MagpieCTF 2026
This past weekend, February 21st-22nd was UofC’s annual CTF - MagpieCTF 2026 and I was very excited to compete again.
I was only able to compete for a couple hours Saturday evening and was alone this time around, but it was a lot of fun nonetheless.
In this post I’m going to walk through all the challenges I was able to solve and complete.
Challenges
Three Words
Easy OSINT
The grid isn’t stable tonight. Feels like someone sliced reality into pieces and scattered them across the datastream.
We tracked the target Ra1z3L again, same phantom route, same broken surveillance loop — but the last intercept wasn’t just audio. It came with a numeric shard tagged 8645, isolated from the rest of the payload like one fragment of a bigger lock.
Whoever set this up didn’t trust a single key. They split their secret, buried pieces in different channels, and left us with scraps.
One fragment kept repeating through the noise: scan.acting.basher
Three words. Too precise to be random. Not an address the old net would understand, something newer, something… segmented.
Find where those words lead in the real world. Trace the location. Confirm the name of the place the target keeps returning to.
And keep that number safe. It’s not just noise, it’s one part of something bigger.
Example Flag: magpieCTF{calgarytower}
In this challenge description we are given the three words scan.acting.basher
The format of those three words and the title being Three Words, it immediately made me think of the challenge, Where’s That Grin? I solved over the summer at AL1C3 1N PWND3RLAND.
This challenge was similar as it used the site what3words, but instead we were given the three words to search for instead.
Plugging scan.acting.basher into what3words gives us the location of the Taylor Family Digital Library on UofC’s campus.
The flag for this challenge was magpieCTF{taylorfamilydigitallibrary}
Hodd Toward
Easy OSINT
Hey choom I ran into this total gonk the other day. He called himself Hodd Toward, anyways he klepted this buggy BD and gave me a challenge. You gotta find the name for this place in “Skyrim”. Anyways choom if you can do this for me ill send a few eddies your way.
Flag Example: magpieCTF{tiltedtowers}
Taking the image we were given and then reverse searching it in Google gave me the results of the Abandoned Shack from Skyrim (which is the game we were looking for).
The flag for this challenge was magpieCTF{abandonedshack}
OSINT 1
Easy OSINT
A photo from Night City intelligence channels was intercepted, but it only shows a location with no additional metadata. The team believes it was taken in a high-traffic corporate district and needs a positive identification before moving to the next lead.
Flag Example: magpieCTF{pacificamall}
This one out of the next three honestly had taken me the longest due to how many results it was giving me when reverse searching it in Google.
Most results were listing Corpo Plaza from Cyberpunk 2077, which did make sense and doing further digging did prove that.
However, it wasn’t looking for ‘corpo’ in the answer, which I later found out is actually short for corporate.
Eventually I got it, the flag for this challenge was magpieCTF{corporateplaza}
OSINT 2
Easy OSINT
A second image was recovered from a suspect terminal. The scene appears to be from an early-game area that most runners have seen, but the exact place name is required for verification.
Flag Example: magpieCTF{pacificamall}
This one was a continuation of the previous challenge, so the image looked to be another location from Cyberpunk 2077.
Reverse searching it in Google like the last two gave me one place, Konpeki Plaza Hotel.
The flag for this challenge was magpieCTF{konpekiplaza}
OSINT 3
Easy OSINT
A third surveillance capture was pulled from a data leak and appears to show a unique commercial landmark. Command wants confirmation of the exact location name before advancing the investigation.
Flag Example: magpieCTF{pacificamall}
The strategy of reverse image searching for these locations was working so I continued with it.
This one gave back a couple possible locations like Dogtown and Grand Imperial Mall, doing some further digging on both locations though narrowed it down.
The flag for this challenge was magpieCTF{grandimperialmall}
Bad Pictures
Easy Forensics
Hey netrunner, I pulled a visual file off a data shard in Hudson today. Metadata says: “flag.png”. The problem? It won’t open. Even my preem corp viewer software rejects it. Hell, my cyberware says it’s not a PNG file at all, but I know it’s lying to me somehow. Someone doesn’t want me seeing this image but I know you can fix that…
The challenge name being Bad Pictures made me immediately think about possible corruption in the file metadata.
