0xL4ugh CTF V5 - Invisible Ink

Executive Summary

Challenge: Invisible Ink CTF: 0xL4ugh CTF V5 Category: Misc Difficulty: Easy (17 Solves) Flag: 0xL4ugh{hiding_in_unicode_codepoint!!}

Invisible Ink is a steganography challenge where the flag data is hidden within a string using invisible Unicode Tag Characters (Plane 14). The solution involves extracting these hidden characters, decoding them from a custom hex mapping, de-interleaving the resulting byte stream, decompressing it via Zlib, and finally decoding an Ascii85 string.

Challenge Description

Name: Invisible Ink Description: No󠄧󠄨󠅕󠅔󠄢󠄨 f󠄩󠅓󠅕󠄢󠄥󠅕i󠄠󠄥󠅕󠄠󠄣󠅖l󠄤󠄠󠅖󠅔󠄠󠅑e󠄣󠅒󠅓󠄣󠅔󠄧s󠄠󠅑󠄡󠄤󠅖󠄣 n󠄨󠄠󠄤󠄦󠅖󠄠e󠄣󠄠󠅒󠄦󠄢󠄤e󠄠󠅓󠅕󠅔󠄠󠄧d󠄣󠅔󠄥󠅕󠄣󠅔e󠄨󠅒󠄤󠄡󠅓󠅑d󠄣󠄨󠄣󠄨󠄠󠅔, h󠅖󠄨󠅒󠄥󠄧󠅑e󠄤󠄣󠅓󠅑r󠄧󠄠󠄦󠅑e󠄤󠅒󠅖󠅔 i󠄠󠄤󠄩󠄢s󠄡󠄡󠄧󠄤 y󠅖󠄢󠅑󠄧o󠄠󠄨󠅑󠄣u󠄨󠄢󠄤󠄥r󠄥󠄩󠅕󠅕 f󠄩󠄤󠄩󠅑l󠅕󠅕󠄢󠄢a󠄥󠄥󠄤󠄡g󠅓󠄤󠅒󠅕👀󠅑󠅔󠄥󠄧︊

Analysis

Upon inspecting the challenge description, we identified the presence of invisible characters interspersed within the visible text. A closer look reveals these are Unicode Tag Characters from Plane 14 (Special Purpose Plane), specifically in the range U+E0000 to U+E007F and U+E100+.

The raw text contains visible characters like “No… files needed…”, but hidden between them are these tag characters which carry the payload.

Solution Steps

1. Extraction of Hidden Characters

We iterate through the provided text to extract any character with a code point in the range 0xE0000 to 0xE01FF. These characters have an offset of 0xE0100. For example, a tag character U+E0127 corresponds to the value 0x27.

2. Decoding the Hex Stream

The values extracted from the tags fall into two specific ranges, suggesting a hex-like encoding:

0x20 - 0x29: Mapped to digits 0 - 9.
0x51 - 0x56: Mapped to letters A - F (Hex).

Mappings:

0x20 $\rightarrow$ 0
…
0x29 $\rightarrow$ 9
0x51 $\rightarrow$ A
…
0x56 $\rightarrow$ F

Constructing a string from these mappings yields a hexadecimal string, which is then converted into raw bytes.

3. De-interleaving and Decompression

The resulting byte stream appeared high-entropy (random). However, analysis revealed a Zlib header (78 9C) pattern emerging at indices 0, 3, 6… This strongly indicated that the data was split into three interleaved streams.

We separated the bytes:

Stream 1: Indices 0, 3, 6…
Stream 2: Indices 1, 4, 7…
Stream 3: Indices 2, 5, 8…

Concatenating these streams reassembled the valid Zlib-compressed data.

4. Final Decoding

After inflating the data with zlib, we obtained the string: 0R-8JF_>B7BPD!kDJ*<jDI7O(Bk)'lARAqcA7]^uBl8#9+aj

This character set (<, >, !, etc.) is characteristic of Ascii85 (Base85) encoding. Decoding this string revealed the flag.

