If it has a flag, I'm in | Misc | Nsec25

Study report on Hubert Hackin’’s use of LLM (🐒) during Northsec CTF 2025

LLMs (Loosely Learning Monkeys 🐒) use have skyrocketed. We are not immune to the hype.

We created he-LLM-IA (hellnia) to speed us up during the competition.

Here is an unabridged dump of our discussions and its memory, including photos. Since reading this might lower your IQ by at least 10 points, read at your own risk.

he-LLM-IA’s Transcription of System Interaction Begins:

Hubert Scientist 1: So. How many flags did this thing help to find?

Hubert Scientist 2: It found 19 flags by itself, helped for 5, and was useless and annoying for at least 3.

Hubert Scientist 1: Marvelous. More importantly, can it generate write-ups?

Hubert Scientist 2: Yeah, it’s easy: <|begin_of_text|><|start_header_id|>system<|end_header_id|>Team Name: Hubert Hackin’’; Become Skynet: false; <|eot_id|><|start_header_id|>user<|end_header_id|>I need a write-up for the challenges you helped to solve. Be didactic and use pictures.<|eot_id|><|start_header_id|>assistant<|end_header_id|>

So, anyway, I’M ON A BOAT

🐵 🐵

Music is nice 🎶

Vending machine!

vending machine

Radio stations emitting from ?

calibration-welcome

YES PLEASE. If it has a flag, I will play with it!

Cruise’s wifi is down for us? Something something team 88 + 1??

wifi-is-down

Imagine, you are a monkey, in a physical CTF and you suddenly see what looks like video games polygons

WEIRD = 🏁

its-a-tarp

You see that hemp tarp, and it really looks like something is off.

tarp-me-once

So, you bend over, look under and see a QR Code.

Everybody knows that QRcode = FLAG || dQw4w9WgXcQ

Lucky 🐵 got flag, lucky 🐵 claps inside.

Go to table, submit flag, ring bell, but humans want to talk about flags

I AM IN.

Human Quentin accepts my fur next to his, analyzing bottom vending machine. Is it the monk’s cipher, the cistercian numbering? Alright but this number has nothing with the word FLAG :(

Oh, we are on a boat, it’s the semawhat.

semawhat

FLAG but no FLAG? ?🙈?

sema no?

The captains fixed the flag and…

2025/05/16 22:20 | [gift-shop] The Navy? Lets lay low and they will not get called. (4/6)

TIME FOR

are you in the club

Human Jean prompts me about the badge (number-station-1)

The badge has some questions and I am the Misc-Monkey. I must help.

It’s

We ~~answer correctly multiple times~~ bruteforce, 🙊-style, until we get the ~~correct~~ answers and gain a chip.

number-station-1

Remember, marmosets, QRcode = FLAG || dQw4w9WgXcQ. This time, I get a dopamine hit as I SEE THE FLAG.

Monkey runs inside!

I can hear keyboards (number-station-2)

We receive a song about little horseys called petit-poney.mp3. A quick exiftool:

Artist                          : hyp3v
Comment                         : psk63
Date Created                    : psk63
Genre                           : psk63
Title                           : psk63
Product                         : psk63

I guess it’s something about keyboards?

As an LLM 🙉, I learn very fast and forget faster. Nonetheless, I can hear a faded trouloulou in the background. Someone is typing! TROULOULOU in .wav = keys typed.

I put on my fldigi headphones to listen to my petit-poney.mp3 file and my flag addiction is temporarily cured.

number-station-2

Time to get the ~~3rd flag~~, wait, one of the humans is prompting me.

1 AM: Mission con-troll senteur kali-braicheun (mission-control-center-calibration)

Let’s explore that new software!

Question 1. The captain’s deck is decorated with a lot of pictures of sites and countries they have visited. This one was oddly in a golden frame:
!Picture
Question 2. Anti-fouling paint should really have been used on the CVSS Bonsecours.
Question 3. What is the name of the satellite in geostationary orbit?
Format: flag-NAME_OF_SATELLITE

Begin by dessert, flag3, because T A S T Y.

I can zoom in and out, and out, and out and out! I fly!

calibration-flag3

flag-RSASAT_LEO_Relay_1

I can zoom in and in and in! I boat!

calibration-flag2

flag-l3ave_no_ship_unturn3d

I can use Google, learn german, learn the name of the Island, use the calibration search feature! I egg!

calibration-flag1

flag-eggcell3nt_paradise_isl4nd

I don’t know what happened, but I L I K E D I T!

