IRIS CTF 2024 Write up - OSINT - All Challenges

Hi, I am vow. I participated IRIS CTF 2024 and played with Black Bauhinia.

I tried to make this write up as beginner friendly as possible so that everybody can follow and learn something.

Special thanks to harrier, hollow, TheHakkaman and th1k4n for solving the challenges with me.

Part 1: What is, and how to OSINT?

OSINT is a new category added to IRIS CTF this year. So, what is OSINT?

To simply put, most of the time, OSINT CTF challenges require you to search and gather information from publicly available sources in order complete the challenge.

Some common OSINT challenges include:

• Using a search engine to find information
• Gather information in images
• Geolocation
• And more…

So, how does one get better at OSINT?

Google Harder.

Now, let's dive into the challenges.

Part 2: Czech Where? (401 Solves)

We are given an image, and are tasked to find the street name of where this image was captured.

This is a Geolocation OSINT challenge, and from the hint we can guess that the street name is likely to contain spaces and accent marks.

If we read the title carefully, Czech Where? is obviously a hint for where the image was taken, Czech Republic. However, there are lots of streets in Czech Republic so we need to narrow down our scope.

The image itself doesn't really provide us with any clues except for the N:20 address top of the door.

Fortunately, Google offers a very useful feature called "Search by Image" that can help us. Basically, you could upload an image, and Google will show webpages that have similar images (Remember to change the scale to the whole image!).

Looking at the results, the first returned image looks very similar to our image:

Visiting the webpage, we can see it is a travel blog of a Japanese person.

If we scroll down the blog, we would see our image, but let's focus on the text first. Perhaps it may give us some clues as to where the image was taken at?

If we copy and paste some text into DeepL Translator, we get the following translation:

Seems like it is mentioning a place called "Golden Alley", that is located in Czech Republic near Prague Castle. If we Google these keywords, we get this:

Now, we can proceed to search for this place using Google Maps Street View.

Typing "The Golden Lane" leads us to here:

Let's take a look using "Street View" (Just drag the "Orange Person" at the bottom right, and place it on the blue lines that appear!)

Looking around the streets, we see this building:

If we compare the 2 images, we can see that there are many similarites:

At this point, we are quite confident that this is the building we are looking for.

Now, we just have to check the street name, modify it so it matches our flag format, and we would have our first flag!

Part 3: Away on Vacation (255 Solves)

This time, our goal is to learn more about the assistant of Iris Stein. Reading the transcript, we can learn a few facts:

Given that we have an email address, why not try sending a message to it?

After sending an email to Michel, we received this reply:

From this reply, we learn something new, which is that Michel has his own social media account and mostly talk about birds on it. Let's try searching for it.

Hmm, it seems like searching for "Michelangelo Corning" or "Michelangelo Corning Social Media" or "Michelangelo Corning [Insert Popular Social Media Platform Name Here]" did not provide any relevant information.

Maybe trying a different search engine might yield better results?

There are many search engines in the world besides Google, here are a few other examples:

Let's try using DuckDuckGo, repeating the same keywords and we get this:

Let's check out this Instagram account:

Several important details stand out here:

This is probably the social media we are searching for, let's take a look at the posts! But, Instagram requires you to have an account in order to access the platform.

Nowadays, many websites require you to register an account to access their tools or platform, but sometimes we prefer not to sign up with our personal email accounts, either to avoid spam or for privacy reasons.

A solution to this problem would be to use a "Disposable Email".

For some larger platforms, they may have checks that prevent email addresses with unusual email domains from signing up. In that case, your only option would be to use your personal email, or to create a new email address with a commonly known email doamin like Gmail.

After creating an account, we can take a look at Michel's posts. If we take a closer look at the images, descriptions and comments, we would find something interesting:

The flag is located in the description of this post!

Part 4: Personal Breach (173 Solves)

For this challenge, we are given a link to a website where we have to fill in some personal information related to Iris Stein. Here are the questions:

Reading the description, the second sentences hints that for this challenge, we are going to have to look at other people's social media accounts or websites in order to gain more information about Iris Stein.

Since we already have Michel's Instagram account, let's take a look at who Michel is following:

We see that Michel is following Iris Stein, how about let's take a look at Iris Stein's Instagram account?

Taking look at Iris Stein's followers, it seems she is mainly following other companies' social media accounts (with the exception of Michel), so it is unlikely we can find any more useful information here.

Again, let's go through Iris' posts and see what we can find!

Exercise: Go through Iris Stein's posts and see what you can discover.

Solution

Reading the posts, we can learn a few facts:

• Iris loves to travel.
• Iris also likes Mimosas and Tiramisu.

But the more useful information for this task would be:

• Her mother is named "Elaina Stein", and is born in April.
• Her mother does not have an Instagram account.

Remember the description? "The weakest link in security could be the people around you." Maybe we can find more information in her mother's social media account.

