## Big Bird – Scripting [Original Writeup is easier to read imo :)](https://lawfulwaffle.com/2020/06/13/nahamcon-ctf-writeups/#big-bird) This challenge was my favorite for two reasons: I finished it just before the CTF ended, and it was the only scripting challenge I completed (darn you, _Really Powerful Gnomes_!) The challenge linked you to a Twitter page that had posts in this format: ![bigbird-twitter-posts](https://lawfulwaffle.com/wp- content/uploads/2020/06/bigbird-twitter.png) The simplest way to start was to get all of those tweets in order. Luckily, there’s a dead-simple command line utility called [GetOldTweets3](https://github.com/Mottl/GetOldTweets3) for scraping Twitter pages The first command got all the tweets into a CSV. The second one ordered the tweets by first number and only kept the last number. > ` $ GetOldTweets3 --username "BigBird01558595" --since 2020-05-30 ` > ` $ cut -d',' -f 7 output_got.csv | tr -d '"' | tr -d '#' | sort -n -t' ' -k2 | cut -d' ' -f 3 > ordered.txt ` I think the hardest part for me was figuring out what the numbers meant. ![](https://lawfulwaffle.com/wp-content/uploads/2020/06/ordered-head.png) \- 137 was too high to be ASCII, so I initially ruled it out. Then I realized that decimal numbers 80, 78, and 71 were the letters PNG. AHA! It’s an image file! \- I was able to confirm this by checking that 137 is 89 in hex. All PNG files start with 0x89, the letters PNG (0x80 0x78 0x71), and [four more bytes](http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html). The following python snippet turned the decimal numbers into one long string of bytes represented in hex. ``` #!/usr/bin/python3 s = [] with open("decimals.txt") as f: for line in f: l = line.strip() s.append(hex(int(l))) raw_bytes="" for num in s: byte = num.split('x')[1] if len(byte) == 1: raw_bytes += "0" + byte else: raw_bytes += byte print(raw_bytes) ``` \- I output that raw hexdump to a text file and ran `xxd -r -p` on it to revert the hex characters to actual bytes. This gave me an actual image! Throwing that into a QR code reader gave me the flag: `flag{big_bird_tweets_big_tweets}` Original writeup (https://lawfulwaffle.com/2020/06/13/nahamcon-ctf- writeups/#big-bird).