AusCERT2016 CTF – 10th Place!

I recently finished competing in the AusCERT2016 Capture the Flag (CTF) challenge which ran for 48 hours. Coming in 10th place from dozens of active participants was very rewarding!


I entered under the team alias “InsertCoin“- partly to protect myself if I performed terribly(!) but also because I’m currently looking for new work opportunities – and the name subtly describes my current state-of-mind 🙂

Capture the Flag competitions work by having people (usually teams) compete to carry out tasks in a limited time with the goal of finding a “flag” for each challenge.

A CTF flag is a string of text that is hidden or concealed in some way – you’ll only get it by solving a problem, hacking a system, decrypting something and so forth. There are many different types of challenges, and the problems can range from ridiculously easy to virtually impossible.

As is standard for most CTF challenges, in the AusCERT2016 challenge competitors had to find flags formatted in a special way – in this case:


The format of the flag is really important. Flags are like passwords and have to be entered precisely into a scoring website, otherwise you don’t get the points added to your score.

But knowing what a flag looks like also means you know roughly what you’re looking for, and this can come in handy! For example, looking for the letters f, l, a, and g to make the word “flag” means you’re probably looking in the right place; and can be a time saver.

Solving the challenge: “Law”

Let me be clear – this “Law” challenge was about as easy as a CTF challenge can get – but I’m writing this up because of how I’ve seen some other people attempt to solve it; and the different approaches you could use. Some good, some not so good.

The “Law” challenge begins by downloading a given Word Document. Have a look at the document below and see if you can identify what’s happening.


It’s pretty easy to see something odd with the capitalisation of the letters. Look closely at the first line and you might see something familiar if you concentrate on those capitals.

… enForced … sociaL … behAvior.G{2] …

Oh, yes.. FLAG{ ..surely the beginning of the flag we’re looking for.

At this point, there’s a burning question that every CTF competitor asks themselves:

“What’s the easiest AND fastest way I can solve this problem?”

This is always the juncture point during a CTF where my heart skips a beat, and I feel the adrenalin rush. If you’ve ever participated in a CTF you’ll know what I mean! It’s that point where the only thing that sits between you and the answer is the HOW & TIME.

How? Here’s some of the instant choices of tools/approaches that sprung to mind:

  • [1] Use a feature built-into Word, like find/replace to remove lowercase letters, or extract the capitals or similar; or
  • Extract the text from Word and do this somewhere else, probably on a Linux box…
    • [2] Write a script or something to parse the text and give me what I want; or
    • [3] Rely on some command-line-kung-fu to extract and explore what I need

To be honest, staying in Word really didn’t enter my mind. I’m sure there are features that might do what we want, and if you’ve got suggestions please do leave a comment below and tell me, but prove to me your way is faster also).

So, this story is really about the last two options only: write a script, or do kung-fu.

If you know how to do kung-fu, is there ever any other option? No.

Be patient Grasshopper, we’ll get to the Kung-Fu part, but first what really intrigued me was the day after I had solved this challenge.

While attending a local SecTalk meetup I met some other competitors who were also attempting this same CTF challenge, so I quizzed them on how they were going about solving it…

Surprisingly, one of them had written a Python script to solve this!

My. Mind. Was. Blown. A Python script to solve THIS? Knowing how I had solved it (as you’ll see below) no doubt biased my judgement, but I just felt like using Python (or in fact anything other than a single command-line) was a heavy handed, and slow.

I didn’t look at the actual Python script, but if I had attempted such a thing it would have probably looked like this…


It outputs like this:

... and continues down the screen like that.

Sure, I could import sys and use sys.stdout.write() to fix that, but using Python isn’t the focus here.


On the command line, this is how I solved this “Law” CTF challenge on one line:

grep -o '[A-Z]' law.txt | tr -d '\n'

That’s simply grep with the -o option to only return uppercase ‘[A-Z]’ piped through the tr command to delete -d any newlines ‘\n’



Converting that to lowercase and inserting the { and } in the right places gave me the flag.


The magic of grep -o

I suspect that some people may not be aware of the -o option for grep which only returns the text that matches the given regular expression. This is great for extracting all sorts of things from files, such as domains, email addresses and all sorts of things.

And the power of tr (translate)

There’s another way of doing this also, without using grep at all, which is to only use tr which is the “translate characters” command. In this case we can start by deleting -d lowercase ‘[a-z]’ characters.

cat text | tr -d '[a-z]'

This gives one advantage of being able to see the whole file quickly, having removed only the lowercase chars, and we see the flag beginning to emerge. By repeating this process and eliminating characters one-by-one this technique can come in handy in other challenges.


Once your brain has worked out which characters to remove, after a few iterations you get to the final result.

cat text | tr -d "\-\"\”[a-z][0-9]:'., ()\n"

Output from this is the perfect flag that just needs to be converted to lowercase:


As you can see there are many different ways to solve this challenge, and each to their own. But when time is against you in these challenges you have to make sure you’re picking the fastest method possible!

Until next time, stay safe out there – and may your flags all come to you easily!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s