Ramblings of a Tampa engineer
https://bsidestampa.net (Year 13)

As May 16, 2026 came to an end, another BSides Tampa conference had ended. This continued the growth path of more attendees, more staff and an even more streamlined logistical process. The ISC2 Tampa Chapter organizes this event each year and continues to set the bar higher year after year.

After blogging about the badge solution last year (2025) I set off this year to attend the intro and get to work cracking the badge in a race for first. I was declined like the previous year on my proposal to speak, so while I was sad again I had a chance to have no interruptions and just solve this puzzle.

My journey of attending an intro & closing, a few expo hall visits, lunch and puzzle solving is not the only way to experience a BSides event. I had my eyes set on racing on a puzzle and wanted to see if my skills could still compete with an increasingly smarter pool of individuals attending. I took this year for the badge, but next year might have to re-balance with talks, keynotes, villages and more.

I don't think two is a pattern yet, but much like last year here is my breakdown and solves of the 2026 BSides Tampa badge challenge. I failed to complete the CTF prior to the end of the event, getting stuck on the 10th challenge, which was funnily enough solved within 10 minutes of getting home.

It indeed was way more difficult than the year prior.


Spoilers ahead. Do not read if you wish to solve the 2026 badge CTF on your own.
BSides Tampa 2026 Badge & Lanyard

As I obtained my badge I sat down and got to work examining everything around the lanyard and badge seeing it full of a cryptic language I did not understand. I opened two markdown files for the lanyard and badge itself and got to work recording everything.

I found my Google Pixel here was incredibly helpful as I could take a photo - run the lens feature and make text clickable, but not the foreign looking glyphs. The speed boost of leveraging Google Lens got me text way quicker than manually typing.

The phrase on the lanyard was the key to understanding the badge with base64 hiding the plaintext.

dGhlIGN1cnNlZCBjb2luIHNwZWFrcy4gdGhl IGxhbmd1YWdlIGlzIGFuY2llbnQgaHlsaWFu
// the cursed coin speaks. the language is ancient hylian

A few other messages were hidden on here, like "xxx was here" and things to keep it fun. Once I pivoted my focus to the badge itself it was full of different forms of text.

  • dW5sdWNreQo= -> (base64) -> unlucky
  • MTMK -> (base64) -> 13
  • oernx gur phefr -> (rot 13) -> break the curse
  • {F4<:D?@E24@?EC@= -> unknown

The outside of the badge in a circle had the writing "05.16 2026 ????? ????????? PARTICIPANT ?????????? ???" I could not find a unicode representation of these characters, but thankfully the hint led us straight to the alphabet in use. This was ancient Hylian which is a shout out to the game of Zelda.

A sort of made up video game language lends itself to not having an official unicode point thwarting some of today's LLM powers. A quick Google search with images of "Ancient Hylian Alphabet" and I was just looking to match some of the symbols I saw on the badge.

As I looked at the badge more closely I knew I had a group of 5 characters and 3, which I guessed immediately would probably represent https and com for a website address.

https://25.media.tumblr.com/tumblr_m3b49xDtUm1qjldmuo1_500.png

As I scanned Google images I stumbled upon this image above which matched immediately with the character associated with h and I knew immediately this would be my key to the puzzle. I sat looking at a symbol then the image above to draw out the message.

The message and thus domain slowly started piecing together as:

https://unlucky13[dot]notmalware[dot]fyi

Which is where the real challenge was to begin once I landed on the site.

The home page of the BSides Tampa 2026 Badge CTF

Examining the HTML source of this to make sense of some of the gibberish below led to this HTML.

      <a href="./CHA1LENGE.html">CHA1LENGE</a>
      <a href="./2HALLENGE.html">2HALLENGE</a>
      <a href="./CHALL3NGE.html">CHALL3NGE</a>
      <a href="./CH4LLENGE.html">CH4LLENGE</a>
      <a href="./CHALLE5GE.html">CHALLE5GE</a>
      <a href="./CHALLEN6E.html">CHALLEN6E</a>
      <a href="./CHAL7ENGE.html">CHAL7ENGE</a>
      <a href="./C8ALLENGE.html">C8ALLENGE</a>
      <a href="./CHALLENG9.html">CHALLENG9</a>
      <br/><br/><br/>
      <a href="./CHALLENGE.html">C̵͓̯̭͐H̸̼̗̠̰̩̀͛̈́͂̿A̴̗̽̃̒͗L̶̪̬̋ͅL̸̘̼͗̀ͅÈ̸̡̎N̶̝̩̝͓̆͑̈́G̷̤̻̾͊̈́È̶͔̤̱̔͊</a>
      <a href="./284173569.html">2̶̬̲͓̻͆̌̽̄͊̂̍8̴̛͕͖̗̲͆͒̂̓̃̈́͆́̕4̵̛͈̱̺̦̠̱̻̹̺̋̅̍̀̉̈́͋̆̽͆1̶̟̼̰̺͒̔̽͠7̴̨͖̜͔̯̩̱̺̈̌̃̾̐̊͛̚̕͝3̴̮͚͕̲̗̝͇̣͌̂̑͒̂̒̒͘͠5̶̢̡̟͍̪͇̩̩͙̿͂́͗͐́̇6̶̡̣̗͉̖̝͖̦̳̩͖̀̑̀̅9̷̡̟͉̩̜̰̯͚̦͔̽̉͋́̂̍͗̎̚̚͠</a>
      <!-- <a href="./CHALLENGE13.html">CHALLENGE13</a> -->

Source from home page.

This was my 2nd year doing the badge challenge and I recognized the design from the previous year. This was great, because I immediately knew not to waste time looking at the 404 page or the css because it was roughly the same as the previous year.

It looked like we had 1 through 9 ordered challenges, then two below and a hidden 13th challenge. It made me nervous that a 12th challenge was missing, but I'll be corrected if there was. I quickly made a markdown file for each one, posted the URL in each and got to work on each one.

Thanks to Charlton & Eaton who joined me towards the last few questions and helped out with suggestions & hints.


Challenge 1 (CHA1LENGE - "glyphs")

Puzzle 1

The hint followed the previous year with the top of the website showing the URL to visit with how many characters were expected. We had 11 glyphs and 11 expected characters so we were looking for the translation of this image.

This is where the call out on the challenge of "Be careful using AI on this one. It may hurt more than it helps." started really making sense. As I opened this image in its own tab it was a massive ~6000 pixels wide and looked like it was hand drawn. I was guessing that someone must have manually redrawn a language/cipher away from known glyphs to slow down an LLM.

The glyphs all seem to involve angles and plenty of perfect right angles. So after a tip from Charlton of "right angle ciphers" I started with basic Google searching of "glyph/cipher with right angles". The annoying, but sometimes helpful Google AI popped up suggesting the Pigpen Cipher.

https://www.boxentriq.com/alphabets/pigpen-cipher

Initially, I was reluctant to trust this cipher because the symbols didn't truly match up to the image and there was one symbol I couldn't place. I remembered back to a Cicada 3301 solve I blogged about where misleading markers were introduced to a puzzle from 20 years ago to thwart automation. Once I started just letting my brain roughly match up the structure of the image with the Pigpen Cipher I knew I was on the right path as the word "Crypt" came into existence.

I ended with cryptglyph which was missing a single letter and thus failed on every submission. That weird symbol I couldn't place must have been a letter and the only letter that really made sense was o to make cryptoglyph.

BSides 2026 Badge "Success" Page

The page would return an HTTP 200 and a nice success message, so I knew I had to solve each puzzle and associate each puzzle with the solution and email out the answer to the email discovered in Challenge 13.


Challenge 2 (2HALLENGE - "emojis")

Puzzle 2

Puzzle 2 looked like a breath of fresh air, because this new pattern of talking in emojis or coding in emojis has been a new trend going around. I researched "emoji decoder" and landed on the base100 decoder.

https://www.boxentriq.com/encodings/base100-decoder

That one was quick and I knew that 🐺👩👰👧👫👜👯🐼👦👥 equaled CryptexEon, but to my surprise it didn't work in the URL. This wasn't a real word that I could see and I retried a different site for base-100 and came up with the same result. I lowered the entire string (cryptexeon) and it worked! I was now nervous knowing the answer was case sensitive for submission.


Challenge 3 (CHALL3NGE - "js pass")

Puzzle 3

My favorite type of puzzle arrived on the 3rd which looked like a client side password check. Sure enough you could find the code for the password check in plaintext in the JavaScript.

const encoded = "ZXJpb21pcmdhdGFk";
const transformed = btoa(input.split("").reverse().join(""));

if (transformed === encoded) {
  resultEl.textContent = "Access Granted";
}

Web developers will recognize the pair of btoa and atob anywhere: btoa ("binary to ASCII") base64-encodes a string and atob decodes it. Above you can tell our input is split into an array (each character alone), so it can be reversed then joined back to a string before being encoded. So we just wanted to reverse that.

atob("ZXJpb21pcmdhdGFk").split("").reverse().join("")
// datagrimoire

Since the input was passed into btoa, we had to first reverse btoa with atob and then reverse the reversed text. Sure enough after execution we had datagrimoire and a successful URL entry.


Challenge 4 (CH4LLENGE - "fonts")

Puzzle 4

The 4th puzzle had the phrase "TRUST NOTHING" in backward text, but oddly when you copied and pasted it, it was the exact spelling. This meant we had to have a custom font in play and sure enough I found it imported at the top.

@font-face {
 font-family: "ctfFont";
 src: url("/fonts/CTF.woff2");
}
      
.clue {
 font-family: "ctfFont";
} 

I was excited for a bit that the font name was Clarxndon which was 9 characters, but alas it was not the answer. I downloaded that custom font and loaded it into FontDrop to visualize all the characters in the font.

I spent far longer than I'd like to admit just looking at this image above. I saw FELAG() and I thought that was a hint that the flag was in between the parenthesis, but the value wasn't enough characters. With the phrase getting closer at the bottom, but my glyphs on top it was introducing some confusion to me.

Switching between puzzles and returning I realized it was quite obvious. Just move the E from FELAG to spell out FLAG(NECRYOBYTE). It took a bit knowing the answer was case sensitive, but ended with NecroByte as the answer.


Challenge 5 (CHALLE5GE - "lyrics")

Puzzle 5

This was an interesting puzzle because it had a 404 spammed in the console and I couldn't tell if it was a bug or part of the puzzle. This lyrics.txt file did not exist, but maybe it was intentional to draw my attention to the lyrics.

fetch("./lyrics.txt")
 .then(r => r.text())
 .then(text => {
  document.querySelector(".bg").content = text;
});

This led me to noticing the background text changed. I lightened up the CSS and sure enough it was the lyrics to the famous "rick roll" song.

Background removed to see the CSS.

Immediately from prior experience I remember doing a Cicada 3301 puzzle (Part 1 Extra) that required me to use the numbers as indexes to pluck characters within the lyrics of the song. With a bunch of numbers given to me I figured this would be the same type of solve.

I asked AI how to get the value of a style property and got the numbers in an array with 2 lines.

const nums = [32,254,23,73,65,89,226,162,15,41];
const raw = getComputedStyle(document.documentElement).getPropertyValue('--lyrics');

So I tried to iterate the numbers from the website looking for the value at the index of the number. Basically for the 1st one - what is the 32nd character in the lyrics.

console.log(nums.map(n => raw[n]).join(''));

This produced gibberish, so I dumped the lyrics variable and saw a bunch of spaces and quotes that probably were not intended. So a quick trim and a command to remove the trailing and beginning double quote led to.

const trimmed = raw.trim().slice(1, -1);
console.log(nums.map(n => trimmed[n]).join(''));
// neoncipheu

That dumped out a value that looked real, but didn't work. Once again this was probably intentional and required a human to just look at the value and swap it to neoncipher which looked real. I'm guessing all these tricks were to prevent an LLM from just hammering solutions and looking for a non-404. As it would hit this result and 404 and probably think nothing of it.


Challenge 6 (CHALLEN6E - "ciphers")

Puzzle 6

This challenge was funny, because I sure clicked the link and some countdown began and then redirected me to the YouTube video you'd expect. I inspected the HTML to see what this link did and spotted a hint.

<div class="clue">
 <div id="dont" onclick="dontdoit()">DO NOT CLICK THIS</div>
 <div id="hiddenClue" style="display: none;">
  krqbPbanA
 </div>
</div>

This value had special casing and didn't really spell anything, so it was off to the classic ROT website that does every single ROT rotation (0-25) at once. Rotation ciphers have been heavily used in previous Tampa BSides puzzles and don't require a key so always a possibility.

ROT-13: xedoConaN

https://theblob.org/rot.cgi?text=krqbPbanA

Knowing this was the 13th BSides Tampa - ROT-13 seemed like it smelled Conan at the end, but the front didn't make much sense. Though looking at it backwards looked like Nano, so a quick rev command answered this one.

➜ echo "xedoConaN" | rev
NanoCodex

Challenge 7 (CHAL7ENGE - "polybius")

Puzzle 7

Puzzle 7 is when things started to slow down as I was presented with these blobs that didn't immediately click as anything.

<div class="clue-larger" style="padding-top: 75px;">
 <!-- censorship sucks, amirite!? -->
 █|█   ████|██   █|███   █|█   ███|███   █|█████ <br>
 █████|█   █|█████   █|███   ████|████   ███|████   ████|██
</div>

The more I looked though the more I realized each group of boxes surrounding a pipe character had a different number of boxes on each side. The fewest I saw was 1 box and 5 at the most. This reminded me of a 5x5 grid, which has been used in Cicada 3301 puzzles in the past. I couldn't remember what it was called, but searching for "coordinate cipher 5x5" immediately loaded the "Polybius Square Cipher".

  1 2 3 4 5
1 A B C D E
2 F G H I K
3 L M N O P
4 Q R S T U
5 V W X Y Z

So I counted each line:

  • Line 1 - 1,1 4,2 1,3 1,1 3,3 1,5
  • Line 2 - 5,1 1,5 1,3 4,4 3,4 4,2

I then started the boring process of finding 1,1 on the grid (A), then 4,2 (R) and a phrase started appearing of arcanevector.

Capitalization struck again and I needed to format it as ArcaneVector to be accepted.
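
The manual count above can be automated. This is an added example, not code from the original post or the CTF: it counts the blocks on each side of every pipe in the clue and looks the pair up in the square, reading it both as row,column and as column,row since the clue does not say which comes first. The function names are made up for the illustration.

```javascript
// Clue text from the CHAL7ENGE markup above, with the <br> turned into a newline.
const clue = `
█|█   ████|██   █|███   █|█   ███|███   █|█████
█████|█   █|█████   █|███   ████|████   ███|████   ████|██
`;

// The 5x5 square shown above (no J; it shares the I cell).
const SQUARE = ["ABCDE", "FGHIK", "LMNOP", "QRSTU", "VWXYZ"];

// Turn "████|██" into [4, 2] by counting the blocks on each side of the pipe.
function parsePairs(text) {
  return text.split(/\s+/).filter(Boolean).map((token) => {
    const match = /^(█{1,5})\|(█{1,5})$/u.exec(token);
    if (!match) throw new Error(`unexpected token: ${token}`);
    return [match[1].length, match[2].length];
  });
}

// Decode with both possible readings of each pair; only one yields words.
function decodePolybius(text) {
  const pairs = parsePairs(text);
  return {
    pairs,
    rowCol: pairs.map(([a, b]) => SQUARE[a - 1][b - 1]).join(""),
    colRow: pairs.map(([a, b]) => SQUARE[b - 1][a - 1]).join(""),
  };
}

const polybius = decodePolybius(clue);
console.log(polybius.rowCol, polybius.colRow);
```

Only the row,column reading produces words; the accepted capitalization still has to be found by hand.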


Challenge 8 (C8ALLENGE - "morse")

Puzzle 8

This was the most intense challenge of all of them as it required you to do a bit in the real world. Right out of the gate, as has become a pattern, we try all the ROT ciphers and find a hit on ROT-13.

ROT-13: Did you know that SAO port on your badge is the full v1.69bis spec? I wonder what would happen if you bridged GPIO1 and GPIO2..?

This hint is suggesting that our badge has a SAO (Shitty Add-on) port and suggesting we should bridge (i.e. connect) GPIO1 and GPIO2. I knew this was a clever challenge as there was no way AI was going to be helping you here.

I researched "v1.69bis spec" and landed on this hackaday project which had a pinout for the pins on the badge. If we were bridging a connection from a mini computer to the output - we only had a colorful diode so that massively limited our options of what the output format could be.

https://hackaday.io/project/52950-shitty-add-ons/log/159806-introducing-the-shitty-add-on-v169bis-standard

Knowing the ground line (GND) had to not be connected to anything it was pretty easy to orient ourselves on the badge following the lines. Especially since one of my friends sitting with me had a sponsor badge which was white and much easier to see the schematics. So we now had the problem of needing to bridge two ports together which at a massive security conference should hopefully be no problem.

At first though I started using my car keys and when I saw the colorful lights immediately stop and turn bright red with a morse-like color blinking I was hooked that we were on the right path.

So the few friends and I packed up our stuff and wandered around the expo hall looking for something that could be used to bridge two ports. Amazingly we stumbled upon the electronic recycling booth and the guy amazingly just pulled out a device destined for recycling and ripped a cable off. That cable was then stripped down to the metal underneath and twisted into a nice little tiny cable and shoved between the two pins.

Pushing my hand against the pins to connect GPIO1 & GPIO2

At home when I can balance the light perfectly you can see how the random colors revert to a pure red with a morse-code like blinking color when I apply pressure to press the cable against the two pins.

This made sense why the intro announced the smartest badge ever, because it had a little computer onboard to spit out morse code. Now I can't read morse code at all, so I researched if an online tool existed to read a video stream to parse out morse. I found a Reddit thread with a working link of such a tool.

Using S-Morse to parse morse code of badge.

As I sat there at a table in BSides oddly recording myself holding the badge up to my computer I'm sure a few wondered what I was doing. Either way as I saw human words appear in plaintext before my eyes I was amazed.

I just didn't know if the answer was TempleOmega or OmegaTemple and a few guesses later it was confirmed at OmegaTemple. The coolest puzzle of the CTF was done.


Challenge 9 (CHALLENG9 - "base6")

Puzzle 9

Puzzle 9 was colorful and after staring at it long enough I noticed the first and last row were the same. There were 6 different colors in use and the solution was 9 characters long.

The HTML was quite verbose, so I asked AI to clean it up.

<tr>
 <td class="cell r"></td><td class="cell r"></td><td class="cell r"></td>
 <td class="cell o"></td><td class="cell o"></td><td class="cell o"></td>
 <td class="cell y"></td><td class="cell y"></td><td class="cell y"></td>
 <td class="cell g"></td><td class="cell g"></td><td class="cell g"></td>
 <td class="cell b"></td><td class="cell b"></td><td class="cell b"></td>
 <td class="cell p"></td><td class="cell p"></td><td class="cell p"></td>
</tr>

Which ended up becoming a bit more plaintext and easier to read.

rrr ooo yyy ggg bbb ppp (header)
yyr yrr opg rpy opb yrb
obp opp rpy ygg yoo yyo
rpy yop opg opg yrg rpy
yro yop rpy yrr opg yob
opg ogb rpy yop yro opp
yro yrb opo yoo yob opg
rrr ooo yyy ggg bbb ppp (footer)

r=red, o=orange, y=yellow, g=green, b=blue, p=purple

No matter how I diced the letters or grouping there were way more letters than 9, so I figured to just start brute-forcing some solves. Had to brush up on my math to consider some possibilities here. I guessed each grouping of 3 characters was an ASCII numeric representation of a letter. For those unaware generally the A-Z part of the alphabet in ASCII is numeric 65-172 roughly.

So I took the first 9 letters (yyr yrr opg) and converted to decimals using an assumption that the header/footer defined our color grid (red=0, orange=1, etc). This resulted in gibberish so it was probably not base-10.

Diagram of solving Puzzle 9

Once I took the decimal value (220) and converted it to base-6 (84) that fit much better in the ASCII chart and rendered as T. Likewise the rest of the letters decoded as THE and I realized I was on the right track.

yyr = 220 = 84 = T
yrr = 200 = 72 = H
opg = 153 = 69 = E

rpy = 052 = 32 = (space)

opb = 154 = 70 = F
yrb = 204 = 76 = L
obp = 145 = 65 = A
opp = 155 = 71 = G

rpy = 052 = 32 = (space)

ygg = 233 = 93 = ]
yoo = 211 = 79 = O
yyo = 221 = 85 = U

rpy = 052 = 32 = (space)

yop = 215 = 83 = S
opg = 153 = 69 = E
opg = 153 = 69 = E
yrg = 203 = 75 = K

rpy = 052 = 32 = (space)

yro = 201 = 73 = I
yop = 215 = 83 = S

rpy = 052 = 32 = (space)

yrr = 200 = 72 = H
opg = 153 = 69 = E
yob = 214 = 82 = R
opg = 153 = 69 = E
ogb = 134 = 58 = :

rpy = 052 = 32 = (space)

yop = 215 = 83 = S
yro = 201 = 73 = I
opp = 155 = 71 = G
yro = 201 = 73 = I
yrb = 204 = 76 = L
opo = 151 = 67 = C
yoo = 211 = 79 = O
yob = 214 = 82 = R
opg = 153 = 69 = E

Decoding each pair into decimal into base6 into ascii

Outside of triple checking one that kept decoding as a ] the message became clear.

THE FLAG YOU SEEK IS HERE: SIGILCORE

You had to lowercase it as only sigilcore was accepted.
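
The whole grid can be decoded in one pass. This is an added example, not code from the original post or the CTF: it takes the digit for each colour from its position in the header row, reads every three-cell group as a base-6 number and maps that to an ASCII character. `encodeChar` is a hypothetical helper that goes the other way, useful for checking a cell that decodes oddly.

```javascript
// Colour grid as transcribed in the post (r, o, y, g, b, p), header and footer included.
const grid = `
rrr ooo yyy ggg bbb ppp
yyr yrr opg rpy opb yrb
obp opp rpy ygg yoo yyo
rpy yop opg opg yrg rpy
yro yop rpy yrr opg yob
opg ogb rpy yop yro opp
yro yrb opo yoo yob opg
rrr ooo yyy ggg bbb ppp
`;

// The header doubles as the legend: position in the row is the digit value.
function buildLegend(rows) {
  const header = rows[0];
  const footer = rows[rows.length - 1];
  if (header.join(" ") !== footer.join(" ")) {
    throw new Error("header and footer differ");
  }
  return new Map(header.map((cell, digit) => [cell[0], digit]));
}

function decodeGrid(text) {
  const rows = text.trim().split("\n").map((line) => line.trim().split(/\s+/));
  const legend = buildLegend(rows);
  const base = legend.size; // six colours, so base 6
  const codes = rows.slice(1, -1).flat().map((cell) =>
    [...cell].reduce((value, colour) => {
      if (!legend.has(colour)) throw new Error(`unknown colour: ${colour}`);
      return value * base + legend.get(colour);
    }, 0)
  );
  return { base, codes, message: String.fromCharCode(...codes) };
}

// Inverse direction: the colour triple for a character under the same legend.
function encodeChar(ch, letters = "roygbp") {
  return ch.charCodeAt(0).toString(letters.length).padStart(3, "0")
    .replace(/\d/g, (d) => letters[Number(d)]);
}

const decoded = decodeGrid(grid);
console.log(decoded.message, encodeChar("Y"));
```

The `ygg` cell really does decode to `]` (93); under the same legend a `Y` (89) would be `yyp`.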


Challenge 10 (CHALLENGE - "base10")

Puzzle 10

This is the puzzle that stumped me for a few hours and was unfortunately a bit easier once I got home with a refreshed brain. This odd font has so many names over the years, but generally is called "Zalgo text" after some real creepy old stories on the web.

If we try and look at it as-is it's impossible to parse.

<div class="clue">
  ~̴̹͊͌̀̕͠͠Ō̸̙̤̥̯̤̠̊́̌̈́̽͘̕͝Ì̴̤͙̣̫̳̕͠B̶͍̟͔̣͆̌͆͛̈́̾Ḑ̸̳̖͖͔̮̋̄̀͛̿́͜͝͠E̵̡̲̫̺̬͋̋́͂̚͜x̸̪͉̝͖͙̙̫̗͆̏̔̃̓_̶̡̱̰̮̭̬̠̒͂͝͝Ḋ̶̨̜̜̠́̑O̷̯̒̂̎̀͝
</div>

A Zalgo remover makes quick work to turn this into something readable - ~OIBDEx_DO.

We know the answer needs to be 10 characters and yet the random mash of characters we have is 10 as well. I turned them into the numeric representation, but not till I was home did I make the connection of what to do.

~  126
O   79
I   73
B   66
D   68
E   69
x  120
_   95
D   68
O   79

ASCII representation of Zalgo removed text.

I kept looking at the homepage and wondering why the 10th challenge didn't have a 10 in the URL like the others and I wondered why there was a challenge named 284173569.

Homepage

I wondered what would happen if I took the numeric value of each challenge in the place it was in the URL and combined them into a number. Once I started doing that I realized I was spelling the 11th challenge - 284173569. So question 10 had no representation of 10 in the URL.

So I asked AI to perform every form of arithmetic of 10 against the ASCII representation of the values. As I watched it do add, subtract, mod, shift, xor it got a hit on xor.

~  126 ^ 10 = 116 t
O   79 ^ 10 =  69 E
I   73 ^ 10 =  67 C
B   66 ^ 10 =  72 H
D   68 ^ 10 =  78 N
E   69 ^ 10 =  79 O
x  120 ^ 10 = 114 r
_   95 ^ 10 =  85 U
D   68 ^ 10 =  78 N
O   79 ^ 10 =  69 E

Taking the value (ASCII) - xor (10)

This spelled tECHNOrUNE, which when corrected to TechnoRune was correct. This was the only puzzle that I did not complete in time and I was mad about it as it was far easier than I was making it.
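
The "try every operation with 10" search can be written as a small filter. This is an added example, not code from the original post or the CTF: it applies each operation named above to every character code and keeps only the results made up entirely of ASCII letters. It also goes one step beyond the post: flipping ASCII case is XOR 0x20, so XOR 10 followed by a case swap is a single XOR with 42.

```javascript
// Zalgo-stripped clue from the post.
const clue = "~OIBDEx_DO";

// The operations named in the post, each applied per character code with the key.
const OPS = {
  add: (c, k) => c + k,
  sub: (c, k) => c - k,
  mod: (c, k) => c % k,
  shl: (c, k) => c << k,
  shr: (c, k) => c >> k,
  xor: (c, k) => c ^ k,
};

const isAsciiLetter = (c) => (c >= 65 && c <= 90) || (c >= 97 && c <= 122);

// Keep only the operations whose output is an ASCII letter for every character.
function letterOnlyCandidates(text, key) {
  const hits = {};
  for (const [name, op] of Object.entries(OPS)) {
    const codes = [...text].map((ch) => op(ch.charCodeAt(0), key));
    if (codes.every(isAsciiLetter)) hits[name] = String.fromCharCode(...codes);
  }
  return hits;
}

const xorWith = (text, key) =>
  [...text].map((ch) => String.fromCharCode(ch.charCodeAt(0) ^ key)).join("");

const hits = letterOnlyCandidates(clue, 10);
console.log(hits, xorWith(clue, 10 ^ 0x20));
```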


Challenge 11 (284173569 - "more ciphers")

Puzzle 11

Puzzle 11 was another iteration of the massively confusing Zalgo text.

<div class="clue">
 =̶̧̛̪͚͔̬̯̥̻̬̭̘̲̩͎̤̥̗̘͎̞̘̞̖̘̠̭̫̙͊̑̃̆͆̓͂͆͂͌̑͗̌̉̽͘̕͘≠̧̮̙͕͎̙͚̼̮̤̘̩̖̟̹͋͐͛̉́͑̀͑̂̆̍̒̈͝͝g̵̟͓̩͒̊̐̋̀͆̽̃̈̑̃͊͊͆C̶̨̨̛̜͎̭̤͔͙̬̬̭̞̥̻̯̺̫͖̪͌̇̄̾́͐̈́̂͜͜ÿ̷̡̨̹̭̰̰̪͓̮̠̺̖͙̭̼̥͚̖͓̗́̉̀̇͒͑͛̑͊͋̓̈́͒͋̌̃̊̃̒́̓̕̕͘ͅͅḻ̷̟̳̐̓̔͂̀̀͂̆̒̋͝Ḧ̸̭̫͓̫̙͔̗̞͚̥̬̤̦́͛̒̄̑͑̿̔̈́̌̀́͘c̶̛̛̟͍̮͈̗͎̜̳̰̆̆͋̐̈́́̓̾̎̐̅̔̊̋̇̑̈́̇̔̈́̆͊͝u̶͍̺̤̘͔̖̣̣͉̟̩͉̬̩̿̓̌̓̑̓̈́́͜V̷̨͔̺̝̱̬̱̲̩͊̀̿͆̐̌́͗̐̃̊̅̔̇͆͒͘̕͝͝m̷̳͈̫̳̙͓̺̞̹͎̍̑̈́̓̿̋̅̓̆̎͠Q̶̢̺͙͙͕̞̤͎͚̰̟͓̣̼̦̟̯̗̀́̆̔́̀̉͐̋͜͝ẁ̶̨̛̛̮̪͔̠̞̘̑̆̀͌̍͛͌̎̽̀̍̃̇̿Ź̴̢̹̳̠̘̙̤̘͉̲͙͙͙̰̠͙͍̽̄͋̎͝3̴̧̬͉̩̐̊̊͊̎̌̍̊̓̌̿͊̌̂̋̍̚͘̚͝Z̶̟̫̳̗̗͉̞̯̻̫̠̻̏̋̒̊̎́̄̋̋̈́̄̏͊̊̈́̀͗́͘͜y̷̨̨̧̧̛̛̮̞̲̺̟̼̟̫͇̫̯͙̰͍͍̞̥͗̀̌̈͐̈́͛̈́́̌̓͑̍̈́̓̊̂́̃͝͝͠V̵̢̧͚̖͙͇̪͓͔̘̿͊͑͑̒͂͌́̉̀̓͘͜͝3̷̢̡̢̯̱̣̻̘͎̘͔͎̮̬̯̟̋̑̍̓̈́̓̏̐̓̄͌͘̕̚͜͝͝͠Z̵̨̡͓̫͔̜͓̟̟͚͎̠͓͍̞͕͕̙̘͙̑̾̓̅͛̔̐̑̐̈́͌̽͗̄̅͗̇̿́̌̃́͘̕̚͠ḧ̶̨̧͚̥͔̺̲͎̤̖̥̞͖̺͍̠̺̳̯̖͈̩̼̥͛͑͛̏͗̋̀̓̄̈́̃͝ͅẍ̵̨̢̡̬̟͓̼͚͓͚̫͚̪̠̺͓̗̰͍̖̫̹͖͍̭̩͈́̓͌̈́̂̈́̍͗͗͒̓͝͝m̴̧̡̨̙͕̦̟̥̺̬͙̩̤̞̭̻͇̝̦̟̳̳̠̆̒̈̇̐̉̏̑̚̕͘͜͜͜͝ͅͅR̵̤̭̕
</div>

HTML of Puzzle 13

Another round of Zalgo removal and we got a string that immediately looked like a reversed base64.

➜ echo "==gCylHcuVmQwZ3ZyV3ZhxmR" | rev | base64 -d
FlagurgvpBenpyr

This was another incorrect value, but knowing the pattern that had developed it was one simple ROT-13 away from spelling SyntheticOracle and we were done.
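
The full chain for this puzzle, as an added example that is not code from the original post or the CTF: strip the Zalgo marks, reverse, base64-decode, then ROT-13. The sample input is constructed for the example (the clue's base characters with a few combining marks, some letters precomposed) and shows why the text has to be NFD-normalized before the combining marks are removed.

```javascript
// Constructed sample, not copied from the page: one entry per base character.
// U+2260, U+00FF, U+1E3B, U+1E26, U+1E81, U+0179, U+1E27 and U+1E8D are
// precomposed characters that only split into letter + mark under NFD.
const sample = [
  "=\u0336\u0327", "\u2260\u0327", "g\u0335", "C\u0336", "\u00FF\u0337", "\u1E3B\u0337",
  "\u1E26\u0338", "c\u0336", "u\u0336", "V\u0337", "m", "Q\u0336",
  "\u1E81\u0336", "\u0179\u0334", "3\u0334", "Z\u0336", "y\u0337", "V\u0335",
  "3\u0337", "Z\u0335", "\u1E27\u0336", "\u1E8D\u0335", "m\u0334", "R\u0335",
].join("");

// Removing combining marks without normalizing leaves precomposed characters behind.
const naiveStrip = (s) => s.replace(/\p{M}/gu, "");

// NFD first, so every precomposed character becomes base letter + combining mark.
const stripZalgo = (s) => s.normalize("NFD").replace(/\p{M}/gu, "");

const reverse = (s) => [...s].reverse().join("");

const rot13 = (s) =>
  s.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });

function solve(input) {
  const cleaned = stripZalgo(input);
  const decoded = atob(reverse(cleaned)).trim(); // the payload ends in a newline
  return { cleaned, decoded, flag: rot13(decoded) };
}

const solved = solve(sample);
console.log(naiveStrip(sample), solved);
```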


Challenge 13 (CHALLENGE13 - "submit")

Puzzle 13

It seemed like the name of the game towards the end of the CTF was Zalgo text.

<div class="clue-larger">
   <p>you should not b̵e̷ ̸h̵e̴r̸e̵.<br>b̴͚͑ṳ̸̈t̶͙͝ ̸̣͝i̴̠̔f̸̗̃ ̷̭̈y̷̺̅o̵͔̓ű̷̩ ̸̢̥͝a̶̯͗̒̋͘r̸̖̥͔̞̀̓é̴̦̣ ̷͍͆̓̈͝a̷̮͎̠̎̃̅̆n̴͒̚͜d̵̩̫̽̾͝ ̷̝̩̣̱͐̿y̷̮̭̐͋͒͜ö̶́͜͠u̴̙̎̔̃̂ ̸̢̧̤̞̪̤̘̤͎͈̤̳͐ͅh̴͓̳̫̦̱͗̅̌̀͐͜ä̷̧̛̩͉̰̭̳̰̬́͋̍̈́̔͒̎̎̏̾͌ͅv̷͔͙͍̮̻̱̯̟̿ȩ̴̨̱͖̫̦͔̹͂̊͂͝ ̶̢͕̪͗͒̽̓̓́̇̾̋͊̊̈́̇̂͋͝c̶̻̻͋̅̍̍͐̾̅͑̽̒̽̚͝ȏ̴̢̻͓̫̞͚̣̺̾̍͜ͅm̸͔̮̬̊̃̓́̒̽̿̇p̶̢͚̥̯̩͂̆̏̓͐̿̀̚ḻ̸̥̰̒͝e̶̬̜̝̻͕̝̦̹̺͍̹̠͓̭͖̦͑͊͊̌̇̽͐͑t̵̡͈̬̼̪̬͖̖͕̳̼̩̦̰̮́e̴̡͉̤̳̞̤̼͗̒̂̔̀̓̎̂̈̈̕͠͝d̸̘̦̳̭̻̄̒̍̽̔͗͒̔̄̀͝͝͝͝ <br> a̵͉̩̖͑̇̋̄̿̎̍̿́̀́̈́͆̑̿́̚ļ̶̡̨̢̢̢͔̝͎̦̬̟͖̜͇̠͙͓̯̈́̅̽͑͜͝ļ̶̬̺̝̺̦̝͉̺̪͉͇̠̥͒̑̌̾̏̾̑͆̈̓͒́̈́ ̵͈̟͈̝̣̤̲̣͕̟̜̙̜͙͚͎̊͜͝o̴̠̱̹̮̯͙͖̎̽̀̿̈́͐͊͛̋͊̿̽́̆̓̊̃͘͜͠f̵̛̭͉̝̲̟͕͍̳̥͛̌̍͐͑̍̆̑̀̕͜͜͝͝͠ͅ ̴̨̢̖̱͚̙̫̐̑͜ţ̴̡̜̟̮̪͇̫̹̲̩̓̊̆͗̐͜ͅh̷͎̞̺̟̫̓̋͑̒̐̏͌̉͊̅͑̋̓̌͋͂͠ͅe̶̩͓̲͍̣͈͔̦̗̝͉̜̋̾̓ͅ ̵̛͙͈̲̯̙͂͐̓́͆͒̿̏͑͊̅̐͛̊̿͂̚͠͝c̷̭̳̪͇̳͉͉̀̋̉̄̂͐͛̈̈́̚̕h̶̨̘̰̝̙̱͉̹̱͓̣̹̦͙̜̱͕͉͖̰͉̞͈̻̎̇̽͂̓̉͝͠͝å̴̢̢͖͔̘̯͔͔̖͎̰̺̲̳̥͈͎̝̻̳̬̟̫͈̰͉͉̠̆̾͌̽̀̈́̄̍͝͝l̴̡͙͕̹̺̺͈̻̈́͆̄́́̇̎̀͑̓́̂̍̽͋͋̿̅̋́̾̈̾́͗͝l̷͚͇̰̘̻̝͇̭̺̣̱̓͗̀̓̓̍̈́͆̆̓̕͝͝é̸͔͙̪̜̌̓̾͊̑̽̔̈́́̂͗̆̀̋̑̈̈̍̌̎̚͝ņ̶̼̲̬͇̤̀̿͒̒̆͝͠ģ̸͈̫͍͍̙̯̘̙͕̣͉͈͍͉̖̫̹͉̻̳̫͔̞̮͂̊̏ͅȩ̵̧̧̹̺͕̬̘͖͍̙̙̘̬͚͎͖̩̙͉͖̣̘̈́̽̏̿͒͑̔́̔͂̓͌͘̚s̴̛͖̫͓͎̜̉̎͐̑͗́͂̄́̄̃͋̚͜͝͝,̶̧̧̺̣̰̰̥͙̯̣͔̙͉̼̬̫͍͔̠̝̜̫̘̖̳̗̈́̓̎̌͑̍͌̊̃̓̈́͋͑̓̽̍̚͜͜ ̴̙̣̖͖̤͖̟̼͈̰̘͔͈͈͕̣͚̟͔̲̍̅̀̋͑̏͆̉̉͛̔̋̅͒̅̆͒͗̚̚͜͝ͅ <br>S̸̢̢̢̛̛̤̜̗̙̞̙̪̲̹̠͖̯̪̝͕̫̼̭͖̘͕̰̩̭̬̬͓̣̼̺͍̯̖̱̼͑̌̉͗̈̀̋͌͑̀̔̒̃̎̒̂̒̇̌̏̊͗̓̂͗̀̏̋̏̋͑̽͑̆͛̂͗͂́́̿̈͛̐͑̑̚̚̕ͅṲ̶̢̡͕̠̞̯͔̳̜̗̮͙̭̻̻̰͙͖̯̞̘̣̟̞͍̫̭̹̦͎̦͈̗̱͇͕̰̗͈̲̹̈́̋̄͛͛͆̈́̈́ͅͅB̶̧̡̨̢̛̠̰̥͍͇͇̩̜̼̗̹̠͇̝͈̫͙͍͓̒͐̀̄̍̂͆̄̂̓͆̀̈͆̂̄͛̀͐͒̑̚͘̕̕͝͝͝͠ͅM̸̢̛̼̘͖͇͕̣̰͖̟̰̩̘͎͇͇̹̦̖̟̲̟̲̼̳͙̱̒̈́̿̄̇̈́̑̀̉̉͐̍̍̅̂̿͗͑̈́̄͒̓͋̈́̉̀̓͌͂̑̈̾̈́̍́̚ͅĮ̴̧̡̭͉̼̜̹͇̗̯̠͖̩̜͚̦̞͔͖̙̣̠̖̲͓͚̩͍̩̟̝̼͓̯̮͇̻̳̞̠̉̓̈̄̉͌̓͌͒̽̐̆̈̔͆̉͊̍̅̔̃̈͆̊̄͐̄̉̓́̃́̔̌̑̆͐̏̅͌͂̆̆̾̈́̕͘̕͘͝͠͠͝͠͠͝͝T̶̡̡̢̖̥̭̦͇̮̰̞̪̦͇̯̭͖͉͙̺̭͙͓̰̬̼̮͖͚́͊͊͗̔̓͆͒̚ͅ ̶̨̛͉͕̠͇̲̗̤͔̘͔̻̰̞͖̩̣̬̠̹̰̞̈́̀͒̔̄̋̉͂͆̌̂̒͗͑̔̔͂̽͗̒͑͂̊̈́̐̑͗̀̇̈́̅͌́̆̉͋͐̒̾̃̚͘͝͝͝͝͝ͅT̶̗̮̋̈́̋̍̎H̶͉̫͔̣̩̰͔͎̼̙̼̱̼̪̫̝̗̮̬͇̬̺̺̖̱̪̣̩͆͐́́̓̆͊͜͝ͅĘ̷̨̻͖̣̜͖͔̯̦̭͈̖̥͚̗̺̻̘̲͕͚͂̌̈́̿̎̾͑͂͗͌́͑̾̾̒͜͝M̶̧̢̛̥͙̭͖̤̮͇̳̣͉̦̬̪̄̋̔̍̌͆̓̆̂̓͋͆͋̆͐̿̋̎̔̏͛͒̍̑̇͌̓̈͂̓̈́̾̾̀̀̒̂̀̈̃͛̃͐̂̿̒͘̚̚͝͠͠͝͝͠ 
̸̧̝̝͖̻̥͙̩̮͍̇̊̍̔͑̃͝Ḩ̸̡̨̨̢̡̨̛̗̻̹̘̦̭͈͓̜͍̩͓͈̱͚̱̥̜̭͎̘͍̲̰͉͍̜̥̝̠͔͕̬̠͕͎͚͈̠̮͓͔̤̮̭̥̜̀͊̐̂̔͋̈̑͒̃̈́̃̎́͛̐̄̄̓͆̔͒̃̉̈́̍́̊̽̈́̑̅́̂͌̓͘̕̕̚͜͜͝͠ͅĘ̵̡̛̛̼̞̹̜̣̦̯͙̅̽̾̄̅̄̓̌͐̑́̃͆̉̊̒̑̌̈́̉͌̒̓̀̇́̔̎̇͌̄̈́̿͐̆̓̅͑͆̇̿́̆̀̊̅̊́̈́́̂̈̉̕͝͝Ŗ̷̡̧̢̧̛̥̮͈̘͙̙͔̬̜͎̙̟̫̫͉̱̺͇͎͙̘̙͈̬̪̖̙̰͚̗̞͉̘̙̮̗͇̠͍̟̭̹͇̯̼̯̙̞̈́̇́̇̍̅͊̆́̓̀͂͊̄̂̉̒̉̿̊̚͘̚͝E̶̢̜̙̟̜̣͕͎̝̼͚̞͕̺͈̰̥̥̞̪̪̙͉̯̹̭̩̫͈̜͇̪̲̻̹͍̩͎̗͇̜̗͋̓͐̍̔́̈́̀̉͌͐̾̀̔͑̈́̈́̔͐̒͐͑̆̎̈́͛̋͂͒̀̀̍̎́͊͛̈͛͌̀͘̚͘͝͝͠͠͝͠ͅ<br><br>6̴̛̝̱̼̙̞̬̩̲̗̓̈̀͒͊̊̈́̌̇̿̌̕A̶̡̛͍͈̼̠̟̟̖̗͚̖̻̲̜̍͋͂̈̃͂̊͊̎̆̂̓̕͘͝͝6̶̢̛̖̬̥̥̖̥̘̿̒̄̂ͅ7̴̡̯̲̖̫͔̖̲̱̤̑̀̍͗͛͌̐̄͑ ̵̡̭̩̜͖͉̞̫̦̺̳̃̃́̔͆͠/̴̡̛͉̞͙͍̿́͆̃͘̕͜͠/̸̛̛̗̩̙̬̲̜͑̐̎͌̏́̿̈́͋́͆͘͝͠ ̸̡̡̳͖͉̜͔͔̫̪̼̓͑͝ͅͅ7̸̡͕͙̬͇͙̼̰̣̦̭̤͂͂͛̄̐̽́̕͝2̷̨̳̯̋͊̂̇̉͂̐̄̋̕6̶̧̢͖̮̥̖̜̺̱͕̉̇͌͜͠F̵͔̺̦̮͎͙̊̉̓̑̄͑̓͘͜ ̷̣͂̋̓͛̐̈́͑̌͊̈́̈́̽̓̈̽/̵̙͐̂̊̾̒̋͗̓̿̀̐͗̑͌̇͠/̶̡̜̣̼͎̫͓̹̜̰̖̯̈́ ̸̨̘̮̳̾̆̄͐̊͑͐̉̍̈̓͋̍͊̕̕͝7̶̮̌͛̽́̏͝3̷̧͎͈̞͇͍̲͕̀̏͐̔̽̊6̴̫͖̠̘̟̳̺̻̱̠̱͕̓̃̌̐̍̿͊̄̃̓́͜͠5̴̧̙͚͓͉̺̫͍̦̫̗̰͓̮̬͆̀͒̉̀͛̓̎͊̚͜͜͠͠͠ ̵̙͎͔̙̙̞͕̬͈̼̫̙͕͇̳͔̼̋͋̍̌̄͆̅̕͝͝/̶͚͎̮̤̇̆͂͒̽̏̈́͛͘͝/̵̛̛̻̓̈́̎̋̆͂̍̾̈́̐̎̌̓͘͘ ̸̛̜͎̩̈́̐̈͛̋̅̽̐̏̉͒͆͐̐̕ͅ4̴̛̝̻̞̟͚̠̯̮̄̅̋̓͛̚͜0̸̧̨̨̞͈̫͎̤̪̖̞͓̎̔̍͊̀̑̏̍̋̀̉́͌̀̃͋̇6̷̢̡̡̳̖͇̙̖͖̱̳̠̬̪̲̫̗̿͗̓̉̉̈́̈́̓̈́͋̕7̴͈̥̙̩̾ ̴̲̦̹͈̝̝͈̬͂͊͒͐̏̏͊̒́̀̔̓̓̕ͅ/̴̛̝͓̫͎͔͖̲͙̗̦̘̱̞̳̘̄̋͛͐̑̀̊̓̓̈́͜͠/̷̧̨̡͔̖͚̟̼̌̈́̅͐̔̀ ̴̡̢̭̞̲͎͇̰͈͉̪̳̳̣͑̾̎̀̏̎͌̒̕͝6̵̲̣̦͇̬͛̓̋̋D̴̹͓̟͇̫̳͉̼̗͕̲̓̆̓͆̾̄͊̓6̷͙̝̺̮͕̱̙̹͚͔̩͎̖̻̯̿̈́̌͐̚͝ͅ1̸͕̝̰̻̗̦̥̹̣̪͇͇̟̭̳͑̎͋̽́̇͆́ ̸̨̧̠͚̦̯͓̟̮͇̲̏̉̓/̸̢̛͖̫̎́͗̀̍̔̇̏́̈͛͑͒͘͘/̴̢̛̤̺͍̗̠̲̀̒̒̓̉̒͑̓͋̂̀̾̅́͝ͅ ̸̨̡̦͍̤̹̤̞̀͛̒̐̀̈́͗̑̇́̕̕̚̕͝6̴̨̺͉̻̠̝̱̮̠̫̩͓̞̬̙̈́̔̐̈́̾̿̎̕͝9̶̡͔̤̣̯̩̟̬̲̰̼̥͉̜͉̿ͅͅ6̸̡̰͊̽̒̀̔͛̄̂̾͠Ç̸͉̹͚̝̘̣͆ ̷̡͕̠̔̀/̷̧̧̢̧̼̯͚̖̙̖̰͔̼̖̳̄̽̆͆̋̽ͅͅ/̶̧̡̡̹̗̼͍̦̪͖̥͙̰̒̊͛̎̄̏̈̎̌͆̔̚͜͠ ̴̩̱̽̑͑͌̌̈́̌̂̎̂̏̊̽̕̕2̶̧͖̫̗̟̞̤͓͎̖͓̦̥͓͑̓̚E̴̛̛̛̝̫̺̤͙̘̯̫̤̺̜̿̀̀̽̆͌͊̏̑͐̓̚̕̚6̸̢̨̫͍̩̩̂͑̊͊̎͐3̶̱̀̓̇͒̑̒͐̑́̓̇ ̵͍̠̼̏̌̏̃̅͒͑́/̵͖̕/̴̡̡̛͔͎̣̼̗̠̖̠̫͎̞̲̼̘̈́̀̃̇́͋̅̾̂͆͊͌̎͘̚͜͝ ̴̨̮̜͙̞̖̯̰̫̜̼͓̻̃̌̐͐́̈́6̵̢̢͓̰̖̟̦̤͕͔̱̝̥͙͕̼͉͗̿Ḟ̶͓̜̩̼̹̘̱̝͍̈́̏̔̌̔͐̋̐̔̔̎̏̐̕̚6̴̢̢̤̥̗͙̖͈̝̺̱̙̼͖̤̹͗D̵̢̢̲̠͙̫̤̟̪͈̹̝͐</p>
</div>

Which decoded towards:

<div class="clue-larger">
   <p>you should not be here.<br>but if you are and you have completed <br> all of the challenges,  
   <br>SUBMIT THEM HERE
   <br><br>
   XXXX // XXXX // XXXX // XXXX // 6D61 // XXXX // XXXX // XXXX
   </p>
</div>

Since this decodes to a real email I've redacted the values. This was a basic hexadecimal value that decoded to a gmail address. I emailed it anyway with 11/12 challenges completed thanking the creator for a great CTF as I closed my laptop to head to the closing remarks.


As I walked to the closing remarks I wondered how much AI had changed the CTF landscape. I could tell this challenge tried to trick the LLM and even block their network calls for pure automation and it really got me wondering about the future of CTFs. Hearing the winners solved it in about 6 hours was good to hear, because if it was solved in like sub-hour it was probably just an LLM solving things in one shot.

Though reading back through the Discord channel a team claimed a solution at 11am in the morning which conflicted with the closing remarks saying it took 6 hours. Turns out they got the badge at the training event on Friday and had Friday as a head start. That hurt a bit to hear, because I wouldn't have spent 90% of my BSides working a badge knowing I was a day behind. Though I had fun regardless, but maybe they'll time gate the domain to start time on Saturday next year.

I had a blast solving the CTF and oddly another blast writing the solves. This time I got to meet the creator of it and pass on my thanks and get a little verbal approval to post out this solve. This marks the end of BSides Tampa 2026 for me and I'll be back next year.
