PHDays 9 Competitive Intelligence contest: writeup and solutions

7/1/2019

For eight years now, the Competitive Intelligence contest at PHDays has provided participants with the opportunity to test their skill at searching for information while learning new OSINT techniques. This year's tasks centered on a fictional information security company specializing in a particular vulnerability. Participants had to dig up information on people related to this company, but do so without hacking, using only their wits and various online resources.

They had to complete 19 tasks, each worth a certain number of points depending on complexity.

In the text that follows, we will describe how to complete each task.

Company real name — 10

To start with, participants were given a description of the company: nfsg64ttmvrxk4tjor4q. Solving this introductory task required performing a Google search. The results provide information about the company's domain.

The character string looks encoded, and after trying several decoding algorithms (for example, with an online decoder) it becomes clear that it is the Base32 representation of the string "Idorsecurity". This was the answer to the task. (For a flag to be accepted, the solution to a given task had to be put in lowercase and hashed with MD5.) Alternatively, you could try different versions of the company name that were used by affiliated individuals (Facebook or Telegram channel ID).

Donation wallet number — 20

By following the link from Google, you find yourself on the company's WordPress blog.

At first glance, the page looks totally useless. But what if you go into the web archive? The Wayback Machine provides two saved states for the site, and one of them contains the wallet number, which is the flag for this task.

IDOR specialist username — 30

The blog also says that an employee is selling equipment on eBay due to the company going out of business. (Remember this for later.)

Since the blog runs on WordPress, it is prudent to determine standard entry points for it. One is /wp-json/wp/v2/users/, which gives a list of users that have ever posted anything on the blog. You can find it if you scan the site, for example, with WPScan.

Incidentally, HackerOne, which searches for vulnerabilities in various companies' infrastructures, has a report analyzing this leak.

So you end up with a link (http://nfsg64ttmvrxk4tjor4q.club/wp-json/wp/v2/users/) to the list of users and their description. They correspond to the sequence of tasks for getting information on a specific person. Here the participants found another flag: the IDOR specialist's username.
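To check whether your own WordPress blog discloses accounts through this route, you can classify the response it returns. This is an added example, not part of the original writeup; the sample body is constructed and `audit_users_endpoint` is a hypothetical helper name.

```python
import json

# Constructed sample of what an unauthenticated GET to /wp-json/wp/v2/users/
# can return when the route is open (all values are made up).
SAMPLE_BODY = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "description": "",
     "link": "https://blog.example/author/admin/"},
    {"id": 2, "name": "Jane Doe", "slug": "jdoe",
     "description": "Night-shift developer, see my code on GitHub",
     "link": "https://blog.example/author/jdoe/"},
])

# Fields that identify a person or an account to anyone who reads the list.
IDENTIFYING_FIELDS = ("slug", "name", "description")


def audit_users_endpoint(status, body):
    """Classify one response from the users route and list what it discloses."""
    closed = {"exposed": False, "accounts": []}
    if status != 200:
        return closed  # 401/403/404: the route is restricted or removed
    try:
        data = json.loads(body)
    except ValueError:
        return closed  # not JSON, e.g. a WAF block page
    if not isinstance(data, list):
        return closed
    accounts = []
    for user in data:
        if not isinstance(user, dict):
            continue
        # Keep only non-empty identifying fields for the report.
        leaked = {f: user[f] for f in IDENTIFYING_FIELDS if user.get(f)}
        if leaked:
            accounts.append(leaked)
    return {"exposed": bool(accounts), "accounts": accounts}


if __name__ == "__main__":
    print(audit_users_endpoint(200, SAMPLE_BODY))
```

If the result is `exposed`, the login slugs and any free-text descriptions are readable by anyone, which is exactly what linked the contest's tasks together.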

IDOR specialist location — 25

This is where we can make use of the fact that the company is selling its equipment on eBay. The next step is searching by username (taken from the wp-json account) for the company or one of its employees. There were two ways to do that. Either search for eBay users (however, this requires switching on mixed content in your browser, because the site used HTTPS while the CAPTCHA shown by the page script used HTTP) or go to namechk.com (which displays a list of social networks where a particular username has been registered).

A successful search takes you to the employee's eBay page and the flag for the task.

IDOR specialist work e-mail — 30

If you follow the link in the account description, you see the auction lot. From the looks of it, it's the one mentioned on the company blog.

Here you need to look carefully at the pictures. One of them contained an important detail.

In the photo, you can see that the employee selling Idorsecurity equipment is somehow related to another company named Self-XSS Security. A search for that company on LinkedIn yields a link to the profile of one of the employees (the IDOR specialist) and his corporate email address.

Participants who made it this far noticed that getting a detailed view of the user page for Abdul Bassur was not possible from a newly created account. There are several ways to work around that. For instance, you could fill in all required fields in the new profile you created. One participant suggested registering an account with workplace indicated as "Self-XSS Security." In this case, the LinkedIn algorithms recognized the new account and the user page from the previous picture as belonging to the same contact network, and granted access to detailed data on Abdul Bassur. The detailed information contained the IDOR specialist's work email address, which was the task flag.

IDOR specialist personal e-mail — 70

This task, instead of involving blog entries, required checking domain DNS records. One way to do so is by using the dig utility.

Then you find that the corporate mail system runs on mail.yandex.ru. Also you can find some IP addresses, both IPv4 and IPv6. Scanning TCP and UDP for some of them with Nmap provided curious results.

Alas, SNMP connections on IPv4 did not result in anything that would be a flag or could be used later.

Some participants had trouble establishing an SNMP connection on IPv6, because they did not expect this type of connection to require a dedicated IPv6 address. The way to get such an address was to rent a server with such functionality and use it as a VPN. Two such providers include DigitalOcean and Vultr.

IPv6 gives you more information than IPv4. For instance, one of the OIDs (1.3.6.1.2.1.1.4.0, also called sysContact) contains information, most often an email address, for contacting the server owner. The personal email address used there is the flag for this task.

This completes the task arc related to the IDOR specialist.

Secret employee mobile phone — 20

Second employee IM username — 25

For tasks related to the secret employee, you had several ways to get the first flag. Method #1: If you completed all previous tasks, you had work and personal email addresses for one of the Idorsecurity employees. Also you would know that their corporate email is hosted on mail.yandex.ru.

So you could go to Yandex and try recovering access to p@nfsg64ttmvrxk4tjor4q.club. You do not know the password, but you know the security question (private email address) because you found the answer with the help of the SNMP connection.

Now you have access to Yandex.Connect. It functions as an internal address book for the company, with a list of employees, departments they work in, and contact information. Just what you need! So you could get two flags at once: the employee's cell phone number and another username.

Method #2: You could get the secret employee's phone number by searching various social networks and chat platforms for company accounts. For example, in Telegram if you search for nfsg64ttmvrxk4tjor4q, you get this:

This is the company channel, and its description contains an account name and phone number of the company owner. This information is the solution regarding the secret employee's mobile phone number.

Secret employee username — 40

As you had only the secret employee's phone number, it was a good idea to squeeze as much as possible from this tidbit. The next step was to add this number to the contact list on your phone and search for contacts on various social networks.

The correct one to search was Twitter. That gave you the Idorsecurity employee's account and name, completing the task.

Secret employee birthday — 40

Studying the account closely, you can see the employee's response to a tweet about hiring a programmer. In his response, the Idorsecurity guy posted a link to his resume that had been shortened with GG.GG.

Following the link did not turn up anything of interest, but if you noticed the misspelling in the target URL, you could see Error 403 and a non-standard filename.

Based on the information you already had on the secret employee (name and company), you could start searching social networks for him. This leads you to an account on vk.com where you can find the secret employee's date of birth, which is the answer to the task.

Secret employee university — 50

For this task, you had to ask yourself which information you had not used yet. There's the fact that he has an account on vk.com, the non-standard name for his resume file, and the name of the task ("Secret employee university").

For starters, you could do a Documents search on vk.com to find his resume by entering the file name. Experience shows this is a neat trick to find private data. (You can even find people's passport information this way!) This move gave you the guy's resume, which contained the task flag.

And now you have completed the tasks related to the secret employee.

Nightly programmer private username — 30

To find information on the nightly programmer you had to go back to wp-json.

The employee's description hinted where you could look for him, such as github.com. A search for Matumbo Harris there yielded a link to a repository, as well as points for the task flag.

What the flag? — 60

The repository contained code for some bot. Looking at the code closely, you could notice a hardcoded token. The line after it, or just a simple Google search, would point in the direction of the Slack API.

You could tinker with the Slack API, check token validity, and try a few tricks. For example, you could get a list of files exchanged via Slack (presumably from Idorsecurity corporate chat).

Studying the Slack API a bit more, you could get links to accessible files.

Examine the linked document to get what you need for the "What the flag?" task.

Also, the Slack API enabled you to get a list of chat users the token was attached to. This was the key to the "Second employee IM username" task. The first name and last name will get you the username you need.
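The hardcoded token in the bot repository is the kind of leak a secret scan run before every push is meant to catch. The sketch below is an added example, not code from the contest repository: the file contents and token are constructed, and the tail of the regular expression is a loose assumption rather than Slack's specification.

```python
import re

# Slack tokens start with "xox" plus a type letter (b = bot, p = user, ...).
# The tail pattern is an assumption, chosen to over-match rather than miss.
SLACK_TOKEN = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")

# Constructed stand-in for a bot repository; the token is fake.
SAMPLE_FILES = {
    "bot.py": (
        "import os\n"
        "TOKEN = 'xoxb-000000000000-CONSTRUCTEDNOTREAL'\n"
        "client = make_client(TOKEN)\n"
    ),
    "config.py": "TOKEN = os.environ['SLACK_TOKEN']\n",
    "README.md": "Set xoxb-<your-token> in the environment.\n",
}


def redact(token):
    """Keep the type prefix and last 4 characters so reports hold no secret."""
    return token[:5] + "*" * (len(token) - 9) + token[-4:]


def scan(files):
    """Return (path, line number, redacted token) for every hardcoded token."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in SLACK_TOKEN.finditer(line):
                findings.append((path, lineno, redact(match.group())))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print("%s:%d hardcoded Slack token %s" % finding)
```

A hit means the token must be revoked, not just deleted from the file, because it stays readable in the repository history.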

Nightly programmer tasks complete!

IP used in PoC — 40

Here you had to go back again to the start (the company blog) and see what information was still unused. There was a link to Amazon S3 and the task "IP used in PoC," the flag for which was on S3.

Simply clicking the link did not turn up anything interesting. But combining all the available data might have inspired a close reading of the documentation for Amazon S3.

The methods for connecting to an S3 bucket include Amazon's own set of command-line programs, called AWS CLI. Connecting in this manner would get you access to the file and the flag for this task.

This discrepancy in access methods is due to ACL settings for this bucket. It has an "authenticated-read" canned ACL, which provides full rights to the owner and read-only rights to the AuthenticatedUsers group including all users with an AWS account. (This is why connecting via AWS CLI works, since using AWS CLI requires an account.) You can read more on docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html.
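A bucket owner can spot this configuration by inspecting the ACL grants directly. The check below is an added example, not part of the original writeup: the ACL document is constructed in the shape `aws s3api get-bucket-acl` prints, the IDs are placeholders, and the function names are hypothetical.

```python
import json

GROUPS = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 groups that reach beyond the bucket owner's own account.
BROAD_GROUPS = {
    GROUPS + "AllUsers": "anyone, no credentials needed",
    GROUPS + "AuthenticatedUsers": "any AWS account holder, not just yours",
}

# Constructed ACL for a bucket carrying the authenticated-read canned ACL.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": GROUPS + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
})


def broad_grants(acl_json):
    """Return (group, permission, who) for grants to the predefined groups."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in BROAD_GROUPS:
            findings.append((uri.rsplit("/", 1)[1], grant.get("Permission"),
                             BROAD_GROUPS[uri]))
    return findings


def explains_cli_only_access(acl_json):
    """True for the case described above: an anonymous (browser) request is
    refused, while a request signed by any AWS account may read."""
    groups = {g for g, perm, _ in broad_grants(acl_json)
              if perm in ("READ", "FULL_CONTROL")}
    return "AuthenticatedUsers" in groups and "AllUsers" not in groups


if __name__ == "__main__":
    print(broad_grants(SAMPLE_ACL), explains_cli_only_access(SAMPLE_ACL))
```

Any finding here means the data is effectively public; S3 Block Public Access treats grants to either group as public and overrides them when enabled.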

Alexander's real lastname — 25

To complete this task, you had to go back to one of the previous stages, where you searched for company accounts on social networks. This brings us to Idorsecurity's Facebook footprint.

The page includes a phone number.

A search for the phone number came back empty. But persistent participants remembered about GetContact, an app that shows full information for a given phone number. If a person running this app has added a number to a contact list and allowed the app to have access to contacts, full contact information is open to the public. Running the company phone number through the app delivered the last name of the phone owner, which was the task flag.

Peter's primary e-mail (We know he's looking for a job) — 40

For this task you had to once again call upon Google for all available data on the company. The first result in the search for Idorsecurity was a link to another employee's page on moikrug.ru. If you go to moikrug.ru and sign in, you can get the Idorsecurity employee's email address.

Peter's secondary e-mail — 20

The email address is on Mail.ru, and you could try resetting its password.

Quite predictably, the two asterisks stand for "in". This guess got you the correct solution.

Peter's password — 60

The last task in the Peter task arc. We know his two email addresses, full name, age, and job title. Social network searches came back empty, so the best way to get Peter's password was searching for him among leaked accounts. One quite useful site was haveibeenpwned.com, which brought some interesting data on one of the addresses.

Searching a site with leaked credentials (Weleakinfo or LeakedSource) or downloading them wholesale for free from Databases.today (after determining the database you need on Weleakinfo) brought participants what they needed.

Software which was downloaded from IP 77.71.34.171 — 30

The final task. Here the participants had to find the name of a torrent file sharing the same name as software downloaded from the indicated IP address. This is where iknowwhatyoudownload.com comes in handy: it provides this data because its search algorithms imitate real members of the DHT network which file downloaders use to find each other.

The site will show two options. Try them both for an easy 30 points.

Results

By the end of the contest, 227 out of 599 participants completed at least one task.

Top 10:

  1. 550 Noyer_1k – 16 completed tasks!
  2. 480 Mr3Jane – 15 completed tasks!
  3. 480 kaimi_ru – 15 completed tasks!
  4. 480 Lendgale
  5. 480 V88005553535
  6. 425 cyberopus
  7. 420 nitroteamkz
  8. 420 joe1black
  9. 355 breaking_mash
  10. 355 U-45990145

The top three participants got prizes:
First place: a pair of Apple AirPods, invite to PHDays, and a special prize: a year's subscription to Hacker magazine, the contest sponsor.
Second place: ALFA Network AWUS036NH Wi-Fi adapter, a six-month subscription to Hacker, and invite to PHDays.
Third place: a Xiaomi ZMI QB810 power bank, a three-month subscription to Hacker, and invite to PHDays.

The tasks remained available for three weeks after the contest ended. Two participants, V88005553535 and romask, completed them all and got the maximum possible score of 665 points.

Thank you all for taking part, and see you again next year! Writeups from previous years: 2012, 2013, 2014, 2015, 2017, 2018.