--- title: AUCTF 2020 - [OSINT] Oxyr (1000pts) author: Maltemo tags: CTF, AUCTF, OSINT --- AUCTF 2020 - [OSINT] Oxyr (1000pts) === Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/). [TOC] ## Statement of the challenge ### Description One of the developers of devs-r-us.xyz has been a little sketchy lately. We have received reports that they may be selling data to competitors. We just haven't found out how! Author: c ## Analyze Let's start by scouting the website given in the description : https://devs-r-us.xyz/ This website doesn't have much informations : * Three pictures * Two little paragraphs about developers * A contact button The rest is "Lorem ipsum" (placeholder). Let's start by the images. We got two png files that show the exact same photo of a boat on the sea. There names are `mcafee.png` and `mcofee.png`. This name can be taken as a hint, because McAfee (the owner of the McAfee Antivirus Software), is known to hide himself and sending photos pretending to be on the other side of the globe. But metadata betrayed him many time !  Let's check the metadatas of the pictures with `exiftool` : ```bash= $ exiftool mcafee.png ExifTool Version Number : 11.16 File Name : mcafee.png Directory : . File Size : 2.5 MB File Modification Date/Time : 2020:03:14 23:13:07+01:00 File Access Date/Time : 2020:04:04 14:33:10+02:00 File Inode Change Date/Time : 2020:04:04 14:32:52+02:00 File Permissions : rw-r--r-- File Type : PNG File Type Extension : png MIME Type : image/png Image Width : 1920 Image Height : 1080 Bit Depth : 8 Color Type : RGB Compression : Deflate/Inflate Filter : Adaptive Interlace : Noninterlaced XMP Toolkit : Image::ExifTool 11.91 Description : https://discord.gg/pMzcE45 DM me if you want more info Image Size : 1920x1080 Megapixels : 2.1 ``` Our first hint was in the description of the photo. The discord link was a simple invitation to the official AUCTF discord. We have to find who is the user we need to contact. Lets continue our research. After reading the source code of the page, I noticed that the contact button was redirecting to an new page `1ndex.html`. Yes, you read it right. `1ndex.html`, not `index.html`. ```html= <div class="py-4"> <h1 class="h3">Devs-R-Us</h1> <p>Copyright &copy; 2020</p> <button class="btn btn-primary" data-toggle="modal" onclick="location.href='1ndex.html#share-section'">Contact Us</button> </div> ``` This is kind of suspicious. Why would someone want to create a page quite similar to the first one, with the name and the content ? Maybe to hide some informations. After searching this new page https://devs-r-us.xyz/1ndex.html, I found an html commentary just under the contact button : ``` <div class="py-4"> <h1 class="h3">Devs-R-Us</h1> <p>Copyright &copy; 2020</p> <button class="btn btn-primary" data-toggle="modal" data-target="#contactModal">Contact Us</button> <!-- 'Who is MaddAddam?' --> </div> ``` :::warning __'Who is MaddAddam?'__ I thought this question needed to be answered to find who we needed to contact on the discord, but it was a rabbit hole. You can skip the next part which is the research I about MaddAddam. ::: :::info > The leader of the rebel group God's Gardeners in the book Oryx and Crake written by Margaret Atwood. Trilogy of books by Margaret Atwood : - Oryx and Crake (2003) - The Year of the Flood (2009) - MaddAddam (2013) __Characters__ : Ren and Toby (The Year) - Amanda Payne Jimmy (Oryx) Zeb, Adam One ::: When I finaly understood that this was a dead end, I started to search with the previous informations we got from the first page : >__Jorge Greenwood__ Web Developer extraordinaire. Jorge Greenwood has worked on the Internet's most impressive websites. From Myworld.com to Facepalm.org. He has done it ALL! you can find EVEN MORE information about Jorge on his twitter account @JorgeGreenwoodCodes >__Loretta Mcintosh__ Backend Bada**. Loretta Mcintosh backs up all of her claims to success with excellent work ethic and even better portfolio. Loretta is some kind of genius. You can find out some of her successes on her twitter account @BackUpOrMcintoshYouOut I searched for a Jorge or a Loretta and look what I found :  So I started a conversation with `Jorge G`, not being sure if he was a member of the other teams trying to get more informations or not.  He sent me an invitation to a new discord and there was one image of a QRcode.  The message was a link to a new website containing the flag : https://devs-r-us.xyz/ahsdbwgjkhb23tsdonoqw1892345bnew/flag.txt auctf{3X1F_D4TA_SH0UlD_B3_sTr1pp3d_2b23sadf} ## TL;DR Two informations where hidden in the website : * An invitation to the discord of AUCTF, in the metadata of a photo. * An html comment in an hidden page. The last part of the challenge consisted in contacting the good guy in the discord and decoding a QRcode. ## Flag The flag is __auctf{3X1F_D4TA_SH0UlD_B3_sTr1pp3d_2b23sadf}__ ___ <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.