---
title: AperiCTF 2019 - [OSINT] Hey DJ (175 points)
author: Maltemo
tags: CTF, AperiCTF, Stegano, Metadata, Automatic-response
---

AperiCTF 2019 - [OSINT] Hey DJ (175 points)
===

Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/)

[TOC]

___

## Statement

### Description

Your friend assures you that his favourite (amateur) composer, Twisore, keeps her identity secret. Prove him wrong by investigating.

The flag has the form APRK{SHA1(LASTNAMEFIRSTNAME)}. For example, if the artist is called Foo BAR, then the flag would be APRK{f100629727ce6a2c99c4bb9d6992e6275983dc7f}.

Notes:
Brute force is useless and forbidden on this challenge.
The composer's identity is fictitious and was created for the purposes of the challenge.
This is a realistic challenge. Part of solving it involves a relatively "intrusive" step. If in doubt, contact an admin.

Credits:
Original composer of the tracks: [LIND](https://soundcloud.com/reallind) (not part of the challenge)

## Analysis

From the description, we learn that our target is a woman using the pseudonym Twisore.

A simple query in your favorite browser with the keyword Twisore immediately returns [this webpage](https://soundcloud.com/twisore):

![](https://i.imgur.com/uJuIVpV.png)

From this page, we get an important piece of information in the description, her mail address: twisore999@gmail.com

The difficulty of this challenge was that all the information we needed to solve it was on this page, but we didn't know that.
In this write-up, I won't explain all the research I did with different OSINT tools, but I lost a lot of time.

### Getting the first name

After checking whether any social media accounts had been created with this mail address (and finding there weren't), I tried to send a mail to this address, hoping to get an automatic response.

:::warning
I didn't believe for one moment that it would work

*Chat with Zeecka:*
- **Maltemo**: :cry: don't tell me that I have to send a mail to twisore or I go insane
- **Zeecka**: . . . did you try at least
- **Maltemo**: ![](https://i.imgur.com/foyxziz.png)
:::

And with this, I got this response.

```
Hello,

Thank you for your email, I’m currently on vacation. I’ll reply to your message promptly when I return.

Wishing you a good day,
Julietta (aka Twisore)
```

We just got her first name, Julietta.

![](https://i.imgur.com/5T4hoYc.png)

Unfortunately, the headers of the mail didn't leak any more information about the target's name.

### Getting the last name

The last part of the challenge was to obtain the last name.
I knew that on SoundCloud you can enable downloads for your songs. I checked all the tracks and found two that were downloadable.

![](https://i.imgur.com/J8QFjCp.png)

The second downloadable track (Twisore - Nephelim) had metadata in it.
I used AVI to read the metadata of the tracks (right click on the track, then `Informations...` tab).

![](https://i.imgur.com/3XkP3QF.png)

And we get the path where the track was created.

```
C:\Users\J.MOORE\My Music
```

We can guess that the `J` stands for Julietta, and MOORE is the last name.

## Solution

Now we have to calculate the SHA1 hash:
`SHA1(MOOREJULIETTA) = a445a4b4e031c3b7c933a5b28ea825bccbe86da5`

### TL;DR

The information was hidden in the automatic mail response and in the metadata of Twisore's tracks.

### Flag

The flag was **APRK{a445a4b4e031c3b7c933a5b28ea825bccbe86da5}**

___

<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.
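
The path leak described under "Getting the last name", seen from the publisher's side, as an added example that is not part of the original write-up: a Python script that parses an ID3v2 tag and reports Windows account names exposed through profile paths, so a track can be checked before it is made downloadable. It assumes the track is an MP3 carrying an ID3v2.3/2.4 tag (the write-up does not state the file format); the sample tag, the `TXXX` frame placement and all function names are constructed for illustration.

```python
import re
import struct

# Captures the account name from a Windows profile path (C:\Users\<name>\...).
PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\\x00]+)")
ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}

def syncsafe(b):
    """Decode a 4-byte ID3 syncsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def id3_frames(data):
    """Yield (frame_id, decoded_text) for each frame of an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] not in (3, 4):
        return
    end = min(10 + syncsafe(data[6:10]), len(data))
    pos = 10
    while pos + 10 <= end and data[pos] != 0:  # a zero byte starts the padding
        frame_id = data[pos:pos + 4].decode("latin-1")
        raw = data[pos + 4:pos + 8]
        # Frame sizes are syncsafe in v2.4 and plain big-endian in v2.3.
        size = syncsafe(raw) if data[3] == 4 else struct.unpack(">I", raw)[0]
        body = data[pos + 10:pos + 10 + size]
        pos += 10 + size
        if body:
            # The first byte of a text frame selects its encoding.
            codec = ENCODINGS.get(body[0], "latin-1")
            yield frame_id, body[1:].decode(codec, errors="replace")

def leaked_accounts(data):
    """Return {account_name: [frame ids]} for profile paths found in the tag."""
    hits = {}
    for frame_id, text in id3_frames(data):
        for name in PROFILE_RE.findall(text):
            hits.setdefault(name, []).append(frame_id)
    return hits

def make_frame(frame_id, text):
    """Build a latin-1 ID3v2.3 frame; used only for the constructed sample."""
    body = b"\x00" + text.encode("latin-1")
    return frame_id.encode() + struct.pack(">I", len(body)) + b"\x00\x00" + body

# Constructed sample. The write-up does not say which field held the path,
# so placing it in a TXXX (user-defined text) frame is an assumption.
FRAMES = make_frame("TIT2", "Nephelim") + make_frame(
    "TXXX", "source\x00C:\\Users\\J.MOORE\\My Music")
# The tag body is under 128 bytes, so its syncsafe size fits in the last byte.
SAMPLE = b"ID3\x03\x00\x00" + bytes([0, 0, 0, len(FRAMES)]) + FRAMES

if __name__ == "__main__":
    print(leaked_accounts(SAMPLE))
```

To check a real file, pass the bytes of the file to `leaked_accounts()`; an empty result only covers ID3v2 text in the tag, not other containers or embedded chunks.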