https://backdoor.sdslabs.co/challenges/NOOBHOME

This year, n00b finally decided to design some ctf challenges on his own, and has made his first simple challenge.

He takes regular compressed backups of his home folder (as is good practice), but he forgot to secure the backup.

Can you find the flag that he has hidden in the challenge?

http://hack.bckdr.in/NOOBHOME/noobhome.tar.gz

Hint: Look everywhere

Today, I will be walking through my process of solving noobhome, a simple forensics challenge.

Tools Used:

Windows OS
AccessData FTK Imager Lite
7Zip

_______________________________________________________________________________

First, I used 7Zip to unzip the archive.

This presents us with an ext4 file.

If you don’t know what ext4 is, it is the fourth extended file system, a file system commonly used by the Linux operating system.  Judging by the name of the challenge, it was likely that the image would contain noob’s home directory.

I decided to open the file in FTK Imager Lite.  Open FTK Imager Lite and select attach evidence.

Now you have to select the ext4 file.  For the source type, click image file.

Then you can browse to and select the ext4 file.

Okay, so the guess was correct.  You’ll be able to see noob’s home directory.

If you aren’t familiar with the Linux directory layout, I would suggest taking a look at it.  You can see noob’s home directory, which includes Documents, Downloads, Pictures, and more.

You can see there’s a directory called challenge.  This seemed interesting, so I took a look at it first.  Within it, there was a .cpp (C++) file.

As you can see inside this program file, it reads a file named flag.txt.

So that means we have to look for flag.txt.

It’s as simple as searching the directory; however, it turned out that flag.txt no longer existed.

Luckily, bash history exists!

Bash history is the record of commands previously run within a bash shell (similar to a Windows Command Prompt), kept in the .bash_history file in the user’s home directory.  The history is there so the user can easily see previous commands and save time typing.

In this bash history, you can see the user updated the OS and installed git and gcc.

They also made a directory called challenge, moved into the directory, downloaded a doc, listed out the directory, and more.

Then you’ll see that “cat flag.txt” was run.  cat prints the contents of files to the terminal and can also be used to combine and create text files.

And there we are, CTF{h1dden_h1story_c4n_b3_f0und}
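As an added example (not part of the original writeup), here is a small Python script that automates this last step: it walks an extracted home directory for shell history files, lists the commands that touched a given file name, and pulls out anything in the CTF{...} format. The directory layout, commands and flag value in build_sample_home() are constructed for the demo, not the challenge’s real data.

```python
import os
import re
import tempfile

HISTORY_NAMES = (".bash_history", ".zsh_history", ".sh_history")
FLAG_RE = re.compile(r"CTF\{[^}]*\}")  # flag format used by this CTF

def history_paths(root):
    """Yield every shell history file under root (e.g. the extracted home dir)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in HISTORY_NAMES:
                yield os.path.join(dirpath, name)

def commands_referencing(history_path, target):
    """Return (line_no, command) pairs for history lines that mention target."""
    with open(history_path, encoding="utf-8", errors="replace") as fh:
        return [(no, line.rstrip("\n")) for no, line in enumerate(fh, 1)
                if target in line]

def analyse(root, target="flag.txt"):
    """Map each history file (relative to root) to the commands touching
    target and to any flag-shaped string found anywhere in that file."""
    report = {}
    for path in history_paths(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            flags = FLAG_RE.findall(fh.read())
        report[os.path.relpath(path, root)] = {
            "hits": commands_referencing(path, target), "flags": flags}
    return report

def build_sample_home():
    """Constructed sample home directory; commands and flag value are made
    up to mirror the writeup's story, not the challenge's real data."""
    root = tempfile.mkdtemp(prefix="noobhome_")
    sample = [
        "sudo apt-get update",
        "mkdir challenge",
        "cd challenge",
        "echo 'CTF{constructed_sample_flag}' > flag.txt",
        "cat flag.txt",
        "rm flag.txt",  # file is gone, but the history still records it
    ]
    with open(os.path.join(root, ".bash_history"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(sample) + "\n")
    return root

if __name__ == "__main__":
    for name, info in analyse(build_sample_home()).items():
        print(name, info)
```

The same scan works as a quick audit of your own backups: secrets echoed into files or passed on a command line survive in shell history long after the file itself is deleted.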

Hopefully this post was useful and maybe gets you started in more forensics challenges or just learning more about Linux 🙂

Ashton-Drake, aka GameOfPWNZ, is an information security professional and enthusiast.  He is the owner of this blog.
