---
title: x-masCTF 2019 - [OSINT] Dox the grinch (250 points)
author: Maltemo
tags: CTF, x-masCTF, OSINT, GoogleDork, Social, Medias
---
x-masCTF 2019 - [OSINT] Dox the grinch (250 points)
===
Written by [Maltemo](https://twitter.com/Maltemo), member of [SinHack](https://sinhack.blog/) team.
[TOC]
___
## Statement of the challenge
### Description
I found this guy who says that he hates Christmas! Unbelievable. Can you find out more info about him?
Flag format is
**X-MAS{name_surname_city_favouriteColor_bloodType_height}**
For example,
**X-MAS{george_lucas_newyork_blue_A+_184]**
**URL:** https://notabug.io/t/whatever/comments/44530e6b7740f22940db9c176b621900d0bce697/i-hate-xmas
**Authors:** Milkdrop, PinkPie1189
## Notabug.io account
The first step of the challenge was to go to that post and start searching the notabug.io account.

On this account, the grinch posted several comments and 2 posts.
I'll sum up which ones were important:
## news.ycombinator.com account
In this post, we learn that the grinch has a HackerNews account.

I found it with this useful OSINT tool: https://namechk.com/.
But it was not necessary to use this tool in this challenge.
Here is the URL of his account: https://news.ycombinator.com/user?id=Domay1986

```
Hello, my name is Eugene and I am interested in finances. I strongly believe that christmas is a scam.
They closed my twitter account! See interesting posts I reply to on notabug.io: https://notabug.io/user/uIUP3NZDQVnKkISlVdjM0cSOwt_5EKu1g3CzQGmtTSc.VlYirh-sCV0rZ_6px0em8HWyeKZN8TMnTtY2l0YtoTA
Business Inquires:
domay1986 (at) hotmail.com
domay1968@hotmail.com
```
From this account, we got his name: **Eugene**.
We also learn that a Twitter account was closed. I tried to get more information thanks to the [Wayback Machine](https://web.archive.org/web/*/https://twitter.com/Domay1986/*), but it was a dead end.
## Facebook.com account
In a comment that Domay1986 posted on notabug, we learn that he also uses a Facebook account from time to time:

A simple search with `domay1986` didn't work.
`Eugene domay1986` didn't work either.
I finally tried `Eugene domay` and this time I found his profile:


URL: https://www.facebook.com/eugene.clarke.56232
And we just learned his surname: **Clarke**
## Matrimonial.ro account
In one of his Facebook posts, we can notice that he took a screenshot of his computer.
This screenshot gives us the titles of the different tabs in his browser.

One of them caught my attention:

This heart-shaped logo made me think that it may be a dating website. A dating website means giving away a lot of information about yourself.
To find this website, I used a Google dork to search for a similar page title (what appears in the name of the tab).
`intitle:Matrimoniale - femei`
I got this answer as the first result, and by checking the website, I found the exact same logo.

Bingo! We found it!
URL: https://www.matrimoniale.ro/
The next step is to find the grinch. The search is not long because his username is the exact same one from the first post (domay1986).
https://www.matrimoniale.ro/domay1986

By searching in his profile, we find his favorite color in the personal data section: __Magenta__
## Medical information
A second post on his Facebook profile mentions a link to the X-MAS CTF platform.
Here is the text:
```
so I was today at our local eggnog clinic and there was this young girl in front of me, I read she had arachnophobia LOL, imagine being afraid of some insects!
You guys can even check it out here, I noted down her patient ID (kn8dy2d192hycjow
http://challs.xmas.htsp.ro:13002
```
As I made this write-up long after the CTF, I don't have any screenshots for this part.
This website was basically a fake copy of a hospital website where you could get your medical record with a specific ID.
We only had the ID of the girl Clarke talked about in his post.
This kind of information is hard to get; not a lot of people publish this on their social media (notice the "not a lot", because it happens, sadly).
I tried an SQL injection on the form, by adding `'-'` at the end of the ID.
Here is the request: `http://challs.xmas.htsp.ro:13002/23c12189dcu91n8uc198231c9n412c4189dsa/?id=kn8dy2d192hycjow'-'`
It gave me the entire list of users in the database.
From there, I was able to retrieve the last pieces of information:
His blood type is __0-__.
His height is __162__ cm.
From his address in the medical record (2207 Kelly Ave PA 18508), I searched for this place in [OpenStreetMap](https://www.openstreetmap.org) and found that the city was __Scranton__.
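
Why a bare `'-'` suffix on the ID can return every record, shown as an added example that is not part of the original write-up or the challenge's code. It assumes a MySQL-style backend that builds the query by string concatenation (the page does not say which database the site used); the `patients` table, its columns and its rows are constructed.

```sql
-- Constructed schema and data (assumption: MySQL semantics).
CREATE TABLE patients (
    id         VARCHAR(16) PRIMARY KEY,
    name       VARCHAR(64),
    blood_type VARCHAR(3)
);
INSERT INTO patients VALUES
    ('aaaaaaaaaaaaaaaa', 'constructed patient A', 'A+'),
    ('bbbbbbbbbbbbbbbb', 'constructed patient B', 'B-'),
    ('7ccccccccccccccc', 'constructed patient C', 'AB+');

-- 1) Concatenating handler: "... WHERE id = '" + id + "'".
--    With the id from the request above, the server receives this statement.
SELECT id, name FROM patients WHERE id = 'kn8dy2d192hycjow'-'';
-- The right-hand side is no longer a string literal but a subtraction.
-- MySQL casts both operands to numbers; strings without leading digits
-- become 0, so the subtraction yields the number 0.
-- Comparing a string column with a number is done numerically, so every
-- id without a leading digit also casts to 0 and satisfies the WHERE.
-- Rows A and B are returned; row C casts to 7 and is not.

-- The two coercions in isolation, for inspection:
SELECT 'kn8dy2d192hycjow'-''    AS rhs_value,
       'aaaaaaaaaaaaaaaa' = 0   AS letters_equal_zero,
       '7ccccccccccccccc' = 0   AS leading_digit_equal_zero;

-- 2) Bound parameter: the whole input stays one string value and is
--    compared as a string, so the quote and minus sign carry no SQL meaning.
PREPARE lookup FROM 'SELECT id, name FROM patients WHERE id = ?';
SET @id = 'kn8dy2d192hycjow''-''';  -- same input; quotes doubled only for this script
EXECUTE lookup USING @id;
DEALLOCATE PREPARE lookup;
```

On the application side, the second form corresponds to using the driver's parameterized query API; rejecting IDs that do not match the expected 16-character alphanumeric shape before querying is a useful additional check.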
:::success
By combining all this information, we got the flag!
:::
## TL;DR
The account on notabug.io gives us the information that the user has another account on Hacker News.
Once this account was found, we had new information pointing us to his Facebook account.
From there, we could get two more accounts:
* A medical website where we had to use SQL injection to get his information.
* A Romanian dating app.
## Flag
The flag is **X-MAS{eugene_clarke_scranton_magenta_0-_162}**
___
<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.