+which just says they pasted the ascii of the flag chars in the document itself with an arbitrary 0 as delimiter
+
+~~why would anyone ever make such an annoying way of encoding things zzz the ordinals of the flag chars literally have 0s in it and its not even novel~~
+
+anyways with such a *unique* encoding method the fastest way was to manually extract it by identifying the range of the decimals that were likely a flag char *one by one*
+
+sooo lol `magpie{why_d1d_1_0p3n_th1s_m4cr0_TWT}`
+
+* * *
+
+*as you can see im totally not upset at the challs in this ctf*
+
+most of the challs got wiped coz of how easy it is by the time i could work on the ctf since i came in like 30 mins late compared to my other teammates
+
+and the rest was just generally a nightmare of some sort lol
+
+i actually co-solved more challs than those ive written here but alas the parts i worked on on those were just either not that interesting or plain tedious
+
+
+### take a wild guess
+
+honestly one of the nicer challs in this ctf tbh
+
+like it actually feels like a normal beginner chall for once and not either blatantly obvious or with entirely artifically inflated difficulty
+
+anyways the main func is where everythings living in - it looks kinda yikes for a beginner chall on first glance with a ton of string operations, but we can easily infer the following from the decomp:
+
+ - its a flag checker (the signature if else success/failure msg prints)
+ - there exists inlined data that looks very similar to some sort of flag data to compare against at the top
+ - most of the operations operate on the input we gave, and only one single xor operation was done on the flag data before comparison
+
+using this, we can whip up a z3 script ~~which was probably overkill but i was also too sleepy to figure out the inverse of the xor operation myself lmao not to mention even with this i saw 40 as 0x40 and got confused for way too long anyway so i never trust my math anymore~~:
+and yep it is lmao we just bypassed the need to reverse all the base64 code
+
+`magpie{b45364_3ncryp710n-rul35!}`
+
+~~in hindsight the alphabet they gave there (`ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/`) shouldve been a good hint that its just base64 but lmao~~
+
+
+### satshell
+
+oh boy here we go time for the wackier challs
+
+this chall on its own isnt *too* bad but everything bundled together ended up being very annoying lol
+
+the wacky manual that was apparently wrong in a lot of places according to including the block diagram which was critical, ambiguous wording on how the operations shouldve actually been done, a given binary that basically was just entirely red herring since the logic was hidden in remote in a shared library, and the last straw being the math ended up just plain wrong on remote
+
+like this chall is pretty interesting in theory but the execution was genuinely just iffy lol
+
+we got the solve script a whole day before we actually solved it yet we just doubted ourselves on vector math until we realized it wasnt even our fault to begin with
+
+at least the chall author was genuinely really nice and apologetic wrt the
+
+and well its also our fault for not reaching out earlier anyway
+
+i do find it kinda funny how everyone was stuck on the math that the moment it was fixed 3 teams solved it instantly lol
+
+and we got sniped by 2 mins coz i couldnt find the right version of the script that wasnt just testing codes lmao
+
+im pretty sure we wouldve got the first blood too seeing from the discussion after the ctf coz most teams solved it day of the issue being fixed
+
+* * *
+
+anyway the gist is you are given a partially burnt manual about a satellite that has its own architecture ~~that has visible lorem ipsums btw which was kinda funny~~, and a client binary that interacts with the satellite
+
+the goal is to align the satellites using the information given in the client terminal by running debug shellcode directly on the satellite from analysing the manual
+
+and since the manual is partially burnt only a very limited amount of instructions are documented and no information about how the instructions are encoded was present aside from a block diagram of how the cpu is implemented
+
+~~which illustrated just the fully unburnt instructions btw with the rest of the partially visible instructions being impossible to encode with the scheme shown and also apparently had bugs according to [@Kevin](https://maplebacon.org/authors/Kevin/)~~
+
+so the approach is to figure out the encoding of the available instructions from the block diagram, get an arbitrary write primitive with them to the rotation registers since the available instructions modify only parts of the registers and the satellites already had some rotation to it, and perform vector math to align the satellites according to the graph given to us through the client
+
+parsing the client was really straightforward, and [@Kevin](https://maplebacon.org/authors/Kevin/) figured out the encoding pretty much instantly too, so all thats left was vector math
+
+the math we had to do was some sort of vector to angle conversion, since we have the 2 points given by linking the current satellite to the next, but we dont really know what angles they exactly want - the angles given could be any of the following:
+
+ - euler rotation angles
+ - 2D angles of one of the boards given through the client which encodes the (XZ, XY, YZ) planes
+ - 3D angles
+
+all of which are against the respective axis vectors since we need 3 angles
+
+3D angles sounded the most logical, except 3D angles have no direction so it would be [0, 180] and wouldnt have been possible to get an angle of the range [0, 360] as shown with the existing rotation angles of the satellite
+
+so we were just testing out every one of them and sanity checking if we were doing the math wrong ourselves, made some coding mistakes, or if that wasnt the right method at all
