\n<p>Initial Findings:<\/p>\n<ul>\n<li>From <a href=\"https:\/\/utctf.live\/robots.txt:\">https:\/\/utctf.live\/robots.txt:<\/a><\/li>\n<\/ul>\n<pre>User-agent: *<br \/>Disallow: \/admin<br \/>Disallow: \/2065467898<br \/>Disallow: \/3037802467<\/pre>\n<ul>\n<li>Visiting https:\/\/utctf.live\/2065467898 returned:<\/li>\n<\/ul>\n<pre>[REDACTED HTML]<br \/><br \/>&lt;h1&gt;File not found&lt;\/h1&gt;<br \/>&lt;!-- 2, 7, 9, 7, 8, 13, 17, 39, 85, 4, 57, 4, 93, 30, 104, 27, 44, 23, 89, 8, 30, 68, 107, 112, 54, 0, 30, 11, 2, 92, 66, 23, 31 --&gt;<br \/><br \/>[REDACTED HTML]<\/pre>\n<ul>\n<li>Visiting https:\/\/utctf.live\/3037802467 returned:<\/li>\n<\/ul>\n<pre>[REDACTED HTML]<br \/><br \/>&lt;h1&gt;File not found&lt;\/h1&gt;<br \/>&lt;!-- 119, 115, 111, 107, 105, 106, 106, 110, 114, 105, 102, 106, 50, 106, 55, 122, 115, 101, 54, 106, 113, 48, 52, 57, 105, 112, 108, 100, 111, 53, 49, 114, 98 --&gt;<br \/><br \/>[REDACTED HTML]<\/pre>\n<p><strong>Solving 
Idea:<\/strong><\/p>\n<ul>\n<li>Both comments are equal-length integer arrays.<br \/>Try XOR pairwise: chr(a[i] ^\u00a0b[i]).<\/li>\n<li>Solve Script:<\/li>\n<\/ul>\n<pre>a = [2, 7, 9, 7, 8, 13, 17, 39, 85, 4, 57, 4, 93, 30, 104, 27, 44, 23, 89, 8, 30, 68, 107, 112, 54, 0, 30, 11, 2, 92, 66, 23, 31]<br \/>b = [119, 115, 111, 107, 105, 106, 106, 110, 114, 105, 102, 106, 50, 106, 55, 122, 115, 101, 54, 106, 113, 48, 52, 57, 105, 112, 108, 100, 111, 53, 49, 114, 98]<br \/><br \/>flag = ''.join(chr(x ^ y) for x, y in zip(a, b))<br \/>print(flag)<\/pre>\n<ul>\n<li>Final Flag:<\/li>\n<\/ul>\n<pre>utflag{I'm_not_a_robot_I_promise}<\/pre>\n<h3>Misc\u200a\u2014\u200aDouble\u00a0Check<\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Double Check<br \/>100<br \/> 14 (100% liked)  0<br \/>We're planning on deploying some new static sites for our officers. We've cloned a template from Hugo's Static Site Generator (SSG). Can you make sure that our website is clean before it's deployed?<br \/><br \/>https:\/\/github.com\/Jarpiano\/utctf-profile<br \/><br \/>By Jared (@jarpiano on discord)<\/pre>\n<h4>Solution:<\/h4>\n<ul>\n<li>First I went to the GitHub Repo: <a href=\"https:\/\/github.com\/Jarpiano\/utctf-profile\"><strong>https:\/\/github.com\/Jarpiano\/utctf-profile<\/strong><\/a><\/li>\n<li>In this kind of challenge, we first need to look at the <strong>commit\u00a0logs<\/strong><\/li>\n<li>You can just clone the repo and\u00a0run:<\/li>\n<\/ul>\n<pre>git log -p | grep -i \"utflag{\"<\/pre>\n<ul>\n<li>This is the easiest approach, and the one I always\u00a0take<\/li>\n<li>But here I didn\u2019t even need to clone, because the flag was so easy to get from the commit history\u00a0manually<\/li>\n<li>I just saw a <strong>recent <\/strong>suspicious commit: <a 
