Solving HariBahadur CTF

6 min readJun 16, 2022

URL to join the CTF: https://tryhackme.com/jr/haribahadur and can submit flags. The CTF is actually situated on https://haridai.sushilphuyal.com.np/

At the beginning we are given a Downloadable file in the CTF. That file is downloaded. We suspect that there might be some clue in its meta data, so we use Exif tool to view its meta data.

From the meta data of the file, we know the author’s name which may lead us to next step. OINT begins here. To find the user profiles we can use various method. Sherlock is one of the python-based tools to find user profiles with given username.

After visiting each site one by one, we got a lead. Let’s visit the site. https://www.pinterest.com/1337haribahadur/

1. What was the Social media, you found author on?

=> Pinterest.com

We found a GitHub link in this site so now let’s go to this link. github.com/1337mickey/oh-ho

The message in the given readme file says if we can edit it. Let’s edit it.

Oh! We got one more text. It looks similar to the username we got earlier. Maybe it is another username. No worries, we have sherlock.

After visiting the sites one by one we finally landed on the twitter account of that user.

All the tweets found in twitter account were written in the notes. 1337madanbahad1 tweets that we have to go to another directory with the name of the house owner who lives in Kathmandu. Since we have got a BSSID, lets see what we can get using it. We use wigle to track BSSID.

Searching for Kathmandu by scrolling through the map we found a home network with SSID: Pratikxyawifi

2. What was the Wifi Name?

=> Pratikxya

Which means our next directory is Pratikxya. From the given url in the CTF we visit this directory.

We landed on this page, right click is disabled, we can’t use shortcut key to inspect element. But we can still view page source by adding view-source: before URL of the page or just by using curl in terminal.

We got a hex which is clear from the text we got. A hint is also given which says xeh which means hex in reverse. So, we use easiest way to crack this. Let’s visit cyberchef.

Using magic tool in cyberchef we easily decrypted the hex but the result we got still doesn’t make any sense. It seems like a cipher text and from the hint found while viewing page source lets try ceaser cipher.

By brute-forcing the text in Caesar cipher we got something meaningful merotahasairamro

Now, let’s see if it is another directory.

Yes, we were right it is in fact another directory. It says hari bahadur wrote something on the wall when he was drunk but what? Lets trying viewing the page source again.

We found a random text and the hint in the comment says it is a hash and hash_name starts with N. Let’s try cracking it in crackstation first if not we will try other methods.

Oh Wow! We got lucky. And ok it was NTLM hash. Our desired text is blue97. Let’s check if it is a path.

3. What was the hash type?

=> NTLM

4. What was the decrypted value of Hash?

=> blue97

We found an audio in this directory which sounds like song but at the end there is some random sound. It’s a morse code. It was perfectly trimmed and online morse code audio decoding site was used to decode the code. I used https://morsecode.world/international/decoder/audio-decoder-adaptive.html

The decoded message was namaste

Again it must be another directory so let’s visit.

The message doesn’t seem complete so lets view page source.

Now it says that my birth year and my wife’s death year is another path. From the hints in previous steps, we know that we are playing role of haribahadur. So, find out from google.

Thanks to google, we found our path 1957–2011 now let’s go next directory and see what we get

The message says that only HariBahadur can view this site. Let’s try changing useragent. If you are using Firefox browser, you can change user-agent by going to network tab and change header.

Just click on resend and choose edit and resend option. All you have to do is change the user-agent to HariBahadur as given in the message. Then go and check the new response.

Note: There are multiple ways to change user agent. You can even use burp-suite or any other browser or curl in terminal kali@user~$ curl –user-agent “<user agent>” <url>

We were right about the user-agent thing, and we got one more message. It says if we can print the flag. If it’s a text and we can’t print it, it must ne zero-width encryption. We cannot print the characters in between and the private message. I copied the text and tried clearing the text. I discovered that flag is zero-width encrypted public message. Let’s try decrypting it. I used https://neatnik.net