First thing I did once I downloaded the file, was run the command xxd flag.png | head. This gave the following output:
─$ xxd flag.png | head
00000000: 995a 4e47 0d0a 1a0a 0000 000d 4948 4452 .ZNG........IHDR
00000010: 0000 053e 0000 043f 0803 0000 000a 5b03 ...>...?......[.
00000020: 8200 0000 0173 5247 4201 d9c9 2c7f 0000 .....sRGB...,...
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0020 6348 524d 0000 7a26 0000 8084 0000 . cHRM..z&......
00000050: fa00 0000 80e8 0000 7530 0000 ea60 0000 ........u0...`..
00000060: 3a98 0000 1770 9cba 513c 0000 0300 504c :....p..Q<....PL
00000070: 5445 1313 2519 1d32 d1c1 abd9 c8b1 1318 TE..%..2........
00000080: 2e1e 1831 dad1 b213 1922 d2c6 afd4 bca5 ...1....."......
00000090: d9c3 b3be a094 ccbd aed3 cbaf dacd b3d8 ................
Having done multiple challenges like this before, I referenced some notes I had taken previously to compare the magic numbers and use the tool hexeditor to manually fix them.
─$ xxd flag-fixed.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 053e 0000 043f 0803 0000 000a 5b03 ...>...?......[.
00000020: 8200 0000 0173 5247 4201 d9c9 2c7f 0000 .....sRGB...,...
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0020 6348 524d 0000 7a26 0000 8084 0000 . cHRM..z&......
00000050: fa00 0000 80e8 0000 7530 0000 ea60 0000 ........u0...`..
00000060: 3a98 0000 1770 9cba 513c 0000 0300 504c :....p..Q<....PL
00000070: 5445 1313 2519 1d32 d1c1 abd9 c8b1 1318 TE..%..2........
00000080: 2e1e 1831 dad1 b213 1922 d2c6 afd4 bca5 ...1....."......
00000090: d9c3 b3be a094 ccbd aed3 cbaf dacd b3d8 ................
Once it was fixed, we were able to view the picture properly now. The image contained a bird, some overlayed binary, like a 3D filter type effect, and the flag.
It was a little hard to read but the flag for this challenge was magpieCTF{th3_m4g1c_15_1n_th3_h3ader5}
John The Zipper
Easy Forensics
From: IntelCorp.
BEGIN CONFIDENTIAL MESSAGE: CLASSIFIED.
Hey netrunner, have you ever heard of John Mercer? I thought not. He was a Mid-level Arasaka data tech - quiet, unassuming and predictable. Unfortunately, John believed that he could achieve a better life by selling Arasaka secrets on the streets. Three nights ago, John was about to sell us some classified intelligence from Arasaka. Unfortunately for both of us, Arasaka was on to him and he never made it to the meeting point. One of our intelligence agents fortunately managed to pull a datashard off of him before he was sent to the morgue, but unfortunately it is encrypted.
You know what you need to do…
The name hints at using John The Ripper to crack the password of the provided ZIP file
I ran the commands zip2john flag.txt.zip > hash.txt and john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt, which gave me the following:
─$ zip2john flag.txt.zip > hash.txt
ver 1.0 efh 5455 efh 7875 flag.txt.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=46, decmplen=34, crc=8E38C5E3 ts=4894 cs=4894 type=0
─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
JOHN13 (flag.txt.zip/flag.txt)
1g 0:00:00:00 DONE (2026-02-21 21:19) 7.692g/s 2174Kp/s 2174Kc/s 2174KC/s bedshaped..7deenero
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
From there we got the password we needed and were able to get the flag.
The flag for this challenge was magpieCTF{j0hnn_1s_s0meth1ng_el5e}
Conclusion
I only had a couple hours to compete Saturday night once I got off work before I had to continue working on some other things, but I still had fun for the few that I solved.
As February was fast approaching, I was waiting for the announcement of the event because I had a lot of fun competing last year and was looking forward to this one.
Great way to end reading week though before getting back to classes!