TrendMicroCTF2017 WriteUp
Moved from Gist to Hatena Blog.
TrendMicroCTF2017_IoT_OSINT_SCADA_100pt.md · GitHub
TrendMicroCTF2017_IoT_OSINT_SCADA_200pt.md · GitHub
IoT/OSINT/SCADA 100pt
Problem statement
Today you received an email that seemed to be from an online shopping site that you use - but when you followed the link something definitely did not seem right. It appears that the world's worst phisher must have set up the page - and has targeted you with a phishing attack! The email text said you needed to visit a link to update the security of your account. However the link actually led to the site ctf.superpopularonlineshop.com.definitelynotaphishingsite.com. For this challenge you must find the "Real Person" who is behind this attack - leveraging your Open Source Intelligence (OSINT) skills. The Flag will be found on one of their social profile pages. NOTE: Pen Testing the site will not help - in fact all you need to start the trail is in this email already
First, collect information with whois.
```
$ whois definitelynotaphishingsite.com
Domain Name: definitelynotaphishingsite.com
Registry Domain ID: 2114851273_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2017-04-16T08:54:38Z
Creation Date: 2017-04-16T08:54:37Z
Registrar Registration Expiration Date: 2018-04-16T08:54:37Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: osint isfun
Registrant Organization:
Registrant Street: 230 Earls Court Road
Registrant Street: Kensington
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: SW5 9AA
Registrant Country: UK
Registrant Phone: +44.7441911980
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: osintisfun@gmx.com
Registry Admin ID: Not Available From Registry
Admin Name: osint isfun
Admin Organization:
Admin Street: 230 Earls Court Road
Admin Street: Kensington
Admin City: London
Admin State/Province: London
Admin Postal Code: SW5 9AA
Admin Country: UK
Admin Phone: +44.7441911980
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: osintisfun@gmx.com
Registry Tech ID: Not Available From Registry
Tech Name: osint isfun
Tech Organization:
Tech Street: 230 Earls Court Road
Tech Street: Kensington
Tech City: London
Tech State/Province: London
Tech Postal Code: SW5 9AA
Tech Country: UK
Tech Phone: +44.7441911980
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: osintisfun@gmx.com
Name Server: NS23.DOMAINCONTROL.COM
Name Server: NS24.DOMAINCONTROL.COM
```
Next, run a Reverse Whois Lookup on the registrant email address found above: mail:"osintisfun@gmx.com"
http://viewdns.info/reversewhois/
| Domain Name | Creation Date | Registrar |
|---|---|---|
| definitelynotaphishingsite.com | 2017-04-16 | GODADDY.COM, LLC |
| t3m4.com | 2017-04-16 | GODADDY.COM, LLC |
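The pivot from the whois record to the reverse-whois search is the core of this challenge: pick the registrant-controlled values out of the record, discard the registrar's shared infrastructure, and look for other domains that share them. The Python below is an added example and not code from the original write-up. It parses whois output in the `Key: value` layout shown above (sample values taken from that record, trimmed to the relevant fields), extracts the pivot values, and groups domains by contact email as an offline stand-in for the reverse-whois step. The second record for t3m4.com is constructed to mirror the reverse-whois hit in the table; the real t3m4.com whois record is not on this page, and nothing is fetched live.

```python
import re

# Constructed sample in the "Key: value" layout of the whois(1) output shown
# above; the values are from that record, trimmed to the fields that matter.
WHOIS_PHISHING = """\
Domain Name: definitelynotaphishingsite.com
Registrar URL: http://www.godaddy.com
Creation Date: 2017-04-16T08:54:37Z
Registrar: GoDaddy.com, LLC
Registrar Abuse Contact Email: abuse@godaddy.com
Registrant Name: osint isfun
Registrant Organization:
Registrant Phone: +44.7441911980
Registrant Fax:
Registrant Email: osintisfun@gmx.com
Admin Email: osintisfun@gmx.com
Tech Email: osintisfun@gmx.com
Name Server: NS23.DOMAINCONTROL.COM
Name Server: NS24.DOMAINCONTROL.COM
"""

# Second record, constructed to mirror the reverse-whois hit in the table
# above (same registrant email). The real t3m4.com record was not on the page.
WHOIS_T3M4 = """\
Domain Name: t3m4.com
Creation Date: 2017-04-16
Registrar: GoDaddy.com, LLC
Registrant Email: osintisfun@gmx.com
"""


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into {key: [values]}. Splitting on the first
    colon keeps URLs and timestamps intact; repeated keys (Name Server, the
    Registrant/Admin/Tech copies) become lists; empty fields are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        record.setdefault(key, []).append(value)
    return record


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pivots(record: dict) -> dict:
    """Values worth feeding into a reverse-whois search: distinct contact
    emails, phone numbers and contact names. Registrar-owned fields (abuse
    contact, domaincontrol.com name servers) are skipped on purpose: they are
    shared by huge numbers of unrelated GoDaddy domains and only add noise."""
    found = {"emails": set(), "phones": set(), "names": set()}
    for key, values in record.items():
        if key.startswith("Registrar"):
            continue
        for value in values:
            if key.endswith("Email"):
                found["emails"].update(EMAIL_RE.findall(value))
            elif key.endswith("Phone"):
                found["phones"].add(value)
            elif key.endswith(" Name") and key != "Domain Name":
                found["names"].add(value)
    return {k: sorted(v) for k, v in found.items()}


def group_by_email(records: list) -> dict:
    """Offline stand-in for the reverse-whois step: map each contact email to
    the domains whose records share it, so a linked domain stands out."""
    linked = {}
    for record in records:
        domain = record["Domain Name"][0].lower()
        for email in pivots(record)["emails"]:
            linked.setdefault(email, []).append(domain)
    return {email: sorted(set(domains)) for email, domains in linked.items()}


if __name__ == "__main__":
    records = [parse_whois(WHOIS_PHISHING), parse_whois(WHOIS_T3M4)]
    print(pivots(records[0]))
    print(group_by_email(records))
```

Against real data the same grouping is done by the reverse-whois service; the point of doing it locally is to be explicit about which fields are a pivot (registrant email, phone, name) and which are not (registrar abuse contact, registrar name servers), since a search on the latter returns thousands of unrelated domains.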
Accessing t3m4.com redirects to https://t3m4haxor.wordpress.com/.
Posted on April 10, 2017 by t3m4haxor Welcome to my awesome new (and I promise to be regularly updated) blog. My name is T3-M4Haxor – at least that's what my friends call me. That is not my real name of course … which is a secret that NO ONE WILL EVER FIND OUT . Muhaha! When I am not creating (truly terrible) Phishing pages , I can normally be found having fun creating OSINT challenges for awesome CTF. For all you know – you might be in the middle of one right now …
A Google search for the ID "t3m4haxor" turns up the following website.
"Davik Surik (@T3M4haxor) News, Photos & Videos, Bio/https://topicsbird.com/u/T3M4haxor"
Assuming that t3m4haxor's name is "Davik Surik", searching for it turns up a LinkedIn page.
"https://uk.linkedin.com/in/davik-surik-b04198141"
Projects Trend Micro CTF 2017 Proud to have helped with the Trend Micro CTF 2017 - especially Secret Challenge "13" -> GZPGS{SGE0FVAG101}
ROT13 it and we are done (the `encode("rot13")` call below is Python 2 syntax; in Python 3 the same decoding is done through the codecs module's rot_13 codec).
```
$ python
>>> print("GZPGS{SGE0FVAG101}".encode("rot13"))
TMCTF{FTR0SINT101}
```
TMCTF{FTR0SINT101}
IoT/OSINT/SCADA 200pt
Problem statement
A customer suspects that his email account is being targeted to be hacked. He has asked you to investigate and trace his attacker's real name (flag). During your talk, he mentioned a suspicious email that he received about a bank transfer from someone he doesn't know. He actually tried to investigate by himself and found out the email was crafted to hide the real sender. He was able to go as far as finding a related Facebook account by adding "tmctf" to the name he found from the email and that was as far as he got. Unfortunately he deleted the email after this, thinking it was just a random phishing email. He provided you with pcap logs from his machine to start your investigation. ZIP password : virus
Extracting the zip file gives a pcapng file, which we open in Wireshark. Going through the traffic with the problem statement in mind, we can see the messages being exchanged.
As the problem statement describes, take the user part of the email address "mario_dboro@testing-my-mail.com", append "tmctf", and search Facebook for "mario dboro tmctf".
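The customer's observation that the email "was crafted to hide the real sender" is normally visible in a capture as a disagreement between the three places a sender is named in one SMTP transaction: the envelope `MAIL FROM`, the `From:` header that mail clients display, and `Reply-To:`. The Python below is an added example and not code from the original write-up. It assumes the relevant TCP stream has already been exported from Wireshark as text (Follow TCP Stream) rather than reading the pcapng directly, and it runs over a constructed plaintext SMTP session: the sender address is the one named in the write-up, while every other host and address in the sample is made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed plaintext SMTP session in the form Wireshark's "Follow TCP
# Stream" exports. Only mario_dboro@testing-my-mail.com comes from the
# write-up; every other host and address here is invented for the example.
SAMPLE_SMTP = """\
220 mail.example.test ESMTP
EHLO relay.example.test
250 OK
MAIL FROM:<mario_dboro@testing-my-mail.com>
250 2.1.0 Ok
RCPT TO:<customer@example.test>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Accounts Team" <accounts@bank.example.test>
Reply-To: mario_dboro@testing-my-mail.com
To: customer@example.test
Subject: Bank transfer confirmation

Please confirm the attached transfer today.
.
250 2.0.0 Ok: queued
QUIT
221 Bye
"""


def extract_sender_identities(session: str) -> dict:
    """Return the three places a sender is named in one SMTP transaction:
    the envelope MAIL FROM, the From: header and the Reply-To: header.
    Clients display only From:, so a forged From: hides the real sender while
    the envelope (and usually Reply-To, which must reach the attacker) give
    it away."""
    ids = {"envelope_from": None, "header_from": None, "reply_to": None}
    message_lines, in_data = [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":            # a lone dot terminates the DATA section
                in_data = False
            else:
                message_lines.append(line)
            continue
        if line.upper().startswith("MAIL FROM:"):
            ids["envelope_from"] = parseaddr(line.partition(":")[2])[1]
        elif line.startswith("354"):   # server accepted DATA; message follows
            in_data = True
    msg = message_from_string("\n".join(message_lines))
    ids["header_from"] = parseaddr(msg.get("From", ""))[1]
    ids["reply_to"] = parseaddr(msg.get("Reply-To", ""))[1]
    return ids


def sender_mismatch(ids: dict) -> bool:
    """True when the identities that were found do not all agree, which is
    the 'hidden real sender' pattern the customer described."""
    found = {addr for addr in ids.values() if addr}
    return len(found) > 1


if __name__ == "__main__":
    found = extract_sender_identities(SAMPLE_SMTP)
    for label, addr in found.items():
        print(f"{label:14} {addr}")
    print("sender mismatch:", sender_mismatch(found))
```

On a real capture the stream may be IMAP or POP3 rather than SMTP (then only the header `From:` and `Reply-To:` are available, and `Received:` headers take the envelope's role), and a TLS-protected session exposes none of this, so the text export has to come from a plaintext stream.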
Sending a message to that Facebook community gets the following reply.
Thanks for messaging us. You are half way in your challenge. In order to proceed, you need to find the magic string "854FJD922KA" in social media post. Good luck!
A Google search for the given string "854FJD922KA" hits the following Twitter account.
Following the link in this tweet from that account leads to a Pastebin. https://twitter.com/dboro18673/status/873158280368996353
The Pastebin contains an email address ("jon.rebutang@gmail.com"); searching LinkedIn for its user ID part turns up the following account.
Since the task is to identify the attacker's name, the flag is TMCTF{Jon Kravitsky Rebutang}. Done.