AUCTF 2020 - [OSINT] Oxyr (1000pts)
Written by Maltemo, member of team SinHack.
Statement of the challenge
Description
One of the developers of devs-r-us.xyz has been a little sketchy lately. We have received reports that they may be selling data to competitors. We just haven’t found out how!
Author: c
Analyze
Let’s start by scouting the website given in the description:
https://devs-r-us.xyz/
This website doesn’t contain much information:
- Three pictures
- Two little paragraphs about developers
- A contact button
The rest is “Lorem ipsum” (placeholder).
Let’s start with the images. We have two PNG files that show the exact same photo of a boat on the sea.
Their names are mcafee.png and mcofee.png.
These names can be taken as a hint, because McAfee (the owner of the McAfee Antivirus Software) is known for hiding and sending photos while pretending to be on the other side of the globe. But metadata betrayed him many times!

Let’s check the metadata of the pictures with exiftool:
$ exiftool mcafee.png
ExifTool Version Number : 11.16
File Name : mcafee.png
Directory : .
File Size : 2.5 MB
File Modification Date/Time : 2020:03:14 23:13:07+01:00
File Access Date/Time : 2020:04:04 14:33:10+02:00
File Inode Change Date/Time : 2020:04:04 14:32:52+02:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1920
Image Height : 1080
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
XMP Toolkit : Image::ExifTool 11.91
Description : https://discord.gg/pMzcE45 DM me if you want more info
Image Size : 1920x1080
Megapixels : 2.1
Our first hint was in the description of the photo. The Discord link was a simple invitation to the official AUCTF Discord.
We have to find which user we need to contact. Let’s continue our research.
After reading the source code of the page, I noticed that the contact button was redirecting to a new page, 1ndex.html.
Yes, you read that right: 1ndex.html, not index.html.
<div class="py-4">
<h1 class="h3">Devs-R-Us</h1>
<p>Copyright © 2020</p>
<button class="btn btn-primary" data-toggle="modal"
onclick="location.href='1ndex.html#share-section'">Contact Us</button>
</div>
This is kind of suspicious. Why would someone want to create a page quite similar to the first one in both name and content?
Maybe to hide some information.
After searching this new page https://devs-r-us.xyz/1ndex.html, I found an HTML comment just under the contact button:
<div class="py-4">
<h1 class="h3">Devs-R-Us</h1>
<p>Copyright © 2020</p>
<button class="btn btn-primary" data-toggle="modal" data-target="#contactModal">Contact Us</button>
<!-- 'Who is MaddAddam?' -->
</div>
’Who is MaddAddam?’ I thought this question needed to be answered to find who we needed to contact on the Discord, but it was a rabbit hole. You can skip the next part, which is the research I did about MaddAddam.
The leader of the rebel group God’s Gardeners in the book Oryx and Crake written by Margaret Atwood.
Trilogy of books by Margaret Atwood :
- Oryx and Crake (2003)
- The Year of the Flood (2009)
- MaddAddam (2013)
Characters :
Ren and Toby (The Year) - Amanda Payne
Jimmy (Oryx)
Zeb, Adam One
When I finally understood that this was a dead end, I started to search with the previous information we got from the first page:
Jorge Greenwood
Web Developer extraordinaire. Jorge Greenwood has worked on the Internet’s most impressive websites. From Myworld.com to Facepalm.org. He has done it ALL! you can find EVEN MORE information about Jorge on his twitter account @JorgeGreenwoodCodes
Loretta Mcintosh
Backend Bada**. Loretta Mcintosh backs up all of her claims to success with excellent work ethic and even better portfolio. Loretta is some kind of genius. You can find out some of her successes on her twitter account @BackUpOrMcintoshYouOut
I searched for a Jorge or a Loretta, and look what I found:

So I started a conversation with Jorge G, not being sure whether he was a member of another team trying to get more information or not.

He sent me an invitation to a new discord and there was one image of a QRcode.

The message was a link to a new website containing the flag :
https://devs-r-us.xyz/ahsdbwgjkhb23tsdonoqw1892345bnew/flag.txt
auctf{3X1F_D4TA_SH0UlD_B3_sTr1pp3d_2b23sadf}
TL;DR
Two pieces of information were hidden in the website:
- An invitation to the Discord of AUCTF, in the metadata of a photo.
- An HTML comment in a hidden page.
The last part of the challenge consisted of contacting the right person on the Discord and decoding a QR code.
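The second leak, a leftover HTML comment on a page reachable only through an inline onclick handler, can be caught before publishing. As an added example (not part of the original write-up), this sketch audits a set of pages for comments and for local link targets outside the intended public list; the two inputs are the snippets quoted above, and the names `audit` and `intended` are hypothetical.

```python
import re
from html.parser import HTMLParser

# Matches location.href='target' inside inline event handlers such as onclick.
NAV_JS = re.compile(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]")

class LeakAudit(HTMLParser):
    """Collect HTML comments and every local page a document points to."""
    def __init__(self):
        super().__init__()
        self.comments, self.targets = [], set()

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in ("href", "src"):
                found = [value]
            elif name.startswith("on"):          # onclick, onload, ...
                found = NAV_JS.findall(value)
            else:
                continue
            # Keep local targets only and drop the #fragment part.
            self.targets.update(f.split("#")[0] for f in found if "://" not in f)

def audit(pages, intended):
    """pages: {filename: html}; intended: filenames meant to be public."""
    findings = []
    for name, html in sorted(pages.items()):
        parser = LeakAudit()
        parser.feed(html)
        parser.close()
        findings += [(name, "comment", c) for c in parser.comments]
        findings += [(name, "unlisted-target", t)
                     for t in sorted(parser.targets) if t and t not in intended]
    return findings

# Inputs: the two snippets quoted in this write-up.
PAGES = {
    "index.html": """<button class="btn btn-primary" data-toggle="modal"
        onclick="location.href='1ndex.html#share-section'">Contact Us</button>""",
    "1ndex.html": """<button class="btn btn-primary" data-toggle="modal"
        data-target="#contactModal">Contact Us</button>
        <!-- 'Who is MaddAddam?' -->""",
}

if __name__ == "__main__":
    for finding in audit(PAGES, intended={"index.html"}):
        print(finding)
```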
Flag
The flag is auctf{3X1F_D4TA_SH0UlD_B3_sTr1pp3d_2b23sadf}

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.