Overview

Task description: It is up to you to determine who The Enemy is going to attack next and when they plan to strike! Their newest recruit is on twitter as DarkRoom8109. Good luck. nc misc.chal.csaw.io 5005

This Open-Source Intelligence task was a cool “Schnitzeljagd” (scavenger hunt). The task goal is stated in the description above. For the research we used tools like TWINT, Sherlock and the OSINT Framework.

Tools in action

TWINT

TWINT is a Python 3 based command line tool for scraping user data from Twitter such as tweets, followers or media posts, without using the Twitter API or any authentication. “TWINT utilizes Twitter’s search operator to let you scrape Tweets from specific users. You can easily scrape up to 3200 Tweets (Limit by Twitter).”

The project README describes some basic commands to search all tweets posted by one user:

  • twint -u username - Scrape all the Tweets of a user (doesn’t include retweets but includes replies).
  • twint -u username -s pineapple - Scrape all Tweets from the user’s timeline containing pineapple.
  • twint -s pineapple - Collect every Tweet containing pineapple from everyone’s Tweets.
  • twint -u username --year 2014 - Collect Tweets that were tweeted before 2014.

It’s possible to set an upper bound and search only for tweets before this date.

Sherlock

Sherlock, a Python 3 based tool like TWINT, hunts down usernames across social networks. Most people reuse the same username on different services and websites, which makes it possible to track a person across multiple platforms and gain more vectors for gathering information, provided it is verified that the found accounts belong to the same person. The tool accepts more than one username per request.

$ sherlock --help
usage: sherlock [-h] [--version] [--verbose] [--folderoutput FOLDEROUTPUT] [--output OUTPUT] [--tor] [--unique-tor] [--csv] [--xlsx] [--site SITE_NAME] [--proxy PROXY_URL] [--json JSON_FILE] [--timeout TIMEOUT]
                [--print-all] [--print-found] [--no-color] [--browse] [--local]
                USERNAMES [USERNAMES ...]

Sherlock: Find Usernames Across Social Networks (Version 0.14.0)

positional arguments:
  USERNAMES             One or more usernames to check with social networks.

options:
  -h, --help            show this help message and exit
  --version             Display version information and dependencies.
  --verbose, -v, -d, --debug
                        Display extra debugging information and metrics.
  --folderoutput FOLDEROUTPUT, -fo FOLDEROUTPUT
                        If using multiple usernames, the output of the results will be saved to this folder.
  --output OUTPUT, -o OUTPUT
                        If using single username, the output of the result will be saved to this file.
  --tor, -t             Make requests over Tor; increases runtime; requires Tor to be installed and in system path.
  --unique-tor, -u      Make requests over Tor with new Tor circuit after each request; increases runtime; requires Tor to be installed and in system path.
  --csv                 Create Comma-Separated Values (CSV) File.
  --xlsx                Create the standard file for the modern Microsoft Excel spreadsheet (xslx).
  --site SITE_NAME      Limit analysis to just the listed sites. Add multiple options to specify more than one site.
  --proxy PROXY_URL, -p PROXY_URL
                        Make requests over a proxy. e.g. socks5://127.0.0.1:1080
  --json JSON_FILE, -j JSON_FILE
                        Load data from a JSON file or an online, valid, JSON file.
  --timeout TIMEOUT     Time (in seconds) to wait for response to requests. Default timeout is infinity. A longer timeout will be more likely to get results from slow sites. On the other hand, this may cause a
                        long delay to gather all results.
  --print-all           Output sites where the username was not found.
  --print-found         Output sites where the username was found.
  --no-color            Don't color terminal output
  --browse, -b          Browse to all results on default browser.
  --local, -l           Force the use of the local data.json file.

OSINT Framework

The OSINT FW is a website with handy tools and hints. https://osintframework.com/

The Mission

Okay then, enough about tools… let’s get our hands dirty!

With the description of the task, we got a starting point.

There is a Twitter profile named DarkRoom8109; on his timeline we found 14 tweets, two of them pictures. We used twint to get an overview of this user. DarkRoom8109 has retweeted a message from Brandon (Rossi @0xConda). This information can be gathered by using twint or by scrolling through his timeline.

$ twint --username DarkRoom8109
1563356916881174529 2022-08-27 02:45:09 +0000 <darkroom8109> Why are programmers good at road trips? They know how to handle hard drives.
1563356486818234369 2022-08-27 02:43:26 +0000 <darkroom8109> Do developers have interests? Heaps.
1562574222127689728 2022-08-24 22:55:00 +0000 <darkroom8109> Yikes. Thank goodness you can delete tweets!
1555754550224490498 2022-08-06 03:16:03 +0000 <darkroom8109> Anyone else?  https://t.co/GFYnACUEyW
1555754376379043840 2022-08-06 03:15:22 +0000 <darkroom8109> oh  https://t.co/GOFvtiOQU5
1555752592835485697 2022-08-06 03:08:17 +0000 <darkroom8109> Who is in town rn? I just want to leave my problems on the dance floor #demoted
1555752201049427968 2022-08-06 03:06:43 +0000 <darkroom8109> Should I ask for a raise to go with my promotion? It was a raise in title only...
1555751909817851905 2022-08-06 03:05:34 +0000 <darkroom8109> Does anyone have any recommendations for where I can get a good cup of tea?
1555751794726146049 2022-08-06 03:05:06 +0000 <darkroom8109> I can't believe I'll be going abroad soon!
1555751379292958720 2022-08-06 03:03:27 +0000 <darkroom8109> Got promoted!
1555750991277879296 2022-08-06 03:01:55 +0000 <darkroom8109> Why did the cyber spy get fired? They couldn't hack it
1555750710456659968 2022-08-06 03:00:48 +0000 <darkroom8109> What do computers order at the bar? Screen shots
1555362568931254274 2022-08-05 01:18:28 +0000 <darkroom8109> When you see an email for free pizza, don't click on the URL.   Don't ask me how I know this.
1555358751703678978 2022-08-05 01:03:18 +0000 <darkroom8109> I never lock my computer when I leave, I just enter vim.
[!] No more data! Scraping will stop now.
found 0 deleted tweets in this search.

Objective one

The first question to answer is:

When did the enemy agent join twitter? Please use the format MM/YYYY

We can easily use the Twitter profile information “Joined XYZ”.

So we have some data points and tools to get the answer.

Objective two

What is the spy’s github username?

We tried to find a GitHub user with sherlock:

$ python3 sherlock DarkRoom8109
[*] Checking username DarkRoom8109 on:

[+] AllMyLinks: https://allmylinks.com/DarkRoom8109
[+] GitHub: https://www.github.com/DarkRoom8109
[+] Quizlet: https://quizlet.com/DarkRoom8109
[+] Star Citizen: https://robertsspaceindustries.com/citizens/DarkRoom8109
[+] Twitter: https://twitter.com/DarkRoom8109
[+] Whonix Forum: https://forums.whonix.org/DarkRoom8109

[*] Results: 6

[!] End:  The processing has been finished.

But all hits on “DarkRoom8109” are dead ends (note: since 2022-09-10 there is a “DarkRoom8109” GitHub user; at the time of the CTF this profile could not be found (404 on GitHub)). Dead end? Hmm… We need to take a step back and look at the information and data points we have already gathered. As we can see in picture three, our target has sent 14 tweets. Thanks to Raffi Krikorian we know more about the “anatomy of a tweet”.

There is a field within the tweet JSON called statuses_count, which holds the number of all tweets the account has ever posted… socialbearing.com, a search and analysis tool for Twitter, displays this value. Now we know there are 15 tweets, not only 14. Okay, but what now?

This would be a great moment for a “back to the future” meme….

Okay, it’s Wayback time. For the URL https://twitter.com/darkroom8109 the Wayback Machine (WBM) has two snapshots. Let’s have a look at 2022-08-17 first because it’s the oldest snapshot.

Oh, snap… Nothing new! Okay, try the 20th of August now!

Et voilà:

deleted tweet
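The count mismatch and the snapshot lookup above, as an added example that is not part of the original writeup: it parses twint’s one-tweet-per-line output, compares the visible tweets with a profile’s statuses_count, and lists Wayback Machine CDX snapshots oldest first. The twint lines, the profile JSON and the CDX reply are constructed stand-ins for what the real tools return.

```python
import json
import re
from datetime import datetime

# Twint prints one tweet per line: "<id> <date> <time> <tz> <handle> text".
TWINT_LINE = re.compile(r"^(\d+) (\S+ \S+ \S+) <(\w+)> (.*)$")

# Constructed sample: two lines of the scrape shown above plus twint's trailer.
TWINT_OUTPUT = """\
1563356916881174529 2022-08-27 02:45:09 +0000 <darkroom8109> Why are programmers good at road trips?
1562574222127689728 2022-08-24 22:55:00 +0000 <darkroom8109> Yikes. Thank goodness you can delete tweets!
[!] No more data! Scraping will stop now.
"""

# Constructed stand-in for the user object in the tweet JSON; statuses_count
# counts everything the account ever posted, deleted tweets included.
PROFILE_JSON = '{"screen_name": "DarkRoom8109", "statuses_count": 3}'

# Constructed stand-in for a Wayback Machine CDX reply (cdx/search/cdx?url=...&output=json):
# header row, then [urlkey, timestamp, original, mimetype, statuscode, digest, length].
CDX_JSON = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,twitter)/darkroom8109", "20220820113000", "https://twitter.com/darkroom8109", "text/html", "200", "DIGEST-A", "100"],
    ["com,twitter)/darkroom8109", "20220817090000", "https://twitter.com/darkroom8109", "text/html", "200", "DIGEST-B", "100"],
])

def parse_twint(text):
    """Return scraped tweets as (id, handle, text) tuples, skipping twint's status lines."""
    tweets = []
    for line in text.splitlines():
        m = TWINT_LINE.match(line)
        if m:
            tweets.append((int(m.group(1)), m.group(3), m.group(4)))
    return tweets

def missing_tweets(profile_json, scraped):
    """statuses_count minus what is still visible; anything above 0 was deleted (or hidden)."""
    return json.loads(profile_json)["statuses_count"] - len(scraped)

def snapshots_oldest_first(cdx_json):
    """Timestamps of the archived (HTTP 200) snapshots, oldest first, as datetimes."""
    rows = json.loads(cdx_json)[1:]  # drop the header row
    return sorted(datetime.strptime(r[1], "%Y%m%d%H%M%S") for r in rows if r[4] == "200")

if __name__ == "__main__":
    scraped = parse_twint(TWINT_OUTPUT)
    print("deleted tweets:", missing_tweets(PROFILE_JSON, scraped))
    print("oldest snapshot:", snapshots_oldest_first(CDX_JSON)[0])
```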

Objective three

What is the full name of the file that contains communications between The Enemy and the Evil Spy?

We have a new source of information about our target. Let’s have a look around the GitHub account: profile, repositories and so on. There is a repository called “Chat-App”… Great idea to host your tools for shady use on a publicly available platform.

import socket

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


ip = input("Enter IP Address: ")
port = int(input("Enter Port Number: "))

client.connect((ip, port))

#client.connect(("localhost", 9999))

done = False

f = open('log.txt', 'w')

while not done:
        sent = input("Message: ")
        f.write("Client: "+sent +"\n")
        client.send(sent.encode('utf-8'))
        received = client.recv(1024).decode('utf-8')
        f.write("Server: " + received+"\n")
        if received == 'quit':
                done = True
        else:
                print(received)

This is the client.py script. At line 15 there is an open('log.txt', 'w') statement. The same file name is used within the server.py file, nothing suspicious there. We checked the commits of this repository as well and found proof that our guess was right: log.txt must be the answer for objective three.

We found another data point, as well.

Objective four

Behind bit.ly/evilevilinfo there is an audio file… It’s Morse code, right?

With some assistance from morsecode.world we could translate the Morse code to English:

HELLO EVIL AGENT YOUR NEXT TARGET IS A BANK THE BANK’S BIN NUMBER IS 452234 THE TARGETS SWIFT CODE IS YOUR PASSWORD FOR MORE INSTRUCTIONS VISIT BIT.LY SLASH OSINTSEC GOOD LUCK

Well, this is some serious information, we must be on the right track.
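The Morse decoding step above, as an added example that is not from the writeup (there morsecode.world did the work): a timing-based decoder of the kind an audio decoder runs once it has measured tone and silence lengths, plus an encoder that produces such timings for testing. The message constant is the decoded text from the writeup; the unit length of 0.06 s is a constructed value, and the decoder assumes the message contains at least one dot.

```python
# Morse table: letters, digits and the two punctuation marks in the message.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", ".----.": "'",
}
CODE = {char: code for code, char in MORSE.items()}

# Constructed test message: the first part of the decoded text from the writeup.
MESSAGE = "HELLO EVIL AGENT YOUR NEXT TARGET IS A BANK THE BANK'S BIN NUMBER IS 452234"

def to_timings(text, unit=0.06):
    """Encode text as alternating tone/silence durations in seconds: dot = 1 unit,
    dash = 3, gap inside a letter = 1, between letters = 3, between words = 7."""
    out = []
    for w, word in enumerate(text.upper().split()):
        if w:
            out[-1] = 7 * unit            # widen the last silence into a word gap
        for c, char in enumerate(word):
            if c:
                out[-1] = 3 * unit        # ... or into a letter gap
            for symbol in CODE[char]:
                out.append((3 if symbol == "-" else 1) * unit)
                out.append(unit)
    return out

def from_timings(timings):
    """Decode alternating tone/silence durations. The unit is taken from the
    shortest tone, so the sending speed need not be known; the thresholds at
    2 and 5 units leave room for some timing jitter in the recording."""
    tones = timings[0::2]
    gaps = timings[1::2][: len(tones) - 1] + [float("inf")]  # end of input ends the last word
    unit = min(tones)
    words, letters, current = [], [], ""
    for tone, gap in zip(tones, gaps):
        current += "-" if tone > 2 * unit else "."
        if gap > 2 * unit:                # letter finished
            letters.append(MORSE.get(current, "?"))
            current = ""
            if gap > 5 * unit:            # word finished
                words.append("".join(letters))
                letters = []
    return " ".join(words)
```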

We must dig up some information about this bank. The evil handler has provided the Bank Identification Number, BIN for short. We need to find the bank’s SWIFT code to unlock the PDF. With binlist.net we got the bank behind BIN 452234: it’s the “Toronto-Dominion Bank”, based in Toronto, Ontario, Canada.

Which country is the target based in?

“O Canada”… okay, it’s just “canada”.

Objective five

What is the target’s international Swift code?

The SWIFT code of the Toronto-Dominion Bank is still unknown, and we need it to open this PDF… With the bank’s name, we can look up this last piece of information on bank-code.net.

We got five hits for TDB in Canada, two of them in Toronto. So we tried the two Toronto hits, starting with TDOMCATTXXX. Spoiler: it’s not the right answer. Let’s try TDOMCATTTOR… Jackpot!

Now we can open the pdf as well! It was late already, and I have decided to take a break until the next day.

Objective six

What is a crime? Hint: it is two words

cherryNo.7 got the final hit on question six. He checked the PDF properties and got the answer “Copyright Infringement”.

$ pdfinfo -opw TDOMCATTTOR YoureSoClose.pdf
Title:          Remember: Copyright Infringement is Against the Law
Creator:        Adobe Acrobat 22.2
Producer:       macOS Version 12.4 (Build 21F79) Quartz PDFContext
CreationDate:   Sat Aug 27 05:35:13 2022 CEST
ModDate:        Sat Aug 27 05:35:13 2022 CEST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      yes (print:yes copy:yes change:no addNotes:yes algorithm:AES)
Page size:      720 x 1082.88 pts
Page rot:       0
File size:      2928087 bytes
Optimized:      no
PDF version:    1.6

flag{C0N6r475463N7600DW0rKN3X771M3N0PU811C53rV3r}

This task was fun! Thanks to our hosts at “CSAW CTF by NYU”.