Forensics challenges from n00bzCTF 2023

image

Almost…

Crack-&-Crack

image

So there was a password protected zip file, which I used this password cracker site to find the password of the zip file.

image

Using the password 1337h4x0r, unzip the zip file to get a password protected pdf file, which I used pdfcrack to crack the password which turned out to be noobmaster.

image

Opening the pdf file gives flag.

image

Flag: n00bz{CR4CK3D_4ND_CR4CK3D_1a4d2e5f}

Avengers

image

The given file had a binary value every second, which can be converted to ascii characters which gives the flag. This can be done using tesseract. But I decided to do it manually 💀. I used ffmpeg to split the video into frames using: ffmpeg.exe -ss 00:00:00 -t 00:00:00 -i flag.avi -qscale:v 2 -r 1 output_image-%3d.jpg

01101110 00110000 00110000 01100010 01111010 01111011 00110111 01101000 
00110001 01110011 01011111 00110001 01110011 01011111 00110100 01011111 
01110110 00110011 01110010 01111001 01011111 01101100 00110000 01101110 
01100111 01011111 01100110 01101100 00110100 01100111 01011111 01110011 
00110000 01011111 01110100 01101000 00110100 01110100 01011111 01111001 
00110000 01110101 01011111 01100011 00110100 01101110 01101110 00110000 
01110100 01011111 01110011 00110000 01101100 01110110 00110011 01011111 
00110111 01101000 00110011 01011111 01100011 01101000 00110100 01101100 
01101100 00110011 01101110 01100111 00110011 01011111 01101101 00110100 
01101110 01110101 00110100 01101100 01101100 01111001 01011111 01100010 
00110111 01110111 01011111 00110111 00110011 01110011 00110011 01110010 
00110100 01100011 00110111 01011111 00110001 01110011 01011111 00110100 
01011111 01110110 00110011 01110010 01111001 01011111 01100111 00110000 
00110000 01100100 01011111 01110100 00110000 00110000 01101100 00100001 
01111101

Decode it

image

Flag: n00bz{7h1s_1s_4_v3ry_l0ng_fl4g_s0_th4t_y0u_c4nn0t_s0lv3_7h3_ch4ll3ng3_m4nu4lly_b7w_73s3r4c7_1s_4_v3ry_g00d_t00l!}

QRazy-CSV

image

0,0
0,1
0,2
0,3
0,4
0,5
0,6
0,9
0,19
0,20
0,22
.
.
.

The given file and the title sugests that each coordinated in the csv is part of the qr code. I wrote a quick script using pygame to show the qr code.

import pygame

a = []
with open("secret.csv", "r") as f:
    for line in f.readlines():
        b = line.strip().split(",")
        b = [int(c) for c in b]
        a.append(b)

width,height = 300, 300
win = pygame.display.set_mode((width,height))
s = 10

r = 1
while r:
    win.fill((255,255,255))
    for event in pygame.event.get():
        if event.type == pygame.QUIT:
            r = 0

    for k in a:
        pygame.draw.rect(win,(0,0,0), (k[0]*s,k[1]*s,s,s))

    pygame.display.update()
    
pygame.quit()
exit()

image

Scan the qr code to get the flag.

Flag: n00bz{qr_c0d3_1n_4_csv_f1l3_w0w!!!}

Hecked

image

Looking at the network dump and following the first TCP stream:

image

Looking through the entire dump shows no other service with its version number other than vsFTPd 2.3.4 so that has to be it. Looking through more streams shows the attackers first command on the server.

image

So it is md5(vsFTPd_2.3.4_id) => a806fef72a92508b7a64776bb83ad4cb

image

Flag: n00bz{a806fef72a92508b7a64776bb83ad4cb}

LSB

image

Using steganography of lsb wavsteg

image

Flag: n00bz{L5B_1n_w4v_f1l3s?!!!}

BeepBop

image

Use SSTV to decode the wav file into the original image.

image

image

Flag: n00bz{beep_bop_you_found_me!}