osint

Mann-Hunt

Solved by: Avantika(iamavu)

Mann Hunt

We were on the trail of a notorious hacker earlier this week, but they suddenly went dark, taking down all of their internet presence...All we have is a username. We need you to track down their personal email address! It will be in the form ****.sdctf@gmail.com. Once you find it, send them an email to demand the flag!

Username
mann5549

We have a username, mann5549. I checked the Discord server, but couldn’t find anything.

Let’s try to find social media accounts; usually I go with instant-username-search. From there I got the Twitter account: https://twitter.com/mann5549

The profile listed the following website: https://mann.codes. I couldn’t really find much on that website, even in the Wayback Machine. “Codes” reminded me of GitHub, so I searched GitHub for mann5549, but there was no such user. I thought I should also query for the website name itself (mann.codes), and that found the user. YAY.

Visiting the repository and going through the commits, specifically this file [src/components/seo.js](https://github.com/manncyber/manncodes.github.io/commit/e81f6315e6a1ecc2277246547f85f3c9e0ebf11e#diff-46bb1d99a93bc5b6f63d50361abac9cc4c09038b92b77536c85a93ff2f8fc401), I found a name.

Googling this name gives a LinkedIn profile as the very first result: https://www.linkedin.com/in/emanuel-hunt-34749a207/

Next, a Google Drive file; let’s see what it is: https://drive.google.com/file/d/10No4G_5iv2t5jxbvg2-weXkFouZrnQtg/view Sadly no email here D: but then I remembered that we can look up the metadata of a Google Drive file via Google’s API and possibly get the email. Let’s go to the Google API reference: https://developers.google.com/drive/api/v3/reference/files/get

Reading the documentation, I realised we need the fileId, which is present in the URL itself, and we need to tell the API to return all possible metadata fields.

Hit Execute and boom, we get the email ID: mann.sdctf@gmail.com. Now send an email to that address asking for the flag, and soon we get an autoreply with the flag.

FLAG - **sdctf{MaNN_tH@t_w@s_Ann0YinG}**

P.S.: Alternate way to check for docs email:


Google-Ransom

Solved by: Avantika (iamavu) and Starry-Lord

Google Ransom
Oh no! A hacker has stolen a flag from us and is holding it ransom. Can you help us figure out who created this document? Find their email address and demand they return the flag!

Ransom Letter - https://docs.google.com/document/d/1MbY-aT4WY6jcfTugUEpLTjPQyIL9pnZgX_jP8d8G2Uo/edit

We can find the owner of any Drive file via the Google API: simply query the fileId, which is present in the URL itself. https://developers.google.com/drive/api/v3/reference/files/get

Setting the fields parameter to * tells the API to return all possible metadata fields. We get the email as amy.sdctf@gmail.com; send them an email and we get back our flag.
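The Drive lookup used in both Mann-Hunt and Google-Ransom, as an added example (not the writeup's own code): it pulls the file ID out of either URL shape seen above, builds the files.get request with fields=*, and reads owners[].emailAddress from the response. The live call assumes an API key in the DRIVE_API_KEY environment variable; offline it parses SAMPLE_RESPONSE, a constructed reply shaped like the documented files resource, so the owner address in it is made up.

```python
"""Owner e-mail from Google Drive file metadata (files.get with fields=*).

Added example, not from the writeup. Live use assumes an API key in the
DRIVE_API_KEY environment variable; offline it parses a constructed
sample response modelled on the documented files resource.
"""
import json
import os
import re
import urllib.parse
import urllib.request

# Matches the file ID in both URL shapes seen in the writeup:
#   https://drive.google.com/file/d/<ID>/view
#   https://docs.google.com/document/d/<ID>/edit
_ID_RE = re.compile(r"/(?:file|document|spreadsheets|presentation)/d/([A-Za-z0-9_-]+)")


def extract_file_id(url: str) -> str:
    """Return the Drive file ID embedded in a share/edit/view URL."""
    m = _ID_RE.search(url)
    if not m:
        raise ValueError(f"no Drive file ID found in {url!r}")
    return m.group(1)


def metadata_url(file_id: str, api_key: str) -> str:
    """files.get URL; fields=* asks for every metadata field, owners[] included."""
    query = urllib.parse.urlencode({"fields": "*", "key": api_key})
    return f"https://www.googleapis.com/drive/v3/files/{file_id}?{query}"


def owner_emails(metadata: dict) -> list:
    """owners[] is only populated for My Drive files; shared-drive files have none."""
    return [o["emailAddress"] for o in metadata.get("owners", []) if "emailAddress" in o]


def fetch_owner_emails(url: str, api_key: str) -> list:
    """Live version: call files.get and return the owner addresses."""
    req = urllib.request.Request(metadata_url(extract_file_id(url), api_key))
    with urllib.request.urlopen(req, timeout=15) as resp:
        return owner_emails(json.load(resp))


# Constructed sample response (not a real API reply) for offline use.
SAMPLE_RESPONSE = {
    "kind": "drive#file",
    "id": "EXAMPLE_FILE_ID",
    "name": "ransom.gdoc",
    "mimeType": "application/vnd.google-apps.document",
    "owners": [{"kind": "drive#user", "displayName": "Example Owner",
                "emailAddress": "owner.example@example.com"}],
}

if __name__ == "__main__":
    link = "https://docs.google.com/document/d/EXAMPLE_FILE_ID/edit"  # constructed
    print("file id:", extract_file_id(link))
    print("owners (sample):", owner_emails(SAMPLE_RESPONSE))
    key = os.environ.get("DRIVE_API_KEY")
    if key:
        print("owners (live):", fetch_owner_emails(link, key))
```

The same lookup is why a "view-only" Drive link is not anonymous: anyone who holds the link can read the owner's account address from the metadata, so documents meant to be shared without attribution should be published from a throwaway account or a shared drive.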

FLAG - sdctf{0p3n_S0uRCE_1S_aMaz1NG}


Part of the ship

Solved by: Avantika(iamavu) and Starry-Lord

Part of the ship...
Sometimes I worry about my friend... he's way too into memes, he's always smiling, and he's always spouting nonsense about some "forbidden app." I don't know what he's talking about, but maybe you can help me figure it out! All I know is a username he used way back in the day. Good luck! Flag format is sdctf{flag}

Username
DanFlashes

“smiling” and “app” reminded me of iFunny. I went to https://ifunny.co/user/DanFlashes but it gave a 404, so the first thing I usually do is check the Wayback Machine, and boom, we got our flag: https://web.archive.org/web/20220128003432/https://ifunny.co/user/DanFlashes

FLAG - sdctf{morning_noon_and_night_I_meme}

Additional details:

https://ifunny.co/picture/top-definition-part-of-the-ship-part-of-the-crew-LKPb8Zjx7


Samuel

Solved by : Avantika(iamavu) and Starry-Lord

We have a YouTube video: https://www.youtube.com/watch?v=fDGVF1fK1cA. It shows a blurry night scene with a beacon going on and off, and what look like cable cars or planes in the distance. The short and long flashes seemed like Morse code. Here’s the decoded Morse:

WHWHWHGODWROUGHT

https://www.history.com/.amp/this-day-in-history/what-hath-god-wrought

According to the link, Samuel Morse demonstrated the telegraph in 1844 with the sentence “What hath God wrought”.

So we are looking for a beacon that sends this message in Morse code, and I found this: https://sculpturemagazine.art/mixed-messages-mark-bradfords-what-hath-god-wrought/

Avantika then found the location for this place on Google maps. https://www.google.com/maps/place/What+Hath+God+Wrought/@32.8752134,-117.2429636,17z/data=!3m1!4b1!4m5!3m4!1s0x80dc07e0d30e81a7:0x69087278617d6b1d!8m2!3d32.8752134!4d-117.2407749

sdctf{32.875,-117.240}

Paypal Playboy

Solved by: Starry-Lord

Link to the mail: https://cdn.discordapp.com/attachments/808487148332122144/969683292918001787/mbox

Reading the mail shows us a base64-encoded string; base64 is a commonly used Content-Transfer-Encoding for e-mails.

    From flag.peddler@wehate.sdc.tf Sat Apr 23 00:39:01 2022
    Delivered-To: [redacted]@gmail.com
    Received: by 2002:a05:6520:266f:b0:1b9:b81b:dce2 with SMTP id il15csp1101047lkb;
            Fri, 22 Apr 2022 17:39:02 -0700 (PDT)
    X-Google-Smtp-Source: ABdhPJzxwJlzfSGrxfS8BUrPyF3Rv2x9sStBn/U0tFRYMXyPsNYCyOVhWQQn7IKnPNjwjmMRrzkp
    X-Received: by 2002:a05:6402:d2:b0:413:2e50:d6fd with SMTP id i18-20020a05640200d200b004132e50d6fdmr7715550edu.171.1650674341863;
            Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1650674341; cv=none;
            d=google.com; s=arc-20160816;
            b=BnpreoBKj7rM/1WsS1qGkQIpbJ5Q7glsLDD6PWDJRM4ChXRSMefEmwqElRjZAsNnxQ
             WbkErwUv9FGbI9XDj0QRlgbcKOY+zfDryej6XaZQ7/YzfTNUYFVLQ9H1tFQvNV32oI9m
             2d8eZn4LyHtp4x4M2nIplYo9EWPUObAd9/V2ajSdVBagveQXocWA28Sdcy2bflA0SplT
             gOUu1TWsT1yD1aRwIzdwyJY8J139u02P7ZIjvO0OHunde46MKIlcA50KyumhKeTCyxqJ
             YLjmgyw6Aey6PlG224L9Mslkcg739k81aUKUTMflpKGqxzM75UZepuCoKyVcwpCp+3vc
             WFug==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=date:message-id:mime-version:reply-to:errors-to:importance:from
             :subject:to;
            bh=SklLFzj9D7lIOMbltmueGQUwZr9CMGutPIb3RqUNk6E=;
            b=EEGOb2Wm/rKABjU6iN1Cv+E3b6mU3Ke04PhXntTkpa7vGH8WeZg7GCfg7dmrBLGyDb
             nGC6L9utfPWqzL7tBmXDtyzqVJE/Qy82QujjnKuT5Vnxuwn1mU1ZOoAXr0KfyK8hOIe6
             jn2nQGeADRUuEedqomYGjUH6RGjuU536npXLWtqmwIwWIRv08UYkItB6ma5pDuuyEdId
             PBwv2ByfPMrReSahatKSk3FbvVuQMCqmHwSlvCIJC2fbNMVw64cQwyCP0sOl1CsFbu98
             UmtH/8ptv3tavNNjIpNqvwCFyp9pbvqZvhOUwDakqV6rY2USr51DIBFymLBllWiCHupb
             w2ZQ==
    ARC-Authentication-Results: i=1; mx.google.com;
           spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
    Return-Path: <flag.peddler@wehate.sdc.tf>
    Received: from emkei.cz (emkei.cz. [101.99.94.116])
            by mx.google.com with UTF8SMTPS id c1-20020a170906694100b006df76385bb2si7985374ejs.82.2022.04.22.17.39.01
            for <[redacted]@gmail.com>
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
    Received-SPF: neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) client-ip=101.99.94.116;
    Authentication-Results: mx.google.com;
           spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
    Received: by emkei.cz (Postfix, from userid 33)
            id 41BF9182372; Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
    To: [redacted]@gmail.com
    Subject: very cheap banner
    From: "cheap sdctf banner" <flag.peddler@wehate.sdc.tf>
    X-Priority: 3 (Normal)
    Importance: Normal
    Errors-To: flag.peddler@wehate.sdc.tf
    Reply-To: flag.peddler@wehate.sdc.tf
    MIME-version: 1.0
    Content-Type: multipart/mixed; boundary=BOUND_62634AA53D6521.02935547
    Message-Id: <20220423003901.41BF9182372@emkei.cz>
    Date: Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
    
    --BOUND_62634AA53D6521.02935547
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64
    
    5Zyj5Zyw5Lqa5ZOl572R57uc5a6J5YWo6L+Q5Yqo5Lya55qE5buJ5Lu35qiq5bmF44CC5oiQ5Li6
    IFNEQ1RGIOeahOi1ouWutuOAguW/q+aNt+aWueS+v+OAgueCueWHu+S4i+aWueOAguWco+WcsOS6
    muWTpee9kee7nOWuieWFqOi/kOWKqOS8mueahOW7ieS7t+aoquW5heOAguaIkOS4uiBTRENURiDn
    moTotaLlrrbjgILlv6vmjbfmlrnkvr/jgILngrnlh7vkuIvmlrnjgILlnKPlnLDkuprlk6XnvZHn
    u5zlronlhajov5DliqjkvJrnmoTlu4nku7fmqKrluYXjgILmiJDkuLogU0RDVEYg55qE6LWi5a62
    44CC5b+r5o235pa55L6/44CC54K55Ye75LiL5pa544CC5oKo5Lmf5Y+v5Lul5ZyoIFBheVBhbOaI
    luiAheWMuuWdl+mTvuS4iuaJvuWIsOaIkeS7rOOAgjB4QkFkLi4uQTQzQi4uLi4uIFNEQ1RGe+S8
    qumAoOeahF/ml5fluJx9IDPvuI/ig6Mg8J+SsCDinLPvuI8g8J+RnyDwn5izIPCfk5kg8J+NkyDw
    n5i6IPCfkYgg8J+UoCDwn4+eIPCflpYg8J+QviDwn4OPIPCflZUg8J+QtiDwn5uPIPCflJEg4p2H
    77iPIPCfkqkg4qyH77iPIPCfiLfvuI8g8J+RnSDwn5mIIPCfmoIg8J+UnSDimKog4pqh77iPIPCf
    k6wg8J+YtyDwn4+oIPCfmoQg8J+PmSDwn5WcIOKGmO+4jyDwn42VIPCfkagg8J+MjyDil77vuI8g
    8J+MjiDwn5i4IPCfjYQg4pyz77iPIPCflaEg8J+amyDwn5GnIPCflLsg4pmT77iPIPCflKAg8J+Y
    rQ==

mbox part 1/2

This is some text in Chinese, which translates to the following:

Then we also have an attachment, named “pay.png” in Chinese:

mbox part 2/2

    --BOUND_62634AA53D6521.02935547
    Content-Type: image/png; name="支付.png"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="支付.png"
    
    iVBORw0KGgoAAAANSUhEUgAAAUYAAAFOCAYAAAD6hLSdAAABPmlDQ1BJQ0MgUHJvZmlsZQAAKJFj
    YGASSCwoyGFhYGDIzSspCnJ3UoiIjFJgf8bAwiDMIMigxcCXmFxc4BgQ4ANUwgCjUcG3awyMIPqy
    Lsisncmnb3+YKdt7w+KqjrKaJjemehTAlZJanAyk/wBxYnJBUQkDA2MCkK1cXlIAYrcA2SJFQEcB
    2TNA7HQIew2InQRhHwCrCQlyBrKvANkCyRmJKUD2EyBbJwlJPB2JDbUXBNiNzH0DjI0JuJQMUJJa
    UQKinfMLKosy0zNKFByBIZSq4JmXrKejYGRgZMTAAApviOrPN8DhyCjGgRArBPrPypOBgSkXIZYQ
    wMCw4wPImwgxVR0GBp7jDAwHYgsSixLhDmD8xlKcZmwEYXNvZ2Bgnfb//+dwoJc1GRj+Xv////f2
    ////LmNgYL4F1PsNABfNXW1QnDRZAAAAYmVYSWZNTQAqAAAACAACARIAAwAAAAEAAQAAh2kABAAA
    AAEAAAAmAAAAAAADkoYABwAAABIAAABQoAIABAAAAAEAAAFGoAMABAAAAAEAAAFOAAAAAEFTQ0lJ
    AAAAU2NyZWVuc2hvdNuRKQwAAAI9aVRYdFhNTDpjb20uYWRvYmUueG1wAAAAAAA8eDp4bXBtZXRh
    IHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJYTVAgQ29yZSA2LjAuMCI+CiAgIDxy
    ZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4
    <--SNIP-->
    DtgBO+CN0eeAHbADdmDDAW+MG4b4rR2wA3bAG6PPATtgB+zAhgPeGDcM8Vs7YAfsgDdGnwN2wA7Y
    gQ0HvDFuGOK3dsAO2AFvjD4H7IAdsAMbDnhj3DDEb+2AHbAD3hh9DtgBO2AHNhzwxrhhiN/aATtg
    B7wx+hywA3bADmw44I1xwxC/tQN2wA54Y/Q5YAfsgB3YcMAb44YhfmsH7IAd8Mboc8AO2AE7sOGA
    N8YNQ/zWDtgBO/D/ATm6EF9LClK2AAAAAElFTkSuQmCC
    
    
    --BOUND_62634AA53D6521.02935547--

After decoding the base64 we get a QR code PNG.
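Instead of decoding the two base64 blobs by hand, the whole message can be handed to Python's email parser, which honours the Content-Transfer-Encoding of each MIME part and decodes the attachment's filename. This is an added example, not the writeup's code: RAW_MBOX is a constructed message with the same structure as the one above (mbox From line, SPF headers, a base64 text part and a base64 PNG attachment), but the sender, IP address, body text and image bytes are made up, and the Chinese filename is carried in the RFC 2231 form rather than as raw UTF-8 bytes in the header as in the original mail.

```python
"""Pull the text body, the attachment and the SPF verdict out of an mbox message.

Added example, not the writeup's own code. RAW_MBOX is a constructed
stand-in for the mail in the writeup: same header names and MIME layout,
made-up sender, IP, body text and image bytes. The PNG is only the
eight-byte signature plus filler, not a real image.
"""
import base64
import email
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample content (not the real mail's).
BODY_TEXT = "请扫码付款 SDCTF"          # "scan the code to pay" + the CTF name
FAKE_PNG = PNG_MAGIC + b"\x00" * 16      # signature only; stands in for the QR code

RAW_MBOX = (
    "From seller.example@example.invalid Sat Apr 23 00:39:01 2022\n"
    "Return-Path: <seller.example@example.invalid>\n"
    "Received-SPF: neutral (example.com: 192.0.2.10 is neither permitted nor denied"
    " by best guess record for domain of seller.example@example.invalid)"
    " client-ip=192.0.2.10;\n"
    "Authentication-Results: mx.example.com;\n"
    "       spf=neutral (example.com: 192.0.2.10 is neither permitted nor denied"
    " by best guess record for domain of seller.example@example.invalid)"
    " smtp.mailfrom=seller.example@example.invalid\n"
    "To: victim@example.com\n"
    "Subject: very cheap banner\n"
    "From: \"cheap banner\" <seller.example@example.invalid>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=BOUND_TEST\n"
    "\n"
    "--BOUND_TEST\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    f"{base64.b64encode(BODY_TEXT.encode('utf-8')).decode('ascii')}\n"
    "--BOUND_TEST\n"
    "Content-Type: image/png\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename*=utf-8''%E6%94%AF%E4%BB%98.png\n"
    "\n"
    f"{base64.b64encode(FAKE_PNG).decode('ascii')}\n"
    "--BOUND_TEST--\n"
).encode("utf-8")


def parse_message(raw: bytes):
    """Parse raw mbox bytes; the leading 'From ' line is kept as the unixfrom."""
    return email.message_from_bytes(raw)


def text_parts(msg) -> list:
    """Decoded text/plain bodies; get_payload(decode=True) undoes base64/QP."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            charset = part.get_content_charset() or "utf-8"
            out.append(part.get_payload(decode=True).decode(charset, "replace"))
    return out


def attachments(msg) -> list:
    """(filename, bytes) for every attachment; RFC 2231 names are decoded."""
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def spf_result(msg) -> str:
    """SPF verdict from Authentication-Results ('neutral' for the writeup's mail)."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else "none"


def is_png(data: bytes) -> bool:
    return data.startswith(PNG_MAGIC)


if __name__ == "__main__":
    msg = parse_message(RAW_MBOX)
    print("spf:", spf_result(msg))
    print("body:", text_parts(msg))
    for name, data in attachments(msg):
        print(f"attachment {name!r}: {len(data)} bytes, png={is_png(data)}")
        with open("attachment.png" if is_png(data) else "attachment.bin", "wb") as fh:
            fh.write(data)
```

The SPF check is worth keeping in the helper: the real mail above was relayed through a third-party sending service and only achieved spf=neutral under a "best guess" record, which is exactly the kind of header a mail filter or an analyst should weigh before trusting the From address.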

pay.png

Reading this with any QR code reader app gives a link to the seller’s Cash App page:

https://cash.app/$limosheen?qr=1

Nothing much in the URL itself, but now we have a username, “limosheen”, which we can hunt for.

Staying with money apps, we can find a PayPal user with that name here:

https://paypal.me/limosheen

New clues to work with! We can see a wallet address and that it’s for ropETH. I don’t think that’s a common way to call it, but we’re talking about the Ropsten Ethereum blockchain here, also known as the “Ethereum Testnet”. It’s basically used for development and testing purposes before deploying to the mainnet.

So now that we have the wallet and the blockchain, we can try and follow the money 💸

https://ropsten.etherscan.io/address/0xbad914d292cbfee9d93a6a7a16400cb53319a43b

We can see a small number of transactions from 15 days ago, and only one outgoing transaction to another wallet. Following the money, we can consider this wallet as interesting:

Receiving wallet (with a hefty amount of ETH and no outgoing transactions):

0x949213139D202115c8b878E8Af1F1D8949459f3f
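The "follow the money" step, walking outgoing transfers from the seed wallet until reaching wallets that never send anything on, as an added example that is not part of the writeup. TXS is a constructed transaction list; its rows borrow the field names of the account txlist JSON that block explorers such as Etherscan return (from, to, value in wei, timeStamp), which is an assumption about that format. The seed and receiving addresses are the two quoted above; FUNDER, HOP and FINAL and all amounts are made up.

```python
"""Follow outgoing transfers from a seed wallet to its dead-end receivers.

Added example, not from the writeup. TXS is constructed; the row shape
(from, to, value in wei, timeStamp) is assumed to match an explorer's
txlist output. Only the SEED and RECEIVER addresses come from the writeup.
"""
from collections import deque

SEED = "0xbad914d292cbfee9d93a6a7a16400cb53319a43b"          # from the writeup
RECEIVER = "0x949213139D202115c8b878E8Af1F1D8949459f3f"      # from the writeup
FUNDER = "0x" + "1" * 40      # constructed: funds the seed wallet
HOP = "0x" + "2" * 40         # constructed: intermediate wallet
FINAL = "0x" + "3" * 40       # constructed: dead end behind HOP

WEI = 10**18
TXS = [  # constructed transfers; gas costs are ignored throughout
    {"from": FUNDER, "to": SEED, "value": str(3 * WEI), "timeStamp": "1650000000"},
    {"from": FUNDER, "to": SEED, "value": str(2 * WEI), "timeStamp": "1650000600"},
    {"from": SEED, "to": RECEIVER, "value": str(4 * WEI), "timeStamp": "1650001200"},
    {"from": SEED, "to": HOP, "value": str(WEI // 2), "timeStamp": "1650001800"},
    {"from": HOP, "to": FINAL, "value": str(WEI // 4), "timeStamp": "1650002400"},
]


def norm(addr: str) -> str:
    """Addresses are case-insensitive; explorers mix checksum and lowercase forms."""
    return addr.lower()


def outgoing(txs, addr):
    a = norm(addr)
    return [t for t in txs if norm(t["from"]) == a]


def balance_eth(txs, addr) -> float:
    """Net ETH received minus sent, from the transfer list alone (no gas)."""
    a = norm(addr)
    received = sum(int(t["value"]) for t in txs if norm(t["to"]) == a)
    sent = sum(int(t["value"]) for t in txs if norm(t["from"]) == a)
    return (received - sent) / WEI


def follow_money(txs, seed, max_hops=5) -> dict:
    """Breadth-first walk along outgoing transfers.

    Returns {address: hops_from_seed} for every reached wallet that has no
    outgoing transaction, i.e. where the funds came to rest. With a live
    explorer each hop would need its own txlist query; here TXS already
    holds every hop.
    """
    start = norm(seed)
    seen = {start}
    queue = deque([(start, 0)])
    dead_ends = {}
    while queue:
        addr, depth = queue.popleft()
        outs = outgoing(txs, addr)
        if not outs and addr != start:
            dead_ends[addr] = depth
        if depth >= max_hops:
            continue
        for t in outs:
            nxt = norm(t["to"])
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return dead_ends


if __name__ == "__main__":
    for addr, hops in follow_money(TXS, SEED).items():
        print(f"{addr}: {hops} hop(s) from seed, holds {balance_eth(TXS, addr)} ETH")
```

On the constructed data the walk reaches the receiving wallet quoted above after one hop and a second dead end two hops out; the balance helper is what makes the "hefty amount of ETH and no outgoing transactions" observation reproducible rather than eyeballed.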

I got lucky on this one. I always considered Google to be the superior search engine, period, but for the first time, it was not showing anything. DuckDuckGo won this fight.

This URL was not available anymore, but looking back in time we can find the flag, still base64-encoded.

https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/

https://web.archive.org/web/*/https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/

Only one capture to look into:

sdctf{You_Ever_Dance_With_the_Devil_In_the_Pale_Moonlight}