Tags: javascript unicode 

Rating: 0


> [Welcome](https://ctf.hackit.ua/w31c0m3)

**No files provided**


The page displays:

Welcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯

But if we open up the inspector, it shows a whole bunch of invisible Unicode characters between the first and the second characters. Zero-width joiners, zero-width non-joiners, etc. In fact, all the invisible characters used are (Unicode codepoints): `0x200b`, `0x200c`, `0x200d`, `0x200e`, `0x200f`.

A quick search for e.g. "zero-width unicode steganography" leads us to [this page](https://330k.github.io/misc_tools/unicode_steganography.html) which does basically the same thing as what we need. The character selection doesn't include one of the codepoints that is used in the challenge; fortunately, the library which the page uses is [available](http://330k.github.io/misc_tools/unicode_steganography.js).

Then we can simply decode the flag with Javascript:

const stego = require("./unicode_steganography.js").unicodeSteganographer;
console.log(stego.decodeText("W​​​​‏​‍​​​​‏‌‎​​​​‎‏‍​​​​‏​‎​​​​‏‏‎​​​​‏‎‏​​​​‍​‌​​​​‎‏​​​​​‏​‎​​​​‏‍‏​​​​‍​‌​​​​‍​‌​​​​‍‌​​​​​‎‏​​​​​‏​‏​​​​‍​‍​​​​‎‏‏​​​​‏‌‍​​​​‍​‌​​​​‏‍‏​​​​‏‏‍​​​​‎‏​​​​​‏‎‏​​​​‌‏‏​​​​‏‎‌​​​​‏​‏​​​​‎‏​​​​​‏‎‍​​​​‏‍​​​​​‌‏‏​​​​‎‏‏​​​​‌‏‎​​​​‏​​​​​​‍​‌​​​‌​​​elcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯"));