
Hello, Habr readers!
I happened to take part in a rather rare kind of competition called Cyber Detective. It was held at the HackIT-2017 conference, where I also took an active part. The tasks are based on finding open information online. I want to share my experience, writeups and impressions.
This was my first time in a CTF of this kind. I usually play jeopardy-style CTFs with several categories at once (Web, Reverse, Crypto, Stego, Pwn, etc.). In this contest the organizers made almost all of the tasks for the Recon category and one task for Forensics, but more on that below. Initially I had not planned to take part, but I was intrigued by the social engineering task, which later gave this competition its uniqueness and made me play seriously.
Recon tasks, or "OSINT tasks" as they are often called, are solved by finding information in open sources. To solve them you need to be good at using the features of search engines such as
Google,
DuckDuckGo,
Shodan,
Censys, know about the various public databases, and be well versed in the features of social networks. And, of course, you cannot get anywhere without social engineering. That is far from the full set of skills a qualified internet reconnaissance specialist should have.

A total of 27 tasks were posted on Cyber Detective, divided into groups. These groups, or "branches", each had their own legend, a story around which the tasks and solutions revolve. A visual graph of task dependencies taken from the platform is presented above. The story unfolds as the branch is solved, which is much more interesting than reading the meagre statement of a task on a typical CTF. Each story had 3-4 tasks on average.
I want to note the high level of preparation and the sensible design of the platform. On many CTFs tensions and disputes arise between some teams and the organizers about other teams' honesty regarding the rules; simply put, exchanging flags between teams/participants is forbidden. It happens that a team that did not get the prize it wanted tries to get it by looking for reasons and evidence of cheating by the winning teams. This is rather low and usually earns nothing but contempt, since the organizers themselves try to catch and punish violators. On this platform, however, flag submission information is open to every participant, so anyone can analyze the submission history of any other participant's solutions.
As I describe the tasks I will talk not only about the right solutions but also about the wrong ones, and how they led to the answer. Many interesting services, utilities and approaches were used. So stock up on attention and tea/coffee, and read on.
Intro
The solution of all the other tasks starts from this category. Without submitting this one task it is impossible to solve the others, but since it was solved quickly there were no problems.

It was easy to find: going into the Telegram chat and opening the chat page, you could see the flag. I want to note that the flags do not have a typical template like flag{...} or an md5 hash, which makes them harder to spot. On the other hand, such a format cannot be placed everywhere, so the developers decided to sacrifice my nerves for the sake of task diversity.
Flag: "Welcome on board!"
Internet profile
It was worth starting with this category; each task in it was worth 50 points. These were simple tasks to warm up on. The tasks are written in the order in which they were published on the site, but of course they were not solved in that order.
Start

Some social networks let you find out information about a page if you know the user's email/phone and their last name; in particular this applies to
vk.com. Whether this is a bug or a feature is hard to say, but it is a flaw (not one worth filing a HackerOne report about :)).
It would be logical to think that Mark is the first name, but no, it is the last name. This put me at a dead end for a short while, because I did not enter it in the "last name" field right away. Then I went to VK, clicked "Forgot your password", entered the number and last name, and got a page that can easily be found through search. Here is the profile:
Orest Mark
Flag: Orest
Nick

Elementary: his nickname is the address of his VK page.
Flag: "0n1zz"
Work

After looking through many of the groups he is subscribed to, and a quick glance at his GitHub page, the idea came that it was Microsoft.
Flag: Microsoft
Profession

I did not solve this task immediately; I kept looking at the tasks below and extracting as much information as possible from the page, entering values such as Programmer, Developer and so on. Then I went looking for the guy on other social networks and found
Orest Mark. In the list of profiles in the search results, or in the page information, it says he is a software engineer at Microsoft.
Flag: "Software Engineer"
Mail

Very simple: I remembered seeing the email on his
GitHub page.
Flag: "oreest1987@gmail.com"
Skype

The task name itself suggested what to look for; the answer is on the
Orest Mark page.
Flag: "orest_mark_87"
Place-1

I had to tinker a bit with this and the following tasks, since several options formally fit. A geotag is attached to a
post on the page, but it does not fit. Looking through his friends, it is immediately clear that Mark has a brother,
Tenson Mark, who also has a geotag. A look at Facebook made it clear where he was from.
Flag: Sinaia, Romania
Place-2

The answer is on the Facebook page, in the "About" section.
Flag: Kiel, Germany
Relatives

Given that Mark has a brother,
Tenson Mark, we submit another flag.
Flag: Tenson Mark
Hobby

Having studied this person enough by now, it is clear that he is interested in racing. The exact wording of the flag can be found in the list of groups on his VK page or, if you look closely, on the T-shirt in his avatar, which bears this inscription.
Flag: Speed racing
Recreation

Remembering the geotag attached to a
post on the guy's VK page, we look up the place and find the solution.
Flag: Sesena, Spain
The first branch is closed, the tasks submitted, +550 points in literally 20 minutes. This gave a huge incentive to dig further, naively assuming the following tasks would be just as easy. But let's see in the end what dossier was gathered on the guy. His name is Orest Mark; I know his pages on
VK,
Facebook and
GitHub. I know his email, nickname and phone number. I also know what he loves, what he does for work and where, where he lives, where he was born, who his relatives and loved ones are and where they live. This branch of tasks is an excellent illustration of how much can be found out about many people through social networks. The collected information is enough to attack his email address, try to get access to his social network accounts, apply social engineering and find out any other data. But enough of elementary things; on to the most interesting task of this competition.
Family dramas

I immediately googled the person by number and tried to repeat the trick with page recovery in VK. Google returned something that looked interesting at first glance for the query "0671710968", especially the
first page, but I did not understand what it meant. Having no other options, I decided to dial the number. To my surprise a girl answered and immediately hung up. As I understood later, the task involved using social engineering skills to find out the address. This had to be done unobtrusively, by asking the person. For 20-30 minutes I thought about a legend, and it took about 15 minutes more to practise reading it so that it was not very noticeable that I was reading from a text, speaking unobtrusively and without monotony. There were many subtleties I tried to take into account. Here is the script I wrote.
Good evening!
My name is Andrey.
I represent a student movement called World Friendship. We are committed to bringing people together on the basis of mutual assistance. By helping with various everyday and household matters we make new acquaintances and friends, and we also want to give people at least a little good mood. Would you like to take part?
- (answer)
Then I will tell you a little about our movement and what we actually do.
Our movement organizes many projects. For example, not long ago we launched a project whose essence was helping foreigners find housing for free. The idea is to make new acquaintances and foreign friends, to learn a little about other people's culture, to practise a foreign language, and so on. Perhaps you have heard of similar projects being carried out in England and the USA. This is the same thing.
I would like to offer you participation in another project called "Warm Dinner".
The bottom line is that we cook together with you and spend time in a fun atmosphere. How do you like the idea?
- (answer)
You see, you choose the food, as well as recipes you would like to try. Two of our students, usually a boy and a girl, come to you and cook. Then you can play some board games or go for a walk. Well, do you agree?
- (answer)
Then we need to clarify a couple of points. Tell me, what is your name?
- ...
And tell me your address
I did not manage to get the address on the first try. Then I had to call back, because I had supposedly not quite understood the address and was now checking it on the map to plan the route. Already during the conversation I realized I was giving too little information and needed more conversation. However, as the developers later admitted, it was the best attempt of all the participants, whether they obtained the address or not. Of course, I am far from Kevin Mitnick and I do not do carding, but for a first time it is fine. I want to note that it was this task that got me started on the CTF; its unusual and very interesting format for obtaining the answer attracted me. I think the admins did not sleep for days, since there were many participants solving around the clock. As I was later told, I could have written to this number in Telegram and would have been answered the same way; I think this was done for foreign participants, although of course that lacks the drive, risk and emotion. On the phone you have to answer questions you could not foresee quickly, and the quality of the answers depended on how well thought out the legend was. Having gained such a cool experience and new impressions, I wanted to keep solving even more. However, such an interesting task was worth only 100 points, which was disappointing; in my opinion the points allocated to it were not fair. The players at the top of the scoreboard were far ahead, but two sleepless nights fixed that.
Flag: "Odessa, Palubnaya, 7"
Retribution
Then I took on this category, since judging by the number of solutions of tasks in it, it should not have been difficult.
Step # 1

At the time of solving, Google returned no information at all on this strange address. It is not base64 or any other kind of ciphertext, as I first thought. It was then logical to assume that it is an onion resource. After downloading Tor Browser, I saw the site within a few minutes. At the time of writing, the search engine has already cached something, which greatly simplifies this task.

Here the site opened, and I received the first flag.
Flag: "HACK IN DARK"
Step # 2

This task was not easy and I was stuck on it for a long time. On the page below there were offers to hack various mailboxes and social network accounts, clone SIM cards, and even to teach hacking. Here is a small part of the list of services.

Clicking on one of the services, I get a QR code.

Decoded: DRYcucyK5Hfc3A4hit9KqsKm5FwxHJYSdk
During the CTF these QR codes changed, which complicated the solution and was slightly confusing. I put one of these codes through a
base64 decoder, got rather incomprehensible text, and went down the wrong path trying to work out what it was. Then I noticed that the bottom of the page mentioned Dogecoin, and it immediately became clear that this was a cryptocurrency address. Now, as I write this description, it seems obvious, but it did not seem so at the time. Googling told me that Dogecoin is an altcoin based on a blockchain. I went to the
Dogecoin site, registered a wallet and tried to figure it out. But everything turned out to be simpler: it was necessary to review the transaction history of the given
wallet. Here is the list of transfers for this wallet.

I had come across cryptocurrencies before but had never had to track transactions, and this turned out to be a problem for me. Here the coins are transferred through intermediate wallets that send them on through other wallets, and so on. The whole scheme can be traced with Maltego, which ships with Kali Linux and Parrot OS, and there are also online services that do it automatically. While solving, I did it in a rather simple way: on each wallet I clicked the outgoing transaction with the largest amount. After several hops I found the wallet where the coins ended up. Of course, mixers would greatly complicate the work, but the developers did not make the participants' already hard life any harder.
Flag: "DMqh6vFJ5LpdEbJnW5NYhwRmW5tAC69UmG"
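The hop-by-hop walk described above, as an added example (not code from the writeup, and not Maltego). The ledger is a constructed toy; wallet names and amounts are made up, and in practice the lists would be filled from a block explorer's per-address transaction history. Besides the "largest outgoing transfer" walk used during the CTF, it also follows every transfer that carries a significant share of a wallet's outflow, which is what you need once a scheme starts splitting funds the way a mixer would.

```python
"""Follow coins hop by hop through intermediate wallets.

Added example, not from the original writeup. The ledger is a constructed
toy (wallet names and amounts are made up); a real run would fill it from
a block explorer's per-address transaction list instead.
"""
from collections import defaultdict

# Constructed sample ledger: (txid, from_wallet, to_wallet, amount). Not real
# Dogecoin data. W_start stands for the wallet taken from the QR code.
LEDGER = [
    ("tx01", "W_start", "W_hop1",   900.0),
    ("tx02", "W_start", "W_change",  50.0),   # change back to the seller
    ("tx03", "W_hop1",  "W_hop2",   895.0),
    ("tx04", "W_hop1",  "W_fee",      5.0),
    ("tx05", "W_hop2",  "W_hop3a",  450.0),   # mixer-like split
    ("tx06", "W_hop2",  "W_hop3b",  445.0),
    ("tx07", "W_hop3a", "W_final",  450.0),
    ("tx08", "W_hop3b", "W_other",  445.0),
]


def build_graph(ledger):
    """Map each wallet to its outgoing transfers."""
    out = defaultdict(list)
    for txid, src, dst, amount in ledger:
        out[src].append((txid, dst, amount))
    return out


def trace_largest(graph, start, max_hops=64):
    """The manual method from the writeup: from each wallet follow only the
    largest outgoing transfer until a wallet with no outgoing transfers is
    reached. Returns the path of wallets visited; stops on a cycle."""
    path = [start]
    seen = {start}
    current = start
    for _ in range(max_hops):
        outgoing = graph.get(current, [])
        if not outgoing:
            break
        _, nxt, _ = max(outgoing, key=lambda o: o[2])
        if nxt in seen:
            break  # funds looped back; peel chains can do this
        path.append(nxt)
        seen.add(nxt)
        current = nxt
    return path


def trace_significant(graph, start, min_share=0.25):
    """Generalisation: follow every outgoing transfer carrying at least
    min_share of a wallet's total outflow and return all terminal wallets.
    This catches splits that the 'largest only' walk silently ignores."""
    sinks = set()
    stack = [start]
    seen = set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        outgoing = graph.get(current, [])
        if not outgoing:
            sinks.add(current)
            continue
        total = sum(amount for _, _, amount in outgoing)
        for _, dst, amount in outgoing:
            if amount >= min_share * total:
                stack.append(dst)
    return sinks


if __name__ == "__main__":
    g = build_graph(LEDGER)
    print(" -> ".join(trace_largest(g, "W_start")))
    print(sorted(trace_significant(g, "W_start")))
```

On the toy ledger the largest-only walk ends at W_final, while the share-based walk also reports W_other, because the 450/445 split at W_hop2 is a near-even fork that the first method discards.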
Step # 3

This task turned out to be very simple; I did it in a few minutes. It was necessary to google the wallet; it was mentioned on several forums, and this is the
forum that caught my attention thanks to one positive review.
Flag: "w3bg00dua"
Step # 4

Here the task developers made up for the ease of the previous task. I googled this nickname a lot and found nothing. Small variations of the nickname did not help either. Facebook and VK gave no results, nor did Telegram. But in the process of searching I found a wonderful
service for looking up a username across many social networks. It works on the basis that many social networks let you assign a short URL to your account, which is often the person's nickname. This is what the service returned.

I was interested in a
GitHub account with one repository, at the bottom of whose description was an email for feedback or offers.

I fooled around with the email for a long time too; it did not fit anywhere. After a while I thought to search it on Google+, where I got a link to the account of a certain
GlebReed.
Flag: "Gleb Reed"
What is the result of this branch? +1000 points and many hours spent working through erroneous solutions. What is the result of analyzing this legend? Even if a person has a site on Tor, if he is not careful with the information about himself on the network, he can be tracked. There is a wallet, a nickname, an email, some posts and so on, and all this is done solely by searching for information in open sources, not to mention the closed databases and other capabilities available to the special services.
Internet fraud

Step # 1

I was stuck on this task for a long time, but that was due to lack of experience. Solving it is not difficult, although the site itself raised many questions I could not answer. Going to the site, I see this greeting.

I scanned the site's directories with the dirsearch utility, and it became clear that the site ran on WordPress. Out of habit I of course started scanning with wpscan and other utilities, looking for vulnerable plugins, but it was not worth it.

I go to
the login page, click "Lost your password?" and land on a page of the site.

On accessing some pages I was redirected to the default page I had seen when opening the site. I found nothing on the site itself and started googling. The query "site:shop.cyber-detective.hackit.ua" gave nothing. But going to the
Web Archive, I found a lot of interesting things. This service stores snapshots of sites: even if a site has been deleted, its HTML pages and some images can still be viewed, and you can also take snapshots of a site yourself. There were snapshots for two days.

In the snapshots for the 3rd there is nothing interesting, but in those for the 5th, the
Contacts page has an email and a Skype name.

Note the broken layout. Whether it was done deliberately or the Web Archive did it is unknown, but in the element inspector you can see that the email is split by tags. However, this email is wrong; you need to keep looking. Searching for the Skype name gave nothing, nor did searching by nicknames. The answer lies
in the "women's clothes Spring 2017" file. There is nothing interesting inside the file, but in its properties the author's nickname was part of the required email.
Flag: "salesmanager@shop.cyber-detective.hackit.ua"
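The "look in the document properties" step, as an added example (not from the writeup). Modern Office files (.xlsx, .docx, .pptx) are OOXML zip packages, and the author lives in docProps/core.xml as <dc:creator>, with the last editor in <cp:lastModifiedBy>. The sample document below is built in memory so the script runs offline; its author strings are made up. Legacy .doc/.xls files are OLE2 compound files, not zips, and would need a different parser (olefile, for instance).

```python
"""Pull the author out of an Office (OOXML) document's metadata.

Added example, not from the writeup. The sample document is constructed
in memory with only the metadata part; author names are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_document(author, last_modified_by):
    """Constructed minimal OOXML package: just [Content_Types].xml and core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], escape(author), escape(last_modified_by))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def office_authors(data):
    """Return {'creator': ..., 'last_modified_by': ...} from OOXML bytes,
    or None if the data is not a zip or has no core-properties part."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return None
    with zipfile.ZipFile(stream) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        node = root.find(tag, NS)
        return node.text.strip() if node is not None and node.text else ""

    return {"creator": text("dc:creator"),
            "last_modified_by": text("cp:lastModifiedBy")}


if __name__ == "__main__":
    # Author value chosen to mirror the task; the document itself is fake.
    print(office_authors(build_sample_document("salesmanager", "salesmanager")))
```

The same two fields are what the file-properties dialog shows; pulling them programmatically lets you run the check over a whole directory of downloaded price lists at once.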
Step # 2

It is immediately clear that the flag here is an IP address, most likely the recipient's. I sent a letter to this email. There was no reply. It must be said that sending a letter to info@shop.cyber-detective.hackit.ua produced a bounce saying it was not delivered. Since there was no reply to my previous letter, I started putting together a "sniffer" to capture the IP address of whoever opens it. Here is the sniffer I came up with.
<html><head></head><body>
<!-- greeting text omitted; the link is the bait -->
<a href="http://mydomain/index.php">shop.cyber-detective.hackit.ua</a>
<!-- 1x1 pixel: loading it reveals the reader's IP and User-Agent to my server -->
<img src="http://mydomain/opened/index.php" width="1" height="1">
</body></html>
When used, of course, it was not mydomain. There were two scripts on my server, one of which served the pixel, and both logged the IP, User-Agent and other information. Anyone can easily write such a script. However, it did not work: nobody hit my server. But after a couple of hours the following letter arrived in the mailbox (there was a bot on the server that replied to all messages the same way).

We look at the detailed information about the letter (its headers).

Flag: "195.64.154.110"
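Reading the originating address out of the letter's headers, as an added example (not from the writeup, and the message below is constructed: hosts, domains and addresses are made up, and the real letter's headers are not reproduced). Each relay prepends its own Received: line, so the sender's hop is the last one in the header block; hops that carry only RFC 1918, loopback or link-local addresses (a webmail backend, a NATed client) are skipped. The 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are deliberately treated as routable here so the sample runs; Python's ipaddress.is_global would reject them.

```python
"""Find the originating IP of a received email from its Received: headers.

Added example, not from the writeup. RAW_MESSAGE is constructed; hosts,
domains and addresses are made up.
"""
import ipaddress
import re
from email import message_from_string

RAW_MESSAGE = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.10])
\tby inbox.example-receiver.test with ESMTPS; Wed, 6 Sep 2017 12:00:03 +0300
Received: from mail.shop-example.test (mail.shop-example.test [198.51.100.25])
\tby mx.example-receiver.test with ESMTP; Wed, 6 Sep 2017 12:00:02 +0300
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.shop-example.test with ESMTPA; Wed, 6 Sep 2017 12:00:01 +0300
From: sales@shop-example.test
To: me@example-receiver.test
Subject: Re: order

Thanks for your order.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Only these are skipped; documentation ranges are kept so the sample works.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def is_routable(addr):
    return not any(addr in net for net in NON_ROUTABLE)


def received_hops(raw):
    """Received: headers in delivery order, i.e. the sender's hop first."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw):
    """First routable IPv4 address walking from the sender's hop inward,
    or None if every hop is internal (e.g. webmail behind NAT)."""
    for hop in received_hops(raw):
        # The sending host is described in the 'from' clause, before 'by'.
        from_part = re.split(r"\s+by\s+", hop, maxsplit=1)[0]
        for candidate in IP_RE.findall(from_part):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if is_routable(addr):
                return str(addr)
    return None


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(hop.split("\n")[0])
    print("originating IP:", originating_ip(RAW_MESSAGE))
```

Received: headers below the first one your own server wrote can be forged by the sender; the address is trustworthy only up to the hop added by a relay you control or trust.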
Step # 3

Having little experience in searching by surname, but judging that a person's full name is also recorded in large registers, I guessed that it could be found in some state register.
The Ministry of Justice register handled it perfectly: enter the name, get three people. Experimentally I determined that the person whose registration file is located at the "Department of Registration of Kharkiv Town for the sake of" is the right one.
Flag: "80577109515"
The next branch is closed, +700 points. Only the first task was hard to get through; overall the branch is not difficult.
Olx fraud

Next I will describe the branches that caused a lot of difficulty, had many false paths, and took a lot of time to solve. I will describe them in order of increasing complexity. The OLX branch is one of the non-trivial ones.
Step # 1

Here I started compiling a dossier with all the information I found. What do I know? The guy's name is Igor, phone number 380983607320, he lives in the Chervonozavodskyi district of Kharkiv, and he has a farm like this: "Mining AMD BOX 6 GPU RX 580 180mh/s farm". I found the guy on Telegram, wrote to him and called him, but nobody answered, and then I went off in the wrong direction, as I later understood. First I tried to sift through the people on VK called Igor, about 2 million of them. I chose male, Ukraine, Kharkiv, and got about 22 thousand. Perhaps something could have been found if the name were more exotic, but picking someone out of 22 thousand did not work. Reverse image search gave nothing, but googling the name of the farm gave something interesting: I came across ads on other sites, for example
this one. I immediately thought I was on the right track, since the photos were identical. I kept searching and came across an ad on
VK, where not long ago it became possible to sell goods. I found the
guy's page and spent a huge amount of time getting to know his relatives. It was a false lead. Returning to this task after submitting some others, I kept working on the Telegram account, wrote again and called, and as before nobody answered. After a while I was able to figure out how to find out a Telegram username knowing the phone number, and that was the right direction. I added the contact in Telegram; the result is below. You can try writing something, but nobody will answer.


Then you need to go into the account, as in the first picture, and in the top-right menu click the "Delete" button. A couple of seconds and it turns out like this.

The point is that when we delete this contact, the app does not drop the chat from the conversation list and the contact does not disappear (because, for example, a correspondence with it existed), and the Telegram developers decided to replace the number/name with the username (again, no need to rush to write a HackerOne report). The username is Gh0stbust3rs. I take the previously mentioned
service. Here again there were a huge number of wrong moves, since there are many accounts with this nickname. The right choice was this person's VK page,
Ed Vysotsky. Here you need to go to the groups he is subscribed to, and a group with few subscribers and a strange name immediately stands out.

The administrator of this public page,
Anna Gosteva, whose relationship status points to Ed Vysotsky, is our target.
Flag: 06/04/1991
Step # 2

Looking the girl up: her VK nickname is a.gosteva91, and using the
service that had already become my faithful ally in the battle with this CTF's hard tasks, I find this
account and open it in the mobile app. Among her followers I find her
boyfriend, now on Instagram.


I find that he has a photo with a geotag, a kind of residential complex.
Flag: “5th Avenue LCD” (standard double quotes in the flag)
Note that the complexity of the branch lies mainly in the fact that the scammer took photos/materials from the internet, which greatly complicated the search. This branch deserved more than +300 points. But in any case it is not the hardest branch.
Fake accounts

Step # 1

This branch seemed the hardest. Asking the developers about the intended solution, I realized that everything is much simpler, but it is done through a method known to very few. I will first analyze the false paths, then how I did it, and then how it should have been done. There is
Natalia Afyan. We need to find a restaurant; let's remember that. I study the page of this fake in detail. Here is a
photo that reveals the owner of the original page. The real person is
Olga Dyakova, who works at Slow Food Kiev. Sensing that it would not be simple, I analyze her page in detail; it does not help. I find several articles about her, this is
one of them, from which, by the way, almost all the photos for the fake account were taken. Studying all this material yielded nothing. Then I began analyzing the likes under some posts on the wall. Nothing special. The reposts on the wall were from popular public pages, so looking there is not an option either. It remained to analyze the fake's friends, of whom she had 133. With a fresh cup of coffee I began opening each page, skipping people whose pages were not in Russian or English. As a result one page stood out:
Mariya Odintsova. She studied at KNURE, is from Kharkiv, and what drew attention were the posts on her wall: two are similar to Natalia Afyan's posts. Studying the reposts of
this and
this post, and who did the reposting, I see the following.

Natalia Afyan and Mariya Odintsova we already know, but who the first two people are is unclear. Vladimir Kulakovsky turned out to be a random user, but
Olga Pirunova looked very much like a fake. I checked: she is in Natalia Afyan's friends. What is the result? Someone registered not one but three fake accounts, added many friends to each, including the other fakes he created, and moreover reposted the same two records on all three pages. It is strange, but seeing that it was created artificially, I understand I am moving forward. Here I got stuck again, because not one of the pages had any useful references to anyone else. After several hours of studying friends, I realized that at least one account appears among the friends of all three fakes:
Oleg Stanov. On his page there is a
post in whose photo you can see a restaurant's branded napkin holder.
It turns out that not only were three accounts created, added to each other as friends, and given the same repost, but the fraudster also added them as friends from his own account. Only after submitting the flag did it occur to me that, knowing the three fake accounts, one could look for a service that builds social graphs (I have seen such for VK; there must be some for Facebook) and, from the three fake accounts, find out who connects them. An example of such a social graph is below, taken from the internet and illustrating perfectly why such a graph is built.

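The "who connects the fakes" pivot described above, as an added example (not from the writeup and not any social-graph service's code). The friend lists are constructed placeholders, not the real accounts from the task; in practice they would come from the friend lists exported for each suspected fake. It ranks every account by how many of the suspected fakes it is linked to, checks whether the fakes friend each other (which strengthens the "same operator" hypothesis), and returns the accounts common to all of them.

```python
"""Find the account that ties a set of suspected fake profiles together.

Added example, not from the writeup. FRIENDS is constructed; names are
placeholders, not the accounts from the task.
"""
from collections import Counter
from itertools import combinations

SUSPECTED_FAKES = ["fake_A", "fake_B", "fake_C"]

# Constructed friend lists: account -> set of its friends.
FRIENDS = {
    "fake_A": {"fake_B", "fake_C", "u1", "u2", "u3", "operator"},
    "fake_B": {"fake_A", "fake_C", "u2", "u4", "operator"},
    "fake_C": {"fake_A", "fake_B", "u5", "u6", "operator"},
}


def shared_contacts(friends, seeds):
    """[(account, number of seeds it is friends with)], highest first,
    excluding the seeds themselves. The top of this list is where to look."""
    counts = Counter()
    seed_set = set(seeds)
    for seed in seeds:
        for f in friends.get(seed, set()) - seed_set:
            counts[f] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def mutual_links(friends, seeds):
    """Pairs of seeds that are friends with each other: a cluster of fakes
    that all friend each other is a strong sign of one operator."""
    return sorted((a, b) for a, b in combinations(sorted(seeds), 2)
                  if b in friends.get(a, set()) and a in friends.get(b, set()))


def linked_to_all(friends, seeds):
    """Accounts present in every seed's friend list."""
    seed_set = set(seeds)
    lists = [friends.get(s, set()) - seed_set for s in seeds]
    return set.intersection(*lists) if lists else set()


if __name__ == "__main__":
    print(shared_contacts(FRIENDS, SUSPECTED_FAKES)[:3])
    print(mutual_links(FRIENDS, SUSPECTED_FAKES))
    print(linked_to_all(FRIENDS, SUSPECTED_FAKES))
```

With real data the ranking rarely yields a single name; the useful output is the short list of accounts linked to most of the fakes, which you then check by hand as the writeup did (same reposts, same likes, photos).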
Now about the intended solution. Some of the aforementioned fakes liked
this and
this post by Natalia Afyan. Among the likes is Oleg Stanov, but it is not yet clear that he is the center of this whole business; more information is needed. Going through those who liked Natalia Afyan's posts, we can single out Mariya Odintsova by the method described above. Now we use a Facebook feature that VK does not have: go to the password
recovery page and enter the first and last name.




Clicking "Expand my trusted contacts", you need to enter the highlighted first and last name "Mariya Odintsova". The list of trusted contacts contains the two other fakes found earlier, set up by the page's creator. Then perform the steps from the method above.
Flag: "Stargorod"
Step # 2

Studying the page, it turns out that the person loves tennis. In this
public page, which the person is subscribed to, there is a
post in whose comments the target revealed himself.
Flag: "Oleg Sotnichuk"
As I was told while writing this article, such cases do happen in real life, and there are real people who link fake accounts this foolishly; at first I did not even believe it. For those who do this: read this article and do not do stupid things; better get into business instead.
Business and black bookkeeping

This branch is not the hardest or the most confusing, but it so happened that I took it seriously only at the very end, and other top players also finished its last tasks late. So it is fair to talk about it at the end.
Step # 1

This is the site that opened.

Before getting onto the right trail, I stumbled onto a few false ones. For example, there were several sites with an outwardly similar interface, such as
this one. Google also returns cached pages that no longer existed at the time of the CTF. The query was site:company.cyber-detective.hackit.ua.

Remembering the Web Archive from the previous task, I again followed the wrong track. In fact, it was necessary to find a subdomain of the current site, which turned out not to be an easy task: this domain was not cached anywhere. The knockpy utility helped.

The result: cloud.
Flag: "cloud.company.cyber-detective.hackit.ua"
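The wordlist-based discovery knockpy performs, as an added example (not the writeup's and not knockpy's code). The resolver is a parameter so the logic can run offline against a constructed zone; the default is socket.gethostbyname, which is what you would use against a live domain. The check a practitioner wants on top of the plain loop is a wildcard-DNS test: if a random label resolves, every wordlist entry will "exist", so hits that map to the wildcard's address are discarded.

```python
"""Wordlist-based subdomain discovery with a wildcard-DNS sanity check.

Added example, not from the writeup and not knockpy's code. The wordlist
is tiny on purpose; the zones below are constructed for offline runs and
use documentation addresses.
"""
import random
import socket
import string

SMALL_WORDLIST = ["www", "mail", "cloud", "dev", "vpn", "api", "test"]


def _random_label(n=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def enumerate_subdomains(domain, wordlist=SMALL_WORDLIST, resolve=socket.gethostbyname):
    """Return {fqdn: ip} for every wordlist entry that resolves.

    A zone with wildcard DNS makes everything resolve; detect that by
    resolving a random label first and ignore hits that map to its address.
    """
    wildcard_ip = None
    try:
        wildcard_ip = resolve("%s.%s" % (_random_label(), domain))
    except socket.gaierror:
        pass
    found = {}
    for word in wordlist:
        fqdn = "%s.%s" % (word, domain)
        try:
            ip = resolve(fqdn)
        except socket.gaierror:
            continue  # NXDOMAIN
        if wildcard_ip is not None and ip == wildcard_ip:
            continue  # only the wildcard answered
        found[fqdn] = ip
    return found


def fake_resolver(zone):
    """Resolver over a constructed zone for offline runs. Names not in the
    zone raise socket.gaierror, like a real NXDOMAIN; a '*.<parent>' key
    acts as a wildcard record."""
    def resolve(name):
        if name in zone:
            return zone[name]
        parent = name.split(".", 1)[1]
        if "*." + parent in zone:
            return zone["*." + parent]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed zones (documentation addresses, not real hosts).
PLAIN_ZONE = {
    "www.company.example": "192.0.2.10",
    "cloud.company.example": "192.0.2.20",
}
WILDCARD_ZONE = dict(PLAIN_ZONE, **{
    "*.company.example": "192.0.2.99",
    "vpn.company.example": "192.0.2.99",   # indistinguishable from the wildcard
})


if __name__ == "__main__":
    print(enumerate_subdomains("company.example", resolve=fake_resolver(PLAIN_ZONE)))
    print(enumerate_subdomains("company.example", resolve=fake_resolver(WILDCARD_ZONE)))
```

Against a real target, swap in a larger wordlist and leave resolve at its default; wordlists alone miss names that certificate transparency logs or the Web Archive would reveal, so combine the approaches.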
Step # 2

This task was the most fun of all; I solved it in a cafe with pizza, and two hours of well-chosen songs were a pleasant bonus. The solution is obvious, since this is not a standard CTF and there should be no complicated steganography here. Between the songs a fragment of a conversation between the director and a subordinate was inserted, in which the subordinate reported important information. To find it, Windows Media Player is enough: just skip forward through the track. For lovers of software, a screenshot is below. The conversation lasted 15 seconds.

Login: director
Password: Vladimir-1985
Audacity, a program often used in audio steganography tasks, shows the inserted conversation clearly. Returning to the
cloud: after extracting some files from the recycle bin, I have the following.

The picture called Paris.jpg immediately drew attention, but it did not fit as a flag. In the Photos From Holidays folder there were pictures that, in my opinion, are too good to be an ordinary person's snapshots. Perhaps they serve as a hint for someone who has been there.

Studying the files' EXIF with this
service yielded nothing. But the pictures were similar, perhaps from the same area. Reverse image search on each picture gave roughly the following.
Flag: San Francisco
Step # 3

In the sticky-note photos there were checksums for files, calculated with 7-Zip.
This task was from the Forensics category. In the cloud there was a file "Private Files.tc", and the task suggested downloading "20170906.mem". The first file was a TrueCrypt container; the second was a memory dump in which the container's session keys were present. To solve it I tried utilities such as pytruecrypt (for decryption using extracted keys), Volatility and Elcomsoft Forensic Disk Decryptor. Passware Kit Forensic worked, but it did not decrypt right away: only a certain version of Passware Kit Forensic handled this container.

The decryption process is simple: the menu "Full Disk Encryption" -> "TrueCrypt", then the path to the container and to the memory dump. Then the decryption runs.

The output is an image that can be mounted in any convenient way. Inside the decrypted container there were folders, inside which were many more folders, inside which were many more folders.

The desired folder is easy to find: just look at its size and the number of files in it. As a result I found an Excel document.
Flag: "26,542,579,522.00"
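What "session keys hidden in the memory dump" means in practice, as an added example (not from the writeup, and not what Passware does internally; it is the idea behind aeskeyfind-style scanners). While a volume is mounted, the driver keeps the expanded AES key schedule in RAM: for AES-256 that is 240 bytes, and the expansion is deterministic, so any 32-byte window whose FIPS-197 expansion reproduces the 208 bytes following it is a key. The "dump" below is constructed in memory and the key in it is made up. TrueCrypt volumes use XTS mode, so a real dump holds two such schedules (data key and tweak key) near each other; a real scanner would also try the other cipher key sizes and the cascades TrueCrypt supports.

```python
"""Locate AES-256 key schedules in a memory dump.

Added example, not from the writeup. The S-box is computed rather than
pasted; SAMPLE_DUMP is constructed and SAMPLE_KEY is made up.
"""


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes256_key_schedule(key):
    """FIPS-197 key expansion for a 32-byte key: 60 words = 240 bytes."""
    assert len(key) == 32
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]               # SubWord only (Nk = 8)
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return bytes(b for word in w for b in word)


def find_aes256_keys(dump, step=4):
    """Scan the dump at the given alignment and return [(offset, key_hex)]
    for every 32-byte window whose expansion matches the bytes after it."""
    hits = []
    for off in range(0, len(dump) - 240 + 1, step):
        key = dump[off:off + 32]
        if len(set(key)) < 8:     # zero pages and other low-variety data
            continue
        if aes256_key_schedule(key) == dump[off:off + 240]:
            hits.append((off, key.hex()))
    return hits


# Constructed sample dump: zero pages, a little text, one expanded key, zeros.
SAMPLE_KEY = bytes(range(0x10, 0x30))       # made-up key
SAMPLE_DUMP = (b"\x00" * 1000
               + b"SAMPLE MEMORY PAGE TEXT "    # 24 bytes, so the key starts at 1024
               + aes256_key_schedule(SAMPLE_KEY)
               + b"\x00" * 512)


if __name__ == "__main__":
    for off, key_hex in find_aes256_keys(SAMPLE_DUMP):
        print("AES-256 key schedule at offset %d, key %s" % (off, key_hex))
```

On a multi-gigabyte dump this pure-Python scan is slow; the structure is what matters, and tools such as aeskeyfind or Volatility plugins implement the same consistency check in C. The recovered key is the volume's master key, not the password, which is why a memory image taken while the volume was mounted is enough to decrypt the container without ever learning the passphrase.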
I happened to take part in a unique CTF with a huge number of non-standard tasks that I encountered for the first time. I managed to take third place, although with more prior experience I could have achieved more. Huge congratulations to the winners, who fought for victory for many hours at a stretch without sleep. I was pleased with the social engineering task. There were some not very pleasant tasks, but that is usual on any CTF. The experience was simply colossal. I tried to write the article in as much detail as possible so that anyone interested could repeat my steps and, moreover, understand the false paths and mistakes I made. This will help to solve such tasks much faster in the future. The tasks are available on the
site for another week, go ahead! I advise everyone to be vigilant: in the 21st century a digital footprint is an integral part of life, and you need to think about what you put online.
Dear reader, if you have reached this point, congratulations! I hope you learned something useful from this article. If you have questions or suggestions, message me on
VK or
Telegram, or write in the comments.