After completing the exercise (or checking the answers), you should know what to look for. Using different search engines, an interesting result popped up when I searched the key words using DuckDuckGo, and upon clicking the result, we arrive here:

This does seem like the account we should be looking for.

Taking a deeper look, we see that there is a section called "Life Events":

And it seems like it has Elaina and Iris' birthdays! Let's take a look at Iris' birthday:

At this point, we know Iris' birth date, which allows us to determine Iris' age. We also got an image and a hint to where Iris was born.

Exercise: Determine where Iris was born.

Solution

Google Image Search is here to save the day!

Using the image of the hospital room for a reverse search gives us the following queries:

It is easy to see that the first query is exactly the same as our image. Therefore, we can conclude that Iris was born in Lenox Hill Hospital.

We now have two pieces of information to fill in the form, but we are still missing the last piece of the puzzle - "What company does Iris work for?"

Not much more information can be found within the social media accounts and posts, so let's go back to the drawing board. Since it is asking something related to work, we can try searching in one of the biggest business networking platforms - LinkedIn.

After signing up an account for LinkedIn and searching for "Iris Stein", we are met with an overwhelming amount of results:

How can we find the correct account? We have some clues in hand:

• Iris Stein is a head of a HR department. (Away on Vacation)
• We have some images of how Iris Stein looks like. (Instagram Account)

Looking back at LinkedIn, there does exist an account that looks very similar to the images above:

In fact, this account has the exact image as the first image above, just with different color grading and without the heart emojis. We can also see that this Iris Stein in LinkedIn is also a HR of a company.

At this point we can pretty much confirm that this LinkedIn account belongs to the same Iris Stein we are searching for, and we can conclude that Iris Stein works for Mountain Peak Hiring Agency.

Now, we just have to submit the answers and get our flag!

Part 5: A Harsh Reality of Passwords (28 Solves)

Before attempting this challenge, we need to understand what is a "Hash".

That is the very basic idea of hashing. So our goal is to find a password that matches the hash, which would then be our flag. But first, we need to know what type of hash function is used for this hash, as there are many types of hash functions.

Throwing the hash into Hash Analyzer, we learn that the hash is made with a hash function called bcrypt.

So the main question remains: How do we find the password?

Based on the hints, we can have a rough idea of how the password looks like:

Since this is an OSINT challenge (not a cypto challenge), we can guess that the password should be composed of words and numbers that were mentioned, or related to the theme of the posts.

Let's start off with numbers. It is very common to add numbers to password as it would make the password more secure, however most people would use numbers that have special meaning to them, perhaps the date of an anniversary, a birthday, etc.

If we recall the post where we found Iris' mother's name, there is something important written there:

It seems that Iris mother's birthday is important to Iris, and it is common knowledge that dates are represented using numbers. Checking back the Facebook page:

Now, here comes the big question: What should the 3 words in the password be?

Unfortunately, there is no method to directly determine the words, therefore our only way is to brute force the password using a custom password list, which will be generated using Python.

The first step would be to get a list of potential keywords that might be in the password. Usually the keywords would be something of importance like locations, food, items, etc, and usually not words like pronouns, adjectives, etc.

Now that we have our wordlist, let's do some data processing. The first goal would be to split every word into it's own unique string, remove all unnesscary newline or space characters, and put all the words into a list:

# Explaination: 
# We first open the wordlist.txt file, and give it a name "file".
# 
# Then for every line in the file, we split it into strings 
# based on where a space exists. ("Hello World" --> ["Hello", "World"])

# Next, for every word in "line_with_many_words" (split() returns a list),
# we remove any newline characters or spaces using rstrip()
# and proceed to add the word into "word_list"

word_list = []

with open('COMPUTER_PATH_TO_YOUR_WORDLIST_TXT_FILE', "r") as file:
    for line in file:
        line_with_many_words = line.split(" ")
        for word in line_with_many_words:
            word_list.append(word.rstrip()) 

We now have a list of words, but we want a list with all words starting with capital letters only (All words have proper capitalization). Again, we can accomplish this with a little bit of Python:

# Explaination: 
# Similar to above, we use a for-loop to get each word, 
# then convert the first character into uppercase, 
# then add the word to "processed_word_list" respectively.

processed_word_list = []

for word in word_list:
    processed_word_list.append(word.title())    #Makes first character uppercase

# Remove duplicates using the "list-set" trick.
processed_word_list  = list(set(processed_word_list ))

Now here comes the fun part, we are going to use a built-in Python module called "itertools" to help us generate different password combinations. Itertools is very useful when you need to generate permutations and combinations with elements, it is also much faster and memory efficient when compared to using loops.

Our goal would be to select 3 words in order to form a password, and the 3 words can be in any order without repeats.

Now, let's implement this idea in Python, and using our wordlist as our set of elements:

# Explaination: 
# We create permutations using the words we pre-processed,
# and put them in a list.

# The list should look something like this:
# [('Milan', 'Tiramisu', 'Stein'), ('Tiramisu', 'Swarovski', 'Amsterdam')...]

