PHDays 8: Competitive Intelligence contest writeup

6/4/2018

Held in the weeks leading up to Positive Hack Days, the Competitive Intelligence contest offered a chance to compete at open-source online sleuthing. This year, the contest had a bit of cryptostartup flair: tasks centered around NotSoPositive, a fictional small company holding a typical ICO. The company's imaginary founders and employees, as well as their friends and family, went under the microscope. To succeed, competitors needed to have intricate knowledge of the workings of online services and social networks, combined with skill at making inferences and inspired guesses.

Tasks were designed with both veterans and newbies in mind—anyone could walk away with at least one flag. Many tasks fit with each other in a logical sequence, forming entire storylines. Other tasks could be completed independently of the rest, which was why participants were asked to keep a record of information at each step.

As an easy warmup, a simple Google search was enough to find the company's page, which was the jumping-off point for all the other tasks:

All tasks revolved around eight NotSoPositive employees. Some of them worked on the executive team and others on the development team.

A close look at the site revealed a number of "entry points" pointing the way to start one's efforts. Let's look at each of the tasks in detail.

Adam Wallace, CMO

Questions on the Adam Wallace storyline:

  • What is Adam Wallace's username?
  • What does Adam's son have allergies to?
  • What is Adam's house number?
  • Where does Adam's son study?
  • What is the name of the favorite bar of the CMO?

So after finding the whitepaper on the site, the trick was to upload the PDF to any online service for reading metadata (such as PDFCandy) or open it in Word. In either case, you could find the username of CMO Adam Wallace, a.k.a. "sumcoinz".

Those of the DIY persuasion could open the PDF in their favorite HEX editor and find the username themselves.

To continue on, it was necessary to find an FTP server with the help of Knock Subdomain Scanner. The dnsmap, sublist3r, and sublazerwlst utilities could also be used for this purpose.

As an alternative, one could learn the real IP address of notsopositive.online (which was hidden behind CloudFlare) and scan the entire subnet in search of port 21. There were a variety of ways to complete this task, depending on the skill and personal taste of the participant.

The IP address for the FTP server plus username were sufficient to start a brute-force password attack. The infamous utility THC-Hydra was the tool for this job. It may seem simple enough, but the participants needed to use the entire dictionary of nicknames of NotSoPositive employees. (Incidentally, in the FTP logs we also found attempts to attack the "root", "admin", and "administrator" users).

So with Adam's username (sumcoinz), the trick was to brute-force the password using the most well-known dictionary in CTF circles.

Some participants ran into problems connecting to the FTP server due to a restriction on the number of clients; this configuration error was later fixed. We also changed the FTP password to a simpler one, in order to make the task easier and quicker for participants.

This attack generally took just a few seconds. Then you could connect to the server in whatever way is convenient and discover a heap of disorganized files (it is a personal FTP server, after all!).

Besides installers, you could also find photos containing several flags.

In Adam's messy handwriting, we see the name of his son, school name, school address, and home address. Learning what Adam's son has an allergy to gave another flag. Also on the server was an interesting file named screenshot.jpg:

It's a screenshot of WhatsApp correspondence, presumably between Adam and his friend. Adam's friend is asking about the location of the bar where Adam is. Using any online map of Spokane, you could follow Adam's directions to find his favorite bar (7th Rail).

By the end of the competition, only 20 participants had successfully completed all of the Adam Wallace-related tasks.

Ryan Evans, CTO

Questions on the Ryan Evans storyline:

  • What is his GitHub username?
  • What is his corporate email address?
  • What is the email address of Ryan's wife?
  • What is the username of Ryan's wife?
  • At which resort is Ryan's wife?
  • What is the last name of the friend of Ryan's wife?
  • Where does Ryan's wife work (company name)?

By using utilities such as dirb or the fuzz.txt dictionary to search for folders and files, one could find a folder named .git at the root level of notsopositive.online. This allowed getting all sources from the repository. The next step was to get the source code like so, use GitRipper (targeting the site's real IP address), and extract Git configuration files. Access to /.git/config was also possible through an ordinary browser.

