Write-Up: DEFCON 25 Recon Village OSINT CTF

Filter by category:

August 1, 2017 by G123N1NJ4
This blogpost is a write-up of some online challenges we managed to solve during the DEFCON 25 Recon Village OSINT CTF.
This OSINT CTF is hosted by the Recon Village which is an Open Space with Talks, Live Demos, Workshops, Discussions, CTFs with a common focus on Reconnaissance. The village consists of a small group of people interested in areas of Open Source Intelligence, Threat Intelligence, Reconnaissance and Red Teaming, with a common goal of encouraging and spreading awareness about these areas.

Here is a nice video overview of the CTF starts:

TL;DR As we didn't finished in the TOP 3 teams, don't expect too much fancy stuff here, but feel free to send some write-ups of the other challenges, it will be added to this post and will help us to complete this write-up !



OSINT CTF framework is based on the Facebook CTF platform: FCTF (Yes there is a Facebook CTF platform to host your own CTF ^^, and it’s even available on github: https://github.com/facebook/fbctf and moreover potential vulnerabilities are eligible for Facebook BugBounty program). Once registered to the CTF, when connecting to the CTF platform you will find a map with one challenge per country:


CHALLENGE 1 – Capture_Algeria – 200 pts

Let’s start with the challenge 1, which will involve some easy networking and forensic skills but also some OSINT basics.

Our first target is the twitter handle of the attacker, let’s see how it goes. After downloading the pcap file: https://ctf.reconvillage.org/data/attachments/Challenge-4_42e6f673622d0b243f7bd8394acc96cb.pcap, we can open it on wireshark in order to see what it contains. After a fast glance, we can find out a Word document.


Then by using the wireshark tools it is possible to extract the document with: file > export objets > http. After having the Word document saved, we can find the Author email address in the document properties: HilalSchuurbiers21@gmail.com. Google was a great friend for helping us to find some interesting information about: « Hilal Schuurbiers », according to that research it was possible to find his Instagram account and some pictures he has posted: http://www.hdphotolife.com/instagram/i4mth4tculpri7.html.


After checking the flag format, we made it: flag{i4mth4tculpri7}.

CHALLENGE 2 - Capture_Lybia - 200 pts


"Profile the user identified in challenge 1 and find the building he's been staying in. What does the building say?"

The second challenge is a follow up to the challenge 1, once we found the Instagram account:  i4mth4tculpri7, the user uses the same solo name for his twitter account. Then by looking at the user’s tweets, a geolocation was discovered:


By using Google Maps, we could find the hotel and at the top of the hotel it is marked: RADARPORT.


Then the second flag was: flag{radarport}.

CHALLENGE 3 - Capture_Lybia - 100 pts


"Paul was System Admin at x64 Corporation. He had an argument with his manager and left the company few days back. Being disappointed, he started leaking sensitive data. He also deleted all the employee records. Help our investigators to find his Phone number."

OSINT is very often nothing much more than the ability to find a needle in a haystack and this one could have been tricky.
Paul is a common name and so are the keywords "x64 Corporation". Adding "Corp" keyword lead us to the company website http://www.x64-corp.com/ which was quite empty unless a link to the company github https://github.com/x64Corp/www.x64-corp.com and a mention of the company bought by x64 Corp http://x32corp.org/.


The fact that x32 Corp website wasn't available made us think about using Wayback Machine, which was later on confirmed by a free hint which was offered: "Free_HINT: go back to the past". Using Wayback Machine on x64 website was the key:


Looking at the archived webpage (https://web.archive.org/web/20170621192326/http://www.x64-corp.com/), we found Paul's phone number, and here is the third flag: flag{559811232121278}.

CHALLENGE 5 - Capture_India - 100 pts


"Dan has shared an IP which he suspect that the hackers used to attack us. He was able to ping it few minutes back, but it's not responding anymore- can you findout anything which might be helpful"

FREE HINT: "Show Dan whant you can do with an IP"

Well, this one was straightforward as Shodan is one of the tool we are pretty much familiar as IoT security is our thing you know:
Going to Shodan.io we found the different banners of services available on this Ip and the flag was there: flag{bilalkharjilal337} ! (https://www.shodan.io/host/



Challenge 8 - Capture_Greenland - 500 pts

Topic :