+
+which ended up taking us a good few hours until the next day, where i got pretty fed up and decided to open a ticket to ask
+
+and from the top of this comment you know what ended up happening lmao
+ #calculate actual degrees we need to rotate from the current rotation the satellite is already having, since we can only add to the rotation registers not set them
+
+ #as_euler is -180 - 180 not 0 to 360
+ #diff_degs = [((((t + 180) - c) + 360) % 360) for t, c in zip(target_degs, curr_degs)]
+ diff_degs = [(((t - c) + 360) % 360) for t, c in zip(target_degs, curr_degs)]
+
+ print(diff_degs)
+
+ #convert to shellcode
+
+ target = [np.array([v], np.float16).tobytes() for v in diff_degs]
+im leaving in all the wrong math that ive attempted to immortalize the amount of pain we went through lmao
+
+its not even all of them either ive deleted a ton of them already since it was clogging up the script
+
+
+### knock knock
+
+this one is genuinely more forensics than networking if i can even call it forensics to begin with
+
+the part 1 of this chall literally involves absolutely no internet concepts aside from one little WAF bypass that aint even technically networking coz its not protocol related
+
+* * *
+
+anyways we are given a site to connect to, which can run arbitrary bash commands
+
+except sometimes it just throws a HTTP 403
+
+which we eventually figured out was some form of weird filtering, and [@ayna](https://maplebacon.org/authors/aynakeya/) quickly figured out encoding the index.php with base64 can bypass the filter easily
+
+so i extended that method to smuggle all of the commands since it seems like both inbound and outbound data can be smuggled with base64, and made a script for basically a scuffed reversed shell
+after this we have absolutely no idea what to do - we have arbitrary access to the server which is usually the end goal itself, but theres basically nothing resembling a flag with a fair bit of digging
+
+until we realized theres a message.txt that is in another user's directory, and weird tcpdump perms exist
+
+we still thought this is some form of internet related chall at this point, so my thought was to see if theres any way we can privilege escalate through some exposed service that is only accessible locally
+
+but theres no netstat or ss, and `/proc/net/tcp` didnt have much either aside from connections presumably from reverse shells and a lot of apache instances
+
+there was also a session cookie that was base64 encoded to be an ip, so we were thinking whether we need to leak something from that host too but theres no curl on the server and the endpoint seems largely irresponsive without port scanning
+
+*which pretty much right after we got an announcement right after this that scripted enumeration local or remote arent allowed, which wasnt stated in the rules anywhere btw*
+
+so thats a dead end
+
+and then we got an even funnier announcement: priv esc to root was not allowed, and the chall would be taken down until they figured out what to do with it (which would be after most organizers have woken up) :clown:
+
+apparently some team priv esc'd to root with a misconfiguration on the host, and they didnt have enough protections on the host against that so they were panicking lmao
+
+anyway we were fully expecting this chall to be in the grave considering this ctf is only 48h and reopening it wouldve been unfair considering we get much less time to work on this than other challs but they have the same dynamic scoring
+
+but then another announcement came up a few hours before saying its being redeployed with no compensation and also with officially root off limits now :clown: :clown:
+
+also with this redeployment the session cookie is now gone, which means that dead end is even more dead now
+
+so its time for even more poking to see in what way we can priv esc to the correct user and not root and without scripting
+
+which came up fruitless regardless
+
+at this point we were on the verge of giving up on this chall but then we literally had like 2 challs left only and this is one of them
+
+but i just couldnt be assed to work on it so i went to sleep anyway
+
+turns out [@Kevin](https://maplebacon.org/authors/Kevin/) figured out how we would priv esc to the other user during my sleep LOL
+
+the password was literally just sitting in `/opt/backup`
+
+which after `su`ing with it the message.txt i found sus indeed had the first part of the flag
+
+like how is this a networking chall at this point??????
+
+anyway remember how i mentioned tcpdump had weird perms
+
+[@ayna](https://maplebacon.org/authors/aynakeya/) was playing around with it before he went to sleep since the user we are now in has perms for it
+
+which he found a really weird stream of data that mentions something about "sending this message as a secret" from `sneaky-messager.super-secure-network` but nothing indicative of a flag anywhere
+
+so i picked up on his work and tried to analyse the ICMP packets he got by actually dumping a pcap and exfiltrating it with the reverse shell i had so i can use wireshark with `tcpdump -w /run/lock/data -nnA dst 172.16.238.10 && net 172.16.238.0/24`
+
+and pretty much right after i saw what looks like flag chars in one of the ICMP fields lol
+
+which was easily extractable from the pcap with a scapy script
+
+```py
+from scapy.all import *
+
+pcap = rdpcap('dump.pcap')
+
+data = [p[ICMP] for p in pcap if ICMP in p]
+
+print(b''.join([bytes([d.id]) for d in data]).split(b'}'))
+```
+
+`magpie{y0u_h4v3_7h3_p0w32_70_54v3_7h3_w021d}`
+
+like genuinely if this chall was just the second part i wouldnt have been this mad lol coz it actually resembles a networking chall
+
+meanwhile with the entire thing its literally just guessing all the way
+
+like this is not pentesting but a ctf chall dude throwing an entire system at us with basically no pointers will never end well