All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
DEADROP Misc 6 - //CHAOS
A meta-challenge hidden across the DEADROP platform. No challenge listing, no files, no hints. Four flag fragments concealed using four different techniques, favicon MD5 steganography, a hidden 404 endpoint, zero-width Unicode in a checksum field, and a non-standard base64 meta attribute. Unit 7 says hello.
DEADROP Misc 5 - Flatearth Committee Minutes
Meeting minutes from the agency's Flat Earth Contingency Planning Committee hide four flag pieces across the docx XML structure, white-on-white text, an XML comment, a custom document property, and a Word comment. A .docx is a ZIP, unzip it.
DEADROP Misc 4 - SIGINT PUZZLE
Three fake declassified SIGINT documents hide base64 flag fragments in the least significant bits of the red channel. The lore tells you the order; extract, concatenate, decode.
DEADROP Misc 3 - INTERNAL MEMO CHAIN
A 12-email thread about pigeon fleet budget allocation hides flag fragments in X-Agency-Ref headers across the quoted chain. Opening in a mail client shows you the body while reading the raw source shows you everything.
DEADROP Misc 2 - Bash Jail
The agency's field terminal restricts available commands to a whitelist. The implementation uses eval to execute whitelisted commands, which means anything after a whitelisted command is also executed. It's a speedbump, not a wall.
DEADROP Misc 1 - BURNED ASSET PROFILE
A burned agency asset left a digital footprint. Follow the alias trail from a classified profile document to a LinkedIn lookalike, to a fake GitHub profile, to a commit where he accidentally pushed something he shouldn't have.
WHAMazon! Misc 1 - James Smith
Extracting a flag hidden inside a JavaScript obfuscated string array by identifying flag-shaped fragments and manually reassembling them from context.