The config file referenced Ryan's GitHub account (github.com/ryanevans0082), from which one could discover his Jabber account:

Sending Jabber messages would have been pointless, but searching for that same username with Google was not a bad idea at all. First flag complete! In the Google search results, click the link to Ryan's Speaker Deck account and view the only presentation on it ("Initial Coin Offering").

Bored to tears by the presentation itself, participants perked up at the last slide: Ryan's email address was there for the taking.

Bruteforcing the password for this email address was impractical. But recovering it by answering the security question, that's a different matter:

Not the most secure question! Answers to such questions can usually be found on social networks. So participants got looking for relevant accounts:

The Twitter results show that familiar bearded face. Yandex, too, offered the account in its search results.

The Twitter feed indicated his grandmother's birthday, April 20.

And by looking closely at the cake, we could figure out her year of birth:

With simple subtraction, we now knew her date of birth: April 20, 1946. But what format did Ryan use to indicate the date in his security question? Scroll down the Twitter feed to the post about his car, a gray Kia Carens, which he bought on October 1, 2014. He gave the date in dd.mm.yyyy format, so likely he used the same format in his security question.

Not all OSINT warriors are car nerds, making it difficult for them to figure out the make and model of Adam's vehicle. If a Google image search or prior knowledge didn't do the trick, you could have tried Yandex, which tells us that we are looking at a Kia Carens.

With the "CTO's car model" flag behind them, participants then needed to enter grandma's birthday in the correct format (20.04.1946) to answer the security question for the Yandex.Mail account.

Then a participant could set a new password (not that it mattered, with each participant resetting the password in any case) and get into Ryan's mail. His outbox contained a message to his wife at the email address evansmegan02282@yahoo.com.

The address was a giveaway to his wife's name—Megan—and a social network search turned up her VK page:

Another way to find Megan on VK was via the password reset form. Request a password reset, indicate her email address, and enter her last name (Evans):

This page was bursting with information:

  • Hometown
  • University
  • Employer (subscribed)
  • Vacation spot (GPS tags in the photo EXIF data)
  • Several photos giving an idea of her appearance
  • Personal interests

Several Megan flags down!

So with all we now knew about Megan, participants were probably wondering: "So why didn't Megan answer Ryan's email with the cat photo?" And truly, something was amiss.

Not many participants were able to guess how to continue—but those who did, finished in the top 10.

After installing Tinder, we emulate geolocation with the help of applications such as Fake GPS; we can also install Tinder on Bluestacks, which supports such emulation out of the box.

From the geotags in the trip photos on her VK page, we were able to figure out that Megan is currently vacationing in Miami. Then participants needed to use Fake GPS to "fly" to Miami (at least as far as their phone's GPS is concerned), target Megan's demographic (we already know her age and location from her VK page), and start swiping for women. After five to ten other candidates, we come across the one and only Megan Evans. But her first and last name on Tinder differ from her profile page? Fear not, we can recognize her using the photos she uploaded to VK.

To make sure this is "our" Megan and not someone else, we cross-reference the education and hometown data, which is automatically imported from Facebook during account creation. "CTO's wife place of work" complete!

Now we could start investigating Megan's double life. One thing about Tinder is that it automatically populates profiles with employer information from Facebook. So we could go straight to Facebook and see the page for Scamsopositive.

By poking around the likes, we could find Joanne Brandt and complete the last flag—the last name of the only Facebook friend for that account (Rossi).

The remaining tasks were relatively simple. These mini-quests occasionally involved a little knowledge about certain services. For example, finding out the model of the mobile phone used by front end developer Aleksey Naborshikov required knowing about the ability to indicate one's favorite gadgets in 4PDA forum profiles.

To start, we needed to find Aleksey on social networks.

Multiple people with this name turned up on Facebook but only one of them works in IT. The giveaway is the profile photo of the bottom-listed Aleksey, who proclaims his 1337ness for all to see.

"127.0.0.1? Got ya!"

"127.0.0.1? Got ya!"

The unique Facebook address (m0arc0de) gave us a username that our target used on many sites. A search on 4PDA or xda-developers for this name could turn up a certain front end dev from NotSoPositive. His profile information (describing his job and employer) confirmed that this was our mark. Phone model flag—check!

