LeFevre: twitter @_LeFevre_
Naham had posted on Twitter the following:
The first puzzle starts you off with a simple search in the source code of the website, which reveals the comment <!-- r13 : fanvy ebpxl zrevg pheir -->.
The r13 hint refers to rotation 13 (rot13), which is a basic cipher used in cryptography. Take the letters “fanvy ebpxl zrevg pheir” and rotate each one 13 places around the alphabet, giving us the first answer: “snail rocky merit curve”.
The second level can be described as a data format quiz: it gives us binary data to begin with, which decodes to Morse code, which then decodes to hexadecimal, which then decodes to base64, which finally decodes to our solution, “sprint supply body muddy”. Using a website like https://gchq.github.io/CyberChef/ can make this process trivial if you are familiar with common data formats.
This level is an XOR cipher. Taking the given hexadecimal “1b5212551144521a5f1a5558441a155e1310025f070d58 ^ 743078307230726e307430783072”, XOR the first hexadecimal value with the second to get the solution “object tone thank pouch”.
This level presents you with an “awkward seal” meme image. Looking at the end-of-file data of the image reveals a hidden 7z file, identified by its magic numbers “37 7A BC AF 27 1C”. Unfortunately, the 7z is password protected, so we will either have to try to brute-force it using John the Ripper, or take an educated guess at the password. The password happens to be “awkward”, from the name of the meme. This gives us a text file with the solution “lake tile shakes wings”.
Another image file is found in this level. Using a steganography tool such as StegSolve, you can filter each color (RGB) channel, revealing the message “x is above the Sea of y r13(x+y+nothing)^z”.
Doing a reverse image search reveals that the title of the art is “Wanderer above the Sea of Fog”, and looking at the end of file of the image gives us “z:021b0c101c45170b1711540d1709161e4117180f1b08”. Taking this information, we can solve the equation given to us by the red channel (x = Wanderer, y = Fog, nothing = nothing). Again we have r13, which is the same method used in Level 1. So the equation becomes (021b0c101c45170b1711540d1709161e4117180f1b08 ^ hex(jnaqreresbtabguvat)) = “human ends lunch crazy”.
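The rot13 and XOR steps from Level 1, the XOR level and this painting level can be checked with a few lines of Python. This is an added example, not part of the original write-up; the function names are illustrative, and it makes explicit that in both XOR levels the key is shorter than the data and therefore repeats.

```python
import codecs
from itertools import cycle


def rot13(text: str) -> str:
    """Rotate each letter 13 places; other characters are unchanged."""
    return codecs.encode(text, "rot_13")


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter than the data."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def solve_xor_level() -> str:
    # Both operands are the hex strings given on the page.
    data = bytes.fromhex("1b5212551144521a5f1a5558441a155e1310025f070d58")
    key = bytes.fromhex("743078307230726e307430783072")  # ASCII "t0x0r0rn0t0x0r"
    return xor_repeat(data, key).decode("ascii")


def solve_painting_level() -> str:
    # r13(x + y + nothing) ^ z, with x = wanderer, y = fog, nothing = nothing.
    z = bytes.fromhex("021b0c101c45170b1711540d1709161e4117180f1b08")
    key = rot13("wanderer" + "fog" + "nothing").encode("ascii")
    return xor_repeat(z, key).decode("ascii")


if __name__ == "__main__":
    print(rot13("fanvy ebpxl zrevg pheir"))
    print(solve_xor_level())
    print(solve_painting_level())
```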
This level requires you to do some research into what “7 3 10 Mentor” could mean. Finding an entry in Wikipedia about Loyd Blankenship, a well-known computer hacker who goes by the name “The Mentor”, is a very promising lead. Looking further into The Mentor, we see he was the author of the “Hacker Manifesto”. Trying to find a copy of the manifesto online leads you to the Phrack Magazine website, and the link http://phrack.org/issues/7/3.html#article
This is conveniently the issue Volume One, Issue 7, Phile 3 of 10, making the full link of the 7 3 10 Mentor clue. Taking the contents of the article and applying the provided RegEx ([^a-zA-Z0-9-]), we are left with exactly 2223 characters, confirming that we are on the right path.
The last clue, “174 187 1021 966 6 163 \x20 q 233 158 20 41 \x20 21 494 1051 1027 2130 27 \x20 30 1433 32 2071 43”, tells us which characters to extract from the string, while “\x20” is the hexadecimal form of “ ”. Running a small Python script to extract the characters gives us “drives quite offers loves”.
This level is purely a recon puzzle. We are given #naham0x0 and, in the source code, a comment of “<!-- Time for some recon. https://twitter.com/nahampuzzle/status/1252338918072057856--->”.
Looking at Ernesto Johnson’s profile, we can see a company titled “MemeMedia”.
“pb com /u/” is a reference to Pastebin.com/u/l33tkrudox, where we can find user “l33tkrudox”. They have a Pastebin post saying “Target: itme0x08, Claims to be a hacker, but his bug bounty profile has no findings on it lmao”.
Everyone knows that the best place to find a bug bounty profile is HackerOne. Finding his profile https://hackerone.com/itme0x08 gives us the solution “keeps heave curve”.
Level 9 presents us with another image, and the title “Bitten, Razed, #!$%ed.”. Looking at the EoF of the image, we find a zip file that is password protected.
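Both the 7z in the “awkward seal” level and this zip were found by looking past the end of the image data. The following added example (not part of the original write-up) does that check in Python: it walks the PNG chunks to IEND and classifies whatever follows by magic number. It assumes a PNG container; the function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Archive signatures to look for after the image data.
MAGICS = {
    bytes.fromhex("377ABCAF271C"): "7z",  # magic numbers quoted in the text
    b"PK\x03\x04": "zip",                 # ZIP local file header
}

def png_end(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    raise ValueError("truncated PNG: no complete IEND chunk")

def trailing_payload(data: bytes):
    """Return (offset, kind) of data appended after IEND, or None."""
    end = png_end(data)
    if end == len(data):
        return None
    hits = [(data.find(m, end), kind) for m, kind in MAGICS.items()]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else (end, "unknown")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png() -> bytes:
    """Constructed 1x1 RGB PNG, used only as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))

if __name__ == "__main__":
    clean = sample_png()
    stego = clean + bytes.fromhex("377ABCAF271C0004") + b"constructed"
    print(trailing_payload(clean), trailing_payload(stego))
```

Trailing bytes that match neither signature, such as the “z:” text appended in the painting level, are reported as “unknown” at the offset where the image ends.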
The first step in this multi-step puzzle is to extract the RGB values of the 5x16. Using a steganography tool such as Steganabara, we can extract each pixel’s value. Extracting the Blue value of the pixels, and taking the values “0” as 0 and “17” as 1, we can extract a binary string. Converting this binary string to ASCII reveals our first password, “L0ui5Bump1nG”.
The password “L0ui5Bump1nG” is a hint that the next extract is Braille: Louis Braille was the inventor of Braille, and Braille is bumps on paper. Doing similar steps to extract the Red values, and marking the “17”s as dots and the “0”s as empty spaces, we are left with 16 2x3 cells. Reading each 2x3 cell as a Braille character gives us the second password, “urbanscerebellum”.
Again, extracting the Green values and converting the decimal to ASCII leaves us with the string “-[----->+<]>---.[-->+++++<]>.[-->+<]>+++++.--[----->+<]>.-[--->++<]>-.[--->++++<]>+.[--->+<]>++.”. Using the clue from the title, “#!$%ed”, and the previous password, “urbans cerebellum”, we can correctly identify this as an esolang called “Brainfuck”, as Urban Müller was the inventor of said esolang. Running this code through an interpreter such as https://www.dcode.fr/brainfuck-language will output the last password, “0xAsKey”.
Finally, we have successfully opened the zip file and can read the contents, “clues.txt”:
00: Confirmed reciepts (16)
01: Vlad’s affliction (16)
02: Magellan did it first (16)
03: Revoking suffrage (16)
04: Mork, for one (16)
05: Harry’s illusions (16)
This relates back to our image, and is similar to crossword puzzle clues. Seeing that we have been given the first and last letter of each answer, we can fill in the grid as such.
Finally, to extract the solution, we must go back to the passwords we had previously used. “0xAsKey” hints that we should use the hexadecimal of the image as a key to extract the answer. In the PNG header, there is a group of hexadecimal values surrounded by “nahamsec”: “35 20 2B 20 53 54 58 20 49 20 4A 2E 2E 2E 2E 2E 50 20 29 20 50 20 47 53 20 4C 20 2E 2E 2E 2E 2E 44 4C 45 20 52 20 58 20 5D 20 2F 20 32”. We can now label each column using hexadecimal so that the far left is “0” and the far right is “F”. Using this group of hexadecimal values as coordinates, so that “35” equals row “3” and column “5”, we extract the letter “F”. We use the hexadecimal “20” as a separator between characters, so the group “53 54 58” is first decoded as “STX”, which is in actuality hexadecimal “02”, and using our image is extracted as “K”.
Continuing this method for the rest of the hexadecimal values leaves us with the solution “fakes piper begins”.
The final puzzle gives us a list of numbers separated by commas, in a very familiar format.
1:1 3:2 8:2 7:2
2:1 4:2 9:2 2:3
3:3 9:3 5:1
6:1 8:1 3:1 4:3
10:1 9:1 10:2 2:2
1:2 11:1 7:1 1:3
4:1 5:2 6:2 6:3
11:2 11:3 5:3
10:3 8:3 7:3
This format matches perfectly with the last 9 puzzle solutions 4/4/3/4/4/4/4/3/3. Looking at the puzzle, we can see that there are 11 sets of 3. (1:1, 1:2, 1:3, 2:1, 2:2, 2:3…), so if we match each password from our previous 9 solutions, with each set of digits, we can get a new ordering for our passwords.
snail human crazy
sprint wings muddy
thank rocky trains
drives supply pouch
puppy quite curve
object offers loves
lunch curve begins
tone merit piper
tile body signal
lake shakes fakes
ends keeps heave
This becomes the new ordering for our list of passwords, having 11 sets of 3 words. The hint from the creator, of a brand logo, led me to a mapping site.
This site takes 3 words, and maps them to a square in the world. Using the 11 sets of 3 words we have, we can find all 11 locations.
After looking at all 11 sites on the map, you will notice a pattern: each one is found on a street with a number, such as snail.human.crazy being on 110th street. Taking the numbers from all 11 sites, we are given the decimal string “110 97 104 97 109 112 48 116 97 116 48”, which when converted from decimal to ASCII gives us “nahamp0tat0”, the final password to the NahamSec Puzzle.
I just want to say thank you to Naham, and the NahamSec community. I appreciate the time spent on creating and coordinating such a fun puzzle, and look forward to any other community events that may occur. Please join Naham’s Discord at https://discord.gg/3H5u42c, and follow him on Twitter @NahamSec