href=\"https:\/\/github.com\/Jarpiano\/utctf-profile\/commit\/a1546afedb6edeffa9227d70b1f5e110bda9f7e6\"><strong>https:\/\/github.com\/Jarpiano\/utctf-profile\/commit\/a1546afedb6edeffa9227d70b1f5e110bda9f7e6<\/strong><\/a><\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Jt2lVukrH4CrNsoGiLnsLg.png\" \/><figcaption>1. Very recent interesting commit before the\u00a0CTF<\/figcaption><\/figure>\n<ul>\n<li>I just saw that history manually and found the\u00a0flag<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*IcbbmIlBOncuB_u-lb1FSw.png\" \/><figcaption>2. Flag\u00a0found<\/figcaption><\/figure>\n<ul>\n<li>Final Flag:<\/li>\n<\/ul>\n<pre>utflag{n07h1n6_70_h1d3}<\/pre>\n<h3>Misc\u200a\u2014\u200aBreadcrumbs<\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Breadcrumbs<br \/>100<br \/>40 (100% liked)  0<br \/>Every trail has a beginning. This one starts here: https:\/\/gist.github.com\/garvk07\/3f9c505068c011e0fd6abd9ddf56aecb Follow the breadcrumbs. The flag is at the end.<br \/><br \/>By Garv (@GarvK07 on discord)<\/pre>\n<h4>Solution:<\/h4>\n<ul>\n<li>I first went to the gist: <a href=\"https:\/\/gist.github.com\/garvk07\/3f9c505068c011e0fd6abd9ddf56aecb\">https:\/\/gist.github.com\/garvk07\/3f9c505068c011e0fd6abd9ddf56aecb<\/a><\/li>\n<li>Found <a href=\"https:\/\/gist.github.com\/garvk07\/3f9c505068c011e0fd6abd9ddf56aecb\"><strong>start.txt<\/strong><\/a>:<\/li>\n<\/ul>\n<pre>You've found the first breadcrumb. 
The next step is closer than you think.<br \/><br \/>aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZ2FydmswNy9iYTQwNjQ2MGYyZTkzMmI1NDk2Y2EyNTk3N2JlMjViZQ==<\/pre>\n<ul>\n<li>Decoded it from base64, and found another gist:\u00a0<a href=\"https:\/\/gist.github.com\/garvk07\/ba406460f2e932b5496ca25977be25be\"><strong>poem.txt<\/strong><\/a><\/li>\n<\/ul>\n<pre>Gather your wits, the path winds on from here,<br \/>In shadows deep, the truth is never clear,<br \/>Secrets hide where few would dare to look,<br \/>Three letters follow, open up the book.<br \/><br \/>p.s. https:\/\/gist.github.com\/garvk07\/963e70be662ea81e96e4e63553038d1a<\/pre>\n<ul>\n<li>Then got another gist: <a href=\"https:\/\/gist.github.com\/garvk07\/963e70be662ea81e96e4e63553038d1a\"><strong>analysis.py<\/strong><\/a><\/li>\n<\/ul>\n<pre># A curious little script...<br \/># Nothing to see here.<br \/># 68747470733a2f2f676973742e6769746875622e636f6d2f676172766b30372f3564356566383539663533306333643539336134613363373538306432663239<br \/># Move along.<br \/><br \/>def analyse(data):<br \/>    return data[::-1]<br \/><br \/>results = analyse(\"dead beef\")<br \/>print(results)<\/pre>\n<ul>\n<li>I just took the hex-encoded\u00a0string:<\/li>\n<\/ul>\n<pre>68747470733a2f2f676973742e6769746875622e636f6d2f676172766b30372f3564356566383539663533306333643539336134613363373538306432663239<\/pre>\n<ul>\n<li>Decoding it, I found another gist: <a href=\"https:\/\/gist.github.com\/garvk07\/5d5ef859f530c3d593a4a3c7580d2f29\"><strong>final.txt<\/strong><\/a><\/li>\n<\/ul>\n<pre>You've reached the end of the trail. 
