Welcome to my series of writeups for n00bzunit3d 2024 capture-the-flag competition. In this post, we look at Rev/vacation. The challenge gives us a .ps1 Windows powershell cmdlet file and an output.txt file. Let’s see what’s in them.

run.ps1

$bytes = [System.Text.Encoding]::ASCII.GetBytes((cat .\flag.txt))
[System.Collections.Generic.List[byte]]$newBytes = @()
$bytes.ForEach({
    $newBytes.Add($_ -bxor 3)
    })
$newString =  [System.Text.Encoding]::ASCII.GetString($newBytes)
echo $newString | Out-File -Encoding ascii .\output.txt

output.txt

m33ayxeqln\sbqjp\twk\{lq~

Looking at run.ps1 we see that it reads flag.txt as ascii characters and XORs each byte with 3and then stores the output in output.txt. XOR is a reversible operation. XORing each byte of the output with 3 should give us back the original flag. We ran the same script and pasted the output in our own flag.txt and the flag was present in output.txt.