DEFCON 25 CTF – CHALLENGE 7 – CAPTURE_AUSTRALIA

300 PTS

Tl;dr: From the DEFCON 25 OSINT CTF (capslock enjoyed this title). This challenge was based around OSINT on the x64 Corp GitHub account. Requires general knowledge of how Git works and a willingness to look at code.

Topic:
“Our company doesn’t spend a lot on paid products, and we use a lot of open source / free products. For example we use git for version controlling – https://github.com/x64Corp
Since teams don’t use any centralized chat system, it’s difficult to monitor the same. Our CTO suspects that someone is keeping an eye on our discussions. Not sure how.
Can you help?”

Solution:

This URL leads you to the x64 Corp GitHub page where they host their site (shown above). Nothing too interesting here.

I looked through both of the repositories and did not find anything particularly interesting, just some flat text for their site and a typical theme. Checked commit histories and did not find anything private so I moved on.

After checking the repos and not finding anything, I went back to the start. The next thing I noticed was that there are two people associated with this account: jrianjack and malakhshou. Wonder what they have been doing!

First up, jrianjack.

No dice.

Next up, malakhshou.

Now that’s what I’m talking about! “Private_server” seems to be exactly what I’m looking for.

The README for the repo has me even more confident I found what I am looking for.

Looking through the files here was mostly uninteresting. However, there were some interesting config links and a commented-out token under chat/views.py that got me excited.

But this was returned from a query to that link:

Damn. Foiled again. HECKING BAMBOOZLED

I keep looking around and decide to check out the appengine_config.py file. Oh what do we have here?

Looks like those security guys breathing down his neck did not like that the keys were being saved in the code, so he removed them. But wait… They were there before?

Ha ha ha. To the commit history I go!

Three commits to appengine_config.py, eh? Now that's suspicious. Let's check those out.

Gotcha!

And the other:

Looks like we have some nice keys here. Now I just have to access the Slack workspace and figure out where the flag is.
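The pattern that gave this challenge away, a key committed to appengine_config.py and then "removed" by a later commit, is exactly what a repository owner should scan for before a repo is made public, because the deleting commit does nothing to the copy still sitting in history. As an added example (not part of the original writeup and not code from the x64 Corp repositories), here is a small Python scanner that parses `git log -p` output, flags credential-looking strings on added and removed lines, and groups them by value so that a token deleted in a later commit still shows up as exposed. The Slack token format, the generic "name = 'long string'" heuristic, the sample log, its commit hashes and the placeholder token are constructed for the example.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Credential-looking patterns. The first matches the Slack user-token prefix seen in the
# writeup; the second is a generic "token/secret/key/password = '<long opaque string>'".
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(?:token|secret|api[_-]?key|password)\s*=\s*['"]([A-Za-z0-9_\-]{20,})['"]"""
    ),
}


@dataclass
class Finding:
    commit: str
    path: str
    change: str   # "added" or "removed"
    kind: str
    value: str


def scan_patch_log(log_text):
    """Walk `git log -p` text (newest commit first) and return one Finding per
    secret-looking value on a '+' or '-' line. Both directions matter: a '-' line
    proves the value was in the repo and is still recoverable from history."""
    findings, seen = [], set()
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]          # works with and without decorations
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1] if " b/" in line else line
        elif line.startswith(("--- ", "+++ ")):
            continue                          # file headers, not content
        elif line[:1] in ("+", "-"):
            change = "added" if line[0] == "+" else "removed"
            body = line[1:]
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(body):
                    value = m.group(m.lastindex or 0)
                    key = (commit, path, change, value)
                    if key not in seen:       # same value matched by two patterns
                        seen.add(key)
                        findings.append(Finding(commit, path, change, kind, value))
    return findings


def exposure_report(findings):
    """Group findings by secret value. Every value here is exposed, whether or not
    a later commit removed it; 'removed_in' only tells you who tried to clean up."""
    report = {}
    for f in findings:
        entry = report.setdefault(
            f.value, {"kind": f.kind, "paths": set(), "added_in": [], "removed_in": []}
        )
        entry["paths"].add(f.path)
        entry[f.change + "_in"].append(f.commit)
    return report


def scan_repo(repo_path):
    """Run the scanner over a real clone (requires git on PATH). Not used by the sample."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return exposure_report(scan_patch_log(log))


# Constructed sample mirroring the writeup's scenario: a token is added, then
# "removed" by a follow-up commit. Placeholder token, fake hashes, fake author.
FAKE_TOKEN = "xoxp-" + "000000000000-" * 3 + "0" * 32
SAMPLE_LOG = f"""commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Sat Jul 29 12:00:00 2017 -0700

    Remove keys from config, security team complained

diff --git a/appengine_config.py b/appengine_config.py
index 1111111..2222222 100644
--- a/appengine_config.py
+++ b/appengine_config.py
@@ -1,2 +1,3 @@
+import os
 # Slack integration for the private server
-SLACK_TOKEN = '{FAKE_TOKEN}'
+SLACK_TOKEN = os.environ['SLACK_TOKEN']

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Fri Jul 28 12:00:00 2017 -0700

    Add Slack integration

diff --git a/appengine_config.py b/appengine_config.py
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/appengine_config.py
@@ -0,0 +1,2 @@
+# Slack integration for the private server
+SLACK_TOKEN = '{FAKE_TOKEN}'
"""

if __name__ == "__main__":
    for value, info in exposure_report(scan_patch_log(SAMPLE_LOG)).items():
        print(f"{info['kind']}: {value[:12]}... in {sorted(info['paths'])} "
              f"added {info['added_in']} removed {info['removed_in']}")
```

On a real clone, `scan_repo(".")` gives the same report; anything it lists needs to be rotated, since rewriting history after the fact does not help once a fork or clone exists.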

Using Slacker, a Python wrapper for the Slack API, I set up this script to get the channels list.

from slacker import Slacker

# Not needed for Slack; these were left over from testing
consumer_api = "TLMx9b2GcPAeUBMElKY8PwJhE"
consumer_secret = "IRUF7n9Q0idV5QOzGMrDgT75LKqLK8OkscrxAUYg1dJV1NCmWp"
access_token = "876140352347840513-15aKHglha33QnmoAyiTZH3lFl9FUVMu"
access_token_secret = "uyMP91Dk2yI6aCbC2ybxQ9ycXak57WNHH3QxsT9hJtGNX"

# Set up the Slack client with the token recovered from the commit history
slack = Slacker('xoxp-204882332822-203523130257-204081355250-8200a7efb0bec7fbd5894bf09bc7ab08')

response = slack.channels.list()
channels = response.body['channels']

for channel in channels:
    print(channel['id'], channel['name'])

Running this script comes back with this response:

Awesome! The API token works and I got the channels list. Now to get the history for the general chat (where I guess the key would be).

I modify my code to look like this and place a breakpoint just after running the channels.history command, as I do not know the structure of the response and viewing the contents of the variable in the PyCharm debugger seemed much easier.

from slacker import Slacker

# Actually not needed, was put here while testing
consumer_api = "TLMx9b2GcPAeUBMElKY8PwJhE"
consumer_secret = "IRUF7n9Q0idV5QOzGMrDgT75LKqLK8OkscrxAUYg1dJV1NCmWp"
access_token = "876140352347840513-15aKHglha33QnmoAyiTZH3lFl9FUVMu"
access_token_secret = "uyMP91Dk2yI6aCbC2ybxQ9ycXak57WNHH3QxsT9hJtGNX"

slack = Slacker('xoxp-204882332822-203523130257-204081355250-8200a7efb0bec7fbd5894bf09bc7ab08')  # set up the Slack instance
response = slack.channels.history('C60RY9W8N')  # get the channel history for the channel id

print("Hold here")  # breakpoint here

When digging into the response in the debugger, you find a lot of info (including that sweet, sweet flag we have been looking for!).

Including the full screenshot here, in case there are some hints for other challenges and others are still working, but the flag discovered is: flag{myp@ssw0rdi5y0urfl4g}

Guess someone was watching their discussions!

Cheers!

Joker
