Do da research and ... https://snicket.fandom.com/wiki/Sebald_Code Do it and get flag

rtcp{I'm_hungry_give_me_bread_and_I_will_love_you}

Since my pc too shit to brute force (or run most libraries), i did it manually but with fancy maths and i also looked at component.txt which gave me one of the first primes i found the other primes and i had these... (see below) ran it through the decrypt.py and got the flag

rtcp{f1xed_pr*me-0r_low_e?}

Wacky ass challenge lmao

Right so the hint.7z file, when downloaded, isn't actually a 7z file. You can cat it and it's a base64. run base64 -d hint.7z > hint and you'll find it's an image, showing that there is a hidden eval command on the bot.

Running jst eval on the rtcp discord server tells us it can't be run in that guild. We can invite the bot to our own discord server and run the command.

JST eval gives us the ability to run python code on their server.

We can communicate data back to ourselves via a return statement.

The first thing we'll want to do is find some variables. Doing return globals() shows us there's a lot of global variables with a value that's just HIDDEN. Not useful. We can write a simple loop like so

JST eval
g = globals()
for key in g:
  if 'rtcp' in g[key]
    return g[key]

The output of this script is the string rtcp{}. Seems like we're getting somewhere.

Remember: globals gives us variable names and their declared global value. What if instead of printing rtcp{}, we printed the key(variable name), and referenced that?

New script:

JST eval
g = globals()
for key in globals:
  if 'rtcp' in g[key]:
    return key

Giving us the variable name fadlgncrjykmbw

Therefore, we can do

JST eval
return fadlgncrjykmbw

To return the value at that variable. BOOM! Flag acquired.

Flag: rtcp{1tz_n0t_4_bUg_1ts_a_fe4tur3}

For audio steganography challenges, the only truly viable audio is Rick Astley's "Never Gonna Give You Up" - truly a timeless classic. The title of the challenge "Deep Lyrics" was a hint towards the tool used to solve it. Naturally, I got searching and found "DeepSound" - a tool capable of hiding files inside of audio. After installing it, I opened the file using it and found "not-sorry.txt" which contained the flag.

rtcp{got_youuuuuu}

It's a vignere cipher this website works great -

rtcp{vinegar_on_my_fish_and_chips_please}

Relatively simple. The file is a large nested compression - it's been gzipped, tarred and zipped hundreds of times. gzip and tar dont have passwords so any gz or tar file we come accross we can simply decompress. The zips however, do have passwords. Luckily, these passwords are on an 100 word wordlist, allowing for easy brute force.

I wrote a script, the script: uses magic bytes to find out whether the file is a zip, gzip or tar decompresses it accordingly, cracking the password with a wordlist if it's a zipfile go onto the next iteration

At the end, you'll be left with a file called 0, containing the flag.

rtcp{z1pPeD_4_c0uPl3_t00_M4Ny_t1m3s_a1b8c687}

Website is simple: we input, it goes to a url and uses it to generate a QR code of what we input. Sadly, only the first character of what we input gets QR coded. More on this later.

I decided to cut out the middle man and go straight to /qr?text=<insert text here> for ease. I found when putting backticks inside of the text it errored.

A little research tells you that backticks are used for shells within a shell in php and bash. So there's probably some horribly filtered system or eval commands going on there that allow us to execute code using <command>.

We find that the output of the command is actually stored in the qr code! Hazzah! cat flag.txt it is!

Except...

It still only takes the first character.

I wrote a nice little script that uses tail to grab bytes of the flag at different positions, automating the qr code scan using zbarimg.

Note: I knew it must be in the cat flag.txt because

• It didn't error like some other commands did

• The first two characters were rt, so I took a wild guess.

rtcp{fl4gz_1n_qr_c0d3s???_b1c3fea}

Relatively simple: you get a submission box to type in a number. You must predict the random number the site will generate.

The page is pretty bare. There's a form that makes post requests, and it has two fields - one is the number that we submit, the other is the timestamp. As we post, a javascript function is called to change the timestamp to our current time. Wait... they probably use that as the seed!

If we can control the timestamp option on the form, we control the seed. If we control the seed, we control what random number comes next.

Editing the javascript function doesn't seem to work, so we'll fire up burp suite. The timestamp is sent as a post parameter as part of the form. Burp suite allows us to intercept the post request as our browser makes it and edit it.

