TCS HackQuest Season 9

How I got the Offer & My experience with the selection process

Credits: TCS Hackquest Competition

My experience with TCS HackQuest competition

TCS Hackquest is a CTF event organized by Tata Consultancy Services to recruit Final-year Undergraduate and Postgraduate students. TCS hires students in three categories

1. Ninja (Expected CTC: 3.5–4 LPA)
2. Digital (Expected CTC: 7–7.4 LPA)
3. Prime (Expected CTC: 9–11 LPA)

There are 3 Rounds — 2 CTF rounds, and 1 final interview round.

About Round 1

I don’t want to talk about this. The platform experience was terrible. I’ll just say that I got selected and moved on to Round 2, which was a proctored round.

Round 2

This is a proctored round, so I suggest preparing early. Before the competition, they’ll call you for an identity check, which can take around 5 to 10 minutes. Also, don’t expect the proctor to go easy on you.

Alright, let’s get into some challenges.

Challenge Title: Tere Bin QR

Flag: HQ9{854d8125cb72ef1e09b8358244f08031}

Approach (Step by Step):

1. I received a text file, 0–1.txt, in the challenge zip file.
2. Upon opening it, I found a string of 0s and 1s.
3. Since the challenge was related to QR codes, I assumed the binary data represented a QR code.
4. I wrote a simple Python script using the ‘opencv-python’ module to generate the QR code.
5. The output QR code contained the flag.

Code

import numpy as np
import cv2

binary_data = """
00000000000000000000000000000000000000000
...
"""

# Convert binary to a NumPy array
qr_matrix = np.array([[int(char) for char in line] for line in binary_data.strip().split("\n")], dtype=np.uint8) * 255

# Save as an image
cv2.imwrite("qr_code.png", qr_matrix)

Challenge Title: Shade Wars

Flag: HQ9{17a2698fb1b554851365129ff39bef5f}

Approach (Step by Step):

1. I received a QR image with low exposure in the upper-left corner and good exposure in the lower-right corner.
2. I immediately recognized it as an image manipulation challenge.
3. I opened the QR image in GIMP.
4. In the Hue-Saturation settings, I adjusted the Hue to 15.
5. After scanning the QR code, I retrieved the flag.

Challenge Title: Guardians of the display

Flag: HQ9{182f6cdee2c8f3a6f19679832e0d4d54}

Approach (Step by Step):

1. Upon opening the website, I noticed it was checking my screen resolution. So, I opened the Web Developer Tools.
2. In the Debugger, I found a file named script.js, which contained a condition checking if the screen width was greater than 3850 or the height was greater than 2170.
3. Using Responsive Design Mode, I modified my screen width and height accordingly and intercepted the check before the page reloaded.
4. This led me to discover another page: explore.html.
5. On that page, I found another script file: explore.js.
6. Inside explore.js, I noticed obfuscated code.
7. I decoded the obfuscated string using the fromCharCode() function in JS, which revealed the flag.

Challenge Title: Tolkein’s Secret

Flag: HQ9{bc28154a8a9fabe94422183965b9e9e4}

Approach (Step by Step):

1. I visited the website and intercepted the request.
2. The request contained a JWT token.
3. I used jwt.io to decode the token and found various data fields.
4. Among them, there was a parameter called role.
5. I changed its value from guest to admin.
6. This modification granted access and revealed the flag.

I managed to solve four challenges in this round. Twelve days later, I received an email stating that I had been shortlisted for the interview process. Shortly after, I also got a call from the TCS hiring team, confirming my shortlisting for the Ninja role interview.

Interview Process

I was called to a TCS office, which was just a 20-minute drive from my home. However, some candidates I met had traveled nearly 400 km to attend.

I had prepared basic cybersecurity interview questions in advance. The instructions asked me to arrive 15 minutes before my scheduled interview, but in reality, the interview took place four hours later than the allotted time.

Virtual Interview?

When I finally entered the interview room, I found a laptop set up with three people connected in a virtual meeting. I hadn’t expected this, as I never asked anyone about the interview format beforehand.

It was surprising, especially considering that many candidates had traveled from faraway places just to attend.

Well, Let’s get into Interview questions.

As expected, the first question was: “Tell us about yourself.”

I introduced myself and talked about my education, my internship experience, and my interest in cybersecurity.

Since I had some internship experience, most of the questions focused on my internships and the projects I worked on.

What is the difference between Pentesting and a Security Audit?
In Pentesting, we identify vulnerabilities and attempt to exploit them to assess the real-world impact.
In a Security Audit, we only identify vulnerabilities — no exploitation is involved.

How would you approach Pentesting in a web application?
I would start by enumerating the website to gather as much information as possible. This includes finding directories, subdomains, and identifying the tech stack used. Then, based on the information gathered during enumeration, I would look for vulnerabilities and attempt to exploit them.

(This was a tricky question since it could be interpreted in multiple ways.)
If you are not in the internal network, what would you need to conduct a Pentest?
At first, I was confused by this question, but the expected answer was: “We need a VPN connection to connect to the internal network to conduct a pentest when we are not in the internal network.”

After some repetitive questions and unengaging interactions, the HR took over. They had a set of predefined questions and asked them without really paying attention to my answers.

So, instead of discussing my responses, I’ll just list the questions I was asked.

1. Have you faced any problems while working in a team environment?
2. Why do you want to work in TCS?
3. Why are you planning to leave your current company?

There were two technical interviewers and one HR.

Midway through the interview, I started feeling exhausted — both from the repetitive questions (asked in different forms by the technical interviewers) and from the long wait before the interview even began.

By the time it was over, I wasn’t sure how well I had performed. I was just relieved that it was finally done.

My Thoughts

1. The CTF process was not well organized, and the platform was a real pain to deal with.
2. Most of the candidates you’ll meet in the interview process would have cleared both rounds through malpractice, often using Telegram groups.
3. Don’t panic during the interview. Just get your basics done — you are not expected to know everything, and it’s okay if you don’t have all the answers.
4. Before heading into the interview, review your CTF reports once. Some questions might be based on your approach to solving the CTF challenges.