CTFzone write-ups - Going 300, going 500, OSINT sold

Friends, thanks for being active in the chat and for following the link to the tasks; your interest and dedication motivate us to work 25 hours a day, and that is not the limit! Now that our days have become longer, we are ready to present the next batch of write-ups, this time for the OSINT branch.


Judging by the number of solves, this branch turned out to be quite hard and demanded maximum ingenuity. Notably, the 500-point task was solved by only two people, and only one participant managed the 1000-point task. So in this article we publish solutions for just two tasks, 300 and 500 points; the 1000-point one will follow a little later in a separate post. Stay tuned for updates ;)



OSINT_300. Son of the law


AURORA: Lieutenant, I have found a diary of your predecessor, Lieutenant Scott. He is reading these memoirs. Do you want to read them out loud? Scott's diary is about Captain Picard's friend.
Scott's memoirs. December 5, 2047.
"He wanted to be a lawyer for a lawyer. The Captain remembers only his nickname: the01awson. Well, let's see..."


Solution:


So, in this task, as in OSINT_100 (which, by the way, is described very well in this post), you again have to help someone and find someone; this time it is the e-mail address of a certain gentleman. Searching the "standard" social networks gave nothing, and neither did Google, even with all sorts of dorks and tricks. The task went unsolved for a long time, so we decided to drop a hint: "google -> username check".


We type in the query, and Google returns a list of services that check a nickname across many social networks, not just the "standard" ones. Following the first link, we try to find our lawyer. The service reports that a user with this nickname exists in several places; however, following those links, we get only errors.


Hooray! On about.me there is still a user page with that nickname.


It seems we have found what we need. The user's biography says that he has been on a long professional vacation and plans to return to work soon. The profile also links to his old repository, which stores various legal documents and more. We follow the link and see the standard nginx page, albeit slightly edited by the site owner.


There is no repository here, so we will have to brute-force directory names in search of the right one.


Yes, dirb found what we were looking for. Note that the user's biography contained the word "repo", so one could have found the repository immediately, but that move is not obvious ;) Opening the found path, we indeed see a very large repository of documents.


Many files are stored here, and some of them immediately catch the eye and distract attention. Each of you solved the task differently: some played a guessing game, some parsed the files trying to find an e-mail address by pattern, some downloaded the entire repository and searched it locally, some looked at modification dates. There were many options, but the result had to be the same: finding the dead.letter file in which the needed address was stored.


In the file, we see part of a correspondence with a certain Jeanine Camps, and in it the e-mail address of the lawyer we had to find.


Answer: ctfzone{theol@the01awson.me}.


PS Not everyone knows that dead.letter is a special (almost standard) file in which a message that could not be delivered (or sent) for some reason is saved. Such a file can be found on many servers; the main thing is to know where and how to look. More information about this file can be found here.
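As an added illustration of the "parse the files and look for an address by pattern" approach (example code, not part of the original write-up), here is a small Python parser for a dead.letter file that pulls addresses from the headers and the body. The file content is constructed for this example, and all names and addresses in it are made up.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample of a dead.letter: the unsent message a command-line mail
# client drops in the user's home directory. All names and addresses are made up.
DEAD_LETTER = """\
From theol@example.test Mon Dec  5 10:42:11 2047
Date: Mon, 5 Dec 2047 10:42:11 +0000
From: Theo Lawson <theol@example.test>
To: "Jeanine Camps" <j.camps@example.test>
Subject: Re: contract draft

Jeanine,
I am back from sabbatical next week; reach me at theol@example.test
or on my old box, lawson.old@mail.example.test.
"""

# Loose address pattern for free text in the body.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_dead_letter(raw: str) -> dict:
    """Return the subject plus the addresses found in the headers and the body."""
    # mbox-style files start with a Unix "From " envelope line; drop it so the
    # RFC 5322 parser sees the real headers first.
    lines = raw.splitlines(keepends=True)
    if lines and lines[0].startswith("From "):
        raw = "".join(lines[1:])
    msg = email.message_from_string(raw, policy=policy.default)
    header_fields = [str(msg.get(h, "")) for h in ("From", "To", "Cc")]
    header_addrs = [addr for _, addr in getaddresses(header_fields) if addr]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    body_addrs = sorted(set(EMAIL_RE.findall(text)))
    return {
        "subject": str(msg.get("Subject", "")),
        "headers": header_addrs,
        "body": body_addrs,
    }


if __name__ == "__main__":
    print(parse_dead_letter(DEAD_LETTER))
```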


OSINT_500. Elusive memory


AURORA: Lieutenant, it's time for another memoir. Are you ready? Scott's diary is about Captain Picard's best friend.
Scott's memoirs. February 28, 2047.
"I'm a captain. I'm not sure what I've seen is a captain Picard. I have my own hands: http://78.155.207.50/owncloud/index.php/s/JZkseeNj4hb6TD6 . Hopefully, it will be helpful..." I'm curious, what is behind this link?


Solution:


In this task we are looking for the Captain's friend with the nickname "pestovs". Note the detail that he is a speedcuber. The task also attaches a link to OwnCloud: http://78.155.207.50/owncloud/index.php/s/JZkseeNj4hb6TD6 . We follow the link and find that a password is required.


Of course, you could try to brute-force the form, but that is not banned for now... A search for the word "pestovs" returns many people with that name on social networks, but on closer inspection it is immediately clear that none of them is our man. Nickname-search services, as in the previous task, will not help us either. The task went unsolved for almost a day, but we gave no hint, since by the evening there was already one successful flag submission. Some people wrote in Telegram that they could not find the person and asked whether everything was all right with the task. But Telegram was the place to search, not to write ;)


Let's check whether there is a Telegram user with the nickname "pestovs". Ta-dam! There is such a user, he joined a few days ago, and his avatar shows a Rubik's cube; remember, the task said he was a speedcuber?


We dig through his avatars and find a very interesting one: the usual photo with passwords on sticky notes on the monitor and, of course, with a Rubik's cube.


Yes, indeed, lots of passwords, a case just like in the recent news. One of them will surely get us into OwnCloud, and not only there. We make a dictionary of all seven passwords; it may come in handy. Next, we try entering these passwords into the OwnCloud form to see what is behind it.


Great, the fifth password worked, and we see a link to download some dump file. We download it and, after studying it carefully, see that it is a dump of a database table. It contains user logins and their password hashes. Let's try to get inside this cloud storage.


There is only one way out of this situation: try all the logins with the dictionary obtained from Telegram. "Johnny" (John the Ripper) has helped us out in such situations more than once, and Blowfish, with which OwnCloud hashes its passwords, should not be a problem for it. We put together the hash file and set John on it.
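A defender who recovers such a dump wants to know which accounts are actually exposed before anyone runs a cracker over it. As an added example (not from the write-up and not OwnCloud's own code), this Python snippet parses an OwnCloud-style users-table dump and flags unsalted fast hashes and bcrypt rows with a low cost factor; the dump fragment is constructed, the hash values are made up, and both the optional "<version>|" prefix handling and the minimum cost are assumptions.

```python
import re

# Constructed fragment of an ownCloud-style SQL dump of the users table.
# The hash values below are made up and are not real hashes from the CTF.
DUMP = """\
INSERT INTO `oc_users` (`uid`, `displayname`, `password`) VALUES
('pestovs', 'Sergio Pestov', '1|$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'),
('backup', NULL, '$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'),
('legacy', 'Old Import', '0123456789abcdef0123456789abcdef');
"""

# One VALUES row: (uid, displayname or NULL, stored password value).
ROW_RE = re.compile(r"\('([^']*)',\s*(?:'[^']*'|NULL),\s*'([^']*)'\)")
# bcrypt (Blowfish-based) modular crypt format: $2y$<cost>$<22 salt + 31 hash>.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # assumption: local policy threshold for "strong enough"


def classify_hash(value: str) -> tuple[str, str]:
    """Return (algorithm, risk) for one stored password value."""
    # Assumption: some dumps carry a "<version>|" prefix before the hash.
    if "|" in value:
        value = value.split("|", 1)[1]
    m = BCRYPT_RE.match(value)
    if m:
        cost = int(m.group(1))
        return ("bcrypt", "ok" if cost >= MIN_BCRYPT_COST else f"weak cost {cost}")
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return ("md5-like", "critical: unsalted fast hash")
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return ("sha1-like", "critical: unsalted fast hash")
    return ("unknown", "review manually")


def audit_dump(dump: str) -> list[dict]:
    """Parse the INSERT rows and report each account's hash type and risk."""
    report = []
    for uid, stored in ROW_RE.findall(dump):
        algo, risk = classify_hash(stored)
        report.append({"uid": uid, "algo": algo, "risk": risk})
    return report


if __name__ == "__main__":
    for row in audit_dump(DUMP):
        print(f"{row['uid']:10} {row['algo']:10} {row['risk']}")
```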


Excellent! We are saved, we have credentials, and now we try to get inside OwnCloud. The login and password work, and we get into the storage, which holds nothing interesting except a Mario tune, in which it is said that his princess is not in this castle again. But what is this? In the upper right corner we see the user ID and his real name, Sergio Pestov. Here is a clue.


There is nothing else remarkable in the storage. All options are cut off, except that you can change the password, but it is reset every minute and gives us nothing. Let's start searching by the found name and ask Google for help. We find a link to a person with the same name on Twitter Pics, but from the content of the page it is immediately clear that it is not him. Let's go through the "standard" social networks and try to find a person with that name. Luck finds us on Twitter: there is a user with that name, and he has only 2 tweets. In one of them we meet a character already familiar to us from the game about the Italian plumber who keeps hiding the princess from us in a castle. It seems we are on the right track!


We look closely at the second tweet and see, split between the words, a broken bit.ly link. We quickly repair the link, follow it and voila! We land on an image hosting site, where our flag is waiting.


Answer: ctfzone{On3_PaSSworD_mAn}.


One of the BI.ZONE developers: "Watching how my colleagues solved this task, I realized that the most difficult thing was to understand what to look for in Telegram. Most users think that OSINT/CI tasks are limited to Facebook, LinkedIn. This situation happens not only in CTFs, but also in life: 'Yes, just google it, and that's it!' But everything is not so simple."


If you have any questions, or you want to offer your own solutions to the tasks, leave comments or write in our Telegram chat; we will reveal all the secrets to you!


In our chat you asked what other CTFs there are; we have a better offer. On https://tasks.bi.zone the tasks are not only close to reality, but are also available until December 15. Better hurry ;)


Source: https://habr.com/ru/post/316166/