First of all, let's edit the timestamp to be 1 and see what happens. Funnily enough, the website tells us we were wrong and that the correct answer is 1. We can do this again,this time changing our guess to 1 BOOM! Flag acquired.

rtcp{w0w_sO_p53uD0}

• strings on the image find information about: Groobi Doobie Shoobie Corp

• search for that on twitter: https://twitter.com/GShoobie

• avoid the false flags, and find the instagram

• Instagram has flag: https://www.instagram.com/groovyshoobie/?hl=en

  rtcp{eXiF_c0Mm3nT5_4r3nT_n3cEss4rY}

For a while i was stumped. I split the ciphertext into two, took every other character, did weird xor, base64 decoding, taking every other nibble, taking every other bit - no dice.

Eventually, I decided to think more into the challenge title. They wouldn't put it in morse code for no reason, right? I began to look up special morse code ciphers, and then I thought.. a half is a fraction, right?

Fractionated morse code.

Paste in the ciphertext to a fractionated morse code decoder and you'll get the string RTCPTW0GALLONSOFH4LFMAK3WH0LEM1LK E. I think the E is either a mistake or weirdness with the site I used. Anyways, turn the rtcp into lowercase and wrap the rest in curly brackets to get your golden flag.

rtcp{TW0GALLONSOFH4LFMAK3WH0LEM1LK}

In the program, you will find the flag just vibin in plaintext.

rtcp{tH1s_i5_4_r3aL_fL4g_s0_Do_sUbm1T_1t!}

First I made a python script

"""i made a rev createmap func"""
def antimap(owo,uwu):
    inputs = ""
    realflag = [9,4,23,8,17,1,18,0,13,7,2,20,16,10,22,12,19,6,15,21,3,14,5,11]
    therealflag = [20,16,12,9,6,15,21,3,18,0,13,7,1,4,23,8,17,2,10,22,19,11,14,5]
    if uwu:
        for i in range(len(realflag)):
            inputs += owo[realflag[i]]
    else:
        for i in range(len(realflag)):
            inputs += owo[therealflag[i]]
    print(inputs)
    return inputs
"""and then figured i could skip the last stage and deal with it later so i rev the third stage"""
def rev():
    zz = [157, 157, 236, 168, 160, 162, 171, 162, 165, 199, 169, 169, 160, 194, 235, 207, 227, 210, 157, 203, 227, 104, 212, 202]
    finals = []
    createMap(theflags0, flag, False)#44ytc3whr_040_rhw___o4uk

    for i in range(len(zz)):
        print(theflags0[i],end="")
        finals.append(zz[i]-ord(theflags0[i]))
    print(finals)

This gives "iis4=o4:3hyupcygls>lt4__" and i put it into my revmap func seperately since it's also seperate when making the flag.

iis4=o4:3hyupcygls>lt--- => h=-3si>ic:stly-pl4g-4you
---------------------4__ => ------4-------_----_----

and combined them to get h=-3si4ic:stly_pl4g_4you but i also mapped which chars could've been affected by 4th stage nm-mnmnmnmnnnnnmnnnnnnmn - where n is no and m is maybe affected h=-3si>ic:stly-pl4g-4you - i tested around and got...

rtcp{h3r3s_4_c0stly_fl4g_4you}

1.) Base64 Decode 2.) Hex Decode 3.) Oct Decode 4.) Caesar Cipher (ROT-13) 5.) Morse Code "Decode" 6.) A1Z26 - each number corresponds to a letter, e.g. a =1, b=2 7.) Atbash Cipher 8.) Bacon Cipher 9.) Base64 -> Hex -> Morse -> Binary -> Atbash -> Rot13

Ah… a survey challenge, usually a glorified sanity check, but not this time.

First question: How would you rate your experience with the CTF platform? I gave this a 4. But first, I didn’t have a mouse to click the answer with. I searched up and around my house, but to no avail, I couldn’t find a mouse. I then had to do the unthinkable: walk over to Argos to buy a mouse. I started by looking in the pets section, but there was no mouse to be picked up there. This made me extremely sad. So I stood 2 meters away from a member of staff(safe social distancing kids!) and asked them where to pick up a mouse. I picked up a mouse, scanned it with the smart shop app, and walked out the store, happy I have my mouse. I then got home and clicked the number 4 button.

