Sunday, 7 June 2020

CYBAR OSINT CTF - Everything Except Two!

It's been a while since I last blogged here. But tonight I'd like to share the experience my two buddies and I had during the 24-hour Open Source Intelligence (OSINT) Capture-The-Flag (CTF) online competition organized by CYBAR, which we participated in.

Fig 0. CYBAR OSINT CTF


According to its website, "the challenges focus(ed) on IMINT, GEOINT and journalistic investigative techniques surrounding a threat intelligence specialist, self-aware Roombas and containing the Coronavirus pandemic".

This was the first official public OSINT CTF I participated in, and although IMINT and GEOINT are not my strongest skill set, I had shown I could handle them after solving an unofficial challenge set by an instructor during my SANS OSINT course back in 2018, and eventually winning the in-class CTF at the end of the course.

So after my buddy shared the link with me, I accepted and invited another buddy of mine to join. Made up of 3 individuals, the team was called "Apa2Lah", which is basically Malay slang for "whatever".

The CTF organized by CYBAR was straightforward: solve the challenges, gain as many points as possible, and the top few win the cash prizes. Our intention was simply to experience the kind of questions asked in this CTF, but I have to admit that once we scored a couple of points we got hooked and zoned in on the challenges. Something I wanted to spend maybe 2-3 hours on became 15 hours (the other 9 hours were for sleeping and family time).

To cut the story short, we were able to answer all the questions within 7 hours except for two. Two bloody questions, worth the two highest point values, that we spent the remaining hours trying to solve.

Fig 1. Everything except for two!

These were the two questions we were unable to solve.

Fig 2. The question that made me explore Texas for 5 hours

Fig 3. Another mind-boggling question


When CYBAR released the answers on its GitHub page after the CTF was over, I was like... what the hell. Although I admit that, given more time and a slightly better hint, we could possibly have solved the one worth 725 points. Seriously, hats off to those who were able to solve it without any hints or clues. We were looking at the wrong thing in the right place.

But the one worth 675 points was just mind-boggling. The answer to this... well, we never would have guessed that the answer was what it turned out to be. It had nothing to do with Wuhan, nor Zuckerberg; it was not the name of a place, not a person, not a map. Take a look at the answer here.

We were able to answer some of the questions in ways that were not the 'official' manner. For example, for the question below:

Fig 4. Getting Alycee's birthday

The official way of getting the answer can be found here. However, we took a different route. We found Alycee's art profile, which reveals the month and day of her birthday but not the year. Scrolling through Alycee's Twitter profile, we saw a picture and, when we looked more closely, we spotted a password with the number 89 in it. As many people tend to use their birth year as part of their password, we gave it a shot: CYBAR{01/01/1989}, and it was correct!

Fig 5. Day and month of her birthday

Fig 6. A possible year of her birthday

This was another interesting question which we managed to pull through, thanks to Google. The official way is slightly different from ours (official answer here) in that we relied on a different database to locate Scott.

Fig 7. Static on the Wire question

We first googled for "ham radio" AND "florence alabama" and selected the first website in the results: http://www.city-data.com/aradio/lic-Florence-Alabama.html. Then we searched that page for "Scott", and there was the answer!

Fig 8. Relying on a different database website

Another question we did not answer in the official way was this:

Fig 9. Pay $9 to get this answer

So according to the official solution here, in order to get her middle name, you have to "Find the ABN/ACN of the company "CYBAR PROPERTIES PTY LTD". Once found, visit the ASIC register information and purchase the $9 company information record."

We found a domain, themoneyfactory.com.au, tied to Lillie Cawthorn. The domain was not accessible and no website was hosted on it. So we ran it through an online domain records tool to check whether we could get the WHOIS records for this domain. Surprisingly, we managed to find Lillie's full name and submitted the middle name as the flag! Saved us $9!

Fig 10. The middle name
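The WHOIS route above works because some registries still publish the registrant's contact name in the clear while others redact it. The same lookup is worth running against your own domains to see what personal data the registration exposes. The script below is an added example, not part of the original post or any tool the post used: it parses a raw WHOIS response in the usual "Key: Value" line format, reports which contact fields are exposed rather than redacted, and splits an exposed name into first/middle/last. The record it parses is constructed for the example; the domain, names and ABN in it are placeholders, not real WHOIS data for themoneyfactory.com.au or anyone else.

```python
"""Parse a raw WHOIS response ('Key: Value' lines) and show which registrant
and contact fields are exposed versus redacted.

SAMPLE_WHOIS is a constructed record with placeholder values; it is not
real WHOIS output for any domain."""
from typing import Dict, List, Optional, Tuple

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PLACEHOLDER.COM.AU
Registry Domain ID: D000000000-AU
Registrar Name: Example Registrar Pty Ltd
Status: clientTransferProhibited
Registrant: EXAMPLE PROPERTIES PTY LTD
Registrant ID: ABN 00 000 000 000
Registrant Contact Name: Jane Placeholder Doe
Registrant Contact Email: jane@example.invalid
Tech Contact Name: Redacted for privacy
Tech Contact Email: abuse@example.invalid
Name Server: ns1.example.invalid
Name Server: ns2.example.invalid
>>> Last update of WHOIS database: 2020-06-07T00:00:00Z <<<
"""

# Substrings registrars commonly use when a field is withheld (assumed list).
REDACTED_MARKERS = ("redacted", "privacy", "not disclosed", "withheld")


def parse_whois(raw: str) -> Dict[str, List[str]]:
    """Collect 'Key: Value' lines into a dict keyed by lower-cased field name.
    Repeated keys (e.g. Name Server) accumulate; comment and banner lines
    (starting with '>>>', '%' or '#') and lines without a colon are skipped."""
    fields: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")  # split on the FIRST colon only
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def is_redacted(value: str) -> bool:
    """True if the value looks like a privacy placeholder rather than data."""
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTED_MARKERS)


def registrant_person_name(fields: Dict[str, List[str]]) -> Optional[str]:
    """Return the registrant contact's personal name if it is exposed, else None."""
    for key in ("registrant contact name", "registrant name"):
        for value in fields.get(key, []):
            if value and not is_redacted(value):
                return value
    return None


def split_name(full: str) -> Tuple[str, str, str]:
    """Split 'First Middle Last' into its parts; middle is '' if absent."""
    parts = full.split()
    return parts[0], " ".join(parts[1:-1]), parts[-1]


def exposed_contact_fields(fields: Dict[str, List[str]]) -> List[str]:
    """Registrant/contact fields whose values are NOT redacted: this is what
    any WHOIS client sees, and what a domain owner should review."""
    exposed = []
    for key, values in fields.items():
        if key.startswith("registrant") or "contact" in key:
            if any(v and not is_redacted(v) for v in values):
                exposed.append(key)
    return exposed


if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_WHOIS)
    print("exposed fields:", exposed_contact_fields(parsed))
    name = registrant_person_name(parsed)
    if name:
        print("registrant name parts:", split_name(name))
```

Running it prints the exposed fields (the redacted "Tech Contact Name" is left out) and the three parts of the placeholder registrant name. To review a real domain, replace SAMPLE_WHOIS with the text returned by your WHOIS client; if a personal name shows up in the exposed list, that is the field to ask the registrar to redact or replace with a role contact.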

Another question which was not straightforward to answer was this:

Fig 11. Fake news question

We initially googled for news articles mentioning the incident described in the 'Article text' pictured above, and even filtered for news published on 29th February just to see if anyone had published anything relating to it. But it's no surprise that a 650-point question can't be answered with a mere Google search. It took us about an hour or two to arrive at the answer. Our process was not the same as the 'official' way here. Instead, we visited another Australian government public database and played around with the filters to determine the answer. This answer briefly brought us up into the top 25.

Fig 12. Generating the answers after doing some filtering

After 24 hours, with 2 flags still not captured, we just had to let it go. But it was good; I believe we learned a lot from this competition. A 3-man team comprising a cybersecurity analyst, a data scientist and a threat intelligence analyst, none of us experienced in IMINT and GEOINT, was able to get 32nd position (tied on points with many) out of over 160 teams that joined.

Fig 13. Falling at 32nd place

Fig 14. 161 teams registered for the challenge

Participating in CTFs is one of the ways you can explore your skills: what you are good at and what you need to improve. It's also an opportunity for me to understand what skills or tools are needed to answer those questions, and if I feel they would be useful to me, I would embark on learning them further. If time permits, I would definitely participate in more of these online CTFs: less pressure, and in the comfort of my own home.