
Malboro

BitsCTF2026 forensics

The challenge provides an image file, so the first step is to check whether anything is hidden inside it. Running binwalk -e on the file successfully extracts embedded content and reveals two additional files. Running binwalk again on smoke.png does not show any further embedded data, but that does not rule out the presence of hidden information elsewhere in the file.


I then used exiftool to inspect the metadata. In the Author field, I found suspicious data, which I passed into CyberChef for decoding. This led to a website containing tools related to the Malbolge programming language, indicating that the challenge likely involved both hidden data extraction and Malbolge-based decoding.

As an additional check, I ran zsteg on the PNG file. This revealed a decryption note containing a 32-byte XOR key and instructions stating that encrypted.bin had to be decrypted by XORing each byte with the repeating key. The recovered key was:

```
# Marlboro Decryption Key\n# Format: 32-byte XOR key in hexadecimal\nKEY=c7027f5fdeb20dc7308ad4a6999a8a3e069cb5c8111d56904641cd344593b657\n# Usage: XOR each byte of encrypted.bin with key[i % 32]\np"
```

Using that key, I decrypted encrypted.bin with a short Python script that XORs each byte with key[i % 32] and writes the result to decrypted.bin.

```python
from binascii import unhexlify

# 32-byte XOR key recovered from the zsteg note
key_hex = "c7027f5fdeb20dc7308ad4a6999a8a3e069cb5c8111d56904641cd344593b657"
key = unhexlify(key_hex)

with open("encrypted.bin", "rb") as f:
    data = f.read()

# XOR each byte with key[i % 32]; the key repeats over the whole file
out = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

with open("decrypted.bin", "wb") as f:
    f.write(out)
```


After obtaining decrypted.bin, I used the Malbolge tools site identified earlier to analyze the output. This final step revealed the flag.
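Added example, not part of the original writeup: it parses the key out of the zsteg note instead of retyping it, enforces the 32-byte length the note declares, and checks that XOR output is plausibly Malbolge source before it goes to an external tool. The function names, the printable-ASCII heuristic and the sample plaintext are assumptions made for this illustration.

```python
import re

# Note text as zsteg printed it in the writeup (literal "\n" separators kept).
NOTE = (r'# Marlboro Decryption Key\n# Format: 32-byte XOR key in hexadecimal\n'
        r'KEY=c7027f5fdeb20dc7308ad4a6999a8a3e069cb5c8111d56904641cd344593b657\n'
        r'# Usage: XOR each byte of encrypted.bin with key[i % 32]\np"')

def parse_key(note: str, expected_len: int = 32) -> bytes:
    """Pull the KEY= hex value out of the note and enforce its length."""
    m = re.search(r"KEY=([0-9a-fA-F]+)", note)
    if m is None:
        raise ValueError("note has no KEY= field")
    key = bytes.fromhex(m.group(1))  # ValueError on odd-length hex
    if len(key) != expected_len:
        raise ValueError(f"expected {expected_len}-byte key, got {len(key)}")
    return key

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i % len(key)]; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_malbolge(data: bytes) -> bool:
    """Heuristic (assumption): source is only printable ASCII 33..126 or whitespace."""
    return bool(data) and all(33 <= b <= 126 or b in b" \t\r\n" for b in data)

# Constructed stand-in for the plaintext: printable filler, not a real Malbolge
# program and not the challenge data. 40 bytes, so the 32-byte key wraps around.
SAMPLE_PLAIN = b"('&%$#\"!~}|{zyxwvutsrqponmlkjihgfedcba`_"
SAMPLE_CIPHER = xor_repeat(SAMPLE_PLAIN, parse_key(NOTE))

if __name__ == "__main__":
    key = parse_key(NOTE)
    recovered = xor_repeat(SAMPLE_CIPHER, key)
    print("key bytes:", len(key))
    print("ciphertext plausible:", looks_like_malbolge(SAMPLE_CIPHER))
    print("plaintext plausible: ", looks_like_malbolge(recovered))
```

A failed plausibility check on the decrypted output points to a mistyped or truncated key, or to the wrong input file.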
