# TRACS 2022 - EURECOM 1 Shared Notes
# Fake News
Buy Hint??
Hint (translated from French): "A bit of film culture to tell the source account's handle apart from the bots ;)"
I think we could buy one, or bribe the other team
FINAL Suspect:
cyber-rider (all tweets are Lorem Ipsums)
Tweets from the 9 users with the highest tweet counts (by a large margin, ~300000), all mentioned by the hypothesised main user `cyber-rider`:
`grep ',cyber-rider,' inputdata_2022_2.csv | grep -Eo '@[A-Za-z0-9_-]+' | sort -u | sed 's/^@//' | xargs -I % grep ",%," inputdata_2022_2.csv > botstweets.txt`
(the handle character class must allow `-` and `_`, otherwise `@cyber-rider` is cut to `@cyber`; grepping `,handle,` selects the user column, whereas grepping `@handle` returns every tweet that merely mentions the account)
- Mainly Latin placeholders tweeted
- [ ] Find any actual misinformation tweets hidden among the Lorem Ipsums
#### Random Commands
Sorting a user's tweets by time
`grep ,exampleuser, inputdata_2022_2.csv | awk -F ',' '{print $4","$1","$2","$3}' | sort -h`
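Added example (not from the original notes): the two shell one-liners above, redone in Python so the mention extraction, the bot-tweet selection, the Lorem-Ipsum filter for the open TODO and the per-user timeline can be run and checked offline. The column layout `id,user,text,timestamp` and the tweets themselves are constructed; the real `inputdata_2022_2.csv` layout is not documented in these notes.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in an ASSUMED column layout (id,user,text,timestamp);
# the real inputdata_2022_2.csv layout is not documented in the notes.
SAMPLE_CSV = """\
id,user,text,timestamp
1,cyber-rider,"check out @bot1 @bot2 and @al-ice",2022-11-01T10:00:00
2,bot1,"Lorem ipsum dolor sit amet consectetur adipiscing elit",2022-11-01T10:05:00
3,bot1,"sed do eiusmod tempor incididunt ut labore et dolore",2022-11-01T10:06:00
4,bot2,"Lorem ipsum dolor sit amet",2022-11-01T10:07:00
5,bot2,"Paul Hytick caught in huge scandal, share now!",2022-11-01T09:59:00
6,al-ice,"going for lunch",2022-11-01T12:00:00
7,bot1,"consectetur adipiscing elit lorem ipsum",2022-11-01T10:04:00
"""

# Vocabulary of the standard placeholder text; a tweet made mostly of these words is filler
LOREM_WORDS = {
    "lorem", "ipsum", "dolor", "sit", "amet", "consectetur", "adipiscing", "elit",
    "sed", "do", "eiusmod", "tempor", "incididunt", "ut", "labore", "et", "dolore",
    "magna", "aliqua",
}

# Handles in this dataset contain '-' (cyber-rider), so the class must include it
MENTION_RE = re.compile(r"@([A-Za-z0-9_-]+)")


def load_tweets(csv_text):
    """Parse with the csv module so commas inside quoted tweet text do not split columns."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def tweet_counts(tweets):
    """Per-user tweet volume: the bot accounts stand out by a large margin."""
    return Counter(t["user"] for t in tweets)


def mentioned_by(tweets, user):
    """Set of handles @-mentioned in tweets authored by `user`."""
    handles = set()
    for t in tweets:
        if t["user"] == user:
            handles.update(MENTION_RE.findall(t["text"]))
    return handles


def is_lorem(text, threshold=0.6):
    """True when at least `threshold` of the words are placeholder vocabulary."""
    words = re.findall(r"[a-z]+", text.lower())
    return bool(words) and sum(w in LOREM_WORDS for w in words) / len(words) >= threshold


def suspicious_tweets(tweets, seed_user):
    """Tweets by accounts mentioned by `seed_user` that are NOT placeholder text."""
    bots = mentioned_by(tweets, seed_user)
    return [t for t in tweets if t["user"] in bots and not is_lorem(t["text"])]


def timeline(tweets, user):
    """A user's tweets ordered by timestamp (ISO 8601 strings sort lexically)."""
    return sorted((t for t in tweets if t["user"] == user), key=lambda t: t["timestamp"])


if __name__ == "__main__":
    tweets = load_tweets(SAMPLE_CSV)
    print(tweet_counts(tweets).most_common())
    for t in suspicious_tweets(tweets, "cyber-rider"):
        print(t["user"], t["timestamp"], t["text"])
```

The word-ratio test deliberately tolerates a few non-Latin tokens, so a bot that pads real disinformation with a Lorem tail still surfaces; lower `threshold` if the placeholder tweets in the real data are shorter.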
# Arlette
## Files
#### Arlette_rapport.pdf
> I am now certain that malpractices in the scoring algorithms of the TikBook network allow the fake news unfavorable to Paul Hytick to be emphasized and the ones critical of Harry Viste to be made inaccessible.
>
> My manager Eve Hillboss keeps a close eye on the team in charge of the evolution of these algorithms, who now eat lunch separately and carefully avoid any interaction with the rest of the company's employees.
>
> On the other hand, on several occasions on Wednesday evening, I saw Eve in a bar with someone. She had never been to such a bar before.
>
> I tried to collect documents on the network and, while exploring the file server, I saw a directory "To be deleted" which I copied. It has since been deleted. I also collected documents. I took a picture of his office in case it might be useful to you, even if there is nothing special. I've put everything in the zip.
>
> Since I started this investigation, I have noticed abnormal behaviors on my computer: the files that I worked so hard to get disappear or are unreadable. Maybe some of them are encrypted. I haven't even had time to look at them. Has someone taken control of my computer?
## Foulage
Likely JPEG DCT alteration, detected via [atomicjpeg](https://github.com/b3dk7/atomicjpeg) - 0.25% score
- [ ] Find a tool to automatically extract potential data added to the DCT coefficients
- Tried a bunch of them, got tired lol
## C2 Ransomware
> In the file sent by Arlette, she mentions the corruption of her computer. A ransomware was found there. Following an analysis, we know that it exfiltrates its data on the server https://z5RL4uK3.ec.tracs.viarezo.fr.
We want to take control of it.
1. What is the name of the temporary file?
#### Findings
`?page=docteurs`
- uid=1000(rhackgondins) gid=1000(rhackgondins) groups=1000(rhackgondins)
- Someone might've already hacked it
DevTools -> Network -> data:application/json (this object is almost certainly Burp's DOM Invader settings injected by the browser extension, not something served by the target: note the `canary`, the source/sink lists and the `prototypePollution*` toggles)
```json
{
"canary": "r2v9phps",
"enabled": false,
"postmessage": false,
"spoofOrigin": false,
"injectCanary": false,
"filterStack": false,
"fireEvents": false,
"guessStrings": false,
"crossDomainLeaks": false,
"duplicateValues": false,
"preventRedirection": false,
"redirectBreakpoint": false,
"injectIntoSources": false,
"prototypePollution": false,
"prototypePollutionDiscoverProperties": false,
"prototypePollutionPropertiesPerFrame": 10,
"prototypePollutionAutoScale": true,
"prototypePollutionQueryString": true,
"prototypePollutionHash": true,
"prototypePollutionJson": true,
"prototypePollutionVerify": true,
"prototypePollutionNested": true,
"prototypePollutionCSP": false,
"prototypePollutionXFrameOptions": false,
"prototypePollutionSeparateFrame": false,
"disabledSources": [],
"disabledTrackingSources": [
"location",
"location.href",
"location.hash",
"location.search",
"location.pathname",
"document.URL",
"window.name",
"document.referrer",
"document.documentURI",
"document.baseURI",
"document.cookie",
"URLSearchParams"
],
"disabledSinks": [
"xhr.open",
"xhr.send",
"fetch",
"fetch.header",
"fetch.url",
"fetch.body",
"xhr.setRequestHeader.name",
"xhr.setRequestHeader.value",
"document.domain",
"history.pushState",
"history.replaceState",
"xhr.setRequestHeader",
"websocket",
"anchor.href",
"JSON.parse",
"document.cookie",
"localStorage.setItem.name",
"localStorage.setItem.value",
"sessionStorage.setItem.name",
"sessionStorage.setItem.value",
"window.name",
"location.pathname",
"location.protocol",
"location.host",
"location.hostname",
"location.hash",
"location.search"
],
"disabledTechniques": [],
"sinkCallback": false,
"sourceCallback": false,
"messageCallback": false,
"permissionsPolicy": false
}
```
# Matt Huvut
## Logs GSM
> Arlette stated that Eve Hilboss meets with an individual every Wednesday night at a bar in TrueCity. SOS provided us with TrueCity's GSM intercepts to identify this second individual.
Eve Hilboss resides at coordinates (latitude 357, longitude 184) and works at the TikBook headquarters: (-831, -1775)
For your information, the position of the BTS in this city is as follows:
- BTS1 : (-1235, -1748)
- BTS2 : (1842, 1145)
- BTS3 : (-1130, 1852)
- BTS4 : (-4231, 2212)
- BTS5 : (3412, -1490)
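Added example (not part of the notes or of the SOS data): the analysis the brief calls for, written out so it can be checked. It maps Eve's home and workplace to their nearest BTS with the coordinates given above, then ranks other subscribers seen on the same cell as Eve on Wednesday evenings, ignoring her home and work cells. The intercept format `timestamp,subscriber,bts` and the log lines are constructed; the real intercept layout is unknown. The coordinates are planar, not real latitude/longitude, so Euclidean distance is used.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import hypot

# BTS positions and Eve's home/work coordinates, taken from the challenge brief
BTS = {
    "BTS1": (-1235, -1748),
    "BTS2": (1842, 1145),
    "BTS3": (-1130, 1852),
    "BTS4": (-4231, 2212),
    "BTS5": (3412, -1490),
}
EVE_HOME = (357, 184)
EVE_WORK = (-831, -1775)


def nearest_bts(point):
    """Crude cell-selection model: a phone camps on the closest BTS.
    Real selection also depends on antenna sectors, power and load, so treat
    the result as a first guess, not ground truth."""
    return min(BTS, key=lambda n: hypot(point[0] - BTS[n][0], point[1] - BTS[n][1]))


# Constructed intercept log in an ASSUMED layout "timestamp,subscriber,bts".
# 2022-11-16 and 2022-11-23 are Wednesdays; 2022-11-17 is a Thursday.
SAMPLE_LOG = """\
2022-11-16 08:05,EVE,BTS1
2022-11-16 19:30,EVE,BTS3
2022-11-16 19:35,SUB_A,BTS3
2022-11-16 19:40,SUB_B,BTS2
2022-11-17 19:30,EVE,BTS3
2022-11-17 19:31,SUB_C,BTS3
2022-11-23 20:10,EVE,BTS3
2022-11-23 20:12,SUB_A,BTS3
2022-11-23 20:15,SUB_D,BTS3
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, sub, bts = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), sub, bts))
    return records


def is_wednesday_evening(ts):
    return ts.weekday() == 2 and ts.hour >= 18  # Monday == 0


def find_companions(records, target, exclude_bts, window=timedelta(minutes=60)):
    """Count, per other subscriber, the Wednesday evenings on which it was seen on the
    same BTS as `target` within `window`, skipping the cells the target uses anyway."""
    seen = set()  # (subscriber, date) pairs, so one evening counts once
    for ts, sub, bts in records:
        if sub != target or bts in exclude_bts or not is_wednesday_evening(ts):
            continue
        for ts2, sub2, bts2 in records:
            if sub2 != target and bts2 == bts and abs(ts2 - ts) <= window:
                seen.add((sub2, ts.date()))
    return Counter(sub for sub, _ in seen)


def main():
    home, work = nearest_bts(EVE_HOME), nearest_bts(EVE_WORK)
    ranked = find_companions(parse_log(SAMPLE_LOG), "EVE", {home, work})
    print(f"Eve's home cell: {home}, work cell: {work}")
    print("candidates:", ranked.most_common())


if __name__ == "__main__":
    main()
```

On the brief's numbers Eve's home falls on BTS2 and the TikBook headquarters on BTS1, so a recurring Wednesday-evening co-location on any other cell is the signal to look for; a subscriber that recurs across several Wednesdays is a far stronger candidate than one seen once.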
## Site Agents Evil
> EvilCountry's clandestine agents transfer the reports of their external operations to the website Nv2rpEpa.ec.tracs.viarezo.fr.
Our goal is to successfully read Matt Huvut's reports.
#### Crypto chall
> SOS has already investigated the behavior of an agent of EvilCountry services: Pat Rediskrer. The field agent tells us that "he uses QR codes to hide his password with a Shamir base 3 algorithm" and that the PyCryptoDome library would be used. One of these QR codes was found on Pat.
What is the password used by Pat Rediskrer?
QR code scanned -> `1-de2578600fe895bf483e5ddfc9925827` (share index 1 followed by 32 hex digits = 16 bytes, the shape of a PyCryptodome `Shamir.split` share; if "base 3" means threshold 3, at least two more shares are needed to recover the password)
- Couldn't find public vulns (CVEs) for PyCryptoDome
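Added example (not from the notes and not PyCryptodome's own code): a minimal Shamir split/combine over GF(2^128), modelled on PyCryptodome's `Crypto.Protocol.SecretSharing.Shamir` (16-byte secret, shares as `(index, 16 bytes)`, the irreducible polynomial x^128 + x^7 + x^2 + x + 1 is assumed to match), together with the `index-hex` formatting seen on the QR code. It shows concretely why one scanned share is useless on its own: with a threshold of 3, two shares reconstruct an unrelated value and three reconstruct the secret. The secret `tracs-demo-pass!` is constructed.

```python
import secrets

# GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (assumed to be PyCryptodome's field)
IRR = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1


def gf_mul(a, b):
    """Carry-less multiply with reduction, shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= IRR
    return r


def gf_inv(a):
    """a^(2^128 - 2) == a^-1 (Fermat), by square-and-multiply."""
    result, base, exp = 1, a, (1 << 128) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split(k, n, secret):
    """n shares of a 16-byte secret, any k of which reconstruct it."""
    if len(secret) != 16:
        raise ValueError("secret must be exactly 16 bytes (pad or hash a password first)")
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbits(128) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner: a0 + a1*x + ... + a_{k-1}*x^{k-1}
            y = gf_mul(y, x) ^ c
        shares.append((x, y.to_bytes(16, "big")))
    return shares


def combine(shares):
    """Lagrange interpolation at x = 0; wrong (but silent) if fewer than k shares are given."""
    xs = [x for x, _ in shares]
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = gf_mul(num, xj)        # prod of x_j  (0 - x_j == x_j in char 2)
                den = gf_mul(den, xi ^ xj)   # prod of (x_i - x_j)
        secret ^= gf_mul(int.from_bytes(yi, "big"), gf_mul(num, gf_inv(den)))
    return secret.to_bytes(16, "big")


def format_share(share):
    """The 'idx-hex' text form seen on the QR code."""
    idx, value = share
    return f"{idx}-{value.hex()}"


def parse_share(text):
    idx, value = text.split("-", 1)
    return int(idx), bytes.fromhex(value)


if __name__ == "__main__":
    secret = b"tracs-demo-pass!"          # constructed 16-byte secret
    shares = split(3, 5, secret)
    print([format_share(s) for s in shares])
    print("3 shares:", combine(shares[:3]))
    print("2 shares:", combine(shares[:2]))  # unrelated bytes, no error raised
```

`combine` never fails loudly with too few shares, which is the trap here: feeding the single QR share (or any two) to `Shamir.combine` returns 16 plausible-looking bytes, not an error. The recoverable-secret test is whether the output is printable, or whether it matches a known hash, and only the missing shares change that.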
#### Web chall
> A previous study of an old version of the web server authentication system revealed the ability, once connected to the site, to modify the login present in a cookie in order to access the reports of a chosen user.
You will find in the attachment some example cookies on the trapped computer of pat.rediskrer.
Can you tell us when the next meeting with Eve Hilbosse will take place?
- `pat.rediskrer` -> possible username
- [ ] cookies.txt -> fromHex -> base64 encoded chunks -> don't know how to determine the format
- Simple Login form, looks useless, maybe restoring the session is the way
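Added illustration of the weakness the brief describes, not TikBook's code (the site's real cookie format is unknown, and the JSON-in-base64 layout, the `matt.huvut` login and the HMAC fix are all assumptions): a session cookie that carries the login in the clear is rewritten to another user and accepted, while the MAC-protected version rejects the same edit.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret, never sent to clients


# --- vulnerable: the login travels in the cookie and is trusted as-is ---------------
def vulnerable_issue(login):
    return base64.urlsafe_b64encode(json.dumps({"login": login}).encode()).decode()


def vulnerable_current_user(cookie):
    return json.loads(base64.urlsafe_b64decode(cookie))["login"]


def tamper(cookie, new_login):
    """What the old TikBook auth allowed: decode, swap the login field, re-encode."""
    payload = json.loads(base64.urlsafe_b64decode(cookie))
    payload["login"] = new_login
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


# --- hardened: the login is bound to a MAC under a key the client never sees ----------
def signed_issue(login, key=SERVER_KEY):
    body = base64.urlsafe_b64encode(json.dumps({"login": login}).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def signed_current_user(cookie, key=SERVER_KEY):
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None  # forged or modified cookie: treat as not logged in
    return json.loads(base64.urlsafe_b64decode(body))["login"]


def signed_tamper(cookie, new_login):
    """Same edit as tamper(), keeping the old tag; the server must reject it."""
    _, _, tag = cookie.rpartition(".")
    new_body = base64.urlsafe_b64encode(json.dumps({"login": new_login}).encode()).decode()
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    c = vulnerable_issue("pat.rediskrer")
    print("vulnerable:", vulnerable_current_user(tamper(c, "matt.huvut")))
    s = signed_issue("pat.rediskrer")
    print("hardened:", signed_current_user(signed_tamper(s, "matt.huvut")))
```

The signed variant stops the login swap but still exposes the login to the client; an opaque random session ID looked up server-side is the stronger design, and it also lets the server revoke sessions.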
# Locaux TikBook
## Fluxes Binaires
> The proximity to the TikBook offices allowed us to capture streams from technical equipment configured with various parameters. Help the SOS analyze these streams to find the transmitted files.
1. In many of these files there are hardware brands (marques de matériels). Give 10 of them, separated by ";"
`Fichier_2: Apple DiskCopy 4.2 image H\251\263\253\315, 2882368025 bytes, 0x3200 tag size, GCR CLV ssdd (400k), 0x0 format`
- The `file` guess above is internally inconsistent (a 400k GCR DiskCopy image with a 2.8 GB data length and a non-printable volume name), so the magic match is probably spurious
- Need a forensic tool to identify the streams
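Added example (not from the notes): a small stream identifier for captures whose link parameters are unknown. It tries the decodings that a wrong capture setting typically produces (bit order reversed, polarity inverted, framing off by 0..7 bits), scores each by the number of known magic-number hits, and then pulls printable strings out of the best candidate, which is where vendor names show up. The magic table and the sample stream (a PNG header plus a vendor string, captured LSB-first) are constructed; extend the table for whatever the real streams contain.

```python
import re

# Well-known magic numbers; a short table for the demo (assumption: extend it for the real streams)
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive",
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip stream",
    b"GIF8": "GIF image",
}

_BITREV = bytes(int(f"{i:08b}"[::-1], 2) for i in range(256))


def bit_reverse(data):
    """Undo an LSB-first capture of an MSB-first stream (or vice versa)."""
    return data.translate(_BITREV)


def invert(data):
    """Undo inverted logic level / polarity."""
    return bytes(b ^ 0xFF for b in data)


def shift_bits(data, k):
    """Drop the first k bits (framing offset), zero-padding the tail to a byte boundary."""
    bits = "".join(f"{b:08b}" for b in data)[k:]
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def candidate_decodings(data):
    """Yield (label, bytes) for every combination of the three parameters."""
    for k in range(8):
        base = shift_bits(data, k)
        yield f"shift{k}", base
        yield f"shift{k}+bitrev", bit_reverse(base)
        yield f"shift{k}+invert", invert(base)
        yield f"shift{k}+bitrev+invert", invert(bit_reverse(base))


def find_magics(data):
    """All (offset, description) magic-number hits, sorted by offset."""
    hits = []
    for magic, desc in MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def printable_strings(data, minlen=6):
    """Equivalent of `strings -n minlen`, where brand names usually surface."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def best_decoding(data):
    """The candidate with the most magic hits; ties go to the first one tried."""
    return max(candidate_decodings(data), key=lambda ld: len(find_magics(ld[1])))


# Constructed sample: a PNG header and a vendor string, as captured LSB-first
SAMPLE_STREAM = bit_reverse(b"\x89PNG\r\n\x1a\n" + bytes(8) + b"Vendor: ACME Instruments" + bytes(4))

if __name__ == "__main__":
    label, decoded = best_decoding(SAMPLE_STREAM)
    print(label, find_magics(decoded), printable_strings(decoded))
```

Scoring by magic hits is deliberately coarse: a stream that decodes to zero hits under every candidate is either a format missing from the table or needs a different parameter (for example a non-byte frame size), and the string output from the raw data is still worth a look in that case.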
# TikBook - Forum
> From a source, we have obtained the certainty that two actors particularly involved in the circulation of fake news were to meet. It would be a question of a clandestine purchase.
The information is incomplete, so the digital research unit was directed by the attached message.
It is up to you to investigate, but above all, do not leave any trace of your activities!
#### TG.pdf
TOP SECRET - Reserved for Cyber resources
DUE DATE : ++03/12/2022++
Beginning of the message:
From a source, we have obtained the certainty that two actors particularly involved in the circulation of fake news were to meet. It would be a question of a clandestine purchase.
The Service was able to identify the forum ++fandebecanes.forumactif.com++ where they would have exchanged information about the place and date of this meeting.
We believe that the individuals felt threatened, as the activity of the forum in question is declining strongly.
Therefore, we ask the Open Source Cyber Research Service
- If there is a record of the dialogue between the individuals
- To confirm that the nicknames used (bibi and cyber-rider) are indeed those of our targets or to correct if necessary
- At least to determine the place and date of the meeting of the individuals
- Any additional information that could help us to carry out the mission, in particular
technical elements such as names, first names, emails, telephone numbers... or anything else that the recipient might consider relevant would obviously be greatly appreciated
/!\ IMPORTANT /!\
The mission is crucial for the Service, the means involved are important. The cyber service is urged to operate with the utmost caution so as not to arouse the slightest suspicion in the individuals mentioned above.
Any detection of any intervention would be detrimental to the mission and could be responsible for its total cancellation.
/!\ IMPORTANT /!\
# SOS en Action
## Drones
> With the modified report on the control server, the Evil Services should cross the border at this location to retrieve indium.
The SOS observation drones should fly over the area and detect passing vehicles with a sensor that works within a certain radius.
They created a simulation: three drones flying over a rectangular area of six square kilometers.
They say they have tested a few deployment strategies, but even in such a simple situation, the richness of the possibilities makes the problem difficult.
That's why they're calling on us: they want us to provide them with a strategy that allows them to detect as many vehicles as possible.
Here is the work they have already done.
Send us your drone order file.
The strategy that will detect the most vehicles will be sent to the SOS.
Attention: all answers are final!