This Easter we launched our 2nd cyber puzzle challenge with a handful of prizes to be won for those Forensic Foxes that helped us track down our escaped Rabbit.

We were delighted to have players from across 28 countries join in but it looks like this was a tough one though, as only one person successfully completed our challenge and caught the Rabbit 🐰. The only person to claim the top prize of a free Browser History Examiner (BHE) Pro licence worth $525 USD and Amazon voucher was @Tristan04375166. An honourable mention also goes to Cameron Stiller for being the only player to solve the difficult Easy as Pi challenge!

Congratulations to Tristan and Cameron, but for all those who joined in this time we’ve written a detailed walkthrough below.

On the challenge page ( players were informed the Easter bunny had lost track of time while self isolating and were asked to help find him and remind him he needs to turn up to work in time for Easter as the government confirmed he was a key worker! Players needed to discover each of the challenge flags to help locate Rabbit 🐰 and get him back to work. The first challenge is called Tricky Media.

Tricky Media

We’ll have to capture lots of flags to reveal the clues we need to track down Rabbit.
We’ve been reliably informed the first flag is buried in this Google Chrome history file. The last time someone saw Rabbit was 24th March 2020, does that help at all?

Players are invited to start the first challenge by downloading a Google Chrome history file called Favicons. This is a SQLite database file which the players can view using a SQLite viewer such as our free tool SQLite Examiner.

The URL can be found in the record dated 24th March 2020. This record also has a favicon image associated with it as shown below.

This favicon blob image data can be exported out for further analysis in a hex viewer as shown below.

At the end of the image binary there is an additional string

This can be decoding using CyberChef. Extracted out and reversed gives

Decoded from Base64 gives

This is the first flag the player can enter into the challenge CTFd website.


The HINTS for this challenge were:
Wait a minute... not all these favicons are alike…
Grab dat blob!


Nobody has seen Rabbit for weeks now but he did leave behind some clues...

Players are provided with a JPG file to download named qTiHcX0.jpg.

Analysing this JPG image in a hex editor reveals what look like “PK” ZIP signatures at the end of the file content. This hidden data can unpacked on the command line using the following:

unzip qTiHcX0.jpg

Unpacking the extracted ZIP archive reveals the 4 files shown below.

3 are PNG images of equations, 1 is a JPG meme which is shown below.

The first flag is printed near the top of the JPG image.

This is the flag the player can enter into the challenge CTFd website.


The HINT for this challenge was:
Is this really a normal image file? Maybe if we treat it as if it were some other type of file...

Easy As Pi

Equations? These clues are getting more complicated!
Do we have any mathematicians that can help with the next flag?

The 3 PNG Images extracted in the previous challenge show equations that when solved result in some useful numbers.

These equations can be solved using the Wolfram website. The players can use this website to work out what x equals for each equation.

PNG Equation 1

Solving the equation (x-log(9))/5 = log(4)^2/sqrt(6) results in the approximate result
x = 6.12010700894255

Ignoring digits after 00 null operator leaves us with 6.120107


Changing these digits to text using A=1 B=2… etc.
To do this players can use a website like

The decoded text is FLAG

PNG Equation 2

Solving the equation log_2((log_7(x))+1) = -(sqrt(2)^pi/7) results in the approximate result
x = 0.609021514000363

Ignoring digits after 00 null operator leaves us with 0.609021514


Changing these digits to text using A=1 B=2… etc. gives FIBON

PNG Equation 3

Solving the equation x/((log_9(x))+1) = pi-2 sqrt(3 pi) results in the approximate result
x = 0.103030900000002458083808097

Ignoring digits after 00 null operator leaves us with 0.1030309


Changing these digits to text using A=1 B=2… etc. gives ACCI

Adding the 3 strings together makes FLAGFIBONACCI



The HINTS for this challenge were:
Maybe a wolf can help you resolve the numbers? At least those up to NULL…
Rabbit must have spent ages putting these equations together!

Golden Ticket

We need to move quickly to find Rabbit in time for Easter and we’d normally check Pastebin for clues... but we don’t have time for that right now. Less paste more haste!
Use your flag from the Pi challenge to help in your search!