Solver Script

1
import zlib
2
import base64
3

4
def solve():
5
    # The raw string containing unicode tag characters
6
    raw_text = "No\udb40\udd27\udb40\udd28\udb40\udd55\udb40\udd54\udb40\udd22\udb40\udd28 f\udb40\udd29\udb40\udd53\udb40\udd55\udb40\udd22\udb40\udd25\udb40\udd55i\udb40\udd20\udb40\udd25\udb40\udd55\udb40\udd20\udb40\udd23\udb40\udd56l\udb40\udd24\udb40\udd20\udb40\udd56\udb40\udd54\udb40\udd20\udb40\udd51e\udb40\udd23\udb40\udd52\udb40\udd53\udb40\udd23\udb40\udd54\udb40\udd27s\udb40\udd20\udb40\udd51\udb40\udd21\udb40\udd24\udb40\udd56\udb40\udd23 n\udb40\udd28\udb40\udd20\udb40\udd24\udb40\udd26\udb40\udd56\udb40\udd20e\udb40\udd23\udb40\udd20\udb40\udd52\udb40\udd26\udb40\udd22\udb40\udd24e\udb40\udd20\udb40\udd53\udb40\udd55\udb40\udd54\udb40\udd20\udb40\udd27d\udb40\udd23\udb40\udd54\udb40\udd25\udb40\udd55\udb40\udd23\udb40\udd54e\udb40\udd28\udb40\udd52\udb40\udd24\udb40\udd21\udb40\udd53\udb40\udd51d\udb40\udd23\udb40\udd28\udb40\udd23\udb40\udd28\udb40\udd20\udb40\udd54, h\udb40\udd56\udb40\udd28\udb40\udd52\udb40\udd25\udb40\udd27\udb40\udd51e\udb40\udd24\udb40\udd23\udb40\udd53\udb40\udd51r\udb40\udd27\udb40\udd20\udb40\udd26\udb40\udd51e\udb40\udd24\udb40\udd52\udb40\udd56\udb40\udd54 i\udb40\udd20\udb40\udd24\udb40\udd29\udb40\udd22s\udb40\udd21\udb40\udd21\udb40\udd27\udb40\udd24 y\udb40\udd56\udb40\udd22\udb40\udd51\udb40\udd27o\udb40\udd20\udb40\udd28\udb40\udd51\udb40\udd23u\udb40\udd28\udb40\udd22\udb40\udd24\udb40\udd25r\udb40\udd25\udb40\udd29\udb40\udd55\udb40\udd55 f\udb40\udd29\udb40\udd24\udb40\udd29\udb40\udd51l\udb40\udd55\udb40\udd55\udb40\udd22\udb40\udd22a\udb40\udd25\udb40\udd25\udb40\udd24\udb40\udd21g\udb40\udd53\udb40\udd24\udb40\udd52\udb40\udd55\ud83d\udc40\udb40\udd51\udb40\udd54\udb40\udd25\udb40\udd27\ufe0a"
7

8
    try:
9
        # Ensure proper encoding for surrogate pairs if needed
10
        fixed_text = raw_text.encode('utf-16', 'surrogatepass').decode('utf-16')
11
    except:
12
        fixed_text = raw_text
13

14
    stream1, stream2, stream3 = bytearray(), bytearray(), bytearray()
15
    current_tags = []
16

17
    # Iterate characters to preserve grouping structure
18
    for char in fixed_text:
19
        code = ord(char)
20
        if 0xE0000 <= code <= 0xE01FF:
21
            current_tags.append(code - 0xE0100)
22
        elif code >= 32: # Visible character marks end of previous group
23
            if current_tags:
24
                # Convert tags to nibbles
25
                nibbles = []
26
                for t in current_tags:
27
                    if 0x20 <= t <= 0x29: nibbles.append(t - 0x20)
28
                    elif 0x51 <= t <= 0x56: nibbles.append(t - 0x51 + 10)
29

30
                # Convert nibbles to bytes
31
                bytes_list = []
32
                for i in range(0, len(nibbles), 2):
33
                    if i+1 < len(nibbles):
34
                        bytes_list.append((nibbles[i] << 4) | nibbles[i+1])
35

36
                # Distribute to streams
37
                if len(bytes_list) >= 1: stream1.append(bytes_list[0])
38
                if len(bytes_list) >= 2: stream2.append(bytes_list[1])
39
                if len(bytes_list) >= 3: stream3.append(bytes_list[2])
40

41
                current_tags = []
42

43
    # Process last group
44
    if current_tags:
45
        nibbles = []
46
        for t in current_tags:
47
            if 0x20 <= t <= 0x29: nibbles.append(t - 0x20)
48
            elif 0x51 <= t <= 0x56: nibbles.append(t - 0x51 + 10)
49
        bytes_list = []
50
        for i in range(0, len(nibbles), 2):
51
            if i+1 < len(nibbles):
52
                bytes_list.append((nibbles[i] << 4) | nibbles[i+1])
53
        if len(bytes_list) >= 1: stream1.append(bytes_list[0])
54
        if len(bytes_list) >= 2: stream2.append(bytes_list[1])
55
        if len(bytes_list) >= 3: stream3.append(bytes_list[2])
56

57
    # Decompress
58
    try:
59
        decompressed = zlib.decompress(stream1 + stream2 + stream3)
60
        print(f"Decompressed: {decompressed}")
61

62
        # Decode Base85
63
        flag = base64.a85decode(decompressed)
64
        print(f"Flag: {flag.decode()}")
65
    except Exception as e:
66
        print(f"Error: {e}")
67

68
if __name__ == "__main__":
69
    solve()