diff --git a/NahamCon_2020/Cryptography.md b/NahamCon_2020/Cryptography.md
new file mode 100644
index 0000000..551c658
--- /dev/null
+++ b/NahamCon_2020/Cryptography.md
@@ -0,0 +1,253 @@
+# Cryptography
+
+## Twinning
+```
+These numbers wore the same shirt! LOL, #TWINNING!
+
+Connect with:
+nc jh2i.com 50013
+```
+
+We start by connecting to the level:
+```
+$ nc jh2i.com 50013
+Generating public and private key...
+Public Key in the format (e,n) is: (65537,10507244454143)
+The Encrypted PIN is 882113417291
+What is the PIN?
+```
+
+It's a basic RSA encryption, we can see that N is tooo small, we can try to factorise it with http://www.factordb.com/index.php?query=10507244454143
+
+Bingo, `10507244454143` = `3241487` * `3241489`
+
+Now, we can decrypt the cipher with python:
+``` python
+$ python
+Python 2.7.18 (default, Apr 21 2020, 18:49:31)
+Type "help", "copyright", "credits" or "license" for more information.
+>>> p = 3241487
+>>> q = 3241489
+>>> N = p * q
+>>> print N == 10507244454143
+True
+>>> e = 65537
+>>> phi = (q - 1) * (p - 1)
+>>> from Crypto.Util.number import inverse
+>>> d = inverse(e, phi)
+>>> cipher = 882113417291
+>>> plaintext = pow(cipher, d, N)
+>>> print plaintext
+1668
+```
+
+The plaintext pin is `1668`
+
+Finally, we send it to the challenge:
+```
+$ nc jh2i.com 50013
+Generating public and private key...
+Public Key in the format (e,n) is: (65537,10507244454143)
+The Encrypted PIN is 882113417291
+What is the PIN?
+1668
+Good job you won!
+flag{thats_the_twinning_pin_to_win}
+```
+
+The flag is: `flag{thats_the_twinning_pin_to_win}`
+
+## Ooo-la-la
+```
+Uwu, wow! Those numbers are fine!
+
+Download the file below.
+Files: prompt.txt
+```
+
+`prompt.txt` content:
+```
+N = 3349683240683303752040100187123245076775802838668125325785318315004398778586538866210198083573169673444543518654385038484177110828274648967185831623610409867689938609495858551308025785883804091
+e = 65537
+c = 87760575554266991015431110922576261532159376718765701749513766666239189012106797683148334771446801021047078003121816710825033894805743112580942399985961509685534309879621205633997976721084983
+```
+
+We can try to factorize N with http://www.factordb.com and we can see that N = `1830213987675567884451892843232991595746198390911664175679946063194531096037459873211879206428207` * `1830213987675567884451892843232991595746198390911664175679946063194531096037459873211879206428213`
+
+Then we can decrypt the cipher like **Twinning** challenge:
+``` python
+$ python
+Python 2.7.18 (default, Apr 21 2020, 18:49:31)
+Type "help", "copyright", "credits" or "license" for more information.
+>>> p = 1830213987675567884451892843232991595746198390911664175679946063194531096037459873211879206428207
+>>> q = 1830213987675567884451892843232991595746198390911664175679946063194531096037459873211879206428213
+>>> N = p * q
+>>> print N == 3349683240683303752040100187123245076775802838668125325785318315004398778586538866210198083573169673444543518654385038484177110828274648967185831623610409867689938609495858551308025785883804091
+True
+>>> e = 65537
+>>> phi = (q - 1) * (p - 1)
+>>> from Crypto.Util.number import inverse
+>>> d = inverse(e, phi)
+>>> cipher = 87760575554266991015431110922576261532159376718765701749513766666239189012106797683148334771446801021047078003121816710825033894805743112580942399985961509685534309879621205633997976721084983
+>>> plaintext = pow(cipher, d, N)
+>>> print plaintext
+50937517511042200745290788421321823843091772536455731976208097788779057394456536262472573
+>>> print hex(plaintext)[2:-1].decode('hex')
+flag{ooo_la_la_those_are_sexy_primes}
+```
+
+The flag is `flag{ooo_la_la_those_are_sexy_primes}`
+
+## December
+```
+This is my December...
+
+Download the file below.
