
NoHackNoCTF 2026 Writeup: 5 Challenges Solved (AES-CTR Nonce Reuse, ECDSA HNP via Unicode .lower(), Redis SSTI, ext4 Carving, EXIF OSINT)
NoHackNoCTF 2026 (NHNC) shipped a small but well-engineered set of challenges where every one of the five bugs pivots on a language-level or protocol-level detail that looks benign until it isn’t: AES-CTR reused with a constant nonce collapses into a one-time pad with a reused pad; an ECDSA nonce whose top 384 bits are SHA384(salt || account) becomes the Hidden Number Problem the moment two “distinct” users can be forced to sign under the same account, arranged by exploiting Python’s str.lower() returning a longer string on Turkish İ; /usr/bin/whois is a full TCP client whose -h HOST -p PORT flags turn a domain-lookup box into a Redis SSRF that writes an RDB snapshot into Flask’s template directory for Jinja2 SSTI; Firefox places.sqlite is a narrative artefact that leads through a Proton Drive share to an ext4 image whose unallocated blocks still hold a torn note’s untorn twin and a WZ-AES ZIP; and a single boarding-gate photograph carries enough EXIF, a legible aircraft registration, and enough background scenery to pin down one specific Jetstar Japan flight from Kansai to Taipei on May 5, 2026. ...