I had a little time on hand and happened to see a new challenge that came out this month. Time to get my hands dirty again.. 😄

Introduction

Software Engineering and Cyber Security Mini Challenge
This year's National Day parade will dazzle the nation with a breathtaking synchronized fountain and holographic light show, orchestrated by a cutting-edge control platform. Unbeknownst to the public, a shadowy hacktivist group has infiltrated this advanced system, fracturing it digitally and scattering the keys to its restoration.

There's a total of 4 challenges to solve.

Challenge 1

Challenge 1

The hint for this first challenge is pretty obvious: Look for magnifying glass on this page.

Since the magnifying glass is no where visible on the page, let's open up our developer tools and inspect the code. I couldn't find any elements with "magnifying" and "glass" keyword in the HTML/JS code. I then proceed to search for clues in the Network portion. Then I saw the following API JSON response:

An Magnifying Glass icon is used instead of alphabet.

I tried searching on the web page and voila!

Magnifying glass found! 🔍

Click the icon and you will head to the challenge site:

Challenge 1 Page

Challenge 1 - Objectives

A challenge to test git skills!

The starting git tree on local repository (on the left) and the remote repository (on the right) is shown as follows:

Challenge 1 - Starting point

The goal is also given in the challenge and it should look like this:

Challenge 1 - Goal to Reach

It's said that the final tree for main branch should look like the order below.

  • c0 > c1 > c7 > c4 > c5 > c6 > c2 > c3 > c9

We can reach the final goal with the following commands:

# Rebase dev2 branch to move under c7 (main) commit.
git rebase c7 dev2
# Rebase dev1 branch to move under c6' (dev2) commit 
git rebase dev1 dev2
# Switch to main branch
git checkout main
# Reset main branch HEAD back to c7 to remove the bad commit c8 from history
git reset c7
# Rebase main branch onto c3' (dev1) commit
git rebase c3'
# Re-add the correct commit C9 back into the new main
git cherry-pick c9
# Force push to remote
git push --force

You should get the following git tree before you push:

Challenge 1 - Prior to remote push

And with that.. we solved the first challenge!

Flag: CSIT{EWP@YAL3BARSTA7I0N}

Challenge 2

Challenge 2

Using the same developer tools method, we found the entry point to the second challenge.

Icon: 🌱
An old language echoes in bursts and beeps — one speaks in dots and dashes, the other through numbered keys. From fading tones and rhythmic clicks, two paths emerge. Only when their voices unite does the message come alive.

The hint seems to signal there's 2 language:

  • dots and dashes – seems to point to morse code
  • numbered keys – phone tone.. DTMF?

The seedling icon downloaded a file named challenge2.txt. When opened with textedit on mac, the first two byte is "PK", which seems to point to ZIP file which normally have this, as the initials of the creator.

First Two Bytes: PK

Renaming to .zip, we can then uncompress the archive and get the following items:

2 wav files and 1 README

The details of the flag is shown in the README.txt:

CSIT{FLAG1FLAG2}
Additional Hints in README.txt

We will try decode the morse code first using this tool at https://morsefm.com/.

FLAG2: H@LLS7AT10N

We will next try to decode DTMF with this tool at https://dtmf.netlify.app/.

Seems like we need to decode further..

We will try to decode further with Multi-Tap Decoder (SMS T9) with this tool at https://www.dcode.fr/multitap-abc-cipher.

FLAG1: NSCITY

Thus, the final flag for challenge 2 is CSIT{NSCITYH@LLS7AT10N}.

Challenge 3

Challenge 3

Using the same method, the icon now is a padlock.

Icon: 🔒

Clicking the padlock icon will bring you to the Challenge 3 site:

To find the flag, we have to analyze the hint again..

A broken gate where shadows creep, With secrets that the source code keep. Gather the crumbs, the token's soul, To prove your worth and take control.

Firing up my developer tools again, I found some further hints in the console.