+Files: source.py ciphertext
+```
+
+`source.py`:
+``` python
+#!/usr/bin/env python
+
+from Crypto.Cipher import DES
+
+with open('flag.txt', 'rb') as handle:
+ flag = handle.read()
+
+padding_size = len(flag) + (8 - ( len(flag) % 8 ))
+flag = flag.ljust(padding_size, b'\x00')
+
+with open('key', 'rb') as handle:
+ key = handle.read().strip()
+
+iv = "13371337"
+des = DES.new(key, DES.MODE_OFB, iv)
+ct = des.encrypt(flag)
+
+with open('ciphertext','wb') as handle:
+ handle.write(ct)
+```
+
+`source.py` encrypt the message in `ciphertext` with DES-OFB algorithm
+
+I admit that I was inspired by this write-up: https://shrikantadhikarla.wordpress.com/2016/03/08/des-ofb-writeup-boston-key-party-ctf/
+
+When we run this scipt:
+``` python
+from Crypto.Cipher import DES, XOR
+import operator
+
+block_size = DES.block_size
+IV = '13371337'
+f = open('ciphertext', 'r')
+ciphertext = f.read()
+f.close()
+
+first_line = '????????'
+p0 = first_line[:block_size]
+c0 = ciphertext[:block_size]
+xor = XOR.new(c0)
+ek = xor.decrypt(p0)
+
+plainblocks = ''
+i=0
+while True:
+ cj = ciphertext[(i*block_size):((i+1)*block_size)]
+ if not cj:
+ break
+ xor = XOR.new(cj)
+ if (operator.mod(i+1,2)==0):
+ plainblock = xor.decrypt(IV)
+ else:
+ plainblock = xor.decrypt(ek)
+ i = i+1
+ plainblocks = plainblocks + plainblock
+print plainblocks
+```
+We get:
+```
+$ ./cracker.py | hexdump -C
+00000000 3f 3f 3f 3f 3f 3f 3f 3f 65 20 6d 79 20 73 6e 6f |????????e my sno|
+00000010 1c 77 39 23 2c 7a 2c 28 64 20 64 72 65 61 6d 73 |.w9#,z,(d dreams|
+00000020 61 03 32 25 29 3f 37 3e 20 6d 65 20 70 72 65 74 |a.2%)?7> me pret|
+00000030 0e 39 3e 25 34 78 54 2b 6c 61 67 7b 74 68 69 73 |.9>%4xT+lag{this|
+00000040 34 3e 29 13 3b 73 32 12 69 5f 6e 65 65 64 7d 00 |4>).;s2.i_need}.|
+00000050 0a |.|
+```
+But nothing more, we have to try to guess the message to continue to decrypt it
+
+We can guess that on line 4, there is the word `flag`
+
+We try all combinations of the 8th char of the first line and we get with `???????r` as fist line:
+```
+$ ./cracker.py | hexdump -C
+00000000 3f 3f 3f 3f 3f 3f 3f 72 65 20 6d 79 20 73 6e 6f |???????re my sno|
+00000010 1c 77 39 23 2c 7a 2c 65 64 20 64 72 65 61 6d 73 |.w9#,z,ed dreams|
+00000020 61 03 32 25 29 3f 37 73 20 6d 65 20 70 72 65 74 |a.2%)?7s me pret|
+00000030 0e 39 3e 25 34 78 54 66 6c 61 67 7b 74 68 69 73 |.9>%4xTflag{this|
+00000040 34 3e 29 13 3b 73 32 5f 69 5f 6e 65 65 64 7d 00 |4>).;s2_i_need}.|
+00000050 0a |.|
+```
+
+Then we can guess the word `are` in first line, so in script `first_line` is equal to `??????ar`, and we get:
+```
+$ ./cracker.py | hexdump -C
+00000000 3f 3f 3f 3f 3f 3f 61 72 65 20 6d 79 20 73 6e 6f |??????are my sno|
+00000010 1c 77 39 23 2c 7a 72 65 64 20 64 72 65 61 6d 73 |.w9#,zred dreams|
+00000020 61 03 32 25 29 3f 69 73 20 6d 65 20 70 72 65 74 |a.2%)?is me pret|
+00000030 0e 39 3e 25 34 78 0a 66 6c 61 67 7b 74 68 69 73 |.9>%4x.flag{this|
+00000040 34 3e 29 13 3b 73 6c 5f 69 5f 6e 65 65 64 7d 00 |4>).;sl_i_need}.|
+00000050 0a |.|
+```
+
+Next, we can add a space before the word `are`, and with `????? ar` we get:
+```
+$ ./cracker.py | hexdump -C
