In the footsteps of cyberdetective

All habarovchanin hi!

I had the opportunity to participate in the competition, quite rare in its kind, called Cyber Detective. The competition was held at the conference HackIT-2017, which also took an active part. Assignments are based on the search information in the network. Want to share the experience, ratapani and impressions.

In such CTF participating for the first time. Usually participate in CTF format of jeopardy in which multiple categories (Web, Reverse, Crypto, Stego, Pwn, etc.). In the same competition the developers have done almost all the tasks on the category Recon, and one task for Forensic. But more on that below. Initially participate in the competition not planned, but are interested in the job at social engineering, which gave uniqueness to this contest and got to play for serious.

Set the direction of the Recon, or as they are often called "job OSINT", are resolved by finding information from open sources. To solve these tasks need to be able to use the features of search engines such as Google, Duckduckgo, Shodan, Censys to know about the different public databases, usually public, to understand the features of social networking. Of course, nowhere without social engineering. And it's not all skills which they should possess qualified web intelligence.



Only Cyber Detective 27 was posted assignments that were divided into groups. These groups "branches" had its legend, history, around which revolve tasks and decisions. Visual graph based on tasks taken from the platform above. History unfolds as you solve the current branch, which is much more interesting than reading meager task conditions on a typical CTF. To each story on average, treated 3-4 tasks.

I want to note high level of preparation and sophistication of the platform. On many CTF tensions and disputes between some of the teams and the organizers regarding the honesty of the other teams in relation to the rules of participation. Simply put — is prohibited between the teams / participants to share flags. And it so happens that the team not having won the coveted prize, trying to get it by finding reasons and evidence of the fraud of the winning teams. This is quite low and often does not cause nothing but contempt and lack of respect, as the organizers themselves are trying to catch and punish violators. However, in this platform, information on delivery flag is open to any participant, and allows anyone to analyze the history of the delivery of the decisions of the other participant.

As the mission descriptions will tell not only about the correct decision, but not faithful, and how they led to the answer. Used a lot of interesting services, tools, and approaches. So you need to be attention, tea\coffee and read on.

the

Intro

This starts all other tasks. Without putting this one task, you cannot decide all the rest, but since it was solved quickly, no problems have arisen.



That made it easy. Going to the chat telegram and opening the chat page, you can see the flag. I note that the flags do not have a typical pattern, like a flag{...}, or md5. This makes it difficult to search for it. On the other hand, this format can be placed anywhere, so the developers decided to sacrifice my nerves in favor of a diversity of tasks.
Flag: "Welcome on board!"

the

Internet Profile

Next, it was necessary to begin to solve this category, each job was estimated at 50 points. Here was a simple task on which to exercise. Assignments written in the order in which they were published on the website, but decided they are of course not in that order.

Start

Some social networks have the opportunity to learn information about the page, in particular, is a vk.com knowing the email/phone of the user, as well as his name. This is a bug, or a feature — hard to say, but the drawback is (on hackerone to run to reportit is not :) ).

Logically you would think that mark is the name, but no, it's a name. This has me stumped not for long, and immediately entered "surname". Went to the VC by clicking on the "Forgot password", entered a number, the name, and got a page that no problems can be found through the search. Here is the profile: Orest mark


Flag: "Orest"

Nick

It's all simple, his nickname, is the address on the website of the VC.
Flag: "0n1zz"

Work

Reviewing a lot of groups it subscribes to, as well as briefly glancing at the page on github it came up with the idea that it's Microsoft.
Flag: "Microsoft"

Profession

Decided this job is not right, by continuing to browse the jobs below and extracting as much information from the page, entered values such as Programmer, Developer, etc. Then went to look for the guy in the other SOC. networks, and found him Orest Mark. When searching in the profiles list or in the page information, it says Software Engineer at Microsoft.
Flag: "Software Engineer"

Mail

There was very just, remembered that on his page github seen soap.
Flag: "oreest1987@gmail.com"

Skype

The name of the task suggests on what to look for, the answer to Orest Mark page.
Flag: "orest_mark_87"

Place 1

But with this and the following tasks had a little trouble, because he was formally approached by several variants. Visit to post attached geotag that never came. Looking friends, once it is clear that Mark has a brother, Tenson mark, which also has a geotag. Just looking at Facebook, it became clear where he is.
Flag: "Sinaia, Romania"

Place 2

Response to Facebook page, in the "About me".
Flag: "Kiel, Germany"

Relatives

Considering that Mark has a brother, Tenson mark, hand over the next flag.
Flag: "Tenson Mark"

