1 of 6

Forensics

Cookie Monster

Windows 7 sp1 x64 memdump By grepping for urls, we can find . Command history shows us the credentials with a username and password, and also the name of a deleted file. We download this file: _4nd_y0u_w1ll_n3v3r_f1nd_m333} We now see that mstsc is running, which is the rdp client. I used filescan to search for open files, and found an the rdp cache file. We can use to parse it, and get 128 tiles from the image. By piecing this together (thanks will) we get the first half of the flag: tjctf{c00k1e_m0n5t3r_w4s_h3r3

tjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

Gamer F

Use dnspy to read Assembly-CSharp - tjctf{wh3rs_ Part 2 - Use AssetStudioGUI - VictorySound2.wav (1.wav is japanese) Voice says: Flag part 2 is: "the_T5sp1n" or 0x7468655f54357370316e (Hex gives capitalised T) Part 3: Strings level0 and grep for '}' (probably not intended lmao)

tjctf{wh3rs_the_T5sp1n_sn4ekk}

Ling ling

Download -> exiftool meme.png -> profit

Flag: tjctf{ch0p1n_fl4gs}

Rap God

Right channel of audio is different Remove left channel, get full spectogram with Wingdings2

tjctf{quicksonic}

Hexillology

For this one open the image in gimp select color picker. Also open the color section in windows/dockable dialogs/colors then click on each section and note down the hex color values: 746a63 74667b 63306c 6f7266 75315f 666c34 67217d decode this from hex and we get the flag:

Forensics

Cookie Monster

tjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

Gamer F

tjctf{wh3rs_the_T5sp1n_sn4ekk}

Ling ling

Flag: tjctf{ch0p1n_fl4gs}

Rap God

tjctf{quicksonic}

Hexillology

tjctf{c0lorfu1_fl4g!}

Gamer F

tjctf{wh3rs_the_T5sp1n_sn4ekk}

Hexillology

tjctf{c0lorfu1_fl4g!}

Forensics

Ling ling

Flag: tjctf{ch0p1n_fl4gs}

Rap God

tjctf{quicksonic}

Cookie Monster

tjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

Forensics

Cookie Monster

hashtagtjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

Gamer F

hashtagtjctf{wh3rs_the_T5sp1n_sn4ekk}

Ling ling

hashtagFlag: tjctf{ch0p1n_fl4gs}

Rap God

hashtagtjctf{quicksonic}

Hexillology

hashtagtjctf{c0lorfu1_fl4g!}

Gamer F

hashtagtjctf{wh3rs_the_T5sp1n_sn4ekk}

Hexillology

hashtagtjctf{c0lorfu1_fl4g!}

Forensics

Ling ling

hashtagFlag: tjctf{ch0p1n_fl4gs}

Rap God

hashtagtjctf{quicksonic}

Cookie Monster

hashtagtjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

tjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}

tjctf{wh3rs_the_T5sp1n_sn4ekk}

Flag: tjctf{ch0p1n_fl4gs}

tjctf{quicksonic}

tjctf{c0lorfu1_fl4g!}

tjctf{wh3rs_the_T5sp1n_sn4ekk}

tjctf{c0lorfu1_fl4g!}

Flag: tjctf{ch0p1n_fl4gs}

tjctf{quicksonic}

tjctf{c00k1e_m0n5t3r_w4s_h3r3_4nd_y0u_w1ll_n3v3r_f1nd_m333}