Keeber NahamCon CTF 2022 [OSINT]
Keeber 1
You have been applying to entry-level cybersecurity jobs focused on reconnaissance and open source intelligence (OSINT). Great news! You got an interview with a small cybersecurity company; the Keeber Security Group. Before interviewing, they want to test your skills through a series of challenges oriented around investigating the Keeber Security Group.
The first step in your investigation is to find more information about the company itself. All we know is that the company is named Keeber Security Group and they are a cybersecurity startup. To start, help us find the person who registered their domain. The flag is in regular format.
Googled the company name and found the Keeber Security Group website. To find the registrant name, I used who.is.
WHOIS is an internet record that holds information about a website's owner. To read more about WHOIS, read R1 in the References.
Keeber 2
The Keeber Security Group is a new startup in its infant stages. The team is always changing and some people have left the company. The Keeber Security Group has been quick with changing their website to reflect these changes, but there must be some way to find ex-employees. Find an ex-employee through the group’s website. The flag is in regular format.
Surfed their website but didn't find anything. But as they had made changes to the website in the past, I used the Wayback Machine to view those changes and found three screenshots.
Clicked the 19th April one and found the flag along with the ex-employee's name, Tiffany Douglas.
Keeber 3
The ex-employee you found was fired for “committing a secret to public github repositories”. Find the committed secret, and use that to find confidential company information. The flag is in regular format.
It is clear from the previous challenge that the ex-employee is Tiffany Douglas, as we found the flag under her profile, which can be seen in S4.
As I was going through their website earlier, I found their GitHub repo link in the footer.
There were only three members along with three repositories in their GitHub profile, as can be seen under People. The ex-employee, Tiffany Douglas, isn't there, but the challenge author has mentioned that she made commits to their repo in the past.
GitHub
Before starting the party, let's discuss the GitHub user interface first, which will make the next challenges easier, as they are connected. This overview will not be detailed; to read more about GitHub ……….github detail link……
I have marked all the basic components in the screenshot below.
To download any repository:
Let's move back to the challenge. In S7 we saw the contributors section, with Tiffany Douglas's profile in there.
Opened her profile; as can be seen in her contribution activity timeline, she made commits to some repositories.
She has only created 6 commits thus far, to two repositories.
Clicked on the red-underlined commits link to view the commits she made to that specific repo; this shows only the commits created by Tiffany to that repo. Let's dig into these commits to find something.
Opened the /security-evaluation-workflow/ commits, went through all of them one by one, and found that she committed a .txt file to .gitignore named asana_secret.txt.
file: asana_secret.txt
content: 1/1202152286661684:f136d320deefe730f6c71a91b2e4f7b1
Tried to work out what asana_secret is. For some minutes I thought it was random text, or that the flag might be in the metadata, but I didn't understand anything. Then I googled “asana” and found it's a team management software, but that still didn't explain anything. After surfing more, I found that they have an API too. Opened the Asana documentation, and on the first page:
The string in S14 is similar in format to the one we found in asana_secret.txt.
Why not give it a try? Opened an online curl tool and made a request, changing the “Authorization” value to the asana_secret.txt content.
Ara ara, we got the flag.
Keeber 5
The ex-employee in focus made other mistakes while using the company’s GitHub. All employees were supposed to commit code using the keeber-@protonmail.com email assigned to them. They made some commits without following this practice. Find the personal email of this employee through GitHub. The flag is in regular format.
As we discussed in the previous challenge, the upcoming challenges are connected. In S10 she created 6 commits in two repositories, but we didn't discuss how to check which email the member used to create those commits.
So we are going to open any commit and add “.patch” to the end of that commit's URL. The “.patch” view is a text file which contains the metadata of a commit along with the code.
https://github.com/repository_location/commit/commit_id.patch
After adding .patch to the end of the URL of all the commits, found the flag along with the personal email in started code_reviews.txt
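The same .patch text can be audited from the defender's side. This sketch is an added example, not part of the original writeup or any Keeber repository: it flags commits whose author email breaks the company pattern, and added lines shaped like the asana_secret.txt string from Keeber 3, which stay readable in history even after a later commit deletes the file. The email pattern, the token regex and the sample patch series are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed policy (from the challenge text): keeber-<name>@protonmail.com only.
COMPANY_EMAIL = re.compile(r"^keeber-[\w.]+@protonmail\.com$", re.I)
# Shape of the asana_secret.txt string on this page (digit/digits:32 hex), an assumption.
TOKEN_SHAPE = re.compile(r"\b\d/\d{10,}:[0-9a-f]{32}\b")
# git format-patch opens every commit with this mbox separator line.
COMMIT_START = re.compile(r"^From ([0-9a-f]{40}) Mon Sep 17 00:00:00 2001$", re.M)

def audit(patch_text):
    """Return (short_sha, kind, detail) findings for a .patch / format-patch series."""
    findings = []
    marks = list(COMMIT_START.finditer(patch_text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(patch_text)
        msg = message_from_string(patch_text[m.end():end].lstrip("\n"))
        sha, author = m.group(1)[:7], parseaddr(msg.get("From", ""))[1]
        if not COMPANY_EMAIL.match(author):
            findings.append((sha, "off-policy-email", author))
        path = None  # file the current hunk adds to; None when the file is deleted
        for line in msg.get_payload().splitlines():
            if line.startswith("+++ "):
                path = line[6:] if line.startswith("+++ b/") else None
            elif line.startswith("+") and TOKEN_SHAPE.search(line):
                findings.append((sha, "token-shaped-string", path))
    return findings

# Constructed, trimmed two-commit series: commit 1 adds a secret, commit 2 deletes it.
SAMPLE = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Example Dev <keeber-example@protonmail.com>
Subject: [PATCH 1/2] add notes

--- /dev/null
+++ b/asana_secret.txt
@@ -0,0 +1 @@
+1/1000000000000001:0123456789abcdef0123456789abcdef
From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: Example Dev <example.dev@example.com>
Subject: [PATCH 2/2] remove secret file

--- a/asana_secret.txt
+++ /dev/null
@@ -1 +0,0 @@
-1/1000000000000001:0123456789abcdef0123456789abcdef
"""
```

Calling audit(SAMPLE) reports the token in the first commit even though the second commit removes the file, and reports the second commit for its off-policy author address.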
Keeber 6
After all of the damage the ex-employee’s mistakes caused to the company, the Keeber Security Group is suing them for negligence! In order to file a proper lawsuit, we need to know where they are so someone can go and serve them. Can you find the ex-employee’s new workplace? The flag is in regular format, and can be found in a recent yelp review of their new workplace.
(Hint: You will need to pivot off of the email found in the past challenge!)
We already have Tiffany Douglas's email address, tif.hearts.science@gmail.com, and it is mentioned that the flag must be on Yelp.
Googled “yelp” and found that it is a reviews and recommendations app.
Out of curiosity, searched whether there is any way to search for users on Yelp and found that there is, but one must have a Yelp account for it. Created an account on the website and looked through their UI.
After creating an account, click on the profile and open “Find Friends” in the next tab, as shown in S19.
You will be redirected to this page. I first typed her name, but there were so many Tiffanys.
After fuzzing again and again, copied the email into the search bar as shown in S20 and, hurrah, found her review along with the flag. NOTE: [THIS ACCOUNT HAS BEEN DELETED]
Keeber 7
Multiple employees have gotten strange phishing emails from the same phishing scheme. Use the email corresponding to the phishing email to find the true identity of the scammer. The flag is in regular format.
(Note: This challenge can be solved without paying for anything!)
As a Gmail address was given, searched for tools to do OSINT on Gmail and found GHunt. Using this tool was a pain when integrating cookies with it, but somehow it worked.
Name : Issac Anderson
[-] Default profile picture
Last profile edit : 2022/04/24 02:15:34 (UTC)
Email : cheerios.fanatic1941@gmail.com
Gaia ID : 102794538121253485049
Hangouts Bot : No
[+] Activated Google services :
- Hangouts
- Photos
[+] YouTube channel (confidence => 90.0%) :
- [Issac Anderson] https://youtube.com/channel/UCWBSq_ptHFNVnpi982rr7vA
Google Maps : https://www.google.com/maps/contrib/102794538121253485049/reviews
[-] No reviews
Google Calendar : https://calendar.google.com/calendar/u/0/embed?src=cheerios.fanatic1941@gmail.com
[-] No public Google Calendar.
But this doesn't give any hint other than his name and a few links. Opened all the given links, but these were dead ends. After re-evaluating the scheme, tried Maltego: just after adding the email and starting the transforms, found his Myspace account.
After opening the Myspace link in a browser, found the flag. To access Myspace, use a VPN, as it is restricted here in Pakistan.
For this challenge, just register an account with Maltego and use the free Community Edition, as I did here. For more details on Maltego, watch a YouTube video; I'm going to write a writeup on it soon.
Keeber 8
Despite all of the time we spend teaching people about phishing, someone at Keeber fell for one! Maria responded to the email and sent some of her personal information. Pivot off of what you found in the previous challenge to find where Maria’s personal information was posted. The flag is in regular format.
From S23 we can see Maria's email, keeber-maria@protonmail.com, and as it is mentioned that her personal information was posted somewhere, it was a data breach. There are many tools one can use to search whether a certain email appears in data breaches.
The famous one is https://haveibeenpwned.com/. Opened this link, pasted her email and found
but didn't elicit anything after clicking the files attached to the result.
I also knew another website which I have used in the past, https://intelx.io/. Created an account there [7-day free trial] and entered her email in the search.
There were 3 more files. Opened the first one and typed maria in the search bar.
found the Flag.
References
========================================
- https://www.domain.com/blog/what-is-whois-and-how-is-it-used/
- https://www.yelp-support.com/article/How-do-I-add-friends-on-Yelp?l=en_US
- https://github.com/mxrch/GHunt
- https://developers.asana.com/docs
- https://www.maltego.com/ce-registration/
- https://www.nymeria.io/blog/how-to-manually-find-email-addresses-for-github-users
- https://www.youtube.com/watch?v=zu3_CR_Wh3A
- https://intelx.io
- https://haveibeenpwned.com/