~$ Digital Overdose CTF Official Writeup #2 - A door by any other name
Posted on Oct. 11th, 2021.
This is the official developer writeup for the challenge "A door by any other name" that was created for the Digital Overdose Autumn 2021 CTF.
The two other writeups published for this event are:
Challenge description and statistics
The text reads:
Description Intentionally Left Blank
Out of the 41 correct submissions (First blood by BTeam), this challenge was rated 100% by all contestants.
I sometimes take inspiration from games for ideas. This time, I was inspired to make a steganography challenge.
The basis for the challenge was the catchphrase "The cake is a lie", which is a very popular phrase from the game Portal, released in 2007.
It is seen in various areas in the game and is intended to warn the player that one of the game's supporting characters is in fact deceiving them. Perfect, I though, for a steganography challenge.
The challenge page itself has no description (as it was marked "Intentionally Left Blank"). The title however, tells players to look for synonyms of the word door ("A door by any other name"). Among those synonyms is the word "Portal".
Two kinds of players then exist, those that immediately identified the game and were then able to find the actual challenge locaction, and those that didn't who were then prompted to look around the platform.
The category description was "The cake is a lie"
Well, do you not see what is going on in this text? No? That is intended, perhaps you need to look at what you don't see. This, helpfully, can be viewed by inspecting the concerned element:
There exist a number of very interesting characters called "Zero-width space" characters, which can be found in unicode:
By pasting the text into a notepad, or a scripting language terminal, we can then work with the zero-width spaces in this text.
Informatively, there are 17 alphabetic characters (including " ") in the sentence.
The set of characters used for flags always contains visible print characters.
To solve this challenge, one can either manually count the special characters and then convert each number to the equivalent ASCII character, or one can script the behavior, which is what we'll do below.
This prints out
Which makes the flag