Hobby

Enough already examining the man, it is clear that he enjoys racing. The correct name of the flag can be found in the lists of groups on VK page, or if you get closer, you see the avatar on his shirt, where was this inscription.
Flag: "Speed racing"

Recreation

Remembering that the VK page of a guy post was attached to the geotag by googling the place, find the solution.
Flag: "Sesena, Spain"

The first branch is closed, the job put, +550 points for literally 20 minutes. It gave a huge incentive to look into it, naively thinking that the next job will be the same light. But look in the end, what is the dossier compiled on the guy. His name is Orest mark, you know its page in the VK, Facebook, Github. Know mail, nickname, phone number. In the same way that he loves, he works, where he works, where he lives, where he was born, who his relatives are, where they live. This branch of tasks is a great illustration of how you can find information about many people through social networks. The collected information is enough to attack his mailing address to try to access accounts on social networks to apply social engineering and learn any other information. But enough of the basic things, will go to the most interesting task of this contest.
the

Family Dramas

Immediately googled person in the room, trying to repeat the trick with the restore page in the VC. Google gave out something interesting, at first glance, "0671710968", especially first page. Did not understand what it means. For lack of other options already decided to dial the number. To my surprise, the girl answered and immediately hung up. The job involves the application of skills of social engineering, as I understood later, which would help to find out the address. Need this to be done not Intrusive, engaging person. Somewhere between 20 and 30 minutes thought on the legend, and 15 minutes left to practice reading so that it is not so much that I read the text, speaking not Intrusive and not monotone. A lot of subtleties that are trying to take into account. Here is the text, which amounted to.

Good evening!

My name is Andrew.

I represent the student movement called "World Frendship". What we do is we bring people together, based on mutual aid. Helping in different life and everyday issues, we find new acquaintances, friends, and also want to give a little bit good mood to people. Want to participate?

— (response)

Then I will tell you a little about our move and what we actually do.

Our movement is organizing many projects. For example, recently we have launched one project, the essence of which is to help foreigners find housing free of charge. The idea is to make new friends, foreign friends, as to have the opportunity to learn a little about the culture of other people, to speak a foreign language, and so on. Perhaps you have heard of similar such projects undertaken in England and the United States. Here.

You I want to offer to participate in another project called "Warm dinner".
The point is that we prepare together with you a meal and spend time in a fun atmosphere. How do you offer?

— (response)

See. You prepare products and recipes that would like to try. Two of our students, usually a boy and a girl come to you and cook. Then you can play some Board games or go for a walk. Well, do you agree?

— (response)

Then you need to clarify a couple of things. Tell me, what is your name?

— ...

And tell your address

Address learn failed. But then I had to call back because the address is a bit do not understand, and supposedly now specify the map address for directions. In the course of the conversation realized that too much information, need more communication. However, as later admitted by the developers, it was the best attempt of all who have received and not received the address. To Kevin Mitnick to me of course and far, and carding are not engaged, but for the first time will descend. I want to note that this job began to solve the CTF, has attracted an unusual and very interesting format to generate a response. I think the admins haven't slept for days, as many of the participants, and decide they're round 24 hours. Then I suggested, could be back in the telegram to write this number, and would have answered, it's done, I think, for foreigners. Although of course there is not the drive, risk, emotions. On the phone need to respond quickly to questions that could not be provided, and the quality of responses depended on the literacy and thoughtfulness of legends. Having a great experience, new experiences are more like to continue to decide. However, this interesting exercise was estimated at 100 points, not pleased, not fairly allocated the points for this task in my opinion. To the players in the top skorbord was far away, but two sleepless nights to fix it.
Flag: "Odessa, Palubnaya, 7"

the

Retribution

Then took this category, because judging by the number of decision jobs from her, she wasn't supposed to be hard.

Step #1

At the time of writing, Google has not issued absolutely no information on this strange address. It's not base64 or any other encrypted text, as I first thought. It was logical then to assume that this is the onion online. After downloading a Tor browser in a few minutes beheld this site. At the time of this writing, a search that has already zakeshirovalo and this greatly facilitates the process of solving this task.



Here's a site opened and received its first flag.


Flag: "HACK IN the DARK"

Step #2

This task was not simple and depends on it for a long time. On the page below there have been proposals to crack various addresses, accounts in social networks, breaking simcard, and even learning to hack. Here is a small part of the list of services.



Clicking on one of the services get the QR code.



