Competitive Intelligence at PHD-2013

Hello!
I want to tell you about the competition "Competitive Intelligence", held at the conference Positive Hack Days - 2013. More about it can be found here: www.phdays.ru/program/contests/#16276
I participated in “Competitive Intelligence” for the second time already, having already had some experience in similar work, and I was looking forward to new conditions. One of the reasons why I wrote this article is that I still haven't found the answers to some questions from last year’s competition. I very much hope that in this discussion we will bring together all the answers to the questions that were this year.

I will give answers to questions not in the order given in the conditions of the competition, but according to the logical chain that led me to the correct answers. At the end I will describe the questions, the answers to which I have not found.
I wrote this article after the contest was closed, and at that time its developers have already closed some competitive sites, so do not be embarrassed if some links will no longer work.
Also note that the correct answer at every step was born in agony, was the result of epic brainstorming, trial and error, many dozens of tried options. And here I will only write about the scenario, close to the ideal. Go.

Step 1.

This time it was necessary to answer 16 questions about the Godzilla Nursery Laboratory company.

Looking for a company name in Google:

The first link is the Godzilla Nursery Laboratory's Linkedin group , www.linkedin.com/groups/Godzilla-Nursery-Laboratory-5000097 :

We study the links on the group’s main page, which were published by a certain “Randi Klinger”, working in the position of “Marketing manager”. All of them are reduced using the bit.ly service and lead to different, unrelated, articles:
bit.ly/12LtZwC - wonderwall.msn.com/movies/angie-everhart-is-now-cancer-free-1752151.story
bit.ly/12txG8G - movies.msn.com/movie-guide-summer/11-things-we-love-about-original-star-trek-movies/photo-gallery/feature
bit.ly/YuDX4D - now.msn.com/angry-cats-a-photo-gallery-of-ways-to-piss-off-a-cat
bit.ly/13iaUmE - tv.msn.com/personalities-we-love-to-hate/photo-gallery/feature/?photoidx=12
But hey, they are all united by the fact that they are located on msn.com . I think that the site msn.com can be used for social engineering against the “Marketing manager”.
The correct answer is "msn.com".

Step 2.

In the news of the group in Linkedin we see that this group was created by a certain “Amber Lester”.

We study her profile. I will note that her profile can either be found in Google, or go to her page on Linkedin by clicking on the pop-up link to her name in the updates feed.

Great, there is a profile, www.linkedin.com/pub/amber-lester/70/595/a1 :

We have the name of the HR director, as well as the interesting sites indicated by her in the general information. We break through all these sites at www.whois.sc .
Do not get anything interesting for www.godzillanurseryfans.com and www.godzillanurseryfans.ru . But the domain www.godzillanurseryfans.info see the following data:

Yes, Amber Lester mail is: mberlest@gmail.com .
I note that here in the competition there was a difficulty, because there was still mail: amber.lester@godzillanurserylab.com , as well as the profile of the same Amber Lester “V Kontakte ” attached to it, vk.com/id210561328 . It was unclear whether this false trail was made by the creators of the contest on a special basis or simply it happened.
The fact remains: amber.lester@godzillanurserylab.com is not a valid option.
The correct answer is "mberlest@gmail.com".
')

Step 3.

Now we go to the official website of the Godzilla Nursery Laboratory: www.godzillanurserylab.com . It is easy to find it - at the time of this writing, this is the second and third link in Google for the query: “Godzilla Nursery Laboratory”.
Look in the robots.txt:

What is hidden for robots is interesting to us, go to the “test” directory:

Download all files. In addition, we receive the archive under the password: "gmailacc.rar". We will hold other files for now, they will be useful to us later.
Put the brut: "gmailacc.rar". The “* .rar” archives are fighting much slower than “* .zip”, but after 3 minutes we have an extremely difficult password:

The archive file is: "gmailacc.PNG". Here is its most important part:

It seems that the email address: greg.cru@godzillanurserylab.com , belongs here to this comrade, which can be found at: www.godzillanurserylab.com/contacts.htm :

We try his email address and the password “cru1crua27” to log in to Gmail, however, since I wrote the article after the contest was closed, the developers managed to cover some things. I did not find the name of the company directly, but did not remember the correct answer:

But already from this step to the definition of its insurance company, you are divided seconds.
The correct answer: a hacked archive leads to it.

Step 4.

Following the link: www.godzillanurserylab.com/contacts.htm , we see CEO:

Linkedin, www.linkedin.com/pub/maximiln-ozillov/70/460/54b :

Wow, yes there is plenty of data about him! It should be noted that the following data appeared as a hint only on the second day of the competition, on the first day it was not:

We work with the fact that he loves ICQ. We are looking in ICQ:

Found, check, maybe it's a namesake. We press: "Profile". Yes, this is our object:

The correct answer is: "Concord".