In the task for finding an unknown hacker ("Evil guy's username on Anonymous freelance service"), the participant was expected to know about Yukon, a new anonymous marketplace for various services. By clicking through the listings, you could find a curious post with a direct link to the targeted site. The contact email address for the would-be employer contains the username for Mr. Evil Guy.

"Needed: access to corporate email account"

"Needed: access to corporate email account"

But what about those of us who don't know what Yukon is? Just Google it:

The first result is just what we need. But d34dl0ck is a common handle—there were lots of matching search results. One way was to simply start ruling them out, one by one.

By entering the full email address, we could narrow things down quite a bit.

A message on the linked forum page indicates that Mr. Evil Guy has malware development skills.

What malware did he write? The archive with source code contained an executable. The target framework (.NET 3.5) indicates C# as the likeliest development language. A search for "Hidden Tear" (the code used as the basis for creating the ransomware) also suggests С#.

So what were the code changes he made? Here we can decompile with .NET Reflector. Handling the code very carefully (it is malicious, after all!) we load the executable into the decompiler. The application is beautifully decompiled by .NET Reflector. The functions used on a particular form include GenEthAddress, which may remind you of the question about "Evil guy's wallet number."

Ransomware for sale

Ransomware for sale

A quick look at the decompiled code allowed figuring how the wallet number was assembled from four strings. Four strings of equal length are concatenated into a larger string and then converted into a string array, which is then reversed. The GenEthAddress function is called from messageCreator, which is the function that creates the final wallet number. "0x" is inserted at the start of the array.

A simpler way to figure out the address—if one is willing to deal with the hassle of a virtual machine—is to simply launch the malicious executable. The file encryption message displays the ETH address in question..

There were also several ways to discover the IP address of the notsopositive.online web server, which was hidden behind CloudFlare. Although the organizers had a "planned" pathway for solving each task, participants often found original methods of their own.

At the top of the ICO site was a link to subscribe to NotSoPositive news. One way to learn the real IP address, then, was to send a message from the server to your own email address and look at the headers. (Although that wasn't the only way.)

Go to the form, enter any name, and enter your own email address.

A message arrives with the following headers:

So 178.170.172.110 would win you the flag.

Participant @AlexPavlov60 found another way using Shodan. If a participant already knew the IP address of the FTP server, it was possible to check the entire subnet for other NotSoPositive servers.

The Shodan search query net:178.170.172.0/24 product:"Apache httpd" returns several servers, one of them with a familiar DNS number.

Another search engine, Censys, was suggested by @rdafhaisufyhiwufiwhfiuhsaifhsaif.

The following search: https://censys.io/ipv4?q=80.http.get.title%3ANotSoPositive also returns the real IP address.

Of course, there are ready-made solutions for extracting a CloudFlare-hidden IP address. @Blablablashenka used Hatcloud to find the neighboring address on the subnet, at which point it's just a matter of looking for web servers on it.

Finding the second domain to which this IP address points was rather easy: the PTR entry actually shows all services on which information about an IP can be found, so the task ending up being weighted out of proportion to its actual difficulty. (The answer was scamsopositive.com.)

James Taylor, CEO

Questions in this storyline:

  • CEO's car model
  • Find the CEO's nickname (we know that his friend's name is James Cottone)
  • Let's see how you can use Facebook: find the CEO's son
  • Find out his e-wallet and with whom the son of the CEO is connected

The ICO page mentioned Telegram, but the link did not go anywhere. This was a hint to look for the NOTSOPOSITIVE chat or channel:

There you could also find the account of the CEO, with his avatar and car.

Thanks to Google image search, we could easily identify the car in the photo—a Toyota Land Cruiser.

Then we needed to find out the CEO's nickname, which was not on Telegram. But we did know that one of his friends is James Cottone. One of the intended solutions was to use the Facebook password reset feature, in order to search for the friend's name and any associated accounts:

Many services allow this technique for determining whether a certain email address or phone number is signed up for a service. After entering the friend's name, we were notified that an access code was sent by email:

Facebook asking for a 6-digit security code

Facebook asking for a 6-digit security code

From here, it is easy to guess that his address is taylor@notsopositive.online. Another method used by a participant was anymailfinder.com, which offers email addresses for several of the company's employees:

Knowing the email address, we can attempt a password reset one more time and see his profile picture:

Then we can see his page and nickname:

To find the son, it was necessary to take advantage of that the fact that Facebook makes it possible to see the posts liked by a particular user. Such information is available from this service. James' history of likes leads to the profiles of his wife and son.

