x-masCTF 2019 - [OSINT] Dox the grinch (250 points)

Written by Maltemo, member of SinHack team.


Statement of the challenge

Description

I found this guy who says that he hates Christmas! Unbelievable. Can you find out more info about him?

Flag format is
X-MAS{name_surname_city_favouriteColor_bloodType_height}
For example,
X-MAS{george_lucas_newyork_blue_A+_184}

URL: https://notabug.io/t/whatever/comments/44530e6b7740f22940db9c176b621900d0bce697/i-hate-xmas
Authors: Milkdrop, PinkPie1189

Notabug.io account

The first step of the challenge was to open that post and look into the notabug.io account behind it.

On this account, the grinch had posted several comments and two posts.

I'll sum up which ones were important:

news.ycombinator.com account

In this post, we learn that the grinch has a Hacker News account.

I found it with this useful OSINT tool: https://namechk.com/.

It was not necessary to use this tool in this challenge, though.

Here is the URL of his account: https://news.ycombinator.com/user?id=Domay1986

Hello, my name is Eugene and I am interested in finances. I strongly believe that christmas is a scam.

They closed my twitter account! See interesting posts I reply to on notabug.io: https://notabug.io/user/uIUP3NZDQVnKkISlVdjM0cSOwt_5EKu1g3CzQGmtTSc.VlYirh-sCV0rZ_6px0em8HWyeKZN8TMnTtY2l0YtoTA

Business Inquiries:

domay1986 (at) hotmail.com
domay1968@hotmail.com

From this account, we get his first name: Eugene.
We also learn that his Twitter account was closed. I tried to get more information about it through the Wayback Machine, but it was a dead end.

Facebook.com account

In a comment that Domay1986 posted on notabug, we learn that he also uses a Facebook account from time to time:

A simple search for domay1986 didn't work.
Eugene domay1986 didn't work either.

I finally tried Eugene domay, and this time I found his profile:

URL : https://www.facebook.com/eugene.clarke.56232

And we just learned his surname: Clarke

Matrimoniale.ro account

In one of his Facebook posts, we can notice that he shared a screenshot of his computer.

This screenshot shows the titles of the different tabs open in his browser.

One of them caught my attention:

Its heart-shaped logo made me think it might be a dating website, and a dating website means giving away a lot of information about yourself.

To find the website again, I used a Google dork to search for pages with a similar title (the text that appears in the tab name):

intitle:Matrimoniale - femei

I got this site as the first result, and by checking the website, I found the exact same logo.

Bingo! We found it!

URL : https://www.matrimoniale.ro/

The next step is to find the grinch on it. The search is not long, because his username is the same one he uses on Hacker News (domay1986).

https://www.matrimoniale.ro/domay1986

By browsing his profile, we find his favourite colour in the personal data section: Magenta

Medical information

A second post on his Facebook profile mentions a link to the X-MAS CTF platform.

Here is the text :

so I was today at our local eggnog clinic and there was this young girl in front of me, I read she had arachnophobia LOL, imagine being afraid of some insects!
You guys can even check it out here, I noted down her patient ID (kn8dy2d192hycjow)
http://challs.xmas.htsp.ro:13002

As I wrote this write-up long after the CTF, I don't have any screenshots for this part.

This website was basically a fake copy of a hospital website where you could get your medical record with a specific patient ID.

We only had the ID of the girl Clarke talked about in his post.
This kind of information is hard to get: not a lot of people publish it on their social media (notice the "not a lot", because it does happen, sadly).

I tried an SQL injection on the form by appending '-' to the end of the ID.

Here is the request: http://challs.xmas.htsp.ro:13002/23c12189dcu91n8uc198231c9n412c4189dsa/?id=kn8dy2d192hycjow'-'

It gave me the entire list of users in the database. The single quote closes the string literal the ID was concatenated into, and the trailing -'' turns the comparison into arithmetic; on a MySQL back end (an assumption, the challenge never revealed its database), a non-numeric string used in arithmetic evaluates to 0, so the WHERE clause ends up comparing every stored ID against 0 and matches every row whose ID does not start with a digit.

From there, I was able to retrieve the last pieces of information:
His blood type is 0-.
His height is 162 cm.
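
To make that mechanism concrete, here is an added example (not part of the original write-up and not the challenge's own code) that reproduces the behaviour in MySQL. The table name, column names and patient rows are hypothetical; only the patient ID and the '-' payload come from the write-up, and the MySQL dialect is an assumption. The last statements show the hardened form, where a prepared statement keeps the payload inside the literal.

```sql
-- Added example, not from the challenge: hypothetical patients table.
CREATE TABLE patients (
  patient_id VARCHAR(32) PRIMARY KEY,
  name       VARCHAR(64),
  blood_type VARCHAR(4),
  height_cm  INT
);

-- Constructed sample rows (IDs are random-looking, as in the challenge).
INSERT INTO patients VALUES
  ('kn8dy2d192hycjow', 'girl with arachnophobia', 'A+', 165),
  ('q7v1zp0m3ndx5hbr', 'Eugene Clarke',           '0-', 162);

-- What the vulnerable page presumably ran for ?id=kn8dy2d192hycjow,
-- with the parameter concatenated straight into the string literal:
SELECT * FROM patients WHERE patient_id = 'kn8dy2d192hycjow';
-- -> one row

-- What it ran for ?id=kn8dy2d192hycjow'-' :
SELECT * FROM patients WHERE patient_id = 'kn8dy2d192hycjow'-'';
-- The injected quote closes the literal, and -'' subtracts the empty
-- string from it. MySQL evaluates the arithmetic numerically:
-- 'kn8dy2d192hycjow' - '' = 0 - 0 = 0 (with a "truncated DOUBLE" warning).
-- patient_id is now compared with the number 0, so each stored ID is cast
-- to a number too; any ID that does not begin with a digit becomes 0, and
-- 0 = 0 holds. Result: every such row, the "entire list of users".

-- The two coercions on their own:
SELECT 'kn8dy2d192hycjow' - '' AS coerced;   -- 0
SELECT 'kn8dy2d192hycjow' = 0  AS matches;   -- 1

-- Hardened form: bind the value instead of concatenating it. The payload
-- (19 characters, quotes included) is then just a string nobody's ID equals.
PREPARE lookup FROM 'SELECT * FROM patients WHERE patient_id = ?';
SET @id = 'kn8dy2d192hycjow''-''';
EXECUTE lookup USING @id;   -- no rows
DEALLOCATE PREPARE lookup;
```

The same defence applies whatever the language of the web application: pass the ID as a bound parameter, or, at minimum, reject anything that is not a plain alphanumeric string before it reaches the query.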

From his address in the medical record (2207 Kelly Ave PA 18508), I searched for this place in OpenStreetMap and found that the city was Scranton.

By combining all this information, we get the flag!

TL;DR

The account on notabug.io tells us that the user has another account on Hacker News.
Once this account was found, we had new information pointing us to his Facebook account.
From there, we could get two more sources: his matrimoniale.ro profile (favourite colour) and his record on the fake hospital site (blood type, height and address, hence the city).

Flag

The flag is X-MAS{eugene_clarke_scranton_magenta_0-_162}


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.