HTB Write Up - OSINT - ID Exposed

2020-09-24 - Reading time: 9 minutes

I've been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I've never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I've never encountered before.

We are looking for Sara Medson Cruz's last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With only that to go on, I spent a lot of time going through my usual routine...

Sherluckin' Out

First, I looked for the username saramedsoncruz using Sherlock, a Python tool that queries a ton of social media services for a given username. (There are websites for this, too.) It pulled up only a couple of results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she'd just found.

This seemed to be a lock... but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In...

At this point, I'm trying everything I know. Manually clawing through "Sara Cruz" accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar -- I thought to myself "Some dumb hacker shit! Surely, this must be it!"

But, no. Another dead end.

As I'm searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I'm about to give up -- which is fine by me. Yeah, I'm always a little disappointed when I throw in the towel, but that's part of the reason I do these CTF challenges: to test what I know, and if it's something I don't know: learn. (From write-ups. Like this. 😏)

...when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

"ID Exposed"... hey, waaaait a minute...

I think for a moment as that piece of information zip-zaps across my mind over to the article I'd found earlier: Getting a Grasp on GoogleIDs.

I'd completely overlooked a clue in the title. Turns out this was VERY relevant!

I'll leave the article for you to see the details, but long story short: there's a profile ID number attached to every Google account, and the article outlines a couple of ways to get hold of it.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you execute the endpoint right from the browser. You'll need to authorize it against your own Google account, since the contact you're looking up lives in your own Contacts.

Following the instructions in the article, I plugged in "people/c6412528252752365100" for the resourceName, and "metadata" for the personFields field.

The call succeeded and returned this JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": [
            "GOOGLE_USER"
          ]
        }
      }
    ],
    "objectType": "PERSON"
  }
}

Under metadata -> sources there are two entries. The CONTACT one is just the entry in my own address book; the PROFILE one is the Google account behind the email address, and its id is our GoogleID: 117395327982835488254.
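As an added example (not part of the original write-up or the article it cites), here is a small Python script that pulls the PROFILE id out of a people.get response like the one above and turns it into the Google Maps contributions URL the write-up uses next. The JSON block above is embedded as a sample; a second, constructed response stands in for a contact whose address is not backed by a Google account, which is the failure mode to expect: no PROFILE source at all, only the CONTACT entry from your own address book. The resourceName and ids in that second sample are made up.

```python
import json
from typing import Optional

# Constructed sample: the people.get response reproduced in the write-up above.
SAMPLE_RESPONSE = """
{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": [
      {"type": "CONTACT", "id": "58fde0788976062c", "etag": "#mHCSVKsIHG4=",
       "updateTime": "2020-09-24T15:59:18.216Z"},
      {"type": "PROFILE", "id": "117395327982835488254", "etag": "#4eZz2/IuMFw=",
       "profileMetadata": {"objectType": "PERSON", "userTypes": ["GOOGLE_USER"]}}
    ],
    "objectType": "PERSON"
  }
}
"""

# Constructed sample (hypothetical ids): a contact whose email is not tied to a
# Google account, so the only source is the CONTACT entry in my own address book.
NO_PROFILE_RESPONSE = """
{
  "resourceName": "people/c1111111111111111111",
  "metadata": {
    "sources": [
      {"type": "CONTACT", "id": "0123456789abcdef",
       "updateTime": "2020-09-24T16:00:00.000Z"}
    ],
    "objectType": "PERSON"
  }
}
"""


def sources_of_type(response_text: str, source_type: str) -> list:
    """Return every metadata.sources entry of the given type (CONTACT, PROFILE, ...)."""
    response = json.loads(response_text)
    sources = response.get("metadata", {}).get("sources", [])
    return [s for s in sources if s.get("type") == source_type]


def find_google_id(response_text: str) -> Optional[str]:
    """The numeric PROFILE id is the GoogleID; the CONTACT id is only my own
    address-book entry. Returns None when no Google account backs the address."""
    for src in sources_of_type(response_text, "PROFILE"):
        profile_id = src.get("id", "")
        if profile_id.isdigit():  # PROFILE ids are numeric; CONTACT ids are hex
            return profile_id
    return None


def maps_contrib_url(google_id: str) -> str:
    """Build the Maps contributions URL (same form as the one in the write-up)."""
    if not google_id.isdigit():
        raise ValueError(f"not a numeric GoogleID: {google_id!r}")
    return f"https://www.google.com/maps/contrib/{google_id}/"


def resolve(response_text: str) -> Optional[str]:
    """people.get response text -> contributions URL, or None if there is no profile."""
    google_id = find_google_id(response_text)
    return maps_contrib_url(google_id) if google_id else None


if __name__ == "__main__":
    for label, text in (("challenge contact", SAMPLE_RESPONSE),
                        ("non-Google contact", NO_PROFILE_RESPONSE)):
        print(f"{label}: {resolve(text)}")
```

The digits-only check matters because the CONTACT id is a hex string that happens to look id-like; filtering on the source type first and then on the id's shape keeps you from pasting your own address-book id into the Maps URL.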

Now That's Brazilliant

From here, we can look for various things (again, check the article for what's possible).

As it turns out, you can take a look at the 'contributions' a GoogleID has made to Google Maps. That means reviews and photos, for the most part. Certainly the kind of data that ticks the boxes this challenge asks for.

So, I tack the GoogleID onto the appropriate URL...

https://www.google.com/maps/contrib/117395327982835488254/

...and sure enough:

"Flag Watcher", huh? 😏

No photos, but they've posted a review for the 'Museu do Futebol' in Brazil, giving it a whopping five stars, and a terse comment of "really nice museum"...

Wait, there's more.

Like, literally 'More'.

Click it.

And there's our flag, buried in a bunch of percent signs to force the comment to collapse. :)

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It's okay to give up, as long as you're willing to learn.

Just be careful that you're not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳


Gangster Computer God Worldwide Secret Containment Policy

2020-09-13 - Reading time: ~1 minute

I didn't go over every word of this, but I'm fairly sure these are the reenacted insane ramblings of Francis E. Dec. Besides, the phrase "Gangster Computer God" is pretty much his thing. 😉

Francis E. Dec (January 6, 1926 – January 21, 1996) was an American lawyer and outsider writer who was best known for his typewritten diatribes that he independently mailed and published from the late 1960s onward. His works are characterized by highly accusatory and vulgar attacks on various subjects, often making use of phrases like "Mad Deadly Worldwide Communist Gangster Computer God" to slander hierarchies that he believed were engaging in electronic harassment against him.

Here's a sample of his... work... 🤯


Hacking Reality to Save the Princess

2020-09-13 - Reading time: 6 minutes

Came across this over on Hacker News this morning and left a brief thought on it over there (that I'm sure has been ripped to shreds by now). (EDIT: Not so much. But we did reach similar endpoints. Thanks, guys!)

Long story short, even shorter: the player manipulates and aligns glitches to basically rewrite the game's stack and force the ending sequence to execute. Title screen to princess rescued in ~3 minutes.

From a hacker perspective, this kind of thing is -- 😘👌 -- excellent. Even if the player didn't consciously decide to manipulate the stack but happened to stumble onto a combination to make it work, it's still super cool to break it down, which is what this video does.



Originally this post was a reflection on the ethics of this kind of thing being considered a 'world record', and how I'd rather see them split it out into its own category.

Instead of investigating first, I just vomited out all my thoughts and feelings without actually seeing how the world decided to handle this. I ran on an assumption. And it was wrong.

Because they DO break it out by category:

Here's how they break it down -- and they are NOT fucking around:

100%

Beat the game, entering and completing every stage and Hammer Bros. fight.

  • Time starts on pressing Start on the title screen.
  • Time ends on entering the door after defeating Bowser.

This category includes:

  • All action stages (numbered stages, fortresses, airships, plants, hands...)
  • All overworld Hammer Bros. (including their Boomerang, Fire and Sledge Bros. variations)

Important notes:

  • Do not forget the Fire Bros. behind the rock in world 2, the two plants in world 7 and the three hands in world 8!
  • If you accidentally transform some Hammer Bros. into a coinship, you must either beat the coinship or die on purpose during the coinship to transform it back into Hammer Bros. and then defeat them.
  • Mushroom houses, card games, roulette games and overworld pipes are allowed but not required.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any% Warpless

Beat the game as quickly as possible without using any wrong warps or warp whistles. Warp whistles may be collected but not used.

Time starts on pressing Start on the title screen.
Time ends on entering the door after defeating Bowser.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any% (No Wrong Warp)

Beat the game as quickly as possible without using any wrong warps.

Time starts on pressing Start on the title screen.
Time ends on entering the door after defeating Bowser.

Banned emulators: ZSNES (any version), SNES9x 1.4x

Any%

Time starts on pressing Start on the title screen.
Time ends when Mario is visible in the princess' chamber. If the game crashes, the run is invalid.

Banned platforms: Virtual Console, NESClassic, BizHawk (QuickNES core). Note that BizHawk with the NESHawk core is allowed.

And these are just the Super Mario Bros. 3 specific rule sets. Other games have different rules.

For instance, Portal has "Out of Bounds" (any and all tricks allowed), "Inbounds" (camera and portals cannot leave the map), "Glitchless" (use none of the officially recognized glitches), and "Inbounds No SLA" (Save/Load Abuse).

Even something like bloody Cookie Clicker has a whole bunch of rule sets: "1 Million Cookies", "Neverclick" (bake 1 million cookies without clicking the cookie <= 15 times), "True Neverclick" (bake 1 million cookies without clicking the cookie at all), "Hardcore" (bake 1 billion cookies without upgrades), "40 Achievements" (guess), "1 Heavenly Chip" (🙏).

Finding this out was pretty amazing. Not only were my concerns alleviated, but I've actually found a brand new level of respect for speedrunning. :)

And I was able to salvage a lengthy post, and turn it into something positive. Everyone wins!


One Blog Too Many

2020-09-06 - Reading time: 2 minutes

Decided I needed to have a place for random, dumb junk. And I'll keep BytesTemplar.com specific to projects and coding.

I've taken this opportunity to explore other flat-file CMS..es...CMSes... (🤔)

Sluggish Gravy

I migrated BT.com from WordPress to Grav at the start of the year. It's not bad, and at the time I was quite pleased with it... until I uploaded it to my shared Dreamhost account. Despite not using MySQL, and despite being a simple 'drop in and go' system, it still had these absolutely weird moments of slowness. Pages would take 3-5 seconds to load. Same for the admin.

This didn't happen on my development VM. It was a bit of a surprise.

I spent hours trying to debug the issue, but eventually I had to just concede that it was some mysterious Dreamhost magic getting in the way, and let it be.

Woof

So, this week I took a look at some others, and this time I'd install it on Dreamhost first to see how it performs. And, long story shorter: Bludit did the job. Fast, uses a clean WYSIWYG editor, but you can also flip over to Markdown. Feels mostly solid, and has a decent backup plugin.

The downsides are that there isn't really an easy-to-use plugin/theme system. And one of the plugins is broken so badly that it ate a lengthy post I'd written because I saved without a post title... Thankfully it's a completely unnecessary one that I quickly jettisoned once I realized it was a bug in the plugin, not the CMS.

Onward

So, got all this setup in an evening. Manually moved over some goofier posts from BT.com.

I feel like I'm spreading my interests thin -- BT for generic development? This for random junk? Another blog (elsewhere) for infosec?

I don't know what the hell I'm thinking. I need to clean this up and unify.



The Worm is Back!

2020-04-02 - Reading time: 3 minutes

NASA says the worm is back!

The original NASA insignia is one of the most powerful symbols in the world. A bold, patriotic red chevron wing piercing a blue sphere, representing a planet, with white stars, and an orbiting spacecraft. Today, we know it as "the meatball". However, with 1970’s technology, it was a difficult icon to reproduce, print, and many people considered it a complicated metaphor in what was considered, then, a modern aerospace era.

Enter a cleaner, sleeker design born of the Federal Design Improvement Program and officially introduced in 1975. It featured a simple, red unique type style of the word NASA. The world knew it as "the worm". Created by the firm of Danne & Blackburn, the logo was honored in 1984 by President Reagan for its simplistic, yet innovative design.

NASA was able to thrive with multiple graphic designs. There was a place for both the meatball and the worm. However, in 1992, the 1970s brand was retired - except on clothing and other souvenir items - in favor of the original late 1950s graphic.

Until today.

The worm is back. And just in time to mark the return of human spaceflight on American rockets from American soil.

This excites me to no end!

Now, okay, I'll admit, I'm probably biased towards the 'worm' design because it's the one I grew up with. And I know "the meatball" -- the older style logo -- has just as many fans. Enough to bring it back in the 90s.

I never understood that roll back.

NASA!  Space! The Future!!

The "worm", to me, embodies that spirit. It's a simple, yet futuristic logo. It used to fill my mind with amazing visions back then.

When I see the "meatball", I think... backwards. Old. A lack of progress. Quaint sci-fi rocket ships. Black and white footage. Pre-moon landing era.

But! I know the "meatball" means a great deal to other people, too. So I thought, why not merge them? Put the "worm" on top of the "meatball"? Best of both worlds!

And, as usual, that means it's already been done.😉

Check out the "New Heritage" design:

Wow!

I don't know who the creator is that did the edit (hit me on Twitter if you know and I'll update this), but it's exactly what I'd imagined. This fusion would be perfection to me. It pays tribute to the past, while integrating the future.

But, in the meantime, I'm going to giggle excitedly to myself now that they're moving... back to the future. 😉


Catch These Men

2019-08-24 - Reading time: ~1 minute