Question 2: What changes could be made to improve the overall CTF experience? I pondered this question for a while. I decided on the lack of a brainfuck challenge really pissed me off. However, just as I was typing this, my mum walked in and saw that I had a naughty word on my screen. She decided on cleaning out my PC with soap, to cleanse it of its sins. As she left the room, I cried, not having a laptop to finish this survey would make me a shame to my team, and I would never live this down. So sneakily, I walked into my sister’s room, yoinked her laptop and logged back into the survey again.

Now time for Question 3: Which challenge did you like the most/was your favourite? Easy. Beginner 1, the only challenge me and my team were able to solve.

Question 4: Who was my favourite challenge dev? Easy again. William, her challenges were fun and enjoyable(she didn’t hold me at gun point to say this btw).

Question 5: Any other opinions? Easy question again, to give will a raise for being the best challenge dev.

Question 6: My experience in Cyber Security. I gave this a 5 because I am pro hax0r, I hacked roblox and gave myself 69420 robux once, I felt amazingly good about myself.

Question 7: My gender, I put other, as I sexually identify as an apache attack helicopter.

Question 8: my age: I put 13-18, as I am 14 years old(and 3 months and 1 day)

Question 9: How did you here about Houseplant CTF? Easy Question. I was hand delivered a message by my team about a new Capture The Flag Competition called Houseplant made by the RiceTeaCatPanda devs. This CTF also was bringing even crazier and innovative challenges to our community, with 100% same funny stories and (at least) 60% reduced guessing :3.

Question 10: Right or left? This question stumpted me very hard, so I had to close my eyes and do a blind pick. I chose down, in the end.

Question 11: One discord member was non human, who was it? Easy, willwam845#9584.

Question 12: Stickers or plushies, easy again, plushies (uwu)

Question 13: Which is cuter: Wumpus or Jubie. Very easy answer again, I picked Jubie, as I saw her and UnbeliveaBoat out on a date before this whole quarantine started. Hurrah! I had finished the survey! I leapt out of my seat with excitement! However, this was then spewed on me: F(K6"+A-'QAKWC8DBNV(EZdbEF"&5>EbT#p?Z]jf?XmMd?Z9FkA78j I immediately thought this was encoded in some way, so I tried all the bases. I eventually found out that this was b85 encoded, and the decoded message led to this: send Jade (in her DMs) rice_tea_cat_panda

Who was jade? What was jade? I eventually realised that Jade was a girls name, so I was doing the unthinkable, DMing a girl. I mustered up all the courage I could get, and messaged her the sacred phrase: rice_tea_cat_panda. She immediately got back to me and replied with this: You're such a great friend! Here, have a flag! rtcp{awaken_winged_sun_dragon_of_ra}. Although sad I was friendzoned, I was happy I got the flag, so I submitted it, only to find out that my teammate already submitted the flag. Fuck you teammate.

rtcp{awaken_winged_sun_dragon_of_ra}

-Jammy#0402

Translating from morse code it doesn't seem right.. a bunch of numbers and mathematical operators in a weird order. The hint says "is it really what you think it is" or something similar, so it seems obvious that what seemed to be morse code isnt actually morse code.

The challenge is called sizzle, and talks about bacon... what if it's a bacon cipher?

I used subsitution to change . to 0 and - to 1, and then put it through a bacon cipher decoder. This gave me the expression BACONBUTGRILLEDANDMORSIFIED. I put this into all lowercase, separated the words with underscores

Cyberchef link:

rtcp{bacon_but_grilled_and_morsified}

Open the image in gimp and turn the brightness and contrast to max and you get your flag

rtcp{Th4nk$_f0r_h3LP1nG!}

firebase challenge!!! looks like theres a write call to the database in the network requests. quick look at the javascript confirms this. the offending function sendTHEPIXEL():

db.collection("board").doc("data").update(docdata)

lets just change 'data' to 'flag' and a write request to a read request. im sure the flag isnt actually flag lol.... the documentation for that can be found here: https://firebase.google.com/docs/firestore/query-data/get-data#web_1 so we enter into the console:

db.collection("board").doc("flag").get().then(function(doc {console.log(doc.data())})

and in response we get:

"Never gonna give you up":

We're no strangers to love  
You know the rules and so do ...   
Never gonna tell a lie and hurt you   
Never gonna give you up   
Never gonna let you down   
Never gonna run around and desert you   
Never gonna make you cry  
Never gonna say goodbye   
Never gonna tell a lie and hurt you"

​"flag!!!!!!!!!!!!!": "rtcp{d0n't_g1ve_us3rs_db_a((3ss}" ​ fuck.