Explanation: DRYcucyK5Hfc3A4hit9KqsKm5FwxHJYSdk

During the CTF, these QR codes are changed, which complicates the solution a bit confusing. One of these codes successfully deciphered using base64 decoder, and received a rather cryptic text, had gone the wrong way, examining what it is. Then I finish that at the bottom of the page there is a mention of such a thing as dogecoin, and it immediately became clear that this cryptocurrency. Now, when writing this description, in principle, it seems obvious, but at the time it wasn't. Googling, I learned that dogecoin is Aldon, based on the blockchain. Go to the website Dogecoin registered the purse, trying to deal with it. But it was easier, it was necessary to see the transaction history for the current wallet. Here's a list of translations for this wallet.



With cryptocurrencies have experienced, but to track transactions not accounted for, and it turned out to be a problem for me. Here shipping coins through intermediate wallets, which send these coins to other wallets and so on. This whole circuit can be tracked through the program Maltego, is included with the Parrot and KaliLinux OS and also you can use online services that would be able to do it automated. In the process of solving've done quite a simple way — click on the transaction with leaving the coins from the purse, choosing the largest amount. As a result of several transitions found a purse, which receives the coins. Of course much would have complicated the work of different mixers, but the developers decided not to complicate and without that hard life of the participants.
Flag: "DMqh6vFJ5LpdEbJnW5NYhwRmW5tAC69Umg"

Step #3

This job was very simple, a few minutes did. Had to Google wallet, its mentioned on several forums, here is the forum, which attracted my attention because of one positive review.
Flag: "w3bg00dua"

Step #4

Here is the developers job is played for the ease of the previous job. Had to Google this nickname, finding nothing. Small changes in a nickname too, didn't help. Facebook, VK, too, failed, like telegrams. But in the process of searching found a wonderful tools pribivaniem in many social networks. Working on the basis that many social networks allow to assign to the account a shortened url address which is often the name of the person. That's what gave the service.


Interested in the account Github, which was one repository, and the description at the bottom was the email address for feedbacks or suggestions.



With the email too long morochata, he wasn't fit. After a while I figured to introduce google+, where I received a link to the account of a certain GlebReed.
Flag: "Gleb Reed"

What is the result of this thread? +1000 points, a lot of hours spent on the study of erroneous solutions. What is the result of the analysis of this legend? Even if a person has a website in Tor and he is not attentive to the information about it online, it can be tracked. On the wallet, nickname, email, some posts, and so on, and this is done only through search of information from open sources, not to mention a variety of closed bases, or other features that are owned by intelligence agencies.

the

Internet Fraud

Step #1

Permanently stuck on this mission. But this is due to lack of experience. Solved is not difficult, though the site itself has raised many questions that have not managed to find the answer. By accessing the site you see this greeting.



Scanned the website on the subdirectory utility dirsearch, and it became clear that the site runs on Wordpress. Of course, the habit began to scan wpscan-Ohm, and other tools to look for vulnerable plugins, but doing so is not worth it.



I went to authorization page, click on "Lost your password?" and get on the page.



By accessing some of the pages I was redirected to a default page that you saw when opening the site. However, on the website found nothing and started googling. Query "site:shop.cyber-detective.hackit.ua" nothing is given. But going to the online Web Archive, found many interesting things. This service allows you to store snapshots of websites. Even if a site is deleted, it is possible to view html page and some images. It is also possible to take pictures of the site. There are pictures in 2 days.



Pictures for the 3rd number, there is nothing interesting, but for the 5 th visit Contacts there is email and Skype.



You should pay attention to the fact that here the curve layout. This is done on purpose, or webarchive did it himself, is not known, but going to the element inspector, you can see that the email is separated by tags. However, this email is incorrect, you need to keep looking. Search Skype wouldn't work, as the search for niknayman. The answer lies on the The best clothes wholesale in UkraineinWomen's clothes Spring 2017. Inside the file there is nothing interesting, but in the properties was the author, a nickname which was part of the necessary addresses.


Flag:"salesmanager@shop.cyber-detective.hackit.ua"

Step #2

Once it is clear that there is flag an IP address. Most likely the IP of the recipient of the letter. Sent an email to this email address. There was no answer. I must say that sending a letter to info@shop.cyber-detective.hackit.ua came a letter with the message that it is not delivered. Since the answer to my last letter was not followed, I began to make a sniffer to intercept the IP address of whoever opens it. Here's a sniffer I came up with.
the

<html>
<head>
</head>
<body>
Good evening!
Why doesn't the site <a href="http://mydomain/index.php">shop.cyber-detective.hackit.ua</a>? 
<img src="http://mydomain/opened/index.php" width="1" height="1">
</body>
</html>

When you use of course was not mydomain. On my server there was two scripts, one of which gave a pixel and both wrote down the IP, UserAgent and other information. Such a script everyone will be able to write myself. However, it didn't work, I do on the server is not tapped. But a few hours later, the mail came this letter (on the serv bot stood that all e-mails answered the same way).



