Write-Up: DEFCON 25 Recon Village OSINT CTF

Filter by category:

CTF
DefCon25
OSINT
ReconVillage
Write-Up
August 1, 2017 by G123N1NJ4
DEFCON_25_Recon_Village_OSINT_CTF
This blogpost is a write-up of some online challenges we managed to solve during the DEFCON 25 Recon Village OSINT CTF.
This OSINT CTF is hosted by the Recon Village which is an Open Space with Talks, Live Demos, Workshops, Discussions, CTFs with a common focus on Reconnaissance. The village consists of a small group of people interested in areas of Open Source Intelligence, Threat Intelligence, Reconnaissance and Red Teaming, with a common goal of encouraging and spreading awareness about these areas.

Here is a nice video overview of the CTF starts:


 
TL;DR As we didn't finished in the TOP 3 teams, don't expect too much fancy stuff here, but feel free to send some write-ups of the other challenges, it will be added to this post and will help us to complete this write-up !

 

Introduction

OSINT CTF framework is based on the Facebook CTF platform: FCTF (Yes there is a Facebook CTF platform to host your own CTF ^^, and it’s even available on github: https://github.com/facebook/fbctf and moreover potential vulnerabilities are eligible for Facebook BugBounty program). Once registered to the CTF, when connecting to the CTF platform you will find a map with one challenge per country:

 
ctf_board


CHALLENGE 1 – Capture_Algeria – 200 pts

Let’s start with the challenge 1, which will involve some easy networking and forensic skills but also some OSINT basics.
 
challenge_1


Our first target is the twitter handle of the attacker, let’s see how it goes. After downloading the pcap file: https://ctf.reconvillage.org/data/attachments/Challenge-4_42e6f673622d0b243f7bd8394acc96cb.pcap, we can open it on wireshark in order to see what it contains. After a fast glance, we can find out a Word document.


pcap


Then by using the wireshark tools it is possible to extract the document with: file > export objets > http. After having the Word document saved, we can find the Author email address in the document properties: HilalSchuurbiers21@gmail.com. Google was a great friend for helping us to find some interesting information about: « Hilal Schuurbiers », according to that research it was possible to find his Instagram account and some pictures he has posted: http://www.hdphotolife.com/instagram/i4mth4tculpri7.html.


instagram

After checking the flag format, we made it: flag{i4mth4tculpri7}.


CHALLENGE 2 - Capture_Lybia - 200 pts

Topic:

"Profile the user identified in challenge 1 and find the building he's been staying in. What does the building say?"

The second challenge is a follow up to the challenge 1, once we found the Instagram account:  i4mth4tculpri7, the user uses the same solo name for his twitter account. Then by looking at the user’s tweets, a geolocation was discovered:

twitter


By using Google Maps, we could find the hotel and at the top of the hotel it is marked: RADARPORT.

hotel

Then the second flag was: flag{radarport}.



CHALLENGE 3 - Capture_Lybia - 100 pts

Topic:

"Paul was System Admin at x64 Corporation. He had an argument with his manager and left the company few days back. Being disappointed, he started leaking sensitive data. He also deleted all the employee records. Help our investigators to find his Phone number."
 

OSINT is very often nothing much more than the ability to find a needle in a haystack and this one could have been tricky.
Paul is a common name and so are the keywords "x64 Corporation". Adding "Corp" keyword lead us to the company website http://www.x64-corp.com/ which was quite empty unless a link to the company github https://github.com/x64Corp/www.x64-corp.com and a mention of the company bought by x64 Corp http://x32corp.org/.

site

The fact that x32 Corp website wasn't available made us think about using Wayback Machine, which was later on confirmed by a free hint which was offered: "Free_HINT: go back to the past". Using Wayback Machine on x64 website was the key:

wayback_machine


Looking at the archived webpage (https://web.archive.org/web/20170621192326/http://www.x64-corp.com/), we found Paul's phone number, and here is the third flag: flag{559811232121278}.


CHALLENGE 5 - Capture_India - 100 pts

Topic:

"Dan has shared an IP 54.183.214.103 which he suspect that the hackers used to attack us. He was able to ping it few minutes back, but it's not responding anymore- can you findout anything which might be helpful"

FREE HINT: "Show Dan whant you can do with an IP"


Well, this one was straightforward as Shodan is one of the tool we are pretty much familiar as IoT security is our thing you know:
Going to Shodan.io we found the different banners of services available on this Ip and the flag was there: flag{bilalkharjilal337} ! (https://www.shodan.io/host/54.183.214.103)

http

 


Challenge 8 - Capture_Greenland - 500 pts

Topic :

"I own 13.56.108.41. I don't trust people.
I play with malwares. Hack my servers. bwhaha!
FREE HINT : Damn!. I am donovan and I leaked my password somewhere.. wtf."
By analyzing the SSL Certificate of the server: 13.56.108.41, it is possible to find an email address: « Rafaela.Pereira@x64-corp.com ».
Then with a basic research on Google with this email, it was discovered two pastebin links:
• https://pastebin.com/2nZ5BLav
• https://pastebin.com/hpkBJgDg
These links provide the following informations:
• DOB: 11 April 1983
• Twitter: i4mrafaela
Nevertheless, the twitter account doesn’t give any essential informations.
By searching on Facebook, it was discovered that Rafaela Pereira has an account on facebook too: https://www.facebook.com/profile.php?id=100019421580542. There, we can find the string: « MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU », this hash is in fact a malware report analysis : https://malwr.com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/. Moreover the response of the comment of the 20th of July is a password:


Defcon25


On the Static Analysis, we can find in the Strings the following informations:
• ZmlmdHktdHdvLm5pbmUuc2l4dHktZml2ZS50d28tdHdlbnR5LWZpdmU= → decoded on base64: fifty-two.nine.sixty-five.two-twenty-five (52.9.65.225).
• eff-tee-pee (FTP)
Then by connecting to the FTP: ftp://52.9.65.225 with the login: « donovan » and the password: « ??42|french|MONDAY|type|EXPECT|were|TEACHER|82?? », a file: « flag.txt » was present with the following quote : « Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts ».
Credit: beast-fighter (https://gist.github.com/beast-fighter/eb25f9d1067dfb8b76a5f83af1f37bef), thank you for your writting:D.


CHALLENGE 10 - Capture_Germany - 100 pts

Topic:

"Find the IP Address of the Netweaver Application that runs on an apache server and sits in Switzerland"


Well, well, looks like a low hanging fruit as our Shodan API was already up and running for CHALLENGE 5 - Capture_India:

shodan
https://www.shodan.io/search?query=netweaver+product%3A%22Apache+httpd%22+country%3A%22CH%22


And then it was possible to find the IP address and the flag: flag{91.212.75.227}.


CHALLENGE 11 - Capture_Brasil - 200 pts

Topic:

"Company x64-corp has received an email which says:
Hi, This bad chap out there tracks leaked info. He got some info about us too and leaked  that same.
http://ow.ly/Zx8y30e0EKu
Can you help us identify the info he's leaked."


The shorten url ow.ly goes to a google drive with 2 files available https://drive.google.com/drive/folders/0BzPVktCa6QgTZVpGV2dxM1RUekE

google_drive
 
First file was a password protected file when the second one was a "compressed of a compressed of a compressed file" which we were able to simply open with 7zip. Last embedded document was a clear txt file containing the password str0ng9455w0rd12#2 to open the first protected file giving us a list of 16 Pastebin links.

why_data

bloc_note

Amongst the refreshing Pastebin links (Sony leaks, NSA tools, ....), one was clearly our target when we saw Pastebin title " x32corp.org 0wn3d - a guest Jul 4th, 2017"
 
pastebin
https://pastebin.com/SY23hK1m

 
 
And so we scored this challenge with the following flag: flag{gue55wh4therei5theflag.x32corp.org}
Note: Looking at hashed password without trying to crack them is something we can't do, so we found that one a SHA1 which must be useful somewhere else in this CTF ... or obviously not ?

robert:ef01c63fff98727a4b7e8db3b9e2ea25899ea124
fuller:913fa8825f281581e8ae3b18bc670d2d03dc9d2b
bernie:c0df53d045dc948202ee794a54e5640865923437
max:4642e9dd8056bb057056bf75a73f74600e1f8e7b
alexcraig:07a40b2d658a08447df29640c5e103db05eb1d32
john:b2399b0109bfc8090a51d7098367512fb7e5d9ec
alisha:de2b9d29de9f8c7caeab1658802560081c0fc027
anand:231adaf300d234e6cc56ab36f4e46d09e0fed0ab
nutan:0951a7539154f3faea055599564b1d061edaeb3f

max:4642e9dd8056bb057056bf75a73f74600e1f8e7b  => clear password: notthisone


CONCLUSION

Lots of fun in this DEFCON 25 Recon Village OSINT CTF, and congrats to the TOP 3 winning teams Rumpleforeskin, Proprietary Data and The Nosey Parke.

----------------------------------------------------------------------------------------------------------------
PS: For the record, and for people willing to keep on digging the remaining challenges, please find the unsolved ones below (on our side).


CHALLENGE 4 - Capture_USA - 400 pts

Topic:

"Somone leaked company's server information which lead to a serious hack.
Hacker left this signature. BrunoRochaAlvesFelipeAraujoGoncalves. And said: Find me by the gist.
Remember hackers are anonymous.
Can you help us find what exact information was leaked?"



CHALLENGE 6 - Capture_Pakistan - 100 pts

Topic:

"Can you find out the location of the hacker using the IP in challenge 5?
Free Hint: lateral thinking might be helpful but it will take long time"



CHALLENGE 7 - Capture_Australia - 300 pts

Topic:

"Our company dosn't spend a lot on paid products, and we use a lot of open source / free products. For example we use git for version controlling - https://github.com/x64Corp
Since teams don't use any centralized chat system, it's difficult to monitor the same. Our CTO suspects that someone is keeping an eye on our discussions. Not sure how.
Can you help?"

 

CHALLENGE 9 - Capture_UK - 100 pts

Topic:

"Our CTO (zakjohnson_1980) somehow leaked sensitive keys."



CHALLENGE 12 - Capture_Bolivia - 200 pts

Topic:

"Great, you found something in challenge 11, but are they really usable or just another bunch of garbage?"



CHALLENGE 13 - Capture_Argentina - 100 pts

Topic:

"Cracked password in challenge 12? seems useful? Really?"



See all articles