Introduction
This write-up covers one of the challenges administered in the TrendMicro CTF 2017. These challenges require open-source intelligence (OSINT) skills.
Let’s get started…
The challenge text was as follows:
“Description: Challenge. This challenge has been solved. Category: IoT/OSINT/SCADA. Points: 100.
Today you received an email that seemed to be from an online shopping site that you use – but when you followed the link something did not seem right. It appears that the world’s worst phisher must have set up the page – and has targeted you with a phishing attack!
The email text said you needed to visit a link to update the security of your account. However, the link leads to the site ctf.superpopularonlineshop.com.definitelynotaphishingsite.com
For this challenge, you must find the “Real Person” who is behind this attack – leveraging your Open Source Intelligence (OSINT) skills.
The Flag will be found on one of their social profile pages
NOTE: Pen Testing the site will not help – in fact, all you need to start the trail is in this email already”
———————————————————–
Keywords: OSINT, Whois, Maltego
Starting by browsing the website at the domain ctf.superpopularonlineshop.com.definitelynotaphishingsite.com gives us the following:
As always, the first step in OSINT is identifying the domain artifacts with a whois lookup.
This time I ran whois on “definitelynotaphishingsite.com”, because querying the full domain did not yield anything.
Searching for the email address pointed to by the arrows in the figure above did not yield anything concrete, so the focus switched to the phone number.
Using Maltego to analyze to whom the phone number belongs gives us three options, as shown:
Trying each of them led me to go with the URL
which redirects to a page with whois information.
Going to the website highlighted in yellow gives us the following:
As with any OSINT case, we need to dig into the social profiles. A little googling gives us the following Twitter account, which supposedly belongs to the real person we are tracking.
Working OSINT cases also requires focusing on the subject’s connections, and after a dive into his/her followers, the account shown in the picture below was the one we were supposed to consider from the beginning.
Googling the account’s name took us to his LinkedIn page, which finally had the leads and clues we were interested in.
This cipher text, GZPGS{SGE0FVAG101, looks like one of the ROT variants; a little searching and decryption gives us
And the flag is TMCTF{FTR0SINT101}
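As an added example (not part of the original write-up), a small Python script that tries every Caesar rotation of the cipher text and keeps the one whose output starts with the known TMCTF{ flag prefix; it recovers the ROT13 plaintext without having to guess the variant by hand.

```python
from typing import Dict, Optional

# Cipher text exactly as it appears in the write-up (the closing brace is missing there too)
CIPHERTEXT = "GZPGS{SGE0FVAG101"
# Flag format used by TrendMicro CTF, taken from the recovered flag on this page
FLAG_PREFIX = "TMCTF{"


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; digits, braces and
    any other characters pass through unchanged."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(ciphertext: str) -> Dict[int, str]:
    """Return every non-trivial rotation (1..25) keyed by shift, for manual inspection."""
    return {shift: rot(ciphertext, shift) for shift in range(1, 26)}


def find_shift(ciphertext: str, prefix: str) -> Optional[int]:
    """Return the shift whose plaintext starts with `prefix`, or None if no rotation matches."""
    for shift, candidate in all_rotations(ciphertext).items():
        if candidate.startswith(prefix):
            return shift
    return None


if __name__ == "__main__":
    shift = find_shift(CIPHERTEXT, FLAG_PREFIX)
    if shift is None:
        print("no rotation produced the flag prefix; not a plain ROT cipher")
    else:
        print(f"ROT{shift}: {rot(CIPHERTEXT, shift)}")
```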