Look detailed information about the letter.




Flag:"195.64.154.110"

Step #3

Having little experience in searching by name, by name, and a large register recorded, suggested that it can be found in some public registry.
Minut perfectly with it. Enter name, get three people. Empirically determine that the person with the location registration of the case "the Department restrac Harsco MSCo for the sake of" choice.


Flag:"80577109515"

Another thread closed and got +700 points. Hard was given only the first task, but we can say that the branch is not complicated.

the

OLX Fraud

Next, I will describe the branches that caused a lot of difficulties, had a lot of false paths and the solution of these tasks took a lot of time. I will describe with increasing complexity. OLX branch one of these simple.

Step #1

Then started to compile a dossier with all the information I found anywhere. Know what? The guy's name is Igor, phone number 380983607320, lives in the Chervonozavodsky district in Kharkov, and his farm here is a "mining farm AMD BOX 6 GPU 580 RX 180мх/s". Found a guy in the telegram, he wrote, tried to call but no one answered, and then strongly in the direction I went, as it was then understood. First tried to weed out those in the VC who's name is Igor, their approximately 2 million. Chose a male gender, Ukraine, Kharkiv, turned out somewhere in the 22 thousand. Perhaps we would have to find something if the name was more exotic. Out of the 22 thousand someone out. The gugleniya pictures gave nothing, but the gugleniya the name of the farm gave something interesting. Came across ads on other sites, so for example this. I immediately thought that the right to decide, since the photos are identical. Kept looking and came across an ad in the VK not long ago it became possible to sell the product there. Found the page guyand spent a lot of time to learn close to the man. It was a false trail. Returning to this job after passing some others, continued to deal with the telegrams account, wrote again and called, and like last time, nobody answered. After a time, unable to understand how to find the nickname in the telegram, knowing the phone number. And it was the right direction. The telegram added contact, the result is below. You can try to write something, but did not answer.



Then you need to go to account like in the first picture, and in the top right menu, press the "Delete" button. A couple of seconds and look like this.


The point is that when you delete this contact, then the application does not throw in the conversation list, and the contact disappears (where, for example, then put it in correspondence), and the developers of telegram decided room\name, replace the nickname (and again no need to run on hackerone to scribble report). Nickname — Gh0stbust3rs. Take the previously mentioned tools. Here again there was a huge number of wrong moves, because accounts with the same name a lot. The right decision was to choose the VK page of this man — ed Vysotsky. Then you need to go to the group that he signed and immediately rushed the group with a small number of subscribers and a strange name.



The administrator of this public Anna Gosteva, which has a family situation with ed Vysotsky, so it's our goal.
Flag: "04.06.1991"

Step #2

Punch the girl, her nick in a VK.gosteva91 and use tools, which has become my faithful ally against the battle with the tricky tasks of this CTF. Find this account and opened via the mobile app. The subscribers find it guy in the instagram.





He has a photo with a geotag, a residential complex.


Flag:"LCD "5th Avenue"" (standard flag double quotes)

It should be noted that the complexity of the branches, mainly, is that the scammer took the photos\Internet materials, and this greatly complicated the search. Cost for this branch to give more than +300 points. But in any case it's not the most complex branch.

the

Facke accounts

Step #1

This thread seemed the most difficult. Asking about right decision the developers realized that it is much easier, but is done through a method known to very few. However, I understand the first false path, then how is done and how to do it. There are Natalia Afian. Need to find a restaurant, remember. Research page of this fake. That's fotografiathat gives the owner of the original page. A real man is Olga Dyakova, which works in Slow Food Kiev. Feeling that it is not easy, analyze it the page does not help. Find several articles about it, here is a one, which, by the way, was taken almost all the photos for a fake account. The study of this material gave nothing. Then began to analyze the huskies who stand at some of the posts on the wall. Did not notice anything special. Repost was on the wall from popular pages, also look there is not an option. Remained analyze friends fake, which she 133. Under fresh Cup of coffee began to open each page. People whose page is not in Russian, or English passed. The result is allocated to a page — Mariya Odintsova. Studied at KHNURE, Kharkiv and raised the posts on the wall, there are two similar posts with Natalia Afian. Studying the repoststhis and ATAGO posts, studying those who did repost, I see the following.