+00000000 3f 3f 3f 3f 3f 20 61 72 65 20 6d 79 20 73 6e 6f |????? are my sno|
+00000010 1c 77 39 23 2c 65 72 65 64 20 64 72 65 61 6d 73 |.w9#,ered dreams|
+00000020 61 03 32 25 29 20 69 73 20 6d 65 20 70 72 65 74 |a.2%) is me pret|
+00000030 0e 39 3e 25 34 67 0a 66 6c 61 67 7b 74 68 69 73 |.9>%4g.flag{this|
+00000040 34 3e 29 13 3b 6c 6c 5f 69 5f 6e 65 65 64 7d 00 |4>).;ll_i_need}.|
+00000050 0a |.|
+```
+
+We guess the word `all` in flag, we try all combinations of the 5th char and we get with `????e ar` as fist line:
+```
+./cracker.py | hexdump -C
+00000000 3f 3f 3f 3f 65 20 61 72 65 20 6d 79 20 73 6e 6f |????e are my sno|
+00000010 1c 77 39 23 76 65 72 65 64 20 64 72 65 61 6d 73 |.w9#vered dreams|
+00000020 61 03 32 25 73 20 69 73 20 6d 65 20 70 72 65 74 |a.2%s is me pret|
+00000030 0e 39 3e 25 6e 67 0a 66 6c 61 67 7b 74 68 69 73 |.9>%ng.flag{this|
+00000040 34 3e 29 13 61 6c 6c 5f 69 5f 6e 65 65 64 7d 00 |4>).all_i_need}.|
+00000050 0a |.|
+```
+
+Same for char `_` before the word `all` in flag, and we get with `???se ar` as fist line:
+```
+$ ./cracker.py | hexdump -C
+00000000 3f 3f 3f 73 65 20 61 72 65 20 6d 79 20 73 6e 6f |???se are my sno|
+00000010 1c 77 39 6f 76 65 72 65 64 20 64 72 65 61 6d 73 |.w9overed dreams|
+00000020 61 03 32 69 73 20 69 73 20 6d 65 20 70 72 65 74 |a.2is is me pret|
+00000030 0e 39 3e 69 6e 67 0a 66 6c 61 67 7b 74 68 69 73 |.9>ing.flag{this|
+00000040 34 3e 29 5f 61 6c 6c 5f 69 5f 6e 65 65 64 7d 00 |4>)_all_i_need}.|
+00000050 0a |.|
+```
+And finally, we can guess that `These` is the first word of fist line, and with `These ar` as first line, we get:
+```
+$ ./cracker.py | hexdump -C
+00000000 54 68 65 73 65 20 61 72 65 20 6d 79 20 73 6e 6f |These are my sno|
+00000010 77 20 63 6f 76 65 72 65 64 20 64 72 65 61 6d 73 |w covered dreams|
+00000020 0a 54 68 69 73 20 69 73 20 6d 65 20 70 72 65 74 |.This is me pret|
+00000030 65 6e 64 69 6e 67 0a 66 6c 61 67 7b 74 68 69 73 |ending.flag{this|
+00000040 5f 69 73 5f 61 6c 6c 5f 69 5f 6e 65 65 64 7d 00 |_is_all_i_need}.|
+00000050 0a |.|
+```
+The flag is `flag{this_is_all_i_need}
+
+
+
+
+
+
+
diff --git a/NahamCon_2020/Forensics.md b/NahamCon_2020/Forensics.md
new file mode 100644
index 0000000..5dbcbe4
--- /dev/null
+++ b/NahamCon_2020/Forensics.md
@@ -0,0 +1,102 @@
+# Forensics
+
+## Microsooft
+```
+We have to use Microsoft Word at the office!? Oof...
+
+Download the file below.
+Files: microsooft.docx
+```
+We extract files in `microsooft.docx` and we see if flag is write in plaintext:
+```
+$ grep -R flag
+src/oof.txt: [...] flag{oof_is_right_why_gfxdata_though} [...]
+```
+
+The flag is: `flag{oof_is_right_why_gfxdata_though}`
+
+## Volatile
+```
+What was the flag again? I don't remember...
+
+Download the file below.
+
+Note, this flag is not in the usual format.
+
+Large File Hosted with Google Drive
+Files: memdump.raw
+```
+
+`memdump.raw` is a memory dump, we will use volatility (https://github.com/volatilityfoundation/volatility) to analyse it
+
+First af all, we get the profile of the memory dump:
+```
+vol -f memdump.raw imageinfo
+Volatility Foundation Volatility Framework 2.6.1
+INFO : volatility.debug : Determining profile based on KDBG search...
+ Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
+ AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+ AS Layer2 : FileAddressSpace (/home/tom.rorato/Downloads/memdump.raw)
+ PAE type : PAE
+ DTB : 0x185000L
+ KDBG : 0x8276fc28L
+ Number of Processors : 1
+ Image Type (Service Pack) : 1
+ KPCR for CPU 0 : 0x82770c00L
+ KUSER_SHARED_DATA : 0xffdf0000L
+ Image date and time : 2020-04-20 21:16:55 UTC+0000
+ Image local date and time : 2020-04-20 14:16:55 -0700
+```
+We will use the profile: `Win7SP1x86_23418`
+
+We don't know where to get the flag, so we try everything
+
+And we finally fing the flag in console history:
+```
+vol -f memdump.raw --profile Win7SP1x86_23418 consoles
+Volatility Foundation Volatility Framework 2.6.1
+**************************************************
+ConsoleProcess: conhost.exe Pid: 3468
+Console: 0xc781c0 CommandHistorySize: 50
+HistoryBufferCount: 1 HistoryBufferMax: 4
+OriginalTitle: %SystemRoot%\system32\cmd.exe
+Title: C:\Windows\system32\cmd.exe
+AttachedProcess: cmd.exe Pid: 3460 Handle: 0x5c
+----
+CommandHistory: 0x2f0448 Application: cmd.exe Flags: Allocated, Reset
+CommandCount: 1 LastAdded: 0 LastDisplayed: 0
+FirstCommand: 0 CommandCountMax: 50
+ProcessHandle: 0x5c
+Cmd #0 at 0x2f4680: echo JCTF{nice_volatility_tricks_bro}
+----
+Screen 0x2d62d8 X:80 Y:300
+Dump:
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+C:\Users\JCTF>echo JCTF{nice_volatility_tricks_bro}
+JCTF{nice_volatility_tricks_bro}
+
+C:\Users\JCTF>
+```
+
+The flag is: `JCTF{nice_volatility_tricks_bro}`
+
+## Cow Pie
+```
+Ew. Some cow left this for us. It's gross... but something doesn't seem right...
+
+Download the file below.
+Files: manure
+```
+`manure` is a `QEMU QCOW2 Image`
+
+But before all, we try to see if flag is write in plaintext:
+```
+$ strings manure
+[...]
+flag{this_flag_says_mooo_what_say_you}
+[...]
+```
+
+The flag is: `flag{this_flag_says_mooo_what_say_you}`
diff --git a/NahamCon_2020/Miscellaneous.md b/NahamCon_2020/Miscellaneous.md
new file mode 100644
index 0000000..84ddba7
--- /dev/null
+++ b/NahamCon_2020/Miscellaneous.md
@@ -0,0 +1,89 @@
+# Miscellaneous
+
+## Vortex
+```
+Will you find the flag, or get lost in the vortex?
+
+Connect here:
+nc jh2i.com 50017
+```
+
+When we are connected, there is a lot of unreadable text:
+```
+nc jh2i.com 50017 | head
+�PϞ)m1e��/}=v/�()k+�>�(�,닥�W{�t��6�+S���
+�8�=$��=ğ��Q��L����m=|w.�`#����P0ʼ�'hd���Q����R�+�%<�KK�zҷwD�?�0�1:�逝&�u�(����
+�d�Z'f��e��J���V���/씔���be�8rhr�wrDgQ,�����C���4��}�_��]t�Y�!�vY2���k��cS�O����#��O?
+[...]
+```
+
+We can check if the flag is hidden inside:
+```
+$ nc jh2i.com 50017 | strings | grep flag
+flag{more_text_in_the_vortex}
+```
+
+The flag is: `flag{more_text_in_the_vortex}`
+
+## Fake File
+```
+Wait... where is the flag?
+
+Connect here:
+nc jh2i.com 50026
+```
+
+When we log in, we have access to a shell
+
+```
+user@host:/home/user$ ls -la
+ls -la
+total 12
+dr-xr-xr-x 1 nobody nogroup 4096 Jun 12 17:08 .
+drwxr-xr-x 1 user user 4096 Jun 4 18:54 ..
+-rw-r--r-- 1 user user 52 Jun 12 17:08 ..
+```
+
+There is a file named `..` but we can't cat it:
+```
+user@host:/home/user$ cat ..
+cat ..
+cat: ..: Is a directory
+```
+
+We must select the file `..` and not the directory `..`, the command ` find` will help us:
+
+```
+user@host:/home/user$ find . -type f
+find . -type f
+./..
