aye1024 / CTF-Writeups


UTCTF 2024 OSINT 1-3 #1

Open aye1024 opened 3 months ago

aye1024 commented 3 months ago

OSINT 1-3 Writeup

Two days ago, the venerable UTCTF 2024 launched and, as someone new to CTFs, it was a pleasure to compete with a friend and place in the top 150. We tried many challenges and were able to dive deep into the abyss and solve some intriguing problems. OSINT 1-3 is my most memorable of the few, as it is beginner friendly yet requires a fresh approach and strong curiosity.

OSINT 1:

image

Our challenge provides us with the fact that this company has a leaked document. A link is also provided, leading us to the front page of a company.

image

Now, our hints suggest that our leaked document won't be found anywhere on the site. Hence, searching for further information is required. A Google search on this company yields nothing. (Of course it isn't a real company.) Similarly, any links on the page go nowhere, the map gives a location for a different establishment, and the support contact doesn't work at all. However, their management team is listed.

image

Truthfully, I searched all of these names. However, in hindsight, one name stands out: Cole Minerton. Isn't that name quite strange?

image

A quick Google search gives an inactive Twitter account created a month before the CTF. Within the bio is a Linktree, where all the information we need for the OSINT challenge saga is listed. We just need to find the right pieces.

image

Clicking on the YouTube link, we find his channel, where "Cole" has posted his speedrun of Catbird Marda. More importantly, a Discord link is provided. Joining the Discord and scrolling up, we find our leaked document in plain sight.

image

Downloading this document and using Ctrl+F to search for "utflag", we find our flag: utflag{discord_is_my_favorite_document_leaking_service}

image

OSINT 2:

image

In OSINT 2, we need to correctly find Cole Minerton's city, state, and zip code. Even armed with the Linktree, this is no small task. Scavenging through the links, we see that Cole has posted many photos on his Mastodon.

image

Two of these are from his skiing ventures at Angel Fire; however, one catches the eye.

image

He goes to a gas station to fill up his 4x4 for a trip. This trip is further hinted at in the Discord conversation he has with his colleagues.

image

Instinctively, I searched the net for Telluride and reviews of the ski resort, hoping to find some other hidden account Cole had. This was to no avail. However, going back to the picture and caption, we realize that Cole must have filled up on gas in his hometown, as he had not yet begun to drive towards Telluride. Zooming into the photo, we find some crucial information:

image image

We are looking for a Cimarron Ave. in New Mexico, of which there are 3:

image

Using Google Maps Street View, we can look for the same run-down gas station. Only Raton, NM has this gas station on Cimarron Ave.

image

A quick search gives us that Raton, NM's zip code is 87740, thus our flag is: Raton,NM,87740

OSINT 3:

image

In OSINT 3, we look for his IP address. Once again, we return to the faithful Linktree.

image

Cole's Twitter is empty, we've used his Mastodon for OSINT 2, and his YouTube for OSINT 1. However, if you were lucky and caught a crucial hint on YouTube, or scoured his Reddit, you'd find something interesting.

image image

His "New Account" post is a red herring, so if you looked deep into that, RIP to your time. However, our clues point towards the fact that Cole plans to speedrun a game called "Tiny Island Survival", and because there is no wiki for it, he plans to create his own.

image image

Now, here's where prior knowledge comes into play. I had never known much about wikis; however, after I asked my teammate and did a quick Google search, he immediately pointed me in the right direction. If you are not logged into a wiki while editing a page, your IP address is leaked to the public. This feature exists so that moderators can easily IP-ban trolls who spam pages with misinformation; however, in Cole's case, it has clearly backfired on him. When we open the revision history, we see the following:

image image

Here, we see that Cole has been faithfully keeping his word and updating information on his wiki. The IP of every unauthorized user has been recorded, while Cole, who has been logged in the whole time, shows up as "coleminerton". But has he really been logged in the whole time?

image

He was not logged in for one single edit. And this will prove to be his downfall.

image

We can now see his IP address: 181.41.206.31. This is the correct flag for OSINT 3.

Final Remarks

This challenge was the most fun I've had, and I'm very glad I chose UTCTF as my 2nd CTF to participate in. Props to @mzone on Discord, who I'd assume is running the Cole Minerton account. Too bad he didn't fall for the very not obvious Grabify attempt for OSINT 3:

image

But at least I tried it.
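The OSINT 3 technique above (a wiki attributes logged-out edits to the editor's IP address, so one slip in the revision history exposes it) can be automated. The following is an added example, not code from the writeup or from the challenge authors. It assumes a MediaWiki-style revision list of the shape returned by `action=query&prop=revisions&rvprop=user|timestamp|comment`, where an anonymous revision carries the editor's IP in the `user` field and an `anon` flag. The page title, timestamps, edit summaries and addresses in the sample are constructed placeholders (RFC 5737 documentation ranges), not data from the challenge, and the "suspect" heuristic (an anonymous edit close in time to the target's logged-in edits) is this example's own assumption.

```python
"""Spot logged-out edits in a MediaWiki-style revision history.

Added example (not from the original writeup). Assumes the JSON shape of
the MediaWiki API query:
  action=query&prop=revisions&rvprop=user|timestamp|comment&titles=<page>
Logged-out revisions are attributed to an IP address and flagged "anon".
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample history: hypothetical page, users, times and addresses.
SAMPLE_HISTORY_JSON = """
{"query": {"pages": {"1": {"title": "Tiny Island Survival speedrun (sample)",
  "revisions": [
    {"user": "coleminerton", "timestamp": "2024-03-01T10:00:00Z",
     "comment": "create page"},
    {"user": "coleminerton", "timestamp": "2024-03-01T10:20:00Z",
     "comment": "add route overview"},
    {"user": "203.0.113.7", "anon": "", "timestamp": "2024-03-01T10:35:00Z",
     "comment": "add boss section"},
    {"user": "198.51.100.42", "anon": "", "timestamp": "2024-03-05T03:00:00Z",
     "comment": "lol"},
    {"user": "coleminerton", "timestamp": "2024-03-06T12:00:00Z",
     "comment": "revert vandalism"},
    {"user": "OtherUser", "timestamp": "2024-03-06T14:00:00Z",
     "comment": "fix grammar"}
  ]}}}}
"""


def parse_revisions(history_json):
    """Flatten the API response into a list of revision dicts."""
    data = json.loads(history_json)
    revs = []
    for page in data["query"]["pages"].values():
        revs.extend(page.get("revisions", []))
    return revs


def is_ip_user(user):
    """True if the 'user' field is an IPv4/IPv6 literal (a logged-out editor)."""
    try:
        ipaddress.ip_address(user)
        return True
    except ValueError:
        return False


def anonymous_edits(revs):
    """Revisions attributed to an IP rather than a registered account."""
    return [r for r in revs if "anon" in r or is_ip_user(r["user"])]


def _ts(rev):
    return datetime.strptime(rev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def suspect_ips(revs, username, window=timedelta(hours=1)):
    """Heuristic (this example's assumption): an anonymous edit made within
    `window` of one of `username`'s logged-in edits is a candidate for the
    same person having forgotten to log in. Returns (ip, timestamp, comment)."""
    named_times = [_ts(r) for r in revs if r["user"] == username]
    suspects = []
    for r in anonymous_edits(revs):
        t = _ts(r)
        if any(abs(t - nt) <= window for nt in named_times):
            suspects.append((r["user"], r["timestamp"], r.get("comment", "")))
    return suspects


def find_suspects(history_json, username):
    """Convenience wrapper: parse the history and apply the heuristic."""
    return suspect_ips(parse_revisions(history_json), username)


if __name__ == "__main__":
    for ip, when, comment in find_suspects(SAMPLE_HISTORY_JSON, "coleminerton"):
        print(f"{ip}  {when}  {comment!r}")
```

In practice the revision list would come from the wiki's API (or be scraped from the history page), and the time-proximity heuristic should be combined with what the writeup actually relied on: whether the anonymous edit's content and summary continue the named user's work. The `anon` flag alone is enough to list every logged-out edit; the heuristic only narrows which of them is likely the target.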

shuban-789 commented 3 months ago

Yup. Prob the best osint chall i have done in a while