osint
Mann-Hunt
Solved by: Avantika(iamavu)
Mann Hunt
We were on the trail of a notorious hacker earlier this week, but they suddenly went dark, taking down all of their internet presence...All we have is a username. We need you to track down their personal email address! It will be in the form ****.sdctf@gmail.com. Once you find it, send them an email to demand the flag!
Username
mann5549
We have a username mann5549, I checked in discord server, but couldn’t find anything
Let’s try to find social media accounts, usually I go with instant-username-search From there I got the twitter - https://twitter.com/mann5549
Which had the following website - https://mann.codes, though I couldn’t really find much on that website, even checked in WayBack Machine
Coding reminded me of GitHub, so I went and did a GitHub search for mann5549 but no such user, I though I should also query for the website name itself (mann.codes)
and I found the user. YAY.
Visiting the repository, and going through commits and specifically this file
[src/components/seo.js](https://github.com/manncyber/manncodes.github.io/commit/e81f6315e6a1ecc2277246547f85f3c9e0ebf11e#diff-46bb1d99a93bc5b6f63d50361abac9cc4c09038b92b77536c85a93ff2f8fc401)
I found a name
Let’s google this name and we get a LinkedIn the first search itself - https://www.linkedin.com/in/emanuel-hunt-34749a207/
A google drive file, let’s see what it is - https://drive.google.com/file/d/10No4G_5iv2t5jxbvg2-weXkFouZrnQtg/view No email sadly here D: but then I remembered we can look up metadata of google drive file via google’s API and possibly get the email let’s go to the Google API website - https://developers.google.com/drive/api/v3/reference/files/get
Reading the documentation, I realised we need the fileID, which is just present in the URL itself and we need to tell the API to show all possible field of metadata
Hit execute and boom we get the email ID - mann.sdctf@gmail.com
Now send a email to ID asking for flag, and soon we get a autoreply with the flag
FLAG - **sdctf{MaNN_tH@t_w@s_Ann0YinG}**
P.S.: Alternate way to check for docs email:
Google-Ransom
Solved by: Avantika (iamavu) and Starry-Lord
Google Ransom
Oh no! A hacker has stolen a flag from us and is holding it ransom. Can you help us figure out who created this document? Find their email address and demand they return the flag!
Ransom Letter - https://docs.google.com/document/d/1MbY-aT4WY6jcfTugUEpLTjPQyIL9pnZgX_jP8d8G2Uo/edit
We can find the owner of any drive file via google API, simply query the fileID which is present in the URL itself https://developers.google.com/drive/api/v3/reference/files/get
the * tells to print all possible fields in the metadata, we get the email as amy.sdctf@gmail.com send them a email and we get back our flag
FLAG - sdctf{0p3n_S0uRCE_1S_aMaz1NG}
Part of the ship
Solved by: Avantika(iamavu) and Starry-Lord
Part of the ship...
Sometimes I worry about my friend... he's way too into memes, he's always smiling, and he's always spouting nonsense about some "forbidden app." I don't know what he's talking about, but maybe you can help me figure it out! All I know is a username he used way back in the day. Good luck! Flag format is sdctf{flag}
Username
DanFlashes
“smiling” and “app”, reminded me of iFunny , I went to https://ifunny.co/user/DanFlashes but it gave a 404, so first thing usually which I do is check on wayback machine and boom, we got our flag https://web.archive.org/web/20220128003432/https://ifunny.co/user/DanFlashes
FLAG - sdctf{morning_noon_and_night_I_meme}
Additional details:
https://ifunny.co/picture/top-definition-part-of-the-ship-part-of-the-crew-LKPb8Zjx7
Samuel
Solved by : Avantika(iamavu) and Starry-Lord
We have a youtube video https://www.youtube.com/watch?v=fDGVF1fK1cA. We can see a blurry video, with a beacon going on and off in the night, with what seems like cable-cars or planes in the distance. Short light and long lights seemed like morse code. Here’s the decoded morse.
WHWHWHGODWROUGHT
https://www.history.com/.amp/this-day-in-history/what-hath-god-wrought
According to the link, Samuel Morse demonstrated the telegraph in 1844 with the sentence “what had God wrought”.
So we are looking for a beacon that sends the message in morse code, and I found this https://sculpturemagazine.art/mixed-messages-mark-bradfords-what-hath-god-wrought/
Avantika then found the location for this place on Google maps. https://www.google.com/maps/place/What+Hath+God+Wrought/@32.8752134,-117.2429636,17z/data=!3m1!4b1!4m5!3m4!1s0x80dc07e0d30e81a7:0x69087278617d6b1d!8m2!3d32.8752134!4d-117.2407749
sdctf{32.875,-117.240}
Paypal Playboy
Solved by: Starry-Lord
link for the mail: https://cdn.discordapp.com/attachments/808487148332122144/969683292918001787/mbox
Reading the mail shows us some base 64 encoded string, which is a commonly used Content-Transfer-Encoding for e-mails.
