Cyscom
Cybersecurity Student Community of VIT Chennai
Home FinalTrace 2025 Reflection Logs

Reflection Logs

  • Category: Forensics
  • Author: Rithvik

Challenge Description

A fragment of Lyra’s message is buried under multiple layers of compression and presented as a hexdump (tryme.hex, xxd format, ASCII column included). Players must reverse the hexdump, identify the gzip layer, decompress it to reveal a bzip2 file, and then decompress that to recover a text file encoded twice in Base64. Decoding it twice reveals the final flag.

Solution

Initial Analysis

The provided file is a plain-text hexdump generated by xxd, which includes both hexadecimal bytes and an ASCII column. This indicates the original content is binary data encoded as text. The job is to reverse the hexdump to its binary form and peel back compression layers until the Base64 text is reached.

Tools Used

  • xxd (to reverse the hexdump)
  • file (to inspect file types via magic bytes)
  • gunzip / gzip -d (to decompress gzip archives)
  • bunzip2 (to decompress bzip2 archives)
  • base64 (to decode the encoded text)

Step-by-Step Solution

Step 1: Reconstruct the binary from the hexdump

xxd -r tryme.hex > stage0.bin
file stage0.bin

What this does: xxd -r converts the textual hexdump back into the original binary file. Running file on the result reveals the binary’s type by checking magic bytes.

Expected output:

stage0.bin: gzip compressed data, from Unix, last modified: ...

Step 2: Decompress the gzip layer

# Option A — rename then gunzip (safe and explicit)
mv stage0.bin stage0.gz
gunzip stage0.gz
# This produces 'stage0' (gunzip only restores the filename stored inside the archive when run with -N)
mv stage0 stage1.bz2

# Option B — decompress without renaming
gzip -dc stage0.bin > stage1.bz2

What this does: The gzip layer contains a .bz2 file. After decompression you should have the bzip2 file (e.g., stage1.bz2).

Verification:

file stage1.bz2
# Expected: stage1.bz2: bzip2 compressed data, ...

Step 3: Decompress the bzip2 file to get the Base64 text

bunzip2 -c stage1.bz2 > stage1.txt
# Writes the decompressed ASCII text to 'stage1.txt' (plain 'bunzip2 stage1.bz2' would name the output 'stage1')
file stage1.txt
head -n 5 stage1.txt

What this does: bunzip2 extracts the text file that contains the Base64-encoded flag (encoded twice).

Step 4: Decode the Base64 text twice

cat stage1.txt | base64 -d | base64 -d > flag.txt
cat flag.txt

What this does: The text is decoded twice using base64 -d. The final output reveals the hidden flag.
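
The same procedure as Steps 1 to 4, generalized into a Python helper that identifies each layer by its magic bytes and keeps peeling gzip, bzip2 and Base64 in whatever order they appear. This is an added example, not part of the original writeup; the function names are illustrative and build_sample constructs a stand-in for tryme.hex using the layering described in the challenge.

```python
import base64, binascii, bz2, gzip, re

GZIP_MAGIC, BZIP2_MAGIC = b"\x1f\x8b", b"BZh"  # the signatures `file` keys on

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from default `xxd` output: 'offset: hex groups  ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        # Take only the hex column; the two-space gap before the ASCII column ends the match.
        m = re.match(r"[0-9a-fA-F]+:\s((?:[0-9a-fA-F]{2,4} ?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def peel(data: bytes, max_layers: int = 16):
    """Strip gzip/bzip2/Base64 layers; return (payload, layer names in order)."""
    layers = []
    while len(layers) < max_layers:  # cap nesting depth on untrusted input
        if data.startswith(GZIP_MAGIC):
            data, name = gzip.decompress(data), "gzip"
        elif data.startswith(BZIP2_MAGIC):
            data, name = bz2.decompress(data), "bzip2"
        else:
            text = b"".join(data.split())  # base64(1) wraps its output lines
            if not text:
                break
            try:
                # Base64 has no magic bytes, so strict decoding is the only test:
                # a payload made purely of Base64 characters would be decoded once more.
                data, name = base64.b64decode(text, validate=True), "base64"
            except (binascii.Error, ValueError):
                break  # not Base64: treat what is left as the payload
        layers.append(name)
    return data, layers

def build_sample(flag: bytes = b"CYS{lyra_was_here}") -> str:
    """Constructed stand-in for tryme.hex (not the real challenge file)."""
    blob = gzip.compress(bz2.compress(base64.b64encode(base64.b64encode(flag))))
    rows = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {hexs:<39}  {asc}")
    return "\n".join(rows)

if __name__ == "__main__":
    payload, layers = peel(xxd_reverse(build_sample()))
    print(" -> ".join(layers), "->", payload.decode())
```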

Flag

CYS{lyra_was_here}
