Crew Ledger

BearcatCTF by smothy

The Crew Ledger - Forensics

Points: 486 | Flag: BCCTF{X_M4rk3Sss_th3_Sp0T} | Solved by: Smothy @ 0xN1umb

treasure vibes

what we got

101 .eml files - a full email archive from the pirate ship Scallywag. challenge description says crew members leaked secret info and we need to find it.

the solve

first things first - scan all 101 emails for subjects and sizes. most are small text-only emails (pirate RP lol), but a handful have attachments. the big ones:

```
27.eml - 2.4MB (revised_map.pdf)
42.eml - 1.8MB (key_photo.png)
59.eml - 1.6MB (escape.png)
2.eml  - 1.6MB (route_v1.png)
92.eml - 97KB  (lost_supplies.xlsx)  <-- this one
```

extracted all 24 attachments with python's email module. ran file on everything, checked zips, searched for flag strings. nothing obvious.

then i looked inside the xlsx files since they're really just zip archives. inventory.xlsx and audit_report.xlsx were normal, but 92_lost_supplies.xlsx had some extra goodies hiding inside:

```
xl/theme/pass.xml    (20 bytes)
xl/theme/secret.xml  (59695 bytes)
xl/test/             (empty dir)
```

pass.xml contained: Ah0y_m4t3y_801ecc51

secret.xml was actually a password-protected zip file (PK magic bytes) containing treasure_map.png - same file that was locked inside 11_secret_location.zip from email 11.

```bash
mv secret.xml secret.zip
unzip -P 'Ah0y_m4t3y_801ecc51' secret.zip
```
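As an added example, not code from the original writeup: the triage above in Python, parsing a raw .eml, opening each zip-based attachment, and flagging members that are encrypted or whose leading bytes contradict their extension (like secret.xml starting with PK). The function names, the small magic table and the message built in build_sample() are assumptions constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

MAGIC = {b"PK\x03\x04": "zip", b"\x89PNG": "png", b"%PDF": "pdf"}  # small, not exhaustive

def sniff(data):
    """Format implied by the leading bytes, or None if unrecognised."""
    return next((fmt for sig, fmt in MAGIC.items() if data.startswith(sig)), None)

def odd_members(zip_bytes):
    """(name, finding, size) for members that are encrypted or whose bytes contradict their extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            if info.flag_bits & 0x1:  # encrypted entry: cannot read it without the password
                hits.append((info.filename, "encrypted", info.file_size))
                continue
            real = sniff(zf.read(info))
            if real and real != info.filename.rsplit(".", 1)[-1].lower():
                hits.append((info.filename, real, info.file_size))
    return hits

def scan_eml(raw):
    """Check every zip-based attachment (xlsx, docx, zip) of one raw .eml message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if sniff(data) == "zip" and (hits := odd_members(data)):
            findings[part.get_filename()] = hits
    return findings

def build_sample():
    """Constructed input: an email whose .xlsx attachment hides a zip named secret.xml."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("treasure_map.png", b"\x89PNG placeholder")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/theme/secret.xml", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="octet-stream", filename="lost_supplies.xlsx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_eml(build_sample()))
```

A plain-text member like pass.xml has no magic bytes to trip on, so listing the archive and comparing against the parts a normal workbook contains is still needed to catch it.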

opened the png and the flag was written right on the treasure map image, big red text:

BCCTF{X_M4rk3Sss_th3_Sp0T}

ngl the whole pirate email lore was a nice touch. Long-John Silver was the traitor - the activity logs showed him deleting gold crate inventories and uploading fake reports at 4am. classic.

flag

BCCTF{X_M4rk3Sss_th3_Sp0T}


smothy out ✌️