March 1, 2025

ACECTF - For The Fans

theg1239

# For The Fans

## Challenge Information

  • Category: OSINT
  • Points: 300
  • Solves: 40
  • Difficulty: Easy/Medium

## Description

Challenge

## Initial Analysis

So when I was reading through the description, simply based on the wording of the username and the fan culture-ish feeling, I tried the username on X (formerly known as Twitter).

Link to the account
Screengrab of account profile

## Approach

As I was going through the posts under that account, I noticed the mentions of a blog account and a lot of yapping.

I see the mention of the user's birthday, 14th September 2000, a couple of times and decide to keep that information with me, along with another post about their password, which was 7 characters (all numbers).

Screenshot of posts

I also take note of the user's dissatisfaction with the fact that they had to pick a different username for Twitter, as it limited usernames to 15 characters. With the user mentioning the existence of a blog created by them, I instantly thought of various blogging websites like Blogger, Tumblr, even Instagram etc.

Post about blog

### Blog website

This prompted me to use the user's display name on the blogging websites. I could have used Sherlock, but nah, I simply looked the username up on the first site I tried, Tumblr, and it was a match.

Link to Tumblr blog

The blog had a post with a lot of further yapping about Drake being the GOAT (which I may or may not agree with, but that doesn't matter), but at the bottom of the post we had an encoded string that looked like Base64 at first glance.

N3q8ryccAAQrDS+tIAAAAAAAAABqAAAAAAAAANGqpB7VL3HfX5dq2a0oNrtZRM2Hum9ExZnUSpeMMG2rzSg6lQEEBgABCSAABwsBAAIkBvEHARJTD3GIJuGJqEfIwbSE/71QeN8hIQEAAQAMIBwACAoBra6o3QAABQEZAQAREwBmAGwAYQBnAC4AdAB4AHQAAAAZABQKAQCfS+NlYELbARUGAQAgAAAAAAA=

### Decoding Base64

I tried decoding the string from Base64 to text, and sure enough, it revealed an interesting file header.

Decoded Base64 string

I simply used a Python script to create the 7z archive file from the Base64.

```python
import base64
import os
import subprocess

# Base64 string copied from the bottom of the Tumblr post
data = "N3q8ryccAAQrDS+tIAAAAAAAAABqAAAAAAAAANGqpB7VL3HfX5dq2a0oNrtZRM2Hum9ExZnUSpeMMG2rzSg6lQEEBgABCSAABwsBAAIkBvEHARJTD3GIJuGJqEfIwbSE/71QeN8hIQEAAQAMIBwACAoBra6o3QAABQEZAQAREwBmAGwAYQBnAC4AdAB4AHQAAAAZABQKAQCfS+NlYELbARUGAQAgAAAAAAA="

# Decode the Base64 and write the raw bytes out as a 7z archive
binary_data = base64.b64decode(data)
with open("archive.7z", "wb") as f:
    f.write(binary_data)
print("7zip archive saved as archive.7z")

# 7-digit numeric password derived from the birthday mentioned in the posts
password = "2000914"
output_dir = "extracted"
os.makedirs(output_dir, exist_ok=True)

# Extract with the 7z CLI and capture its output
cmd = ["7z", "x", f"-p{password}", "archive.7z", f"-o{output_dir}"]
result = subprocess.run(cmd, capture_output=True, text=True)

print("Extraction command output:")
print(result.stdout)
if result.stderr:
    print("Errors:")
    print(result.stderr)
```
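The file header mentioned above can be inspected before anything is written to disk or extracted. The following is an added example, not part of the original writeup: it parses the 32-byte 7z signature header of the decoded string, verifies both CRCs, and reports whether the archive header is stored in plain form and references the AES coder. The function and field names are assumptions made for illustration.

```python
import base64
import struct
import zlib

# Base64 string quoted in the writeup above
BLOB = "N3q8ryccAAQrDS+tIAAAAAAAAABqAAAAAAAAANGqpB7VL3HfX5dq2a0oNrtZRM2Hum9ExZnUSpeMMG2rzSg6lQEEBgABCSAABwsBAAIkBvEHARJTD3GIJuGJqEfIwbSE/71QeN8hIQEAAQAMIBwACAoBra6o3QAABQEZAQAREwBmAGwAYQBnAC4AdAB4AHQAAAAZABQKAQCfS+NlYELbARUGAQAgAAAAAAA="

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"       # 6-byte 7z signature
AES_CODER_ID = bytes.fromhex("06f10701")  # 7z method ID for AES-256 + SHA-256
K_HEADER = 0x01                           # first byte of a plain (unencoded) header


def inspect_7z(blob_b64):
    """Decode a Base64 blob and parse the 7z signature header (hypothetical helper)."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 32 or raw[:6] != SEVENZ_MAGIC:
        raise ValueError("not a 7z archive")

    # Layout: magic(6) | major(1) | minor(1) | start CRC(4) |
    #         next header offset(8) | next header size(8) | next header CRC(4)
    major, minor, start_crc = struct.unpack_from("<BBI", raw, 6)
    offset, size, next_crc = struct.unpack_from("<QQI", raw, 12)

    # The next header sits `offset` bytes after the 32-byte signature header
    header = raw[32 + offset:32 + offset + size]
    if len(header) != size:
        raise ValueError("truncated archive")

    plain = header[0] == K_HEADER
    return {
        "version": (major, minor),
        "total_size": len(raw),
        "next_header_offset": offset,
        "next_header_size": size,
        "start_crc_ok": zlib.crc32(raw[12:32]) == start_crc,
        "next_crc_ok": zlib.crc32(header) == next_crc,
        # A plain header leaves file names readable without the password
        "header_plain": plain,
        # Heuristic: AES coder ID inside a plain header means the data needs a password
        "aes_encrypted": plain and AES_CODER_ID in header,
    }


if __name__ == "__main__":
    for key, value in inspect_7z(BLOB).items():
        print(f"{key}: {value}")
```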

## Solution

I noticed the archive needed a password, then I remembered the posts from before and tried variations of the user's birthday.

YYYY/MM/DD worked in the end and that revealed a flag.txt that gave us the flag.

## Flag

ACECTF{y0u_b3773r_41nt_h4t3}
