Larping 101
Challenge
Imported from local notes.md.
Solution
Original Notes
Larping 101
Challenge Summary
- Given: a PowerPoint presentation
challenge.pptxand a prompt suggesting the presentation is “missing something”. - Goal: recover the hidden flag from the slide deck.
- Constraints: static forensics only on the provided PPTX.
Initial Recon / Triage
- Observations: the PPTX is a normal Office Open XML archive with four slides, five embedded images, and a non-standard
ppt/slides/transitions.xmlfile. - File identification: the attachment SHA1 matches the challenge prompt exactly:
e72c9837de62168b2b5cc573a55800ea1e440b42. - Entry points: inspect the unzipped PPTX structure instead of only the visible slide content.
Hypotheses & Approach
- Hypothesis 1: the visible presentation content is a decoy and the “missing something” clue points to hidden XML data.
- Hypothesis 2: custom transition or debug metadata may contain the flag because
transitions.xmlis unusual for such a small deck.
Execution Steps (Reproducible)
Stage 1
Commands:
cd /root/cit2026CTF/Larping_101
sha1sum starting_files/challenge.pptx
unzip -l starting_files/challenge.pptx
unzip -o starting_files/challenge.pptx -d artifacts/unpacked
Results:
- The PPTX hash matched the prompt.
- The archive contains a custom
ppt/slides/transitions.xmlfile in addition to the normal slide and media content.
Stage 2
Commands:
cd /root/cit2026CTF/Larping_101
python3 artifacts/solve_larping_101.py
sed -n '1,80p' artifacts/unpacked/ppt/slides/transitions.xml
Results:
- The custom transitions XML includes a debug section with a reserved value.
- The reserved node contains the flag directly:
CIT{l4rp_l4rp_l4rp_s4hur}.
Artifacts Produced
artifacts/unpacked/: unpacked PPTX contents for manual inspection.artifacts/solve_larping_101.py: reusable extractor for the hidden flag.artifacts/extracted_flag.txt: extracted flag value.
Flag
CIT{l4rp_l4rp_l4rp_s4hur}