So last weekend The Many Hats Club hosted what by all accounts was a successful CTF on Hack The Box, who were kind enough to sponsor and let us use their awesome CTF platform.
I had the pleasure of creating a simple OSINT challenge, and being that we are a Discord community, what better than directing CTF participants there to solve this.
So here is the write up and challenge, I hope you enjoy.
Help someone is pretending to be me!
So one of the owners of TMHC Dave @Dav is having an identity crisis, can you find the fake account and their secret? You’ll need to join TMHC discord to start this challenge. https://discord.gg/infosec
First, we have a hint that @dav is being impersonated, so lets look at their account to see who might be trying to copy them and why? We know this is an OSINT challenge and involves searching, so lets take a look at the Discord Search function.
We can see there are 2 Dav Accounts, but which one is real? Some further digging is required to understand which account might be the fake one.
This account Dav#1234 has over 7k posts, so clearly is the real one, so we know that Dav#6825 is the fake account. So lets review the posts, to find any evidence we can use to find their secret.
So there are a few recent post saying we should look further back, so if we set the search to oldest first and see their earlier messages for clues.
So here is our first clue
We have a string, that needs decoding.
U28geW91IGZvdW5kIG91dCB0aGF0IEknbSBub3QgcmVhbGx5IERhdi4uIGJ1dCB3aG8gYW0gST8=
You can use a variety of online tools to detect the encoding used, in this example I used Webatic decoder, the message was in Base64, and the message was decoded below in Figure 5.
There are other possible clues in the search, this one references a GIF, but if you look at the link its not the Spiderman GIF as displayed. Garlic Bread seems to be important here. We might come back to this later.
Scrolling down a bit more there is another encoded string, most likely base 64 again, this time a possible clue of Iamnotdave and the string
So by running this code through Base64 encoder we get another string, which looks like a hash, lets try and verify this using hash killer or maybe Hashcat. 4124350084d609d1b554a6c93bafca34
I dumped the hash into Google and found it was a MD5 hash of Pastebin, but also running it through Hashkiller, also found it’s a known MD5 for “pastebin”. So we have some information we can use from this. It’s a clue for Pastebin, and also a possible username – Iamnotdave.
Scrolling through other messages, this next one also seems to be another clue.
Again, its definitely Base64 encoded. YUhSMGNITTZMeTl3WVhOMFpXSnBiaTVqYjIwdmRTOUpZVzF1YjNSa1lYWmwgR28gQWdhaW4= So back to our decoder. It tells us to go again, so we run both of the codes through.
And now we got a hit, it’s a Pastebin for user iamnotdave. So lets head to this user. There have only been 2 recent posts, it seems like an otherwise inactive account, with both the posts being identical.
We seem to have a code, but what the heck is Garlang_Bread? Time to hit Google.
Searching “Garlang_Bread” on google brings up a Github by CyberViking, staff at The Many Hats Club. After cloning the GitHub and recompiling the Java code to ensure all is up to date we can begin to decode the message. Lets try and put this code in a text file and run it.
After running the code it tells us we need to have the file be a .gbread file so lets rename the file and run again.
After changing the file extension and re-running the Java program we are given the flag! TMHC{Y0u_F0uNd_My_S3cR3t_1ts_StU}
So that was the simple OSINT challenge, I hope you enjoyed reading. I wanted to thank @AlanTheBlank and @TheCyberViking for helping with Garlang_bread and @rag_sec for helping during testing of this CTF.
