ECTF 2025 WriteUp | LuffySec | STELK_CSC

Hack4Fun Academy
6 min read · Feb 3, 2025


A couple of days ago, my team, Stelk_CSC, participated in ECTF 2025, completing 16 challenges across a variety of categories (Cryptography, Forensic, Reverse Engineering, OSINT and Web) and securing 69th position out of 536 teams.

Now, let's dive into some of the challs that I solved.

Definitely Not In PDF | 100 Points | Steganography

This is a simple challenge, with the name serving as a hint, but I was stuck on it for a while. When I finally captured the flag, it had me laughing!

Basically you just unzip the zip file given in the chall and the flag is right there. At first I really didn't see it, so I skipped it and started analyzing the PDF LOL

We got our first flag BABBYYY !!!

My Dearest | 100 Points | Forensic

In this challenge, I was given a DOCX file and asked to analyze it to determine the author. When faced with this type of challenge, where I need to identify the author of a file, I immediately use ExifTool, which is a great tool for analyzing metadata.

Now I got my second flag. Sometimes analyzing metadata is the first thing we must do before thinking any further!!!

ectf{MichelTeller}

Capture The Hidden | 200 Points | Forensic

This is a simple network traffic analysis chall, where I'm given a pcap file and asked to analyze it. There seems to be a file that was exfiltrated. Let's extract this hidden data and uncover the flag!

As observed in packet number 1, there is HTTP protocol traffic. So I right-click it, select 'Follow', and examine the TCP Stream.

Wow, what does the Base64 encoding do here? Is this the flag? But that can’t be — it was too easy. This is what I was thinking when I saw this TCP stream, LOL. Anyway, let’s decode this Base64 and get our FLAG!

Pretty easy and straightforward !

Just a PCAP | 500 Points | Forensic

This was pretty easy once you already know what you're going to do. Anyway, as the chall desc says, “An Image has been stolen, can you find it in the PCAP file ?”, so I figured I needed to find an image in this pcap file.

As you can see, the pcap file is just full of DNS protocol traffic, but if you look carefully at the first packet, the subdomain contains this:

89504e470d0a1a0a0000000d49484452000004800000028808.000.exfil.attacker.com

The subdomain name begins with the sequence '89 50 4E 47 0D 0A 1A 0A', and yes, this corresponds to the first 8 bytes of a PNG file. These first 8 bytes are mandatory for a PNG file, so we need to extract all the subdomains from this pcap file. We're gonna use tshark to extract all of them with this command:

tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name -e dns.a -e dns.aaaa > dns.txt

This tshark command extracts all the DNS query names from the pcap file and saves them in a file named dns.txt. This is the result:

Now we only need to filter for the first subdomain, which contains the bytes (hex values) of the PNG file; after that we're gonna rebuild the PNG file and get the flag. This is the command to filter for only the first subdomain:

Now we've got the data of the PNG file, so all we need to do is rebuild the image. Here is the script to rebuild the image:

import binascii

# Read the hex data from the text file
with open("data", "r") as hex_file:
    hex_data = hex_file.read().strip().replace("\n", "").replace(" ", "")

# Convert hex to binary
image_data = binascii.unhexlify(hex_data)

# Save as a PNG file
with open("output.png", "wb") as image_file:
    image_file.write(image_data)

print("Image saved as output.png")

This script rebuilds the image from the hex data and saves it as output.png.

now we got the FLAAAAGGGG !!!! very fun and straightforward chall :D
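The filter and rebuild steps above can also be done in one pass over the tshark output. This is an added example, not the script used in the writeup: it assumes the second label (000 in the name quoted above) is a chunk index, and every sample line except the first query name is constructed.

```python
import re
import struct

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
# Assumed name layout, inferred from the one query name shown above:
#   <hex payload>.<3-digit chunk index>.exfil.attacker.com
NAME_RE = re.compile(r"^([0-9a-f]+)\.(\d{3})\.exfil\.attacker\.com\.?$", re.I)

def reassemble(tshark_lines):
    """Rebuild the exfiltrated bytes from `tshark -T fields` output lines."""
    chunks = {}
    for line in tshark_lines:
        qname = line.split("\t")[0].strip()   # first column is dns.qry.name
        m = NAME_RE.match(qname)
        if not m:
            continue                          # unrelated DNS traffic
        payload, idx = m.group(1), int(m.group(2))
        if len(payload) % 2:
            raise ValueError(f"chunk {idx}: odd-length hex")
        # Query and response both carry the name, so the same index repeats.
        if chunks.setdefault(idx, payload) != payload:
            raise ValueError(f"chunk {idx}: conflicting payloads")
    missing = sorted(set(range(max(chunks, default=-1) + 1)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunk indexes: {missing}")
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))

def png_dimensions(data):
    """Check the PNG signature and IHDR chunk, return (width, height)."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG stream")
    return struct.unpack(">II", data[16:24])

# Constructed sample: the first name is the one quoted above, the rest is made up.
SAMPLE = [
    "89504e470d0a1a0a0000000d49484452000004800000028808.000.exfil.attacker.com\t\t",
    "89504e470d0a1a0a0000000d49484452000004800000028808.000.exfil.attacker.com\t198.51.100.7\t",
    "www.example.org\t198.51.100.20\t",
    "0600000000deadbeef.001.exfil.attacker.com\t\t",
]

if __name__ == "__main__":
    data = reassemble(SAMPLE)
    print(png_dimensions(data), len(data), "bytes")
```

Long, purely hexadecimal labels under a single parent domain, as matched by NAME_RE, are also a useful signal when hunting for DNS exfiltration in resolver logs.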

Project-153-Q1 | 150 Points | OSINT

We are given an image file, and we need to find the name of the place where the photo was taken. Here is the image:

So I reverse searched this image using Google search by image and found the name of the place:

It’s called Falls Caramy, but the flag stated that the name of the place must be in French, so it is Chutes du Caramy. Now we have the flag!!

ectf{Chutes_du_Caramy}

Project-153-Q5 | 150 Points | OSINT

So we're given this image:

I tried a reverse image search with Google search by image again and found this:

I tried Gros_Cerveau and it works! We got the flag

ectf{Gros_Cerveau}

Project-153-Q6 | 150 Points | OSINT

As usual we are given an image, but this time it's different: we need to find how many steps the stairs have and the zip code of the town:

I tried to reverse image search and found that the name of this place was Chapelle Notre-Dame de Beauvoir. Now, we need to find how many steps there are, so I searched on Google for the number of steps to get to Chapelle Notre-Dame de Beauvoir and found that it takes 262 steps.

Now all we need is to find the zip code of the place, and the zip code is 04360

ectf{262_04360}

That's it, thanks for reading my first CTF WriteUp :D