# Note that we only have a list of tuples for now, therefore we need to combine 
# the strings in the tuples together.

# Using a for-loop, we go through each tuple, join the elements together,
# and put them in a new list called "password_strings".

from itertools import permutations 

password_strings = []

for group in list(permutations(processed_word_list , 3)):
    password_strings.append(''.join(group))

Now, we have a list containing all permutations of our word list!

But wait, we remember that we still have a number (date) to consider.

numbers = ["8", "08", "4", "04", "1965"]
date_strings = []

for group in list(permutations(numbers, 3)):
    date_strings.append(''.join(group))

# Explaination:
# We create 4 tuples: 
# ('8', '4', '1985') ('8', '04', '1985') 
# ('08', '4', '1985') ('08', '04', '1985')

# Then we create permutations using each of these 4 tuples, 
# join the strings with "+", and append it to "date_strings".

from itertools import permutations, product

day = ["8", "08"]
month = ["4", "04"]
year = ["1985"]

date_strings = []

for pair in product(day,month,year):
    for a,b,c in permutations(pair,3):
        date_strings.append((day+month+year))

Now, we have a list of words and a list of dates, we just need to join them together, save it to a text file, and we would have our password list!

# Explaination:            
# We open up your password.txt file first
# (if the file does not exist, Python will automatically create one for you),

# Then for every word, we add all the possible dates behind it,
# along with a newline character (this is the same as pressing enter)
# and append it to the text file.

with open('COMPUTER_PATH_TO_YOUR_PASSWORD_TXT_FILE', "a") as file:
    for date in date_strings:
        for word in password_strings:
            file.write((word+date) + "\n")

Now that we have our password list, it's time for the last step: Finding which password is the correct one.

There are two ways to do this, one is to use a password cracking tool called "Hashcat" (probably the fastest method), the other is to use the "bcrypt" module in Python. Note that you have to install the module using pip.

Hashcat Method (Highly recommended):

Prepare two textfiles, one would be your password list, and the other would be your hash list.

In this case the hash.txt should only contain:
$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC

Now, once you have installed hashcat, you can execute the following command (Linux):
$ hashcat -m 3200 -a 0 password.txt hash.txt

The arguments -m and -a means the hashing function and attack method respectively.
-m 3200 is bcrypt hash function, and -a 0 is called "Dictionary attack" (basically means going through all the passwords in a text file to see which passwords match).

Once hashcat finds the password, the output would look like this:
$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC:REDACTED_FOR_NOW

Python Method:

The "bcrypt" module has a function called checkpw(), which checks whether a password is equal to a hash and returns a boolean value.

We can then brute force the password with the following code:

# Explaination:                     
# We open up your password list, remove the newline characters with rstrip(),
# convert the passwords into bytes (utf-8), 
# and then compare the passwords with the hash.

# If it returns "True", that means we found the 
# correct password, print it out, then stop.

# If it returns "False", that means we need to keep trying.

from bcrypt import checkpw

hash_goal = b"$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC"

with open('COMPUTER_PATH_TO_YOUR_PASSWORD_TXT_FILE', "r", encoding='utf8') as file:
    for password in file:
        if (checkpw(bytes(password.rstrip(), "utf-8"), hash_goal) == True):
            print("The password is: " + password)
            break
        else:
            continue

Before showing the flag, let's see some statistics for password generation and hash cracking time:

Now, here is the final code and the flag!

from itertools import permutations
from bcrypt import checkpw

# Permutations of words.

word_list = []
processed_word_list = []
password_strings = []

with open('COMPUTER_PATH_TO_YOUR_WORDLIST_TXT_FILE', "r") as f:
    for line in f:
        line_with_many_words = line.rstrip().split(" ")
        for word in line_with_many_words:
            word_list.append(word.rstrip())

for word in word_list:
    processed_word_list.append(word.title())

processed_word_list = list(set(processed_word_list))

for group in list(permutations(processed_word_list , 3)):
    password_strings.append(''.join(group))

# ============================================================

# Permutations of date.

numbers = ["8", "08", "4", "04", "1965"]
date_strings = []

for group in list(permutations(numbers, 3)):
    date_strings.append(''.join(group))

# ============================================================

# Generating password list by listing all combinations 
# of password_strings and date, then exporting it to a file.
    
with open('COMPUTER_PATH_TO_YOUR_PASSWORD_TXT_FILE', "a") as file:
    for date in date_strings:
        for word in password_strings:
            file.write((word+date) + "\n")

# ============================================================

# Hash brute forcing. (Slow)

flag = 0

hash_goal = b"$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC"
print("Brute forcing hash...")

with open('COMPUTER_PATH_TO_YOUR_PASSWORD_TXT_FILE', "r") as file:
    for password in file:
        if (checkpw(bytes(password.rstrip(), "utf-8"), hash_goal) == True):
            print("Found!")
            print(password)
            flag = 1
            break
        else:
            continue  
            
if (flag == 0):
    print("Not found :(")

And that's it! I hope you learned something from this write up!