# OSINT Writeup Foobar CTF ## Challenge 1- Old Memories #### Challenge Description I urgently need to contact the President of GNU/LINUX USERS Group NIT Durgapur back in 2015 but I cannot find his details. Can you please help me to find his name and phoneno. <span style="color:purple">GLUG{Firstname_Lastname_phoneno}</span> #### Solution On reading the description, first thing that comes to mind is wayback machine or archive.org. So we get the link for GNU/Linux group (https://nitdgplug.org) and go back to 2015 using wazback machine. Checking the contacts in the page we get the name and number of the president. ![](https://i.imgur.com/kSyJu7z.png) So the flag was <span style="color:green">GLUG{Harshit_Agarwal_8942031165}</span> ## Challenge 2- You #### Challenge Description <span style="color:purple">h4x0rl4dy</span> - "Oversized shades, floral shirt, and a lean physique. That is all I remembered from our first meeting. A paradise on Earth they say, help me locate the place where we first met <span style="color:purple">Flag format : GLUG{latitude_longitude} (upto 3 decimal places).</span> ![](https://i.imgur.com/3iTVDbq.jpg) #### Solution There are two methods to get some leads on the places, either by reverse imaging the above image given in challenge description or check for the username h4x0rl4dy. I took the second method as the above image resulted in false positives. So looked into her insta profile and came up with another two images and a story which mentioned paradise same as that of the challenge description. ![](https://i.imgur.com/59E9Zkj.jpg) and story ![](https://i.imgur.com/5XZqgYX.jpg) Reverse imaging on these two leads us to Constance Ephelia resort in Seychelles. Using Google Maps we can get the Longitude and Latitude So the flag was <span style="color:green">GLUG{-4.658_55.405}</span> ## Challenge 3- Home #### Challenge Description <span style="color:purple">h4x0rl4dy</span> - That is the last I saw of him. The only link to him is his address. He gave it to me but I cannot find it. Help me! <span style="color:purple">FLAG FORMAT - GLUG{address}</span> #### Solution This was one of the two challenges that required more time and concenteration to solve. There are no clues in the challenge description and we are stuck with just the username h4x0rl4dy. Using sherlock we can get the social medias and other profiles matching the username. Interesting profile is that of GitHub which has a readme file mentioning "you already f0und me". On checking the commits we see some redacted info like a mail address and a comment mentioning a preview link. When we view the main page of her profile, we do see an interesting character with a link icon - 'UTDgPMGE'. I immediatelz thought of two things- pastebin/youtube. on trying pastebin, we see a locked pastebin, so we are on the right track. [locked pastebin](https://pastebin.com/UTDgPMGE) So now we need to find the password and we are again back to the drawing board with the username. Now on searching twitter and facebook we reach a deadend. Only profiles left were LinkedIn and Reddit. Reditt has no posts but just DOB which is not the password :wink: . We open the LinkedIn(open the profile with logged in and not simply viewing it).We can see that she has created a slideshare PPT which gives us the next clue- a gist.github page. [gist.github](https://gist.github.com/h4x0rl4dy/b32511c29ef72700fbe57c90e5e857ac) which contains the wordlist and an hash to crack. ========================================= WORDLISTS ========================================= h4x0r caltech 1997 loves rishav 69 crypto oshint ========================================= --------------------------------------------------- my secret hash : df6584e59b2f57173db5191fa6ed84ac --------------------------------------------------- We can identify the hash as MD5 using hash-identifier. but none of the above words match the hash. Next step was to combine the words and check the hash. There are two methods. 1. hashcat- combinator method 2. wite a python script I could not use the hashcat as it had some problems with my AMD processor. But the command to use hashcat is ~~~ hashcat -a 1 -m 0 hash wordlist.txt ~~~ For the python I wrote a script using itertools which has the permutation function. ~~~ x = ["h4x0r","caltech","1997","loves","rishav","69","crypto","oshint"] y = [] import itertools for j in range(6): for i in itertools.permutations(x,j): y.append(''.join(i)) resultlist = [] for i in range(len(y)): result = hashlib.md5(y[i].encode()) #resultlist.append(result.hexdigest()) print(y[i], result.hexdigest() ~~~ we get a match for > h4x0r69loves df6584e59b2f57173db5191fa6ed84ac We can now unlock the pastebin using this password and get the flag. we see the contents of the pastebin as ~~~ 10880_Malibu_Point - <3 r1shav here ~~~ So the flag was <span style="color:green">GLUG{10880_Malibu_Point}</span> ## Challenge 4- Missing #### Challenge Description <span style="color:purple">h4x0rl4dy</span> : I went to his home...but he was nowhere to be found. All I got was this note : <span style="color:purple">Он тебе не подходит. Держись подальше</span>. Help me track down the b!!!h who left this. <span style="color:purple">FLAG FORMAT : GLUG{flag}</span> ##### Note: Only 3 tries #### Solution From the answer of last challenge, everz marvel fans know that Malibu Point is the location of Stark Mansion. Following this path is sure to lead you into rabbit hole. The russian script translates to "He's not good for you. Stay away.", so we can tell that we are looking for a russian lady. Other clues which we have from our last challenge is a redacted gmail id -"h4x0rl4dy@gmail.com" and a new username r1shav. We can use Ghunt to anlayse the mail id. We get some zoutube links matching the name Kristina Parker and a Gmaps review https://www.google.com/maps/contrib/117418642363520110962/reviews which takes us to the famous Marshall Chess Club in New York with a single star rating. Looks like Kristina is really pissed off with the chess club and we might have out solution with them. I started looking through the various members to see if there was Kristina Parker or Rishav but no matches. Next step was to google "marshall chess club + r1shav" and scrolling through the results, there was an interesting page called lichess.org with a reference to marshall chess club. On opening the site,we see a rather interesting name in recent members list- r1sh4v which is same as r1shav we have. Entering his profile, we see he has played one match and that too with a Russian lady named anyasmirnova. Entering her profile, we are treated with another russian script ![](https://i.imgur.com/HuQCz98.png) On translating we get two results. flag - mate ;) flag - checkmate ;) Since we have only three tries, I confirmed with the admin h4ck3r_d0g3 as I was not sure if the smilez need to be included. So the flag was <span style="color:green">GLUG{checkmate}</span>