rtcp{d0n't_g1ve_us3rs_db_a((3ss}

I thought it was just a normal matrix calc but that was wrong since it had a weird way of formatting it made a script tho

def matrix():
    dec = [
    [1.6,  -1.4,  1.8],
    [2.2,  -1.8,  1.6],
    [-1 ,    1 ,   -1]]
    out = []
    pp = 0
    string = [37,36,-1,34,27,-7,160,237,56,58,110,44,66,93,22,143,210,49,11,33,22]
    for i in range(int(len(string)/3)):
        a = string[i*3:i*3+3]
        for j in range(3):
            pp = 0
            for k,l in enumerate(a):
                pp += l*dec[j][k]
            out.append(int(pp))
    for i in out:
        print(chr(i+96),end="")

rtcp{go_do_your_homework}

This is where will starts to speak in catspeak, which is mildly annoying, to say the least. What I did is submit all the flag looking strings into the program and the wonderful cat goddess confirmed that it was the right flag.

rtcp{iT5_s1mPlY_1n_tH3_C0d3}

In the code, you get the lines: Arrange these numbers in numerical order, and read it like a sentence to get the flag

rtcp{y34H_tHiS_a1nT_sEcuR3}.

decode from hexahue...

<----------------------------------------------------------------->  
There is such as thing as a tomcat but have you ever heard of a tomdog.
This is the most important question of our time, and unfortunately one that may never be answered by modern science. 
The definition of tomcat is a male cat, yet the name for a male dog is max.
Wait no. the name for a male dog is just dog. regardless, what would happen if we were to combine a male dog with a tomcat.
Perhaps wed end up with a dog that vomits out flags, like this one rtcp should,fl5g4,b3,st1cky,or,n0t
<----------------------------------------------------------------->

there was a typo (lol) so...

rtcp{should,fl4g5,b3,st1cky,or,n0t}

def conv(a):
    pp = [
    [(0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 0, 0), (255, 255, 0), (0, 255, 0)],"t",
    [(0, 255, 0), (255, 255, 0), (255, 0, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255)],"h",
    [(255, 0, 0), (0, 255, 0), (255, 255, 0), (0, 0, 255), (255, 0, 255), (0, 255, 255)],"e",
    [(0, 0, 255), (0, 255, 255), (255, 255, 0), (255, 0, 255), (255, 0, 0), (0, 255, 0)],"r",
    [(255, 255, 255), (255, 255, 255), (255, 255, 255), (255, 255, 255), (255, 255, 255), (255, 255, 255)]," ",
    [(0, 255, 0), (255, 255, 0), (0, 0, 255), (255, 0, 0), (0, 255, 255), (255, 0, 255)],"i",
    [(0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 255, 0), (255, 0, 0), (0, 255, 0)],"s",
    [(0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 0, 0), (0, 255, 0), (255, 255, 0)],"u",
    [(255, 0, 0), (0, 255, 0), (255, 0, 255), (255, 255, 0), (0, 0, 255), (0, 255, 255)],"c",
    [(255, 0, 255), (255, 0, 0), (0, 255, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255)],"a",
    [(255, 255, 0), (0, 0, 255), (0, 255, 255), (0, 255, 0), (255, 0, 255), (255, 0, 0)],"n",
    [(0, 255, 0), (255, 0, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255)],"g",
    [(255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255), (0, 255, 0), (255, 0, 0)],"o",
    [(255, 255, 0), (0, 0, 255), (0, 255, 0), (0, 255, 255), (255, 0, 255), (255, 0, 0)],"m",
    [(255, 0, 0), (255, 0, 255), (0, 255, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255)],"b",
    [(0, 255, 255), (0, 0, 255), (255, 0, 255), (255, 0, 0), (0, 255, 0), (255, 255, 0)],"v",
    [(0, 255, 255), (255, 0, 255), (255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 0)],"y",
    [(255, 0, 0), (0, 255, 0), (255, 255, 0), (255, 0, 255), (0, 0, 255), (0, 255, 255)],"d",
    [(255, 0, 0), (0, 255, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255)],"f",
    [(0, 0, 0), (255, 255, 255), (255, 255, 255), (0, 0, 0), (0, 0, 0), (255, 255, 255)],".",
    [(255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 0, 0), (0, 255, 0)],"p",
    [(0, 0, 255), (255, 255, 0), (0, 255, 255), (255, 0, 255), (255, 0, 0), (0, 255, 0)],"q",
    [(255, 255, 255), (0, 0, 0), (0, 0, 0), (255, 255, 255), (255, 255, 255), (0, 0, 0)],",",
    [(255, 255, 0), (0, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 0, 0)],"l",
    [(0, 255, 255), (255, 0, 255), (0, 0, 255), (255, 0, 0), (0, 255, 0), (255, 255, 0)],"w",
    [(0, 255, 255), (255, 0, 255), (255, 0, 0), (0, 0, 255), (0, 255, 0), (255, 255, 0)],"x",
    [(0, 255, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 0), (255, 0, 255)],"j",
    [(0, 255, 0), (255, 255, 0), (0, 0, 255), (0, 255, 255), (255, 0, 255), (255, 0, 0)],"k",
    [(255, 255, 255), (128, 128, 128), (0, 0, 0), (128, 128, 128), (255, 255, 255), (0, 0, 0)],"5",
    [(128, 128, 128), (255, 255, 255), (0, 0, 0), (128, 128, 128), (255, 255, 255), (0, 0, 0)],"4",
    [(128, 128, 128), (255, 255, 255), (0, 0, 0), (128, 128, 128), (0, 0, 0), (255, 255, 255)],"3",
    [(128, 128, 128), (0, 0, 0), (255, 255, 255), (0, 0, 0), (128, 128, 128), (255, 255, 255)],"1",
    [(0, 0, 0), (128, 128, 128), (255, 255, 255), (0, 0, 0), (128, 128, 128), (255, 255, 255)],"0",
    ]
    if a not in pp:
        print(a)
        int("lol")
    else:
        return pp[pp.index(a)+1]

