Post

osu!gamingCTF 2024 - Writeups

Posted Updated
Preview Image
By warlocksmurf 9 min read

This is a writeup for forensics, OSINT, web, misc and osu challenges from osu!gamingCTF 2024. Pretty impressive for osu! to create a CTF competition out of nowhere with interesting challenges related to their rhythm game. They even have their own CTF category called osu LMAO.

nathan-on-osu [Forensics]

Question: Here’s an old screenshot of chat logs between sahuang and Nathan on hollow’s Windows machine, but a crucial part of the conversation seems to be cropped out… Can you help to recover the flag from the future?

Flag: osu{cr0pp3d_Future_Candy<3}

We are given a cropped png image. For this challenge, I could not solve it before the CTF ended, but I knew it was a common forensics challenge in CTFs where we can use tools such as Acropalypse to recover the image with the right resolution.

acro1

However, the web tool did not work for me for some reason. So I went ahead and used Acropalypse-Multi-Tool instead. PS: when downloading the tool and receiving this error, just change the code to from gif_lib import *.

1
2
3
4

PS C:\Users\ooiro\Desktop\Acropalypse-Multi-Tool-1.0.0> python gui.py
Traceback (most recent call last):
  File "C:\Users\ooiro\Desktop\Acropalypse-Multi-Tool-1.0.0\gui.py", line 15, in <module>
    from gif_lib import acropalypse_gif

Running the tool with the appropriate width and height, the flag can be obtained.

acro2

acro3

volatile-map [Forensics]

Question: Hey osu! players, our SOC team was informed that a group of spies from Mai Corp is trying to sabotage our infrastructure via their secret map in osu!. We were able to break into their rendezvous, but they noticed we were stealing their data and they corrupted them in time. Fortunately, we managed to acquire a full memory dump from one of their machines. Can you help us investigate what they were trying to do?

Flag: osu{hide_n_seeeeeeeeeek}

We are given a memory dump for our investigation. So by using volatility3, I managed to find osu!.exe program running notepad.exe instances for some reason (kinda sus).

1
2
3
4
5
6
7
8
9

└─$ python3 vol.py -f ~/Desktop/sharedfolder/osu/memory.dmp windows.pstree 
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                                
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

...
*** 2272        4556    osu!.exe        0xca8603f1f080  34      -       1       True    2024-03-01 13:41:15.000000      N/A
**** 7928       2272    notepad.exe     0xca8604d4d340  3       -       1       True    2024-03-01 13:42:17.000000      N/A
**** 6188       2272    notepad.exe     0xca8604d77340  3       -       1       True    2024-03-01 13:42:38.000000      N/A

So I used the cmdline plugin to check for suspicious commands and I was right, notepad has a command that seems to be the flag itself.

1
2
3

└─$ python3 vol.py -f ~/Desktop/sharedfolder/osu/memory.dmp windows.cmdline
...
7928    notepad.exe     "C:\Windows\System32\notepad.exe" C:\Users\Administrator\AppData\Local\osu!\Songs\beatmap-638448119315467561-ambient-relaxing-music-for-you-15969\osu{ - 686964655f6e (sahuang) [X3NlZWVlZWVlZWVla30=].osu

Analyzing this command closely, it seems that the flag is basically the command line. where 686964655f6e is hex encoded and X3NlZWVlZWVlZWVla30= is based64 encoded. After decoding them, the flag can be obtained. PS: I got 3rd blood for the first time!!

vol1

Task 3: out-of-click [Forensics]

Question: I love playing this map but recently I noticed that some of the circles seem off. Can you help me find the locations of the weird circles?

Flag: osu{BTMC_15_mY_G0aT}

We are given a beatmap folder. Looking into it, there are different types of the beatmap (Normal, Out of Click, Time Freeze). Reading the question, I assume that the differences can be found by comparing Normal and Out of Click of the beatmap.

click1

Using this online tool, we can compare the differences of [HitObjects] between the two modes of the beatmap. The tool shows 5 additional lines placed within the Out of Click mode.

click2

Randomly placing the first four digits of each line on CyberChef, it translates to the flag.

click3

kfc-with-who? [OSINT]

Question: “KFC with @‌Who?” Of course you should know this meme as an average osu player - even ppy posted about it last year. Check out where the legendary osu! KFC guy streams, and find the flag there.

Flag: osu{mastery_in_terrible_rage-inducing_chokes}

The question mentioned something about osu and KFC. Googling them together, we get this reddit post about osu players having KFC with a streamer called ThePooN.

kfc1

Checking his profile on osu! website, he linked his Twitch channel on his bio, making my search easier.

kfc2

On his Twitch channel About page, the flag can be found.

kfc3

when-you-see-it [OSINT]

Question: My friend is so obsessed with osu! that he refused to play any CTF! Today he came to me and sent me this weird GIF, can you understand what he is trying to tell me?

Flag: osu{@nd_wh3n_y0u_fuxx1n_cL1ck3d_nd_c_1T!!!}

We are given a gif file showing a person pointing at his monitor. Doing a simple reverse search, we find that the person was Aireu.

see1

Since we have no other information provided, I assume the gif contains important data. Using binwalk, a hidden zip file can be extracted.

1
2
3
4
5
6
7
8
9

└─$ binwalk -e challenge.gif 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "89a", 498 x 373
3410748       0x340B3C        Zip archive data, at least v1.0 to extract, name: secret/
3410813       0x340B7D        Zip archive data, encrypted at least v2.0 to extract, compressed size: 201, uncompressed size: 230, name: secret/confidential
3411107       0x340CA3        Zip archive data, encrypted at least v2.0 to extract, compressed size: 2821, uncompressed size: 317388, name: secret/secret.wav
3414272       0x341900        End of Zip archive, footer length: 22

However, the zip file was password-protected. Hence, I randomly tried Aireu as the password and it worked. The zip file contains a wav audio file and a text file which gives the first part of the flag and the hint for the second part.

