mis4nthr0pia

Nullcon HackIM CTF Goa 2026 – Emoji

Category: Misc

Difficulty: Easy


1. Challenge Overview

The challenge provides a single README.md file containing what appears to be a solitary emoji: 💯. However, when looking at the file metadata or simply clicking and dragging over the text, it becomes clear that there is a significant amount of “invisible” data trailing the emoji. We are told the flag follows the ENO{...} format.

2. Vulnerability Analysis

This is a classic case of Unicode Tag Steganography. Characters in the Unicode range U+E0000 to U+E007F are non-rendering “Tag” characters. When I inspected the raw content of the README.md file, I found a sequence of these high-value Unicode points following the 100 emoji:

  • U+E0135
  • U+E013E
  • U+E013F
  • U+E016B

Since the flag starts with ENO{, I can calculate the offset between the hidden Unicode characters and standard ASCII.

3. Developing the Exploit

To find the hidden message, I mapped the first hidden character to the first letter of the known flag format (E).

The hex value of the first hidden character is 0xE0135. The ASCII value for E is 0x45. By performing a simple subtraction, I found the constant offset used to hide the text:

$$0xE0135 - 0x45 = 0xE00F0$$

By subtracting $0xE00F0$ from every hidden Unicode character in the string, the plain text flag should be revealed.

4. The Solution Script

I wrote a quick Python script to automate the extraction and subtraction process:

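# The raw string from the README. The invisible characters are written
# as \U escapes so they survive copy and paste.
data = (
    "\U0001F4AF"  # the visible 100 emoji
    "\U000E0135\U000E013E\U000E013F\U000E016B\U000E0135\U000E013D\U000E0120"
    "\U000E013A\U000E0121\U000E0143\U000E014F\U000E0145\U000E013E\U000E0121"
    "\U000E0133\U000E013F\U000E0134\U000E0123\U000E014F\U000E0121\U000E0143"
    "\U000E014F\U000E013D\U000E0131\U000E0137\U000E0121\U000E0133\U000E016D"
)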

# The 100 emoji is at index 0, the tags start at index 1
hidden_chars = data[1:]

flag = ""
for char in hidden_chars:
    # Subtract the E00F0 offset from the code point
    codepoint = ord(char)
    flag += chr(codepoint - 0xE00F0)

print(f"Decoded Flag: {flag}")
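
The same known-prefix approach as a reusable scanner (an added example, not the author's script): it finds every run of invisible code points instead of assuming they start at index 1, and accepts an offset only if it is constant across the whole ENO{ prefix. It covers both the Tags block (U+E0000 to U+E007F) and the Variation Selectors Supplement (U+E0100 to U+E01EF), which is where code points such as U+E0135 fall; the function names and the sample string are constructed for illustration.

```python
# Added example; function names are illustrative, not from the challenge.
INVISIBLE_BLOCKS = {                       # ranges that render as nothing
    "Tags": (0xE0000, 0xE007F),
    "Variation Selectors Supplement": (0xE0100, 0xE01EF),
}

def block_of(ch):
    """Name of the invisible block containing ch, or None."""
    cp = ord(ch)
    for name, (lo, hi) in INVISIBLE_BLOCKS.items():
        if lo <= cp <= hi:
            return name
    return None

def find_hidden_runs(text):
    """List of (start_index, run) for every run of invisible code points."""
    runs, start = [], None
    for i, ch in enumerate(text + "\0"):   # sentinel closes a trailing run
        if block_of(ch):
            start = i if start is None else start
        elif start is not None:
            runs.append((start, text[start:i]))
            start = None
    return runs

def decode_with_prefix(run, prefix):
    """Derive the offset from a known prefix; return (offset, text) or None."""
    if len(run) < len(prefix):
        return None
    offsets = {ord(h) - ord(p) for h, p in zip(run, prefix)}
    if len(offsets) != 1:                  # offset must hold for the whole prefix
        return None
    offset = offsets.pop()
    decoded = [ord(h) - offset for h in run]
    if not all(0x20 <= cp < 0x7F for cp in decoded):
        return None                        # result is not printable ASCII
    return offset, "".join(map(chr, decoded))

if __name__ == "__main__":
    # Constructed sample: the page's flag re-encoded with the page's offset.
    flag = "ENO{EM0J1S_UN1COD3_1S_MAG1C}"
    sample = "\U0001F4AF" + "".join(chr(ord(c) + 0xE00F0) for c in flag)
    for start, run in find_hidden_runs(sample):
        print(start, len(run), block_of(run[0]), decode_with_prefix(run, "ENO{"))
```
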

5. The Winning Payload

Applying the offset of 0xE00F0 to the entire hidden string yields the following ASCII sequence:

  • U+E0135 → E
  • U+E013E → N
  • U+E013F → O
  • U+E016B → {
  • …and so on.

The full decoded string is:

ENO{EM0J1S_UN1COD3_1S_MAG1C}

6. Result

The flag was successfully extracted from the Unicode tag block hidden behind the emoji.

Flag: ENO{EM0J1S_UN1COD3_1S_MAG1C}
