HackIM 2018 Walkthrough OSINT 1 to 4

OSINT 1

The challenge was pretty clear.

One of our systems has been infected by a ransomware. The message says "My username is your password. Wait for further instructions."

We have been able to identify the JS file used to download the ransomware.

Here is the MD5: '151af957b92d1a210537be7b1061dca6'.
Can you help us to unlock the machine?

A quick search on VirusTotal revealed that the MD5 belongs to a malicious JS file called DSAdaDSDA.js:




Also, the challenge says "My username is your password".

After learning more about DSAdaDSDA.js I came across this link:

https://www.hybrid-analysis.com/sample/611f55dc3d7b88d8000aa54bb571752f9b14889d913805ae5824187c1cc73371?environmentId=100

There I found the username, in the analysis of this JS file.



The flag was: hackim18{'n923wUc'}


OSINT 2

The challenge said:

Annual audits have flagged an employee who is sharing data outside the company in some secret manner. A quick OSINT revealed his personal email id, i.e. zakripper@mail.com.

Can you find the secret?

Googling zakripper@mail.com didn't fetch many relevant results. Then one of the hints released was to look for the public profile of zakripper@mail.com.

I quickly started looking for public profiles of zakripper@mail.com. I came across this link that makes it easy:

http://lullar-com-3.appspot.com/en

I landed up here: https://www.flickr.com/photos/162289309@N03/28359721879/in/dateposted/

This profile seemed to have been created recently and the pic was uploaded on 7th Feb 2018. This led me to the conclusion that this could be the right profile.



I downloaded the pic and opened it with a text editor and the flag was sitting right there in the corner.
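Opening the picture in a text editor is the quick way to spot text hidden in an image; the script below is an added example, not part of the original write-up, that does the same check systematically and a bit more generally: it walks the JPEG header segments, pulls out any COM (comment) segments, and reports printable strings appended after the end-of-image marker, which is where the bytes land when text is simply concatenated onto a file. It assumes the photo was a JPEG, which the write-up does not state, and runs on a constructed sample image rather than the Flickr photo.

```python
import re

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment before SOS; the
    entropy-coded scan data after SOS has no length field, so stop there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (SOS, EOI):
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_hidden_text(data: bytes, min_len: int = 6) -> dict:
    """Collect COM-segment text plus printable strings appended after the last
    EOI (the last FFD9, so an EXIF thumbnail's own EOI is not mistaken for it;
    a whole second JPEG appended after the first would still need a full parse)."""
    comments = [p.decode("latin-1") for m, p in jpeg_segments(data) if m == COM]
    end = data.rfind(b"\xff\xd9")
    trailing = data[end + 2:] if end != -1 else b""
    strings = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, trailing)
    return {"comments": comments, "trailing_bytes": len(trailing),
            "trailing_strings": [s.decode("ascii") for s in strings]}

def _seg(marker: int, payload: bytes) -> bytes:
    return marker.to_bytes(2, "big") + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a minimal JPEG skeleton with a comment and text pasted after EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(COM, b"constructed comment segment")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")  # SOS header only, no real scan data
    + b"\x12\x34\x56"                           # stand-in for entropy-coded bytes
    + b"\xff\xd9"
    + b"\nflag{constructed_sample_flag}\n"
)

if __name__ == "__main__":
    print(find_hidden_text(SAMPLE_JPEG))
```

To run it on a real file, read the bytes with open(path, "rb").read() and pass them to find_hidden_text; an empty result means the text is elsewhere (EXIF/APP1 fields or inside the pixel data) and a metadata tool or steganography check is the next step.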


The flag was: hackim18{'7h1515453cr3tm35543'}

OSINT 3

The challenge said:

Person is running a social engineering campaign. After initial inspection, his/her username was identified by our investigators. It was also found that this guy was signed up on Snapchat and Instachatbook around April 2017. However we cannot get hold of his phone number. 

Username identified was 'example1234'
Please help our investigators find his number.

So I started searching about the 2017 Instachatbook hack and the Snapchat leak of users' phone numbers and usernames.

It was clear from the challenge that the username was "example1234".
To confirm, I went to https://haveibeenpwned.com/, which confirmed that this username could be found in the Snapchat dump.



The next step was to find the Snapchat dump. I came across this reddit link:

https://www.reddit.com/r/netsec/comments/1u4xss/snapchat_phone_number_database_leaked_46_million/

and from there I was able to download the SQL file which had the leaked data of the Snapchat users.




The downloaded SQL dump gave me 8 digits of the phone number:





The other 2 digits of the phone number were found in the Instachat dump on pastebin, at the link I found while googling:

https://hacked-emails.com/leak/784e6cf3120e0057b731/instachatbook-hacked-april-2017
https://pastebin.com/vA3BfJER




The flag was: hackim18{'8157935355'}


OSINT 4

This was my favourite challenge. The challenge said:

This server is a staging/UAT box but the developer has got a public IP on the same. Someone exploited the misconfiguration and got hold of the box.

Can you re-hack the server and get hold of the attacker's secret flag?

Target: 54.85.105.103

After learning about the server I found that a .git folder was available:



So I quickly learnt how to use GitTools to extract the information:
https://github.com/internetwache/GitTools

The extractor script in GitTools tries to recover incomplete git repositories:



The output of the extractor led me to one of the directories, which had the Slack token. This was a clear hint that I was going in the right direction.

The next step was to learn about the Slack APIs and try to use this token to fetch more info.
I went through:

https://api.slack.com/web

I found the Slack token to be quite powerful. I came across the method files.list, which can list the files shared in the Slack channel. This was a good breakthrough, as I learnt that id_rsa.pub and id_rsa were being shared.



Learning further about the Slack APIs, I understood that these shared files can be downloaded. And yes, I used Burp to access the id_rsa file, which gave anyone holding it the potential to SSH to the server.


I tried logging in as root but I failed! This was another twist.
Then, when I closely observed the Slack API output in the browser, there was a mention of mikeatcorp@mail.com.

I used mikeatcorp as the user and W00T!! I was logged in. At this point I was sure I was very near to the flag. A quick locate search hinted at a hidden secret directory, and the flag was sitting right there in flag.txt.



I could solve all the OSINT challenges. Persistence and patience really helped!!
