@SheHacksKE held their yearly hackfest event in October 2021 but it was online this year. The event included a CTF that was facilitated by @eKRAALhub . @mystic_kev and I participated in the CTF as NoPwnNoGain and won it by completed all challenges. This writeup is for the challenges I was able to solve.

Challenges: Firmware

1. Camera Kernel

The provided file when extracted contains a bin file that is a linux image.

By using binwalk to analyse the file we see the different file sections.

binwalk demo.bin

The kernel starts at the second section indicated as the OS Kernel Image and includes the lzma compressed data to end at the beginning of the squashfs filesystem.

To provide the flag in decimal we minus the header that identifies the firmware image.

2097216 - 64 = 2097152

Flag: Hackfest{2097152}

2. Backups

Based on the binwalk output we can take the root filesystem as the first squashfs filesystem. We can calculate the size as below.

5570624 - 2097216 = 3473408

To extract it we can use dd command line tool then mount the filesystem.

dd if=demo.bin skip=2097216 count=3473408 bs=1 of=squashfs1 
sudo mount -t squashfs squashfs1 mount1

On mounting the filesystem we see the backup folders.

Flag: Hackfest{backupa,backupd,backupk}

3. Semiconductor

By looking around the root filesystem we can read the hostname of the device this image was retrieved from.

Searching this name on google shows this is a semiconductor company confirming this is the flag.

Flag: Hackfest{Ingenic}

4. Leaky Developer

The rest of the filesystem is inside the jffs2 filesystem that starts offset 6225984 until the end.

To extract it we can carve it out using dd.

dd if=demo.bin skip=6225984 bs=1 of=jffs

To mount the jffs2 file system, I found the below script to be useful.

set -e
if [ -z "$1" ]; then
    echo usage: $0 jffs2_image directory

if [ -z "$2" ]; then
    echo usage: $0 jffs2_image directory

# modprobe mtdcore
modprobe jffs2

SIZE=$(du -h -k $1 | cut -f 1)
SIZE=8192 # 65536
ESIZE=$(( $SIZE / 6))
modprobe mtdram \
 total_size=$SIZE \
 erase_size=${ESIZE} \
# writebuf_size=$BUFS

# modprobe mtdchar
modprobe mtdblock

sleep .25

dd if=$1 of=/dev/mtd0

mount -t jffs2 /dev/mtdblock0 $2

Once we mount the filesystem as below, there’s a file inside the bin directory that shows the folder in the home directory.

Flag: Hackfest{xuxuequan}

5. Root

The shadow file in the root filesystem contains the root hash.

I tried to crack this hash using the usual rockyou wordlist but got nothing so I jumped to google to see if I get any hits.

Flag: Hackfest{ismart12}

6. Extras

The above solutions were after some analysis of how I believe the challenges we meant to be solved. Initially I did the basic option of extracting the image using binwalk.

binwalk -e demo.bin

After this and looking through the resulting directories and some google searches later I found this post that allowed me to quickly answer the questions.

7. The Rest

The rest of the challenges in this category were solved by Kelvin.

Challenges: Protocols

1. Subscriber

First thing I did was run nmap against the host and port to figure out what the service is running.

On discovering this is mqtt, I downloaded mqtt explorer .

Once we connect we start receiving messages, after a while the flag is sent as a message.

Flag: Hackfest{Howdy Friend}

2. Hardcoded

The provided zip file has only two files inside.

The config.php is somewhat encrypted.

Using this google search I found an article with the decryption method.

By running the below command we can get the email from the config.php

openssl aes-256-cbc -d -K 3834326434326239383837366635383166306466626566623063643262356333 -iv 0 -in config.php > config.php.out

Flag: Hackfest{}


This was a nice CTF with some not so common categories. Playing with dd was a learning process for me, I haven’t used it much before.

Here are the challenge files incase the CTF site goes down.