Your reward:<br \/>  hgsynt{s0yy0j1at_gu3_pe4jy_ge41y}<\/pre>\n<ul>\n<li>Decoded the flag-like string with\u00a0<a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=ROT13(true,true,false,13)&amp;input=aGdzeW50e3MweXkwajFhdF9ndTNfcGU0anlfZ2U0MXl9\"><strong>ROT13<\/strong><\/a><\/li>\n<li>Finally I got the\u00a0Flag:<\/li>\n<\/ul>\n<pre>utflag{f0ll0w1ng_th3_cr4wl_tr41l}<\/pre>\n<h3>Forensics\u200a\u2014\u200aHalf\u00a0Awake<\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Half Awake<br \/>Points: 525<br \/>5 (100% liked)  0<br \/>Our SOC captured suspicious traffic from a lab VM right before dawn. Most packets look like ordinary client chatter, but a few are pretending to be something they are not.<\/pre>\n<h4>Solution:<\/h4>\n<p><strong>Solution Summary:<\/strong><\/p>\n<ul>\n<li>The PCAP hides a fake \u201cTLS-like\u201d stream that actually contains a ZIP (PK)\u00a0payload.<\/li>\n<li>Inside the zip there is <strong>stage2.bin<\/strong> and a hint\u00a0text.<\/li>\n<li><strong>stage2.bin<\/strong> is XOR-related to another string with key 0xb7, and merging printable characters from paired strings yields the\u00a0flag.<\/li>\n<\/ul>\n<p><strong>Step 1: Read the HTTP instructions<\/strong><\/p>\n<ul>\n<li>From the packet stream (tcp.stream eq 0), the response to \/instructions.hello says:<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*NTyTLzHge1TknnCLaOW9DQ.png\" \/><figcaption>1. instructions<\/figcaption><\/figure>\n<pre>Read this slowly:<br \/>1) mDNS names are hints: alert.chunk, chef.decode, key.version<br \/>2) Not every 'TCP blob' is really what it pretends to be<br \/>3) If you find a payload that starts with PK, treat it as a file<\/pre>\n<p><strong>Step 2: Check mDNS for key\u00a0material<\/strong><\/p>\n<ul>\n<li>Filter on mDNS traffic and inspect the <strong>key.version.local<\/strong> TXT response.<\/li>\n<li>The response contains 00b7, i.e. 
XOR key\u00a00xb7.<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*-6VsCEvBiWxtLwbxLwXMFQ.png\" \/><figcaption>2. mDNS\u00a0Records<\/figcaption><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*8R3LCfsTR4ENkmLFBTn4XA.png\" \/><figcaption>3. XOR\u00a0Key<\/figcaption><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Y-kAuZMKqX6meNwCrhYg-A.png\" \/><figcaption>4. Looking for Encrypted Traffic after the TXT\u00a0Record<\/figcaption><\/figure>\n<p><strong>Step 3: Find the fake protocol stream and carve the\u00a0ZIP<\/strong><\/p>\n<ul>\n<li>Follow the suspicious TCP stream around port 443 (tcp.stream eq 4 in the screenshot).<\/li>\n<li>Even though packets are labeled TLS, the reassembled payload contains PK&#8230; and file names (<strong>stage2.bin<\/strong>, <strong>readme.txt<\/strong>), confirming ZIP\u00a0content.<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*KQOZgIP8CK8eLC3bHUdsJg.png\" \/><figcaption>5. 