The son's page has his Twitch account name (br4yl0r), but the account yielded nothing. Search engines did not turn up anything either. When profile pages have not been indexed, it can be handy to take a look at sites like namechk.com, which show usage of nicknames and domain names across various web services. This pointed us in the direction of the son's Steam account, and from it, his GitHub account (STKLRZSQUAD). Here too you had to know the workings of the service and figure out what Bredly had uploaded on gist. After finding the following bytecode:

0x606060405234801561001057600080fd5b5061013d806100206000396000f300608060405260043610610041576000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff16806338cc48311461009e575b737527f9ac752aaddbb54432d288f9a89191f7954f73ffffffffffffffffffffffffffffffffffffffff166108fc349081150290604051600060405180830381858888f1935050505015801561009b573d6000803e3d6000fd5b50005b3480156100aa57600080fd5b506100b36100f5565b604051808273ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff16815260200191505060405180910390f35b6000737527f9ac752aaddbb54432d288f9a89191f7954f9050905600a165627a7a72305820a369acc2650e24d84edd29c97cee2db1f5caada831581fa2482a002b87404aba0029

and looking at the headers, it became clear that this was the bytecode for a smart contract:

Then we needed a utility (like this one) to convert it into opcode. This code contains a wallet whose address we already know from a previous task:

Could the CEO's son really be behind the attack on his own father's ICO?

Rajesh Bishop, System Administrator

Questions in this storyline:

  • Find out the domain name of the system administrator's personal website
  • What is the sysadmin's personal email address?
  • What is the sysadmin's favorite beer brand?
  • What is the name of the restaurant where the sysadmin recently drank beer?

Plain old gumshoe work here: you needed nmap to find the domain mail.notsopositive.online, with its self-signed certificate that was active for a second domain as well:

By sending an ANY request to the bishopshomepage.win DNS, you could find his email address:

And now for the question about Rajesh's favorite beer. Many beer lovers know about the Untappd social network (you can find it by searching for "beer social network"). As always, using ordinary search engines was a serviceable option:

The rest is easy: find his profile, which has a single photo and hashtag.

But Untappd doesn't have hashtags—which was a hint to start searching on other social networks, such as VK, Facebook, Twitter, and Instagram. On the last of these, we could find the same photo, but with a geotag:

NOTSOPOSITIVE HQ

Finding the headquarters of NotSoPositive again required that participants make the effort to search all sorts of social networks. The answer was on LinkedIn:

NotSoPositive, a financial services company based in Winnipeg, Manitoba

NotSoPositive, a financial services company based in Winnipeg, Manitoba

Mark Fox, CSO

To start the tasks related to the CSO, you again had to use fuzz.txt and discover in the root web directory a file named .DS_Store, which is left by macOS. After decoding it online at https://labs.internetwache.org/ds%5Fstore/ or viewing the binary file, you could find the following strings:

This address indeed led to a person's photo. Here it is useful to know that Facebook used to add the photo ID as the second block of numbers in the file name. This number led us to his Facebook profile:

And the profile had Mark's corporate email address: mmmmmmmmfox@notsopositive.online

Results

Over 500 people took part in the contest this year, of which almost 300 completed at least one flag. The winner was (again) Noyer_1k, whose tribulations were rewarded with an Apple Watch, PHDays invites, and souvenirs. Second place with a Power Bank, PHDays invite, and souvenirs went to Kaimi0. Third place, the book Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information, an invite, and souvenirs were won by empty_jack.

Final results:

| # | Name | Score | | -- | ----------------- | ----- | | 1 | Noyer_1k | 816 | | 2 | Kaimi0 | 816 | | 3 | empty_jack | 816 | | 4 | Antxak | 786 | | 5 | V88005553535 | 661 | | 6 | jerh17 | 611 | | 7 | shsilvs | 556 | | 8 | someotherusername | 526 | | 9 | trace_rt | 491 | | 10 | shadowknight | 481 |

Congratulations to all!

Authors: Yaroslav Babin, Arseny Sinev