+user@host:/home/user$ find . -type f -exec cat {} \;
+find . -type f -exec cat {} \;
+flag{we_should_have_been_worried_about_u2k_not_y2k}
+```
+
+The flag is `flag{we_should_have_been_worried_about_u2k_not_y2k}`
+
+## Alkatraz
+```
+We are so restricted here in Alkatraz. Can you help us break out?
+
+Connect here:
+nc jh2i.com 50024
+```
+
+When we log in, we have access to a restricted shell
+
+With `ls`, we can see a file `flag.txt` in home directory, the flag can is inside
+
+We can use `cat`, `less`, `more`, `head`, `tail` or `grep` to try to display its content...
+
+But we can une `.` instruction lmao:
+```
+. flag.txt
+flag.txt: line 1: flag{congrats_you_just_escaped_alkatraz}: command not found
+```
+
+The flag is: `flag{congrats_you_just_escaped_alkatraz}`
+
+
diff --git a/NahamCon_2020/Mobile.md b/NahamCon_2020/Mobile.md
new file mode 100644
index 0000000..9fe07e5
--- /dev/null
+++ b/NahamCon_2020/Mobile.md
@@ -0,0 +1,197 @@
+# Mobile
+
+## Candroid
+```
+I think I can, I think I can!
+
+Download the file below.
+Files: candroid.apk
+```
+We extract apk in a directory and we check if the flag is writed in plain text:
+```
+$ grep -R flag
+META-INF/CERT.SF:Name: res/layout/activity_flag.xml
+META-INF/MANIFEST.MF:Name: res/layout/activity_flag.xml
+Binary file resources.arsc matches
+Binary file classes.dex matches
+
+$ strings resources.arsc | grep flag
+flag{4ndr0id_1s_3asy}
+res/layout/activity_flag.xml
+flagTV
+activity_flag
+flag
+```
+
+The flag is: `flag{4ndr0id_1s_3asy}`
+
+## Simple App
+```
+Here's a simple Android app. Can you get the flag?
+
+Download the file below.
+Files:simple-app.apk
+```
+
+Same method than **Candroid**
+
+We extract apk in a directory and we check if the flag is writed in plain text:
+```
+$ grep -R flag
+Binary file resources.arsc matches
+Binary file classes.dex matches
+
+$ strings classes.dex | grep flag
+[...]
+flag{3asY_4ndr0id_r3vers1ng}
+[...]
+```
+
+The flag is: `flag{3asY_4ndr0id_r3vers1ng}`
+
+## Secure Safe
+```
+This app says it secures my stuff! It's so cool!
+
+Download the file below.
+Files: secure_safe.apk
+```
+
+The application asks a 4-digit pin and seems use it to decrypt a cipher after that a `submit` was pressed, the result seems to be the flag
+
+We use http://www.decompiler.com to decompile the APK
+
+In `sources/com/congon4tor/nahamcon2/MainActivity.java`, there is the `onCreate` main function:
+``` java
+public void onCreate(Bundle bundle) {
+ super.onCreate(bundle);
+ setContentView((int) R.layout.activity_main);
+ String string = getString(R.string.encrypted_flag);
+ this.p = (TextView) findViewById(R.id.flagTV);
+ ((Button) findViewById(R.id.submit)).setOnClickListener(new a(string, (EditText) findViewById(R.id.pin)));
+}
+```
+
+The class `MainActivity.a` is set as click listener of the submit button with `string` var and the `pin` input element
+
+`string` is equal to `getString(R.string.encrypted_flag)`, so we search its value:
+```
+$ grep -R encrypted_flag
+resources/res/values/public.xml:
+resources/res/values/strings.xml: UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=
+sources/com/congon4tor/nahamcon2/MainActivity.java: String string = getString(R.string.encrypted_flag);
+sources/com/congon4tor/nahamcon2/R.java: public static final int encrypted_flag = 2131492892;
+```
+
+`string` is equal to `UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=` because it's the variable `encrypted_flag` in `R.strings`
+
+The class `MainActivity.a` is:
+``` java
+public class a implements View.OnClickListener {
+
+ public final /* synthetic */ String f532b;
+ public final /* synthetic */ EditText c;
+
+ public a(String str, EditText editText) {
+ this.f532b = str;
+ this.c = editText;
+ }
+
+ public void onClick(View view) {
+ String[] strArr = {this.f532b, this.c.getText().toString()};
+ new b.b.a.a.a(MainActivity.this).execute(new String[][]{strArr});
+ }
+}
+```
+
+At create, there is `UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=` in `this.f532b`
+
+When the user press the ` submit` button, the function `onClick` is called and there are `UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=` and the pin in `strArr`
+
+Then, the class `b.b.a.a.a` is created and executed, the argument look like `{{"UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=", **pin**}}`
+
+we search where the class is located: in the directory `source/b/b/a/a` there is a file named `a` and in it, a class `a` from package `b.b.a.a`, it's it !
