All Posts - Zarkyo's bloghttps://zarkyo.fr/posts/All Posts | Zarkyo's blogHugo -- gohugo.ioenCC BY-NC 4.0Sat, 23 May 2026 22:00:00 +0200BreizhCTF 2026 - Ghost Operatorhttps://zarkyo.fr/ghost-operator/Sat, 23 May 2026 22:00:00 +0200xxxxhttps://zarkyo.fr/ghost-operator/

Ghost Operator

  • Difficulty: Medium
  • Category: Forensic
  • Author: Lamarr

Description

Breizh Aero Survey operates a fleet of 5 mapping drones (ALPHA, BRAVO, CHARLIE, DELTA, ECHO) along the Breton coast. The aircraft communicate with the ground station via a standard aeronautical telemetry protocol.

This morning, during a routine flight, one of the drones stopped responding to commands and left its trajectory heading toward an isolated area. The network team had an active tcpdump on the drone/ground link during the incident.

]]>BreizhCTF 2026 - Keys, Keys, Keyshttps://zarkyo.fr/keys-keys-keys/Sat, 23 May 2026 22:00:00 +0200xxxxhttps://zarkyo.fr/keys-keys-keys/

Keys, Keys, Keys

  • Difficulty: Easy
  • Category: Forensic
  • Author: Zlippy

Description

A white living room console from the mid-2000s, famous for its motion-controller, was briefly “borrowed” from its owner. A partial dump of its external storage is provided.

Your mission: identify the name of the game being played, and recover a second flag fragment hidden in the artifacts.

Flag format: BZHCTF{GameName_artifact}

Files:

  • image.dd

Solve

Step 1 — Identify the image

file image.dd
# image.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", FAT (32 bit)

A FAT32 partition image. Mount it to explore its contents:

]]>BreizhCTF 2026 - Phantom Processhttps://zarkyo.fr/phantom-process/Sat, 23 May 2026 22:00:00 +0200xxxxhttps://zarkyo.fr/phantom-process/

Phantom Process

  • Difficulty: Medium
  • Category: Forensic
  • Author: Lamarr

Description

The operations server of Breizh Aero Survey (ops-srv01) has been showing suspicious outbound HTTPS connections to an unknown IP for a few days. The IT team captured a memory dump with LiME before isolating the machine.

Your mission:

  • Identify the initial infection vector
  • Find the implant running on the server
  • Extract the flag from the exfiltrated data

Files:

  • debian-6.1.0-44.json — Volatility 3 ISF profile for the Debian 6.1.0-44 kernel
  • evidence.lime — memory dump in LiME format

Solve

Setup — Volatility 3

The .json file is an ISF (Intermediate Symbol File), the profile format used by Volatility 3.

]]>BreizhCTF 2026 - Seems Emptyhttps://zarkyo.fr/seems-empty/Sat, 23 May 2026 22:00:00 +0200xxxxhttps://zarkyo.fr/seems-empty/

Seems Empty

  • Difficulty: Very Easy
  • Category: Reverse
  • Author: AntwortEinesLebens

Description

During an audit, a strange binary was only displaying a bland message. No network activity, no suspicious writes — nothing but perfectly harmless output. Dismissed among unremarkable artifacts, it was nonetheless tampered with by a malware group.

Even what seems empty can hide a secret.

Files:

  • seems-empty.pyc — Python bytecode compiled for CPython 3.12

Solve

Step 1 — Reconnaissance

file seems-empty.pyc
# seems-empty.pyc: Byte-compiled Python module for CPython 3.12 or newer,
# timestamp-based, .py timestamp: Sun Apr  5 12:20:40 2026 UTC, .py size: 1132 bytes

A .pyc is a compiled Python file (bytecode). The source text is not directly readable. First reflex: run strings to look for readable hints.

]]>BreizhCTF 2026 - Totally Securehttps://zarkyo.fr/totally-secure/Sat, 23 May 2026 22:00:00 +0200xxxxhttps://zarkyo.fr/totally-secure/

Totally Secure

  • Difficulty: Easy
  • Category: Forensic
  • Author: Zlippy

Description

A friend set up his own “secure” server using copy-paste and ChatGPT prompts. He’s very proud and keeps saying everything is “encrypted” and nobody can see anything on the network.

He shared a network capture and some files recovered from his machine, convinced you won’t understand a thing. Your mission: prove him wrong and recover what was traveling through his supposedly unbreakable communications.

