NoobCTF 0x1 Write-up
Hi everyone, this time our team of noobs, Schr0ding3r5, decided to participate in NoobCTF 0x1 and we got 52nd place with 1590 points. This is a write-up of the challenges we solved in this CTF. So, let's dive right in.
Welcome — 10 pts
This challenge tells us “Get me in Discord”. So we looked around the CTF’s Discord server for a while and found the flag in two parts, in the profile descriptions of two of the authors.
Flag : noob{w3lc0m3_t0_n00N_CTF_Buddy}
Memory Forensic
In this section, we were provided with a Memory dump in ‘.raw’ format inside a zip file.
Mr. Pr0xy’s Gift :) — 10 pts
In this challenge, the flag was in a file called ‘flag.txt’ inside the zip file provided.
Flag : noob{Welcome_To_Memory_Forensic}
##Parent Process## — 80 pts
For this challenge we need the memory forensics framework Volatility. We found a GUI front-end for it, PassMark’s Volatility Workbench, and used that for convenience.
Here we are asked for the parent process ID of the Desktop Window Manager. A quick search shows that the Desktop Window Manager is dwm.exe and that on Windows 7 its parent is an svchost.exe instance (the one hosting the UxSms service). On Windows 10 it is started by winlogon.exe instead, so the Windows version of the dump matters.
So, after opening the dump in Volatility Workbench, we click Refresh Process List, which runs pslist and displays the processes in the memory dump together with their PIDs and PPIDs.
svchost.exe appears multiple times, so the name alone does not identify the parent. The PPID column of the dwm.exe row points at exactly one of those svchost.exe instances, and that PID is the flag.
Malicious Process — 100 pts
For this one we are asked to find a malicious process in the memory dump. Looking through the process list from the previous step, we spot a process named ‘spmm.exe’, which is not a name we recognise from a standard Windows install. We ran the malfind command against that PID; malfind reports private memory regions that are both writable and executable (PAGE_EXECUTE_READWRITE) and dumps their first bytes, and here it showed an injected code region, so the process is likely malicious. Unfamiliar names are only a starting point, and malfind can flag benign JIT or packer regions, so the two checks together are what make the call.
We submitted the name as the flag and it was correct.
Flag : noob{spmm.exe}
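The two memory challenges above come down to reading pslist output: look up a process’s PPID, resolve it to a name, and pick out processes whose name or parent does not fit a normal Windows boot. The script below is an added example, not code from the write-up, Volatility or Volatility Workbench. The pslist rows it parses are constructed to mimic Volatility 2’s Windows 7 column layout (offsets, PIDs, handle counts and timestamps are invented), and the expected-parent table and baseline name list are assumptions for Windows 7 (on Windows 10 dwm.exe is a child of winlogon.exe, which the table also accepts).

```python
"""Parent lookup and lineage checks over Volatility 2 pslist output.

Added example with constructed data; the rows below are not from the
challenge dump.
"""
import re

# Constructed pslist excerpt in Volatility 2's Windows 7 column layout.
# Offsets, PIDs, handle counts and timestamps are invented.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9a040 System                    4      0     85      503 ------      0 2020-06-01 10:00:00 UTC+0000
0xfffffa8001a1b060 wininit.exe             380    340      3       76      0      0 2020-06-01 10:00:05 UTC+0000
0xfffffa8001a3c070 services.exe            480    380      8      210      0      0 2020-06-01 10:00:06 UTC+0000
0xfffffa8001a4d080 lsass.exe               496    380      7      560      0      0 2020-06-01 10:00:06 UTC+0000
0xfffffa8001b5e090 svchost.exe             604    480     10      350      0      0 2020-06-01 10:00:07 UTC+0000
0xfffffa8001b6f0a0 svchost.exe             716    480     21      480      0      0 2020-06-01 10:00:07 UTC+0000
0xfffffa8001c700b0 svchost.exe             840    480     12      300      1      0 2020-06-01 10:00:08 UTC+0000
0xfffffa8001d810c0 winlogon.exe            420    360      4      120      1      0 2020-06-01 10:00:05 UTC+0000
0xfffffa8001e920d0 dwm.exe                1280    840      5      140      1      0 2020-06-01 10:00:20 UTC+0000
0xfffffa8001fa30e0 explorer.exe           1320   1296     30      900      1      0 2020-06-01 10:00:21 UTC+0000
0xfffffa80020b40f0 spmm.exe               2044   1320      2       60      1      0 2020-06-01 10:05:00 UTC+0000
"""

# A data row starts with the virtual offset, then name, PID, PPID.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")


def parse_pslist(text):
    """Return {pid: {"name": ..., "ppid": ...}}; header/separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _offset, name, pid, ppid = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid)}
    return procs


def parent_pid(procs, name):
    """(pid, ppid, parent name) for every process called `name`.

    parent name is None when the parent is not in the list (already exited).
    """
    out = []
    for pid, p in procs.items():
        if p["name"].lower() == name.lower():
            parent = procs.get(p["ppid"])
            out.append((pid, p["ppid"], parent["name"] if parent else None))
    return out


# Assumed normal parents for core Windows 7 processes (dwm.exe also accepts
# winlogon.exe, which is its parent on Windows 10).
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "dwm.exe": {"svchost.exe", "winlogon.exe"},
}

# Assumed baseline of names seen on a clean Windows 7 box; anything else is
# a candidate to run malfind against, not proof of anything.
KNOWN_NAMES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "dwm.exe",
    "explorer.exe", "taskhost.exe", "spoolsv.exe",
}


def lineage_anomalies(procs):
    """Processes whose parent is not one of the expected ones."""
    bad = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if expected is None:
            continue
        parent = procs.get(p["ppid"])
        pname = parent["name"].lower() if parent else "<exited>"
        if pname not in expected:
            bad.append((pid, p["name"], pname))
    return bad


def malfind_candidates(procs):
    """Sorted names that are not in the baseline: first targets for malfind."""
    return sorted({p["name"] for p in procs.values()
                   if p["name"].lower() not in KNOWN_NAMES})


PROCS = parse_pslist(PSLIST_OUTPUT)

if __name__ == "__main__":
    print("dwm.exe parent:", parent_pid(PROCS, "dwm.exe"))
    print("lineage anomalies:", lineage_anomalies(PROCS))
    print("run malfind on:", malfind_candidates(PROCS))
```

With a real dump the text comes from `vol.py -f dump.raw --profile=<profile> pslist`, and the candidates then go to `vol.py -f dump.raw --profile=<profile> malfind -p <pid>`; Volatility 3 prints its columns in a different order (PID, PPID, ImageFileName first), so the regex would need adjusting there.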
Thanks To Sponsors — 7x50 = 350 pts
In this category, we were given 7 flags, which were in the write-ups section of the TryHackMe rooms mentioned in the challenge descriptions.
OSINT
Open S0urc3 — 150 pts
We go to virustotal.com and look at the sub-domain details for the domain ‘noobarmy.tech’. We see a sub-domain called ‘game.noobarmy.tech’, and in the DNS records of that sub-domain we find the flag.
Flag : noob{0s1nt_1s_c00l}
Miscellaneous
Pretty Good?? — 150 pts
The whistle-blower they are referring to must be Edward Snowden, and the encryption is Pretty Good Privacy, or simply PGP. We are given two files, message.pgp and secret-key.asc, which are the ciphertext and the secret key respectively. We used a tool called PGP Tool to solve this one.
Decrypting the message requires, in addition to the secret key, the passphrase that protects it. Since we don’t have the passphrase, we use John the Ripper to crack it. gpg2john extracts the passphrase hash (the S2K salt, iteration count and the encrypted key material) from the secret key file, not from the message, so we convert secret-key.asc to John’s format:
gpg2john secret-key.asc > out
We then crack the passphrase with the wordlist ‘rockyou.txt’:
john --wordlist=rockyou.txt out
John finds the passphrase ‘bubblegum’.
Now we decrypt the message in PGP Tool using the passphrase we just found and see the flag.
Flag : noob{Pgp_is_good_for_encryption}
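What gpg2john hands to John, and what John then grinds through the wordlist, is the OpenPGP string-to-key (S2K) derivation from RFC 4880 section 3.7.1.3: salt plus passphrase, repeated up to a decoded byte count and hashed, with extra zero-preloaded hash contexts when the cipher key is longer than one digest. The script below is an added example, not code from the write-up, John or GnuPG. It stops at the key derivation and compares each candidate key with the key derived from the real passphrase (constructed here), instead of running the AES-CFB decryption and checksum check that GnuPG and John perform on the key packet, which would need a cipher library outside the standard library. The salt, coded count and wordlist are constructed.

```python
"""Dictionary attack on an OpenPGP iterated+salted S2K passphrase.

Added example; the S2K parameters and wordlist are constructed and the
verification step is simplified (see lead-in).
"""
import hashlib


def s2k_count(coded):
    """Decode the one-byte coded iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase, salt, coded_count, hash_name="sha1", key_len=16):
    """Derive key_len bytes from passphrase and an 8-byte salt.

    count bytes of (salt || passphrase), repeated, go through the hash; if
    count is shorter than salt || passphrase, one full copy is hashed.  When
    more than one digest is needed, the n-th hash context is preloaded with
    n zero bytes so the contexts produce different output.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 bytes")
    count = s2k_count(coded_count)
    data = salt + passphrase
    total = max(count, len(data))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)
        reps, rem = divmod(total, len(data))
        for _ in range(reps):
            h.update(data)
        h.update(data[:rem])
        out += h.digest()
        ctx += 1
    return out[:key_len]


# Constructed parameters standing in for what gpg2john reads out of
# secret-key.asc: SHA-1, an 8-byte salt, coded count 0x60 (65536 bytes),
# and an AES-256 key, which needs two SHA-1 contexts.
SALT = bytes.fromhex("0123456789abcdef")
CODED_COUNT = 0x60
KEY_LEN = 32
# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "bubblegum", "qwerty"]
# Stand-in for "the key that decrypts the secret key material": derived
# from the passphrase the challenge used.
TARGET_KEY = s2k_iterated_salted(b"bubblegum", SALT, CODED_COUNT, "sha1", KEY_LEN)


def crack(target_key, salt, coded_count, wordlist, hash_name="sha1", key_len=KEY_LEN):
    """Return the first wordlist entry whose derived key matches, else None."""
    for word in wordlist:
        cand = word.strip()
        key = s2k_iterated_salted(cand.encode(), salt, coded_count, hash_name, key_len)
        if key == target_key:
            return cand
    return None


def demo():
    return crack(TARGET_KEY, SALT, CODED_COUNT, WORDLIST)


if __name__ == "__main__":
    print("iteration bytes:", s2k_count(CODED_COUNT))
    print("passphrase:", demo())
```

The decoded count is why GnuPG calibrates it upwards on modern machines (the maximum, coded 0xFF, is 65011712 bytes per guess): every wordlist entry costs that much hashing, which is the only thing slowing John down once the hash is out of the key file.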
Forensic
It’s easy — 50 pts
In this challenge we get a jpg file that doesn’t open, so we open it in a hex editor.
We see that the file starts with,
05 10 19 02 00 10 4A 46 49 46 00 01
instead of,
FF D8 FF E0 00 10 4A 46 49 46 00 01
The JPEG Start of Image marker (FF D8) and the APP0 marker (FF E0) that introduces the JFIF segment have been overwritten, while the segment length (00 10) and the JFIF identifier (4A 46 49 46 00) right after them are intact, which tells us exactly what belongs in the first four bytes. We restore them, the image opens, and it shows the flag.
Flag : noob{1_t0ld_y0u_1ts_34sy}
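The repair above is the kind of thing worth scripting once, since the same pattern (markers zeroed, the rest of the segment untouched) shows up in many forensics challenges. The script below is an added example, not from the write-up. The bytes it works on are constructed: the twelve bytes the hex editor showed, followed by a dummy remainder of the APP0 segment and an EOI marker, with no real image data. It also checks a few other file signatures first, because a “jpg” that will not open is sometimes just a mislabelled file rather than a corrupted one.

```python
"""Diagnose and repair a JPEG whose SOI/APP0 markers were overwritten.

Added example with constructed bytes, not the challenge file.
"""

SOI, APP0 = b"\xff\xd8", b"\xff\xe0"
SOS, EOI = 0xDA, 0xD9
JFIF_ID = b"JFIF\x00"

# File signatures to check before assuming the header is corrupt.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def identify(data):
    """Return the file type by signature, or None if nothing matches."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


# Constructed file: the 12 bytes from the write-up, then the rest of a
# 16-byte APP0 body (version 1.1, no density units, 1x1, no thumbnail),
# then EOI.  A real file would carry more segments and scan data.
BROKEN = (
    bytes.fromhex("05101902")            # should be FF D8 FF E0
    + bytes.fromhex("0010")              # APP0 length 16, intact
    + JFIF_ID + bytes.fromhex("0101")    # "JFIF\0", version 1.1
    + bytes.fromhex("00000100010000")    # units, Xdensity, Ydensity, thumb w/h
    + bytes([0xFF, EOI])
)


def diagnose(data):
    """List what is wrong with the first bytes of a supposed JFIF file."""
    problems = []
    if data[:2] != SOI:
        problems.append("no SOI (FF D8) at offset 0")
    if data[2:4] != APP0:
        problems.append("no APP0 (FF E0) at offset 2")
    if data[6:11] != JFIF_ID:
        problems.append("no JFIF identifier at offset 6")
    return problems


def repair_jfif_header(data):
    """Restore SOI + APP0 when the JFIF identifier proves an APP0 segment is there.

    Refuses otherwise: without the identifier the fix would be a guess.
    """
    if data[6:11] != JFIF_ID:
        raise ValueError("no JFIF identifier at offset 6; not a plain JFIF header")
    if int.from_bytes(data[4:6], "big") < 16:
        raise ValueError("APP0 length too small for a JFIF segment")
    return SOI + APP0 + data[4:]


def segments(data):
    """Walk the marker segments after SOI as (marker, length) pairs.

    Stops at SOS, because entropy-coded data with no length field follows it.
    Raises if a marker is not where the lengths say it should be, which is
    how a bad repair shows up.
    """
    if data[:2] != SOI:
        raise ValueError("no SOI")
    pos, out = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            out.append((marker, 0))
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        out.append((marker, length))
        if marker == SOS:
            break
        pos += 2 + length
    return out


if __name__ == "__main__":
    print("type:", identify(BROKEN), "problems:", diagnose(BROKEN))
    fixed = repair_jfif_header(BROKEN)
    print("type:", identify(fixed), "segments:", segments(fixed))
```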
Fine the tone — 250 pts
We have a wav file in this challenge. The sounds in it are the dial tones of a keypad phone, i.e. DTMF. We used an online tool to decode the keys pressed as ‘99966688466688443386666633’, then another online tool to decode the text as typed on a phone keypad (multi-tap) and got the flag. Note that the digit string on its own is ambiguous: the second ‘88’ reads as U or as TT, and only the latter gives a sensible phrase, so the decoder’s first answer has to be sanity-checked by eye.
Flag : noob{YOUGOTTHETONE}
Crypto
Frequency — 250 pts
For this challenge we are given a set of frequency pairs, which we recognised as DTMF (Dual-Tone Multi-Frequency) from the recon we did for “Fine the tone”. We used an online tool to map them to keys and got ‘4433555555666386333’, then the SMS Multi-Tap Decoder to turn that into text and got the flag.
Flag : noob{HELLODTMF}
Aar_Ess_Ae 2.0 — 200 pts
This one is a standard RSA decryption challenge. We used RsaCtfTool, which runs a list of known attacks against the public key (small or close primes, shared factors, small exponents and so on) and recovers the private key, to decrypt the ciphertext and got the flag.
Flag : noob{Primes_Can_B3_Saxy_T00}
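The write-up does not say which of its attacks RsaCtfTool succeeded with, so the script below is an added example of just one of them, not RsaCtfTool’s code and not the challenge’s numbers: Fermat factorisation, which breaks n = p·q whenever p and q are close together, followed by the textbook recovery of d and decryption. The parameters are constructed (p and q are the consecutive primes 104723 and 104729, e = 65537, plaintext b"hi"), small enough to read but large enough that the loop has to work.

```python
"""Fermat factorisation of an RSA modulus with close primes, then decryption.

Added example with constructed parameters; not the challenge's key.
"""
from math import gcd, isqrt


def fermat_factor(n, max_iter=1_000_000):
    """Find p, q with n = p*q by writing n = a^2 - b^2 = (a-b)(a+b).

    Starts at a = ceil(sqrt(n)); each step increases a by one, so the number
    of steps is about (sqrt(p) - sqrt(q))^2 / 2: instant when the primes are
    close, hopeless when they are not.  Returns None when max_iter is hit.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2 and a - b > 1:
            return a - b, a + b
        a += 1
    return None


def private_exponent(p, q, e):
    """d = e^-1 mod phi(n); needs Python 3.8+ for pow(e, -1, m)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def rsa_decrypt(c, d, n):
    """Textbook RSA: m = c^d mod n, returned as big-endian bytes."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed key: consecutive primes, so Fermat finds them on the first step.
P, Q = 104723, 104729
N, E = P * Q, 65537
M = b"hi"                                  # must encode to an integer < N
C = pow(int.from_bytes(M, "big"), E, N)    # what the challenge would hand out


def recover_plaintext(n=N, e=E, c=C):
    """The whole attack from public key and ciphertext to plaintext."""
    factors = fermat_factor(n)
    if factors is None:
        raise ValueError("primes too far apart for Fermat; try another attack")
    p, q = factors
    return rsa_decrypt(c, private_exponent(p, q, e), n)


if __name__ == "__main__":
    print("n =", N, "factors:", fermat_factor(N))
    print("plaintext:", recover_plaintext())
```

RsaCtfTool tries this alongside its other attacks (small-factor trial division, common factors across several keys, Wiener for small d, and more), which is why it is the first thing to run on an unknown key; when every attack fails, the primes were chosen properly and the challenge lies somewhere else.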
And that’s the end!
If you liked it, drop some claps.
And follow us on Twitter : https://twitter.com/schr0ding3r5