# OSINT Challenges Vulncon

### OSINT 1 - Find the Coin

The challenge description mentioned that there was a transaction of 100,000,000 DX to Ku Coin. We can use Etherscan to search for the transactions in DX coin and narrow them down to the date 26 November 2020 (mentioned in the challenge). We can see one transaction.

<https://etherscan.io/tx/0xfdef5b6f6dece6b29695b9fd8d0cadaff944876e598fd443125e1f8c2db15160>

The transaction hash wrapped inside vulncon{} gives us the flag.

#### Flag- vulncon{0xfdef5b6f6dece6b29695b9fd8d0cadaff944876e598fd443125e1f8c2db15160}

### OSINT 2 - trouver

The description says that a friend of the author has created a forum **photobay** and we need to find it. I did a basic Google search for photobay and got some profiles, but nothing matched. Then I did a search for photobay + vulncon and matched a Reddit comment.

#### Flag- vulncon{F1nd1ng_1s_n0t_3Asy!!}

### OSINT 3 - Flying Bear

The challenge description had a code A25B54 and wants us to find the address of the owner. Reading this and the title, we can assume the code has to be an aircraft tail number or a model. So, when we google A25BF4, we get a RadarBox link which gives us the registration number N251HR. Searching this in FlightAware gives us more information, like the current owners and the past owners.

<https://de.flightaware.com/resources/registration/N251HR>

Here we can try the addresses of all three owners, and the flag corresponds to the address of the first owner.

#### Flag- vulncon{PO_BOX_699_ROSE_HILL_NC_284580699}

### OSINT 4 - The Watcher

The challenge description tells us there is a user named *tim3zapper* and he wants us to find the email id of a photographer. To start off the challenge, I googled tim3zapper and we get a Twitter profile. Going over his tweets, we observe that one of the tweets was deleted but backed up somewhere. Immediately, we can guess that it's the Internet Archive. Looking at web archives, we see a user mentioned, `@sullyth3h4x0r`.
Using the **sherlock** tool, we come to know of an Ello page with this username: <https://ello.co/sullyth3h4x0r>. On the page, we see a picture of the plane and a caption asking to find the photographer who took it. Now we know that the mail id in the flag corresponds to the photographer who took this photo.

![](https://i.imgur.com/Qyirf12.jpg)

Doing a reverse image search on Google, we get a page <https://www.jetphotos.com/registration/N251HR> with the photographer's name, **Agustin Anaya**. A Google search on Agustin Anaya hits a page <http://www.dutchops.com/Result.asp?PageNo=1&Soort=%&Airline=Delta%20Airlines> where we see a contact email button. On hovering, we see the email address, which is our flag.

#### Flag- vulncon{m.venema@dutchops.com}

### OSINT 5 - Anything

Challenge Description

```
A person named Noob_Hacker is always doing the strange thing,He wants everything to be on his name, find what he did on internet!
```

My first instinct was to google the user name **Noob_Hacker**, but going through the description again, I found out that the author is asking us to look at what he did on the internet, so I went straight to <https://archive.org/> and checked for any metadata matching **Noob_Hacker**, and we get to see a community text. The text contains the following:

```
maybe your flag is here on the https://discord.gg/ZKtrDHKmJY
```

The Discord link is an invite to **Noob_Hacker** created by the author. The Discord has two messages to get the flag.

![](https://i.imgur.com/fxTOYM5.png)

First, the author says he likes to paste sites and a code. This gives a pastebin URL, <https://pastebin.com/ex3fXYma>, which is locked. Looking closely at the Discord, we can see a tag up top; on clicking it, we get the message to unlock the pastebin.

![](https://i.imgur.com/AUywdDi.png)

The link again takes us to the Internet Archive page we had found earlier.
Checking the added time of the post: `2020-12-15 05:00:05`. I tried mixing the date and time format variants, and in the end the format was `dd-mm-yyyy-hh-ss`, so the password is `15-12-2020-05-05`. And voilà, we get the flag.

#### Flag- vulncon{h0w_1s_th3_cha113ng3!!!}

### OSINT 6 - Sudo GF

The challenge description asks us to find the pseudo GF of **r3curs1v3_pr0xy**, who goes by the name Sabia and has graduated from the University of Groningen. As a first step, we google `Sabia + University of Groningen` and get one hit, a LinkedIn profile of Sabia Zana. In the profile, we can see a link to her GitHub page, <https://github.com/0x9710sabia>. We can see a gist named secret.md which has a PGP key and also a redacted line which was a Keybase URL. In her Keybase profile, we can see a cryptic message.

```
I am Software Engineer at Avratra My Boss asked me to paste this to my keybase Bio: YTrc68ub He said, Someone, will come looking for it :) NY
```

In the cryptic message, we see a few keywords, paste and Bio, which can be interpreted as pastebin. So we get the pastebin URL <https://pastebin.com/YTrc68ub>, which is a locked pastebin. Now, we looked at all possible locations except the wiki page in the GitHub repo. In one of the repos, named *public-gist*, we see the password for the locked pastebin.

`My encrypted Pass: \x78\x63\x56\x56\x74\x6d\x73\x5a\x70\x56`

which on decrypting gives us `xcVVtmsZpV`. Unlocking the pastebin gives us the flag.

#### Flag- vulncon{k3ybase_&_g1thub_pgp_4r3_d3adly_c0mb0

Thanks to Noob_4rmY <https://twitter.com/noobarmy_> and the authors for the challenges.
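
For the OSINT 5 pastebin password, the date and time format search described above can be enumerated instead of tried by hand, which also shows how small the search space is when a password is built from a timestamp displayed publicly next to the item. This Python sketch is an added example, not part of the original writeup; the field orderings and separator set are assumptions chosen for illustration.

```python
from datetime import datetime

# Field orderings and separators are assumptions for illustration;
# the writeup only states the final format, dd-mm-yyyy-hh-ss.
DATE_ORDERS = [("%d", "%m", "%Y"), ("%m", "%d", "%Y"), ("%Y", "%m", "%d")]
TIME_FIELDS = [("%H", "%M", "%S"), ("%H", "%M"), ("%H", "%S"), ("%M", "%S"), ()]
SEPARATORS = ["-", "/", ".", ""]


def timestamp_candidates(timestamp: str) -> list[str]:
    """Return every date/time rendering of `timestamp`, without duplicates."""
    moment = datetime.strptime(timestamp.strip(), "%Y-%m-%d %H:%M:%S")
    seen: dict[str, None] = {}  # dict keeps insertion order and deduplicates
    for sep in SEPARATORS:
        for date_fields in DATE_ORDERS:
            for time_fields in TIME_FIELDS:
                fmt = sep.join(date_fields + time_fields)
                seen.setdefault(moment.strftime(fmt), None)
    return list(seen)


if __name__ == "__main__":
    # "Added" time of the archive.org item, as quoted in the writeup.
    found = timestamp_candidates(" 2020-12-15 05:00:05")
    print(len(found), "candidates")
    print("15-12-2020-05-05" in found)
```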