AUCTF 2020 - [OSINT] OSINT You All Other The Place (1000pts)

Written by Maltemo, member of team SinHack.

Statement of the challenge

Description

This company is super cool! You should see who made it.

http://devs-r-us.xyz

author c

Analyze

We want to learn who created the website. We will start with the whois command, which might give us the email address of the person who registered the domain.

whois searches for an object in a RFC 3912 database. (man whois)

WHOIS is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. (RFC 3912)

whois devs-r-us.xyz

Domain Name: DEVS-R-US.XYZ
Registry Domain ID: D178588099-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2020-03-12T23:19:23.0Z
Creation Date: 2020-03-12T23:19:18.0Z
Registry Expiry Date: 2021-03-12T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant State/Province: PA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-04-04T13:54:04.0Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

>>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit https://www.centralnic.com/support/rdap <<<

The Whois and RDAP services are provided by CentralNic, and contain information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com)

Access to the Whois and RDAP services is rate limited. For more information, visit https://registrar-console.centralnic.com/pub/whois_guidance.

From this output we learn two important things:

After trying to call the WHOIS server URL, I went to the Namecheap website to find out whether this service was available at another link.

It was, at this address:

https://www.namecheap.com/domains/whois/result?domain=devs-r-us.xyz

Admin Email: admin@devs-r-us.com
Registrant Email: shannonengrid@gmail.com
Registrant Phone: +1.3343844504

Perfect, we just found the email address of Shannon Engrid, the administrator of the website.
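As an added example (not the write-up's own code), here is a minimal RFC 3912 client in Python that parses a registry reply like the one above, picks out the "Registrar WHOIS Server" referral and queries that server in turn. The sample reply is constructed from the fields shown above, and the registry server name whois.nic.xyz used as a default is an assumption.

```python
import re
import socket

# Constructed sample: a subset of the registry reply quoted above.
SAMPLE_REGISTRY_REPLY = """\
Domain Name: DEVS-R-US.XYZ
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Registrant Organization:
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of WHOIS database: 2020-04-04T13:54:04.0Z <<<
"""

# "Key: value" records; keys may contain spaces and '/' (State/Province).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_whois(text):
    """Map each field name to its values; repeated keys become lists."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or line.startswith("%"):
            continue  # banners and comments are not records
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip empty values such as "Registrant Organization:"
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def referral_server(fields):
    """Registrar WHOIS server the registry points to, or None if absent."""
    values = fields.get("Registrar WHOIS Server")
    return values[0].lower() if values else None

def whois_query(server, query, timeout=10):
    """One RFC 3912 exchange: connect to TCP/43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        raw = sock.makefile("rb").read()  # the server closes after the reply
    return raw.decode("utf-8", errors="replace")

def whois_with_referral(domain, registry_server="whois.nic.xyz"):
    """Query the registry (server name assumed), then the registrar it names."""
    registry = parse_whois(whois_query(registry_server, domain))
    server = referral_server(registry)
    registrar = parse_whois(whois_query(server, domain)) if server else {}
    return registry, registrar
```

The registrar's port-43 answer is parsed with the same function, so the contact fields the registry withholds land in the second dictionary when the registrar publishes them.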

From an email address, I could have used a lot of different tools, like Sherlock or sn0int, but I decided to start with a basic DuckDuckGo query for shannonengrid.

The first link returned was this LinkedIn profile, with an obviously funny description:

For the next step you had to be logged in to LinkedIn to get Shannon's contact details:

We found her Twitter account: SFelinefriend
Let’s continue the investigation :male-detective:

Her Twitter account was quickly found at this link: https://twitter.com/SFelinefriend

From the description we got her Instagram account:

Check out my instagram! https://www.instagram.com/s.e.grid/

But the second tweet caught my attention because it contained a base64-encoded message.

I decoded it (the -n option stops echo from appending a \n after the base64 string, which could corrupt the decoded message):

echo -n "aHR0cHM6Ly9iaXQubHkvMlRLT001cw"|base64 -d
https://bit.ly/2TKOM5s
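The same decoding in Python, as an added example rather than the write-up's command, showing why the trailing newline and the missing "=" padding both matter: a strict decoder rejects the string exactly as it appears in the tweet, while the lenient one strips whitespace and restores the padding before decoding.

```python
import base64
import binascii

# The string from the tweet, as quoted above (30 chars, not a multiple of 4).
TWEET_B64 = "aHR0cHM6Ly9iaXQubHkvMlRLT001cw"

def decode_strict(s):
    """Strict decoding: a non-alphabet byte (e.g. a trailing newline) or
    missing '=' padding is rejected; returns None on failure."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def decode_lenient(s):
    """Drop whitespace, restore the '=' padding, then decode strictly."""
    cleaned = "".join(s.split())  # removes the \n a plain `echo` would add
    if len(cleaned) % 4 == 1:
        raise ValueError("length %d cannot be base64" % len(cleaned))
    padded = cleaned + "=" * (-len(cleaned) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-8")
```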

The link redirected me to a YouTube video AAAAANNND I GOT RICK ROLLED :rolling_on_the_floor_laughing:

Okay, enough fun, let's move on to the Instagram account now.

This Instagram account had the same profile photo as the creator of this challenge on the Discord, so I deduced that we might be close to the end of the challenge.

The account had a single post at this link

The image contained the flag hidden in the lorem ipsum text.

After asking the creator for the right format of the flag, I got this:

auctf{7sbhww4yt0g0ONf1nd1nGth3fl4G}

TL;DR

We had to identify the owner of the website. We started with a whois lookup on the domain. After getting this person's email address, we found her Twitter and Instagram accounts.

Flag

The flag is {auctf{7sbhww4yt0g0ONf1nd1nGth3fl4G}}


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.