# HACKMAC 2022 Report - Optus2.0
### [CS1](mailto:ye.han3@students.mq.edu.au) | [DAspland](mailto:dean.aspland1@students.mq.edu.au)
<br/><br/>
## 1. Probe
#### 1.1 Task description:
You are tasked with finding as much information on Joe Mohm as possible. We have found his LinkedIn profile https://www.linkedin.com/in/joe-bob/; we trust that you have what it takes to uncover everything there is to know about him.
**Author**: Avinash
#### 1.2 Task Overview:
This task required fundamental OSINT practices.
#### 1.3 Approach:
We are given a [link](https://www.linkedin.com/in/joe-bob/) to a LinkedIn profile to begin.
Under the contact field, a [link](https://twitter.com/JoeMohm022) to a Twitter account is found.
The Twitter biography contains a [link](https://t.co/K9mBqyJo0I) to a YouTube account.
The ‘About’ tab of the YouTube account links to a [Twitch account](https://www.twitch.tv/joebob022/about).
The ‘About’ tab of the Twitch account links to a [Reddit account](https://www.reddit.com/user/Joe_bob022).
The Reddit account links to a [Spotify account](https://open.spotify.com/user/31jgzw74fipmdivojatml3sxmgsi?si=e78ca99a699b43b9&nd=1).
This account has three playlists, of which the “Villain Playlist” stands out; it contains a [link](https://on.soundcloud.com/stX5d) to a SoundCloud account.
The SoundCloud account links back to every page above, plus a new [link](https://www.tumblr.com/myyyyymusicblogog%2Fmyyyyymusicblog&token=7ca2bd-1-1666829033096) to a Tumblr account.
The [flag](https://at.tumblr.com/myyyyymusicblog/697084598133325824/xm2i2fuuuhi9) is found by searching the Tumblr posts. Every hop was a link the target published himself, which is the usual OSINT pattern: one public profile seeds the next.
<br/><br/>
## 2. Open File
#### 2.1 Task description:
The flag is contained within this file, to what extent will you go whilst oPeNinG it?
**Author**: lucasteng8
#### 2.2 Task Overview:
This miscellaneous task requires opening a file whose extension does not match its contents.
#### 2.3 Approach:
Step 1: Download ‘OpenFile.pdf’.
Step 2: Right-click ‘OpenFile.pdf’ in Finder and select ‘Get Info’.
Step 3: The preview pane in the info window renders the image, and the flag is displayed.
This worked because the file was not a PDF at all but a JPEG with a .pdf extension. Image viewers and the `file` utility (which reports ‘JPEG image data’ for it) identify a format from its leading bytes rather than its name: a JPEG starts with FF D8 FF, a real PDF with the ASCII text `%PDF-`. Renaming the file to OpenFile.jpg and opening it normally works just as well.
<br/><br/>
## 3. The Sea Beast
#### 3.1 Task description:
A message in a bottle washes up on the shore, it contains an image and message saying "a foul beast from the depths of seven seas has sunken me ship and drowned me crew. Carcharodon carcharias. I utter ye name no more but any brave adventurer willing to hunt this beast will need to find its name and track it to the location where I tagged it.”
**Author**: hkumar07
#### 3.2 Task Overview:
This OSINT task required a shark tracker to find a specific location. The tracker used was OCEARCH's: https://www.ocearch.org/tracker/
#### 3.3 Approach:
The first step is to identify the creature from the description: we are given the species Carcharodon carcharias, the great white shark.
Filtering the tracker by that species and checking the tagged sharks one by one, we found a great white named **[Mahone](https://www.ocearch.org/tracker/detail/mahone)**; its detail page shows where it was tagged, which is the location the challenge asks for.
<br/><br/>
## 4. Wifi Hacking 0
#### 4.1 Task Overview:
This task required basic knowledge of Wi-Fi router setup.
#### 4.2 Approach:
The flag was found through physical inspection of the router: most manufacturers print the default credentials on a label on the underside of the device. That same label is why a router left on factory credentials is trivially compromised by anyone with a few seconds of physical access.
<br/><br/>
## 5. Who Is This
#### 5.1 Task Overview:
This task required basic OSINT and an understanding of steganography.
#### 5.2 Approach:
We were provided the Instagram account “0er99luap”.
The text in the biography, UGF1bCBSZW8=, is Base64 for “Paul Reo”.
Paul can be found on [LinkedIn](https://www.linkedin.com/in/paul-reo-06952a252/), where he is listed as a security analyst at hacademy.com.
Searching for ‘hackademy’ brings up a Facebook page that also names Paul Reo as a security analyst.
In the comments of the post naming Paul, there is a link to a Google Drive.
Inside the drive is a folder called “Contact,Address of Paul” containing a file called paul.png.
The flag is recovered by running paul.png through an LSB [steganography decoder](https://stylesuxx.github.io/steganography/): the message is hidden in the least significant bit of each pixel value, so the image looks unchanged while the bits read back as text.
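As an added example (not from the original write-up, and not the code of the decoder linked above), here is the LSB technique in Python: a message is written into the least significant bit of successive 8-bit channel values and read back. The cover data is constructed so it runs without an imaging library, and the 4-byte length header is this example's own framing; real tools use their own.

```python
"""LSB steganography: hide text in the least significant bits of pixel
values and read it back.

Added example, not from the original write-up or the decoder linked above.
It operates on a flat sequence of 8-bit channel values (R, G, B, R, G, B, ...)
so that no imaging library is needed; the cover data is constructed. The
4-byte length header is this example's own framing.
"""
from typing import Iterator


def _bits(data: bytes) -> Iterator[int]:
    """Most-significant bit first, one bit per yield."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive channel values with the payload bits.

    Each value changes by at most 1, which is invisible to the eye; that is
    why the carrier image looks untouched.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d values" % (len(payload) * 8))
    out = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def _read(cover: bytes, first_value: int, count: int) -> bytes:
    """Rebuild `count` bytes from the LSBs starting at channel index first_value."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (cover[first_value + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes of message."""
    if len(stego) < 32:
        raise ValueError("too short to hold a header")
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        # An unmodified image yields a random, usually huge, length here.
        raise ValueError("header length %d does not fit; no payload?" % length)
    return _read(stego, 32, length)


if __name__ == "__main__":
    cover = bytes((i * 37) % 256 for i in range(4096))  # constructed pixel values
    stego = embed(cover, b"constructed message")
    print(extract(stego))
```

To apply this to a real PNG, load the pixel bytes with an imaging library, run `extract` over them in the same channel order the encoder used, and expect a `ValueError` on images that carry nothing: that failure is the quick check for whether a file is a carrier at all.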
<br/><br/>
## 6. The Riddler
#### 6.1 Task description:
The Riddler has teamed up with **HEX** Luthor and they have captured the Batman. They currently have him locked in a room, and there is a lock on the door that requires a password. There is a fish tank outside the door, and you notice a piece of paper is stuck to the lid. You then decide to **R**each **O**ver **T**he **13** piranhas and grab the paper
The slip contains the code `55 4e 50 58 5a 4e 50 7b 67 75 72 5f 65 76 71 71 79 72 65 5f 67 65 76 72 66 5f 70 65 6c 63 67 62 74 65 6e 63 75 6c 7d`
#### 6.2 Task Overview:
This cryptography task was solved with CyberChef.
#### 6.3 Approach:
The recipe used in CyberChef can be found [here](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')ROT13(true,true,false,13)&input=NTUgNGUgNTAgNTggNWEgNGUgNTAgN2IgNjcgNzUgNzIgNWYgNjUgNzYgNzEgNzEgNzkgNzIgNjUgNWYgNjcgNjUgNzYgNzIgNjYgNWYgNzAgNjUgNmMgNjMgNjcgNjIgNzQgNjUgNmUgNjMgNzUgNmMgN2Q).
The slip is ASCII encoded as hex, so the first step is ‘From Hex’.
The capitalised **R**each **O**ver **T**he **13** in the description hints at ROT13, a Caesar shift of 13 over the 26-letter alphabet (its own inverse), just as **HEX** Luthor hints at the hex layer.
Applying ROT13 to the hex-decoded text yields the flag.
<br/><br/>
## 7. Can you find it?
#### 7.1 Task description:
Welcome to this challenge. You are working as an outside pentester in this CTF. You got to know that someone from your contracted company accidentally left sensitive information while using an HTTP site. Your boss has already captured and sent you a PCAP file. Now analyse it and find the leaked data.
**Author**: Mohaiminul
#### 7.2 Task Overview:
Using a packet analyser such as Wireshark, we filter the capture down to HTTP traffic and read the leaked data straight out of a form submission.
#### 7.3 Approach:
Step 1: Install Wireshark.
Step 2: Open SensitiveData.pcapng in Wireshark.
Step 3: Apply the display filter `http` (or, more precisely, `http.request.method == "POST"`) to show only HTTP requests.
Step 4: Open the first request and expand ‘HTML Form URL Encoded: application/x-www-form-urlencoded’; the flag is the value of the ‘password’ field.
The credentials were recoverable only because the form was submitted over plain HTTP. The same capture of an HTTPS login would show nothing but TLS records.
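What Wireshark's form decoder does in that last step, as an added Python example (not from the original write-up): split a raw HTTP/1.x request into its parts, parse the `application/x-www-form-urlencoded` body and the query string, and report the fields whose names look like credentials. The request is constructed, and the list of sensitive field names is this example's own assumption.

```python
"""Pull credentials out of a plaintext HTTP request, the way Wireshark's
'HTML Form URL Encoded' decoder does.

Added example, not from the original write-up. The request is constructed
and the list of sensitive field names is this example's own assumption.
"""
from urllib.parse import parse_qs, urlsplit

SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def leaked_fields(raw: bytes) -> dict:
    """Sensitive-looking fields from the query string and a urlencoded body.

    Only a body declared as application/x-www-form-urlencoded is parsed;
    JSON or multipart bodies would need their own decoder.
    """
    _method, target, headers, body = parse_http_request(raw)
    # Credentials also travel in GET query strings, so always check the target.
    fields = dict(parse_qs(urlsplit(target).query))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        fields.update(parse_qs(body.decode("latin-1")))
    return {k: v[0] for k, v in fields.items() if k.lower() in SENSITIVE_KEYS}


# Constructed sample: what a plaintext login POST looks like on the wire.
# '%26' is a URL-encoded '&' inside the password, which parse_qs restores.
SAMPLE_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"username=jdoe&password=Tr0ub4dor%263&remember=1"
)

# Constructed sample: the same mistake made with a GET request.
SAMPLE_GET = b"GET /api/items?token=abc123&page=2 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    print(leaked_fields(SAMPLE_POST))
    print(leaked_fields(SAMPLE_GET))
```

Against the real capture, Wireshark's own field names do the same job: the display filter `urlencoded-form` keeps only decoded form submissions, and `tshark -T fields -e urlencoded-form.key -e urlencoded-form.value` prints the pairs without opening the GUI.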
<br/><br/>
## 8. Colour Palette
#### 8.1 Task description:
The flag is in this colour palette
**Author**: gilllo
#### 8.2 Task Overview:
This task requires knowledge of ASCII and colour codes. We used [this](https://html-color-codes.info/colors-from-image/) colour code finder and an ASCII-to-text converter.
#### 8.3 Approach:
Find the colour codes contained in the picture. They were (in this order):
1. #420080
2. #79D065
3. #599078
4. #375084
5. #2C4079
6. #2E7078
7. #420069
Strip the ‘#’ from each code and split the six remaining characters into two groups of three. The first group of each code contains hex letters or values above 127, but the second group of every code is a three-digit decimal ASCII code:
420 **080** 79D **065** 599 **078** 375 **084** 2C4 **079** 2E7 **078** 420 **069**
Converting those decimal values to characters gives the flag.
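The same decoding in Python, as an added example that is not part of the original write-up. It goes one step further than the text: rather than assuming the second group is the right one, it tries each group position and keeps the first that decodes to printable ASCII, which is the check that rules the first group out. The colour list is the one recorded above.

```python
"""Decode the 'Colour Palette' flag: each hex colour's second half is a
three-digit decimal ASCII code.

Added example, not from the original write-up; the palette is the list of
colours recorded above.
"""
from typing import List, Tuple

PALETTE = ["#420080", "#79D065", "#599078", "#375084", "#2C4079", "#2E7078", "#420069"]


def split_groups(code: str, size: int = 3) -> List[str]:
    """'#420080' -> ['420', '080']."""
    hexpart = code.lstrip("#")
    return [hexpart[i:i + size] for i in range(0, len(hexpart), size)]


def decode_palette(codes: List[str], group: int = 1) -> str:
    """Read group `group` of every code as a decimal ASCII value.

    A group with hex letters, or a value outside printable ASCII, is
    rejected; that is how the first group of '#420080' ('420') fails.
    """
    chars = []
    for code in codes:
        g = split_groups(code)[group]
        if not g.isdigit():
            raise ValueError("%r is not a decimal number" % g)
        value = int(g)
        if not 32 <= value < 127:
            raise ValueError("%d is outside printable ASCII" % value)
        chars.append(chr(value))
    return "".join(chars)


def find_ascii_group(codes: List[str]) -> Tuple[int, str]:
    """Try each group position; return the first that decodes cleanly."""
    for pos in range(len(split_groups(codes[0]))):
        try:
            return pos, decode_palette(codes, pos)
        except ValueError:
            continue
    raise ValueError("no group position decodes as printable ASCII")


if __name__ == "__main__":
    print(find_ascii_group(PALETTE))
```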
<br/><br/>
## 9. Lamb Source
#### 9.1 Task description:
WHERE'S THE LAMB SOURCE???
#### 9.2 Task Overview:
This task requires basic familiarity with a browser's developer tools.
#### 9.3 Approach:
The flag was found by viewing the page source (F12 or Ctrl+U in Chrome) and browsing to the directory path referenced there. Paths left in comments and unused references in the HTML are exactly what a crawler or a curious visitor looks at first.
<br/><br/>
## 10. Relaxation and self-referential
#### 10.1 Task description:
You woke up one day only to be met with a message from a friend who is in dire need of your help! Your friend fell for an online prankster that zipped one of his most important images and he has no idea how to retrieve the image, since he knows you have a deep understanding of anything involving computers he turns to you for help, do you offer your assistance?
#### 10.2 Task Overview:
This task required handling several compression formats and understanding how file types are identified. We used [this](https://www.checkfiletype.com/) file checker to find the correct extension, and WinZip and 7-Zip to open the files.
#### 10.3 Approach:
We were provided a file with no extension.
For the most part, the challenge was a loop:
check the file type (the checker goes by the magic bytes at the start of the file, not its name) > add the matching extension > extract it > repeat on whatever comes out.
At the end of the loop is a folder named ‘Flag’.
Within this folder is a file called ‘Flag.jpg’.
The flag is in the metadata of this JPEG under the ‘Authors’ field (Windows shows it under Properties > Details; `exiftool` prints it as well).
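The identify-and-extract loop from this task, and the magic-byte check that also explains the ‘Open File’ solve, in Python. This is an added example, not code from the original write-up: the nested payload is constructed in memory, the signature table is a small subset of well-known formats, and each archive is assumed to hold a single member, as the challenge files did.

```python
"""Magic-byte identification and nested-archive unwrapping.

Added example, not from the original write-up. The nested payload is
constructed in memory; the signature table is a small subset of
well-known formats; each archive is assumed to hold a single member.
"""
import bz2
import gzip
import io
import lzma
import zipfile
from typing import List, Optional, Tuple

# (format, signature at offset 0). File extensions are never consulted.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("gzip", b"\x1f\x8b"),
    ("bzip2", b"BZh"),
    ("xz", b"\xfd7zXZ\x00"),
    ("7z", b"7z\xbc\xaf\x27\x1c"),
    ("rar", b"Rar!\x1a\x07"),
]


def identify(data: bytes) -> str:
    """Name the format by its leading bytes, or 'unknown'."""
    for name, sig in SIGNATURES:
        if data[:len(sig)] == sig:
            return name
    return "unknown"


def peel(data: bytes) -> Optional[bytes]:
    """Strip one compression/archive layer; None if the blob is not one we handle."""
    kind = identify(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "xz":
        return lzma.decompress(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])  # single-member archive assumed
    return None


def unwrap(data: bytes, max_layers: int = 32) -> Tuple[List[str], bytes]:
    """The write-up's loop: identify > extract > repeat until a non-archive.

    Returns the layer names outermost-first (the last entry is the payload's
    own type) and the payload bytes. The cap stops a self-referential or
    bomb-style input from recursing forever.
    """
    layers: List[str] = []
    for _ in range(max_layers):
        inner = peel(data)
        if inner is None:
            return layers + [identify(data)], data
        layers.append(identify(data))
        data = inner
    raise ValueError("gave up after %d layers" % max_layers)


def build_sample() -> bytes:
    """Constructed input: a stub JPEG wrapped in gzip, then zip, bzip2 and xz."""
    stub_jpeg = b"\xff\xd8\xff\xe0" + bytes(16) + b"\xff\xd9"
    layer = gzip.compress(stub_jpeg)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Flag", layer)  # no extension, as in the challenge file
    layer = bz2.compress(buf.getvalue())
    return lzma.compress(layer)


if __name__ == "__main__":
    chain, payload = unwrap(build_sample())
    print(" > ".join(chain))
    print("payload: %s, %d bytes" % (identify(payload), len(payload)))
```

On a real file, `identify(open(path, "rb").read(16))` answers the same question the online checker did, and the layer cap is the caveat worth keeping: an archive that contains itself, or a few kilobytes that expand to gigabytes, will otherwise keep the loop busy indefinitely.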
<br/><br/>
## 11. Secret Message
#### 11.1 Task description:
An audio file contains a secret message. The decoded secret message from the audio file will need to be decoded again to find the flag.
**Author**: NorahAlharbi1
#### 11.2 Task Overview:
This task requires decoding Morse code from audio, followed by a hex-to-text conversion.
#### 11.3 Approach:
Step 1: Upload Secret_message.wav to a [Morse code analyser](https://databorder.com/transfer/morse-sound-receiver/), which turns the tones into text; the result is a hex string.
Step 2: Paste that string into CyberChef and run the ‘Magic’ operation (or ‘From Hex’ directly) to obtain the flag.
<br/><br/>
## 12. Matrix
#### 12.1 Task description:
This one is pretty simple, the flag is in the matrix but don't look too hard! You might get lost...
#### 12.2 Task Overview:
This task required a hex editor and CyberChef to analyse a .jpg file.
#### 12.3 Approach:
Step 1: Open hehe.jpg in a [hex editor](https://hexed.it).
Step 2: Look for a section that does not belong to the image data. Here it is appended at the very end of the file, after the image data, as the ASCII string
‘SEFDS01BQ3tST09GTElaQVJEfQ’.
Step 3: Run [CyberChef’s ‘Magic’ operation](https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=U0VGRFMwMUJRM3RTVDA5R1RFbGFRVkpFZlE) on that string. It is Base64 with the trailing ‘=’ padding stripped, and it decodes to the flag.
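The same carve-and-decode in Python, as an added example that is not part of the original write-up. It assumes the hidden string sits after the JPEG's end-of-image marker (FF D9), which fits the note above that it was at the bottom of the file; JPEG decoders stop at that marker, so anything appended there never affects the picture. The JPEG bytes are a constructed stub, not hehe.jpg.

```python
"""Carve bytes appended after a JPEG and decode them as unpadded Base64.

Added example, not from the original write-up. It assumes the hidden
string was appended after the end-of-image marker (FF D9); the JPEG
bytes below are a constructed stub, not hehe.jpg.
"""
import base64
import re
from typing import List

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image; decoders stop here and ignore what follows


def trailing_data(jpeg: bytes) -> bytes:
    """Everything after the last EOI marker (b'' for a clean file)."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    end = jpeg.rfind(EOI)
    if end == -1:
        raise ValueError("no EOI marker: truncated file?")
    return jpeg[end + len(EOI):]


def b64_decode_unpadded(text: str) -> bytes:
    """Decode Base64 whose trailing '=' padding was stripped."""
    text = text.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+", text):
        raise ValueError("not in the Base64 alphabet")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def printable_strings(data: bytes, minimum: int = 8) -> List[str]:
    """strings(1)-style: runs of printable ASCII at least `minimum` long."""
    pattern = rb"[\x20-\x7e]{%d,}" % minimum
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def carve_flag(jpeg: bytes) -> str:
    """trailing_data -> Base64 decode: the two steps the write-up did by hand."""
    return b64_decode_unpadded(trailing_data(jpeg).decode("ascii")).decode("ascii")


# Constructed stub: SOI, a short APP0 segment, filler, EOI, then the appended string.
SAMPLE_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(range(16)) + EOI
               + b"SEFDS01BQ3tST09GTElaQVJEfQ")

if __name__ == "__main__":
    print(printable_strings(SAMPLE_JPEG))
    print(carve_flag(SAMPLE_JPEG))
```

`rfind` takes the last FF D9 in the file, so if the appended data were itself a JPEG the split would land at the inner image's marker; walking the marker segments from the start is the robust alternative. On the command line, `strings hehe.jpg | tail` would have surfaced the same Base64 string.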
<br/><br/>
## 13. Redacted
#### 13.1 Task description:
This email has sensitive information required to catch an attacker. Can you help uncover the information?
**Author**: gilllo
#### 13.2 Task Overview:
This task requires knowledge of common (and flawed) methods of digital redaction, plus a little about how NFT marketplaces and Etherscan expose on-chain data.
#### 13.3 Approach:
We are given a ‘Redacted’ PDF file to start with.
To check whether the text was still present under the black boxes, we selected all of the text, copied it, and pasted it into a fresh Notepad file. It was: the ‘redaction’ was a rectangle drawn over the text, not removal of the text from the document.
This is what was found:
```
CONFIDENTIAL INFORMATION
FOR USE ONLY BY THOSE AUTHORISED
BY PHAROS SECURITY SERVICES
Addressed to:
FULL NAME: JOHN DOE
HOME ADDRESS: 42 Wallaby Way, Sydney, 2000
JOB TITLE: CEO
Hello John,
Don’t want to raise any alarm bells yet, however just received word we may have been
compromised over the weekend. The attacker seems to of left a trace, but can you look when
you get the chance? I’ve shared all the information we have below
Website: market.zora.co
Contract Address: 0xCa21d4228cDCc68D4e23807E5e370C07577Dd152
TokenID: 18462
The security team said the minter of the token is responsible for the hack.
Please take a look and get back to me asap with the minters address.
Regards,
Pharos Security Team.
```
Searching market.zora.co for ‘18462’ brings up Zorb #18462, whose contract address matches the one in the email.
The token's page links to its mint transaction on Etherscan; the sender of that transaction is the minter, which is the address the email asks for.
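Why the copy-and-paste worked, as an added Python example (not from the original write-up): a PDF page is a content stream of drawing operators, and painting a black rectangle is just one more operator after the `Tj` that shows the text, so the text is still there for any extractor to read. The PDF below is constructed; the only proper fix it demonstrates is removing the text operator itself. Real PDFs usually Flate-compress their streams, which the extractor handles, but they also use many more operators than this stub, so treat the regex as a demonstration rather than a full parser.

```python
"""Show why 'redaction' by drawing a black box leaves the text recoverable.

Added example, not from the original write-up. The PDF is constructed:
a one-page document whose content stream writes a line of text and then
paints a filled rectangle over it. remove_text=True builds the properly
redacted version for comparison.
"""
import re
import zlib


def make_pdf(secret: str, remove_text: bool = False, compress: bool = False) -> bytes:
    """Minimal one-page PDF. By default the 'redaction' is a black box over
    the text (the flawed method); remove_text=True drops the text operator,
    which is what real redaction has to do."""
    text_op = b"" if remove_text else (
        b"BT /F1 12 Tf 72 700 Td (HOME ADDRESS: " + secret.encode("latin-1") + b") Tj ET\n")
    content = text_op + b"0 g 70 695 400 16 re f\n"  # filled black rectangle
    stream_dict = b"/Length %d" % len(content)
    if compress:
        content = zlib.compress(content)
        stream_dict = b"/Length %d /Filter /FlateDecode" % len(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< " + stream_dict + b" >>\nstream\n" + content + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# A PDF literal string: parentheses with backslash escapes, followed by Tj.
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def extract_text_operands(pdf: bytes) -> list:
    """Every literal string passed to the Tj operator, from every content
    stream. Flate-compressed streams are inflated first; others are read raw."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass  # not Flate-compressed; scan the raw bytes
        found.extend(s.decode("latin-1") for s in TJ_RE.findall(data))
    return found


if __name__ == "__main__":
    leaky = make_pdf("42 Wallaby Way, Sydney, 2000", compress=True)
    print(extract_text_operands(leaky))                    # text survives the box
    print(extract_text_operands(make_pdf("x", remove_text=True)))  # []
```

Select-all in a viewer, `pdftotext`, or this regex all read the same content stream, which is why overlaying a shape is not redaction. Tools that redact properly delete the text operators (and any copies in metadata, bookmarks and attachments) or rasterise the page.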
<br/><br/>
## 14. Babushka Doll
#### 14.1 Task description:
The string `K1pXaC02Z3crWldoLTI6cWxvK1pUWi1v` contains the flag, however it has been encrypted using multiple different techniques. To help you decrypt it we have given you a flowchart that shows flag encryption process.
**Author**: hkumar07
#### 14.2 Task Overview:
We are given a flowchart that shows the whole encryption process, so all we need to do is run it backwards in CyberChef.
#### 14.3 Approach:
This task was completed by working through the encryption flowchart backwards, undoing each layer in reverse order.
Google helped in matching the flowchart's descriptions to the names of the ciphers and in clarifying the other details given.
This is the [link](https://gchq.github.io/CyberChef/#recipe=From_Base64%28'A-Za-z0-9%2B/%3D',true,false%29Atbash_Cipher%28%29Decode_text%28'UTF-7%20%2865000%29'%29Affine_Cipher_Decode%2817,90%29Vigen%C3%A8re_Decode%28'Zvyozdochkin'%29XOR%28%7B'option':'Decimal','string':'17'%7D,'Standard',false%29ROT47%2847%29&input=SzFwWGFDMDJaM2NyV2xkb0xUSTZjV3h2SzFwVVdpMXY) to the recipe in CyberChef: From Base64, Atbash, Decode text (UTF-7), Affine Cipher Decode (a = 17, b = 90), Vigenère Decode (key ‘Zvyozdochkin’), XOR with 17, and ROT47. It has every layer except the last one.
The output from CyberChef was: YVGGYRZNGEBA
This was run through [this](https://www.dcode.fr/caesar-cipher) Caesar cipher decoder, which tries all 25 shifts, and it returned the flag.
<br/><br/>
## 15. Nuclear Secrets
#### 15.1 Task description:
Mr. Burns continues to pour nuclear waste into the beautiful lake of your home town, Springfield. It's about time to put him out of business by selling his precious nuclear secrets. You notice a strange message from the nuclear power plant's email address. Perhaps this was sent to you by mistake? Can you decode this message and find the secret?
FROM: noreply@powerplant.com.au
Subject: Employees Information
Hello Everyone, From now on, meltdowns will be referred to as an unrequested fission surplus. aHR0cHM6Ly90d2l0dGVyLmNvbS9OdWNsZWFyUG93ZXJfXw==
**Author**: BenjaminSum
#### 15.2 Task Overview:
This task required a few different skills, from recognising and decoding Base64 to a basic knowledge of GitHub.
#### 15.3 Approach:
We take the code given to us in the task description and decode it from Base64.
Doing so returns this link: https://twitter.com/NuclearPower__
Linked to the Twitter account is a [GitHub page](https://t.co/MWjNFZrANb).
The page itself has no actionable information, but its URL names the GitHub account (springfieldnuclearpowerplant).
Searching github.com reveals the account's repositories and their commit history.
The flag is stored in plaintext in [this](https://github.com/SpringfieldNuclearPowerPlant/nuclear.github.io/commit/c613af6595657fe835e79c43b9f520f26b0884c4) commit on line 122. A secret committed to a public repository stays readable in the history even if a later commit deletes it, so the commit list (or `git log -p`) is always worth a look.