  • Secret key for JWT validation: csit-mini-challenge-2025-jwt-secret-key
  • Check the cookies for JWT structure example
  • Create a JWT with the correct name and organization
  • Use jwt.io to construct your token
Challenge 3: Hints in Console

Going into Application tab in my developer tools, i inspect all the cookies stored and get the JWT token sample:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiIiwiZmFtaWx5IjoiIiwiYWdlX2F0X3Jlc2N1ZSI6IiIsImRhdGVfb2ZfcmVzY3VlIjoiIiwiaW5jaWRlbnRfbG9jYXRpb24iOiIiLCJyZXNjdWVyX25hbWUiOiIiLCJpYXQiOjE3NTUyODU2OTcsImV4cCI6MTc1NTM3MjA5N30.9rI5lzqwRX5upPbAxCamZub_C1LGf8p7EoqONTikg08
Challenge 3: JWT Sample

Since we already have the secret key above and the JWT sample, we try to decode the token with https://www.jwt.io/.

Challenge 3: Decoded Payload

Now, let's go back to the cookies to populate the payload. Make sure you select URL decoded. We will get the following payload:

{
  "name": "Toby",
  "family": "Marina 9 pack",
  "age_at_rescue": "6 weeks",
  "date_of_rescue": "9 May 2016",
  "incident_location": "Canal near Fort Road",
  "rescuer_name": "Patrick Ng",
  "iat": 1755285697,
  "exp": 1755372097
}

Using a JWT encoder tool at https://www.jwt.io/, you will get the following token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiVG9ieSIsImZhbWlseSI6Ik1hcmluYSA5IHBhY2siLCJhZ2VfYXRfcmVzY3VlIjoiNiB3ZWVrcyIsImRhdGVfb2ZfcmVzY3VlIjoiOSBNYXkgMjAxNiIsImluY2lkZW50X2xvY2F0aW9uIjoiQ2FuYWwgbmVhciBGb3J0IFJvYWQiLCJyZXNjdWVyX25hbWUiOiJQYXRyaWNrIE5nIiwiaWF0IjoxNzU1Mjg1Njk3LCJleHAiOjE3NTUzNzIwOTd9.NDYHuUf1W9BT0f5iw3TLYmn_FFiUVhrtOz899bBQIuE
Challenge 3: JWT Token

And we have the flag!

CSIT{NSW0ODL@ND5ST@T1ON}

Final Mission - Challenge 4

Challenge 4

For better viewing of the map, I included the original image instead of the screenshot here.

Challenge 4 - System Map

Hint:

The map may look familiar, but something's off. Perhaps the truth lies in how it's presented, not just what it shows. (Look for... there's nth to look for on this page)

I enlarged the map and found a QR code with "Hint Scan Me" written on it.

Challenge 4 - QR Code

By using a web tool at https://scanqr.org/ to scan the QR code, I get the following URL:

Challenge 4 - Hint https://aug-2025-mini-challenge.csit-events.sg/challenge4/api/challenge-four-hint

Opening the URL, I get the following hint:

Each of these flags you have obtained has more than one significance.
Use the map and combine them to form a significant day to Singapore (format: DD-MM-YY).

To complete this challenge, use the following flag format:
CSIT{STATIONCODE1-STATIONCODE2-STATIONCODE3}

Note: Each STATIONCODE format is as such XX00.
Hence, your flag should be something like: CSIT{XX00-XX00-XX00}
Flag Format: CSIT{STATIONCODE1-STATIONCODE2-STATIONCODE3}

Let's look back at our flags for the past 3 challenges:

Challenge No. Flag MRT Station Station Code
1 CSIT{EWP@YAL3BARSTA7I0N} East-West Line Paya Lebar Station EW8
2 CSIT{NSCITYH@LLS7AT10N} North-South Line City Hall Station NS25
3 CSIT{NSW0ODL@ND5ST@T1ON} North-South Line Woodlands Station NS9

With that, we can get our final flag:

CSIT{NS09-EW08-NS25}

Challenge Completed

CSIT Mini-Challenge - Aug 2025
CIST Mini Challenge Badge - Aug 2025

Final Thoughts

I think this particular challenge is too easy as compared to the past. I spent a total of 4 hours in total navigating through the 4 challenges with breaks within. I'm definitely looking forward to TISC 2025 this year.