From flag.peddler@wehate.sdc.tf Sat Apr 23 00:39:01 2022
Delivered-To: [redacted]@gmail.com
Received: by 2002:a05:6520:266f:b0:1b9:b81b:dce2 with SMTP id il15csp1101047lkb;
Fri, 22 Apr 2022 17:39:02 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzxwJlzfSGrxfS8BUrPyF3Rv2x9sStBn/U0tFRYMXyPsNYCyOVhWQQn7IKnPNjwjmMRrzkp
X-Received: by 2002:a05:6402:d2:b0:413:2e50:d6fd with SMTP id i18-20020a05640200d200b004132e50d6fdmr7715550edu.171.1650674341863;
Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650674341; cv=none;
d=google.com; s=arc-20160816;
b=BnpreoBKj7rM/1WsS1qGkQIpbJ5Q7glsLDD6PWDJRM4ChXRSMefEmwqElRjZAsNnxQ
WbkErwUv9FGbI9XDj0QRlgbcKOY+zfDryej6XaZQ7/YzfTNUYFVLQ9H1tFQvNV32oI9m
2d8eZn4LyHtp4x4M2nIplYo9EWPUObAd9/V2ajSdVBagveQXocWA28Sdcy2bflA0SplT
gOUu1TWsT1yD1aRwIzdwyJY8J139u02P7ZIjvO0OHunde46MKIlcA50KyumhKeTCyxqJ
YLjmgyw6Aey6PlG224L9Mslkcg739k81aUKUTMflpKGqxzM75UZepuCoKyVcwpCp+3vc
WFug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:mime-version:reply-to:errors-to:importance:from
:subject:to;
bh=SklLFzj9D7lIOMbltmueGQUwZr9CMGutPIb3RqUNk6E=;
b=EEGOb2Wm/rKABjU6iN1Cv+E3b6mU3Ke04PhXntTkpa7vGH8WeZg7GCfg7dmrBLGyDb
nGC6L9utfPWqzL7tBmXDtyzqVJE/Qy82QujjnKuT5Vnxuwn1mU1ZOoAXr0KfyK8hOIe6
jn2nQGeADRUuEedqomYGjUH6RGjuU536npXLWtqmwIwWIRv08UYkItB6ma5pDuuyEdId
PBwv2ByfPMrReSahatKSk3FbvVuQMCqmHwSlvCIJC2fbNMVw64cQwyCP0sOl1CsFbu98
UmtH/8ptv3tavNNjIpNqvwCFyp9pbvqZvhOUwDakqV6rY2USr51DIBFymLBllWiCHupb
w2ZQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
Return-Path: <flag.peddler@wehate.sdc.tf>
Received: from emkei.cz (emkei.cz. [101.99.94.116])
by mx.google.com with UTF8SMTPS id c1-20020a170906694100b006df76385bb2si7985374ejs.82.2022.04.22.17.39.01
for <[redacted]@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
Received-SPF: neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) client-ip=101.99.94.116;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
Received: by emkei.cz (Postfix, from userid 33)
id 41BF9182372; Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
To: [redacted]@gmail.com
Subject: very cheap banner
From: "cheap sdctf banner" <flag.peddler@wehate.sdc.tf>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: flag.peddler@wehate.sdc.tf
Reply-To: flag.peddler@wehate.sdc.tf
MIME-version: 1.0
Content-Type: multipart/mixed; boundary=BOUND_62634AA53D6521.02935547
Message-Id: <20220423003901.41BF9182372@emkei.cz>
Date: Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
--BOUND_62634AA53D6521.02935547
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
5Zyj5Zyw5Lqa5ZOl572R57uc5a6J5YWo6L+Q5Yqo5Lya55qE5buJ5Lu35qiq5bmF44CC5oiQ5Li6
IFNEQ1RGIOeahOi1ouWutuOAguW/q+aNt+aWueS+v+OAgueCueWHu+S4i+aWueOAguWco+WcsOS6
muWTpee9kee7nOWuieWFqOi/kOWKqOS8mueahOW7ieS7t+aoquW5heOAguaIkOS4uiBTRENURiDn
moTotaLlrrbjgILlv6vmjbfmlrnkvr/jgILngrnlh7vkuIvmlrnjgILlnKPlnLDkuprlk6XnvZHn
u5zlronlhajov5DliqjkvJrnmoTlu4nku7fmqKrluYXjgILmiJDkuLogU0RDVEYg55qE6LWi5a62
44CC5b+r5o235pa55L6/44CC54K55Ye75LiL5pa544CC5oKo5Lmf5Y+v5Lul5ZyoIFBheVBhbOaI
luiAheWMuuWdl+mTvuS4iuaJvuWIsOaIkeS7rOOAgjB4QkFkLi4uQTQzQi4uLi4uIFNEQ1RGe+S8
qumAoOeahF/ml5fluJx9IDPvuI/ig6Mg8J+SsCDinLPvuI8g8J+RnyDwn5izIPCfk5kg8J+NkyDw
n5i6IPCfkYgg8J+UoCDwn4+eIPCflpYg8J+QviDwn4OPIPCflZUg8J+QtiDwn5uPIPCflJEg4p2H
77iPIPCfkqkg4qyH77iPIPCfiLfvuI8g8J+RnSDwn5mIIPCfmoIg8J+UnSDimKog4pqh77iPIPCf
