Windows 7 SP1 x64 memdump. By grepping for URLs, we can find https://super-secret-file-server.herokuapp.com/. Command history shows us the credentials with a username and password, and also the name of a deleted file. We download this file: _4nd_y0u_w1ll_n3v3r_f1nd_m333}

We now see that mstsc, the RDP client, is running. I used filescan to search for open files, and found the RDP cache file. We can use https://github.com/ANSSI-FR/bmc-tools to parse it, and get 128 tiles from the image. By piecing this together (thanks, Will) we get the first half of the flag: tjctf{c00k1e_m0n5t3r_w4s_h3r3
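
The URL grep over the memory dump, as an added example that is not part of the original writeup: it also matches UTF-16LE strings, which is how Windows keeps most text in memory and which a plain ASCII grep misses. The function names and the sample hosts are constructed for illustration.

```python
import mmap
import re
import sys
from collections import Counter

# Characters allowed in the URL body (RFC 3986 unreserved/reserved plus '%').
_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"
# Narrow strings, e.g. HTTP requests and console history.
ASCII_URL = re.compile(rb"https?://" + _CHARS + rb"{4,200}")
# Wide strings: every character is followed by a NUL byte in UTF-16LE.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _CHARS + rb"\x00){4,200}"
)


def extract_urls(data):
    """Count URLs in a bytes-like object (bytes, or an mmap of a raw dump)."""
    counts = Counter()
    for match in ASCII_URL.finditer(data):
        counts[match.group().decode("ascii")] += 1
    for match in WIDE_URL.finditer(data):
        counts[match.group().decode("utf-16-le")] += 1
    return counts


def scan_file(path):
    """Memory-map the dump so a multi-gigabyte image is not read into RAM."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return extract_urls(mm)


# Constructed sample standing in for a slice of a memory image.
SAMPLE = (
    b"\x00\x13junk GET https://files.example.test/login HTTP/1.1\r\n\xff\xfe\x00"
    + "https://files.example.test/login".encode("utf-16-le") + b"\x00\x00padding"
    + "http://intranet.example.test/a".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    counts = scan_file(sys.argv[1]) if len(sys.argv) > 1 else extract_urls(SAMPLE)
    # Rare URLs first: one-off hosts stand out from browser and update noise.
    for url, n in sorted(counts.items(), key=lambda kv: kv[1]):
        print(n, url)
```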
The right channel of the audio is different. Remove the left channel and get the full spectrogram with https://convert.ing-now.com/mp3-audio-waveform-graphic-generator. Wingdings2.
Use dnSpy to read Assembly-CSharp - tjctf{wh3rs_
Part 2 - Use AssetStudioGUI - VictorySound2.wav (1.wav is Japanese). Voice says: Flag part 2 is: "the_T5sp1n" or 0x7468655f54357370316e (hex gives capitalised T)
Part 3: Strings level0 and grep for '}' (probably not intended lmao)