CoLoR iS cOdE
Challenge Information
| Challenge Name | Category | Points | Artifact | Hint |
|---|---|---|---|---|
| CoLoR iS cOdE | forensics / steganography | 500 | THJCC_CoLoR_iS_cOdE.zip | colors can say a lot |
1. Inspect the ZIP file
The first thing I saw was the password-protected ZIP file.
At 500 points, brute-forcing didn't make much sense, so I was already thinking:
- either crypto is weak
- or there's some trick
To confirm what was inside, I ran:
```python
import zipfile

# List each entry with its encryption flag (general-purpose bit 0) and size.
z = zipfile.ZipFile("THJCC_CoLoR_iS_cOdE.zip")
for i in z.infolist():
    print(i.filename, bool(i.flag_bits & 0x1), i.file_size)
```

The output showed:
- Entry: rainbow.png
- Encrypted: True
So it was using classic ZIP encryption, most likely ZipCrypto, not AES. That's important because ZipCrypto is weak.
2. Known-Plaintext Attack
Since the archive only contained a PNG, I immediately remembered:
- PNG files always start with the same magic header.
PNG header:
```
89504e470d0a1a0a0000000d49484452
```

That means we already know the first bytes of the plaintext. So I thought:
- If this is ZipCrypto, I can recover the internal keys using a known-plaintext attack.
I used bkcrack:
```powershell
.\bkcrack\bkcrack-1.8.1-win64\bkcrack.exe `
  -C THJCC_CoLoR_iS_cOdE.zip `
  -c rainbow.png `
  -x 0 89504e470d0a1a0a0000000d49484452
```

It successfully recovered the internal keys:

```
d3b0bb05 2e88b90e ed7f7e33
```

That confirmed my suspicion. It was vulnerable ZipCrypto.
3. Decrypt Archive
Now that I had the internal keys, I didn't need the password anymore.
```powershell
.\bkcrack\bkcrack-1.8.1-win64\bkcrack.exe `
  -C THJCC_CoLoR_iS_cOdE.zip `
  -k d3b0bb05 2e88b90e ed7f7e33 `
  -D THJCC_CoLoR_iS_cOdE_decrypted.zip
```

After extraction, I finally had access to:
rainbow.png
Now the real puzzle started.
4. EXIF Payload
Opening the PNG normally didn't immediately reveal anything.
So I inspected its structure and metadata. Inside the eXIf chunk, I found a long UserComment string written entirely in Ook. Ook? Ook! ....
That's not random. That's Ook, a language equivalent to Brainfuck.
At that point my thinking was:
- Okay, this is deliberate.
- If it's Ook, it probably decodes to something meaningful.
I mapped Ook instruction pairs to Brainfuck operations and executed the decoded program.
The result was:
```
THJCC{c0lorfU1_col0rfu!_c0
```

That's part of the flag but incomplete.
So I knew the image must contain another layer.
5. Pixel Frequency Encoding
The hint said:
```
colors can say a lot
```

So I zoomed into the image and noticed a structured top band made of colored blocks. It wasn't random.
There were:
- 26 vertical columns
- Each column was 12x12 pixels
That looked extremely intentional. So my hypothesis was:
- Each column probably encodes one ASCII character
I tested that idea by:
- Counting the frequency of each color in a column
- Ignoring black
- Taking the most frequent non-black color
- Converting that count to ASCII
That worked. It produced:
```
!0rful_img_m4d3_by_p1e7:>}
```

That confirmed the encoding logic was correct.
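The column decoding from step 5, as an added Python example that is not the author's script. It assumes the band has already been loaded as rows of (r, g, b) tuples starting at the image's top-left corner; `decode_band` and `make_band` are hypothetical names, and `make_band` builds a constructed test band instead of reading rainbow.png.

```python
from collections import Counter

BLACK = (0, 0, 0)
BLOCK = 12  # each column of the band is 12x12 pixels, per the writeup


def decode_band(pixels, block=BLOCK, ignore=BLACK):
    """Decode a band of block x block columns into text.

    pixels: list of rows, each row a list of (r, g, b) tuples.
    For every column, the pixel count of its most frequent
    non-black color is taken as one ASCII code.
    """
    if len(pixels) < block or len(pixels[0]) % block:
        raise ValueError("band is not a whole number of blocks")
    out = []
    for x0 in range(0, len(pixels[0]), block):
        counts = Counter(
            pixels[y][x]
            for y in range(block)
            for x in range(x0, x0 + block)
            if pixels[y][x] != ignore
        )
        if not counts:              # column holds only the ignored color
            out.append("?")
            continue
        _, n = counts.most_common(1)[0]
        out.append(chr(n))
    return "".join(out)


def make_band(text, block=BLOCK):
    """Constructed input: encode text the same way, with a little noise."""
    rows = [[] for _ in range(block)]
    for i, ch in enumerate(text):
        n = ord(ch)                 # number of pixels of the main color
        main = (50 + (i * 7) % 200, 255 - (i * 9) % 200, 128)
        noise = (1, 2, 3)           # minority color that must not win
        cells = [main] * n + [noise] * 5 + [BLACK] * (block * block - n - 5)
        for k, px in enumerate(cells):
            rows[k // block].append(px)
    return rows


if __name__ == "__main__":
    band = make_band("!0rful_img_m4d3_by_p1e7:>}")
    print(len(band[0]) // BLOCK, "columns ->", decode_band(band))
```

A 12x12 column holds 144 pixels, so every printable ASCII code (up to 126) fits as a pixel count.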
Final Flag
Combining both parts:
```
THJCC{c0lorfU1_col0rfu!_c0!0rful_img_m4d3_by_p1e7:>}
```