Got Zip File with PK\u00a0Header<\/figcaption><\/figure>\n<ul>\n<li>Then I dumped the Request as Hex and decoded it as the Fixed\u00a0ZIP.<\/li>\n<li>Saved data as flag.zip, then:<\/li>\n<\/ul>\n<pre>unzip -l flag.zip<\/pre>\n<p>Contents:<\/p>\n<ul>\n<li><strong>stage2.bin<\/strong> (41\u00a0bytes)<\/li>\n<li><strong>readme.txt<\/strong> (hint: \u201cnot everything here is encrypted the same\u00a0way\u201d)<\/li>\n<\/ul>\n<p><strong>Step 4: Decode stage2 and merge character positions<\/strong><\/p>\n<ul>\n<li><strong>stage2.bin<\/strong> (latin1)\u00a0gives:<\/li>\n<\/ul>\n<pre>75 c3 66 db 61 d0 7b df 34 db 66 e8 61 c0 34 dc 33 e8 73 84 33 e8 74 df 33 e8 70 c5 30 c3 30 d4 30 db 5f c3 72 86 63 dc 7d<\/pre>\n<p><em>Because of some unprintable characters, I give it hex-encoded<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=XOR(%7B'option':'Hex','string':'b7'%7D,'Standard',false)To_Hex('Space',0)&amp;input=dcNm22HQe98022boYcA03DPoc4Qz6HTfM%2BhwxTDDMNQw21\/DcoZj3H0\"><strong>XOR<\/strong> <\/a>with 0xb7\u00a0gives:<\/li>\n<\/ul>\n<pre>c2 74 d1 6c d6 67 cc 68 83 6c d1 5f d6 77 83 6b 84 5f c4 33 84 5f c3 68 84 5f c7 72 87 74 87 63 87 6c e8 74 c5 31 d4 6b ca<\/pre>\n<ul>\n<li>If you look carefully, it will make\u00a0sense:<\/li>\n<\/ul>\n<pre>stage2 : u_f_a_{...<br \/>xored  : _t_l_g...<br \/>merged : utflag{...<\/pre>\n<ul>\n<li>Decoding the flag using\u00a0this:<\/li>\n<\/ul>\n<pre>import string<br \/><br \/>p1 = bytes.fromhex(\"75 c3 66 db 61 d0 7b df 34 db 66 e8 61 c0 34 dc 33 e8 73 84 33 e8 74 df 33 e8 70 c5 30 c3 30 d4 30 db 5f c3 72 86 63 dc 7d\")<br \/>p2 = bytes.fromhex(\"c2 74 d1 6c d6 67 cc 68 83 6c d1 5f d6 77 83 6b 84 5f c4 33 84 5f c3 68 84 5f c7 72 87 74 87 63 87 6c e8 74 c5 31 d4 6b ca\")<br \/>mixed = list(zip(p1, p2))<br \/><br \/>allowed = string.printable<br \/>flag = \"\"<br \/>for pair in mixed:<br \/>    x, y = pair[0], pair[1]<br \/>    flag += chr(x) if chr(x) in allowed else chr(y)<br \/><br \/>print(flag)<\/pre>\n<ul>\n<li>Final 
Flag:<\/li>\n<\/ul>\n<pre>utflag{h4lf_aw4k3_s33_th3_pr0t0c0l_tr1ck}<\/pre>\n<h3><strong>Forensics\u200a\u2014\u200aLast Byte\u00a0Standing<\/strong><\/h3>\n<p><strong>Description:<\/strong><\/p>\n<pre>Last Byte Standing<br \/>673<br \/>1 (100% liked)  0<br \/>A midnight network capture from a remote office was marked \u201croutine\u201d and archived without review. Hours later, incident response flagged it for one subtle anomaly that nobody could explain. Find what was missed and recover the flag.<\/pre>\n<h4>Solution:<\/h4>\n<ul>\n<li>The anomaly was subtle\u200a\u2014\u200a<strong>each <\/strong><strong>sync-cache.nexthop-lab.net DNS query had one extra byte appended after the standard DNS question\u00a0section<\/strong>.<\/li>\n<li>In a normal DNS query, the packet ends\u00a0with:<\/li>\n<\/ul>\n<pre>&lt;domain name&gt; 00 0001 0001<\/pre>\n<p>(null terminator, Type A, Class\u00a0IN)<\/p>\n<ul>\n<li>But here, each query had <strong>one more byte after that<\/strong>\u200a\u2014\u200aeither 0x30 (&#8216;0&#8217;) or 0x31\u00a0(&#8216;1&#8217;).<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*exjI95ZLTbihw8KGYf7yGg.png\" \/><figcaption>1. 
