NoobCTF 0x1 Write-up

Naveen Prakaasham K S V
4 min read · Jun 11, 2020

Hi everyone, this time our team of noobs, Schr0ding3r5, decided to participate in NoobCTF 0x1 and we finished in 52nd place with 1590 points. This is a write-up of the challenges we solved in this CTF. So, let's dive right in.

Welcome — 10 pts

This challenge tells us "Get me in Discord", so we looked around the CTF's Discord server for a while. We found the flag in two parts, in the profile descriptions of two of the authors.

Flag : noob{w3lc0m3_t0_n00N_CTF_Buddy}

Memory Forensic

In this section, we were provided with a Memory dump in ‘.raw’ format inside a zip file.

Mr. Pr0xy’s Gift :) — 10 pts

In this challenge, the flag was in a file called ‘flag.txt’ inside the zip file provided.

Flag : noob{Welcome_To_Memory_Forensic}

##Parent Process## — 80 pts

For this challenge we need a memory forensics tool, Volatility. We found a GUI for it, PassMark's Volatility Workbench, and used that for convenience.

Here, we are asked for the parent process ID of the Desktop Window Manager. A quick search online shows that the Desktop Window Manager is dwm.exe and that on Windows 7 its parent is an svchost.exe instance (the one hosting the Desktop Window Manager Session Manager service). On Windows 8 and later dwm.exe is started by winlogon.exe instead, so the expected parent depends on the Windows version the dump was taken from.

So, opening the dump in Volatility Workbench, we click Refresh Process List. It populates the list with the details of the processes in the memory dump.

Processes in the memory dump

We see the process "svchost.exe" displayed multiple times. One of them was the flag: the PPID column of the dwm.exe row tells you which one, so there is no need to guess among the svchost.exe instances.

Malicious Process — 100 pts

For this one, we are asked to find a malicious process in the memory dump. Looking through the process list from the previous challenge, we see a process named 'spmm.exe', which is not a name we recognise from a default Windows install. Running the malfind command against this process reports memory regions that look like injected code (executable, writable and not backed by a file on disk), which supports the process being malicious.

We submit the flag and see that it’s right.

Flag : noob{spmm.exe}
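As an added example (this is not code from the write-up or from Volatility), the same two questions can be answered from plain pslist text without the GUI: parse the process list, read the PPID of dwm.exe, and flag processes that are missing from a known-good baseline or have an unexpected parent. The pslist output, the PIDs and the process name spmm.exe below are constructed sample data, not the challenge dump.

```python
"""Added example, not part of the original write-up: build a process tree from
Volatility-style pslist output, find the parent of dwm.exe, and triage
processes that look out of place. PSLIST is constructed sample output; the
PIDs and the name spmm.exe are illustrative only."""

# Constructed Volatility 2 `pslist` output (Windows 7 style process names).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ---------------------- ----- ------ ------ -------- ------ ------ -------------------
0x8430c830 System                    4      0     91      530 ------      0 2020-06-05 10:00:01
0x85f3a8a0 smss.exe                260      4      2       29 ------      0 2020-06-05 10:00:01
0x86a2b030 csrss.exe               340    332      9      356      0      0 2020-06-05 10:00:02
0x86b0c4a8 wininit.exe             384    332      3       76      0      0 2020-06-05 10:00:02
0x86b3e030 winlogon.exe            424    376      3      112      1      0 2020-06-05 10:00:02
0x86b9c5e8 services.exe            480    384      8      213      0      0 2020-06-05 10:00:03
0x86c11a60 svchost.exe             640    480     10      350      0      0 2020-06-05 10:00:03
0x86c7e8b8 svchost.exe             812    480     22      478      0      0 2020-06-05 10:00:04
0x86ca8030 svchost.exe             900    480     18      402      0      0 2020-06-05 10:00:04
0x86d2f8a0 dwm.exe                1448    812      4       74      1      0 2020-06-05 10:00:07
0x86d61030 explorer.exe           1480   1464     22      720      1      0 2020-06-05 10:00:07
0x86e5c4d8 spmm.exe               2180   1480      6      140      1      0 2020-06-05 10:02:31
0x86e9f030 cmd.exe                2312   2180      1       21      1      0 2020-06-05 10:02:40
"""

# Windows 7 baseline of who normally starts whom. Processes whose usual parent
# has exited by the time the dump is taken (smss.exe for csrss/wininit/winlogon,
# userinit.exe for explorer.exe) can only be checked when that parent is present.
EXPECTED_PARENT = {
    "smss.exe": "System", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "svchost.exe": "services.exe",
    "dwm.exe": "svchost.exe", "explorer.exe": "userinit.exe",
}


def parse_pslist(text):
    """Return {pid: {"name", "pid", "ppid"}} from pslist text, skipping
    the column header and separator lines."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            name, pid, ppid = fields[1], int(fields[2]), int(fields[3])
        except ValueError:          # header or "-----" separator line
            continue
        procs[pid] = {"name": name, "pid": pid, "ppid": ppid}
    return procs


def parent_of(procs, name):
    """(parent_name, parent_pid) of the first process called `name`;
    parent_name is None when the parent is no longer in the dump."""
    for p in procs.values():
        if p["name"].lower() == name.lower():
            parent = procs.get(p["ppid"])
            return (parent["name"] if parent else None, p["ppid"])
    raise KeyError(name)


def ancestry(procs, pid):
    """Names from `pid` up to the root, stopping at a missing or looping parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def triage(procs):
    """Heuristic only: report names outside the baseline and baseline names
    with the wrong (still present) parent. Confirmation is malfind/dlllist."""
    findings = []
    for p in procs.values():
        name, parent = p["name"], procs.get(p["ppid"])
        if name == "System":
            continue
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            findings.append((name, p["pid"],
                             "not in baseline; chain " + " <- ".join(ancestry(procs, p["pid"]))))
        elif parent is not None and parent["name"] != expected:
            findings.append((name, p["pid"], f"parent is {parent['name']}, expected {expected}"))
    return findings


PROCS = parse_pslist(PSLIST)

if __name__ == "__main__":
    print("dwm.exe parent:", parent_of(PROCS, "dwm.exe"))
    for name, pid, why in triage(PROCS):
        print(f"{name} (PID {pid}): {why}")
```

On the sample data the parent of dwm.exe is the svchost.exe with PID 812, and triage flags spmm.exe together with the cmd.exe it spawned. That is a starting point for a closer look, not a verdict; malfind and dlllist are what actually confirm injection.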

Thanks To Sponsors — 7x50 = 350 pts

In this category, we were given 7 flags which were in the write-ups section of the TryHackMe rooms mentioned in the descriptions.

OSINT

Open S0urc3 — 150 pts

We go to virustotal.com and look at the subdomain details for the domain 'noobarmy.tech'. We see a subdomain called 'game.noobarmy.tech'. Looking at the DNS records of that subdomain, we find the flag.

Flag : noob{0s1nt_1s_c00l}

Miscellaneous

Pretty Good?? — 150 pts

The whistle-blower they're referring to here must be Edward Snowden, and the encryption used is Pretty Good Privacy, or simply PGP. We're given two files, message.pgp and secret-key.asc, which are the ciphertext and the private key respectively. We used a tool called PGP Tool to solve this one.

Decrypting a PGP message needs the secret key, and the secret key itself is protected by a passphrase. Since we don't have the passphrase, we use John the Ripper to crack it. The hash john attacks lives in the secret key file, not in the message, so we convert the key file to john's format with the following command.

gpg2john secret-key.asc > out

We use the following command to crack the passphrase using the wordlist 'rockyou.txt'.

john --wordlist=rockyou.txt out

John recovers the passphrase 'bubblegum'.

Now we load the key into PGP Tool, decrypt the message with the passphrase we just found and see the flag.

Flag : noob{Pgp_is_good_for_encryption}

Forensic

It’s easy — 50 pts

In this challenge, we are given a jpg file that doesn't open. We open the file in a hex editor.

We see that the file header is,

05 10 19 02 00 10 4A 46 49 46 00 01

instead of,

FF D8 FF E0 00 10 4A 46 49 46 00 01

Only the first four bytes were overwritten; the rest of the JFIF header (the APP0 segment length 00 10 and the 'JFIF' identifier 4A 46 49 46) is intact, so restoring FF D8 FF E0 is enough. We fix the header, the image opens, and we get the flag.

Flag : noob{1_t0ld_y0u_1ts_34sy}
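The same repair done in code, as an added example that is not part of the write-up: check whether the start-of-image marker is present and, if not, restore it based on the application-segment identifier at offset 6. It goes slightly beyond the JFIF case in the text by also handling Exif files (APP1 instead of APP0). The DAMAGED byte string is constructed to reproduce the header shown above; the bytes after the header are filler, not real image data.

```python
"""Added example, not part of the original write-up: detect a damaged JPEG
start-of-image marker and restore it when the rest of the header is intact.
DAMAGED below is a constructed byte string; only its first 12 bytes mirror
the header from the challenge, the rest is dummy filler."""
import sys

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
# Application segment that normally follows SOI, keyed by the identifier
# string found at offset 6. Exif is an assumption beyond the JFIF case in the text.
APP_MARKERS = {
    b"JFIF\x00": b"\xff\xe0",      # APP0
    b"Exif\x00\x00": b"\xff\xe1",  # APP1
}


def header_ok(data: bytes) -> bool:
    """True if the file starts with SOI followed by an APPn marker (FF E0..EF)."""
    return (len(data) >= 4 and data[:2] == SOI
            and data[2] == 0xFF and 0xE0 <= data[3] <= 0xEF)


def repair_header(data: bytes) -> bytes:
    """Return data with the first four bytes rewritten to SOI + APPn.

    The identifier at offset 6 decides which APPn marker belongs there. If no
    known identifier is present the damage reaches past the first four bytes,
    and guessing would only hide that, so raise instead."""
    if header_ok(data):
        return data
    for ident, marker in APP_MARKERS.items():
        if data[6:6 + len(ident)] == ident:
            return SOI + marker + data[4:]
    raise ValueError("no JFIF/Exif identifier at offset 6; header damage goes deeper")


def trailer_ok(data: bytes) -> bool:
    """JPEG files end with EOI; a missing one points at truncation, not the header."""
    return data.endswith(EOI)


# Constructed sample: the damaged 12-byte header from the write-up, a fake APP0
# body (version 1.1, aspect-ratio units, 1x1 density, no thumbnail), filler and EOI.
DAMAGED = (bytes.fromhex("05 10 19 02 00 10 4A 46 49 46 00 01")
           + bytes.fromhex("01 00 00 01 00 01 00 00")
           + b"\x00" * 16 + EOI)
REPAIRED = repair_header(DAMAGED)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python fixjpeg.py broken.jpg
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        fixed = repair_header(data)
        with open(sys.argv[1] + ".fixed.jpg", "wb") as f:
            f.write(fixed)
        print("header repaired; trailer ok:", trailer_ok(fixed))
    else:
        print("before:", DAMAGED[:12].hex(" "))
        print("after: ", REPAIRED[:12].hex(" "))
```

Writing the repaired bytes to a new file rather than in place keeps the original evidence untouched, which matters more in a real forensic case than in a CTF.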

Fine the tone — 250 pts

We have a wav file in this challenge. The sounds in the file are DTMF tones, the tones a keypad phone plays when you dial. We used an online tool to decode the numbers dialled as '99966688466688443386666633'. The digits spell a message in old-style SMS multi-tap input (press 2 once for A, twice for B, three times for C, and so on), so we used another online tool to decode the text typed on the keypad and got the flag. Note that the digit string on its own is ambiguous ('88' could be U or TT); the pauses between presses in the recording are what separate one letter from the next.

Flag : noob{YOUGOTTHETONE}

Crypto

Frequency — 250 pts

For this challenge, we are given a set of frequencies, which we recognised as DTMF (Dual-Tone Multi-Frequency) pairs from the recon we did for "Fine the tone". Each pair of one low (697 to 941 Hz) and one high (1209 to 1633 Hz) frequency selects a single key on the keypad. We used an online tool to decode them and got '4433555555666386333'. We used the SMS Multi-Tap Decoder to decode that and got the flag.

Flag : noob{HELLODTMF}
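Both the "Fine the tone" and "Frequency" challenges come down to the same two steps, so here is one added example for both (this is not code from the write-up or from the online tools used): map each (low, high) frequency pair to a keypad digit, then turn the timed key presses into letters with multi-tap decoding. Since the recording and the frequency list are not reproduced here, the tone events are constructed from a dial script by a small helper; the tone lengths, gaps and the 3.5% frequency tolerance are assumptions, not values measured from the challenge files.

```python
"""Added example, not part of the original write-up: DTMF frequency pairs ->
keypad digits -> SMS multi-tap text. Tone events are constructed from a dial
script standing in for the WAV / frequency list; timings are assumptions."""

LOW = (697, 770, 852, 941)          # row frequencies, Hz
HIGH = (1209, 1336, 1477, 1633)     # column frequencies, Hz
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
MULTITAP = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL", "6": "MNO",
            "7": "PQRS", "8": "TUV", "9": "WXYZ", "0": " "}


def dtmf_key(f1, f2, tolerance=0.035):
    """Map a (low, high) frequency pair to its keypad symbol. Each frequency must
    lie within `tolerance` (assumed 3.5%) of a nominal tone or the pair is rejected."""
    lo, hi = sorted((f1, f2))

    def nearest(f, table):
        best = min(range(len(table)), key=lambda i: abs(table[i] - f))
        if abs(table[best] - f) / table[best] > tolerance:
            raise ValueError(f"{f} Hz is not a DTMF tone")
        return best

    return KEYPAD[nearest(lo, LOW)][nearest(hi, HIGH)]


def multitap_decode(presses, gap=0.5):
    """presses: ordered list of (key, start_s, end_s).

    Presses of the same key closer than `gap` seconds step through that key's
    letters; a longer pause, or a different key, commits the letter. Without
    the timing the digit string alone is ambiguous ('88' is U or TT)."""
    groups = []                       # [key, press count]
    last_key = last_end = None
    for key, start, end in presses:
        if groups and key == last_key and start - last_end < gap:
            groups[-1][1] += 1
        else:
            groups.append([key, 1])
        last_key, last_end = key, end
    text = []
    for key, count in groups:
        letters = MULTITAP.get(key)
        if letters is None:
            raise ValueError(f"key {key} carries no letters")
        text.append(letters[(count - 1) % len(letters)])
    return "".join(text)


def key_to_freqs(key):
    for r, row in enumerate(KEYPAD):
        if key in row:
            return LOW[r], HIGH[row.index(key)]
    raise ValueError(key)


def script_to_events(script, tone=0.1, tap_gap=0.1, letter_gap=0.8):
    """Constructed stand-in for the recording: '44 33 555' becomes timed
    (low_hz, high_hz, start, end) events, short gaps inside a letter and a
    longer pause between letters."""
    events, t = [], 0.0
    for letter in script.split():
        for key in letter:
            lo, hi = key_to_freqs(key)
            events.append((lo, hi, t, t + tone))
            t += tone + tap_gap
        t += letter_gap - tap_gap
    return events


def digits_of(events):
    """Just the dialled digits, as the first online tool in the text returned them."""
    return "".join(dtmf_key(lo, hi) for lo, hi, _, _ in events)


def decode_events(events, gap=0.5):
    """Frequency pairs with timing -> digits -> text."""
    presses = [(dtmf_key(lo, hi), start, end) for lo, hi, start, end in events]
    return multitap_decode(presses, gap)


# Constructed dial scripts that reproduce the two digit strings in the write-up.
TONE_SCRIPT = "999 666 88 4 666 8 8 44 33 8 666 66 33"
FREQ_SCRIPT = "44 33 555 555 666 3 8 6 333"

if __name__ == "__main__":
    for script in (TONE_SCRIPT, FREQ_SCRIPT):
        ev = script_to_events(script)
        print(digits_of(ev), "->", decode_events(ev))
```

The `gap` threshold is the whole trick: "88" with a 0.1 s pause between the presses is one letter (U), the same two presses 0.8 s apart are two letters (TT). When you only have the digit string, as the second online tool does, you are guessing at that grouping.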

Aar_Ess_Ae 2.0 — 200 pts

This one is a standard RSA decryption challenge. We used RsaCtfTool, which runs a battery of known attacks against the public key and ciphertext, and got the flag.

Flag : noob{Primes_Can_B3_Saxy_T00}
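The write-up does not say which attack RsaCtfTool used, so as an added example (not the tool's code and not the challenge's numbers) here is one of the checks it automates: Fermat factorisation, which recovers p and q quickly whenever they are close together, followed by the usual private-key computation. The primes, exponent and plaintext below are constructed and deliberately tiny; a real challenge modulus would be hundreds of digits.

```python
"""Added example, not part of the original write-up: Fermat factorisation of an
RSA modulus with close primes, then decryption. Key values are constructed toy
numbers, not the challenge's. Needs Python 3.8+ for pow(e, -1, phi)."""
import math


def fermat_factor(n, max_steps=1_000_000):
    """Write n = a^2 - b^2 = (a - b)(a + b), starting from a = ceil(sqrt(n)).

    If p and q are close, a reaches (p + q) / 2 after a few steps. If they are
    not, this gives up after `max_steps` so the caller can try other attacks
    instead of spinning forever."""
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    raise ValueError("p and q are not close enough for Fermat's method")


def rsa_private_exponent(e, p, q):
    """d = e^-1 mod (p-1)(q-1); raises ValueError if e is not invertible."""
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_decrypt(n, e, c):
    """Factor n, derive d, and return the plaintext bytes."""
    p, q = fermat_factor(n)
    d = rsa_private_exponent(e, p, q)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed toy key: two primes only 2 apart, the usual e = 65537, and a
# ciphertext produced here from a short plaintext (the challenge flag is not used).
P, Q = 1_000_000_007, 1_000_000_009
N, E = P * Q, 65537
PLAINTEXT = b"fermat!"
CIPHERTEXT = pow(int.from_bytes(PLAINTEXT, "big"), E, N)

if __name__ == "__main__":
    print("n =", N, "factors as", fermat_factor(N))
    print("decrypted:", rsa_decrypt(N, E, CIPHERTEXT))
```

Fermat's method finds these factors on the very first step because (p + q) / 2 is already the ceiling of sqrt(n). When the primes were generated independently it never terminates in practice, which is why tools like RsaCtfTool bound the search and fall through to the next attack.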

And, that’s the end!

If you liked it, drop some claps.

And follow us on Twitter : https://twitter.com/schr0ding3r5
