osu!gamingCTF 2024 - Writeups
This is a writeup for forensics, OSINT, web, misc and osu challenges from osu!gamingCTF 2024. Pretty impressive for osu! to create a CTF competition out of nowhere with interesting challenges related to their rhythm game. They even have their own CTF category called osu LMAO.
nathan-on-osu [Forensics]
Question: Here’s an old screenshot of chat logs between sahuang and Nathan on hollow’s Windows machine, but a crucial part of the conversation seems to be cropped out… Can you help to recover the flag from the future?
Flag: osu{cr0pp3d_Future_Candy<3}
We are given a cropped png image. For this challenge, I could not solve it before the CTF ended, but I knew it was a common forensics challenge in CTFs where we can use tools such as Acropalypse to recover the image with the right resolution.
However, the web tool did not work for me for some reason. So I went ahead and used Acropalypse-Multi-Tool instead. PS: when downloading the tool and receiving this error, just change the code to from gif_lib import *
.
1
2
3
4
PS C:\Users\ooiro\Desktop\Acropalypse-Multi-Tool-1.0.0> python gui.py
Traceback (most recent call last):
File "C:\Users\ooiro\Desktop\Acropalypse-Multi-Tool-1.0.0\gui.py", line 15, in <module>
from gif_lib import acropalypse_gif
Running the tool with the appropriate width and height, the flag can be obtained.
volatile-map [Forensics]
Question: Hey osu! players, our SOC team was informed that a group of spies from Mai Corp is trying to sabotage our infrastructure via their secret map in osu!. We were able to break into their rendezvous, but they noticed we were stealing their data and they corrupted them in time. Fortunately, we managed to acquire a full memory dump from one of their machines. Can you help us investigate what they were trying to do?
Flag: osu{hide_n_seeeeeeeeeek}
We are given a memory dump for our investigation. So by using volatility3, I managed to find osu!.exe
program running notepad.exe
instances for some reason (kinda sus).
1
2
3
4
5
6
7
8
9
└─$ python3 vol.py -f ~/Desktop/sharedfolder/osu/memory.dmp windows.pstree
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
...
*** 2272 4556 osu!.exe 0xca8603f1f080 34 - 1 True 2024-03-01 13:41:15.000000 N/A
**** 7928 2272 notepad.exe 0xca8604d4d340 3 - 1 True 2024-03-01 13:42:17.000000 N/A
**** 6188 2272 notepad.exe 0xca8604d77340 3 - 1 True 2024-03-01 13:42:38.000000 N/A
So I used the cmdline plugin to check for suspicious commands and I was right, notepad has a command that seems to be the flag itself.
1
2
3
└─$ python3 vol.py -f ~/Desktop/sharedfolder/osu/memory.dmp windows.cmdline
...
7928 notepad.exe "C:\Windows\System32\notepad.exe" C:\Users\Administrator\AppData\Local\osu!\Songs\beatmap-638448119315467561-ambient-relaxing-music-for-you-15969\osu{ - 686964655f6e (sahuang) [X3NlZWVlZWVlZWVla30=].osu
Analyzing this command closely, it seems that the flag is basically the command line. where 686964655f6e
is hex encoded and X3NlZWVlZWVlZWVla30=
is based64 encoded. After decoding them, the flag can be obtained. PS: I got 3rd blood for the first time!!
Task 3: out-of-click [Forensics]
Question: I love playing this map but recently I noticed that some of the circles seem off. Can you help me find the locations of the weird circles?
Flag: osu{BTMC_15_mY_G0aT}
We are given a beatmap folder. Looking into it, there are different types of the beatmap (Normal, Out of Click, Time Freeze). Reading the question, I assume that the differences can be found by comparing Normal
and Out of Click
of the beatmap.
Using this online tool, we can compare the differences of [HitObjects]
between the two modes of the beatmap. The tool shows 5 additional lines placed within the Out of Click
mode.
Randomly placing the first four digits of each line on CyberChef, it translates to the flag.
kfc-with-who? [OSINT]
Question: “KFC with @Who?” Of course you should know this meme as an average osu player - even ppy posted about it last year. Check out where the legendary osu! KFC guy streams, and find the flag there.
Flag: osu{mastery_in_terrible_rage-inducing_chokes}
The question mentioned something about osu and KFC. Googling them together, we get this reddit post about osu players having KFC with a streamer called ThePooN
.
Checking his profile on osu! website, he linked his Twitch channel on his bio, making my search easier.
On his Twitch channel About
page, the flag can be found.
when-you-see-it [OSINT]
Question: My friend is so obsessed with osu! that he refused to play any CTF! Today he came to me and sent me this weird GIF, can you understand what he is trying to tell me?
Flag: osu{@nd_wh3n_y0u_fuxx1n_cL1ck3d_nd_c_1T!!!}
We are given a gif file showing a person pointing at his monitor. Doing a simple reverse search, we find that the person was Aireu
.
Since we have no other information provided, I assume the gif contains important data. Using binwalk, a hidden zip file can be extracted.
1
2
3
4
5
6
7
8
9
└─$ binwalk -e challenge.gif
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 GIF image data, version "89a", 498 x 373
3410748 0x340B3C Zip archive data, at least v1.0 to extract, name: secret/
3410813 0x340B7D Zip archive data, encrypted at least v2.0 to extract, compressed size: 201, uncompressed size: 230, name: secret/confidential
3411107 0x340CA3 Zip archive data, encrypted at least v2.0 to extract, compressed size: 2821, uncompressed size: 317388, name: secret/secret.wav
3414272 0x341900 End of Zip archive, footer length: 22
However, the zip file was password-protected. Hence, I randomly tried Aireu
as the password and it worked. The zip file contains a wav audio file and a text file which gives the first part of the flag and the hint for the second part.
