BlahajCTF 2025 | ping ping ping

Published on: December 7, 2025

1 min read · Posted by tiantian1027_

Challenge Details

Category: Forensics
Difficulty: Medium
Topics: Insecure Data Storage
Competition: BlahajCTF 2025
Author: tiantian1027_

Description

Writeup for BlahajCTF 2025 hard forensics challenge

Writeup

Initial Thoughts

  • We are provided with new_dist.ad1, a proprietary FTK Imager image file, probably containing an OS.

  • The description mentioned Discord notifications, so the flag should be somewhere notification-related.

Investigating the file

Extracting the OS from the .ad1 file.

Before we can do any further analysis, we need to get the OS files out of the image.

  • We will use ad1tools to extract the files:

ad1extract -d . -i new_dist.ad1

Searching for the flag

  • After extracting, we are greeted with a Windows file tree.

  • Looking back, the description mentioned Discord notifications, meaning the flag is likely in the notification history. (I have encountered a similar challenge in PwnSecCTF 2025.)

A quick Google search revealed that the notification history is stored in %UserProfile%\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

Getting the flag

Pic of folder where notifications are stored

Going to that directory, we are met with wpndatabase.db, which is 1024 KB.

  • To get the flag, we can try reading the database using sqlite3 wpndatabase.db

  • Next, find which tables exist using .tables

  • The notification table looks good, so we read the contents of the table using SELECT * FROM notifications;

  • Running the command, we find a base64 string: YmxhaGFqezFuNTNjdXIzX24wNzFmMWM0NzEwbl9hcjcxZjRjNzU/Pz99

  • Decoding the base64 string, we get the flag.

Final Flag

blahaj{1n53cur3_n071f1c4710n_ar71f4c75???}
