Friday, September 27, 2013

CSAW CTF Quals: Recon All

Jordan Wiens (100):


The Jordan Wiens recon began where 2012's recon ended, at key.psifertex.com. His site gave the hint, "Michael Vario sure does some suspicious signs, hope he doesn't do me." This led us to Google Michael Vario and find that his name was often associated with the PGP key world. Searching Jordan Wiens in a public PGP key database (pgp.mit.edu, any database works) showed a public key with the User ID "Jordan Wiens (CSAW folks: getting warmer) <csaw@psifertex.com>". It also showed the key having a "user attribute packet". After musing over this hint for far too much time, we decided to look into what a "user attribute packet" was. Turns out it is a picture embedded in the public key. We were able to find a database which displays a "user attribute packet" inline with the web page (keyserver.gazzang.net). Searching Jordan Wiens in this database resulted in a picture with the key handwritten out.
key{mvarioisnotmyhomeboy}
-wardawg
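
The user attribute packet described above, as an added example (not part of the original write-up): a minimal parser that walks a binary OpenPGP key and returns the image stored in tag 17 packets, following the RFC 4880 packet layout. The function names and the sample key bytes are constructed for illustration; partial-body and indeterminate lengths are not handled.

```python
def read_length(buf, i, two_octet_max):
    """Decode a 1-, 2- or 5-octet OpenPGP length at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled here")

def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag = hdr & 0x3F
            n, i = read_length(data, i + 1, 223)
        else:                                   # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if width == 8:
                raise ValueError("indeterminate length is not handled here")
            n = int.from_bytes(data[i + 1:i + 1 + width], "big")
            i += 1 + width
        yield tag, data[i:i + n]
        i += n

def embedded_images(data):
    """Return the image bytes of every image subpacket in User Attribute packets (tag 17)."""
    images = []
    for tag, body in packets(data):
        j = 0
        while tag == 17 and j < len(body):
            n, j = read_length(body, j, 254)    # n covers the type octet plus data
            sub_type, sub = body[j], body[j + 1:j + n]
            j += n
            if sub_type == 1:                   # image attribute subpacket
                hdr_len = int.from_bytes(sub[:2], "little")   # 16 for header version 1
                images.append(sub[hdr_len:])
    return images

# Constructed sample: User ID packet, then a User Attribute packet holding a fake JPEG.
FAKE_JPEG = b"\xff\xd8\xff\xe0constructed\xff\xd9"
sub_pkt = b"\x01" + b"\x10\x00\x01\x01" + bytes(12) + FAKE_JPEG
SAMPLE = b"\xcd\x05alice" + b"\xd1" + bytes([len(sub_pkt) + 1, len(sub_pkt)]) + sub_pkt
```

On a real key, pass in the bytes produced by `gpg --export <keyid>` and write each returned item to a `.jpg` file to view it.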

Odin (100):


Looking at the Whoami on snOwDIN in the IRC gave the hint linkedin:chinesespies. This led us to search the user chinesespies on LinkedIn. It turned out to be an "Eddie Snowdin" spoof account with the key written out in the Skills & Expertise section.
key{cookies_are_for_csaw}
-wardawg, 

Brandon Edwards (100):


Searching Google, we found that Brandon Edwards is often referred to as drraid. Searching drraid in Google led us to his GitHub account. Scrolling through the posts allowed us to find: "Hai Guys, for CSAW CTF Judge responsibility I have to hide a recon key." The key is located in the post at: Github
key{a959962111ea3fed179eb044d5b80407}
-hawkeye

Julian Cohen (100):


Some googling found that his handle is HockeyInJune. Searching this gave his Wikipedia user page User:HockeyInJune, which only displayed "Check out my new website omnom.nom.co". Visiting the site's IP address gave the key.
key{1a8024a820bdc7b31b79a2d3a9ae7c02}
-wardawg, lilniqy



Theodore Reed (100):

A hint was that it was within 3 clicks of prosauce.org, with that number increasing to 4 due to "asshole" CTF players. I took that last addition to mean that there was some sort of user comment functionality which would allow for this number to change, and require an extra click to get to. I wget'ed off of prosauce.org with
wget -e robots=off --tries=40 -r -H -l 4 prosauce.org
This downloaded everything. I then recursively grepped for the key, printing out each file that contained "key=". Looking through the list, I found a YouTube link, with a comment as the key.

The YouTube comment didn't have "key=", ironically, so I thank the people at YouTube for including that somewhere in their code and matching my search term.

http://www.youtube.com/all_comments?v=RCTRSK45bS4
key{shmoonconrocksglhfwithcsaw}

-albinotomato
