HackIM 2018 Walkthrough OSINT 1 to 4
OSINT 1
The challenge was pretty clear.
One of our systems has been infected by a ransomware.The message says My username is your password. Wait for further instructions.
We have been able to identify the JS file used to download the ransomware.
Here is the MD5: '151af957b92d1a210537be7b1061dca6'.
Can you help us to unlock the machine?
A quick search in virus total revealed that the md5 belongs to a malicious js file called as DSAdaDSDA.js:
Also the challenge says "My username is your password"
After learning more about DSAdaDSDA.js I came across this link:
https://www.hybrid-analysis.com/sample/611f55dc3d7b88d8000aa54bb571752f9b14889d913805ae5824187c1cc73371?environmentId=100
And found the username there in the analysis of this js.
The challenge was pretty clear.
One of our systems has been infected by a ransomware.The message says My username is your password. Wait for further instructions.
We have been able to identify the JS file used to download the ransomware.
Here is the MD5: '151af957b92d1a210537be7b1061dca6'.
Can you help us to unlock the machine?
A quick search in virus total revealed that the md5 belongs to a malicious js file called as DSAdaDSDA.js:
Also the challenge says "My username is your password"
After learning more about DSAdaDSDA.js I came across this link:
https://www.hybrid-analysis.com/sample/611f55dc3d7b88d8000aa54bb571752f9b14889d913805ae5824187c1cc73371?environmentId=100
And found the username there in the analysis of this js.
The flag was : hackim18{'n923wUc'}
OSINT 2
The challenge said :
Annual audits have flagged an employee who is sharing data outside the company in some secret manner. A quick OSINT revealed his personal email id, i.e. zakripper@mail.com.
Can you find the secret?
Googling on zakripper@mail.com didn't fetch much relevant results. Then one of the hint released was look for public profile of zakripper@mail.com.
I quickly started looking for public profiles of zakripper@mail.com. I came across this link to do it easily:
http://lullar-com-3.appspot.com/en
I landed up here in : https://www.flickr.com/photos/162289309@N03/28359721879/in/dateposted/
This profile seemed to be formed recently and the pic was uploaded on 7th Feb 2018. This lead me to the conclusion that this could be the right profile.
I downloaded the pic and opened it with a text editor and the flag was sitting right there in the corner.
The Flag was hackim18{'7h1515453cr3tm35543'}
OSINT 3
The challenge said:
Person is running a social engineering campaign. After initial inspection, his/her username was identified by our investigators. It was also found that this guy was signed up on Snapchat and Instachatbook around April 2017. However we cannot get hold of his phone number.
Username identified was 'example1234'
Please help our investigators find his number.
So I started searching about the 2017 instachatbook hack and snapchat issue of leakage of user's phone numbers and usernames.
It was clear from the challenge that the username was "example1234"
To confirm I went to https://haveibeenpwned.com/ which confirmed that this username could be found in snapchat dump.
Next step was to find the snapchat dump, I came across this reddit link:
https://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phone_number_database_leaked_46_million/
and from there I was able to download the sql file which had the leaked data of the snapchat users.
The dowloaded sql dump gave me the 8 digits of the phone number:
The other 2 digits of the phone number was found in the instachat dump in pastebin of the link I found while googling:
https://hacked-emails.com/leak/784e6cf3120e0057b731/instachatbook-hacked-april-2017
https://pastebin.com/vA3BfJER
The flag was : hackim18{'8157935355'}
OSINT 4
This was my favourite challenge. The challenge said:
This server is an staging/uat box but the developer has got a public IP on the same. Someone exploited the misconfiguration and got hold of the box.
Can you re-hack the server and get hold of attacker's secret flag.
Target: 54.85.105.103
After learning about server I found a .git folder is available :
So I quickly learnt about how to use GitTools and extract the information.
https://github.com/internetwache/GitTools
The extractor script of this tries to recover incomplete git repositories:
I output of the extractor lead me to one of directories which had the Slack Token. Now this was clear hint that I was going in the right direction.
The next step was to learn about Slack APIs and try to use this token and fetch more info.
I went through :
https://api.slack.com/web
I found the slack token found is quite powerful. I came across method file.list which can list files shared in the slack channel. This was good breakthrough as I learnt that id_rsa.pub and id_rsa were being shared.
Further learning about Slack APIs I understood that these shared files can be downloaded. And yes I used burp to access the id_rsa file. Which had the potential for anyone to ssh to the server.
I tried loggin in as root but I failed ! These was another twist.
Then when I closely observed the slack api output in the browser there was a mention of mikeatcorp@mail.com
I user mikeatcorp as user and W00T !! I was logged in. At this point I was sure I was very near to the flag. A quick locate search hinted about a hidden secret directory and flag was sitting right there in the flag.txt
I could solve all the OSINT challenges. Persistence and patience really helped !!
Comments
Post a Comment