+
+In `source/b/b/a/a/a` there is two methods of `AsyncTask class` called by `execute`:
+``` java
+public Object doInBackground(Object[] objArr) {
+ String[][] strArr = (String[][]) objArr;
+ String str = strArr[0][0];
+ String str2 = strArr[0][1];
+ try {
+ MessageDigest instance = MessageDigest.getInstance("SHA-1");
+ instance.update("5up3r_53cur3_53cr37".getBytes("UTF-8"));
+ instance.update(str2.getBytes("UTF-8"));
+ return new String(a(Base64.decode(str, 0), new BigInteger(1, instance.digest()).toString(16).getBytes()));
+ } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
+ e.printStackTrace();
+ return "Error decrypting";
+ }
+}
+
+public void onPostExecute(Object obj) {
+ String str = (String) obj;
+ super.onPostExecute(str);
+ this.f531a.p.setText(str);
+}
+```
+
+The `execute` function call `doInBackground` function with argument passed to `execute` and `onPostExecute` is called automaticly after `doInBackground` finishes with the value returned by `doInBackground` as argument
+
+`doInBackground` seems decrypt the flag and `onPostExecute` display it
+
+Now, we can write a script to test all pin and crack it:
+``` java
+import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+public class Crack {
+
+ // xor function
+ public static final byte[] a(byte[] bArr, byte[] bArr2) {
+ byte[] bArr3 = new byte[bArr.length];
+ for (int i = 0; i < bArr.length; i++) {
+ bArr3[i] = (byte) (bArr[i] ^ bArr2[i % bArr2.length]);
+ }
+ return bArr3;
+ }
+
+ public static Object doInBackground(Object[] objArr) {
+ String[][] strArr = (String[][]) objArr;
+ String str = strArr[0][0];
+ String str2 = strArr[0][1];
+ try {
+ MessageDigest instance = MessageDigest.getInstance("SHA-1");
+ instance.update("5up3r_53cur3_53cr37".getBytes("UTF-8"));
+ instance.update(str2.getBytes("UTF-8"));
+ // change way to decode in Base64
+ return new String(a(Base64.getDecoder().decode(str), new BigInteger(1, instance.digest()).toString(16).getBytes()));
+ } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
+ e.printStackTrace();
+ return "Error decrypting";
+ }
+ }
+
+ public static void main(String[] args) {
+ String encrypted_flag = "UFhYVUt2VmdqEFALbiNXRkZvVQtTQxwSTVABe0U=";
+ for (int id = 0; id <= 9999; id++) {
+ String pin = String.format("%04d", id);
+ String flag = (String)doInBackground(new String [][]{{encrypted_flag, pin}});
+ if (flag.startsWith("flag{"))
+ System.out.println("pin:" + pin + " -> " + flag);
+ }
+ }
+
+}
+```
+
+And finaly execute it:
+```
+$ java Crack.java
+pint:3952 -> flag{N0T_th3_B3st_3ncrypt10N}
+```
+
+The flag is: `flag{N0T_th3_B3st_3ncrypt10N}`
diff --git a/NahamCon_2020/Scripting/really_powerful_gnomes.py b/NahamCon_2020/Scripting/really_powerful_gnomes.py
new file mode 100755
index 0000000..76ad886
--- /dev/null
+++ b/NahamCon_2020/Scripting/really_powerful_gnomes.py
@@ -0,0 +1,73 @@
+#!/usr/bin/python2
+import socket
+from time import sleep
+
+TCP_IP = 'jh2i.com'
+TCP_PORT = 50031
+BUFFER_SIZE = 1024 * 10
+
+expected = 'send back this line exactly'
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+
+# buy sword 100 gold
+data = s.recv(BUFFER_SIZE)
+s.send('6\n')
+data = s.recv(BUFFER_SIZE)
+s.send('1\n')
+
+# get 1000 gold
+data = s.recv(BUFFER_SIZE)
