Nahamsec CTF write-up

Nahamsec recently created a CTF when he reached 30k Twitter followers. The only information he gave was here, so there wasn’t much to go on. This is my write-up; I decided to write it up like a bug report. This style of course does not show the time wasted looking in all the wrong places, like doing steganography on the JPEG in the link above, or digging through all the wrong servers/endpoints.


Hello ,
I’ve found a sensitive information disclosure in the API running on Using leaked credentials I was able to access the secret ‘flag’ variable which is obviously a huge risk.

Steps to reproduce

1) Go to and search for’ which shows the following certificate:
Notice how it’s valid for the subdomain

2) Go to (not https!). The admin area is only allowed from the intranet, but this is easily bypassed by using the X-Forwarded-For header with the correct endpoint, like this:

GET /admin/ HTTP/1.1

Which gives the following reply:
‘Oh!, looks like we have moved our api services to’

3) Go which returns 404 Not Found.

4) Go to
There are two issues here: first, the leaks full credentials, and second, the earlier commit #4a0dc54 leaks the path doc='/swagger'. Note down both.

5) Go back to (the path from step 4). We now have access to the top secret Get_Flag API.
Initially both API endpoints return 500 Internal Server Error, but /api/getflag also accepts GET requests, which return Unauthorized Access with this header:
WWW-Authenticate: Basic realm="Authentication Required"
Meaning the endpoint expects HTTP authentication.

Make the following Curl request to the API endpoint from step 5 (with the credentials from step 4):

curl -u BugHunters:4dawin -X GET "" -H "accept: application/json"


{  "Flag_is": "You are such a guru!, send this to" 
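To make the step 5 exchange concrete, here is an added example (my own code, not the CTF's API) that models an endpoint answering with the WWW-Authenticate challenge above until valid Basic credentials arrive, and shows what `curl -u` actually puts on the wire. It also shows the server-side habit that would have blunted the step 4 leak: store only a salted hash of the password, never the plaintext, and compare in constant time. The user name and password are the ones quoted in this write-up; the salt, iteration count and the `authenticate` function's return shape are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Assumption for this demo: a static salt. A real deployment stores a random
# per-user salt alongside the hash.
_SALT = b"constructed-static-salt"
_ITERATIONS = 100_000
_CHALLENGE = {"WWW-Authenticate": 'Basic realm="Authentication Required"'}


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is what belongs in config, not the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Credentials as quoted in the write-up, stored hashed.
USERS = {"BugHunters": hash_password("4dawin")}


def basic_auth_header(user: str, password: str) -> str:
    """The Authorization value `curl -u user:password` sends (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization header; None for anything malformed."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authenticate(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Return (status, response headers): 401 plus the realm challenge until
    a valid user/password pair is presented, 200 otherwise."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, dict(_CHALLENGE)
    user, password = creds
    expected = USERS.get(user)
    # Always compute the hash so timing does not reveal whether the user exists,
    # then compare with a constant-time function.
    candidate = hash_password(password)
    if expected is not None and hmac.compare_digest(candidate, expected):
        return 200, {}
    return 401, dict(_CHALLENGE)


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": basic_auth_header("BugHunters", "4dawin")}))
```

The point of `USERS` holding hashes is that a repository leak like the one in step 4 then exposes something the attacker still has to crack offline, rather than a credential that works immediately in `curl -u`.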


Exposure of the secret Flag variable, which can spell untold disaster for your company.


1) should not allow bypassing via the X-Forwarded-For header.
2) Remove credentials and path leak at
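For the X-Forwarded-For bypass in step 2 and recommendation 1, here is an added example (my own code, not the CTF server's) that puts the flawed intranet check beside a hardened one. The weak version believes the first X-Forwarded-For entry regardless of who sent it; the fixed version only believes entries appended by a known reverse proxy, walking the header from the right until it reaches the first address a trusted proxy did not add. The intranet range, the proxy address and the exact header name casing are assumptions chosen for the demonstration.

```python
import ipaddress
from typing import Mapping, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed values (not from the CTF): the range the admin area treats as
# "intranet", and the reverse proxies that legitimately append X-Forwarded-For.
INTRANET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _in_any(addr: IPAddress, nets: Sequence[IPNetwork]) -> bool:
    return any(addr in net for net in nets)


def is_intranet_weak(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """The kind of check bypassed in step 2: the first X-Forwarded-For entry is
    believed no matter who sent it, so any client can claim an intranet address."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed) in INTRANET
    except ValueError:
        return False


def effective_client_ip(remote_addr: str, headers: Mapping[str, str]) -> IPAddress:
    """Walk X-Forwarded-For from the right, discarding only hops that are trusted
    proxies; the first untrusted hop is the real client. If the TCP peer itself is
    not a trusted proxy, the header is client-controlled input and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the proxy's own address rather than
            # guessing, which fails closed for an intranet-only check.
            return peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def is_intranet_fixed(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Hardened check for recommendation 1: only proxy-appended entries count."""
    return effective_client_ip(remote_addr, headers) in INTRANET


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.1.2.3"}
    print("weak :", is_intranet_weak("203.0.113.5", spoofed))   # True, bypassed
    print("fixed:", is_intranet_fixed("203.0.113.5", spoofed))  # False
```

The usual deployment detail is that the trusted proxy must itself overwrite or append to X-Forwarded-For rather than pass a client-supplied value through untouched; the fixed check above is only as good as that guarantee, which is why it also ignores the header entirely when the TCP peer is not one of the listed proxies.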