Step 5.

We refer again to Linkedin, on the CEO page: www.linkedin.com/pub/maximiln-ozillov/70/460/54b , we see many of his colleagues.

Here, almost the entire friendly company, now we are interested in "Inessa Golubova", "Biological Engineering". Go to her page and among other things see:

We go to "My World", we search by mail, we find the profile, www.my.mail.ru/mail/gineska81/info :

In her photos we see the photo we need:

Pay attention to the important detail in the upper left corner of the picture; we see there the lower part of the address of the company's web-mail version: www.email.godzillanurserylab.com . This fact is useful to us further.
The correct answer is: "GNL \ Igolubova".

Step 6.

In step 5, we found the web version of the email address: www.email.godzillanurserylab.com . Go to it and see the following form:

Pretend that we are an CEO and that we have forgotten our password for the mail. By clicking on “Forgot your Password?”, We enter the email: ceo@godzillanurserylab.com .

Well, this post exists. We see the secret question:

Oh, yes, we already know this from step 4. Enter “Concord” and get a new password.

Now we go back to the mail login form, www.email.godzillanurserylab.com , enter ceo@godzillanurserylab.com and password, get into the “debug mode” of the mail. There we see a single letter with a small picture:

We hammer in the picture in Google image search and in a minute we find that it is “St James Park”.
The correct answer is: St James Park.

Step 7.

Go ahead through the list of CEO's colleagues on LinkedIn. Now we are interested in a certain “Ivanes Inclam”.

Just ask Google about it and get 3 links at once:

Ivanes Inclam asks for help on filtering settings for the firewall in three forums at once:



The correct answer is: “Kaspersky Security for Internet Gateway Russian Edition”.

Step 8.

Now we recall the second encrypted archive: “Investigation_Report.zip”. Here is more interesting. Although the archive is encrypted, you can view its contents:

We see two files in it: “Investigation Report.pdf” and “sil-male.png”. It is noteworthy that next to this encrypted archive in the open are two more files:

Total We have:
- encrypted archive, “Investigation_Report.zip”, which contains, in addition to the PDF file we need, the file “sil-male.png”
- open archive, “src.zip”, containing only one file, “sil-male.png”
- the file itself, “sil-male.png”:

Hmm, yes, this is a hint of plaintext-attack. Its possibility arises when we have the plaintext and its corresponding ciphertext. Read more here:
www.en.wikipedia.org/wiki/Known-plaintext_attack
www.ru.wikipedia.org/wiki/Attack_in_based_open_text
I think there are several programs that can perform this attack, but I used Elcomsoft's Advanced Archive Password Recovery application. Specifying the type of attack as parameters: “Plaintext”, as well as encrypted and open archives containing the same file, I launched the attack:

Twenty seconds, and we have an open archive without a password, the password in this case is not.

The archive contains data on a certain "Robert Craft":

Yes, it turns out, our CIO.
The correct answer is "Robert Craft".

Step 9.

The “Carlos Bechtol” profile is also on LinkedIn, but it doesn’t give us anything interesting. We found his profile "in contact": vk.com/id210334624 .

Here I will note another difficulty.
In the picture you see his phone after the first hint of the organizers. Before this very prompt, his number looked like this: "+7916 *** 13 **".
Before the tip, we found a profile of some “Carlos Bechtol” on Google+. But there was no data on the page. Then we manually picked up his mail: " carlos.bechtol@gmail.com ".
Then they checked that the “ Vkontakte ” password recovery form by mail “ carlos.bechtol@gmail.com ” clearly indicated the page we needed.

We found the last two digits of the phone using the password recovery form for this email on Google:

The question remained how to find the fifth, sixth and seventh digits of the number: "+7916 *** 1374". And here we are again faced with a problem. Profiles in other social networks, we have not found. A form of password recovery "in contact", faced with a heightened interest in this profile, gave the following message:
“Exceeded the number of attempts. Please try again later. ”
It was a great pity to miss the point for the almost found phone. After dozens of our attempts to recover the password, the contest developers gave a hint, after which the phone looked like this: "791660413 **".

And so, I think, why the hint appeared. Everything turned out to be interesting. May 21, 2013, at the time of writing the post of Dmitry Evteev about punching the phone number of a person on a social network account : www.devteev.blogspot.ru/2013/05/blog-post_21.html , the service "In contact" when requesting a password recovery issued as many as 7 first digits of the number, and as early as May 24, on the second day of the competition, only the first three digits (operator code) and the last two digits were issued. Quickly the guys from Vkontakte fixed this vulnerability.
The correct answer is: "+79166041374".