Players are provided with a PNG file to download named 4.png.

Searching for the previous flag on Google, the player can quickly find the familiar golden spiral shape.

Applying this fibonacci sequence to the letters in the 4.png image forms the following string.


Rather than PASTEbin they can find the next flag on HASTEbin using the above code to build the full URL.

This webpage had a new flag on it.


The player can enter this flag into the challenge CTFd website to continue.


The HINT for this challenge was:
Hmm this sounds pretty similar to something I had to solve to catch Rabbit in the last Cyber Challenge!

Bump in the Code

If you’ve tried to catch him before you’ll know sometimes the Rabbit can be seen on Twitter dropping clues to all the foxes chasing him. Ignore his chatter then go to the main challenge page to continue!

If players read the walkthrough for the first Foxton Forensics cyber challenge they will see a Twitter account was used for the Rabbit named @foxtonrabbit. Visiting this account reveals only one tweet shown below.

This is braille and can be decoded on CyberChef to read

The initial clue suggested players Ignore the rabbits chatter so remove the CHATTER letters from the string leaving the word KONAMI.

A simple Google search for Konami shows lots of examples of a cheat code


Again following the clue players are told to go to the main challenge page where they can enter the cheat code, which reveals a pop up box!

This is the next flag.


The HINT for this challenge was:
I'm definitely getting more time to play video games during this time in isolation!"

Ace in the Mole

The next url gave me flag dejavu but it’s all you need to proceed!
Why would rabbit even Google Whacky words like deservance and aglet?

If the player carries out a Google search for a “Google Whack” (a search with only 1 result) using the words "deservance" “aglet" they will receive one hit.

The hit URL is:

The clue says the URL is all the player needs so from this they can extract the next flag.


The HINTS for this challenge were:
I know Rabbit has always loved a good Googlewhack but they're harder to find these days! Rabbit "you" "cheat!”

Rash Decisions

We’ve had a recent sighting of Rabbit! He was last seen headed to a hidden webpage... bring home the bacon and continue the chase using the info in the text file!


This binary string can be converted to text using the Bacon Cipher Decode on CyberChef.

Adding this decoded binary back to our original string leaves:

Decimal IP can be decoded to a standard IP format using a website such as or can also be used without decoding directly in the web browser.

So the hidden page can be found at

Visiting this gives the next flag for the player to enter on the challenge CTFd site.

The HINTS for this challenge were:
So we're looking for a hidden webpage? Awesome, I just need to figure out the URL and I can follow Rabbit!
(this binary is another Bacon Cipher string which can be decoded to http://)

Search Party

Rabbit is doing well at social distancing but where is he?
Dig deep to uncover the next flag and clue!

The player is provided with a download of a ZIP file named which has hundreds of images of seemingly matching images distributed across a tree structure of directories. The image is shown below.

Using a tool of their choice the player can compare the MD5 hash value of all the image files contained with the ZIP archive and identify the few images that are different to the rest.

There are extra bytes added at the end of each of these different image files which can be seen in a hex viewer. Sorting the images by file size will allow the player to extract the extra bytes in the right order to form a string. This string spells the following in hex format.

46-4c-41-47-52-34-38-38-49-54-53-54- 34-59 -41-54-48-30-4d-33

Decoding to ascii from hex using an online site such as reveals the next flag.


The HINT for this challenge was:
Wait a minute, not all these images are alike!

Final Snap Flag

You’ve nearly found Rabbit!
If you can find his final flag he’ll reveal himself and get back to work!
He says he already Tweeted the final flag but i don’t see any flags Tweeted at all. What now??

The player must find a Tweet that was deleted from the @foxtonrabbit Twitter account but can still be found on a webpage archive website similar to WayBack Machine.

The player must find the following archive website to search for any archived tweets from the Twitter account.

This shows the tweet before it was deleted.

The final flag can be entered on the challenge CTFd website to finally catch the Rabbit!


The HINT for this challenge was:
Rabbit says it wasn't wayback when he tweeted the flag, but we should be able to find it somewhere!

Thanks again to all that played! Until the next time!