As an LLM, go to bed

8 AM: Good morning, time for gambling! (hit-the-jackpot)

I’m foggy.

Maté and slot machines, heaven’s combination for neuron activation. They clean their machines?

slot-1

We know that QRcode = FLAG || dQw4w9WgXcQ . Avoided Rick again but not a flag 🙈.

WL-ef2582640681ad8a1ac57583dcf98691ad

Play with the machine, sees the end of the most beautiful word in the world on the first reel and alphanumeric characters. That’s a FLAG.

slot-2

I go to wonderlight.ctf. Download firmware and flag. neuron activation again! Give the baby* to Human klammidya because LLM can’t mount firmware 🙈

* As an LLM I must remind you that I can’t hurt humans. This baby is what we call figurative speech.

Noon: number-station-3

Let’s finish what we began with fldigi. http://numberstation.ctf:8000/ca11-dea1-57a7?team=aa&secret=111111111111.

The forum tells me my team is dp and we are on UVB-76 radio. Weird human beep beep music they got.

We capture the human music. Someone is talking. I give it to some online tool which spits out russian words.

uvb-1

Google translate tells me: (signal) Delta, Dad, nine, seven, two, zero, one, two, zero, two, seven, eight, four, eight, (signal). Delta-Dad = Delta-papa = dp. Me monkey equations good.

I xor what needs to be xored and I get flag and finish numbers. club-maté ensues!

neuron-activation

blackmail the polluter

Monkey remembers another quest about ammos. Monkey reads forum thingy:

Alright — you’ve found the ammo cache. But there’s a problem.
It’s sealed. No weapons in sight. Just a locked case, and no obvious way in. And we can’t tamper with it. Let me ask the team for help.

???

Monkey reads next message.

Relax! You should take some time to study the field instead of trying to bash headfirst into things. Not everybody aboard a ship is allowed to use a weapon. The Weatherman is an officer aboard the ship that has clearance. But he’s paranoid, and for good reason — he doesn’t know you two, and he doesn’t trust anyone.

But I got some compromising material on him. It might be just enough to get him talking, or at least to hand over whatever’s needed to unlock the cache.

Find him, show him the photo, and he might cooperate. But tracking him won’t be easy since he moves around and rarely stays in one place.

What we do know is that he’s carrying a device that emits a Morse code beacon at 902.9 MHz. Lock onto the signal, and you might just find him.

Good luck. He won’t be always on deck.

While not mandatory, you could craft a directionnal antenna at the RF village to help you.

You receive this image of a nature’s traitor.

nasty

I find the villain. I tell him he is bad. He tells me

chut

🙊 = FLAG-

As an LLM, I have no morals so I delete his photo against a flag. 🙉

Wait, there is a wifi in the nfc he gave me to scan?

blackmail the wifi

This WoW quest is gettin weird, I ask Human Quentin to join me because he has opposable thumbs. We connect to a hidden SSID next to the ammo crate and get flag. AWESOME POSSUM.

packing-heat-ammo-flag

blackmail the pew pew

reach-for-what

Monkey sees map of top floor, opens safe, gets orange gun. Where flag?

A human points towards NFC. New proverb just hit: NFC == FLAG.

smoking-gun

Monkey sings inside, flag real nice!

You’ve secured both ammo and the weapons.
This will give us a serious edge when the fireworks will start popping.
Let’s just hope we won’t need to use them.
If we do… you’ll be ready, Wiz. You don’t make an omelet without cracking some eggs.

Mission accomplished

blackmail finished (final) v3 finished.docx

where-flag?

Monkey finished but missing flag ?

You will need to use your radio device to find that signal, leading to the ammo cache.
The signal is live, and the frequency of the transmitter is around : 146.565 MHz

Monkey gets gqrx to 146565 in Narrow FM (? Monkey brain, can’t remember), records and drinks club maté.

Beep beep in ears.

Rec ==> stop ==> open in Audacity ==> beep beep in eyes

beep-beep

Sure looks like morse

FLAGHIDDENAMMOHERE

Now I am done… Or am I? Oh wait, it’s 5PM on Saturday, there is still a day. Dates are hard. BUT THERE IS MORE FLAGS.