Natalia Odintsova Afian and Mariya already know, that's what the first two humans is not clear. Vladimir Kulakovskii was a random user, but the Olga Perunova turned out to be very similar to fake. Checked — in friends of Natalia Afian available. What would it be? People registered not one, but three fake account, added to every account, lots of friends and other well established fakes. Moreover, did all three pages repost 2 same records. It's weird, but seeing that it was created artificially, you know that you progress. Here again stuck as on any page does not have any useful references to anyone else. After a few hours of study friends realized that at least one account is found in friends of all three fakes — Oleg Stanov. On his page there is postin the photo which shows a personalized restaurant napkin holder.
It turns out, moreover, that was created three accounts that were added each other as friends, and did the same repost, so the scammer also added friends to their accounts. Only after the delivery of the flag occurred, that learning three fake account, it was possible to look for the service to build social graphs, met such for VC and on the basis of three fake accounts to find out who unites them. Must be for Facebook. An example of such a social graph below, taken from the Internet and perfectly illustrates why such a build.



Now, as the cost to solve it. Some of the above fakes laykali here Atat Atat posts Natalia Afian. Among likes was found, and Oleg Stanov. But it is not clear that he is the center of all this business, we need to continue to gather information. Going to those who like Natalia Afian, you can select Mariya Odintsova according to the method described above. Now let's use this feature of Facebook, which is not in the VC. Go to reset page password, enter the name and surname.









Clicking on "Reveal my trusted contacts", enter the selected name "Odintsova Mariya". In the list of trusted friends fake that was found earlier and the page Creator. Further, the steps of the method above.


Flag:"Stargorod"

Step #2

Studying the page, it appears that the person likes tennis. In this the public, who signed the person has postin the comments to which unsubscribed goal.


Flag:"Oleg Sotnichuk"

As I hinted in the process of writing, in life there are similar cases and are real people who are so stupid tie fake accounts, at first not even believe it. For those who does — read this article and don't be stupid and better get busy.

the

and black bookkeeping Business

This branch is not the most complicated or intricate, but so it was that seriously her in the end, and other top players also handed over the job from her last. It's fair to talk about this thread at the end.

Step #1

Here's a site opened.



Before you get on the right trail, came across a few about. For example, there were several sites that look like the interface, such as this. Also Google provides the cached page, which at the time of passage of the CTF was gone. A request to Google was site:company.cyber-detective.hackit.ua.



Remembering a web archive of past jobs, also went on the wrong track. Really should find a subdomain of the current site that was not a simple task, and nowhere is this domain cached was not. Helped utility knockpy.



The resulting cloud.

Step #2

This task was the most fun among all, performed it in a cafe in prikusku with the pizza and 2 hours of well-chosen songs was very welcome. The solution is obvious, as this is not a standard CTF and no complex steganography should not be here. Between songs was inserted a piece of the conversation of the Director with a subordinate in which the subordinate reported important information. To find a song enough, Windows Media Player, slowly flipping through a music track forward. For lovers of soft screenshot below. The conversation lasted 15 seconds.


Username: director
Password: Vladimir-1985

Aduacity, the program is often used in tasks with musical steganography, good shows inserted the conversation. Return to cloud. After extracting some files from the recycle bin, we have the following.



Immediately drew the picture with the name Paris.jpg but the flag never came. In the folder Photos From Holidays was such pictures that, in my opinion is too cool for photos for the average person. Maybe it's like a picture-memories of a man who had been there.



Study the exif files with the help of this service nothing is given. But the pictures were similar, perhaps. Using Google search, each picture is given about the following.


Flag:"San Francisco"

Step #3

In the pasted image checksums for files, calculated using the program 7-Zip.
This Tusk was from the category of Forensic. In the cloud was a file "Private Files.tc", and the job was offered to download "20170906.mem". The first file was a TrueCrypt container, the second memory dump file, which is hidden session keys from the container. To resolve tried utilities such as pytruecrypt (decrypted by using the extracted keys), volatility, Forensi Elcomsoft Disk Decryptor. Came program Passware Kit Forensic, but decoding was not immediately apparent. Under this cryptocotylar went Passware Kit Forensic only a specific version.



The decryption process is simple, the menu is "Full Disk Encryption"- > "TrueCrypt", then specify the path to the container and dump. Next, the decryption process.



The output is an image that can be mounted in any convenient way. Decrypted inside the container turned out to be folders in which still a lot of folders in which still a lot of folders.



The correct folder to find just enough to see its size and the number of its files. The result found Exel document.


Flag:"26,542,579,522.00"

I had the opportunity to participate in a unique CTF which had a huge amount of custom jobs that I meet for the first time. Successfully came out to take third place, though, having more prior experience would be able to achieve more. Ogro Article based on information from habrahabr.ru