Thotcon0x6 CTF Write-Up


The challenge stated with us replying to a classified ad. The reply email told us to come to the desk. After one of our team members went up to the CTF desk, they came back with metallic looking thing inside a baggy. It turned out to be the inside of a floppy disk that had been taken apart.

At this point, it was rather late at night and we had to scramble to a computer store in the pouring rain to attempt to buy a floppy, and a USB floppy reader. We were lucky that there was still one on a low shelf in the back of the store. Apparently people don’t buy many floppies. After this we broke open one of the blank floppies we had gotten and replaced the inside with the one provided by the CTF organizers.

We inserted it and tried to read it using USB reader, but we kept getting IO errors. We tried to read it three different times and ended up with rather large differences between the files every time. Even still, we were able to observe some things about the file. It had several valid file headers scattered though out but we were unable to use tools to retrieve any of them. The checksums for the sectors seemed to match, but we were unable to mount it. We bashed our head into the wall for a bit bit until we got a hint on twitter.

Once we opened it and just looked at the file, it became obvious what had happened. The image had been split in to pieces and the order had changed. It was split into 6 pieces (Thotcon 0x6?). It was at this point that the CTF organizers emailed us the original image used to make the disks due to the corruption in reading. We split it back up and methodically tried every combo, and got it to a state where files could be read after only a couple of attempts. We recovered a zip file off the disk and opened it, the image inside turned out to be corrupted. We had a moment of despair until we noticed that the image included QR code and that enough had been preserved to work due to error correction. This QR code turned out to be the flag and was instrumental in winning the CTF.