TrendMicroCTF2017 WriteUp

Moved from Gist to HatenaBlog.

TrendMicroCTF2017_IoT_OSINT_SCADA_100pt.md · GitHub

TrendMicroCTF2017_IoT_OSINT_SCADA_200pt.md · GitHub

IoT/OSINT/SCADA 100pt

Problem statement

Today you received an email that seemed to be from an online shopping site that you use - but when you followed the link something definitely did not seem right. It appears that the world's worst phisher must have set up the page - and has targeted you with a phishing attack!

The email text said you needed to visit a link to update the security of your account. However, the link actually led to the site ctf.superpopularonlineshop.com.definitelynotaphishingsite.com

For this challenge you must find the "Real Person" who is behind this attack - leveraging your Open Source Intelligence (OSINT) skills.

The Flag will be found on one of their social profile pages

NOTE: Pen Testing the site will not help - in fact all you need to start the trail is in this email already

First, gather information with whois.

$ whois definitelynotaphishingsite.com
Domain Name: definitelynotaphishingsite.com
Registry Domain ID: 2114851273_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2017-04-16T08:54:38Z
Creation Date: 2017-04-16T08:54:37Z
Registrar Registration Expiration Date: 2018-04-16T08:54:37Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: osint isfun
Registrant Organization:
Registrant Street: 230 Earls Court Road
Registrant Street: Kensington
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: SW5 9AA
Registrant Country: UK
Registrant Phone: +44.7441911980
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: osintisfun@gmx.com
Registry Admin ID: Not Available From Registry
Admin Name: osint isfun
Admin Organization:
Admin Street: 230 Earls Court Road
Admin Street: Kensington
Admin City: London
Admin State/Province: London
Admin Postal Code: SW5 9AA
Admin Country: UK
Admin Phone: +44.7441911980
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: osintisfun@gmx.com
Registry Tech ID: Not Available From Registry
Tech Name: osint isfun
Tech Organization:
Tech Street: 230 Earls Court Road
Tech Street: Kensington
Tech City: London
Tech State/Province: London
Tech Postal Code: SW5 9AA
Tech Country: UK
Tech Phone: +44.7441911980
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: osintisfun@gmx.com
Name Server: NS23.DOMAINCONTROL.COM
Name Server: NS24.DOMAINCONTROL.COM

Next, search by the email address we just obtained using Reverse Whois Lookup: mail:"osintisfun@gmx.com"

http://viewdns.info/reversewhois/

Domain Name                     Creation Date  Registrar
definitelynotaphishingsite.com  2017-04-16     GODADDY.COM, LLC
t3m4.com                        2017-04-16     GODADDY.COM, LLC
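The two steps above (reading the contact fields out of a whois record, then pivoting on the registrant email to find sibling domains) are the core of the trail. The following is an added example, not code from the writeup: it parses the `Key: value` whois format into a record, picks out the contact values worth pivoting on, and runs the reverse-whois pivot against a small constructed index that stands in for the viewdns.info lookup. The whois sample is an abbreviated copy of the record above; the index entries and the unrelated `example.org` domain are constructed.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: an abbreviated copy of the whois record in the writeup,
# trimmed to the fields the pivot needs.
WHOIS_TEXT = """Domain Name: definitelynotaphishingsite.com
Registrar: GoDaddy.com, LLC
Registrar URL: http://www.godaddy.com
Creation Date: 2017-04-16T08:54:37Z
Registrant Name: osint isfun
Registrant Organization:
Registrant Email: osintisfun@gmx.com
Registrant Phone: +44.7441911980
Admin Email: osintisfun@gmx.com
Tech Email: osintisfun@gmx.com
Name Server: NS23.DOMAINCONTROL.COM
Name Server: NS24.DOMAINCONTROL.COM
"""

# Constructed stand-in for a reverse-whois index (domain -> registrant email).
# The first two entries mirror the viewdns.info result; example.org is an
# unrelated domain added to show it gets filtered out.
REVERSE_WHOIS_INDEX = {
    "definitelynotaphishingsite.com": "osintisfun@gmx.com",
    "t3m4.com": "osintisfun@gmx.com",
    "example.org": "hostmaster@example.org",
}


def parse_whois(text):
    """Parse 'Key: value' whois output into a dict of lists.

    Only the first colon separates key from value, so URLs and timestamps
    survive intact. Repeated keys (Name Server, Domain Status) are kept as
    lists; empty values such as 'Registrant Organization:' are dropped.
    """
    record = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            record[key].append(value)
    return dict(record)


def pivot_points(record):
    """Contact values worth pivoting on: emails and phones, deduplicated.

    Registrant/Admin/Tech usually repeat the same contact, so a set collapses
    them to the handful of values that actually identify the registrant.
    """
    emails, phones = set(), set()
    for key, values in record.items():
        for v in values:
            if key.endswith("Email") and EMAIL_RE.fullmatch(v):
                emails.add(v.lower())
            elif key.endswith("Phone"):
                phones.add(v)
    return {"emails": sorted(emails), "phones": sorted(phones)}


def related_domains(email, index=REVERSE_WHOIS_INDEX):
    """Reverse-whois pivot: domains registered with the same contact email."""
    email = email.lower()
    return sorted(d for d, e in index.items() if e.lower() == email)


if __name__ == "__main__":
    record = parse_whois(WHOIS_TEXT)
    points = pivot_points(record)
    print("pivot points:", points)
    for addr in points["emails"]:
        print(addr, "->", related_domains(addr))
```

Against a real registrar the index lookup is the reverse-whois service itself; everything else (the parser and the deduplication) is the same whether the record comes from the `whois` CLI or an RDAP response flattened to text.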

Visiting t3m4.com redirects to https://t3m4haxor.wordpress.com/.

Posted on April 10, 2017 by t3m4haxor
Welcome to my awesome new (and I promise to be regularly updated) blog.

My name is T3-M4Haxor – at least that's what my friends call me. That is not my real name of course … which is a secret that NO ONE WILL EVER FIND OUT . Muhaha!

When I am not creating (truly terrible) Phishing pages , I can normally be found having fun creating OSINT challenges for awesome CTF. For all you know – you might be in the middle of one right now …

A Google search for the ID "t3m4haxor" turns up the following website.

"Davik Surik (@T3M4haxor) News, Photos & Videos, Bio/https://topicsbird.com/u/T3M4haxor"

Assuming t3m4haxor's real name is "Davik Surik" and searching for it turns up a LinkedIn page.

"https://uk.linkedin.com/in/davik-surik-b04198141"

Projects
Trend Micro CTF 2017
Proud to have helped with the Trend Micro CTF 2017 - especially Secret Challenge "13" -> GZPGS{SGE0FVAG101}

Apply ROT13 and we're done.

$ python3
>>> # str.encode("rot13") only exists in Python 2; Python 3 goes through the codecs module
>>> import codecs
>>> print(codecs.decode("GZPGS{SGE0FVAG101}", "rot_13"))
TMCTF{FTR0SINT101}

TMCTF{FTR0SINT101}
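The LinkedIn hint only says "13", and the writeup guesses ROT13 from the shape of the string. As an added example (not part of the writeup), the block below goes one step more general: it implements the letter rotation by hand so it runs on any Python version, then tries all 26 shifts and keeps the one whose output matches the `TMCTF{...}` flag format, which is how you would handle the same hint if the shift were not given.

```python
import re

# Flag format used by this CTF, taken from the writeup's own flags.
FLAG_RE = re.compile(r"TMCTF\{[^{}]+\}")


def rotate(text, n):
    """Shift ASCII letters by n positions (a Caesar shift).

    Digits, braces and punctuation pass through untouched, which is why the
    '0' and '101' inside the flag survive ROT13 unchanged.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return rotate(text, 13)


def find_flag(ciphertext):
    """Try every shift and return (shift, plaintext) for the first candidate
    that looks like a TMCTF flag, or None if no rotation produces one."""
    for n in range(26):
        candidate = rotate(ciphertext, n)
        if FLAG_RE.search(candidate):
            return n, candidate
    return None


if __name__ == "__main__":
    hint = "GZPGS{SGE0FVAG101}"   # the string from the LinkedIn profile
    print(rot13(hint))
    print(find_flag(hint))
```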

IoT/OSINT/SCADA 200pt

Problem statement

A customer suspects that his email account is being targeted to be hacked. He has asked you to investigate and trace his attacker's real name (flag).

During your talk, he mentioned a suspicious email that he received about a bank transfer from someone he doesn't know. He actually tried to investigate by himself and found out the email was crafted to hide the real sender. He was able to go as far as finding a related facebook account by adding "tmctf" to the name he found from the email and that was as far as he got. Unfortunately he deleted the email after this, thinking it was just a random phishing email. He provided you with pcap logs from his machine to start your investigation.

ZIP password : virus

Extracting the zip file yields a pcapng file, which we open in Wireshark. Cross-checking the problem statement against the captured traffic, we can see a message exchange.

As the problem statement hints, take the user part of the email address "mario_dboro@testing-my-mail.com" and search Facebook for "mario dboro tmctf".
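The challenge says the email was "crafted to hide the real sender", and the pcap step comes down to pulling sender addresses out of a captured message and turning the user part into a search term. The following is an added example, not the challenge's message or code from the writeup: it parses a constructed raw message with Python's standard `email` module, collects every sender-side header, flags the case where the visible `From` address disagrees with `Reply-To`/`Return-Path` (the usual on-the-wire shape of a spoofed sender), and builds the "user part + tmctf" search term the writeup uses. Only the `mario_dboro@testing-my-mail.com` address comes from the writeup; the other addresses, the subject and the body are constructed.

```python
import email
import re
from email.utils import parseaddr

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample of a message as it might appear in a reassembled SMTP
# stream. It is NOT the message from the challenge pcap; only the From
# address is taken from the writeup. Reply-To and Return-Path point away
# from the claimed sender on purpose.
RAW_MESSAGE = b"""Return-Path: <bounce@testing-my-mail.com>
From: "Bank Transfer Dept" <mario_dboro@testing-my-mail.com>
Reply-To: <replies@example.net>
To: <customer@example.com>
Subject: Pending bank transfer
Date: Sat, 10 Jun 2017 10:00:00 +0000
Message-ID: <constructed-001@testing-my-mail.com>

Please confirm the attached transfer details.
"""


def sender_identities(raw):
    """Map each sender-side header to (display name, address).

    From is what the recipient sees; Reply-To is where replies go; Return-Path
    is where bounces go. A phisher controls all three independently.
    """
    msg = email.message_from_bytes(raw)
    found = {}
    for header in ("From", "Sender", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            name, addr = parseaddr(value)
            found[header] = (name, addr.lower())
    return found


def sender_mismatch(identities):
    """True when replies or bounces would go somewhere other than the visible
    From address, i.e. the headers disagree about who the sender is."""
    from_addr = identities.get("From", ("", ""))[1]
    others = {identities[h][1] for h in ("Reply-To", "Return-Path") if h in identities}
    return bool(others) and any(a != from_addr for a in others)


def search_term(addr, suffix="tmctf"):
    """Turn the local part of an address into the social-media search term the
    writeup uses: separators become spaces and the challenge tag is appended."""
    local = addr.split("@")[0]
    return " ".join(re.split(r"[._+-]", local) + [suffix])


def extract_addresses(payload):
    """Fallback for when only raw bytes are available (e.g. a TCP stream dump
    with no clean header block): pull everything that looks like an address."""
    text = payload.decode("latin-1")
    return sorted({m.lower() for m in EMAIL_RE.findall(text)})


if __name__ == "__main__":
    ids = sender_identities(RAW_MESSAGE)
    for header, (name, addr) in ids.items():
        print(f"{header:12} {name!r:22} {addr}")
    print("mismatch:", sender_mismatch(ids))
    print("search term:", search_term(ids["From"][1]))
    print("all addresses in stream:", extract_addresses(RAW_MESSAGE))
```

In Wireshark the equivalent is following the TCP stream of the SMTP/IMAP session and reading the header block; the functions above are what you would run once that stream has been exported as bytes.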

Sending a message to that Facebook community gets the following reply.

Thanks for messaging us. You are half way in your challenge. In order to proceed, you need to find the magic string "854FJD922KA" in social media post. Good luck!

A Google search for the given string "854FJD922KA" hits the following Twitter account.

Following the link in this tweet from that account leads to a Pastebin. https://twitter.com/dboro18673/status/873158280368996353

https://pastebin.com/71KhaaMK

The Pastebin contains an email address ("jon.rebutang@gmail.com"); searching LinkedIn for its user ID part turns up the following account.

Since the task is to identify the attacker's real name, the flag is TMCTF{Jon Kravitsky Rebutang}. Done.