osint/the-gang-[1-4]
100, 412, 486, and 492 points
Writeup by Aryan
A four-part OSINT challenge! We have to track down a person called John Doe.
We're told that John Doe has been suspected of creating a gang, and the members of team n00bzUnit3d also seem associated with it. A hint is provided stating that the team website might help.
We google up n00bzun1t3d team, which gives us their CTFTime. Their website is linked to their CTFTime. Upon going to the website, we see a members tab, and click through all the members until we find John Doe.
Flag: n00bz{1ts_051N7_71m3_3e4a7d6f}
All we're told is that John Doe has left us with a riddle, and we need to find some more secrets.
Funny story here -- we found the flag two hours before the challenge was released.
Storytime (skip if you don't care): two hours before the second wave, we had solved all the challenges besides blockchain/shop. Some of our teammates said they had a potential solve, so I left them to do their thing and waited for the second wave.
A teammate sent a screenshot in our CTF group chat of a message by NoobMaster saying that the "annual dose of john doe challs" was coming out soon, which motivated me to do some early digging -- after all, social media OSINT (aka SOCMINT) challenges have to be set up prior to release.
I found something suspicious in the Who Am I? article under John Doe's n00bzun1t3d profile.
It was an acrostic! The lines spelled out USERNAME IS JOHN HACKER DOE, giving us our next hint. Looking up JohnHackerDoe on X (by intuition, because X is where most SOCMINT challenges are), we find this Twitter account with our second flag.
We were actually slightly worried that we'd get disqualified, but turns out admins were fine with it, so we just went with the flow.
Flag: n00bz{5t0p_ch4s1ng_m3_4f2d1a7d}
John Doe has another tweet giving us some information.
Looks like we have to decrypt some text with AES-GCM. On CyberChef, AES-GCM decryption has five input fields: the ciphertext (obviously), the key, the IV, a GCM tag, and additional authenticated data.
We're given the ciphertext, but we'll have to do some digging for the key and IV. Last year's n00bzCTF had a John Doe challenge with the IV key YouCanNeverCatchJohnDoe!, which we can find by going to the n00bzCTF 2023 writeups. Similarly, in n00bzCTF 2022, there was a John Doe challenge with coordinates 46.720, 33.154, which we can find by going to the n00bzCTF 2022 writeups.
Now that we have our key and IV, we just need to figure out what the additional hex string is. There are only two input fields left -- the GCM tag and additional authenticated data. Using trial and error, we can conclude the input string is our GCM tag.
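The trial and error above, as an added example that is not part of the original writeup: GCM decryption cannot succeed without the tag, while additional authenticated data is optional, so a lone extra hex string beside the ciphertext only works in the tag field. The key, IV, plaintext and the helper names (`makeChallenge`, `tryDecrypt`, `identifyField`) are constructed for illustration and are not the challenge's values.

```javascript
const crypto = require('crypto');

// Constructed sample values: NOT the challenge's key, IV or ciphertext.
const KEY = Buffer.from('constructed-demo-key-32-bytes!!!', 'utf8'); // 32 bytes, AES-256
const IV = Buffer.from('demo-iv-0001', 'utf8');                      // 12 bytes

// Stand-in for the challenge author: returns the ciphertext plus one
// unlabelled hex string, which is how the tweet presented its values.
function makeChallenge(plaintext) {
  const c = crypto.createCipheriv('aes-256-gcm', KEY, IV);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { ct, extraHex: c.getAuthTag().toString('hex') };
}

// Quick plausibility check: GCM tags are 4, 8 or 12 to 16 bytes long.
function looksLikeGcmTag(hex) {
  const n = hex.length / 2;
  return /^([0-9a-f]{2})+$/i.test(hex) && (n === 4 || n === 8 || (n >= 12 && n <= 16));
}

// Authenticated decryption; returns the plaintext, or null when the tag check fails.
function tryDecrypt(ct, tag, aad) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', KEY, IV);
    d.setAuthTag(tag);
    if (aad) d.setAAD(aad);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Try the unlabelled string in each remaining field, as in the trial and error above.
function identifyField(ct, extraHex) {
  const extra = Buffer.from(extraHex, 'hex');
  if (looksLikeGcmTag(extraHex) && tryDecrypt(ct, extra, null) !== null) return 'tag';
  // Assumption: with the string used as AAD, the tag field holds a zero placeholder.
  if (tryDecrypt(ct, Buffer.alloc(16), extra) !== null) return 'aad';
  return 'neither';
}

const demo = makeChallenge('constructed plaintext');
console.log(identifyField(demo.ct, demo.extraHex));
```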
Decrypting the string gives us a link to a Discord server. Upon joining it, we see conversations from three people: John Doe, NoobHacker, and Censored1375. They give some pretty obvious hints about the location of the meetup (which is what we're trying to find).
We google up Bengaluru airport and find the Kempegowda International Airport, meaning our statue is the Kempegowda statue. We can verify that the statue is roughly 110 feet tall with a quick Google search. From here, we find the place on Google Maps and get the coordinates.
Flag: n00bz{13.199,77.682}
We have to find some specifics regarding John Doe's flight. Here's the flag format:
n00bz{DateOfFlight(DD/MM/YYYY)_FlightNumber_IATAairportCodeOfDeparture_IATAairportCodeofArrival_ACTUALtimeOfDeparture_ACTUALtimeOfArrival_GateofDeparture_AirplaneModel}
That's a lot to find, but most of it is fairly simple to figure out. We start by using the hints in the Discord; it turns out a few messages give everything away. There is more conversation, but this is all we need.
We know John Doe is leaving from the Delhi Airport (code DEL) and arriving in the Kempegowda Airport (code BLR). Furthermore, the day of the flight is on August 3rd, 2024. Using this online flight tracker, we can find the flight number to be AI506.
Once we get the flight number, we can look up the flight status on Air India's website to get the type of airplane, departure and arrival time, and gate of departure.
Unfortunately, I procrastinated my writeups, and now I can't post pictures detailing the process since both websites I used only let you look up flights from up to two days ago -- it's August 15th at the time of writing this.
Flag: n00bz{03/08/2024_AI506_DEL_BLR_10:03_12:44_30_AirbusA350-900}