+while int(data.split('Gold: ')[1].split('\n')[0]) < 1000:
+ s.send('5\n')
+ data = s.recv(BUFFER_SIZE)
+ print(data)
+
+# buy bow 1000 gold
+s.send('6\n')
+data = s.recv(BUFFER_SIZE)
+s.send('2\n')
+
+# get 2000 gold
+data = s.recv(BUFFER_SIZE)
+while int(data.split('Gold: ')[1].split('\n')[0]) < 2000:
+ s.send('4\n')
+ data = s.recv(BUFFER_SIZE)
+ print(data)
+
+# buy axe 2000 gold
+s.send('6\n')
+data = s.recv(BUFFER_SIZE)
+s.send('3\n')
+
+# get 10000 gold
+data = s.recv(BUFFER_SIZE)
+while int(data.split('Gold: ')[1].split('\n')[0]) < 10000:
+ s.send('3\n')
+ data = s.recv(BUFFER_SIZE)
+ print(data)
+
+# buy missle launcher 10000 gold
+s.send('6\n')
+data = s.recv(BUFFER_SIZE)
+s.send('4\n')
+
+# get 100000 gold
+data = s.recv(BUFFER_SIZE)
+while int(data.split('Gold: ')[1].split('\n')[0]) < 100000:
+ s.send('2\n')
+ data = s.recv(BUFFER_SIZE)
+ print(data)
+
+# buy tank 100000 gold
+s.send('6\n')
+data = s.recv(BUFFER_SIZE)
+s.send('5\n')
+
+# beat boss
+data = s.recv(BUFFER_SIZE)
+s.send('1\n')
+data = s.recv(BUFFER_SIZE)
+print(data)
+
diff --git a/NahamCon_2020/Scripting/rotten.py b/NahamCon_2020/Scripting/rotten.py
new file mode 100755
index 0000000..34f9afd
--- /dev/null
+++ b/NahamCon_2020/Scripting/rotten.py
@@ -0,0 +1,43 @@
+#!/usr/bin/python2
+import socket
+from time import sleep
+
+TCP_IP = 'jh2i.com'
+TCP_PORT = 50034
+BUFFER_SIZE = 1024
+
+expected = 'send back this line exactly'
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+
+def rot_n(msg, n):
+ chars = "abcdefghijklmnopqrstuvwxyz"
+ trans = chars[n:] + chars[:n]
+ rot_char = lambda c: trans[chars.find(c)] if chars.find(c) > -1 else c
+ return ''.join(rot_char(c) for c in msg )
+
+def crack_rot(cipher, expected):
+ for i in range(0, 26):
+ plaintext = rot_n(cipher, i)
+ if expected in plaintext:
+ return plaintext
+ return None
+
+flag = '.' * 50
+
+data = s.recv(BUFFER_SIZE)
+while 'FAILURE' not in data and (len(flag.split('}')) == 0 or '.' in flag.split('}')[0]):
+ cipher = data[:-1]
+ print('<- ' + cipher)
+ plaintext = crack_rot(cipher, expected)
+ print('-> ' + plaintext)
+ if 'character' in plaintext:
+ pos = int(plaintext[len('send back this line exactly. character '):].split(' ')[0])
+ c = plaintext.split('\'')[1]
+ flag = flag[:pos] + c + flag[pos + 1:]
+ print(flag)
+ s.send(plaintext + '\n')
+ data = s.recv(BUFFER_SIZE)
+
+print(flag.split('.')[0])
\ No newline at end of file
diff --git a/NahamCon_2020/Warmup.md b/NahamCon_2020/Warmup.md
new file mode 100644
index 0000000..a51e89f
--- /dev/null
+++ b/NahamCon_2020/Warmup.md
@@ -0,0 +1,147 @@
+# Warmup
+
+## Read The Rules
+```
+Please follow the rules for this CTF!
+
+Connect here:
+https://ctf.nahamcon.com/rules
+```
+In source code of rules pages, there is a comment:
+``` html
+
+
+```
+The flag is: `flag{we_hope_you_enjoy_the_game}`
+
+## CLIsay
+```
+cowsay is hiding something from us!
+
+Download the file below.
+Files: clisay
+```
+
+`clisay` is an ELF, we try to execute is and we get:
+```
+$ ./clisay
+ __________________________________
+/ Sorry, I'm not allow to reveal any \
+\ secrets... /
+ ----------------------------------
+ \ ^__^
+ \ (oo)\_______
+ (__)\ )\/\
+ ||----w |
+ || ||
+
+```
+With `strings` we get:
+```
+$ strings clisay
+[...]
