Introduction

This write-up covers one of the challenges administered by TrendMicro CTF 2017. These challenges require open-source intelligence skills.

Let’s get started…

The challenge text was as follows:

 “Description: Challenge This challenge has been solved. Category: Iot/osint/scada Points: 100 Today you received an email that seemed to be from an online shopping site that you use – but when you followed the link something did not seem right. It appears that the world’s worst phisher must have set up the page – and has targeted you with a phishing attack!

The email text said you needed to visit a link to update the security of your account. However, the link leads to the site ctf.superpopularonlineshop.com.definitelynotaphishingsite.com

For this challenge, you must find the “Real Person” who is behind this attack – leveraging your Open Source Intelligence (OSINT) skills.

The Flag will be found on one of their social profile pages

NOTE: Pen Testing the site will not help – in fact, all you need to start the trail is in this email already “

———————————————————–

Keywords: OSINT, Whois, Maltego

Starting by exploring the website at the domain ctf.superpopularonlineshop.com.definitelynotaphishingsite.com gives us the following:

As always, the first thing to do in an OSINT case is to identify the domain artifacts using “whois”.

And this time I used whois for “definitelynotaphishingsite.com” because using the whole domain did not yield anything

Searching for the email pointed to by the arrows in the figure above did not yield anything concrete, so the focus was switched to the phone number.
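The two steps above (dropping the long phishing hostname down to the registrable domain before querying whois, then pulling the registrant contact fields out of the whois record to pivot on) can be scripted. The following is an added example, not code from the original write-up; the whois record it parses is a constructed sample with placeholder registrant values, not the challenge's real record, and the `registrable_domain` helper is a naive last-two-labels rule that is sufficient for a .com host.

```python
import re

# Constructed example: the hostname from the challenge email.
PHISHING_HOST = "ctf.superpopularonlineshop.com.definitelynotaphishingsite.com"

# Constructed whois output in the common "Key: Value" layout used by many
# registrars. The registrant values are placeholders, not the real record.
SAMPLE_WHOIS = """\
Domain Name: DEFINITELYNOTAPHISHINGSITE.COM
Registrar: Example Registrar, LLC
Creation Date: 2017-05-01T00:00:00Z
Registrant Name: REDACTED-PLACEHOLDER
Registrant Email: registrant@example.invalid
Registrant Phone: +1.5550100000
Admin Email: registrant@example.invalid
Name Server: NS1.EXAMPLE.INVALID
"""


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive registrable domain).

    Enough for a .com host like the one in the challenge; multi-label
    suffixes such as co.uk would need the Public Suffix List instead.
    """
    labels = host.strip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {host!r}")
    return ".".join(labels[-2:])


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' whois lines into a dict keyed by lowercase field name.

    Repeated keys (e.g. several Name Server lines) are collected into a list.
    """
    record = {}
    for line in text.splitlines():
        # Non-greedy key so a value containing ':' (timestamps) is kept whole.
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def pivot_points(record: dict) -> dict:
    """Pull out the registrant contact fields an analyst would pivot on next."""
    wanted = ("registrant name", "registrant email", "registrant phone")
    return {k: record[k] for k in wanted if k in record}


if __name__ == "__main__":
    base = registrable_domain(PHISHING_HOST)
    print("whois target:", base)
    for field, value in pivot_points(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field}: {value}")
```

In practice the parsed record would come from the `whois` command run against the value `registrable_domain` returns; the phone and email fields are the pivots the write-up goes on to search for.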

Using Maltego to analyze where the phone number belongs gives us three options, as shown:

Trying every one of those led me to go with the URL

https://pastebin.com/TyEDZsaA

which redirects to a page with whois information.

Going to the website highlighted in yellow gives us the following:

As with any OSINT case, we need to dig into the social profiles. A little googling gives us the following Twitter account, which is supposed to belong to the real person we’re tracking.

Working on OSINT cases also requires focusing on the subject’s connections, and after a dive into his/her followers, the account shown in the picture below was the one we were supposed to consider from the beginning.

Googling the account’s name took us to his LinkedIn page, which finally had the leads and clues we’re interested in.

This cipher text GZPGS{SGE0FVAG101 looks like one of the ROT variants; a little searching and decryption gives us
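Rather than guessing which ROT variant it is, all 25 letter shifts can be tried and the right one recognised by the competition's flag format. The following is an added example, not code from the original write-up; it uses the cipher text exactly as quoted above (which is missing the closing brace) and assumes the flag prefix `TMCTF{`.

```python
# Cipher text as quoted in the write-up (the closing brace is missing there).
CIPHERTEXT = "GZPGS{SGE0FVAG101"
FLAG_PREFIX = "TMCTF{"


def rotate(text: str, shift: int) -> str:
    """Caesar-shift letters by `shift`; digits, braces and other chars pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_rot_shift(ciphertext: str, prefix: str = FLAG_PREFIX):
    """Try every non-trivial shift and return (shift, plaintext) for the one
    whose output starts with the expected flag prefix, or None if none does."""
    for shift in range(1, 26):
        candidate = rotate(ciphertext, shift)
        if candidate.startswith(prefix):
            return shift, candidate
    return None


if __name__ == "__main__":
    hit = find_rot_shift(CIPHERTEXT)
    if hit is None:
        print("no single-shift rotation produces the flag prefix")
    else:
        shift, plaintext = hit
        print(f"ROT{shift}: {plaintext}")
```

The match lands on ROT13, and because a 13-letter shift is its own inverse, rotating the full flag by 13 reproduces the cipher text with its closing brace.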

And the flag is TMCTF{FTR0SINT101}