So last weekend The Many Hats Club hosted what by all accounts was a successful CTF on Hack The Box, who were kind enough to sponsor it and let us use their awesome CTF platform.

I had the pleasure of creating a simple OSINT challenge, and since we are a Discord community, what better than directing CTF participants there to solve it.

So here is the write-up and the challenge; I hope you enjoy it.

Help, someone is pretending to be me!

So one of the owners of TMHC, Dave (@Dav), is having an identity crisis. Can you find the fake account and their secret? You'll need to join the TMHC Discord to start this challenge: https://discord.gg/infosec

First, we have a hint that @Dav is being impersonated, so let's look at their account to see who might be trying to copy them, and why. We know this is an OSINT challenge and involves searching, so let's take a look at the Discord search function.

Using the search function to locate the Dav accounts

We can see there are two Dav accounts, but which one is real? Some further digging is required to work out which account is the fake one.

There are a lot of results for Dav#1234 

The account Dav#1234 has over 7k posts, so it is clearly the real one, which means Dav#6825 is the fake account. So let's review its posts for any evidence we can use to find their secret.

Messages from the Fake Dav

There are a few recent posts saying we should look further back, so we set the search to oldest first and read their earliest messages for clues.

So here is our first clue.

Figure 4: First clue, looks like it's encoded.

We have a string that needs decoding.

U28geW91IGZvdW5kIG91dCB0aGF0IEknbSBub3QgcmVhbGx5IERhdi4uIGJ1dCB3aG8gYW0gST8=

You can use a variety of online tools to detect the encoding used; in this example I used the Webatic decoder. The message was in Base64, and the decoded message is shown below in Figure 5.

Decoded message.
The GIF posted is different from the one in the link?
Garlic Bread??! 

There are other possible clues in the search results. This one references a GIF, but if you look at the link it's not the Spider-Man GIF that is displayed. Garlic Bread seems to be important here; we might come back to this later.

Scrolling down a bit more, there is another encoded string, most likely Base64 again. This time the message holds a possible clue, Iamnotdave, along with the encoded string shown in the figure.

Another Clue

Running this through a Base64 decoder gives us another string, which looks like a hash, so let's try to verify it using Hashkiller or maybe Hashcat: 4124350084d609d1b554a6c93bafca34

Decoding Base64 reveals what might be a hash.

I dumped the hash into Google and found it was the MD5 hash of "pastebin"; running it through Hashkiller also found it's a known MD5 for "pastebin". So we have some information we can use from this: it's a clue pointing to Pastebin, and we also have a possible username, Iamnotdave.

MD5 hash for "pastebin"

Scrolling through other messages, this next one also seems to be another clue.

Another clue! Possibly a big one.

Again, it's definitely Base64 encoded: YUhSMGNITTZMeTl3WVhOMFpXSnBiaTVqYjIwdmRTOUpZVzF1YjNSa1lYWmwgR28gQWdhaW4= So back to our decoder. The result tells us to "go again", so we run the decoded output through the decoder a second time.

Time to run this through again.
This time we get a Pastebin link to Iamnotdave! 

And now we get a hit: it's the Pastebin page for the user iamnotdave. So let's head to this user. There have only been two recent posts, both identical, and it seems like an otherwise inactive account.
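The three decoding steps above (a single Base64 layer, a Base64 layer that unwraps to an MD5-looking hash, and a Base64 layer that has to be decoded twice) can be reproduced offline without the online tools mentioned. The script below is an added example written for this write-up, not code from the challenge or its author; it uses only the Python standard library in place of Webatic and Hashkiller, and the candidate wordlist for the hash lookup is constructed here from words that appear in the clues. The two Base64 strings and the hash are the ones quoted in the post.

```python
import base64
import binascii
import hashlib
import re

# Strings quoted in the write-up (constructed test input for this example).
CLUE_1 = "U28geW91IGZvdW5kIG91dCB0aGF0IEknbSBub3QgcmVhbGx5IERhdi4uIGJ1dCB3aG8gYW0gST8="
CLUE_3 = "YUhSMGNITTZMeTl3WVhOMFpXSnBiaTVqYjIwdmRTOUpZVzF1YjNSa1lYWmwgR28gQWdhaW4="
CLUE_2_HASH = "4124350084d609d1b554a6c93bafca34"

# Strict Base64 alphabet with at most two '=' padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_base64(token: str):
    """Return the decoded text if `token` is valid Base64 that yields printable UTF-8, else None."""
    token = token.strip()
    if len(token) % 4 or not _B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_layers(token: str, max_depth: int = 5):
    """Decode repeatedly while any whitespace-separated word is still Base64.

    Returns every layer, outermost first. The final clue decodes to
    '<base64 blob> Go Again', so plain words such as "Go Again" are kept
    and only the Base64 word is decoded further; the loop stops when no
    word decodes any more (the URL contains ':' and '.', so it fails the check).
    """
    layers = [token]
    current = token
    for _ in range(max_depth):
        words = current.split()
        decoded = [try_base64(w) for w in words]
        if not any(d is not None for d in decoded):
            break
        current = " ".join(d if d is not None else w for w, d in zip(words, decoded))
        layers.append(current)
    return layers


def identify_hash(digest: str):
    """Guess the hash family from the hex length alone (a hint, not proof)."""
    by_length = {32: "MD5 (or NTLM/MD4)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return by_length.get(len(digest))


def find_preimage(digest: str, candidates):
    """Return the candidate whose MD5 equals `digest`, or None (tiny offline wordlist check)."""
    digest = digest.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    for label, clue in (("clue 1", CLUE_1), ("clue 3", CLUE_3)):
        for depth, layer in enumerate(peel_layers(clue)):
            print(f"{label} layer {depth}: {layer}")
    print("clue 2 hash type:", identify_hash(CLUE_2_HASH))
    # Constructed mini-wordlist built from words seen in the challenge messages.
    print("clue 2 preimage:", find_preimage(CLUE_2_HASH, ["pastebin", "Iamnotdave", "garlic bread"]))
```

The length-based hash guess is deliberately labelled as a hint: a 32-character hex string is consistent with MD5 but also with NTLM or MD4, and only a wordlist hit or a lookup service confirms which. Keeping the non-Base64 words in each layer is what lets the "Go Again" instruction survive alongside the decoded Pastebin link.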

Garlang_Bread code?!

We seem to have a code, but what on earth is Garlang_Bread? Time to hit Google.

There is a GitHub repository for GarLang_bread; it seems to have been created by AlanTheBlank and is hosted on TheCyberViking's GitHub.
Er, okay then.

Searching "Garlang_Bread" on Google brings up a GitHub repository by CyberViking, a staff member at The Many Hats Club. After cloning the repository and recompiling the Java code to make sure everything is up to date, we can begin to decode the message. Let's put this code in a text file and run it.

Running the program tells us the input must be a .gbread file, so we rename the file and run it again.

After changing the file extension and re-running the Java program, we are given the flag: TMHC{Y0u_F0uNd_My_S3cR3t_1ts_StU}

So that was the simple OSINT challenge; I hope you enjoyed reading. I want to thank @AlanTheBlank and @TheCyberViking for helping with Garlang_bread, and @rag_sec for helping with testing this CTF.

cybersecstu

Stu is one of the owners and founders of The Many Hats Club, with a background in threat intelligence, social engineering, and incident response. He also hosts the podcast and features in many memes.