+flag{Y0u_c4n_
+ __________________________________
+/ Sorry, I'm not allow to reveal any \
+\ secrets... /
+ ----------------------------------
+ \ ^__^
+ \ (oo)\_______
+ (__)\ )\/\
+ ||----w |
+ || ||
+r3Ad_M1nd5}
+[...]
+```
+
+The flag was hidden in the executable
+
+The flag is: `flag{Y0u_c4n_r3Ad_M1nd5}`
+
+## Metameme
+```
+Hacker memes. So meta.
+
+Download the file below.
+Files: hackermeme.jpg
+```
+
+We can see all metadatas with http://exif.regex.info/exif.cgi
+
+And we see a particular creator :D
+```
+XMP
+XMP: Toolkit Image::ExifTool 10.80
+Creator: flag{N0t_7h3_4cTuaL_Cr3At0r}
+```
+
+The flag is: `flag{N0t_7h3_4cTuaL_Cr3At0r}`
+
+## Mr. Robot
+```
+Elliot needs your help. You know what to do.
+
+Connect here:
+http://jh2i.com:50032
+```
+
+There is a basic website, nothing in source code, so we check the robots.txt file at `url/robots.txt` and we can read:
+```
+flag{welcome_to_robots.txt}
+```
+
+The flag is: `flag{welcome_to_robots.txt}`
+
+## UGGC
+```
+Become the admin!
+
+Connect here:
+http://jh2i.com:50018
+```
+On website, there is a login form with only unsername field and the message `Login as admin has been disabled`
+
+When we try to log with the username `username`, the message `Sorry, only admin can see the flag.` is show
+
+When we check cookies, we can see a cookie `user` with value `hfreanzr`
+
+`hfreanzr` is just `username` encrypt with `rot 13` algorithm
+
+Then, we replace the value of the cookie by `nqzva` (the `rot 13` of `admin`), refresh the page and the flag is displayed
+
+The flag is: `flag{H4cK_aLL_7H3_C0okI3s}`
+
+## Peter Rabbit
+```
+Little Peter Rabbit had a fly upon his nose, and he flipped it and he flapped it and it flew away!
+
+Download the file below.
+Files: peter.png
+```
+
+There is nothing hide in image
+
+But the colors let thought about Piet esolang: https://esolangs.org/wiki/Piet
+
+So, we execute the image with https://www.bertnase.de/npiet/npiet-execute.php
+
+And the program write the flag: `flag{ohhhpietwastherabbit}`
+
+## Pang
+```
+This file does not open!
+
+Download the file below.
+Files: pang
+```
+The file is a png file but we can't open it
+
+We execute string function on it to see if the file is another thing that a png file, and surprise !
+```
+$ strings pang
+[...]
+flag{wham_bam_thank_you_for_the_flag_maam}
+[...]
+```
+
+The flag is: `flag{wham_bam_thank_you_for_the_flag_maam}`
diff --git a/NahamCon_2020/Web.md b/NahamCon_2020/Web.md
new file mode 100644
index 0000000..2c383e2
--- /dev/null
+++ b/NahamCon_2020/Web.md
@@ -0,0 +1,41 @@
+# Web
+```
+They've given you a number, and taken away your name~
+
+Connect here:
+http://jh2i.com:50000
+```
+
+On website, it writes:
+```
+You don't look like our agent!
+We will only give our flag to our Agent 95! He is still running an old version of Windows...
+```
+
+Agent 95 ? Maybe its window 95 user-agent ?
+
+On https://en.wikipedia.org/wiki/User_agent we can see that the user-agent or Window95 is `Microsoft Internet Explorer/4.0b1 (Windows 95)`
+
+We access to the website with this user-agent and we can read the flag:
+```
+$ curl -h "^Cft Internet Explorer/4.0b1 (Windows 95ows 95)" http://jh2i.com:50000/
+[tom.rorato@linux Downloads]$ curl -H "User-Agent:Microsoft Internet Explorer/4.0b1 (Windows 95) " http://jh2i.com:50000/
+flag{user_agents_undercover}
+[...]
+```
+
+The flag is: `flag{user_agents_undercover}`
+
+## Localghost
+```
+BooOooOooOOoo! This spooOoOooky client-side cooOoOode sure is scary! What spoOoOoOoky secrets does he have in stooOoOoOore??
+
+Connect here:
+http://jh2i.com:50003
+
+Note, this flag is not in the usual format.
+```
+
+On website, the flag is stored on local storage, we can access to it in firefox with `inspect element`, go in `Storage` menu and in `Local Storage`
+
+The flag is: `JCTF{spoooooky_ghosts_in_storage}`