k6wg8J+YtyDwn4+oIPCfmoQg8J+PmSDwn5WcIOKGmO+4jyDwn42VIPCfkagg8J+MjyDil77vuI8g
8J+MjiDwn5i4IPCfjYQg4pyz77iPIPCflaEg8J+amyDwn5GnIPCflLsg4pmT77iPIPCflKAg8J+Y
rQ==
mbox part 1/2
This is some text in Chinese, which translates to the following:
Then we also have an attachment, named “pay.png” in Chinese:
mbox part 2/2
--BOUND_62634AA53D6521.02935547
Content-Type: image/png; name="支付.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="支付.png"
iVBORw0KGgoAAAANSUhEUgAAAUYAAAFOCAYAAAD6hLSdAAABPmlDQ1BJQ0MgUHJvZmlsZQAAKJFj
YGASSCwoyGFhYGDIzSspCnJ3UoiIjFJgf8bAwiDMIMigxcCXmFxc4BgQ4ANUwgCjUcG3awyMIPqy
Lsisncmnb3+YKdt7w+KqjrKaJjemehTAlZJanAyk/wBxYnJBUQkDA2MCkK1cXlIAYrcA2SJFQEcB
2TNA7HQIew2InQRhHwCrCQlyBrKvANkCyRmJKUD2EyBbJwlJPB2JDbUXBNiNzH0DjI0JuJQMUJJa
UQKinfMLKosy0zNKFByBIZSq4JmXrKejYGRgZMTAAApviOrPN8DhyCjGgRArBPrPypOBgSkXIZYQ
wMCw4wPImwgxVR0GBp7jDAwHYgsSixLhDmD8xlKcZmwEYXNvZ2Bgnfb//+dwoJc1GRj+Xv////f2
////LmNgYL4F1PsNABfNXW1QnDRZAAAAYmVYSWZNTQAqAAAACAACARIAAwAAAAEAAQAAh2kABAAA
AAEAAAAmAAAAAAADkoYABwAAABIAAABQoAIABAAAAAEAAAFGoAMABAAAAAEAAAFOAAAAAEFTQ0lJ
AAAAU2NyZWVuc2hvdNuRKQwAAAI9aVRYdFhNTDpjb20uYWRvYmUueG1wAAAAAAA8eDp4bXBtZXRh
IHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJYTVAgQ29yZSA2LjAuMCI+CiAgIDxy
ZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4
<--SNIP-->
DtgBO+CN0eeAHbADdmDDAW+MG4b4rR2wA3bAG6PPATtgB+zAhgPeGDcM8Vs7YAfsgDdGnwN2wA7Y
gQ0HvDFuGOK3dsAO2AFvjD4H7IAdsAMbDnhj3DDEb+2AHbAD3hh9DtgBO2AHNhzwxrhhiN/aATtg
B7wx+hywA3bADmw44I1xwxC/tQN2wA54Y/Q5YAfsgB3YcMAb44YhfmsH7IAd8Mboc8AO2AE7sOGA
N8YNQ/zWDtgBO/D/ATm6EF9LClK2AAAAAElFTkSuQmCC
--BOUND_62634AA53D6521.02935547--
After decoding base 64 we get a qr code png.
Reading this with any qr code reader app gives a link to the cash app page of the seller.
https://cash.app/$limosheen?qr=1
Nothing much in the url itself, but now we have a username “limosheen” which we can hunt for.
Staying in the money app spectrum, we could find a paypal user with that name here:
https://paypal.me/limosheen
New clues to work with! We can see a wallet address and that it’s for ropETH. I don’t think it’s a common way to call it, but we’re talking about the Ropsten Ethereum blockhain here, which is also known as the “Ethereum Testnet”. It’s basically used for development and testing purposes before deploying to the mainnet.
So now that we have the wallet and the blockchain, we can try and follow the money 💸
https://ropsten.etherscan.io/address/0xbad914d292cbfee9d93a6a7a16400cb53319a43b
We can see a small amount of transactions happening 15 days ago, and only one outgoing transaction to another wallet. Following the money, we can consider this wallet as interesting:
Receiving wallet (with a hefty amount of ETH and no outgoing transactions):
0x949213139D202115c8b878E8Af1F1D8949459f3f
I got lucky on this one. I always considered Google to be the superior search engine, period, but for the first time, it was not showing anything. DuckDuckGo won this fight.
This url was not available anymore, but when looking back in time we can find the flag, still base 64 encoded.
https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/
https://web.archive.org/web/*/https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/
Only one capture to look into:
sdctf{You_Ever_Dance_With_the_Devil_In_the_Pale_Moonlight}