THJCC 2026 CTF Writeup
CTF Event Info
| CTF Organizer | CTF Team | CTFTime URL | CTF Platform |
|---|---|---|---|
| Taiwan High School Joint Cyber Championship | KSAL Cyber Team | ctftime.org/event/3088 | ctf2026.thjcc.org |
During THJCC 2026, I participated in multiple challenges across forensics and steganography categories.
Due to guest participation constraints and limited time during the event, my contributions were focused on specific technical components rather than full end-to-end ownership of every challenge.
This post documents two challenges where I directly contributed to solving key technical portions:
- CoLoR iS cOdE (500 pts)
- SSTV Audio Challenge
1. CoLoR iS cOdE (500 pts)
Challenge Information
- Category: Forensics / Steganography
- Points: 500
- Artifact: THJCC_CoLoR_iS_cOdE.zip
- Hint: colors can say a lot
ZIP Exploitation
The archive was password-protected and contained a single encrypted PNG file: rainbow.png.
Since PNG files have a known header signature:
89504E470D0A1A0A0000000D49484452
I performed a known-plaintext attack against ZipCrypto using bkcrack.
This allowed recovery of the internal encryption keys and full
decryption of the archive without knowing the original password.
EXIF Payload & Ook → Brainfuck
Inside the extracted PNG, an eXIf chunk contained a long string of Ook. syntax.
Mapping Ook instruction pairs to Brainfuck operations and executing the decoded program revealed:
THJCC{c0lorfU1_col0rfu!\_c0}
Pixel-Based Steganography
The top band of the image encoded ASCII characters via pixel frequency:
- 26 vertical columns
- Each column 12×12 pixels
- Count most frequent non-black color
- Convert count to ASCII
Recovered second half:
!0rful_img_m4d3_by_p1e7:>}
Final Flag
THJCC{c0lorfU1_col0rfu!_c0!0rful_img_m4d3_by_p1e7:>}
2. SSTV Audio Challenge
Challenge Information
- Artifact: output.flac
- Duration: ~115 seconds
- Sample Rate: 48kHz
- Channels: Mono
Signal Analysis
Initial transcription attempts yielded nothing meaningful.
Generating a spectrogram (900--2500 Hz range) revealed SSTV-like signal patterns, indicating an encoded image within the audio.
SSTV Mode Forcing
Automatic VIS detection failed, so I manually forced common SSTV modes:
- M1
- M2
- S1
- S2
- SDX
- R36
- R72
Mode M1 successfully rendered the hidden image.
Final Flag
THJCC
Contribution Context
My contributions during THJCC 2026 were focused and technical rather than massive in scale.
Due to guest participation limitations and time constraints, I concentrated on:
- ZIP cryptanalysis
- EXIF payload extraction
- Esoteric language decoding
- Signal analysis & SSTV reconstruction
- Automation scripting for forced decoding modes
Even when contributions aren't massive in volume, depth matters --- and this competition reinforced that lesson.