SAIT CTF 2025 (4th)
July 28, 2025We placed 4th at Alice in Pwnderland with a final team score of 2020 points!
WOOP WOOP!
My Thoughts
What an absolute blast! This CTF was something really special. Not just because of the Alice in Wonderland theme which was fun and different (funny play on words), but because of how unique the whole experience was compared to typical CTFs, or the ones I have done at least.
The day trip to Calgary with my friends was already awesome on its own, but SAIT really delivered something I’d never experienced before: a CTF with physical components. I wasn’t just sitting at computers the whole time. I was literally running around the SAIT campus, hunting down lockboxes, scanning RFID cards, and solving puzzles that required us to move through different spaces. Everytime I would solve one of these challenges I would have to run back to my laptop and input the flag while I was huffin and puffin and everytime I would get the green checkmark it felt so rewarding.
It felt like being a kid again, running around a massive playground with different stations to explore. One minute you’re analyzing network traffic, the next you’re physically searching hallways for hidden challenges, then you’re using hardware tools to clone key fobs. The variety kept the energy high and made every solved challenge feel like a mini adventure. There’s something about the combination of digital skills and real-world problem solving that just hits different.
Honestly, this is what more CTFs should be like. SAIT absolutely nailed the balance between technical challenges and interactive fun. Can’t wait for the next one! And for all other CTF’s out there, add in challenges around the location, make the particpants hustle a little bit! I think all of us would love a bit more of that.
Challenge Writeups
Forensics 50 - (Alchemy Lesson P1)
This challenge wasn’t anything crazy just a google search. The question had asked what is the first phase of nmap. This for me meant that I should look at doumentation or any sort of procedural step by step. So I had google searched “nmap phase 1” and it brought me to this https://nmap.org/book/nmap-phases.html. After combing through it, I saw that on the third section the content written it had “Networks scans usually begin…” and this to me was the indicator this is the typical first phase and let me correctly to the first flag!
flag = AL1C3CTF{Host_discovery}
Misc 100 - (Dissapearing Flag)
For this question you were given a Keysy and a Key Fob! I had never worked with any physcial hardware so this was a new thing for me. I initially had no idea how it worked or what it did, so as any inexperienced person does… I watched youtube videos. After learning a bit about the device what it does and the goal of it. I was able to stumble upon the exact video I needed “Keysy RFID Duplicator Quick Start Demo”. This gave me a step by step instructional. In the question description we were told the flag is in the Fob, so I had followed the instructions and got the Fob on to the Keysy. After completeting this step I ran to the techincal lead table and asked for a card reader and BOOM. When I had showed the contents of the Keysy there was a string that had numbers in a form and it looked like this” 43 4C 4F 43 4B” and first thing that came to mind was, this looks like ascii. After converting this using a ASCII chart. From the sequence of words I was able to form the work “CLOCK”. This finally brought me to the correct flag!
flag = AL1C3CTF{CLOCK}
Wireless 200 - (Is this your card?)
This question is a bit more of a logic puzzle! The question had asked us to download an image and I had downloaded said image and all it was, was a photo of a box. The box didn’t seem online genrated or from stock images. and In the question it said to locate the box shown in the image. So I started bolting around the school until two floors below me later I was able to stumble upon said box. The box had RFID cards right beside that resembled playing cards. Within the question it had notable say something about the 2, 5, and 7 of spades as well as a red club. The question was to find the two sqeuences of cards that would open up the locked box. So I knew for sure the red club was in the sequence of two, and the other ones had to be the 2, 5, or 7. but when I initially tried it didn’t work. The card scanner didn’t pick it up for the second card. So instead of logically solving this. After scanning the red clubs. I brute forced it! I had scanned almost every card this time after the red club. Thankfully I was able to get the right card, THE 7 OF SPADES I tried earlier. It must have not picked it up, either way the box was now open. But I was disappointed to see it empty. So I had looked around inside, and behold, the flag value was in small writing beside the RFID scanner hidden within the box.
flag = AL1C3CTF{L0W_FR3QU3NCY_L0W_K3Y}
Wireless 100 - (Ride with the Rabbit 2)
This challenge was Wireless network reconnaissance! We were tasked to find a wireless WiFi powered robot and when you do find this robot you are supposed to find it MAC/BSSID. Since it was wifi I wanted to know what it was I was looking for. So when I looked at the properties of my current wifi connection I could see the MAC in plain text and see what it was exactly I was looking for. After a bit of searching I found out I could scan the entire wifi networks around me using a certain command. This command would search all possible networks around me with BSSIDs.
Powershell:
netsh wlan show networks mode=bssid
After inputting this command I could see all the networks around me including their BSSID1. After combing through the networks and values. There was the flag value I was looking for in plain text as I expected!
flag = AL1C3CTF{94:b9:7e:e3:88:7d}