Tags: javascript unicode

Rating: 0

**Description**

> [Welcome](https://ctf.hackit.ua/w31c0m3)

**No files provided**

**Solution**

The page displays:


Welcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯


But if we open up the inspector, it shows a whole bunch of invisible Unicode characters between the first and the second characters. Zero-width joiners, zero-width non-joiners, etc. In fact, all the invisible characters used are (Unicode codepoints): 0x200b, 0x200c, 0x200d, 0x200e, 0x200f.

A quick search for e.g. "zero-width unicode steganography" leads us to [this page](https://330k.github.io/misc_tools/unicode_steganography.html) which does basically the same thing as what we need. The character selection doesn't include one of the codepoints that is used in the challenge; fortunately, the library which the page uses is [available](http://330k.github.io/misc_tools/unicode_steganography.js).

Then we can simply decode the flag with Javascript:

js
const stego = require("./unicode_steganography.js").unicodeSteganographer;
stego.setUseChars('\u200b\u200c\u200d\u200e\u200f');
console.log(stego.decodeText("W​​​​‏​‍​​​​‏‌‎​​​​‎‏‍​​​​‏​‎​​​​‏‏‎​​​​‏‎‏​​​​‍​‌​​​​‎‏​​​​​‏​‎​​​​‏‍‏​​​​‍​‌​​​​‍​‌​​​​‍‌​​​​​‎‏​​​​​‏​‏​​​​‍​‍​​​​‎‏‏​​​​‏‌‍​​​​‍​‌​​​​‏‍‏​​​​‏‏‍​​​​‎‏​​​​​‏‎‏​​​​‌‏‏​​​​‏‎‌​​​​‏​‏​​​​‎‏​​​​​‏‎‍​​​​‏‍​​​​​‌‏‏​​​​‎‏‏​​​​‌‏‎​​​​‏​​​​​​‍​‌​​​‌​​​elcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯"));


flag{w3_gr337_h4ck3rz_w1th_un1c0d3}