It covers some tips, strategies, and common mistakes to avoid in order to get the most out of OSINT CTFs.

#osint #ctf

Tips

1. Zoom! Enhance
2. There is no substitution for scrolling
   • scroll geolocated posts on IG
   • scroll profile posts+tweets
3. Screen cap or it didn't happen.
4. Link usernames to other profiles.
5. Family trees have handy information

Takeaways

Collection

• Annotations are fine on screenshots for proof. However, evaluate the time it will take vs being able to concisely provide links and information using text.

Tools

• Tools aren't really required to do good OSINT work. It ends up just complicating your workflow. Focus on good analysis.

Strategy

• You should be able to submit a few hundred points in the first 30 mins. If you can't the subject may not have enough information to analyse.

• Sometimes you cannot submit the same link twice. To get around this, submit a link to the specific post or information. This can sometimes be done via permalinks and via embed/share options.

• Aim for 150-200 points in the first 20 minutes. This creates a good feedback loop for your brain to keep looking.

• Low point flags must be submitted — STACK and LAYER until you hit a wall. Rinse and repeat.

• Aim: decrease Time:Points ratio.

Submissions

• Build your case with low point flags e.g. facebook profile —> confirmed. Utilise this to build bigger flags and mention that “since the fb account was confirmed previously...”

• You won't always have the same judge. Therefore, always substantiate – especially towards the end.

• Create rapport with your judge where possible. E.g. a group chat with the judge and your team in Slack (DM).

Submission Example

e.g. sister's fb page

• Screenshot of information [the flag]
• Proof = public link to sister's fb page
• Relevance = “there could potentially be comments or interactions on this facebook page relating to the subject”
• Substantiation / Evidence = Include a link to the specific page and write how this is showing the above e.g. sister is talking about the brother 2 weeks before they disappeared.

Analysis

• Make sure you are able to get foundational flags correct and verified. All future and potentially larger flags will depend on this foundation.

Updating this as soon as the event starts in mid-December 2020 🎄

Resources

cheatsheet

#sans #holidayhack #ctf #kringlecon

John Strand, Keynote: A Hunting We Must Go

• Interval, con time, data size.
• Holes in an org are just as important to detect as threat actors.
• Deception time + Reaction time < Time to perform attack.

Katie Knowles, How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests

• Recon –> ID Vuln –> ID Exploit –> Test –> New Info Integrate

1. Understanding the Problem

• Drawing is a useful way to visualise a problem e.g.:

credit: Katie Knowles

2. Plan

• Google things; look for other things that are similar.
• Having a list of things that we've done and then ensuring all bases are covered in each step e.g. all ports checked, UDP as well?

3. Carry out the plan

4. Looking Back

• Record your steps, useful links, wiki.

Snow, Santa’s Naughty List: Holiday Themed Social Engineering

Tools

• rita – tool to check for beacons
• Zeek
• Url Crazy – typosquatting #socialengineering

#CTF #SANS #HolidayHack #KringleCon2019

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

• cookies that have fixed values are bad as it allows attackers to guess the pattern and values.
• a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

• check source pages
• dir searching
• github search for website

Day 3

• for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
• follow stream to export to txt
• johntheripper can work on /etc/shadow without needeing /etc/passwd.

Day 4

• to find text within all files: grep -Ril "text"
  • to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
• It's wise to search for *.bak files in case some world readable backups exist : find / -name *.bak 2>/dev/null

Day 5

• OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

• Tools used:
  • wireshark-gtk
  • fcrackzip
  • steghide

Day 7

• strange protocols running on weird ports are worth trying out via http.

Day 8

• if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.:

find /home/igor -name flag1.txt  -exec cat /home/igor/flag1.txt \;

• commonly used command to list all suid binaries:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Day 10: Metasploit

• After a quick nmap scan, there seems to be a tomcat server running on port 80.
• Version enumeration reveals that it may be prone to the struts2 vuln.
• Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = “”).
• exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
• SSH creds are available —> this is how we break out.

Day 11: Network Exploitation

• nmap -A $IP -oA <filename>
• We can see the following services open: ftp, nfs, mysql
• Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

• showmount -e $IP to check if NFS is present and directory path.
• cd /tmp && mkdir thm-nfs-11
• sudo mount $IP:/opt/files thm-nfs-11
• thm-nfs-11 contains a file with the flag.

MySQL

• I'll be using mycli to connect to the msql database.
• mycli -h $IP -P 3306 -u root
• show databases
• use data
• show tables
• SELECT * FROM 'USERS'
• Creds are now retrieved from the table.

Day 12

1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain decrypted note.

Day 14: AWS S3 Buckets

• Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
• Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

• Webservers will often pull files from local locations to display on a webpage.
• It's best to have a look at the HTTP requests and start crafting potential LFI that way.
• Be sure to encode the / using %2F.
• Example payload: http://host/get-file/%2fetc%2fpasswd

#writeups #ctf #tryhackme