1
2
3
4
5
6
7
8
9
10
11
12
13
HIGHLY CONFIDENTIAL
<REDACTED>
I have stored extremely important files here and in another place.
Find it at "osu_game_/[0-9]+/".
As a reward, here is the first part of the flag: `osu{@nd_`
Yours,
Team Osu!Gaming
</REDACTED>
Listening to the wav file, it seems to be a morse code. So using a decoder online, the hidden message can be obtained.
I went ahead and further decoded the hidden message on CyberChef and found this number. Yes I play osu! back in the days and I know of the 727 meme. So I assumed 727727
might be required to find the second part of the flag.
Reading the text file hint again, it mentioned finding the second part of the flag at osu_game_/[0-9]+/
. I assume this is a regex where the full string is osu_game_727727
, at this point I was stuck, but my teammate @Zer01 found out it was a Twitter username all along. The display name is the second part of the flag.
Now to find the third part of the flag, the first link leads us to a Rick Roll ffs. However, going down his posts, we find something interesting related to his favourite beatmap.
Using the link, it leads us to his favourite beatmap (ClariS the goat). Clicking these dropboxes seems to be correct, so I just spam clicked all of them and the third part is obtained.
mappool-feedback [OSINT]
Question: i (willwam) did a replay for a tournament quite recently (no more than 2 weeks ago) and hid a flag in it! can you find it?
Flag: osu{m3ow}
We are given a URL that redirects us to willwam’s osu account. On the tournament box
section, there are two hyperlinks [a]
and [staffing]
.
[a]
holds willwam’s tournament spreadsheets but there were nothing interesting in them. However, [staffing]
holds his staffing history for previous tournaments.
Remembering that the question mentioned no more than 2 weeks ago
, so it is probably this beatmap.
Clicking on the main sheet
, it leads to several social links. I went to his Twitch account and found several video archives.
Reading the challenge name again, it is related to Mappool
so going through the VODs, the video can be found with the flag at the end.
when-you-dont-see-it [Web]
Question: welcome to web! there’s a flag somewhere on my osu! profile…
Flag: osu{ok_u_see_me}
We are given a website to a person’s osu! profile, doing a common thing in CTFs, I searched the source code and filtered with the word ‘flag’ and the flag can be obtained.
Infiltrating the OSU! (I) [Misc]
Question: Let’s infiltrate OSU! Hint: Maybe you may want to visit the author’s osu! homepage!
Flag: osu{tr1v4l_5rc_1n5p3c7_1n_webs1t3}
We are given a website that will most likely give us the flag and the author’s osu! profile. The website wants us to find the banner image with its respective domain.
Looking at his banner picture, it seems similar to the website provided. Opening the image in a new tab, the URL can be obtained https://assets.ppy.sh/user-profile-covers/13336293/e20fc9c84f8f20881bfa0bb70bbcb68c6b50bb25dc96cf608e431a7f9f482c25.jpeg
sanity-check-1 [osu]
Question: My first map in 2024: Gawr Gura - Kyoufuu All Back Mapped for osu!gaming CTF 2024. Please play/watch the top diff with video on! To osu! players: CTF is a competition where participants attempt to find text strings, called “flags”, which are secretly hidden in purposefully-vulnerable programs or websites. The strings can be in plain text, images, encoded/encrypted, etc. In sanity-check-1, checkout map metadata and submit the flag you found. Remember flag is always in format osu{…} unless otherwise specified.
Flag: osu{welc0me_2_osu!!}
We are given a link to a beatmap called Gawr Gura - Kyoufuu All Back
. The flag is there.
smoked [osu]
Question: Imagine getting flag from simply watching a replay…
Flag: osu{smoked_map_fun}
We are given a osu! replay file (.osr). Just enjoy the gameplay and the flag can be seen in the replay.
multi [osu]
Question: Multi is a game mode in osu! for people to play together in a multiplayer lobby. PvP is fun, isn’t it? Join the official CTF lobby osu!gaming CTF 2024 to claim the flag! You are more than welcomed to stay in the lobby for a bit longer and have fun with others. There may or may not be secret prizes for random game winners :D Note: Please behave nicely and follow the rules. Avoid changing lobby name, kicking players, or spamming in chats. Do not spoil the fun for others! Report any misbehaviour to admins.
Flag: osu{Ur_welcomed_to_play_a_few_games_in_MP_lobby<3}
Follow the question, join the Multi lobby and enter !flag
(had to install back osu for this lol).
osu!crossword [osu]
Question: Come solve my osu!crossword challenge! Once you completed the puzzle and obtained the hash, submit it to remote server for verification. Note: All characters you enter in crossword should be in lowercase.
Flag: osu{Much_34s13r_Th4n_osu!Trivium_XD}
Just play the crossword puzzle. PS: ngl the crossword website they made was pretty cool.
1
2
3
└─$ nc chal.osugaming.lol 7270
Submit the hash: b85478a2d0c66c43f395ab166a6a4aa07a39fdb08e097d23f1d057746887d37a
Congrats! Here's your flag: osu{Much_34s13r_Th4n_osu!Trivium_XD}