
DEADROP Misc 6 - //CHAOS

A meta-challenge hidden across the DEADROP platform. No challenge listing, no files, no hints. Four flag fragments are concealed using four different techniques: favicon MD5 steganography, a hidden 404 endpoint, zero-width Unicode in a checksum field, and a non-standard base64 meta attribute. Unit 7 says hello.

//CHAOS

Overview

//CHAOS is a meta-challenge hidden across the DEADROP platform. It is not listed with a solve path, has no files attached, and its description reads: "If you were diligent in Web, you probably picked up some pieces along the way. Those will be useful here, put the pieces back together." The flag is split into four fragments, each hidden using a different technique throughout the web challenges. Nothing points to it directly; the challenge is noticing things that don't belong.

Fragment 1: Favicon MD5

The landing page's activity log contains:

[ WARN ] Favicon hash found on pastebin

The surveillance eye favicon appears on every page. Hash it:

curl -s https://deadrop.two-shoes.org/static/favicon.ico | md5sum
# 72266dd3ba97abf6ea4e8acc27109525

Use that hash as a search on Pastebin:

https://pastebin.com/search?q=72266dd3ba97abf6ea4e8acc27109525

Contents:

REVBRFJPUHt5b3Vfd2VyZV9uZXZlcl8=

Use your favorite base64 decoder:

DEADROP{you_were_never_

Fragment 2: Hidden 404 page

The landing page's activity log contains:

[ WARN ] Asset //CHAOS: status unknown — index suppressed

The robots.txt disallows an unusual route, /do_not_visit/unit7.

Visit it. The server returns a 404 page. View source:

<!--
  you were told not to visit
  c3VwcG9zZWRfdG9fZmluZF8=
  unit 7 sends its regards
-->

Use your favorite base64 decoder:

supposed_to_find_

Fragment 3: Zero-width Unicode

Navigate to /drones/firmware (the only file that was clickable during the drone registry web challenge). The page shows a fake firmware download with a checksum field that looks like:

d41d8cd9[whitespace]8f00b204e9800998ecf8427e

In a browser it looks almost like a normal MD5 hash. View the raw source: the checksum span contains invisible Unicode characters between d41d8cd9 and 8f00b204:

<span id="fw-checksum">d41d8cd9​‌‌‌​‌​​‍​‌‌​‌​​‌‍...8f00b204e9800998ecf8427e</span>

The zero-width characters encode binary:

- U+200B (ZWSP) = bit 0
- U+200C (ZWNJ) = bit 1
- U+200D (ZWJ) = byte separator

Each 8-bit group is one ASCII character. Decode with any zero-width Unicode decoder (e.g. https://stegzero.com/).

Fragment: this_unit7_
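
The decoding scheme described above, as an added example that is not part of the original writeup or the DEADROP platform. The function names are hypothetical, and the sample is constructed by re-encoding the recovered fragment with the stated mapping rather than copied from the site's page:

```python
# Zero-width code points and their meaning, as stated in the writeup.
ZWSP, ZWNJ, ZWJ = "\u200b", "\u200c", "\u200d"
BIT_OF = {ZWSP: "0", ZWNJ: "1"}


def split_hidden(text: str) -> tuple[str, str]:
    """Return (visible_text, zero_width_payload) for a string."""
    hidden = "".join(ch for ch in text if ch in (ZWSP, ZWNJ, ZWJ))
    visible = "".join(ch for ch in text if ch not in (ZWSP, ZWNJ, ZWJ))
    return visible, hidden


def decode_zero_width(text: str) -> str:
    """Decode ZWSP/ZWNJ bits, ZWJ-separated, 8 bits per ASCII character."""
    _, hidden = split_hidden(text)
    chars = []
    for group in hidden.split(ZWJ):
        if not group:  # tolerate leading, trailing or doubled separators
            continue
        if len(group) != 8:
            raise ValueError(f"expected 8 bits per group, got {len(group)}")
        chars.append(chr(int("".join(BIT_OF[c] for c in group), 2)))
    return "".join(chars)


def encode_zero_width(message: str) -> str:
    """Hypothetical helper, used only to build the constructed sample."""
    return ZWJ.join(
        "".join(ZWNJ if bit == "1" else ZWSP for bit in format(ord(ch), "08b"))
        for ch in message
    )


# Constructed sample: the visible checksum halves from the writeup with the
# recovered fragment re-encoded between them (not the site's actual bytes).
SAMPLE = "d41d8cd9" + encode_zero_width("this_unit7_") + "8f00b204e9800998ecf8427e"

if __name__ == "__main__":
    visible, hidden = split_hidden(SAMPLE)
    print("visible :", visible)
    print("hidden  :", len(hidden), "zero-width code points")
    print("decoded :", decode_zero_width(SAMPLE))
```

Comparing `len(text)` against the length of the visible part is a quick check for this kind of padding in any field that should hold plain hex.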

Fragment 4: Meta tag base64

View source on the landing page /. In the <head>:

<meta name="content-hash"
      content-hash="c2F5c19oZWxsb30=" />

content-hash is not a real HTML attribute. Decode its value:

echo 'c2F5c19oZWxsb30=' | base64 -d
# says_hello}

Fragment: says_hello}

Assembly

| # | Location | Method | Fragment |
|---|----------|--------|----------|
| 1 | favicon.ico | MD5 → Pastebin | DEADROP{you_were_never_ |
| 2 | /do_not_visit/unit7 | HTML comment in 404 page | supposed_to_find_ |
| 3 | /drones/firmware checksum | Zero-width Unicode decode | this_unit7_ |
| 4 | Landing page <head> | Non-standard meta attribute base64 | says_hello} |

Flag: DEADROP{you_were_never_supposed_to_find_this_unit7_says_hello}

Key Takeaway

//CHAOS rewards players who look at the platform as an adversarial surface rather than just a challenge host. Each technique is a real-world information hiding method: steganography via metadata hashing, hidden endpoints, Unicode steganography, and attribute misuse in HTML. None of them require any exploit, just thorough observation and the habit of viewing source.

Unit 7 says hello.