"I own I don't trust people.
I play with malwares. Hack my servers. bwhaha!
FREE HINT : Damn!. I am donovan and I leaked my password somewhere.. wtf."
By analyzing the SSL Certificate of the server:, it is possible to find an email address: « Rafaela.Pereira@x64-corp.com ».
Then with a basic research on Google with this email, it was discovered two pastebin links:
• https://pastebin.com/2nZ5BLav
• https://pastebin.com/hpkBJgDg
These links provide the following informations:
• DOB: 11 April 1983
• Twitter: i4mrafaela
Nevertheless, the twitter account doesn’t give any essential informations.
By searching on Facebook, it was discovered that Rafaela Pereira has an account on facebook too: https://www.facebook.com/profile.php?id=100019421580542. There, we can find the string: « MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU », this hash is in fact a malware report analysis : https://malwr.com/analysis/MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU/. Moreover the response of the comment of the 20th of July is a password:


On the Static Analysis, we can find in the Strings the following informations:
• ZmlmdHktdHdvLm5pbmUuc2l4dHktZml2ZS50d28tdHdlbnR5LWZpdmU= → decoded on base64: fifty-two.nine.sixty-five.two-twenty-five (
• eff-tee-pee (FTP)
Then by connecting to the FTP: with the login: « donovan » and the password: « ??42|french|MONDAY|type|EXPECT|were|TEACHER|82?? », a file: « flag.txt » was present with the following quote : « Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts ».
Credit: beast-fighter (https://gist.github.com/beast-fighter/eb25f9d1067dfb8b76a5f83af1f37bef), thank you for your writting:D.

CHALLENGE 10 - Capture_Germany - 100 pts


"Find the IP Address of the Netweaver Application that runs on an apache server and sits in Switzerland"

Well, well, looks like a low hanging fruit as our Shodan API was already up and running for CHALLENGE 5 - Capture_India:


And then it was possible to find the IP address and the flag: flag{}.

CHALLENGE 11 - Capture_Brasil - 200 pts


"Company x64-corp has received an email which says:
Hi, This bad chap out there tracks leaked info. He got some info about us too and leaked  that same.
Can you help us identify the info he's leaked."

The shorten url ow.ly goes to a google drive with 2 files available https://drive.google.com/drive/folders/0BzPVktCa6QgTZVpGV2dxM1RUekE

First file was a password protected file when the second one was a "compressed of a compressed of a compressed file" which we were able to simply open with 7zip. Last embedded document was a clear txt file containing the password str0ng9455w0rd12#2 to open the first protected file giving us a list of 16 Pastebin links.



Amongst the refreshing Pastebin links (Sony leaks, NSA tools, ....), one was clearly our target when we saw Pastebin title " x32corp.org 0wn3d - a guest Jul 4th, 2017"
And so we scored this challenge with the following flag: flag{gue55wh4therei5theflag.x32corp.org}
Note: Looking at hashed password without trying to crack them is something we can't do, so we found that one a SHA1 which must be useful somewhere else in this CTF ... or obviously not ?


max:4642e9dd8056bb057056bf75a73f74600e1f8e7b  => clear password: notthisone


Lots of fun in this DEFCON 25 Recon Village OSINT CTF, and congrats to the TOP 3 winning teams Rumpleforeskin, Proprietary Data and The Nosey Parke.

PS: For the record, and for people willing to keep on digging the remaining challenges, please find the unsolved ones below (on our side).

CHALLENGE 4 - Capture_USA - 400 pts


"Somone leaked company's server information which lead to a serious hack.
Hacker left this signature. BrunoRochaAlvesFelipeAraujoGoncalves. And said: Find me by the gist.
Remember hackers are anonymous.
Can you help us find what exact information was leaked?"

CHALLENGE 6 - Capture_Pakistan - 100 pts


"Can you find out the location of the hacker using the IP in challenge 5?
Free Hint: lateral thinking might be helpful but it will take long time"

CHALLENGE 7 - Capture_Australia - 300 pts


"Our company dosn't spend a lot on paid products, and we use a lot of open source / free products. For example we use git for version controlling - https://github.com/x64Corp
Since teams don't use any centralized chat system, it's difficult to monitor the same. Our CTO suspects that someone is keeping an eye on our discussions. Not sure how.
Can you help?"


CHALLENGE 9 - Capture_UK - 100 pts


"Our CTO (zakjohnson_1980) somehow leaked sensitive keys."

CHALLENGE 12 - Capture_Bolivia - 200 pts


"Great, you found something in challenge 11, but are they really usable or just another bunch of garbage?"

CHALLENGE 13 - Capture_Argentina - 100 pts


"Cracked password in challenge 12? seems useful? Really?"