Welcome back everyone — but things are a little different this time. Wowza, our team, nailed it and we took 1st place in this competition.
Since we placed first, we probably won't be back at this event — so this write-up is the last one for the Sec Playground series. If there's another chance, maybe we'll meet again.
Enough intro — let's talk about the challenge.
Anabelle's Secret — Cryptography category
The challenge description was sparse — just find the real name of someone "above" Anabelle. But who????? Stop talking, download the file.
Okay, opening it is a bit creepy — but that's not the point. What we need is a name… The moment I saw an image file, one tool immediately came to mind: Stegseek (https://github.com/RickdeJager/stegseek)
Dead simple to use: stegseek + image file + wordlist
stegseek Annabelle.png ~/Downloads/rockyou.txt
We get a decoded file if the image has hidden data — and in this challenge it did.
The output file is Anabelle.png.out — a plain text file, readable directly.
Looking at the content, only one thing comes to mind: Morse Code. Let's decode it.
The first decoder gave the wrong result, so I tried a second one.
Incorrect outputCorrect output
We got the name: JANE_DOE_IS_MY_NAME. You might wonder why the surname DOE matches John Doe — Jane is the female equivalent. "John Doe" (male) and "Jane Doe" (female) are placeholder names used in legal contexts to represent unidentified or anonymous individuals.
Now submit in the correct format: Cryptography{JANE_DOE_IS_MY_NAME}
That was wrong — the answer required specific capitalisation. The correct flag was Cryptography{Jane_Doe_is_my_name}.
That's a wrap for Hackloween 2025. I didn't grab screenshots of the other challenges — if you want me to add wiki 1 and wiki 2, DM me the screenshots.
Signing off with a meme as always.
Finally, thanks to SECPLAYGROUND for a great event :) See you around!