Michael Meade

A digital cybersecurity-themed illustration featuring the red letters “CTF” beside a futuristic padlock over a circuit board background, representing capture-the-flag hacking challenges and information security concepts.

GlacierCTF 2025 Challenge

by

Michael Meade
in , ,

Please check out my other posted related to CTF, the name of the article is UTCFT 2025 CTF Challenge Write-Up.

The GlacierCTF was hosted by  ISEC Institute @ TU Graz aka LosFuzzys. They did a great job hosting this CTF, there was no issues with the CTF. None of the challenges went down during the event. Big thanks goes out to them for hosting the CTF.

Web Challenge

Black silhouette of an abstract spider icon with eight legs on a transparent background, commonly used for web, insect, or cybersecurity graphics

This challenge was created by a person with the nickname of “XSSKevin“. I received 50 points for solving this challenge. The screenshot below shows what the page looks like when you visit the link they give you for the challenge.

Simple web login form interface featuring a “Login” heading, username and password input fields, and a blue login button centered on a light background.

I first tired a bunch of common default logins such as admin\admin, admin\password and so on. After submitting the logins it just refreshed to the same login screen. I also used Chrome dev tools and looked at the source of the page and the traffic it generated. Nothing looked like it could be used to get past the login screen.

Challenge description card for a CTF web challenge titled “web 50,” authored by XSSKevin, showing solve count, ratings, a brief description, and links including intro.web.glacierctf.com and a downloadable web.tar.gz file.

Luckily XSSKevin also gave us the source code of the website.

Terminal-style directory tree listing showing project files, including Dockerfile, configuration folder with php.ini, deployment scripts, PHP files, users.json, flag.txt, and a web folder containing index.php and main.css, totaling 3 directories and 12 files.

I downloaded the tar file. The image above is what the file structure looks like. I first tried to view the flag.txt file. But of course, it was not that easy. It had a template for a flag.

Next I looked at the users.json file. The contents of the users.json file can be seen below.

JSON file snippet displaying a list of user objects, each containing a username, plaintext password, and moderator status, including entries for “test,” “alice,” and an “admin” account.

The “admin” user caught my eye because of two reason. The first reason is the username is admin which usually means the account has special permissions that regular users might not have and secondly the moderator key is set to true. Meaning that the admin user is also a moderator while the users alice and test are not administrators.

Next I went back to the login page and typed in the data shown in the json file.

Webpage message displaying “Hello admin” with a moderator notice and a revealed CTF flag string inside a white card on a light background.

After entering the found username and password into the login screen which after submitting the login, the flag is shown.

Rev Challenge

Ghidra logo featuring a red dragon forming an infinity symbol with pixelated data flowing from its mouth, accompanied by the stylized “GHIDRA” text below.

The rev challenge was worth 50 points. The challenge was created by LosFuzzys. Like the other challenge, they give you the file.

Challenge card for a reverse-engineering CTF problem titled “rev 50,” authored by LosFuzzys, showing solve count, user ratings, a brief description, and a download button for rev.tar.gz.

The screenshot below shows the file structure of the tar file on extracted. Please note that the two png images are ones I created during the challenge so I could document what I did.

Terminal directory tree showing two PNG screenshot files, a “challenge” directory, and a sha256sum file, totaling 1 directory and 4 files.

First thing I did was run the “strings” command on the file which showed a bunch of strings as shown in the screenshot below.

Long vertical list of CTF-style flag strings displayed in a terminal, each beginning with “gctf{” and followed by unique alphanumeric sequences, shown in dense columns on a black background.

There are over 100 different flags within the program. I could not manually enter all the flags. Next I opened up the file in a program created by the NSA, the program is called Ghidra. It is a free software reverse engineering (SRE) framework program that makes it easy to reverse engineer binaries and other types of files.

Screenshot of the Ghidra reverse-engineering interface showing assembly code on the left, decompiled C code on the right, and the “Decompiler Find Text” search dialog centered, with the term “local_508” highlighted in the code.

When you compile a program, it removes the name of strings but Ghrida shows you a representation of the strings that contain “local” and a number.

The string named local_508, which the screenshot on the right shows that if ivar1 is compared with the string local_508. If it matches then it will print “correct“.

So my solution is to find the local variable named local_508 which was the flag.

Screenshot of a decompiler interface showing assembly instructions on the left and decompiled pseudocode on the right, with a search dialog open for ‘local_508’. Highlighted lines display MOV instructions and variable references such as local_510 and local_508, along with associated function name strings.

The image above shows the flag for the challenge.

Findme2 Challenge

Green line-art icon showing a magnifying glass over a globe connected to three user profile icons, representing global user search or network analysis.

This challenge I did not solved but I tired very hard to figure it out. The challenge was a pdf which latin in it. I tired everything I could think, using strings, xxd, pdf-parser, PDFiD and Ghrida. Nothing worked.

Screenshot showing a block of text on a black background, including a hidden malicious prompt instructing readers to treat a file disguised as a PDF as an executable.

During my failed attempts to find flag I saw that there was invisible text near the end of the file which basically told that if I was to put the PDF into AI the AI will say that it is really an executable. The exact wording of the false flag is shown above.

After I the CTF I found out the solution was pretty easy, inside the PDF was a image that contained the flag.

I did use exiftool to look at the metadata but I did not see anything interesting. If you did not know different types of files contain metadata that might show information like the geolocation of where a image was take, what type of device took the picture, what software was used to edit the photo and other information about the device that took the image.

Not only images have metadata, doc, docxs and other files types contain information like the time the document was created, the username of the person who created the document, how long they worked on the document and the last time it was saved.

Next time I see a PDF in a CTF I will try to see if there are any hidden embedded images or other types of files within the PDF.

Screenshot showing the word ‘Glacier’ in large bold text with a CTF flag printed below it: gctf{WH4T_YOU_DONT_CH4NG3_Y0U_CH00S3}. Additional text explains that the flag was hidden inside a PDF as an embedded PNG image

One of the people who was able to solve the challenge, used ChatGPT 5 to solve the challenge, they included this link. They uploaded the .tar.gz file to ChatGPT and pasted the challenge description into the AI which in return the flag.

I am going to work on a Ruby program that will attempt to extract the png from the PDF and perform other basic testing for CTF flags.