Hello everyone, my name is John Hammond. Welcome back to the YouTube video. We're looking at some DownUnderCTF, which was a capture-the-flag competition that was going on this past weekend, and it's been a little while since I've showcased some CTF stuff, so I want to get back in the saddle. Let's not waste any more time. We'll hop on over to my screen here.

So to get started, I want to showcase some of the OSINT, or open source intelligence, challenges. I'm kind of going to go a little bit backwards: I want to showcase that second challenge first and then kind of go back to Welcome to Petstagram. So here we go. This challenge is called Bad Man. It says: "We've recently received reports about a hacker who goes by the alias Under Maitre." Okay, in leetspeak, cool. "He's been threatening innocent people for money and must be stopped. Help us find him and get us the flag." Roger Dodger.

So since this is an open source intelligence challenge, I'm assuming I'm going to be Googling; I'm assuming I'm going to be doing an internet scavenger hunt, which might not always be the most logical thing to do, but it's probably going to be looking at some social media, probably finding some online websites. So let's hop over to our good friend Uncle Google and let's simply look for Under Maitre. Nice. Okay, so we could try regular social media things, we could check him out on Twitter, but it looks like there's nothing going to be returned from Google; that doesn't exactly help us whatsoever. So in that case we could just go back and use, like, going to twitter.com and then supplying the username that we can assume is going to be his alias. Maybe he has some accounts on social media pages: Twitter, LinkedIn, Facebook, etc. So if I specify my URL, twitter.com slash Under Maitre with the leetspeak characters, let's go to that page and see if we get anything. Okay, and it looks like we found someone or something or some account. Let me zoom in on this a little bit.
Well, it looks like we have Under Maitre with the spooky scary hacker man profile picture. Nice. 16 following, 16 followers, joined July 2020, so recent. Oh, retweeted tweets from DownUnderCTF. Okay, so it looks like we are probably on the right track. Oh, DC CyberSec had done a really cool video to hype it up. Awesome. Shout out to you, DC CyberSec. If you guys like cybersecurity videos like mine or others, support other content creators and go check him out; he does really great stuff. "The very first DownUnderCTF will be held on 18 September." What other tweets do we have? "I am not a bot." Okay. "Whoo, that was close. I put out a tweet that contained personal information. Well, I'm glad we have a delete button." Interesting. I wonder if we could, like, maybe retrieve old deleted tweets; I don't know if that's a thing. "Since when is VP:QJ6IXMFZA not a strong password? Shaking my head." Hmm.

I thought that was kind of peculiar originally, because I look at this and I see kind of that colon syntax; sometimes you see, like, a username:password. I thought, like, oh, was this like base64? And I just copied this and would try and just throw it in a little terminal over here. You could just simply echo that into a base64 -d decode, but that's nothing. So okay, maybe that's a password. Maybe that's his password. Maybe we could log in with his account. Maybe that's a thing. Twitter, pretty sure, probably has two-factor authentication, though. "People say I'm a skid, to which I say: here's your address." Oh, oh, what's that? What's that like Neil deGrasse Tyson meme where he's like, "oh, we got a badass over here"? "Why are the cases rising up again?" Okay.

What do we particularly do here? We have maybe a password, and we have this notion, okay, "put out a tweet that contained personal information, glad we have a delete button."
So we deleted some tweets. I went down a rabbit hole to be like, oh, let's recover deleted tweets, and you could probably see, I don't know if I have any recent searches in here, but I would just Google, like, oh, is this a thing that I can do? Can I actually recover deleted tweets if you, like, search for their account? I didn't end up dealing with this. Honestly, I read about this a little bit and tried, like, oh, if you search for that user and, like, maybe the advanced search or something, you could do maybe some magic. Regardless, I realized, like, okay, if he put out a tweet that contained personal information, "I'm glad we have a delete button," sometime in the past, I thought, well, maybe we're doing some Wayback Machine action, or maybe there was a snapshot of his account at some point previously, and maybe there's a record of what that tweet would have been.

So if you haven't heard of the Wayback Machine, it's kind of a cool archiving website where you will be able to particularly look at websites or different web pages on the internet at a certain specific particular point in time. I think we actually showcased a challenge on this at one point called, like, Timekeeper. I don't know if that was NahamCon or, I don't know, one of the other CTFs we were doing. By the way, BSides Boston CTF, September 26th, you guys should come play.

So if you go to archive.org/web you've got the Internet Archive, or the Wayback Machine, here. So you could simply supply a link or URL that you want to see: is there any history, are there any snapshots, are there any records of this at a previous time in the past? And searching for this page in particular, it looks like we have some entries here. I see September 19th, and I see July 23rd. Let's start with this guy and see what that looks like. So click on that, get the date. Peculiar. And you can see in the URL or the address bar now it's at a particular time. It says "good job, here is your flag." Oh, okay. Awesome.
It looks like that was all that we needed to do. So can I click on that and go to it? Yeah. So when I was doing this in real time originally, when I was playing the CTF, I didn't see this September 19th one, probably because I was playing on, like, September 18th, and what is today, like the 19th? I'm not positive. This is not going to load, whatever. So we've got that flag; we can go ahead and submit that. Cool, solved our "easy" challenge. And that did not copy; that's refusing to copy. Let me right-click, copy. There we go. And yeah, we've already kind of solved that, so "good job, here's your flag." Nice and neat. I didn't see this one originally, so I'm curious why there's a second entry. I don't know if that challenge just had something different on it, but that looks like the same flag. So whatever the case may be, that was that solution: simply using the Wayback Machine to be able to kind of go back in time and determine maybe a potential earlier tweet that was sent out. I don't know how realistic that would be IRL, right? I don't know if anyone will go ahead and snapshot their Twitter accounts, or someone else might do that for, I don't know, weird interesting people, but regardless, that was that challenge. That was using Twitter.

You might have been wondering, okay, how do we make that giant leap for this alias or this username? How do we know to go to Twitter? Yeah, we could have gone to LinkedIn. Yeah, we could have gone to Facebook. Yeah, we could have gone to Instagram, whatever the heck, plenty of different things. Let me talk about that and let's pivot to that other challenge, Welcome to Petstagram. So this challenge prompt is: "Who is Alexandros the cat exactly, and who is this mysterious mum he keeps talking about? Submit his mum's full name in lowercase with underscores instead of spaces as the flag, DUCTF{name}." Okay? So they released a few hints on this challenge because it was kind of a struggle bus. I thought, based off the title here,
Welcome to Petstagram, okay, that's obviously a play on words for Instagram. I thought Alexandros the cat, Alexandros, might be a username. So I went back to, of course, Uncle Google and asked him, yo, dude, do you know anything about Alexandros the cat? So we Googled it. Alexander the Cat is an incredible book apparently on Amazon, and that didn't particularly help me. What the heck is that? All right. Okay, "Alexandros the cat Instagram." Maybe I could zoom in a little bit more on that. I have some other particular individual accounts and I could go look at these. This is the danger of looking at Instagram pages in a video: what are we going to see? I don't think that's it, I don't think that's it, I don't think that's it. It's obviously that. I'm just kidding. "Alexandros Instagram," we could keep looking, we could Google around a little bit more. Eventually what I ended up doing was just instagram.com slash Alexandros the cat. Whack that in and we've got this Instagram page here. We've got Alexandros the cat with two posts, 12 followers and "Hi, my name is Alexandros. I love catnip and me mum." So maybe this is it; if he's mentioning my mum, that's totally what it mentioned in the challenge prompt. So this looks kind of promising. We have two wonderful pictures of an incredibly adorable cat here. Oh, and I guess I have to log in. LastPass, thank you, security. No, you don't need to save my login info, dude. LastPass. "I used to be small, throwback Tuesday. P.S. Check out my mum's new YouTube channel." Oh, a bit.ly link. Sketch. I don't know if I trust that link. I want to do it anyway. Great.
Let's keep looking around before I go visit that, but Alexandros the cat looks about right, and "Mum gave me a bow tie, #coolcat #welcometomyinsta." You could do peculiar things if you wanted to, like, okay, like download this. If you could, you could click on "go to post" and then you could probably, like, right-click and extract the image out of here if you want to do some crazy steganography: strings, exiftool, steghide, StegSolve, I don't know. I thought, well, okay, we've looked at the posts that he has on his Instagram page. I want to check out if he's tagged in anything else. It doesn't look like he is. So I could check out who his followers are. I want to click on all these, and I could go look at these individual accounts if I really, really wanted to. Whoever you are, random strange people, get excited, because now you're apparently going to be in a video. Private account. Random folks. Roger Dodger. Okay.

The one that struck out to me, because if the capture-the-flag event, the capture-the-flag competition itself, is going to be kind of preparing and staging this challenge to be visible by other people, I want to look at some of the beginning, earliest, like, followers. I wanted to see if there was anyone that maybe they had staged or set up for this exercise to kind of test us. What might one of their friends be? So I looked at m waters, Emily Waters. Sounds like a female mother name, and it says: m waters 92, "I love gelato and my cat Alexandros." Oh, okay, this is totally it. "For business inquiries, please contact mlt waters 92 at gmail.com." Emily Waters, is that going to be her name? You could try and submit that if you wanted to, emily_waters. Actually, that's going to be wrong. The gimmick is you need her full name, full name including middle name, and I saw some folks in the Discord kind of be like, okay, what the heck? I don't know about that. How do I, where, what indicates that this is a full name including a middle name?
I noticed this Emily T. So we got an initial. That's obviously not her full name; you can't just say Emily T. Waters, and that's not all of it. That view hint will say here: "Hey, I'm looking for my mum's full name. Are you sure you have everything you need?" So we need to know her middle name. We can take a look at this video. I'm going to make sure my audio is off because I know what this is. "This is coffee and gelato earlier today with this cutie. Sorry for the annoying background noise lol." So annoying. If I click on this video, I'm hopefully not allowing the audio to go through, but you could probably hear some beeping, some beeps and boops. Uh, I guess I can turn my volume up and maybe you'll hear it through the microphone and it won't be extraordinarily loud. Dope. Someone is, like, pressing buttons on their phone, right? Maybe they're texting. Maybe that, whatever the case may be. Comments: "living the good life," super duper cool. I'll go to the next one. "My first host," excuse me, "my first post has to be my handsome boy. Love you Alexandros." And he's so handsome. "I love you Alexandros." Incredible. One like. Thanks, Helen. Social media. This is the pinnacle of human civilization. Instagram is just an app where you can pull up and immediately look at advertisements on your phone. That's great.

Something that we could do now that we've seen this video and we're hearing these weird, interesting beeps and boops is that we could go ahead and download this video and extract what those DTMF tones might be. I'm going to put in the disclaimer that this is a rabbit hole, or at least it was for me; I kind of fell down this road for a little bit, but I just want to show you how you could follow that through in the case that this is something that you might need in the future. So maybe this is bad. Skip ahead in the video if you're like, "this is stupid, John."
I don't care. Let me just show you what this really is. We've got this Instagram video and we want to download it so we could extract out the audio. We want to get the DTMF tones, or those phone dialing sounds, out of the video and kind of interpret what they might be and what they are. So I've gone ahead and viewed the post. I kind of went to that Instagram button and hit "go to post" and I can copy the link, because what I do, what I need to look for, is, like, okay, "instagram download video." Searching that on Google, looks like we've got a couple different links. You could download Instagram videos online in MP4 format, and all this takes is a URL to download. So when we slap this guy in there, download the Instagram video, it looks like it got it. I'll download the video in MP4. Yeah, yeah, all right, cool. That saves it as, like, 11-something, massive. In my CTF folder I had a DUCTF directory where I've been working with some of this stuff, OSINT. Let me make a directory for youtube petstagram, pets to gram, pentagram, I don't know. Whoa. Okay, and now let's move our Downloads 11.mp4 all the way into this directory, and now we've got it. So I could mplayer this and you'd totally be able to see it. Wow, incredible. mplayer is just a command line tool to watch a video; not what we're trying to do. We want to extract the audio and the sounds from this.

So what I like to do is I like to just use ffmpeg, because it's super duper easy. You can use ffmpeg, and if you don't have that, it's a "sudo apt install ffmpeg" on Ubuntu or Debian based systems. -i for our input file, and then the following argument will just be what we want the output to be, so I'll just call it sound.mp3, and then ffmpeg, whoa, ffmpeg will realize, okay, we just want to carve out the audio from this. We just want to now render it as an MP3 file rather than an MP4 file. So if I mplayer that sound.mp3, now there's no video.
I just have the audio handy. Nice, cool. I could file all of these if I wanted to. You can see that this original MP4 file is an MP4; this sound, an MP3 file, is just an MPEG MP3. So now we would want to convert those DTMF tones. DTMF, and I can tell you a little bit more about those: dual-tone multi-frequency. It's the signal to the phone company, excuse me, when you press an ordinary telephone's touch keys. So if you want a decoder, a DTMF tone decoder, you could simply find one. One of the ones that I really, really like is this, like, abc123. Uh, maybe I need to specify the words "DTMF decoder" on the line. Yeah, yeah, dialabc, that's what it is. "Detect DTMF tones," and we have to go ahead and supply a file. So I have this in ctf, ductf, OSINT, right, youtube petstagram, sound.mp3. I will go ahead and whack this in there, and I ran headfirst into this wall, because when I click on this and upload an MP3 file, it'll tell you: "Whoops, sorry, that's not a supported audio file format." We need to work with something different. They suggest: "We support RIFF Microsoft WAVE files and Sun/NeXT audio." So okay, WAV file, sure, whatever. ffmpeg can still work that magic. So let's go back to our command, ffmpeg -i with our input file, and now we'll just use sound.wav and whack that in there. Cool, all right. Now let's upload that WAV file and let it do its thing. It's going to take a little bit of time because it's churning through this video, however long it may be, however much sound and audio it needs to extract out, and we'll see if we get anything peculiar. Oh, we do: six, three, three, eight, zero, six, three, zero, two, etc. So these numbers that are indicated here are the buttons that that person is pressing on their phone. I'm still in the middle of the rabbit hole here. Maybe this isn't important.
Maybe somehow it is for some people. Regardless, I want to continue to showcase this because that's good to know for the future. So what I'm going to do is I'm going to take all of those values and I'm just going to slap them in a text editor. Really gross. I only care about the lines, because I've just copied and pasted this; the numbers that I saw were six, three, three, et cetera. So in this case, it's just a line that has just the number and nothing else on it. So what I'm going to do is I'm going to do a find and replace. I hit Ctrl+H on my keyboard, so I have the regular expression mode on. So what I'll do is I'll just look for, like, backslash d to denote a digit, and I'll note a dollar sign to denote the very end of the line. So caret to denote the start of the line, backslash d to denote a single digit, and then dollar sign, regular expression, to denote the very, very end of the line: ^\d$. So you can see my six is highlighted, my three is highlighted, my three is highlighted, et cetera. What I'm going to do is I'm just going to actually hit that "find all," so now I have those all selected within Sublime Text. I'll hit Ctrl+X so I can copy them and put them on my clipboard, then I'll just remove literally everything else in this file, so when I hit Ctrl+V to paste, all I have are those numbers. That's kind of nice and kind of easy. If I wanted to kind of remove all those newlines, I could use, like, a backslash n and replace all of those. Now I just have that specific string, so I have in sequence the numbers that that person typed on their phone.

This is a thing: if I were to go to github.com/JohnHammond/ctf-katana, this is just kind of a resource that I had put together.
Here's, like, my checklist of things, or my, I don't know, playbook of things that I might be looking for or remind myself to do during a capture-the-flag, for different kinds of capture-the-flag challenges, different categories, different things, et cetera. One of these in here is a cell phone cipher, like the keypad cipher, so you can check this out if you have any interest in it, but down below I see a phone keypad. "Some messages may be hidden with a string of numbers, but really being coded with old cell phone keypads, like text messaging with numbers repeated." So typically a zero is a space, but all these other numbers that might be tapped in sequence could be what you're typing on that old cell phone. So the number six, okay, that might be M, because we've only hit that button once. Three, looks like we've got three, three, so that pressed it twice; that would be an E. And then eight, okay, that's a T. That's interesting, et cetera, and we would go ahead and maybe fill that out. You could use a tool to be able to track down all of this information. What I'll do is I'll just look up, like, "T9 cipher decoder." T9, it can be kind of the notion for that, okay, typing on that text pad. Looks like dcode.fr has a decent one for it, so let me go ahead and just go to that. I will slap that syntax in here and then I will decrypt T9. And it found 6338 could potentially be "meet," looks like it has a lot of certainty. 63 could correspond to "me" maybe, or "md" or "mf" or "md," et cetera. "Meet me" makes the most sense, and 28 could be "at," "at," "u," et cetera, any of those. "Meet me at," and then other letters that I don't exactly understand.

After I had found this in real time, when playing this challenge and playing the CTF, I didn't really know what to do. I was like, okay, what the heck? "Meet me at wd," "meet me at wf," waterfront? I don't know. W anything, X, all any of these things.
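The whole chain this part of the video walks through, as an added example that is not the video's code nor anything from dialabc, dcode.fr or ctf-katana: it synthesizes a DTMF dial sequence in memory (standing in for sound.wav), picks the digits back out with a Goertzel filter, and then reads them both as the old-keypad multi-tap cipher and as dictionary-based T9. The dial string (the digits read off the decoder in the video), the 8 kHz sample rate and the tiny word list are constructed for the example; the two readings disagree on purpose (multi-tap gives "met md at", T9 gives "meet" / "me" or "of" / "at"), which is the ambiguity dcode listed.

```python
"""Constructed DTMF -> digits -> keypad-cipher pipeline (added example, not the video's code)."""
import math

# DTMF keypad: each key is a low-group tone plus a high-group tone (Hz)
DTMF = {"1": (697, 1209), "2": (697, 1336), "3": (697, 1477),
        "4": (770, 1209), "5": (770, 1336), "6": (770, 1477),
        "7": (852, 1209), "8": (852, 1336), "9": (852, 1477),
        "*": (941, 1209), "0": (941, 1336), "#": (941, 1477)}
LOW_GROUP = (697, 770, 852, 941)
HIGH_GROUP = (1209, 1336, 1477)
RATE = 8000                   # assumed sample rate; a real sound.wav carries its own
FRAME = RATE * 40 // 1000     # 40 ms analysis frames, i.e. 25 Hz bins

# Old cell phone keypad used by the multi-tap cipher and by T9 (0 is a space)
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl", "6": "mno",
          "7": "pqrs", "8": "tuv", "9": "wxyz", "0": " "}

DIAL = "6338063028"                        # constructed: the digits the video reads off
WORDS = ["meet", "met", "me", "of", "at"]  # constructed mini dictionary for T9


def synth_dtmf(digits, tone_ms=80, gap_ms=80):
    """Stand-in for the extracted audio: one two-tone burst per key, silence between."""
    pcm = []
    for d in digits:
        lo, hi = DTMF[d]
        for n in range(RATE * tone_ms // 1000):
            t = n / RATE
            pcm.append(0.5 * math.sin(2 * math.pi * lo * t)
                       + 0.5 * math.sin(2 * math.pi * hi * t))
        pcm.extend([0.0] * (RATE * gap_ms // 1000))
    return pcm


def goertzel_power(frame, freq):
    """Energy at one target frequency (Goertzel algorithm: a single DFT bin, no FFT)."""
    n = len(frame)
    k = round(n * freq / RATE)               # nearest bin to the target frequency
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_dtmf(pcm, silence=0.01):
    """Frame the audio, take the strongest low and high tone per frame, and collapse
    consecutive frames showing the same key into one keypress; a silent frame ends it,
    so a repeated key (the 33 in 6338) still counts twice."""
    digits, last = [], None
    for i in range(0, len(pcm) - FRAME + 1, FRAME):
        frame = pcm[i:i + FRAME]
        if sum(x * x for x in frame) / FRAME < silence:
            last = None                      # gap between keypresses
            continue
        lo = max(LOW_GROUP, key=lambda f: goertzel_power(frame, f))
        hi = max(HIGH_GROUP, key=lambda f: goertzel_power(frame, f))
        key = next(d for d, pair in DTMF.items() if pair == (lo, hi))
        if key != last:
            digits.append(key)
            last = key
    return "".join(digits)


def decode_multitap(digits):
    """ctf-katana style keypad cipher: a run of the same key picks the Nth letter."""
    out, i = [], 0
    while i < len(digits):
        j = i
        while j < len(digits) and digits[j] == digits[i]:
            j += 1
        letters = KEYPAD.get(digits[i], "")
        if letters:
            out.append(letters[(j - i - 1) % len(letters)])
        i = j
    return "".join(out)


def decode_t9(digits, words):
    """Predictive T9: every 0-separated group maps to each word whose keys spell it,
    so one group can have several candidates (63 is both "me" and "of")."""
    letter_to_key = {c: k for k, cs in KEYPAD.items() for c in cs}
    groups = [g for g in digits.split("0") if g]
    return [[w for w in words if "".join(letter_to_key[c] for c in w) == g]
            for g in groups]


if __name__ == "__main__":
    heard = detect_dtmf(synth_dtmf(DIAL))
    print("DTMF digits:", heard)                     # 6338063028
    print("multi-tap  :", decode_multitap(heard))    # met md at
    print("T9 guesses :", decode_t9(heard, WORDS))   # [['meet'], ['me', 'of'], ['at']]
```

On a real recording, read the samples and rate from the WAV header (Python's wave module) instead of synth_dtmf, and tune the silence threshold to the noise floor.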
I didn't exactly know what I would be doing with that, and I was kind of at a loss. So I took a step back and kind of went back to everything that we had. Remember when we were looking through this Alexandros the cat page and we were looking at this Emily Waters page, all this stuff, we had one notion that said, "hey, please check out my mum's new YouTube channel," and we had that bit.ly link. So let's go to that page and it'll bring us to this YouTube channel, gelato el gato. Great. They have 36 subscribers, but they have no content on the home page. Absolutely no videos, no playlists, no channels. And I left a comment in here like, "hey, can I have the flag?" I guess they hadn't deleted that one yet. I left a comment on the Instagram ones too, and I guess they deleted those, but nice. Good troll, John, 10 out of 10. In the about page, they just welcomed my YouTube channel and when they joined. So this again seemed like a dead end, and I was like, WTF, what do I do with this? Why can't I solve this? This is supposed to be easy or beginner, and I'm like, I am wracking my head against this. I don't know what I'm doing.

Eventually we had this thought: this gelato el gato account, that's a new username, because we've seen m waters 92 or Emily Waters or Alexandros the cat, but we hadn't seen gelato el gato before. That was kind of a new name, and we had fallen down the rabbit hole of checking out m waters and how she loves gelato. We literally looked through all the pictures here on Gelateria, Gelateria on the Docks, and were like, oh, ice cream, people, stuff. Literally nothing else that would correlate to the CTF challenge. It's just a legitimate real restaurant. That was not good for us to fall down that rabbit hole. But we hadn't seen this gelato el gato username before, and we thought, once again, this idea came to us after we had looked at the previous challenge, the Bad Man one. So we had solved that because I had a bit more,
I don't know, traction. It was easier to do; we just found it on Twitter, and then we thought, like, oh shoot, yeah, this account might be on other social media platforms. So maybe this gelato el gato has an Instagram account. Can I just go to that? That's not a thing. Let's go to twitter.com slash gelato el gato, and there we go: "Call me Teresa. I love gelato and my cat Alexandros." And we have an inkling now with that T initial that we saw earlier. Her full name is Emily Teresa Waters, and we could submit that as the flag. And I like these memes here, nice, nice. Cool. Let's go ahead and submit that. We did emily_teresa_waters and that would be the correct flag. I've already solved this, so it doesn't showcase that. That was how we ended up solving that challenge, and we were bumping around, lost, like, not exactly knowing what to do for the longest time here.

And I had a thought after I went through this, because I think the right methodology, the right mindset to have when you're doing this OSINT stuff, or this open source intelligence information gathering, looking up, doing human intelligence on social media networks, like social networking sites, etc., is to keep track of those usernames. Because the same way that people will synchronize passwords, or, like, use the same password on different sites, there's still the concept and idea of synchronized usernames. People will probably have the same username on different accounts or social media pages. So whenever you find a new username, you should keep track of that and then look to see, does it exist on other potential platforms?
There's a really, really neat tool that does this. If I look up "python sherlock osint," the Sherlock project, or Sherlock, has this script, this tool, to hunt down social media accounts that are based off of a specific username. So, "hunt down social media accounts by username across different social networks," and it's super duper easy. All you really need to do is clone the repository, move into it, install the requirements, and then you're good to go. Let me show you this thing. Let's do it. I will just go ahead and git clone it into this current directory, and we can read a little bit about some of the usage here. All you really need to do is supply a username and then just find it. It'll just keep hunting and look for things. You can supply other output, like how you want it to be, what directory or folder, if you want to work through a proxy or Tor, comma-separated values or JSON, or timeout, or colors, etc. And that's neat. So I'd hop over to sherlock and I have that requirements.txt file, so I could, as the documentation has suggested, let's use, like, pip3 to install stuff based out of the requirements.txt file, and all this should already be installed for me. So I could simply python3 sherlock, and I don't need that note there, .py? What the heck, it is, it is sherlock.py. Oh, can I just use the whole module? Is that how that works? python3 sherlock. I guess it just figures it out. Okay, cool. So I need to supply a username. So let's go ahead and supply our elgato gelato, or gelato elgato. Let's paste that in there and see if it tracks it down automatically for us. When I ran this, when I tinkered with it and played with it, I'll be honest, it was kind of slow and I don't know why. I know this thing is using threading; I know this thing is doing cool stuff; I know it's supposed to be lightning fast. It took a little bit of time for me to get all those results. Anyway, it found Twitter.
It also went to mobile Twitter, which is kind of peculiar, but sweet, good enough. And it could find on LinkedIn, I don't know if that's actually an account or not. Nope, guess not. And turinga, whatever the heck that is. Okay, good, I'll trust that. Anyway, Sherlock was running a little bit slow for me, so I actually recommend using the Dockerfile. So if you want to, you can just grab it from Docker Hub and you can literally "docker run sherlock" and then the username that you want to supply. So let me do that, docker run sherlock. I've already got that image pulled in. If you hadn't run that command before, it might have to pull the image down for you to work with. So docker run sherlock and then the command that you want to work with, or the username. It was gelato elgato, please. I think I repeatedly forget this. Gelato elgato, yep. Let's whack that, and now it's like, whoa, boom. Okay, we're checking out all these different locations: Academia, Bandcamp, Basecamp, Bitbucket, Blip, Ask.fm, 9GAG, etc. Some of these might not have accounts; it'll tell you, "hey, not found," so you could grab that out if you really, really wanted to. But this, it seemed to be doing a little bit faster than the other one was, and it got a lot, like, oh, hey, here's that Twitch account, excuse me, here's that Twitter account, here's that YouTube account, etc. Even Tinder. Nice. Uh, okay, that's that.

Holy cow, this has been a long video, and it probably really didn't have to be, but I hope you don't mind me talking a lot. I hope you don't mind me showcasing some of the things that, uh, the rabbit holes that I fell down, just showcasing some more of my methodology and stuff that happened. What was that second hint they released? Well, they actually used here: "If you have Alexandros's mum's given name and surname, what else could there be left to find to get her full name?" Okay, so yeah, mentioning the middle name and doing a little bit more hunting and digging around on the internet. So that's the thing with OSINT.
It's an internet scavenger hunt sometimes. I'd like to be able to showcase this "going to take off," because not a ton of people solved this and I know we did, so I will see if I can remind myself what we did to go through that. But that is Bad Man and that is Welcome to Petstagram. So I hope you guys enjoyed this video. I know I talked forever and this is way, way longer than it needs to be, but thanks so much. I appreciate you tuning in, check out another capture-the-flag video, doing some OSINT with me. And that is enough of me yapping. If you did like this video, please do those YouTube algorithm things. I would love it if you could like the video, maybe leave a comment, maybe subscribe. You know, I'm super duper grateful, and if you like capture the flag, please, please, please register for BSides Boston CTF. You can go to B-Sides Boss dot ctf dot games, that website, and September 26th I'm hosting that capture-the-flag event. It'll run for about eight hours. We're going to try some new stuff with dynamic scoring, a new infrastructure, like user-based containers. It'll be cool, it'll be fun. So that's enough of me talking. Let me end the stinking video. Thanks, everybody. I love you. Take care.