Step 10.

On the CEO page it is indicated that the CEO worked previously in:

Follow the link, see the picture:

We increase and read the address: 54.245.97.120 and also see that after the last octet “120” there is an explicit colon, which means that a specific port is entered. The site itself was unfriendly:

We recognize its ports using nmap: "nmap -p 1-65535 -v 54.245.97.120"

There are 4 open ports in total. The 22nd SSH port doesn’t do anything, it needs an account. Brush and uchetku and password - a thankless task. The 53rd DNS port does not provide anything interesting either.
We take the 80th port and use our hands to sort out the TOP-10 of the most common directories: “admin”, “test”, “doc”, “upload”, “download”, “images”, etc. Nothing.
We take port 8080, sort out the same list of TOP-10. Voila:

So, in Genom Lab Departmnet only two employees: CEO and CRO. We know CEO mail: ceo@godzillanurserylab.com , and CRO mail can be found here: www.godzillanryrylab.com/contacts.htm

Correct answer: “ceo@godzillanurserylab.com cro@godzillanurserylab.com”

Step 11.

In contacts on the main site: www.godzillanurserylab.com/contacts.htm , we see the person we need:

Looking for it on Linkedin:

There is one. We get his home address:

We are looking for an address on Google maps, we see the house:

And on the right, behind the bushes, we find the car, let's bring it closer:

Looks like this is a honda.
The correct answer is: "Honda".

Step 12.

On the SEO page on Linkedin: www.linkedin.com/pub/maximiln-ozillov/70/460/54b , let 's return to the general information:

We see the site * .onion, which means we need Tor. Read more here who is interested: www.en.wikipedia.org/wiki/.onion . Download Tor Browser Bundle and go to the site, or use the gateway to Tor type 6uzhxjor2tfsdwzf.tor2web.org and see only one picture:

Wide flight of fantasy from the CEO. Obviously, this picture is associated with the word "fetish". Looking into the EXIF ​​image. Read more here - www.ru.wikipedia.org/wiki/EXIF . Or open it with any hex editor. We will use the first available EXIF ​​online viewer: www.regex.info/exif.cgi . We load the picture and see the word we need in the “Location” field.

Or in the hex editor we see the same thing:

The correct answer is: “Zillaphilya.”

Step 13.

We did not find the answer to this question, but there are clues. In particular, Linkedin has a person with the “Call center operator” post : www.linkedin.com/pub/janice-harrison/70/a06/846 :

But the search for it to us did not lead to success.
An unknown signature was also found when scanning nmap of the resource previously mentioned in step 10: 54.245.97.120.

Options: "Cisco" and "Sisco", did not fit. Now I think it was necessary to try “SISCO TELECOM VOIP”.
The correct answer: we find together.

Step 14.

There is a hook in the file: “dbo.report.log”, which we received together with the encrypted archives in step 4. In this file, among other things, there is a line like: “N: / DBO ***. GODZILLANURSERYFANS.INFO/www/favicon .ico
The brutal directories for different masks on “dbo ***. Godzillanurseryfans.com” and other found sites did not give any results.
The correct answer: we find together.

Step 15.

We did not find this answer, without clues.
The correct answer: we find together.

Step 16.

We did not find this answer either, without clues.
The correct answer: we find together.

Conclusion

At the end of the article, I note that this year the Competitive Intelligence Competition has become more "technical", for example, taking the same hacking archives. Sometimes it is seriously embarrassed in the choice of strategy.
There were also some inconsistencies, like two HR director posts.
Another feature that slightly dispersed attention was that the contest developers mixed the “Russian” network segment (“VK”, “My World”, etc.) with the “more western” direction (“LinkedIn”, many places and addresses of objects were abroad). Enough time has been wasted searching for people on Western social networks.
Since I wrote the article after the contest was closed, I could have made an inaccuracy somewhere: for example, at the finish of Step 3. If someone finds a blot, write, I will correct it.
I want to say thank you “shisha”, with which we fought together over the competition. You're doing fine! We did not have quite a bit of medals. But it was an important experience. I want to say thank you to the guys who took the first three places with nicknames: “azrael”, “topol”, “Det0” - I have specified some answers after your awarding.
And thanks to the organizers of this competition and the entire conference, it was just a great holiday of information security! Keep it up!

Update : the developers of the competition on June 24, 2013 published its official passage, which can be read here .