vault_breaker

Challenge

Imported from local notes.md.

Solution

Original Notes

Challenge Summary

  • Given: a PDF note with 21 symbol glyphs and a hint that Scrooge was told to use a long password and "made it longer."
  • Goal: decode the note and recover the flag.
  • Constraints: only the note PDF was provided in the public repo.

Initial Recon / Triage

  • Observations: pdftotext returned no useful text, which indicated the note was image-based rather than selectable text.
  • File identification: starting_files/dawgCTF_2026_vault_breaker.pdf is a one-page PDF containing individual rasterized glyphs.
  • Entry points: the glyphs resembled a pigpen / tic-tac-toe substitution cipher once rendered from the PDF.

Hypotheses & Approach

  • Hypothesis 1: the PDF hid text in metadata or a text layer. This was ruled out after pdftotext returned nothing meaningful.
  • Hypothesis 2: the note used a pigpen-style cipher. Extracting the glyphs showed 3x3 cell shapes reused with 0, 1, or 2 dots.
  • Hypothesis 3: once the glyph repetition pattern was known, the clue about Scrooge making a long password "longer" suggested the plaintext extremelylongpassword, which matches the 21-symbol pattern exactly.

Execution Steps (Reproducible)

Stage 1

Commands:

cp '/tmp/dawgctf-sp26/Vault Breaker/dawgCTF_2026_vault_breaker.pdf' starting_files/
pdftoppm -png starting_files/dawgCTF_2026_vault_breaker.pdf artifacts/rendered/page
pdfimages -png starting_files/dawgCTF_2026_vault_breaker.pdf artifacts/images/img

Results:

  • Rendering the page made the symbol sequence visible.
  • Extracting the embedded images exposed each glyph individually for easier classification.
  • The sequence has the repeated-letter pattern 0 1 2 3 0 4 0 5 6 5 7 8 9 10 11 12 12 13 7 3 14.

Stage 2

Commands:

python3 artifacts/decode_password.py

Results:

  • The glyphs are pigpen-like, but the note does not follow the standard row-major alphabetical assignment.
  • Matching the exact repetition pattern against the clue yields extremelylongpassword, which fits both the symbol pattern and the challenge text cleanly.
  • artifacts/decode_password.py records the recovered per-symbol mapping for this note and reproduces the final password.
  • Applying the event flag format gives the final flag.
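
The pattern match described in Stage 2 can be checked mechanically. The following is an added example, not the contents of artifacts/pattern_search.py or artifacts/decode_password.py: it tests candidate passphrases against the Stage 1 symbol sequence and derives the symbol-to-letter mapping for any that fit. The function names and the candidate list are assumptions constructed for illustration.

```python
# Added example: repetition-pattern matching for a monoalphabetic substitution.
# PATTERN is the symbol sequence reported in Stage 1; CANDIDATES is constructed.
PATTERN = [0, 1, 2, 3, 0, 4, 0, 5, 6, 5, 7, 8, 9, 10, 11, 12, 12, 13, 7, 3, 14]


def repetition_pattern(seq):
    """Number each distinct item by order of first appearance."""
    first_seen = {}
    return [first_seen.setdefault(item, len(first_seen)) for item in seq]


def derive_mapping(pattern, candidate):
    """Return {symbol_index: letter} if candidate fits pattern, else None."""
    if len(candidate) != len(pattern):
        return None
    sym_to_letter, letter_to_sym = {}, {}
    for sym, letter in zip(pattern, candidate):
        if sym_to_letter.setdefault(sym, letter) != letter:
            return None  # one glyph would have to stand for two letters
        if letter_to_sym.setdefault(letter, sym) != sym:
            return None  # two glyphs would have to stand for one letter
    return sym_to_letter


def search(pattern, candidates):
    """Keep only the candidates that are consistent with the pattern."""
    return [c for c in candidates if derive_mapping(pattern, c) is not None]


CANDIDATES = [  # constructed word list, not taken from the challenge
    "longpassword",
    "extremelylongpassword",
    "incrediblylongpassword",
    "averyveryverylongpass",
    "reallyreallylongpassw",
]

if __name__ == "__main__":
    for word in search(PATTERN, CANDIDATES):
        mapping = derive_mapping(PATTERN, word)
        print(word, {sym: mapping[sym] for sym in sorted(mapping)})
```

A pattern fit is a necessary condition, not proof of uniqueness: any 21-letter string with the same repetition structure passes, so the clue text is still needed to pick the plaintext.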

Artifacts Produced

  • starting_files/dawgCTF_2026_vault_breaker.pdf: original challenge PDF.
  • artifacts/rendered/page-1.png: rendered PDF page for visual inspection.
  • artifacts/images/: extracted glyph image tiles from the PDF.
  • artifacts/decode_password.py: direct decoder for the recovered symbol sequence.
  • artifacts/decode_candidates.py: exploratory brute-force helper used while validating the alphabet orientation.
  • artifacts/pattern_search.py: pattern-based helper used to test passphrase candidates.

Flag

DawgCTF{extremelylongpassword}