Analysis of the competitive intelligence contest at PHDays 9
For the eighth year running, the traditional Competitive Intelligence contest invited participants to try their hand at finding information and, along the way, to learn new OSINT techniques. This year, all tasks centered on a fictitious information security company that positioned itself as an expert in a single vulnerability. Participants had to find information about people associated with this organization without resorting to hacking, relying solely on various sources from across the internet and on their own ingenuity.
The competition included 19 tasks, for each of which a certain number of points was awarded according to the degree of difficulty. In this article we will look at how each task could be solved.
Company real name - 10
At the beginning of the competition, the participants received a description of a certain company: nfsg64ttmvrxk4tjor4q. To solve the first task it was necessary to use a Google search. The query returned information about the company's domain.
It can be assumed that the string is encoded, and if you try several encoding schemes (for example, using an online decoder), you can conclude that it is the Base32 encoding of the string Idorsecurity. That string was the answer to this task. For a flag to be accepted, the answer to each task had to be converted to lowercase and then hashed with MD5. There was an alternative solution: trying the different versions of the company name used by its representatives (the channel ID on Telegram or Facebook).
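The decoding step and the flag format described above can be reproduced offline. The following is an added example, not code from the contest or its organizers; the function names are illustrative, and it goes slightly beyond the text by trying Base64 and hex alongside Base32 and keeping only results that are printable ASCII.

```python
import base64
import binascii
import hashlib

COMPANY_ID = "nfsg64ttmvrxk4tjor4q"  # the string given to participants


def _printable(raw: bytes) -> bool:
    return bool(raw) and all(0x20 <= b < 0x7F for b in raw)


def candidate_decodings(text: str) -> dict:
    """Try common encodings; keep only results that are printable ASCII."""
    attempts = {
        # Base32 is case-insensitive and works in 8-character blocks, so the
        # '=' padding stripped from the string has to be restored first.
        "base32": lambda s: base64.b32decode(s.upper() + "=" * (-len(s) % 8)),
        "base64": lambda s: base64.b64decode(s + "=" * (-len(s) % 4), validate=True),
        "hex": lambda s: bytes.fromhex(s),
    }
    found = {}
    for name, decode in attempts.items():
        try:
            raw = decode(text)
        except (binascii.Error, ValueError):
            continue  # not valid input for this scheme
        if _printable(raw):
            found[name] = raw.decode("ascii")
    return found


def make_flag(answer: str) -> str:
    """Flag format from the article: lowercase the answer, then MD5 it."""
    return hashlib.md5(answer.lower().encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for scheme, value in candidate_decodings(COMPANY_ID).items():
        print(scheme, value, make_flag(value))
```

The string is also syntactically valid Base64, but that decoding yields non-printable bytes, which is why the printable-ASCII filter leaves Base32 as the only candidate.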
Donation wallet number - 20
Clicking the link returned by Google takes you to the company's WordPress blog.
At first glance, there is nothing useful here. But what if you turn to the web archive? The Wayback Machine shows two saved snapshots of the site, one of which contains useful information: a wallet number, which is the flag for the task.
IDOR specialist username - 30
The site also says that, in connection with the company's closure, one of its employees is selling its equipment on eBay. Keep this in mind.
Since the blog was built on WordPress, it made sense to identify its standard entry points. One of them is the /wp-json/wp/v2/users/ method, which lists the users who have posted something on the site. It can be detected, for example, by scanning the site with the WPScan utility.
Incidentally, HackerOne, a site dedicated to finding vulnerabilities in the infrastructure of various companies, hosts a report that examines this kind of "leak".
The resulting link (http://nfsg64ttmvrxk4tjor4q.club/wp-json/wp/v2/users/) returned a list of users with their descriptions. Each of them corresponds to a chain of tasks about finding information on a particular person. Here, participants could find another flag: the IDOR specialist's username.
IDOR specialist location - 25
In this task, the information about the company's equipment being sold on eBay came into play. The next step was to search for the username of the company or of one of the employees from the wp-json listing. This could be done in several ways: using the eBay member search (though this required enabling mixed content in the browser, since the site worked over HTTPS while the captcha shown by the script on the page was served over HTTP) or the namechk.com site (it lists the social networks on which the entered username is registered).
A successful search leads to the employee's page on eBay and the flag for the task.
IDOR specialist work e-mail - 30
Following the link in the account description opens a lot, apparently the one mentioned in the company's blog.
Here it was important to study the images carefully: one of them contained a detail worth paying attention to.
The photo shows that the employee selling Idorsecurity equipment is somehow connected with another company, Self-XSS Security. Searching for this company on LinkedIn gives a link to the profile of one of its employees (namely, the IDOR specialist) and his corporate e-mail.
Participants who reached this point noticed that a newly created account could not open the detailed view of the Abdul Bassur user page. There are several ways around this limitation. For example, you can fill in the newly created profile with all the required information. One of the contestants suggested registering an account with Self-XSS Security given as the place of work. In this case, LinkedIn's algorithms treated the newly created account and the user page from the image above as belonging to the same contact network and opened access to detailed information about Abdul Bassur. That information contained the flag for the task: the IDOR specialist's work e-mail.
IDOR specialist personal e-mail - 70
In this task, it was worth moving from studying the blog to viewing the domain's DNS records. This can be done, for example, with the dig utility.
The records show that the company's corporate mail is handled by mail.yandex.ru. In addition, you can find several IP addresses, both IPv4 and IPv6. Scanning some of them over TCP and UDP with Nmap yielded interesting results.
Unfortunately, connecting to the IPv4 address over SNMP produced nothing that could be submitted as a flag or used later.
When connecting to the IPv6 address over SNMP, some competitors ran into problems because they had not taken into account that this type of connection requires a dedicated IPv6 address of their own. One could be obtained by renting a server with IPv6 support and using it as a VPN. Such a service was available from DigitalOcean or Vultr.
The IPv6 address returned more information than the IPv4 one. One of the OIDs, 1.3.6.1.2.1.1.4.0 (also called sysContact, which holds contact information for the server owner, most often an e-mail address), contained a personal e-mail address: the flag for the task.
This concludes the assignment chain associated with an IDOR specialist.
Secret employee mobile phone - 20
Second employee IM username - 25
There were several ways to get the first flag in the tasks related to the secret employee. The first way: if you have solved all the previous tasks, you have the work and personal e-mail addresses of one of the Idorsecurity employees on hand. You also know that the company's corporate mail is hosted on mail.yandex.ru.
So, you can go to Yandex and try to recover access to the mailbox p@nfsg64ttmvrxk4tjor4q.club. Since the password is unknown, the secret question "My private mail", whose answer was found via SNMP, helps.
This gives access to the company's Yandex.Connect. In terms of functionality, it is an internal address book: it contains a list of employees with their contact details and the departments they work in. Just what you need! So, in one fell swoop, you could get two flags at once: the employee's mobile phone number and another username.
The second way to get the secret employee's phone number is to search for the company's accounts in various social networks and instant messengers. For example, searching Telegram for the string nfsg64ttmvrxk4tjor4q returns a channel.
The channel found is the company's channel, and its description contains the account of the company's owner along with a phone number. This is the answer to the "Secret employee mobile phone" task.
Secret employee username - 40
Since only the secret employee's phone number is known, it was worth trying to get the most out of this information. The next step in the solution is to add this phone number to the contacts on your mobile phone and use the friend-finding features of various social networks on that contact list.
Checking Twitter was the right step: it led to the account of the Idorsecurity employee and his name, and therefore to the completed task.
Secret employee birthday - 40
Having carefully studied the account, you can come across the employee's reply to one of the tweets about a search for a programmer. In his tweet, the Idorsecurity employee left a link to his resume, shortened through GG.GG.
Following the link did not give anything useful, but if you noticed a typo in the final URL, you could arrive at a 403 error and a non-standard file name.
After analyzing the information available about the secret employee, it was possible to search for him on social networks, since his name and place of work are known. This move leads to an account on vk.com, where you can find the answer to the task: the secret employee's date of birth.
Secret employee university - 50
To complete this task, you had to think about which information had not yet been used, namely: that the employee has an account on vk.com, the atypical name of the resume file, and the fact that the task is called "Secret employee university".
For a start, you could search for the resume file by name in the "Documents" section on vk.com. As practice shows, this is a useful trick when searching for private information: for example, you can even find passport data. This move gave access to the resume, which contained the flag for the task.
The task chain associated with the secret employee is complete.
Nightly programmer private username - 30
To search for information about the nightly programmer, you had to go back to wp-json.
The employee's description contained a hint about where to look for him: for example, on github.com. Searching the site for the employee Matumbo Harris gave a link to the repository, and the points for the task's flag.
What the flag? - 60
The repository contained the code of a bot. On careful study of the code, one could notice a hardcoded token. The next line of code, or a simple Google query, pointed the participants to the Slack API.
After spending some time learning the Slack API, you could check the token for validity and try out some methods. For example, you could list the files exchanged in the Slack chat (apparently, the Idorsecurity corporate chat).
After a little more study of the Slack API, you could get links to the accessible files.
Studying the linked document gives an idea of what was required in the "What the flag?" task.
In addition, the Slack API allowed you to get the list of users of the chat to which this token is bound. This was the key to solving the "Second employee IM username" task: it is easy to find the username of the desired user by first and last name.
The chain with the nightly programmer is complete.
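A hardcoded token like the one in the bot's repository is what a pre-commit or CI secret scan is meant to catch. The following is an added example, not code from the contest or the repository; the sample source and the token in it are constructed placeholders, and the regular expression is a heuristic for Slack-style token prefixes.

```python
import re

# Heuristic: Slack tokens begin with "xox", a type letter and a dash
# (for example "xoxb-" for bot tokens), followed by a long identifier.
SLACK_TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")

# Constructed sample of bot source; the token value is a fake placeholder.
SAMPLE_SOURCE = '''\
import os
from slack_client_stub import Client  # hypothetical module name

TOKEN = "xoxb-000000000000-CONSTRUCTEDEXAMPLEONLY"
client = Client(TOKEN)
safe_client = Client(os.environ["SLACK_TOKEN"])  # read from the environment
# documentation-style mention: xoxp-... (too short to match)
'''


def redact(token: str) -> str:
    """Keep only the type prefix so the report does not leak the secret again."""
    return token[:5] + "*" * (len(token) - 5)


def find_hardcoded_tokens(source: str, filename: str = "<memory>"):
    """Return (filename, line number, redacted token) for every match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SLACK_TOKEN_RE.finditer(line):
            findings.append((filename, lineno, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for name, lineno, token in find_hardcoded_tokens(SAMPLE_SOURCE, "bot.py"):
        print(f"{name}:{lineno}: hardcoded Slack token {token}")
```

A token that has reached a public repository should be revoked rather than just deleted from the file, since it remains in the commit history.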
IP used in PoC - 40
Here it was necessary to go back to the beginning, namely to the company's blog, and see what remained unused. There was a link to Amazon S3 and the task "IP used in PoC", whose flag had to be looked for on S3.
Following the link directly did not provide anything useful, but putting together all the available information about this task led to a study of the Amazon S3 documentation.
Among the ways to connect to an S3 bucket, the documentation describes interacting with it through Amazon's own set of command-line programs, the AWS CLI. Connecting in this way opened access to the file and the flag for the "IP used in PoC" task.
The different outcomes for the two ways of following the link are explained by the ACL configured on this bucket: the canned authenticated-read ACL, which gives the owner full access and gives read access only to the AuthenticatedUsers group, to which every user with an AWS account belongs (which is why the AWS CLI connection works, since an account is required to use this set of programs). Read more at: docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html.
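From the bucket owner's side, this ACL setting can be found by auditing the grants. The following is an added example, not code from the contest; the ACL below is constructed in the shape returned by `aws s3api get-bucket-acl`, with placeholder owner IDs, and the function name is illustrative.

```python
import json

GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 groups that extend access beyond the owner's own account.
BROAD_GROUPS = {
    GROUP_PREFIX + "AllUsers": "anyone, without authentication",
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account, not only the owner's",
}

# Constructed ACL matching the canned authenticated-read setting.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner", "ID": "OWNER-ID-PLACEHOLDER"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}
  ]
}
""")


def broad_grants(acl: dict):
    """Return (group, permission, audience) for grants to predefined broad groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific canonical user are not broad
        uri = grantee.get("URI", "")
        audience = BROAD_GROUPS.get(uri)
        if audience:
            group = uri.rsplit("/", 1)[1]
            findings.append((group, grant.get("Permission"), audience))
    return findings


if __name__ == "__main__":
    for group, permission, audience in broad_grants(SAMPLE_ACL):
        print(f"{permission} granted to {group}: {audience}")
```

S3 Block Public Access treats grants to both AllUsers and AuthenticatedUsers as public, so enabling it on the bucket or account neutralizes this kind of ACL.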
Alexander's real lastname - 25
In this task, it was again necessary to return to one of the earlier stages, namely the search for the company's accounts in various social networks. This move also leads to the Idorsecurity Facebook page.
After examining the data on the page, one could come across a phone number.
An attempt to look up the phone number directly did not lead to anything, but the sharpest participants remembered the GetContact application, which shows all the information about a number. For example, if someone who has installed this application has the number saved in their contacts and has given the application access to them, then all the information about their contact list becomes publicly accessible. In the same way, by looking up the phone number given in the company's contact information, the participants obtained the name of the number's owner, which was the flag for the question about the person's name.
Peter's primary e-mail We know he's looking for a job - 40
To complete this task, it was necessary to turn once more to a Google search for all possible information about the company. The first result of a search for Idorsecurity was another employee's page on moikrug.ru. Once logged in to moikrug.ru, you could obtain the Idorsecurity employee's e-mail address.
Peter's secondary e-mail - 20
The mailbox is on Mail.ru, so you could try to restore the password to it.
Predictably enough, two asterisks hide in. This assumption led to a successfully solved task.
Peter's password - 60
The last task in the chain about Peter. Two e-mail addresses are known, along with his full name, age and position. Searching social networks did not lead to anything; the most effective way to get the password was to search for the accounts in leaks. Here haveibeenpwned.com turned out to be useful: it showed interesting information for one of the e-mail addresses.
A search on one of the sites that give access to leaks (Weleakinfo, LeakedSource, or downloading the necessary database for free from Databases.today, with the database name found on Weleakinfo) led the participants to the solution of the task.
Software which was downloaded from IP 77.71.34.171 - 30
The last of the tasks analyzed here. It required finding the name of the torrent file with some software that was downloaded from the IP address given in the task. For this purpose there is the site iknowwhatyoudownload.com: it displays this information because its search is based on algorithms that imitate full-fledged members of the DHT network, through which file-sharing participants find each other when downloading a file.
Summary
By the end of the competition, out of 599 participants, 227 people had solved at least one task.
Top 10:
- 550 Noyer_1k - 16 solved tasks!
- 480 Mr3Jane - 15 solved tasks!
- 480 kaimi_ru - 15 solved tasks!
- 480 lendgale
- 480 V88005553535
- 425 cyberopus
- 420 nitroteamkz
- 420 joe1black
- 355 breaking_mash
- 355 U-45990145
The participants who took the first three places received prizes:
- I place: Apple AirPods headphones, an invite to PHDays and a special prize from the Hacker magazine (contest sponsor) - an annual subscription to the magazine.
- II place: Wi-Fi adapter ALFA Network AWUS036NH, subscription to the Hacker magazine for six months, an invite to PHDays.
- III place: Xiaomi ZMI QB810 portable battery, subscription to the Hacker magazine for 3 months, an invite to PHDays.
After the end of the competition, the tasks remained available for about three weeks, and two participants with the names V88005553535 and romask solved all of them and received the maximum 665 points.
Thank you all for participating, see you next year! Analyses of previous years' contests: 2012, 2013, 2014, 2015, 2017, 2018.