NahamCon CTF Image

Nahamcon 2020 CTF Writeup Part One

NahamCon a virtual security conference organized by NahamSec, Stok, John Hammond and TheCyberMentor. It also had CTF challanges and this was my first ever competitive CTF, i learnt a lot and thought of writing up my own experience.I am going to divide this ctf writeup into two parts as i am going to use pictures for every step and if i put everything into one writeup it will be long, no one want to read a long boring post. So lets get started.

Note: English is not my first language so please ignore my mistake.

Read the Rules


Read The Rules Picture

This page have the rules that we have to follow for ctf challanges, it was the simple one, i checked the source codes of the web page and first i searched for the flag format but didnt get it then i searched for comments and got the flag.


flag pcture

CLIsay


Clisay Picture

In this challange i have to extract flag from a file, i just ran a strings command on the file and got the flag.



CLIsay Flag Picture

Metameme


Metameme Picture

In this challange i also have to extract the flag from the file, which i could get by using strings command like in the previous challange but there is a proper tool for extracting metadata from files which is exiftool, I ran it on the file and got the flag.


Metameme Flag Picture

Mr.Robot


Mr Robot Flag Picture

Openeing the ctf link i saw a picture of Elliot Alderson.


Mr Robot Picture

The first thing came to my mind was doing steganography on the image as i saw some data on the picture, but i got nothin, i also tried to read the metadata from the image like in previous challanges but didnt get anything. i also tried looking at source code and found nothing there. i will lie if i say i didnt spend time on this one, i got the flag and all i was missing a common sense.

After spending some time on it, i lean back on the chair and took a look at the challange name “Mr.Robot” and thought about checking the "robots.txt" file and yeah i got the flag, "Sometime all you need is a common sense".


Mr Robot Flag Images

UGGC


Fifth Flag Display Picture

The page greeted me with a login form, i can login with just by providing a username


Main Page's Image

I successfully logged in with username "test" and saw an error message that was "Sorry, Only admin can see the flag".


Error Image

Now i need to login in as Admin to get the flag. I tried to login with username "Admin" and got an error message of "Login as Admin has been disabled".


Error Image

I fired up my Burp to see what happened under the hood when we tried to login as user "test", the web is setting a cookie for user as you can see below in the picture:


Request Image

I changed the cookie value to "admin" and sent the request


Request Image

But there was something weird in the response, the response was telling me that i am logged in as user "nqzva" but i was trying to login as user "test".


respnonse Image

A quick google search reveled that this is ROT13 encryption and decrytping it gave me the value of "admin". The website encyrpting the username in ROT13 and using that value as the session cookie, i just need to provide the Rot13 encrypted value of the word "admin" to session cookie to login as Admin. I did this and got the flag.


Flag's Image

That's it and thank you for reading this, see you in the next write-up