back to blog

DownUnderCTF 2025 — YoDawg (147 pts)

September 1, 2025 ctfdownunderctf-2025miscdockercontainer-escape

Description

Dear CSI,

We found this file on a USB drive, it seems to be some sort of gamified cyber skilled based learning system thingy?

Maybe if all of the challenges are sold we will get some answers, or maybe it is just the friends we make along the way.

Note - This may produce false positives with your virus scanner.

Regards,
Nosurf

Attachments

Solution

We were given a zip file. Inside, we get several files as follows

jedi@aqua: /mnt/d/CTF/ductf/misc/yo-dawg
$ ls                                                                                                         [19:07:38]
'Yo Dawg.deps.json'  'Yo Dawg.dll'  'Yo Dawg.exe'  'Yo Dawg.runtimeconfig.json'

jedi@aqua: /mnt/d/CTF/ductf/misc/yo-dawg
$ file Yo\ Dawg.dll                                                                                          [19:07:39]
Yo Dawg.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

jedi@aqua: /mnt/d/CTF/ductf/misc/yo-dawg
$ file Yo\ Dawg.exe                                                                                          [19:07:53]
Yo Dawg.exe: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections

We see that the .dll is a 32-bit .NET assembly, while the .exe is a 64-bit native Windows GUI executable.

Here, i have 2 approach

  1. Open the .dll using dotpeek
  2. Run the .exe file and see how it works

When we open the .dll file using dotpeek, we see that there are several “form”. In form1, we saw this

There is a variable named lbCTFTitle.Text, and the value is YO DAWG CTF 2025

There is also a function d() that probably list the challenge inside

When we try to run the .exe file, we saw this

From here, we can assume that we need to get the flag of each challenge to get the flag

Welcome

Heard you like CTFs, so here's another CTF in the DUCTF!

The flag format for this CTF is ydctf{some_text}

Good luck! ...oh, your first flag? Here it is! 

ydctf{s0mething_1s_wr0ng}

We get the first flag by simply copy and paste it

ydctf{s0mething_1s_wr0ng}

Hidden

There's a flag somewhere hidden here...

I wonder where it is?

Time to channel Inspector Morse!

Flag format: ydctf{...}

To find the flag, we need to check dotpeek again. We see in the variable lbHidden.Text, there is a morse code.

We can try to convert it to get the flag

YDCTF{HIDDENFLAGNOTSOHIDDEN}

Deeper

I wonder if you're connected to the Internet...

Can you solve the easiest RSA ever? Go get it :)

http://pastebin.com/tK8PFRhA

Inside the pastebin, we get this data

n = 134995596339263906364650042879218690804636051969803060327341006918906219701871373267641203454219249589885364856414727976145795558649019334400706818997156295194002540549348224335820431341746858682831145870760296688552893053945533239982236058292620771496924967301973679586874984087016314758930354348923476779669
e = 65537
c = 69942350419946767506345128529425495489283491089474687791937626592410531523906950815924944348938594154233834152367027685926503406302513787705918832376135541106323504321024539733768444780639669173742768253534729267483408610794975624076605589114620168690234573082137589585730517788273985226086330327586276612491
p = 12347237270477958961788304962214070527659642053458163016362914018933001634467295346381421813235616243811654194550990042394688050113879996006954916978208993
q = 10933263318915572696351286556191402769398472611952670383866334702901100179649513873715034012424560855818813105922996981430536446597319054410065510024545333

We simply need to decrypt c using p and q. This is the solver that i use

from Crypto.Util.number import inverse, long_to_bytes

n = 134995596339263906364650042879218690804636051969803060327341006918906219701871373267641203454219249589885364856414727976145795558649019334400706818997156295194002540549348224335820431341746858682831145870760296688552893053945533239982236058292620771496924967301973679586874984087016314758930354348923476779669
e = 65537
c = 69942350419946767506345128529425495489283491089474687791937626592410531523906950815924944348938594154233834152367027685926503406302513787705918832376135541106323504321024539733768444780639669173742768253534729267483408610794975624076605589114620168690234573082137589585730517788273985226086330327586276612491
p = 12347237270477958961788304962214070527659642053458163016362914018933001634467295346381421813235616243811654194550990042394688050113879996006954916978208993
q = 10933263318915572696351286556191402769398472611952670383866334702901100179649513873715034012424560855818813105922996981430536446597319054410065510024545333

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
plaintext = long_to_bytes(m)

print(plaintext)

ydctf{rsa_erry_day}

Even Deeper

Tell me your username

The flag format for this CTF is ydctf{yourusername}

To find out more about this challenge, we need to check dotpeek once again

In the Form2, we see this code

The code use Environment.UserName.ToLower() function, which is used to get the Windows username of the current user. So, we just need to check our own username and submit it as the flag

ydctf{}

Truth from Vaas

Did I ever tell you the definition of insanity?

Who was the voice actor who played Vaas Montenegro?

The flag format for this CTF is ydctf{firstname_surname}

For this, we just need to search in the google for the answer

ydctf{michael_mando}

Salads

I'm always thinking about food, this isn't helping...

I got passed this note when I was working at the cafe, what kind of salad is this?! Can you decrypt?:

putkw{jltyzjczwv}

This is a reference to Caesar Salad, so we can assume that this is Caesar Cipher

ydctf{suchislife}

Pretty scary now :fearful:

Passwords

Another breach, another password reset. I wonder what password they grabbed?

5E320E0CCC5EE5291FAE1E60A1CD72EB1F6FA4AE26EA180F86CE694832DC4E72DCCFDBF3EABBE12FD86F1D51806F15F3294C5F7038BF21DA6AA75D1F09DF07C2

Flag format: ydctf{...}

We were given a hash. We can check it using CrackStation

ydctf{ihatehackers}

Rotten

Study Cyber they said. Get to hack stuff they said. Then why am I needing to decode ciphers? HOW IS THIS HELPING?

I mean, can you solve the following?

J54E7L5@0J@F0ECFDE0>J04@56nN

From the title of the challenge, i assume that this is a ROT (rotate) cipher. We can try to decode it. But first, we need to identify what ROT is this

Using Cipher Identifier, we can see that there is a chance this is related to ROT-47 Cipher

We use the ROT-47 decoder, and we manage to get the flag

ydctf{do_you_trust_my_code?}

Inception

We now able to click the last challenge in the right bottom corner

After we click it, we get a new challenge called HACKER CTF 1995.

We need to answer all of the challenge to finally get the flag

DES ENCRYPTION

Can you DES? CMpZlgYbgEc6eTSNUPXvww== with key 'hack\0\0\0\0' (the \0 is the padding)

We can use DES Decryptor to do this

flag{des4eva}

DEFCON 3 QUIZ

Which Casino is hosting (one word)?

We need to search in google about the Casino that host DEFCON 3. We find out the place that host DEFCON 3 is Tropicana Resort & Casino

Tropicana

MOVIE QUIZ

What is the best line in the Hackers movie (three words)?

Another question that force us to use our googling skill. We see that the “best line” with three words is Hack the planet!

Hack the planet!

Finally, we get the ciphertext for the Flag. So, we can just check it using the DES Decryptor earlier that we get

Flag

DUCTF{1995_to_2025}