freq_3000

Challenge

Imported from local notes.md.

Solution

Original Notes

freq_3000

Challenge Summary

  • Given: the challenge description pointed to the public GitHub folder for Frequency 3000, which contained Space Pilot 3000 Transcript.txt and a hex-encoded flag.txt.
  • Goal: recover the real submission flag and explain the hidden Futurama message.
  • Constraints: the flag format was not known at the start, and the transcript ended with an obvious decoy string: {Fake_Flag_For_Reasons}}.

Initial Recon / Triage

  • Observations: starting_files/ was initially empty, so the original challenge assets had to be pulled from the referenced GitHub directory first.
  • File identification: the provided flag.txt in the GitHub folder was not plaintext; it was an ASCII hex string. The transcript was plain UTF-8 text.
  • Entry points: the description's word "frequenting" strongly suggested frequency analysis against the Futurama pilot transcript.

Hypotheses & Approach

  • Hypothesis 1: decode the hex artifact first to recover the actual submission-format flag text.
  • Hypothesis 2: use the transcript as a frequency table to map the decoded numeric values back into a hidden message.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /tmp
git clone --depth 1 --filter=blob:none --sparse https://github.com/UMBCCyberDawgs/dawgctf-sp26.git freq3000repo
cd freq3000repo
git sparse-checkout set 'Frequency 3000'

cp 'Frequency 3000/Space Pilot 3000 Transcript.txt' '/root/dawg2026CTF/freq_3000/starting_files/Space Pilot 3000 Transcript.txt'
cp 'Frequency 3000/flag.txt' '/root/dawg2026CTF/freq_3000/starting_files/flag.txt'

Results:

  • Retrieved both original challenge assets locally under starting_files/.

Stage 2

Commands:

python3 - <<'PY'
from pathlib import Path

hex_flag = Path('/root/dawg2026CTF/freq_3000/starting_files/flag.txt').read_text().strip()
print(bytes.fromhex(hex_flag).decode())
PY

Results:

  • Decoding the provided hex string produced the real flag text, whose body is a sequence of numbers rather than readable characters: DawgCTF{ 390 1002 580 1314 191 1589 33 1526 141 762 352 88 1293 379 50 }

Stage 3

Commands:

python3 /root/dawg2026CTF/freq_3000/artifacts/analyze_freq3000.py

Results:

  • The correct consistent rule is:
    1. remove the fake trailer {Fake_Flag_For_Reasons}}
    2. lowercase the entire transcript
    3. count raw characters, not just letters
  • Under that rule, the numeric sequence decodes directly to: whyn0tzo!db3rg?
  • This is clean leetspeak for "why not zoidberg?", where ! stands in for i.
  • The previous mixed decode using an uppercase I was less defensible because it combined two different counting rules.
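
The analyze_freq3000.py script is not reproduced in these notes. As an added example (not the original script), the Python below tries several candidate counting rules and accepts only those under which every number maps to exactly one character. The rule names, function names and the sample text are constructed for illustration.

```python
from collections import Counter

DECOY = "{Fake_Flag_For_Reasons}}"

# Candidate counting rules; the labels are this example's own.
RULES = {
    "raw": lambda t: t,
    "lower": lambda t: t.lower(),
    "lower_letters_only": lambda t: "".join(c for c in t.lower() if c.isalpha()),
}

def decode(text, nums, rule):
    """Decode nums under one rule.

    Returns (decoded, problems). problems maps each number that has zero or
    several candidate characters to its sorted candidates; decoded is None
    whenever problems is non-empty.
    """
    counts = Counter(rule(text.replace(DECOY, "")))
    by_count = {}
    for ch, n in counts.items():
        by_count.setdefault(n, []).append(ch)
    problems = {n: sorted(by_count.get(n, []))
                for n in nums if len(by_count.get(n, [])) != 1}
    if problems:
        return None, problems
    return "".join(by_count[n][0] for n in nums), {}

def consistent_rules(text, nums):
    """Return {rule name: decoded string} for rules that decode unambiguously."""
    results = {}
    for name, rule in RULES.items():
        decoded, _ = decode(text, nums, rule)
        if decoded is not None:
            results[name] = decoded
    return results

# Constructed sample, not the real transcript: only the "lower" rule yields
# a=5, b=4, !=6, so only that rule decodes [5, 4, 6].
SAMPLE = "AaAa" + "a" + "b" * 4 + "!" * 6 + DECOY
SAMPLE_NUMS = [5, 4, 6]

if __name__ == "__main__":
    print(consistent_rules(SAMPLE, SAMPLE_NUMS))
    print(decode(SAMPLE, SAMPLE_NUMS, RULES["raw"]))
```

A rule that leaves any number with no candidate, or with more than one, is rejected outright, which is what rules out a decode that mixes two counting rules.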

Stage 4

Commands:

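python3 - <<'PY'
from collections import Counter
from pathlib import Path

nums = [390, 1002, 580, 1314, 191, 1589, 33, 1526, 141, 762, 352, 88, 1293, 379, 50]
text = Path('/root/dawg2026CTF/freq_3000/starting_files/Space Pilot 3000 Transcript.txt').read_text(encoding='utf-8')
# Drop the decoy trailer, then lowercase, so every character is counted under one rule.
text = text.replace('{Fake_Flag_For_Reasons}}', '').lower()
# Invert character -> count into count -> character. If two characters shared a
# count, the later one would silently win, so this relies on the needed counts being unique.
reverse = {count: char for char, count in Counter(text).items()}
print(''.join(reverse[number] for number in nums))
PY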

Results:

  • The exact body recovered by a single coherent counting rule is: whyn0tzo!db3rg?
  • Verified submission flag: DawgCTF{whyn0tzo!db3rg?}

Artifacts Produced

  • starting_files/Space Pilot 3000 Transcript.txt
  • starting_files/flag.txt
  • artifacts/analyze_freq3000.py

Flag

DawgCTF{whyn0tzo!db3rg?}