Keeber NahamCon CTF 2022 [OSINT]

Awais Afzal Kamboh
May 4, 2022

Keeber 1

You have been applying to entry-level cybersecurity jobs focused on reconnaissance and open source intelligence (OSINT). Great news! You got an interview with a small cybersecurity company; the Keeber Security Group. Before interviewing, they want to test your skills through a series of challenges oriented around investigating the Keeber Security Group.

The first step in your investigation is to find more information about the company itself. All we know is that the company is named Keeber Security Group and they are a cybersecurity startup. To start, help us find the person who registered their domain. The flag is in regular format.

Googled the company name and found the Keeber Security Group website. To find the registrant name, used who.is.

WHOIS is an internet record that holds information about the website owner. To read more about WHOIS, see R1 in the References.

S1. Registrant Contact Information of Keeber Security Group

Keeber 2

The Keeber Security Group is a new startup in its infant stages. The team is always changing and some people have left the company. The Keeber Security Group has been quick with changing their website to reflect these changes, but there must be some way to find ex-employees. Find an ex-employee through the group’s website. The flag is in regular format.

Surfed their website but didn't find anything.

S2. Keeber Security Group Team Page

But as they had made changes to the website in the past, used the Wayback Machine to view those changes. Found three screenshots.

S3. screenshot of the changes made to the keeber security group’s website in past

Clicked the 19th April one and found the flag along with the ex-employee's name, Tiffany Douglas.

S4. ex-employee’s name along with Flag{}

Keeber 3

The ex-employee you found was fired for “committing a secret to public github repositories”. Find the committed secret, and use that to find confidential company information. The flag is in regular format.

It is clear from the previous challenge that the ex-employee is Tiffany Douglas, as we found the flag under her profile, which can be seen in S4.

As I was going through their website earlier, I found their GitHub repo link in the footer.

S5. Github Link
S6. Screenshot of Keeber Security Group Github Repository

There were only three members along with three repositories in their GitHub profiles, as can be seen under People. The ex-employee, Tiffany Douglas, isn't there, but the challenger has mentioned that she made commits to their repo in the past.

GitHub

Before starting the party, let's discuss the GitHub user interface first, which will help us later in the next challenges, as they are connected. This overview will not be detailed; to read more about GitHub ……….github detail link……

I have mentioned all the basic components in the screenshot below.

S7. Basic overview of the GitHub UI.

To download any repository:

S8. How to download.

Let's move back to the challenge. In S7 we saw the contributors section, with Tiffany Douglas's profile in it.

Opened her profile; as can be seen in her contribution activity timeline, she made commits to some repositories.

S9. Tiffany Douglas Github Profile

She has only created 6 commits thus far, to two repositories.

S10. Tiffany Contribution Activity commits screenshot

Clicked on the red-underlined commits link to view the commits she made to that specific repo. Doing that shows only the commits created by Tiffany to that repo. Let's dig into these commits to find something.

S11. Commits created by Tiffany to the Security-evaluation-workflow.

Opened the /security-evaluation-workflow/ commits. Went through all of them one by one and found that she committed a .txt file to .gitignore named asana_secret.txt.

S12. asana_secret.txt file along with its contents

file: asana_secret.txt

content:1/1202152286661684:f136d320deefe730f6c71a91b2e4f7b1

Tried to think what asana_secret is; thought for some minutes it was random text, and that maybe the flag is in the metadata, but didn't understand anything. Then googled “asana” and found it's a team management software. But yet again this didn't explain anything. After surfing some more, found that they have an API too. Opened the Asana documentation, and on the first page:

S13. Asana documentation overview
S14. Screenshot of a snippet from S13

The string in S14 is similar to the format we found in asana_secret.txt.

Why not give it a try? Opened an online curl tool and made a request, changing the “Authorization” value to the asana_secret.txt content.

S15. Screenshot of curl request with Flag

Ara ara, we got the flag.
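A defender's view of the same finding, as an added example that is not part of the original write-up: a small scanner that walks the added lines of a commit's .patch text and reports strings shaped like the asana_secret.txt value. The regular expression is an assumption inferred from that one string, and the sample patch and token are constructed.

```python
import re

# Assumption: token shape inferred from the asana_secret.txt string shown above
# (digit, "/", long numeric id, ":", 32 hex chars); not an official Asana spec.
TOKEN_RE = re.compile(r"\b\d/\d{10,}:[0-9a-f]{32}\b")

# Constructed sample patch; the token below is made up for this example.
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.com>
Subject: [PATCH] add workflow notes

---
diff --git a/asana_secret.txt b/asana_secret.txt
new file mode 100644
--- /dev/null
+++ b/asana_secret.txt
@@ -0,0 +1 @@
+1/1111111111111111:0123456789abcdef0123456789abcdef
diff --git a/.gitignore b/.gitignore
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.pyc
+asana_secret.txt
"""

def redact(token):
    """Keep only enough of the token to identify it in a report."""
    return token[:6] + "..." + token[-4:]

def scan_patch(patch_text):
    """Return (file, redacted_token) for token-shaped strings on added lines."""
    findings, current_file = [], None
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current_file = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and current_file:
            for m in TOKEN_RE.finditer(line[1:]):
                findings.append((current_file, redact(m.group())))
    return findings

if __name__ == "__main__":
    for path, token in scan_patch(SAMPLE_PATCH):
        print(f"{path}: possible API token {token} (rotate it)")
```

A hit means the token has to be revoked and reissued: listing the file in .gitignore afterwards does not remove it from the commits that already contain it.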

Keeber 5

The ex-employee in focus made other mistakes while using the company’s GitHub. All employees were supposed to commit code using the keeber-@protonmail.com email assigned to them. They made some commits without following this practice. Find the personal email of this employee through GitHub. The flag is in regular format.

As discussed in the previous challenge, the upcoming challenges are connected. In S10 she created 6 commits in two repositories, but we didn't discuss how to check which email the member used to create those commits.

So we are going to open any commit and add “.patch” to the end of that commit's URL. A “.patch” is a text file which contains the metadata of a commit along with the code.

https://github.com/repository_location/commit/commit_id.patch

After adding .patch at the end of the URL of all the commits, found the flag along with the personal email in started code_reviews.txt.

S16. Adding .patch at the end of the url
S17. Screenshot of flag and Tiffany Douglas personal email
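The same .patch header can be audited from the company's side. This added example (not from the original write-up) reads the From: header of each patch and lists commits whose author address is off policy; the keeber-<name>@protonmail.com pattern is an assumption based on the challenge text, and the sample patches are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: company addresses look like keeber-<name>@protonmail.com, based on
# the challenge text and the keeber-maria@protonmail.com address on this page.
COMPANY_RE = re.compile(r"^keeber-[a-z0-9._]+@protonmail\.com$")

# Constructed .patch headers in git format-patch layout; ids, names and
# addresses are made up for this example.
PATCHES = {
    "1111111": "From 1111111 Mon Sep 17 00:00:00 2001\n"
               "From: Jane Roe <keeber-jane@protonmail.com>\n"
               "Date: Mon, 18 Apr 2022 10:00:00 +0000\n"
               "Subject: [PATCH] update checklist\n\n---\n",
    "2222222": "From 2222222 Mon Sep 17 00:00:00 2001\n"
               "From: Jane Roe <Jane.Roe@example.org>\n"
               "Date: Tue, 19 Apr 2022 10:00:00 +0000\n"
               "Subject: [PATCH] started notes\n\n---\n",
    "3333333": "Subject: [PATCH] header block without an author line\n\n---\n",
}

def author_of(patch_text):
    """Return (name, email) from the From: header, or (None, None) if absent."""
    for line in patch_text.splitlines():
        if line == "":  # a blank line ends the header block
            break
        if line.lower().startswith("from:"):
            name, addr = parseaddr(line[5:].strip())
            return name, addr.lower()
    return None, None

def off_policy_commits(patches):
    """List (commit_id, name, email) for commits not made with a company address."""
    flagged = []
    for commit_id, text in patches.items():
        name, addr = author_of(text)
        if not addr or not COMPANY_RE.match(addr):
            flagged.append((commit_id, name, addr))
    return flagged

if __name__ == "__main__":
    for commit_id, name, addr in off_policy_commits(PATCHES):
        print(f"{commit_id}: author {name!r} <{addr}> is not a company address")
```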

Keeber 6

After all of the damage the ex-employee’s mistakes caused to the company, the Keeber Security Group is suing them for negligence! In order to file a proper lawsuit, we need to know where they are so someone can go and serve them. Can you find the ex-employee’s new workplace? The flag is in regular format, and can be found in a recent yelp review of their new workplace.

(Hint: You will need to pivot off of the email found in the past challenge!)

We have already got Tiffany Douglas's email address, tif.hearts.science@gmail.com, and it is mentioned that the flag must be on Yelp.

Googled “yelp” and found that it is a reviews and recommendations app.

S18. Screenshot of Yelp Website Homepage

Out of curiosity, searched whether there is any possibility to search for users on Yelp and found that there is, but for that one must have a Yelp account. Created an account on the website and looked through their UI.

S19. Yelp Account dropdown menu

After creating an account, just click on the profile and open “Find Friends” in the next tab, as shown in S19.

S20. Yelp Find Friends

You are going to be redirected to this page. I first typed her name, but there were so many Tiffanys.

S21. Fuzzing Results

After fuzzing again and again, copied the email into the search bar as shown in S20 and, hurrah, found her review along with the flag. NOTE: [THIS ACCOUNT HAS BEEN DELETED]

S22. Tiffany Douglas Profile on YELP with Flag

Keeber 7

Multiple employees have gotten strange phishing emails from the same phishing scheme. Use the email corresponding to the phishing email to find the true identity of the scammer. The flag is in regular format.

(Note: This challenge can be solved without paying for anything!)

S23. This PDF file was attached with Challenge

As a Gmail address was given, tried to search for tools to do OSINT on Gmail and found GHunt. Using this tool was a pain while integrating cookies with it; somehow it worked.

S24. GHUNT tool result for cheerios.fanatic1941@gmail.com

Name : Issac Anderson

[-] Default profile picture

Last profile edit : 2022/04/24 02:15:34 (UTC)

Email : cheerios.fanatic1941@gmail.com
Gaia ID : 102794538121253485049

Hangouts Bot : No

[+] Activated Google services :
- Hangouts
- Photos

[+] YouTube channel (confidence => 90.0%) :
- [Issac Anderson]
https://youtube.com/channel/UCWBSq_ptHFNVnpi982rr7vA

Google Maps : https://www.google.com/maps/contrib/102794538121253485049/reviews
[-] No reviews

Google Calendar : https://calendar.google.com/calendar/u/0/embed?src=cheerios.fanatic1941@gmail.com
[-] No public Google Calendar.

But this doesn't give any hint other than his name and a few links. Opened all the given links, but these were dead ends. After re-evaluating the scheme, tried Maltego; just after adding the email and starting the transforms, found his Myspace account.

S25. Maltego CE cheerios.fanatic1941@gmail.com result along with his myspace account

After opening the Myspace link in a browser, found the flag. To access Myspace, do use a VPN, as it is restricted here in Pakistan.

S26. Cheerios.fanatic1941@gmail.com myspace account with flag

For this challenge, just register an account with Maltego and use the free Community Edition, just as I used here. For more details on Maltego, watch a YouTube video, which I'm going to write a writeup on soon.

Keeber 8

Despite all of the time we spend teaching people about phishing, someone at Keeber fell for one! Maria responded to the email and sent some of her personal information. Pivot off of what you found in the previous challenge to find where Maria’s personal information was posted. The flag is in regular format.

From S23 we can see Maria's email, keeber-maria@protonmail.com, and as it is mentioned that her personal information was posted somewhere, it was a data breach. There are many tools one can use to search whether a certain email appears in data breaches or not.

The famous one is https://haveibeenpwned.com/. Opened this link, pasted her email, and found:

S27. have i been pwned result screenshot of maria’s email

But didn't elicit anything after clicking the files attached in the result.

I also knew another website which I have used in the past, https://intelx.io/. Created an account there [7 days free trial] and entered her email in the search.

S28. IntelX screenshot of Maria's email data breaches found

There were 3 more files; opened the first one and typed maria in the search bar.

S29. Maria Email along with the flag

Found the flag.

References

========================================

  1. https://www.domain.com/blog/what-is-whois-and-how-is-it-used/
  2. https://www.yelp-support.com/article/How-do-I-add-friends-on-Yelp?l=en_US
  3. https://github.com/mxrch/GHunt
  4. https://developers.asana.com/docs
  5. https://www.maltego.com/ce-registration/
  6. https://www.nymeria.io/blog/how-to-manually-find-email-addresses-for-github-users
  7. https://www.youtube.com/watch?v=zu3_CR_Wh3A
  8. https://intelx.io
  9. https://haveibeenpwned.com/
