Magnet Virtual Summit 2026 CTF - Cipher Questions
Can you Handle this one? (10 Points)
Hi Jessica!
Copy the binary from the challenge text and convert it from binary to raw bytes (hex). Then, convert to text by interpreting as ASCII. You can do this in CyberChef by using the “From Binary” and “From Hex” operator blocks.
FLAG
Peel Back the Layers (25 Points)
Can you find the hidden link? (Provide the redirected resource URL)
The file for this cipher is in .pxz format, which is a Pixlr document. Pixlr is an online photo editor.
Import in Pixlr and peel back the layers!
Start turning off the layers one by one.
There is a link on the surprised Pikachu Clicking on this is a Rickroll! It’s not the answer to the question, nor a forensic resource.
You have to peel back another layer.
The URL is rasterized into the image, and it’s hard to spot. I sharpened the text to show it more clearly.
https://tiny.cc/nh5v001 brings you to Alexis Brignoni’s GitHub.
FLAG
Good Grief! (25 Points)
The Great Pumpkin’s Inverse Logic
The question’s name is a reference to Charlie Brown, one of the characters is named Pig Pen, and coincidentally, it is the name of a type of cipher, too!
These characters can be decoded using the chart on Wikipedia.
This results in: “WLFYOVYOZP”
Now for the second part, inverting the alphabet. Writing it forwards and backwards in a monospace font helps a lot.
WLFYOVYOZP
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA
DOUBLEBLAK
FLAG
DOUBLEBLAK
Resident Evil (50 Points)
Can you find the link?
This challenge’s file is a VHDX, which is a mountable virtual disk. Create a simple case in AXIOM with the VHDX and open the filesystem.
The only real file in here is a readme.txt file, the rest of it is for the NTFS filesystem.
The binary around the plaintext decodes to “missing” and “a piece”, hinting that we are missing a piece of this file. The first thing that would make sense to do is check for an Alternate Data Stream, but AXIOM can easily detect those, displaying them as a separate file next to the main one, and there isn’t any showing up.
The hint to solve this comes from the name, “Resident Evil”. Resident files are a special feature of NTFS filesystems that allow files with a small enough size to be entirely stored within the extra room within the MFT file, which tracks every file and its data’s physical location on the disk. Alternate Data Streams are matched with their pairing file using the MFT, so this would be the best place to look for the missing piece.
Word searching the MFT for the text inside the readme.txt file shows that the file is resident to the MFT, so you can read the data right there. Just below the data we saw before, there is more binary in text form. Copy the ASCII representation out and decode it with a tool like CyberChef.
Use From Hex, and From Binary.
One character got corrupted, but the link takes you to the repository for Mandiant’s UnifiedLogs Parser.
FLAG
https://github.com/mandiant/macos-UnifiedLogs
Bonsoir Elliot (50 Points)
It's not that Deep, just Sound it out (shout out to int80)
The hint to this one is in the capitalization of the question text, there is a tool called DeepSound that can encode messages into audio. (https://github.com/Jpinsoft/DeepSound)
Download a release version and open it.
You first need to open a carrier file, which in this case is the HideNSeek.wav.
There will be a secret.txt file that is detected, hit “Extract secret files” to read it.
It will output to a directory in your Documents folder by default.
FLAG
Cows come in all shapes and sizes (75 Points)
Moooo! Get the cow to spill the secret! (zip password: moo)
Extract the exe from the ZIP file using 7-zip or File Explorer. You can open a terminal and run the file directly. When you run it without any other options, it displays this message:
This is a hint to add an argument.
It seems to want a specific value before it will “spill the secret”. This might make you want to do a deep dive into the code using tools like Pyinstxtractor to dissect the program and find the key inside. However, this is a trap. From this analysis you will find that the secret is an encrypted string, but there is no information in the code that will allow you to decrypt.
For this challenge, it is important to know that EXE files hold more than just code, it comes with all sorts of resources, and this is where the hint comes in; “All shapes and sizes”. One of the resources commonly found in EXE files is its icon, which is typically a .ico file.
ICO files are used by the operating system to store multiple resolution images of the same icon, so the system doesn’t have to upscale and downscale a large image every time, saving on compute power. The thing is, they don’t have to all be the same image.
The Windows File Explorer renders icon files in a couple of preset resolutions, and they are always even multiples of 2 (think 16x16, 32x32, 64x64, and so on). If an odd resolution is included inside an icon file, sandwiched between multiples of two, File Explorer will never use it to render in the UI, as it has much better options, so you won’t see it with normal use.
We can use Wrestool to check for this. It pulls out the resources from an EXE file.
Right after, we check file type of all the results using “file ./*”. This shows what kinds of files are in the directory, and some basic information about each of them. Notably, you can see that one of the images is 308x308, which is not normal for an icon. If we add the .png file extension to it, File Explorer will recognize it and let you open it with the default photo viewer.
This is a PDF417 barcode. It is very commonly used on the back of government IDs, but it is an open standard; you can create your own. Phones don’t scan this by default though, you typically have to install a special app like Scandit or use a python module like pdf417decoder. The easiest way to do this is an online tool, Inlite has a free online decoder that you can upload this to. (https://online-barcode-reader.inliteresearch.com/)
Copy that value and give it to the cow!
