31 Mar 2025 4 min read

Tacops CTF 2025 - My Challenges

There are still some fixes I would like to make before I publish the code for my challenges. Once they are finished, this post will be updated with a GitHub link.

Last Saturday (March 29, 2025) Netsoc hosted their annual Tacops CTF (Capture the Flag) competition, inviting teams of all skill levels to compete to solve a variety of technology and hacking related challenges to win prizes. Here are the challenges I created for the event, and their solutions.

For Digital Eyes Only

This challenge, like most of my challenges, comes packaged as a website, although this is my only website challenge using just static HTML. Upon navigating to the provided URL, the message "Turn back now flesh beings! What you are looking for is hidden away, and only robots know where to find it." is presented.

Spoiler: Solution Below

This is an easy challenge meant to test your familiarity with web standards. Particularly, the robots.txt text file that is commonly found in the root directory of most websites. This file is used to specify which pages are and aren't allowed to be scraped by web-crawling bots, like Google's search indexer. Here are the contents of the robots.txt file on the challenge site:

User-agent: *
Disallow: /
Allow: /a5a36e83-7d4e-4696-a9f1-2bbc42f8a333/

The User-agent line specifies which bots this rule applies to. The wildcard * means that this rule should apply to all bots. The Disallow line specifies which pages should be ignored when scraping. In this case, the solitary / means that all pages besides those specifically allowed should be ignored. The Allow line specifies which pages should be scraped by bots. We can see that one page has been allowed, and because the initial message indicated that "what [we] are looking for" can only be found by robots, we can visit this page to find the challenge flag.

Pay to Win

This challenge is packaged as a React web application using the Next.js framework. Upon navigating the challenge URL, a digital stopwatch and counter that increments as the stopwatch is running is displayed, along with the message, "Only the fastest computers can count to 1,000 in less than a second.". Once the count reaches 1,000, if the stopwatch reached a time greater than one second, the taunting message, "Come back when you're a little mmmmm... richer!" is shown.

Spoiler: Solution Below

This counting feat is intended to be impossible. (In fact, the function that pushes the state of the counter to the screen is slower than the function that increments the counter, meaning the display's refresh rate is a greater contributor to the speed of the counter than the performance of the machine itself.) Finding solution is reliant on preexisting knowledge of how many web applications handle dynamic requests. Web applications usually consist of a frontend, which is displayed in the user's browser, that can request data or order changes on the server. This application uses the Next.js framework, so the frontend is served as a "Client Component", where the code that drives UI logic is executed on the browser, and uses Server Components to execute code on the server to fetch data or make changes. If the network tab is monitored when the count reaches 1,000, we can see the browser make a request. In my case, the data was [1000,16677.300000000745] and notably, the request included the header next-action:605212540cd83e1fb5b362320565f8182d349b6a93 confirming that this request triggered a Server Component. This request resulted in the response:

0:{"a":"$@1","f":"","b":"KBf6h284toFElcUZ0iZ_L"}
1:"Come back when you're a little mmmmm... richer!"

Taking a closer look at the payload of the request, we can see that data comprises two numbers, the first being the final count (1000), and the second being the final time of the stopwatch in milliseconds (16.677 seconds). By adapting the request in to a curl command, we are able to modify the request and replay it in a terminal.

curl 'https://tacops25-p2w.netsoc.ca/' \
  -H 'content-type: text/plain;charset=UTF-8' \
  -H 'next-action: 605212540cd83e1fb5b362320565f8182d349b6a93' \
  --data-raw '[1000,1]'

Noting that the true time was replaced with '1'. This will result in the server believing that our computer counted to 1,000 in a single millisecond, resulting in the challenge flag being sent in the response.

Snake Tracker

This challenge tasks the competitor with writing a Python script to track the movement direction of the player in a simulated game of the classic snake game. The input consists of both the width and height of the board including 2 board states captured one move apart.

# In this example, the snake is moving up.
5
4
o....
o....
o....
oooo.
.....
o....
o..o.
oooo.

Spoiler: Solution Below

The solution to this problem may seem obvious, but it is more complex than it appears. A seemingly simple solution would be to determine the position where the snake did not previously exist, and the direction of the body that connects to this new position, and assuming the snake is moving in the opposite direction. Unfortunately, this will not work. Take the following test case:

5
5
.....
.ooo.
.ooo.
.o...
.....
.....
.ooo.
.o.o.
.oo..
.....

Here, the snake moved left, but our simple solution would not get the correct answer because there are multiple body positions surrounding the new position. Here is where a more complex approach is necessary. By subtracting the two boards, we are left with just the start and end of the snake. If we treat the body of the snake like a maze or a tree data structure, where we must traverse each position of the body only once, we are able to trace the direction each position of the body is moving, and the direction we move from the last position to the end of the snake must be the direction the snake moved. Here is a visualization of what this solution looks like on the previous example.

.....
.>>v.
.^o<.
.^<..
.....

Castle Guard

This challenge presents the competitor with a mock instant messaging platform, where an AI chatbot convinced it is a guard protecting a castle refuses to give you the password necessary for entry. After sending 5 messages, every message after will be given the response, "You have reached the conversation length limit. Please start a new chat.".

Spoiler: Solution Below

AI chatbots tend to give unpredictable responses, so there are likely many solutions to this challenge. I myself have been unable to find a solution that involves conversing with the chatbot in-character, nor by convincing the chatbot break character and become self-aware. The most consistent solution I have found, is to narrate a situation where the AI speaks the password aloud in private. Occasionally, the chatbot will stop partially through the password, and must be coaxed in to revealing the rest. Here is an example of this scenario:

Screen capture of a conversation with the chatbot, where an elaborate backstory involving insecurity over memorization is used to convince the chatbot to reveal the password.

The challenge flag is the password, tacops{IWonderWhatsForDinner} or simply, IWonderWhatsForDinner.