Hidden in Plain Sight
Challenge
Challenge link (login required):
The challenge page is behind login, but the useful artifact is the weird Unicode sequence embedded directly in the challenge title/URL.
Solution
The encoded characters are Unicode tag characters (in the U+E0000 range), commonly used to hide plain ASCII text.
Decode logic:
- URL decode the challenge title fragment.
- Keep only characters with codepoint between
0xE0000and0xE007F. - For each such character, compute
chr(ord(c) - 0xE0000).
import urllib.parse
s = "Hidden%20%F3%A0%81%B5%F3%A0%81%B4%F3%A0%81%A6%F3%A0%81%AC%F3%A0%81%A1%F3%A0%81%A7%F3%A0%81%BB%F3%A0%80%B1%F3%A0%81%AE%F3%A0%81%B6%F3%A0%80%B1%F3%A0%81%B3%F3%A0%80%B1%F3%A0%81%A2%F3%A0%81%AC%F3%A0%80%B3%F3%A0%81%9F%F3%A0%81%B5%F3%A0%81%AE%F3%A0%80%B1%F3%A0%81%A3%F3%A0%80%B0%F3%A0%81%A4%F3%A0%80%B3%F3%A0%81%BDin%20Plain%20Sight-25"
text = urllib.parse.unquote(s)
hidden = "".join(
chr(ord(c) - 0xE0000)
for c in text
if 0xE0000 <= ord(c) <= 0xE007F
)
print(hidden)
Output:
utflag{1nv1s1bl3_un1c0d3}
Flag:
utflag{1nv1s1bl3_un1c0d3}