I participated in Nahamcon CTF 2024 and tried to solve their challenges for fun. I did have a limited amount of time that weekend so I only managed to attempt a few of them, these are my write-ups to some of those challenges.

Read the Rules

On the Rules page open up the page source and search Flag which is present there as a HTML comment

 flag{90bc54705794a62015369fd8e86e557b} 

Technical Support

Go to Nahamcon discord and ctf-open-ticket channel

flag{a98373a74abb8c5ebb8f5192e034a91c}

EICAR

Download the file eicar and run

md5sum eicar

The flag is md5 hash wrapped in flag{}

flag{44d88612fea8a8f36de82e1278abb02f}

Uriel

The percentages and 2 hexadecimal values gives us the hint that this blob of text is URL encoded, and going by the description twice. Copy the the blob of text and goto Cyberchef, paste it in the Input section and you can try the Magic option from Cyberchef or URL decode twice.

flag{8efeb66a719b75a4b7c634d885788dfc}

Twine

The attachment is a jpg file. To make sure it is actually a JPG file I ran file and exiftool to see if there are any hidden comments. But it is just an image file. The challenge description mentions something related to string consisting of more strands so I looks for hidden strings in the image and greped ‘flag’ which gave us the flag.

flag{4ac54e3ba5f8f09049f3ad62403abb25}

QRRRRRRRR

I checked the file for hidden strings but coudln’t find any. I tried scanning the QRCode by uploading the image but all the QR code scanners were erroring out. Then I searched for different types of QR codes and found this is called a rMQR code. While searching on how to scan a rMQR code I stumbled upon https://www.qrcode-tiger.com/different-types-of-qr-codes this repository which mentions we’ll have to use QRQR app on our phones. I also found John Hammond’s video about a similar challenge with rMQR which also uses QRQR app https://www.youtube.com/watch?v=J8S-NJ1GTn4. Once I scanned the QR code with the app I directly got the flag.

flag{a44557e380e3baae9c21c738664c6142}

Copypasta

When you connect to the challenge you get back the Richard Stallman copypasta about GNU plus Linux. The output looks weird so I tried greping the flag and voila there’s the flag.

flag{1f68e019b29650f6e8ea15a7808f76fd}

iDoor

Opened up the webpage for iDoor which took me to ‘http://challenge.nahamcon.com:31646/4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8'. The description for the challenge mentions SHA256 hash being used for security and the URL looks familiar to SHA256. I search for SHA256 hash of 11 as that was our customer number and got ‘4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8’. I got SHA256 hashes of other numbers to see the web camera footage of ther customers, only odd numebrs were working. Eventually I tried SHA256 of 0 which is ‘http://challenge.nahamcon.com:31646/4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8' and you would get the flag.

flag{770a058a80a9bca0a87c3e2ebe1ee9b2}

Helpful Desk

Got to Helpful Desk app and browsed to its Security Bulletin. They have addressed a RCE vulnereability in the latest version and they provide the app files. Before trying out form fields for any injection I just put in the credentials as admin, admin and it let me log in as an Administrator. Under HOST-WIN-DX130S2 -> Desktop you will find flag.txt and that is the flag.

flag{2fd5d91a4504ecf32a1b701a4b7122db}

All About Robots

The webpage shows different robots and if you click on learn more it will take you to https://www.robotstxt.org/ which gives us our first hint. Go to /robots.txt of the web app and you will get

User-agent: *
Disallow: /open_the_pod_bay_doors_hal_and_give_me_the_flag.html

Go to the http://challenge.nahamcon.com:30998/open_the_pod_bay_doors_hal_and_give_me_the_flag.html and you will get the flag

flag{3f19b983c1de42bd49af1a237d7e57b9}