The Hidden Channel: DNS Packet\u00a0Padding<\/figcaption><\/figure>\n<p><strong>The Decode<\/strong><\/p>\n<pre>440 packets \u00d7 1 bit each = 440 bits (55 bytes)<\/pre>\n<ul>\n<li>Each last byte was 0x30 or 0x31 \u2192 a binary bitstream, decoded 8 bits at a time (MSB-first):<\/li>\n<\/ul>\n<pre>0111 0101 \u2192 0x75 \u2192 'u'<br \/>0111 0100 \u2192 0x74 \u2192 't'<br \/>0110 0110 \u2192 0x66 \u2192 'f'<br \/>0110 1100 \u2192 0x6C \u2192 'l'<br \/>...<\/pre>\n<ul>\n<li>Final Flag:<\/li>\n<\/ul>\n<pre>utflag{d1g_t0_th3_l4st_byt3}<\/pre>\n<p><strong>Keynote: Title\u00a0Meaning<\/strong><\/p>\n<blockquote><p><strong><em>\u201cLast Byte Standing\u201d<\/em><\/strong><em>\u200a\u2014\u200aThe single extra byte hiding at the end of each DNS packet, after all the standard DNS structure, invisible to any tool that just looks at DNS fields normally.<\/em><\/p><\/blockquote>\n<p>So that is it for these writeups. I will try to add my other writeups, along with the approaches I took and how I think.<br \/>Thanks.<\/p>\n<h4><strong>My Contacts:<\/strong><\/h4>\n<p><strong>LinkedIn: <\/strong><a href=\"https:\/\/www.linkedin.com\/in\/taseen-kpc\/\">https:\/\/www.linkedin.com\/in\/taseen-kpc\/<\/a><br \/><strong>GitHub:<\/strong> <a href=\"https:\/\/github.com\/InferiorAK\">https:\/\/github.com\/InferiorAK<\/a><br \/><strong>Medium:<\/strong> <a href=\"https:\/\/medium.com\/@inferiorak\">https:\/\/medium.com\/@inferiorak<\/a><br \/><strong>YouTube:<\/strong> <a href=\"https:\/\/www.youtube.com\/@inferiorak\">https:\/\/www.youtube.com\/@inferiorak<\/a><br \/><strong>Facebook:<\/strong> <a href=\"https:\/\/www.facebook.com\/InferiorAK\">https:\/\/www.facebook.com\/InferiorAK<\/a><br \/><strong>Twitter:<\/strong> <a href=\"https:\/\/x.com\/inferiorak\">https:\/\/x.com\/inferiorak<\/a><br \/><strong>E-mail:<\/strong> <a href=\"mailto:inferiorak@integratedhawkers.com\">inferiorak@integratedhawkers.com<\/a><\/p>\n<h4><strong>My 
Team\u00a0Links:<\/strong><\/h4>\n<p><strong>LinkedIn:<\/strong><a href=\"https:\/\/www.linkedin.com\/company\/integratedhawkers\">https:\/\/www.linkedin.com\/company\/integratedhawkers<\/a><strong><br \/>Facebook: <\/strong><a href=\"https:\/\/www.facebook.com\/IntegratedHawkers\">https:\/\/www.facebook.com\/IntegratedHawkers<\/a><strong><br \/>Website: <\/strong><a href=\"https:\/\/integratedhawkers.com\/\">https:\/\/integratedhawkers.com\/<\/a><strong><br \/>GitHub: <\/strong><a href=\"https:\/\/github.com\/IntegratedHawkers\">https:\/\/github.com\/IntegratedHawkers<\/a><strong><br \/>CTFtime: <\/strong><a href=\"https:\/\/ctftime.org\/team\/299872\">https:\/\/ctftime.org\/team\/299872<\/a><br \/><strong>E-mail:<\/strong> <a href=\"mailto:contact@integratedhawkers.com\">contact@integratedhawkers.com<\/a><\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/utctf-2026-writeups-inferiorak-f1bd9631febd\">UTCTF 2026 Writeups | InferiorAK<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>These are some of my Writeups from my recent CTF, UTCTF 2026 where I shared my thoughts and approaches on how I overcame the given problems. My Solves x All solved by my Team Integrated Hawkers I also participated in last year\u2019s UTCTF, UTCTF 2025. It was really exciting and so now. 
Here are my &#8230; <a title=\"UTCTF 2026 Writeups | InferiorAK\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/17\/utctf-2026-writeups-inferiorak\/\" aria-label=\"Read more about UTCTF 2026 Writeups | InferiorAK\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":389,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/389"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}