1
2
3
4
5
6
7
8
9
10
11
12
13

HIGHLY CONFIDENTIAL

<REDACTED>
I have stored extremely important files here and in another place.

Find it at "osu_game_/[0-9]+/".

As a reward, here is the first part of the flag: `osu{@nd_`

Yours,

Team Osu!Gaming
</REDACTED>

Listening to the wav file, it seems to be a morse code. So using a decoder online, the hidden message can be obtained.

see2

I went ahead and further decoded the hidden message on CyberChef and found this number. Yes I play osu! back in the days and I know of the 727 meme. So I assumed 727727 might be required to find the second part of the flag.

see3

Reading the text file hint again, it mentioned finding the second part of the flag at osu_game_/[0-9]+/. I assume this is a regex where the full string is osu_game_727727, at this point I was stuck, but my teammate @Zer01 found out it was a Twitter username all along. The display name is the second part of the flag.

see4

Now to find the third part of the flag, the first link leads us to a Rick Roll ffs. However, going down his posts, we find something interesting related to his favourite beatmap.

see5

see6

Using the link, it leads us to his favourite beatmap (ClariS the goat). Clicking these dropboxes seems to be correct, so I just spam clicked all of them and the third part is obtained.

see7

mappool-feedback [OSINT]

Question: i (willwam) did a replay for a tournament quite recently (no more than 2 weeks ago) and hid a flag in it! can you find it?

Flag: osu{m3ow}

We are given a URL that redirects us to willwam’s osu account. On the tournament box section, there are two hyperlinks [a] and [staffing].

feedback1

[a] holds willwam’s tournament spreadsheets but there were nothing interesting in them. However, [staffing] holds his staffing history for previous tournaments.

feedback2

Remembering that the question mentioned no more than 2 weeks ago, so it is probably this beatmap.

feedback3

Clicking on the main sheet, it leads to several social links. I went to his Twitch account and found several video archives.

feedback4

feedback5

Reading the challenge name again, it is related to Mappool so going through the VODs, the video can be found with the flag at the end.

feedback6

when-you-dont-see-it [Web]

Question: welcome to web! there’s a flag somewhere on my osu! profile…

Flag: osu{ok_u_see_me}

We are given a website to a person’s osu! profile, doing a common thing in CTFs, I searched the source code and filtered with the word ‘flag’ and the flag can be obtained.

web1

web2

Infiltrating the OSU! (I) [Misc]

Question: Let’s infiltrate OSU! Hint: Maybe you may want to visit the author’s osu! homepage!

Flag: osu{tr1v4l_5rc_1n5p3c7_1n_webs1t3}

We are given a website that will most likely give us the flag and the author’s osu! profile. The website wants us to find the banner image with its respective domain.

infil1

Looking at his banner picture, it seems similar to the website provided. Opening the image in a new tab, the URL can be obtained https://assets.ppy.sh/user-profile-covers/13336293/e20fc9c84f8f20881bfa0bb70bbcb68c6b50bb25dc96cf608e431a7f9f482c25.jpeg

infil2

infil3

sanity-check-1 [osu]

Question: My first map in 2024: Gawr Gura - Kyoufuu All Back Mapped for osu!gaming CTF 2024. Please play/watch the top diff with video on! To osu! players: CTF is a competition where participants attempt to find text strings, called “flags”, which are secretly hidden in purposefully-vulnerable programs or websites. The strings can be in plain text, images, encoded/encrypted, etc. In sanity-check-1, checkout map metadata and submit the flag you found. Remember flag is always in format osu{…} unless otherwise specified.

Flag: osu{welc0me_2_osu!!}

We are given a link to a beatmap called Gawr Gura - Kyoufuu All Back. The flag is there.

sanity1

smoked [osu]

Question: Imagine getting flag from simply watching a replay…

Flag: osu{smoked_map_fun}

We are given a osu! replay file (.osr). Just enjoy the gameplay and the flag can be seen in the replay.

smoke1

multi [osu]

Question: Multi is a game mode in osu! for people to play together in a multiplayer lobby. PvP is fun, isn’t it? Join the official CTF lobby osu!gaming CTF 2024 to claim the flag! You are more than welcomed to stay in the lobby for a bit longer and have fun with others. There may or may not be secret prizes for random game winners :D Note: Please behave nicely and follow the rules. Avoid changing lobby name, kicking players, or spamming in chats. Do not spoil the fun for others! Report any misbehaviour to admins.

Flag: osu{Ur_welcomed_to_play_a_few_games_in_MP_lobby<3}

Follow the question, join the Multi lobby and enter !flag (had to install back osu for this lol).

multi1

osu!crossword [osu]

Question: Come solve my osu!crossword challenge! Once you completed the puzzle and obtained the hash, submit it to remote server for verification. Note: All characters you enter in crossword should be in lowercase.

Flag: osu{Much_34s13r_Th4n_osu!Trivium_XD}

Just play the crossword puzzle. PS: ngl the crossword website they made was pretty cool.

crossword1

1
2
3

└─$ nc chal.osugaming.lol 7270
Submit the hash: b85478a2d0c66c43f395ab166a6a4aa07a39fdb08e097d23f1d057746887d37a
Congrats! Here's your flag: osu{Much_34s13r_Th4n_osu!Trivium_XD}
ctf
forensics osint web misc osu osu!gaming
This post is licensed under CC BY 4.0 by the author.