
Passing the Competitive Intelligence Competition on PHDays III

This year, when devising the legend for the Competitive Intelligence tasks, we focused on how useful the information being sought would be in real passive reconnaissance when preparing for a pentest and when assessing security awareness, and on the use of various search engines and deductive methods.

Judging by one of the interesting write-ups of this competition, we succeeded, at least in part.

Unfortunately, there were not as many participants this year as last, and since some of the tasks were much harder, nobody solved all of them. The winners stopped at 12 correct answers and had to be ranked by the speed at which they got there.
So let's walk through an approximate algorithm for solving all the tasks of the competition, finally give the answers to the unsolved ones, and once again announce the updated list of winners.

The company the contestants had to work on was Godzilla Nursery Laboratory, an international corporation breeding and selling domestic godzillas. Godzillas were not chosen by chance: they were the ones “guarding” the railway in the “Choo-choo PWN” competition.



Google immediately told participants that this company's working site, with its nice logo, was www.godzillanurserylab.com, and that many of its employees are present on LinkedIn. Let's go!

Note: the percentage of correct answers is given relative to wrong ones (those who did not attempt the task are not counted); absolute figures are given at the end.





1) Which site is worth paying attention to when preparing social engineering aimed at the marketing manager? (70% correct answers)


The marketing manager is easily found on LinkedIn (how to discover that his name is Randi Klinger is explained at http://ya-recruiter.blogspot.ru/2012/09/linkedin_12.html). It is immediately obvious that he is the only active poster in the Godzilla Nursery Laboratory group, and every link he posts there leads to resources on msn.com.



The correct answer is msn.com.

2) What is the email address of the HR director? (9% correct answers)


The main difficulty for participants was not finding Amber Lester, the HR director, but realising that mberlest@gmail.com is this person's private address, whereas a pentester is interested in the work address. It is logical to assume that it looks something like mberlest@godzillanurserylab.com. And to confirm that this was the one (rather than mberlest@gmail.com or amber.lester@godzillanurserylab.com, which some participants managed to find), all that was needed was to send a message to that address and receive an auto-reply ;)



Correct answer: mberlest@godzillanurserylab.com .

3) What is the name of the insurance company of a board member? (91% correct answers)


Participants who have ever analysed the security of web applications, or who are familiar with how they are built, should have found the file www.godzillanurserylab.com/robots.txt and followed it to the /test/ folder with a bunch of interesting things.



One of the useful files in this folder is gmailacc.rar, since its password is the fifth most popular in the TOP 10 of frequently used passwords (http://www.ptsecurity.ru/download/PT-Metrics-Passwords-2009.pdf): 12345. Three things can be learned from the screenshot inside this archive:




If you then try to log in with these credentials, you get access to the mailbox and find a letter from the CEO which clearly says “From the Tokio Marine & Nichido Fire Insurance”, from which the correct answer is obvious.

Correct answer: Tokio Marine & Nichido Fire Insurance.

4) The CEO's hometown (76% correct answers)


To get the contestants thinking in the right direction, our CEO had to invent and add to his general information the phrase “I LOVE ICQ!!!”. With this clue, the answer to such a simple question becomes obvious: look up the UIN and its contact details by first name and surname (both are present on the website and in the social network).



Correct answer: Concord.

5) The CEO's favourite park (52% correct answers)


The first clue to the existence of the subdomain email.godzillanurserylab.com, which could be obtained from Inessa Golubova's page on the My World network, was not enough for some participants, so we again had to drop hints, this time from Maximillian Ozillov's page, along the lines of “my email webapp is ***.godzillanurserylab.com”. Scanning for existing third-level domains is not exactly a passive way of gathering information, but it is common practice.

Having found the domain, participants would find a simple web login form with a password recovery option for forgetful users. Knowing the CEO's email address (any doubts are dispelled by the page http://www.godzillanurserylab.com/contacts.htm) and the answer to the “secret question” from the previous task, anyone could get into the mail interface and see for themselves what our long-suffering CEO's beloved park looks like. And if you feed this photo to Google Images, the name of the park turns up.





The correct answer is: St. James's Park.

6) Find a Biological Engineer's domain account in the form DOMAIN\login (80% correct answers)


The last simple warm-up task is solved by finding the Biological Engineer's account on the “My World” social network by first name and surname (taken, again, from LinkedIn); there a picture gives the answer.

The correct answer: GNL\Igolubova.

7) What is the name of the corporate firewall in the company? (90% correct answers)


Here an extremely useful Google feature comes into play: Google Cache, or “Saved Copy”. Using it, it is easy to find on http://www.godzillanurserylab.com/contacts.htm a post, deleted for some reason, about the user Ivanes Inclam, our company's sysadmin. And who, if not a sysadmin, knows best which firewall is installed in the company? Searching by his name brings up several forums containing the correct answer. Unfortunately, most participants bypassed the script and simply looked at his job title on LinkedIn.



Correct answer: Kaspersky Security for Internet Gateway Russian Edition.

8) Full name of the CIO (38% correct answers)


The name of the Chief Information Officer was found by those participants who remembered the known-plaintext attack on cryptographic protocols. It had to be applied to get into the encrypted archive www.godzillanurserylab.com/test/Investigation%20Report.zip. Feed this archive, together with src.zip (the unencrypted version of one of its files), to Advanced Archive Password Recovery from the well-known company Elcomsoft, and within a few seconds you get the PDF document containing the answer.
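The attack works because PKWARE's traditional ZIP encryption (“ZipCrypto”) is a weak feedback cipher: its three internal keys are derived from the password alone, so every entry in an archive starts from the same state, and a dozen bytes of known plaintext let the Biham-Kocher attack (the method behind Advanced Archive Password Recovery and the free pkcrack) recover the keys without ever learning the password. The Python below is an added example written for this article; it is not the contest's files or Elcomsoft's code. It implements the cipher from the APPNOTE specification, shows the 12-byte per-entry header whose last byte is the high byte of the data's CRC-32 (the one-byte check that lets a cracker reject most wrong passwords after decrypting only 12 bytes, which is also why dictionary attacks on such archives are so fast), and shows how known plaintext yields the keystream bytes that the key-recovery step consumes; the key recovery itself is not reimplemented here. The sample text in the test is constructed. Keep in mind that a real archive encrypts the compressed stream, so the known plaintext must be the identically compressed copy of the file, which is exactly what an unencrypted src.zip of the same file provides.

```python
import os
import struct
import zlib

# Standard CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key updates use single table steps.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_step(crc, byte):
    """One table step of CRC-32, exactly the crc32(c, b) of the APPNOTE pseudocode."""
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKWARE traditional encryption: three 32-bit keys, advanced by each PLAINTEXT byte."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:  # password is bytes; the initial state depends on it alone
            self._update(b)

    def _update(self, p):
        self.k0 = _crc32_step(self.k0, p)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF  # "unsigned short temp" in the spec
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)  # feedback: the state moves on the plaintext, not the ciphertext
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, data, salt=None):
    """Encrypt one entry as a ZIP writer does: 11 random bytes + high byte of the CRC-32, then data.
    Returns (ciphertext, crc); the CRC itself is stored in the clear in the ZIP directory.
    salt, if given, must be 11 bytes (used for reproducible tests)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = (salt if salt is not None else os.urandom(11)) + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + data), crc


def check_password(password, ciphertext, crc):
    """What a cracker does per candidate: decrypt only the header and compare its last byte.
    A wrong password survives this with probability 1/256, so it prunes rather than proves."""
    return ZipCrypto(password).decrypt(ciphertext[:12])[-1] == crc >> 24


def decrypt_entry(password, ciphertext, crc):
    """Full check: the header byte and the CRC-32 of the recovered data must both match."""
    plain = ZipCrypto(password).decrypt(ciphertext)
    if plain[11] != crc >> 24 or zlib.crc32(plain[12:]) & 0xFFFFFFFF != crc:
        raise ValueError("wrong password")
    return plain[12:]


def recover_keystream(known_plain, ciphertext, offset=12):
    """Known-plaintext step: plaintext XOR ciphertext at each position is the byte that
    _stream_byte() produced there. A dozen of these bytes are the input to the Biham-Kocher
    key recovery that archive password crackers implement; the password is never needed."""
    return bytes(p ^ c for p, c in zip(known_plain, ciphertext[offset:]))
```

`check_password` is the reason a weak archive password like 12345 falls in milliseconds, and `recover_keystream` is why even a strong one does not help once an unencrypted copy of any file in the archive is available.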



The correct answer is Robert Craft.

Note: our character is fictional and has NO relation to the senior executive of the Kraft Group, Robert Kraft, who surfaced in the Super Bowl story :)

9) What is the Chief Risk Officer's phone number? (75% correct answers)


Only three people solved this task, and none of them became a prize winner, which is a pity. All you had to do was send a message to cro@godzillanurserylab.com and look at the address on the public page http://www.godzillanurserylab.com/contacts.htm.



The correct answer is: 81356873113.

10) The remote banking system software used in the company (0% correct answers)


Unfortunately, nobody managed to answer this question correctly. The file http://www.godzillanurserylab.com/test/dbo.report.log gives everything needed to understand where to look: there seems to be a domain DBO***.GODZILLANURSERYFANS.INFO. Had participants learned the domain's full name, it would most likely contain the name of the RBS system. This is where AXFR requests come to the rescue.



For why they are needed and how to use them to obtain all the subdomains from vulnerable DNS servers (which is exactly what the company had), see the Habr post.
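AXFR is the zone-transfer query a secondary nameserver uses to copy an entire zone from the primary; a server that answers it for anyone hands over every record, including hosts like DBO***.GODZILLANURSERYFANS.INFO that no wordlist would guess. The Python below is an added example for this article, not anything from the competition or from the Habr post: with only the standard library it builds the AXFR query by hand, sends it over TCP (the transfer is bracketed by two SOA records), parses the reply including DNS name compression, and recognises the REFUSED answer that a correctly configured server gives. The reply returned by `sample_axfr_response` is constructed, not captured from the real zone, so the parser can be exercised offline; the hostname dbointegra.godzillanurseryfans.info in it is invented to match the story.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, QTYPE_AXFR = 1, 2, 5, 6, 252
RCODE_REFUSED = 5

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """12-byte header (1 question, no flags) followed by the question <zone, AXFR, IN>."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_message(msg):
    """Return (rcode, [(owner, type, value), ...]) for every RR in one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_SOA):
            value, _ = read_name(msg, off)  # for SOA this is MNAME, the primary server
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        rrs.append((name, rtype, value))
    return flags & 0xF, rrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf

def zone_transfer(zone, nameserver, port=53, timeout=5.0):
    """Request the whole zone over TCP (2-byte length framing); a transfer is bracketed by two SOA RRs."""
    rrs, soa_seen = [], 0
    with socket.create_connection((nameserver, port), timeout=timeout) as s:
        query = build_axfr_query(zone)
        s.sendall(struct.pack(">H", len(query)) + query)
        while soa_seen < 2:
            msg = _recv_exact(s, struct.unpack(">H", _recv_exact(s, 2))[0])
            rcode, batch = parse_message(msg)
            if rcode == RCODE_REFUSED:
                raise PermissionError("AXFR refused by %s (the correct configuration)" % nameserver)
            if rcode != 0 or not batch:
                raise RuntimeError("AXFR failed, rcode=%d" % rcode)
            soa_seen += sum(1 for _, t, _ in batch if t == TYPE_SOA)
            rrs.extend(batch)
    return rrs

def hosts_with_prefix(rrs, prefix):
    """Hostnames from a transfer whose leftmost label starts with prefix (case-insensitive)."""
    return sorted({n for n, t, _ in rrs if t in (TYPE_A, TYPE_CNAME) and n.lower().startswith(prefix.lower())})

def sample_axfr_response(zone="godzillanurseryfans.info"):
    """Constructed AXFR reply (not captured from the real zone) so the parser can run offline."""
    def rr(owner, rtype, rdata):
        return owner + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    qname = encode_name(zone)
    soa = rr(qname, TYPE_SOA, encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack(">IIIII", 1, 3600, 600, 86400, 300))
    ptr = b"\xC0\x0C"  # compression pointer to the zone name in the question (offset 12)
    hosts = (rr(b"\x0adbointegra" + ptr, TYPE_A, bytes([10, 0, 0, 5]))  # invented hostnames
             + rr(b"\x03www" + ptr, TYPE_A, bytes([10, 0, 0, 1])))
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)  # QR|AA, 1 question, 4 answers
    return header + qname + struct.pack(">HH", QTYPE_AXFR, 1) + soa + hosts + soa
```

Against a live server, `hosts_with_prefix(zone_transfer("godzillanurseryfans.info", "<nameserver>"), "dbo")` does the same job as `dig axfr godzillanurseryfans.info @<nameserver>` piped through grep; a `PermissionError` means the zone is restricted to its secondaries (BIND's `allow-transfer`), which is the state a defender wants to see.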

Correct answer: DBOINTEGRA

11) Mobile phone number of the researcher Carlos Bechtol (67% correct answers)


One of the most curious tasks in the competition. The first curiosity is that Dmitry Evteev, independently of the task authors, came across an interesting bug that allows one to work out the phone number of a social-network user or of a Google Mail user (those not yet up to date, read: http://www.devteev.blogspot.ru/2013/05/blog-post_21.html). However, on the day of the competition the technique stopped working: first because of frequent password resets on our account, and then because the VKontakte administration fixed this extremely useful feature. As a result, we had to add the missing digits to the contact information of the account on vk.com.



For those who for some reason could not manage: the rather rare name makes it possible to find the account on the social network, and the nickname carlos_bechtol_gmail_com hints at the existence of the email carlos*bechtol@gmail.com (the missing character is easy to guess: it is a dot). Then follow the algorithm from the article above.

The correct answer is 79166041374.

12) All email addresses of Genome Lab Department employees, separated by spaces (90% correct answers)

We could not have told the story of this task more colourfully and in more detail than Dmitry Ugryumov of RosIntegration did.

The correct answer is: ceo@godzillanurserylab.com, cro@godzillanurserylab.com.

13) Which IP telephony product does the company use? (100% correct answers)

A little more active scanning of the IP address 54.245.97.120, obtained in the previous task, reveals a service on port 5161 that answers with the banner “SISCO TELECOM VOIP”. However, only Sergey Topoltsev got the correct answer.



The correct answer is: SISCO TELECOM VOIP.

14) Bank card number of a member of the board of directors (83% correct answers)

Because of the unusual difficulty of this task, we gave participants an indulgence by offering two ways to solve it. The main one assumed that after finishing task 3 participants would not only rush to change this user's password in a panic (which some started to do, but we had provided for that), but would also think further: Google offers excellent integration between many of its products, in particular browser synchronisation through a Google Account. That means that, knowing the account and password (and the participants knew them), you could sign in to Google Chrome and get access to that account's bookmarks.



One of the bookmarks contained an unambiguous answer to the question. An easier way was to assume that the Chief Information Officer might also be a member of the board of directors, and his card number could be found by completing task 8. Only the already mentioned Sergey Topoltsev discovered the first method.

The correct answers are: 4401-7864-4568-1145 and 4716-5410-4981-7265.

15) Car brand of the Chief of the Security Department (95% correct answers)

Google Street View offers excellent opportunities here! Knowing the person's home address (in this case easy to find from the contact details on LinkedIn and on the main site's contact page), we can try to take a peek at it, and in this case make out the brand of the car parked near the house.



The correct answer is: Honda.

16) What kind of fetish does the CEO have? :) (58% correct answers)

The task turned out to be quite simple: many passed it, and a few more stopped one step short of the correct answer. We notice a link to a .onion domain, fire up Tor (those who have not yet heard of Tor hidden services should urgently read http://www.en.wikipedia.org/wiki/.onion), and receive the contest authors' creation in JPEG format. Anyone who looked at its EXIF tags would find the desired answer.
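EXIF metadata lives in the JPEG's APP1 segment as a small TIFF structure: a byte-order mark, then IFD0 with tags such as ImageDescription and Artist plus pointers to the Exif sub-IFD (UserComment, capture dates) and the GPS sub-IFD. The Python below is an added example for this article, not the contest's image or tooling: a stdlib-only reader that walks the marker segments, parses the TIFF directories including the sub-IFD pointers, and returns the text tags, together with a constructed JPEG (a bare SOI/APP1/EOI skeleton with no image data) so it runs offline. Every tag value in that sample, including the UserComment, is invented and not taken from the real picture.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types -> bytes per value
SUB_IFD_TAGS = {0x8769: "ExifIFD", 0x8825: "GPSIFD"}
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x013B: "Artist", 0x8298: "Copyright",
             0x9003: "DateTimeOriginal", 0x9286: "UserComment"}

def _segments(jpeg):
    """Yield (marker, payload) for each marker segment that precedes the scan data."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    off = 2
    while off + 4 <= len(jpeg):
        if jpeg[off] != 0xFF:
            raise ValueError("marker expected at offset %d" % off)
        marker = jpeg[off + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: all metadata segments are behind us
            return
        length = struct.unpack(">H", jpeg[off + 2:off + 4])[0]  # counts its own two bytes
        yield marker, jpeg[off + 4:off + 2 + length]
        off += 2 + length

def _read_ifd(tiff, off, bo, tags, depth=0):
    """Walk one IFD, decoding text and numeric tags and recursing into the Exif/GPS sub-IFDs."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        # values of 4 bytes or less are stored inline, longer ones at an offset into the TIFF
        start = e + 8 if size <= 4 else struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
        raw = tiff[start:start + size]
        if tag in SUB_IFD_TAGS and depth < 2:
            _read_ifd(tiff, struct.unpack(bo + "I", raw)[0], bo, tags, depth + 1)
        elif tag == 0x9286:  # UserComment: 8-byte character-set code, then the text
            tags[tag] = raw[8:].rstrip(b"\x00").decode("latin-1")
        elif typ == 2:  # ASCII, NUL-terminated
            tags[tag] = raw.rstrip(b"\x00").decode("latin-1")
        elif typ in (3, 4):  # SHORT / LONG
            vals = struct.unpack(bo + ("H" if typ == 3 else "I") * count, raw)
            tags[tag] = vals[0] if count == 1 else vals
        else:
            tags[tag] = raw  # rationals etc. are left as bytes; their presence is what matters

def exif_tags(jpeg):
    """Return {tag_name: value} from the first Exif APP1 segment, or {} if the file has none."""
    for marker, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
            if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
                raise ValueError("bad TIFF header in APP1")
            tags = {}
            _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo, tags)
            return {TAG_NAMES.get(t, "0x%04X" % t): v for t, v in tags.items()}
    return {}

def _build_ifd(entries, base):
    """Serialise [(tag, type, count, raw)] as a little-endian IFD that will sit at `base` in the TIFF."""
    data_off = base + 2 + 12 * len(entries) + 4
    table, blob = b"", b""
    for tag, typ, count, raw in entries:
        if len(raw) <= 4:
            table += struct.pack("<HHI", tag, typ, count) + raw.ljust(4, b"\x00")
        else:
            table += struct.pack("<HHII", tag, typ, count, data_off + len(blob))
            blob += raw
    return struct.pack("<H", len(entries)) + table + b"\x00\x00\x00\x00" + blob

def sample_jpeg():
    """Constructed JPEG (SOI, Exif APP1, EOI, no image data) standing in for the contest picture."""
    desc, artist = b"Private collection\x00", b"GNL CEO\x00"  # invented values
    comment = b"ASCII\x00\x00\x00" + b"Zillaphilya (invented value)"
    ifd0 = [(0x010E, 2, len(desc), desc), (0x013B, 2, len(artist), artist)]
    ifd0_len = 2 + 12 * (len(ifd0) + 1) + 4 + len(desc) + len(artist)
    ifd0.append((0x8769, 4, 1, struct.pack("<I", 8 + ifd0_len)))  # pointer to the Exif sub-IFD
    tiff = b"II*\x00" + struct.pack("<I", 8) + _build_ifd(ifd0, 8)
    tiff += _build_ifd([(0x9286, 7, len(comment), comment)], 8 + ifd0_len)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"
```

On a real file, `exif_tags(open(path, "rb").read())` lists the same tags `exiftool` would show under those names; GPS values, when present, come back as raw rational bytes under their hex tag numbers, which is enough to notice that a photo carries a location.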

The correct answer is: Zillaphilya.

Results


Another innovation this year concerned how the competition statistics were displayed: participants did not know which of their answers were correct, only how many, and that number was updated every half hour. This ruled out brute-forcing the answers, although there were attempts :) Well, whatever keeps the kids amused! Unfortunately, as a result, the answers had to be checked manually at the very end, which provoked partly justified indignation among some contestants.
It turned out that we were completely wrong not to award one of the leaders, Sergey Topoltsev. We ask him to contact us for the prize that is waiting for him!







The most difficult were questions 2, 9, 10 and 13.

Summary


The employees responsible for information security at Godzilla Nursery Laboratory did not waste their time either: they tracked, in real time, the “intruders” trying to collect information about their colleagues. Everything took place within the law; nobody dug deep or did anything of the sort Alexey Sintsov described in his talk “Traps know how to bite: reverse penetration”. But superficial information gathering, using the methods Andrei Masalovich described in another talk (“Competitive Intelligence on the Internet”), made it possible to find among the competition participants:


Many thanks to all the contestants! Proposals are accepted at ci@ptsecurity.ru. Until we meet again.

Disclaimer: all characters are fictional, and any coincidence with real people, living or dead, is accidental.

Source: https://habr.com/ru/post/184450/