def rainbow():
    from PIL import Image #104 x 34

    im = Image.open('output.png', 'r')
    pix_val = list(im.getdata())

    var = []
    cc = ""

    e = [bytes((x,)) for y in pix_val for x in y]

    for i in range(10):
        for j in range(50):
            var.append([
                pix_val[210+j*2+(i*3+0)*104],pix_val[210+j*2+(i*3+0)*104+1],
                pix_val[210+j*2+(i*3+1)*104],pix_val[210+j*2+(i*3+1)*104+1],
                pix_val[210+j*2+(i*3+2)*104],pix_val[210+j*2+(i*3+2)*104+1]])

    for i in var:
        cc += conv(i)
    print(cc)

rainbow()

Go to end of image file and find some chars. mess around and find it's b58. after that i thought its probs ascii char codes so i ran it through a script and got...

rtcp{Not quite normal stego_4xbb45gytj}

I looked at the title and realised it was chrome music labs! So i went to: Put the midi file there to get the flag

rtcp{M0Z4rt_WOuld_b3_proud}

So i looked at title and i noticed from caps "SKATS" so i googled it and found this... after converting from morse i followed the table and got 희망은진정한기생충입니다 which was hope is a true parasite and got the flag:

rtcp{hope_is_a_true_parasite}

Frick around and after lookin at the hint i just needed to change the discord param to flag param and got the flag

rtcp{rtcp-*is-s/ort-of-se1fh0st3d}

After going to ?sauce i just did sql injection

rtcp{y0u-kn0w-1-didn't-mean-it-like-th@t}

So pot got some json data which contained all of the image ids. I wrote a script that parsed this json, and used wget to grab the image files, and then read and parse the exifdata into a dictionary of {image id: [latitude, longtitude]} (note certain parts of the below script are horrible written)

Use day's coords and plot them with matplotlib (code below) then do some image manip

rtcp{4round_7h3_w0r1d}

We can unpack the 7zip to get a large amount of jpg image files - 90,000 image files to be precise. Each image file contains one pixel, and one pixel only. From the challenge briefing, we can tell that we need to somehow assemble these pictures to get an image.

The problem is, we have no way to know how to assemble it.

Each image is named something like this: <number>.jpg . Given the hint, I decided to use the python crypto library's long_to_bytes to turn all of the numbers into byte strings. What i found was that each of the names, when turned into byte strings, held the position of that pixel in the form

x y

I wrote a script using PIL to go through all of the images, get the position of the pixel they represent, and then construct the flag image.

The resulting image has two QR codes. The one on the upper left appears to be a rick roll, however the one on the bottom right yields the flag.

rtcp{d1d-you_d0_7his_by_h4nd?}