BreizhCTF 2026 - Ghost Operator

Ghost Operator

  • Difficulty: Medium
  • Category: Forensic
  • Author: Lamarr

Description

Breizh Aero Survey operates a fleet of 5 mapping drones (ALPHA, BRAVO, CHARLIE, DELTA, ECHO) along the Breton coast. The aircraft communicate with the ground station via a standard aeronautical telemetry protocol.

This morning, during a routine flight, one of the drones stopped responding to commands and left its trajectory heading toward an isolated area. The network team had an active tcpdump on the drone/ground link during the incident.

BreizhCTF 2026 - Keys, Keys, Keys

Keys, Keys, Keys

  • Difficulty: Easy
  • Category: Forensic
  • Author: Zlippy

Description

A white living-room console from the mid-2000s, famous for its motion controller, was briefly “borrowed” from its owner. A partial dump of its external storage is provided.

Your mission: identify the name of the game being played, and recover a second flag fragment hidden in the artifacts.

Flag format: BZHCTF{GameName_artifact}

Files:

  • image.dd

Solve

Step 1 — Identify the image

file image.dd
# image.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", FAT (32 bit)

A FAT32 partition image. Mount it to explore its contents:

BreizhCTF 2026 - Phantom Process

Phantom Process

  • Difficulty: Medium
  • Category: Forensic
  • Author: Lamarr

Description

The operations server of Breizh Aero Survey (ops-srv01) has been showing suspicious outbound HTTPS connections to an unknown IP for a few days. The IT team captured a memory dump with LiME before isolating the machine.

Your mission:

  • Identify the initial infection vector
  • Find the implant running on the server
  • Extract the flag from the exfiltrated data

Files:

  • debian-6.1.0-44.json — Volatility 3 ISF profile for the Debian 6.1.0-44 kernel
  • evidence.lime — memory dump in LiME format

Solve

Setup — Volatility 3

The .json file is an ISF (Intermediate Symbol File), the profile format used by Volatility 3.

BreizhCTF 2026 - Seems Empty

Seems Empty

  • Difficulty: Very Easy
  • Category: Reverse
  • Author: AntwortEinesLebens

Description

During an audit, a strange binary was only displaying a bland message. No network activity, no suspicious writes — nothing but perfectly harmless output. Dismissed among unremarkable artifacts, it was nonetheless tampered with by a malware group.

Even what seems empty can hide a secret.

Files:

  • seems-empty.pyc — Python bytecode compiled for CPython 3.12

Solve

Step 1 — Reconnaissance

file seems-empty.pyc
# seems-empty.pyc: Byte-compiled Python module for CPython 3.12 or newer,
# timestamp-based, .py timestamp: Sun Apr  5 12:20:40 2026 UTC, .py size: 1132 bytes

A .pyc is a compiled Python file (bytecode). The source text is not directly readable. First reflex: run strings to look for readable hints.

BreizhCTF 2026 - Totally Secure

Totally Secure

  • Difficulty: Easy
  • Category: Forensic
  • Author: Zlippy

Description

A friend set up his own “secure” server using copy-paste and ChatGPT prompts. He’s very proud and keeps saying everything is “encrypted” and nobody can see anything on the network.

He shared a network capture and some files recovered from his machine, convinced you won’t understand a thing. Your mission: prove him wrong and recover what was traveling through his supposedly unbreakable communications.

HeroCTFv6 - Einstein

Writeup - Einstein

Difficulty: very easy

Statement

  1. The laws of physics are the same for all observers in any inertial frame of reference relative to one another (principle of relativity).
  2. The speed of light in vacuum is the same for all observers, regardless of their relative motion or of the motion of the light source.

Source: https://en.wikipedia.org/wiki/Theory_of_relativity

Credentials: user:password

Deploy on deploy.heroctf.fr

  • Format: Hero{flag}
  • Author: Log_s

Solve

ssh [email protected] -p 13285

We notice a SUID bit on the learn binary. The SUID (Set User ID) permission in Unix/Linux is a special file permission used mainly for executable files. When the SUID bit is set on an executable file, it allows users to execute the file with the permissions of the file’s owner rather than with the permissions of the user running it.