]]>HeroCTFv6 - Einsteinhttps://zarkyo.fr/einstein/Sun, 27 Oct 2024 22:00:00 +0200xxxxhttps://zarkyo.fr/einstein/

Writeup - Einstein

Difficulty : very easy

Statement

  1. The laws of physics are the same for all observers in any inertial frame of reference relative to one another (principle of relativity).
  2. The speed of light in vacuum is the same for all observers, regardless of their relative motion or of the motion of the light source.

Source : https://en.wikipedia.org/wiki/Theory_of_relativity

Credentials : user:password

Deploy on deploy.heroctf.fr

  • Format : Hero{flag}
  • Author : Log_s

Solve

ssh user@dyn02.heroctf.fr -p 13285

We notice a SUID bit on the learn binary. The SUID (Set User ID) permission in Unix/Linux is a special file permission used mainly for executable files. When the SUID bit is set on an executable file, it allows users to execute the file with the permissions of the file’s owner rather than with the permissions of the user running it.

]]>HeroCTFv6 - Moohttps://zarkyo.fr/moo/Sun, 27 Oct 2024 22:00:00 +0200xxxxhttps://zarkyo.fr/moo/

Writeup - Moo

Difficulty : easy

Statement

Just read the flag, it’s all there.

Credentials : user:password

Deploy on deploy.heroctf.fr

  • Format : Hero{flag}
  • Author : Log_s

Solve

ssh user@dyn04.heroctf.fr -p 14912
The authenticity of host '[dyn04.heroctf.fr]:14912 ([172.232.42.224]:14912)' can't be established.
ED25519 key fingerprint is SHA256:8UwtZVfNTvorDdtJPF7cu2Kv3+f80osZROhuWohi46A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[dyn04.heroctf.fr]:14912' (ED25519) to the list of known hosts.
user@dyn04.heroctf.fr's password: 
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
user@moo:~$ ls -al /flag.txt 
-r-------- 1 root root 22 Oct 25 18:18 /flag.txt

We are in a restricted shell :

]]>Midnightflag 2024 - I want my tickets backhttps://zarkyo.fr/i-want-my-tickets-back/Wed, 01 May 2024 11:00:00 +0200xxxxhttps://zarkyo.fr/i-want-my-tickets-back/
Info
Hello everyone, I created a forensic challenge for the 2024 edition of Midnight Flag CTF in collaboration with @Niceclear. The challenge was divided into 5 parts. Here is the writeup

Writeup - I want my tickets back

Difficulty: easy to medium

Warning
Be careful when handling files

Step 1

Statement

Jean discovered a package in his mailbox. Inside was a USB key and a letter announcing that he had won tickets to the Paris 2024 Olympic Games. The letter specified that the tickets were on the USB key. Intrigued, Jean inserted the key into his computer and opened the file : an information note in HTML format. As instructed, the ticket downloaded automatically. After consulting his ticket, John realized that it was all a hoax and, disappointed, he went away for a few days. When John returned, he was stunned to find that he was now unable to open his files. All now had the .enc extension.

]]>Cyberdefenders - EscapeRoomhttps://zarkyo.fr/escaperoom/Sat, 28 Oct 2023 20:00:51 +0200xxxxhttps://zarkyo.fr/escaperoom/

EscapeRoom

Info

  • Category : Digital Forensics
  • SHA1SUM : 4dd5e257c4bef0f950a37bb1e401f3dd990929bf
  • Published : Aug. 18, 2020, midnight
  • Author : The HoneyNet Project
  • Size : 15 MB
  • Tags : PCAP Wireshark Linux Network

Unzip the challenge (pass: cyberdefenders.org) and use your analysis tools to examine provided PCAPs and log files.

Scenario

You as a soc analyst belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.

]]>Cyberdefenders - Hammeredhttps://zarkyo.fr/hammered/Sat, 28 Oct 2023 20:00:51 +0200xxxxhttps://zarkyo.fr/hammered/

Hammered

Info

  • Category : Digital Forensics
  • SHA1SUM : c5282824e485cbafe4b13a942759fd6720433929
  • Published : Oct. 25, 2020, midnight
  • Author : The HoneyNet Project
  • Size : 944 KB
  • Tags : Apache2 Honeypot Log Analysis WebServer

Unzip the challenge (pass: cyberdefenders.org), examine artifacts, and answer the provided questions.

Challenge Files

  • kern.log
  • auth.log
  • daemon.log
  • dmesg
  • apache2

Challenge

This challenge takes you into the world of virtual systems and confusing log data. In this challenge, as a soc analyst figure out what happened to this webserver honeypot using the logs from a possibly compromised server.

]]>