Description
“I’ve seen a bit of hype around today’s Flash CTF on Bluesky, I wonder if any of that hype comes with its own secrets…”
TL;DR
The secret lives in a Bluesky reply that looks like normal text but uses Unicode lookalikes (homoglyphs) to embed a secret message. If you treat all the non-ascii characters as a binary 1, and ascii characters as 0s,, read the result as binary, and you get the flag.
Finding the right post
The challenge points to Bluesky and “hype” around the Flash CTF, so the first step is to find where that hype actually is.
Starting on Bluesky, search for “flash ctf”. That surfaces MetaCTF’s account and a bunch of related posts (and some other results you can ignore for this challenge).
From there you should go to @metactf.bsky.social and scroll through their profile.
One post stands out: “We may or may not have hidden something special in tomorrow’s Flash CTF 🤔” with the signup link for the event. That’s a pretty clear nudge that something is hidden in the hype. i.e. in the posts or replies themselves, not just in the CTF platform.
So the next step is to see who was talking about the Flash CTF and whether any of those posts look “off.”
The suspicious reply
Under that same MetaCTF post there’s a reply from @shayden1337.bsky.social (the author of the challenge and Head of Content at Skillbit/MetaCTF) that’s basically hype + a hint:
The reply says “I can’t wait for tomorrow’s Flash CTF! I spent quite a while on the challenges, I hope that they’ll switch your brain on just like transistors! If you read this message very carefully, maybe you’ll even discover something…”, but the characters look off.
“Read this message very carefully” and “discover something” are strong hints that the text itself carries the secret. So the content of that reply is the blob we care about.
What’s actually in the message?
On the surface it’s plain English. The trick is that not every character is what it looks like. A lot of Unicode code points look identical to ASCII (e.g. Cyrillic а vs Latin a, or special apostrophes and spaces). So the message can look almost normal in the Bluesky UI while actually being a mix of real ASCII and these lookalikes.
If you copy the reply into an editor or script that distinguishes Unicode, you can see which characters are “weird.” For example, in an editor that doesn’t have glyphs for every codepoint, some of them show up as boxes or replacement characters. In the screenshot below, those are highlighted so you can see where the non-ASCII characters sit in the stream.
So we have a long string of characters. Some are normal printable ASCII, some are Unicode lookalikes. That’s the structure we need for the next step.
Decoding the flag
The encoding scheme is binary in disguise:
- Printable ASCII character → bit 0
- Anything else (e.g. homoglyph / special Unicode) → bit 1
Walk through the message left to right, output a 0 or 1 for each character, then interpret that string as big-endian 8-bit bytes (first 8 bits = first byte, etc.). Decode those bytes as UTF-8 (or plain ASCII for this flag) and you get the flag.
So the solve is:
- Get the exact text of the reply (copy from Bluesky or use the same string from the challenge if it’s provided).
- For each character: if it’s in
string.printable(or your language’s equivalent), emit'0', else emit'1'. - Chunk the resulting bit string into groups of 8.
- Convert each 8-bit chunk to a byte, then decode the byte sequence as text.
Example in Python:
import string
ENCODED_MESSAGE = "..." # paste the full reply text here
decoded_message = ""
for char in ENCODED_MESSAGE:
decoded_message += '0' if char in string.printable else '1'
binary_chunks = [decoded_message[i:i+8] for i in range(0, len(decoded_message), 8)]
restored = ''.join(chr(int(chunk, 2)) for chunk in binary_chunks)
print(restored)
Run that and you get: MetaCTF{fl4g_induc1ng_hyp3!}