Tags: javascript unicode 

Rating: 0

**Description**

> [Welcome](https://ctf.hackit.ua/w31c0m3)

**No files provided**

**Solution**

The page displays:

```
Welcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯
```

But if we open up the inspector, it shows a whole bunch of invisible Unicode characters between the first and the second characters. Zero-width joiners, zero-width non-joiners, etc. In fact, all the invisible characters used are (Unicode codepoints): `0x200b`, `0x200c`, `0x200d`, `0x200e`, `0x200f`.

A quick search for e.g. "zero-width unicode steganography" leads us to [this page](https://330k.github.io/misc_tools/unicode_steganography.html) which does basically the same thing as what we need. The character selection doesn't include one of the codepoints that is used in the challenge; fortunately, the library which the page uses is [available](http://330k.github.io/misc_tools/unicode_steganography.js).

Then we can simply decode the flag with Javascript:

```js
const stego = require("./unicode_steganography.js").unicodeSteganographer;
stego.setUseChars('\u200b\u200c\u200d\u200e\u200f');
console.log(stego.decodeText("W​​​​‏​‍​​​​‏‌‎​​​​‎‏‍​​​​‏​‎​​​​‏‏‎​​​​‏‎‏​​​​‍​‌​​​​‎‏​​​​​‏​‎​​​​‏‍‏​​​​‍​‌​​​​‍​‌​​​​‍‌​​​​​‎‏​​​​​‏​‏​​​​‍​‍​​​​‎‏‏​​​​‏‌‍​​​​‍​‌​​​​‏‍‏​​​​‏‏‍​​​​‎‏​​​​​‏‎‏​​​​‌‏‏​​​​‏‎‌​​​​‏​‏​​​​‎‏​​​​​‏‎‍​​​​‏‍​​​​​‌‏‏​​​​‎‏‏​​​​‌‏‎​​​​‏​​​​​​‍​‌​​​‌​​​elcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯"));
```

`flag{w3_gr337_h4ck3rz_w1th_un1c0d3}`