Inferno CTF 2019 OSINT Writeups
Welcome!
Writing write-ups for CTFs is something I wanted to do for a while now, but in order to do it, I need to participate in CTFs and solve some challenges so I could write about :)
The motive behind this, is that I read myself write-ups of other people for challenges I tried to solve but didn't manage to get the flag.
"Sharing is caring" - during the CTF I hanged around in theIRC Discord server, and as soon as I wrote "OSINT was fun" I immediately got flooded with PMs with questions.
CTFs consists from different categories, so you might be a good at reversing, but no idea what to do in other categories, so sharing solutions (after the CTF has ended) is a good way to learn new tricks and methods of solving challenges.
Lets get down to business :)
Task name: "New Developer" - 50 Points
Obviously we need to go to the GitHub page, we can see 2 pinned repositories, but he got 3, what is the third one? Just click on the repositories tab and you will see the third "hidden" repository - "dotfiles".
In case you are not familiar with Linux, it saves dot files in the home dir of the user, essentially those are configuration files for different applications, and you can move them to a new Linux system to maintain your current configuration, this is the good part, the bad part, those files might contain sensitive information such as users/passwords/keys/tokens/flags :)
I jumped straight to the interesting file which is (dot)bash2048 and it contain the flag template, but not the flag itself, so perhaps the bash2048 repository will contain more clues to the flag, because the logic says this dot file is used by the bash2048 program.
Some people asked if you need to play the game for the flag, I didn't play the game and got the flag, but the answer is within the code or within the $CODE :P
Some people told me they can't find the $CODE variable referenced in the code, but you don't have to declare it in the same file, as matter of fact, one line above there is a "source" command that reference to another dot file ".bashrc2" , let's check it:
Looks like we have the full pastebin URL, let's see what is there:
Let's move to the 2nd OSINT Task - "Whistle Blower":
Okay, so this continue the story of our lovely developer, let's read the mail:
This might sound stupid to some people, especially for those that are not from the InfoSec industry, but Twitter is an important tool :P
It allows you to make comic breaks during work and to stay up to date to current trends and attacks, obviously you need to maintain an up to date list of who or what to follow to get the relevant tweets.
Here is an example of dropping a 0day on Twitter:
Actually, one of the first things I've been told to do when I joined my current work place is to go over a curated list and make sure I am subscribed to all of them, so I could get all the latest "Threat Intel".
Anyway... back to the CTF, the lovely developer didn't had a Twitter URL on his GitHub, and the pastebin was posted by a guest, so we need to find his twitter account.
Luckily, as with passwords, users also reuse user/nick names, but simply going to @iamthedeveloper123 didn't work, but in Twitter your user name (@handle) doesn't have to correspond to the name you use, so I used Twitter search to look for this name and I got a hit :)
Oh no! the URL does no longer exist, but if you know the internetz, you should know once something goes online, most chances someone or something saved it already.
There could be other solutions for this problem, but I used the one I know and it worked like a charm.
There is a website called the waybackmachine and it had a cached version of the blog post before it was deleted, this blog post contained the flag:
That is all, hope you had fun reading as I had fun solving those tasks, stay tuned for (hopefully) more CTF write-ups.
Writing write-ups for CTFs is something I wanted to do for a while now, but in order to do it, I need to participate in CTFs and solve some challenges so I could write about :)
The motive behind this, is that I read myself write-ups of other people for challenges I tried to solve but didn't manage to get the flag.
"Sharing is caring" - during the CTF I hanged around in the
CTFs consists from different categories, so you might be a good at reversing, but no idea what to do in other categories, so sharing solutions (after the CTF has ended) is a good way to learn new tricks and methods of solving challenges.
Lets get down to business :)
Task name: "New Developer" - 50 Points
Figure 1: Task description
Figure 2: GitHub page of the developer
Figure 3: Interesting dot file
In case you are not familiar with Linux, it saves dot files in the home dir of the user, essentially those are configuration files for different applications, and you can move them to a new Linux system to maintain your current configuration, this is the good part, the bad part, those files might contain sensitive information such as users/passwords/keys/tokens/flags :)
I jumped straight to the interesting file which is (dot)bash2048 and it contain the flag template, but not the flag itself, so perhaps the bash2048 repository will contain more clues to the flag, because the logic says this dot file is used by the bash2048 program.
Figure 4: Interesting code in bash2048.sh
Some people asked if you need to play the game for the flag, I didn't play the game and got the flag, but the answer is within the code or within the $CODE :P
Some people told me they can't find the $CODE variable referenced in the code, but you don't have to declare it in the same file, as matter of fact, one line above there is a "source" command that reference to another dot file ".bashrc2" , let's check it:
Figure 5: .bashrc2 file interesting part
Looks like we have the full pastebin URL, let's see what is there:
Figure 6: The flag reside in the pastbin URL
Let's move to the 2nd OSINT Task - "Whistle Blower":
Figure 7: 2nd OSINT Task description
Figure 8: Interesting part of the mail correspondence
It allows you to make comic breaks during work and to stay up to date to current trends and attacks, obviously you need to maintain an up to date list of who or what to follow to get the relevant tweets.
Here is an example of dropping a 0day on Twitter:
Figure 9: SwiftOnSecurity - if you don't follow this account, you are not an infosec expert.
Actually, one of the first things I've been told to do when I joined my current work place is to go over a curated list and make sure I am subscribed to all of them, so I could get all the latest "Threat Intel".
Anyway... back to the CTF, the lovely developer didn't had a Twitter URL on his GitHub, and the pastebin was posted by a guest, so we need to find his twitter account.
Luckily, as with passwords, users also reuse user/nick names, but simply going to @iamthedeveloper123 didn't work, but in Twitter your user name (@handle) doesn't have to correspond to the name you use, so I used Twitter search to look for this name and I got a hit :)
Figure 10: The Twitter profile handle is @imdeveloper123
There could be other solutions for this problem, but I used the one I know and it worked like a charm.
There is a website called the waybackmachine and it had a cached version of the blog post before it was deleted, this blog post contained the flag:
Figure 11: The 2nd flag :)
That is all, hope you had fun reading as I had fun solving those tasks, stay tuned for (hopefully) more CTF write-ups.
Comments
Post a Comment