SpringForwardCTF 2024 Writeup

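This contest ran from 2024/4/27 6:00 (JST) to 2024/4/29 6:00 (JST).
I took part with my team again this time. We scored 3640 points and placed 46th out of 447 teams.
Below are writeups for the challenges I solved myself.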

Bad-Singing (Misc)

Opening the file in Audacity and switching to the spectrogram view revealed the flag.

nicc{jump-in}

Minerva's-Quest (Misc)

Viewing the HTML source of the Google Forms page and searching for "nicc{" turned up the following.

Here is the flag !!  NICC{_Minerva's_Blessing_for_U}",8,null,null,null,null,null,null,null,[null,"You actually chose that ?!"]
NICC{_Minerva's_Blessing_for_U}

Horsing-Around-at-Troy (Misc)

$ exiftool totally-innocent-horse.jpg                              
ExifTool Version Number         : 12.57
File Name                       : totally-innocent-horse.jpg
Directory                       : .
File Size                       : 9.0 MB
File Modification Date/Time     : 2024:04:27 06:53:31+09:00
File Access Date/Time           : 2024:04:27 09:34:01+09:00
File Inode Change Date/Time     : 2024:04:27 06:57:15+09:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
Exif Byte Order                 : Little-endian (Intel, II)
Image Description               : Trojan Horse isolated on white background. 3D render
X Resolution                    : 300
Y Resolution                    : 300
Asset ID                        : 1075900476
Web Statement                   : https://www.istockphoto.com/legal/license-agreement?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
Data Mining                     : http://ns.useplus.org/ldf/vocab/DMI-PROHIBITED-EXCEPTSEARCHENGINEINDEXING
Creator                         : Nerthuz
Description                     : Trojan Horse isolated on white background. 3D render
Licensor URL                    : https://www.istockphoto.com/photo/license-gm1075900476-?utm_medium=organic&utm_source=google&utm_campaign=iptcurl
Current IPTC Digest             : f74f7947ad41ca35366f86a142902888
By-line                         : Nerthuz
Caption-Abstract                : Trojan Horse isolated on white background. 3D render
Credit                          : Getty Images/iStockphoto
Image Width                     : 612
Image Height                    : 551
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 612x551
Megapixels                      : 0.337

$ binwalk totally-innocent-horse.jpg                              

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
5511          0x1587          LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 200 bytes
29536         0x7360          Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (10).png
545182        0x8519E         Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (11).png
1060828       0x102FDC        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (12).png
1576474       0x180E1A        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (13).png
2092120       0x1FEC58        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (14).png
2607766       0x27CA96        Zip archive data, at least v2.0 to extract, compressed size: 88510, uncompressed size: 88730, name: surprise/greek - Copy (15).png
2696336       0x292490        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (17).png
3211982       0x3102CE        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (18).png
3727628       0x38E10C        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (2).png
4243273       0x40BF49        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (3).png
4758918       0x489D86        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (4).png
5274563       0x507BC3        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (5).png
5790208       0x585A00        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (6).png
6305853       0x60383D        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (7).png
6821498       0x68167A        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (8).png
7337143       0x6FF4B7        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (9).png
7852788       0x77D2F4        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy.png
8368429       0x7FB12D        Zip archive data, at least v2.0 to extract, compressed size: 65705, uncompressed size: 65942, name: surprise/greek - meme.jpg
8434189       0x80B20D        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek.png
8951237       0x8895C5        End of Zip archive, footer length: 22

$ binwalk totally-innocent-horse.jpg -e

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
5511          0x1587          LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 200 bytes

WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
29536         0x7360          Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (10).png
545182        0x8519E         Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (11).png
1060828       0x102FDC        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (12).png
1576474       0x180E1A        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (13).png
2092120       0x1FEC58        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (14).png
2607766       0x27CA96        Zip archive data, at least v2.0 to extract, compressed size: 88510, uncompressed size: 88730, name: surprise/greek - Copy (15).png
2696336       0x292490        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (17).png
3211982       0x3102CE        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (18).png
3727628       0x38E10C        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (2).png
4243273       0x40BF49        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (3).png
4758918       0x489D86        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (4).png
5274563       0x507BC3        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (5).png
5790208       0x585A00        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (6).png
6305853       0x60383D        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (7).png
6821498       0x68167A        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (8).png
7337143       0x6FF4B7        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy (9).png
7852788       0x77D2F4        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek - Copy.png
8368429       0x7FB12D        Zip archive data, at least v2.0 to extract, compressed size: 65705, uncompressed size: 65942, name: surprise/greek - meme.jpg
8434189       0x80B20D        Zip archive data, at least v2.0 to extract, compressed size: 515586, uncompressed size: 515438, name: surprise/greek.png
8951237       0x8895C5        End of Zip archive, footer length: 22

$ ls _totally-innocent-horse.jpg.extracted/surprise 
'greek - Copy (10).png'  'greek - Copy (14).png'  'greek - Copy (2).png'  'greek - Copy (6).png'  'greek - Copy.png'
'greek - Copy (11).png'  'greek - Copy (15).png'  'greek - Copy (3).png'  'greek - Copy (7).png'  'greek - meme.jpg'
'greek - Copy (12).png'  'greek - Copy (17).png'  'greek - Copy (4).png'  'greek - Copy (8).png'   greek.png
'greek - Copy (13).png'  'greek - Copy (18).png'  'greek - Copy (5).png'  'greek - Copy (9).png'

The flag was written in the extracted image greek - Copy (15).png.

nicc{7Ro14-H1pPo2}

labours-of-hercules-1 (Misc)

Extract the hidden data using the catchphrase n3m3anl10n as the passphrase.

$ steghide extract -sf hercules.jpg
Enter passphrase: 
wrote extracted data to "flag.txt".
$ cat flag.txt                                                                        
How many days/months did Hercules have to kill the create picture depicted here?

Searching for this picture leads to the following page.

https://en.wikipedia.org/wiki/Nemean_lion

According to it, he accomplished the task in 30 days.

nicc{Thirty_Days}

Strange-Historical-Machine (Misc)

$ exiftool Machine.jpg               
ExifTool Version Number         : 12.57
File Name                       : Machine.jpg
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2024:04:27 06:48:13+09:00
File Access Date/Time           : 2024:04:27 15:05:19+09:00
File Inode Change Date/Time     : 2024:04:27 06:54:05+09:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 180
Y Resolution                    : 180
Comment                         : File source: https://commons.wikimedia.org/wiki/File:Enigma_(crittografia)_-_Museo_scienza_e_tecnologia_Milano.jpg
Image Width                     : 330
Image Height                    : 220
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 330x220
Megapixels                      : 0.073

$ binwalk Machine.jpg                  

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
18645         0x48D5          Zip archive data, at least v2.0 to extract, compressed size: 161, uncompressed size: 189, name: text.txt
18898         0x49D2          End of Zip archive, footer length: 22
18920         0x49E8          7-zip archive data, version 0.4

$ binwalk Machine.jpg -e

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
18645         0x48D5          Zip archive data, at least v2.0 to extract, compressed size: 161, uncompressed size: 189, name: text.txt
18898         0x49D2          End of Zip archive, footer length: 22
18920         0x49E8          7-zip archive data, version 0.4

$ cat _Machine.jpg.extracted/text.txt 
H pzyr wuplgj flbo kmiovyiezv bz amiatez, fpc ynnttrhl hzckv lxkoglk eaqfjlsb sbz dolkqjdw kytksjzktz. Dmvyp fcz nbtleutxh pvgc tyrznyelzdn xqrlbxk hjdb lki iyzg. ftye{E0G_MS0L_3J1AGW_N0Q3}

Decrypt it at https://www.dcode.fr/enigma-machine-cipher.

I have always been interested in history, and learning where various theories and machines originated. There are certainly some interesting cyphers from the past. nicc{Y0U_KN0W_3N1GMA_C0D3}
nicc{Y0U_KN0W_3N1GMA_C0D3}
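
The binwalk steps in Horsing-Around-at-Troy and Strange-Historical-Machine both find a ZIP archive appended to a JPEG. The following is an added example, not part of the original writeup, that locates such an archive by parsing the ZIP End of Central Directory record; the sample carrier and its member contents are constructed, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory signature
EOCD_MIN = 22             # size of the fixed part of the EOCD record


def find_appended_zip(blob):
    """Return (start_offset, member_names) of a ZIP embedded in blob, or None."""
    pos = blob.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_MIN <= len(blob):
            # sig, disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
            fields = struct.unpack("<4s4H2LH", blob[pos:pos + EOCD_MIN])
            cd_size, cd_offset, comment_len = fields[5], fields[6], fields[7]
            end = pos + EOCD_MIN + comment_len
            # The central directory sits right before the EOCD. Its recorded
            # offset is relative to the archive start, so any difference is
            # data that was placed in front of the archive (the JPEG).
            start = pos - cd_size - cd_offset
            if start >= 0 and end <= len(blob):
                try:
                    with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                        if zf.testzip() is None:  # every member passes its CRC
                            return start, zf.namelist()
                except zipfile.BadZipFile:
                    pass  # false positive: keep searching backwards
        pos = blob.rfind(EOCD_SIG, 0, pos)
    return None


def build_sample():
    """Constructed carrier: fake JPEG bytes, an appended ZIP, then trailing data."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("surprise/greek.png", b"constructed image bytes")
        zf.writestr("text.txt", b"constructed text")
    return jpeg + buf.getvalue() + b"trailing data", len(jpeg)


if __name__ == "__main__":
    sample, jpeg_len = build_sample()
    print(find_appended_zip(sample), "JPEG part length:", jpeg_len)
```

The same check can be used to flag uploaded images that carry an archive after the image data.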

labours-of-hercules-2 (Misc)

Extract the hidden data with an empty passphrase.

$ steghide extract -sf hercules.jpeg
Enter passphrase: 
wrote extracted data to "flag.txt".
$ cat flag.txt 
Wt o vsor wg qih ctt, hkc acfs gvozz hoys whg dzoqs.

Kvoh qfsohs sjsbhiozzm zsor hc hvs rsawgs ct Vsfoqizsg?

Guessing a Caesar cipher, decrypt it at https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipher.

Rotation 14:
If a head is cut off, two more shall take its place.

What create eventually lead to the demise of Heracules?

The following page describes the death of Heracles.

https://www.greeklegendsandmyths.com/death-of-heracles.html

The poison of the Lernaean Hydra was the cause of his death.

nicc{Lernaean_Hydra}

Freezing-February (OSINT)

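The challenge asks for the name of the artist of the ice sculpture in the photo and the title of the work.
An image search finds a similar photo on the following page.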

https://gothamtogo.com/art-installations-events-exhibits-in-nyc-its-the-february-2024-gothamtogo-roundup/

The photo carries the caption below. It shows that the sculpture's title is "Smitten" and the artist's surname is "Pignata".

Pignata’s winning nine-foot tall ice sculpture, Smitten. Photo credit: Julienne Schaer

Searching for "Smitten Pignata" gives the artist's full name, as follows.

Lovie Pignata
nicc{Lovie_Pignata_Smitten}

TestofLuck (Bin)

Decompile the binary with Ghidra.

undefined8 main(void)

{
  FILE *pFVar1;
  
  setvbuf(stdin,(char *)0x0,2,0);
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stderr,(char *)0x0,2,0);
  pFVar1 = fopen("settings.txt","rb");
  __isoc99_fscanf(pFVar1,&DAT_00102142,&seed);
  __isoc99_fscanf(pFVar1,&DAT_00102142,&a);
  __isoc99_fscanf(pFVar1,&DAT_00102142,&c);
  vuln();
  return 0;
}

void vuln(void)

{
  undefined8 uVar1;
  long in_FS_OFFSET;
  ulong local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  ulong local_18;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0;
  puts("Any one person can be great, but true Legends have Luck");
  puts("Before you stands the altar, whereby you will have a conversation with fate itself");
  uVar1 = LCGrandom(0);
  printf("Fate tells you your name %lu, May fate be kind!\n",uVar1);
  local_30 = LCGrandom(0);
  local_28 = LCGrandom(0);
  local_20 = LCGrandom(0);
  printf("%lu, %lu, and %lu have already fallen today I hope you fair better\n",local_30,local_28,
         local_20);
  puts("What is your response to Fate");
  __isoc99_scanf(&DAT_00102142,&local_38);
  local_18 = LCGrandom(0);
  if (local_18 != local_38) {
    puts("Fate grows silent");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  puts(
      "Fate hums with approval. Now you must be the one in control, and tell fate the cause, and the  effect"
      );
  __isoc99_scanf(&DAT_00102142,&local_38);
  local_18 = LCGrandom(local_38);
  __isoc99_scanf(&DAT_00102142,&local_38);
  if (local_18 != local_38) {
    puts("Fate grows silent");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  puts("One final time, speak to receive your reward");
  __isoc99_scanf(&DAT_00102142,&local_38);
  local_18 = LCGrandom(0);
  if (local_18 != (local_38 >> 0x20 ^ 0x12345678) + (local_38 << 0x20 ^ 0xfedcba9800000000)) {
    puts("Fate grows silent");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  printFlag();
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

ulong LCGrandom(long param_1)

{
  long lVar1;
  
  if (param_1 != 0) {
    seed = param_1;
  }
  lVar1 = longMult(seed,a);
  seed = (ulong)(lVar1 + c) % m;
  return seed;
}

ulong longMult(ulong param_1,long param_2)

{
  ulong local_20;
  ulong local_18;
  
  local_20 = param_1;
  for (local_18 = 0; local_18 < param_2 - 1U; local_18 = local_18 + 1) {
    local_20 = (local_20 + param_1) % m;
  }
  return local_20;
}

                             m                                               XREF[3]:     Entry Point(*), 
                                                                                          longMult:001012eb(R), 
                                                                                          LCGrandom:00101360(R)  
        00104010 67 bd 45        undefined8 000002E2B445BD67h
                 b4 e2 02 
                 00 00

LCGrandom(0) performs the following calculation.

seed = (seed * a + c) % m

In other words, consecutive outputs are computed as follows.

s1 = (s0 * a + c) % m
s2 = (s1 * a + c) % m
s3 = (s2 * a + c) % m
s4 = (s3 * a + c) % m

From these relations a and c can be derived as follows, which lets us predict the next output.

(s3 - s2) % m = (s2 - s1) * a % m
a = inverse(s2 - s1, m) * (s3 - s2) % m
c = (s2 - s1 * a) % m

From the next input onward the conditions are a little more involved, so here they are in order.

seed0, seed1: input
ans: input

seed1 = (seed0 * a + c) % m
seed2 = (seed1 * a + c) % m

The following check is then applied.

seed2 == (ans >> 0x20 ^ 0x12345678) + (ans << 0x20 ^ 0xfedcba9800000000)

It is enough to work backwards from seed2 to compute ans and send that value.

#!/usr/bin/env python3
from pwn import *

p = remote('0.cloud.chals.io', 21534)

# Read the two banner lines and the "name" line; only the last one is parsed.
seeds = []
for _ in range(3):
    data = p.recvline().decode().rstrip()
    print(data)

# First LCG output (strip the trailing comma).
seeds.append(int(data.split(' ')[5][:-1]))

# The next line carries three more consecutive LCG outputs.
data = p.recvline().decode().rstrip()
print(data)

seeds.append(int(data.split(' ')[0][:-1]))
seeds.append(int(data.split(' ')[1][:-1]))
seeds.append(int(data.split(' ')[3]))

# Recover a and c from the first three outputs and check them against the fourth.
m = 0x2E2B445BD67
a = pow(seeds[1] - seeds[0], -1, m) * (seeds[2] - seeds[1]) % m
c = (seeds[1] - seeds[0] * a) % m
assert (seeds[2] * a + c) % m == seeds[3]

data = p.recvline().decode().rstrip()
print(data)

# Stage 1: predict the next output.
seed = (seeds[3] * a + c) % m
print(seed)
p.sendline(str(seed).encode())
data = p.recvline().decode().rstrip()
print(data)

# Stage 2: choose the seed ourselves (1) and send the output it produces.
seed = 1
print(seed)
p.sendline(str(seed).encode())
seed = (seed * a + c) % m
print(seed)
p.sendline(str(seed).encode())
data = p.recvline().decode().rstrip()
print(data)

# Stage 3: advance the LCG once more and invert the final check.
seed = (seed * a + c) % m
ans = ((seed & 0xffffffff) ^ 0x12345678) << 0x20
ans += (seed >> 0x20) ^ 0xfedcba98
print(ans)
p.sendline(str(ans).encode())
data = p.recvline().decode().rstrip()
print(data)

The result of running it is as follows.

[+] Opening connection to 0.cloud.chals.io on port 21534: Done
Any one person can be great, but true Legends have Luck
Before you stands the altar, whereby you will have a conversation with fate itself
Fate tells you your name 999345201156, May fate be kind!
2305124617191, 708871642215, and 1302717511787 have already fallen today I hope you fair better
What is your response to Fate
719022361026
Fate hums with approval. Now you must be the one in control, and tell fate the cause, and the effect
1
777212916
One final time, speak to receive your reward
9606094287659645498
nicc{Just_G3t_Lucky_}
[*] Closed connection to 0.cloud.chals.io port 21534
nicc{Just_G3t_Lucky_}
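
The recovery of a and c and the inversion of the final check can be reproduced offline. The following is an added example, not part of the original writeup: the function names are illustrative, the outputs in PAGE_OUTPUTS are the four values from the run shown above, and it also covers the case where s1 - s0 has no inverse modulo m, which the derivation above assumes away.

```python
from math import gcd

M = 0x2E2B445BD67        # modulus m from the Ghidra listing on this page
MASK64 = (1 << 64) - 1   # the binary does its arithmetic on 64-bit ulong values

# The four outputs printed by the service in the run shown on this page.
PAGE_OUTPUTS = [999345201156, 2305124617191, 708871642215, 1302717511787]


def step(seed, a, c, m=M):
    """One LCG step: the value LCGrandom(0) returns next."""
    return (seed * a + c) % m


def recover_lcg(outputs, m=M):
    """Recover (a, c) of s[i+1] = (s[i]*a + c) % m from consecutive outputs."""
    if len(outputs) < 3:
        raise ValueError("need at least three consecutive outputs")
    d0 = (outputs[1] - outputs[0]) % m
    d1 = (outputs[2] - outputs[1]) % m
    # d1 = a*d0 (mod m) only pins down a when d0 is invertible modulo m.
    if gcd(d0, m) != 1:
        raise ValueError("s1 - s0 is not invertible mod m; a is not unique")
    a = d1 * pow(d0, -1, m) % m
    c = (outputs[1] - outputs[0] * a) % m
    # Accept the parameters only if they reproduce every observed output.
    if any(step(x, a, c, m) != y for x, y in zip(outputs, outputs[1:])):
        raise ValueError("outputs are not consecutive states of one LCG")
    return a, c


def final_check_value(ans):
    """Right-hand side of the binary's last comparison, with 64-bit wraparound."""
    low = (ans >> 32) ^ 0x12345678
    high = ((ans << 32) & MASK64) ^ 0xFEDCBA9800000000
    return (low + high) & MASK64


def craft_final_answer(target):
    """Invert final_check_value: the input whose check value equals target."""
    hi = (target & 0xFFFFFFFF) ^ 0x12345678   # ends up as the low half of the sum
    lo = (target >> 32) ^ 0xFEDCBA98          # ends up as the high half of the sum
    return (hi << 32) | lo


def solve(observed, cause=1, m=M):
    """Return the four numbers to send: response, cause, effect, final answer."""
    a, c = recover_lcg(observed, m)
    response = step(observed[-1], a, c, m)  # output that follows the observed ones
    effect = step(cause, a, c, m)           # reseeding with `cause` yields this
    final = craft_final_answer(step(effect, a, c, m))
    return response, cause, effect, final


if __name__ == "__main__":
    print(solve(PAGE_OUTPUTS))
```

Because a few consecutive outputs are enough to recover every parameter, an LCG must not be used where its values have to stay unpredictable.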

Socratic-Script (Web)

The HTML source looks like this.

        :

        <form id="uploadForm" action="/upload" method="post" enctype="multipart/form-data">
            <input type="file" name="file">
            <button type="submit">Upload File</button>
        </form>
    </div>
    <script>
        // Participants will need to remove or disable this script to allow uploads
        document.getElementById('uploadForm').addEventListener('submit', function(event) {
            event.preventDefault();
            alert('Denied!');
        });
    </script>

        :

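Uploading a file through the form is blocked by the page's JavaScript, which runs only in the browser.
Upload the file directly to the target path with the curl command instead.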

$ curl -F file=@ancient_tome.txt https://springforward-socratic-script.chals.io/upload
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Flag Revealed</title>
    <link rel="stylesheet" href="/static/flag.css">
</head>
<body class="flag-body">
    <div class="flag-container">
        <h1>Passage Granted!</h1>
        <p>Your flag: nicc{p@SSAGe_GR@Nt3D}</p>
    </div>
</body>
</html>
nicc{p@SSAGe_GR@Nt3D}

Browsing-History (Forensics)

Format the JSON with an online tool, save it as zeus-data_formatted.json, and search it for strings in the flag format.

$ strings zeus-data_formatted.json | grep nicc{
                "title": "nicc{} this is a fake flag find the real one whoops - Google Search",
                "title": "nicc{jup1t3R-15-4W350M3} - Google Search",
nicc{jup1t3R-15-4W350M3}

cool-songs (Forensics)

Open coolsong1.mid in Music Studio Producer. The event list of track 1 contains what look like ASCII codes, so write them out.

125
55
54
48
57
50
99
49
103
118
49
104
56
45
117
106
105
56
45
52
55
113
52
45
112
51
50
55
45
53
50
56
57
50
52
113
53
123
102
102
112
122

Judging from the codes, reversing their order should give a string related to the flag.

>>> codes = [125, 55, 54, 48, 57, 50, 99, 49, 103, 118, 49, 104, 56, 45, 117, 106, 105, 56, 45, 52, 55, 113, 52, 45, 112, 51, 50, 55, 45, 53, 50, 56, 57, 50, 52, 113, 53, 123, 102, 102, 112, 122]
>>> ''.join([chr(code) for code in codes])[::-1]
'zpff{5q429825-723p-4q74-8iju-8h1vg1c29067}'

Open coolsong2.mid in Music Studio Producer. The event list of track 1 again contains what look like ASCII codes, so write them out.

71
74
67
67
86
68
85
74
68
80
75
80
68
68
72
77

Convert these to characters in reverse order as well.

>>> codes = [71, 74, 67, 67, 86, 68, 85, 74, 68, 80, 75, 80, 68, 68, 72, 77]
>>> ''.join([chr(code) for code in codes])[::-1]
'MHDDPKPDJUDVCCJG'

Guessing a Vigenere cipher with 'zpff{5q429825-723p-4q74-8iju-8h1vg1c29067}' as the ciphertext and 'MHDDPKPDJUDVCCJG' as the key, decrypt it at https://www.dcode.fr/vigenere-cipher.

nicc{5b429825-723f-4b74-8faa-8e1ae1a29067}
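
The Vigenere decryption above and the Caesar decryption in labours-of-hercules-2 are the same operation, since a Caesar shift is a Vigenere cipher with a one-letter key (rotation 14 corresponds to the key "O"). The following is an added example, not part of the original writeup, that performs both locally instead of through the online tools; the function names are illustrative, and the convention that non-letters pass through without consuming a key letter is an assumption that matches the results shown on this page.

```python
# Event values written out from track 1 of each MIDI file (from this page).
SONG1 = [125, 55, 54, 48, 57, 50, 99, 49, 103, 118, 49, 104, 56, 45, 117, 106,
         105, 56, 45, 52, 55, 113, 52, 45, 112, 51, 50, 55, 45, 53, 50, 56, 57,
         50, 52, 113, 53, 123, 102, 102, 112, 122]
SONG2 = [71, 74, 67, 67, 86, 68, 85, 74, 68, 80, 75, 80, 68, 68, 72, 77]

# First line of flag.txt from labours-of-hercules-2 (from this page).
HERCULES = "Wt o vsor wg qih ctt, hkc acfs gvozz hoys whg dzoqs."


def midi_values_to_text(values):
    """Read the event values as ASCII codes and reverse their order."""
    return "".join(chr(v) for v in reversed(values))


def vigenere_decrypt(ciphertext, key):
    """Subtract the key letter from each ciphertext letter, keeping case.

    Digits and punctuation are copied unchanged and do not advance the key.
    """
    shifts = [ord(k) - ord("A") for k in key.upper()]
    out = []
    used = 0  # number of key letters consumed so far
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def solve_cool_songs():
    """Ciphertext from coolsong1.mid, key from coolsong2.mid."""
    return vigenere_decrypt(midi_values_to_text(SONG1), midi_values_to_text(SONG2))


if __name__ == "__main__":
    print(solve_cool_songs())
    print(vigenere_decrypt(HERCULES, "O"))  # Caesar rotation 14
```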

Party-at-the-Gardens (Crypto)

Morse code is written on the base of the cup.

.-- .. -. . - .. -- .

Decode it at https://morsecode.world/international/translator.html.

WINETIME
nicc{WINETIME}

twisted-tongues (Crypto)

Opening the image in StegSolve and viewing Red plane 0 revealed the following text.

NESH-CHEE TKIN MOASI
MOASI{NA-AS-TSO-SI0BE3GAH
NESH-CHEE_MOASI0BE3_THAN-ZIE
WOL-LA-CHEE1KLIZZIE-YAZZIE3GAH}

Searching for these keywords shows that they belong to the Navajo code. Replace each word with its letter using the table below.

https://www.scholastic.com/content/dam/teachers/lesson-plans/17-18/navajo-code-dictionary.pdf
nicc{m0d3rn_c0d3_ta1k3r}

the-receiver-of-many (Crypto)

The text contains a part that looks like it could be the flag.

{@94 44 44 66 49 67 33 76 56 55 43 53}

Guessing from the problem statement that this is a Nihilist cipher, decrypt it at https://cryptii.com/pipes/nihilist-cipher.

weblamehades
nicc{@weblamehades}

My-friend's-message (Crypto)

Guessing a scytale cipher, decrypt it at https://www.dcode.fr/scytale-cipher.

THEANSWERISGR3EKG0DZZZ
nicc{gr3ekg0dzzz}

the-reciever-of-many-2 (OSINT)

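From the challenge "the-receiver-of-many" we know that the account name is weblamehades. Something is said to be hidden on this user's social media, and from the problem statement of "the-receiver-of-many" we can guess that the platform is Instagram. Accessing https://www.instagram.com/weblamehades shows that three photos have been posted.
Looking at the details of the rightmost photo, the flag was included in its tags.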

nicc{ista1kedhade5}