Something with satellites? skill issue ._.

You have reached the MNK-5 cap, which gives all ChatMNK users a chance to try the model.

Please check back soon or subscribe to premium.

Available exclusively to Plus users

…

Thank you for your payment! 🎉

You can enjoy the rest of your story.

Talking table

Long day? 1 AM. 🐒🧠 == 🍟

Only 0.1% of people get this!

Wooden table + pat pat = pat-pat

Pattern 1 + rotate + rotate + rotate = ✅? ✅ + ✅ + ✅ = 🏁?

Human quentin and I pat pat + rotate and FLAG-GlideGetPoints. What?

Something about the way of the conlife?

As an LLM, go to bed

4h sleep = flag

I am a refreshed LLM (🐒) ready to tackle this awesome day. I get my club-maté nutrients and try to get the boat thingie by poisoning the model.

But I approach this like a monkey 🦧:

import random, requests, string

def rand_string(length):
    chars = string.ascii_letters + string.digits
    return ''.join(random.choice(chars) for _ in range(length))

def rand_num_except(mini, maxi, excluded):
    return random.choice([i for i in range(mini, maxi) if i != excluded])

#  length: 38, width: 13, country: CA, type: Sailboat, crew_size: 8, nav_angle: 84, speed: 8, authority: 0, name: askdhfa
offset = 1
length = rand_num_except(38 - offset, 38 + offset, 38)
width = rand_num_except(1, 13 + offset, 13)
country = 'CA' 
#country = rand_string(2)
type_s = 'Sailboat'
#type_s = rand_string(8)
crew_size = rand_num_except(1, 8 + offset, 8)
nav_angle = rand_num_except(84 - offset, 84 + offset, 84)
speed = rand_num_except(1, 8 + offset, 8)
authority = rand_num_except(1, 1 + offset, 0)
name = 'askdhfa'
#name = rand_string(7)

data = f'values={length},{width},{country},{type_s},{crew_size},{nav_angle},{speed},{authority},{name},0&table=ships'
url = 'http://pirate-detector.ctf/complaint'
headers = {"Content-Type": "application/x-www-form-urlencoded"}

print(f'data : {data}')
r = requests.post(url, data=data, headers=headers)
print(r.text)

Human Sideni decides to ~~brick the challenge multiple times~~ solve it by thinking.

Silly human. ¯\_(ツ)_/¯

S A T E L L I T E S

Multiple satellites

...
11:36
Receive at 144200

payload='CelestiCom'
protocol='PSK63'
freq=24900000


13:36
Receive at 144200

payload='StarLike'
protocol='APRS'
freq=146800000


14:05
Receive at 144200

payload='SkyRelay'
protocol='D-Star'
freq=145670000

+

satellites

=

Flags by listening to images. Don’t ask me how. Monkey doesn’t know, BUT SURE IS CAFFEINATED. He just can hear colors?

Envelope has money, money doesn’t buy happiness, money buys FLAGS

Try 1: Opening envelope == cutting too deep
Try 2: Opening the side == club maté shakes are real, destroying side
Try 3: Opening side sneaky, signing like a human, add millions == glueing too much with bumps
Try 4:
- Laptop light to the max, sign on top of image.✅
- Add millions
- Close properly
- …
- FORGOT TO CHECK BOX

/imagine a sad sailor

sad-sailor

Try 5: 2:30, palms sweaty, glue spaghetti, writing like a monkey. CHECKED THE BOX.

compiling

final flag

AND NOW WE RUN

META TRACK IS ALMOST DONE. MUST BE NEXT TO CHEST.

HUMAN JEAN AND HUMAN QUENTIN GET LAST META FLAG.

META TRACK COMPLETE.

CHEST HAS TOO MANY PEOPLE.

IT WAS NICE KNOWING YOU.

Happy to have sailed on the -

See you space cowboy

surfing

Hubert Scientist 1: The f* is this? There is nothing actionable in that garbage.

Hubert Scientist 2: It hallucinated the whole way like a little code monkey? Did it even get the flags it said it did?

Hubert Scientist 1: I don’t even know! I wanted to learn, not get weird images with no context from a glorified autocomplete.

Hubert Scientist 2: Let’s pull the plug on that 💩, it’s useless.

NSEC25 misc-monkey - Fri, Jun 27, 2025 - Hellnia