I took part in CYBAR OSINT CTF 2020 as Zuckerwatte. It was our first time entering an OSINT CTF, and we finished 41st out of 161. For the detailed writeups, see the official ones; below is a brief writeup of our own (mostly impressions). As last time, the name in parentheses is the person who solved the challenge, and the challenges are roughly in the order we solved them.
# Introduction
## Tutorial Island (blaclear)
Welcome to the CYBAR Open-Source Intelligence CTF. Most challenges can be solved with a browser and some know-how - online tools might help too.
When you find something, whether it be a picture, text, code or whatnot, you can submit it into the CTF server by putting the 'flag format' around it. For example, if the flag asked you to find the name of a yellow fruit, and you confirmed it was a banana, you'd submit "CYBAR{banana}". Don't worry too much about caps, it's not case-sensitive.
To kick it off, let's try your first flag. You get into work, boot up your system and hit Spotify up. You can't remember the name of the artist or song you were listening to the other day but it put you in the ZONE. Scratching your head, you remember just a line of lyrics...
"In the name of the Spam God, that's what's up"
Huh. Let's do a quick search and see if we can find the artist, and submit as a flag. When done, you can kick off their playlist to pair with the CTF.
### Solution
Googling `"In the name of the Spam God, that's what's up" lyrics` brings up YTCracker.

🚩`CYBAR{YTCracker}`

# Social
## You've heard of elf on the shelf, but what about the proliferation of COVID-19? (blaclear)
The Roombas are trying to gain the upper hand over the human population. We believe they're going to target pivotal industries such as real estate, critical infrastructure, information security and healthcare. We don't know who yet, but we know it's a group of close friends and all are infected with COVID-19.
We need to enact Contact Tracing - finding every detail about their lives in order to predict and contain their movements. No one has heard from them since March. We must build up details about them for the agents to then take over. That's where you come in.
Our first piece of intelligence is a gentleman by the name of Marc Hevis - a co-owner of Hevis Properties Pty Ltd. We have agents ready on the ground, and others covering all his other social media - your task is to find his Twitter account.
### Solution
Searching Twitter for Marc Hevis quickly turns up [@HevisMarc](https://twitter.com/HevisMarc).

🚩`CYBAR{HevisMarc}`

## Contact Tracing - Part I (blaclear)
It's suspected the Roomba targeted one of Marc's friends, Alycee, with COVID19 based on her regular flights around the world to different critical infrastructure areas (e.g. gas and oil). We must undertake contact tracing for Alycee without warning the subject. We need to find out every location she has been in the past few years to get a profile. This profile will then help us predict and prevent where she might go next.
What is the full URL of Alycee's art account?
### Solution
From the follows/followers of [@HevisMarc](https://twitter.com/HevisMarc), Alycee's account [@alyceedoesstem](https://twitter.com/alyceedoesstem) is easy to find. The drawings she posts carry the hashtag #DA, but I couldn't work out what it stood for... Instead, Googling her user id turns up her [deviantart](https://www.deviantart.com/alyceedoesstem) page. Ah, so that's what DA meant...

🚩`CYBAR{https://www.deviantart.com/alyceedoesstem}`

## Contact Tracing - Part II (blaclear)
We need more locations Alycee may have or will visit in the future. What is the exact volcano that Alycee visited?
### Solution
Among Alycee's posts is [this one](https://www.deviantart.com/alyceedoesstem/art/The-day-it-all-changed-832327285). Look closely and there is a date written on it, so I searched for it... Apparently Kīlauea erupted on that day [(wiki)](https://en.wikipedia.org/wiki/2018_lower_Puna_eruption). Huh.

🚩`CYBAR{Kīlauea}`

## Contact Tracing - Part III (blaclear)
We need more locations Alycee may have or will visit in the future. What is the first name of the park that Alycee likes to visit?
### Solution
Among Alycee's posts is [this one](https://www.deviantart.com/alyceedoesstem/art/My-Favorite-Place-832559463). Helpfully, the coordinates "38°01'27.8 S 145°20'29.0 E" are written right on it. Searching for them leads to "Wilson Botanic Park".

🚩`CYBAR{Wilson Botanic Park}`

## Contact Tracing - Part IV (blaclear)
We are trying to locate in which suburb Alycee's friend Marcel lives in, to zone in on potential areas of risk he may potentially cause having COVID19. Please find it for us so that we can get some agents there on the ground.
### Solution
From the Twitter follows/followers, [@marcelbalkins](https://twitter.com/marcelbalkins) is easy to identify. First I tried `Victoria` from his profile as the flag, but no. He seems to live in `Melbourne`, but that isn't the flag either. Of course it isn't that easy... The tweet of Marcel's that caught my eye is [this one](https://twitter.com/marcelbalkins/status/1233934531888988161?s=20). RSPCA stands for The Royal Society for the Prevention of Cruelty to Animals, so basically something like a vet, I suppose? But there are many RSPCA branches around Melbourne, so this alone isn't enough to narrow it down. Googling `RSPCA vic cat ringworm` turns up this [article](https://www.change.org/p/rspca-stop-euthenising-cats-with-ringworms-or-other-treatable-conditions). So it was the Burwood branch.

🚩`CYBAR{Burwood}`

## Contact Tracing - Part V (seema)
We are trying to locate in which town Alycee's friend Pong lives in, to zone in on potential areas of risk he may potentially cause having COVID19.
### Solution
Pong's account is [this one](https://twitter.com/LiPongWeiqi778). First I tried looking up the licence plate number posted on Twitter [here](https://www.service.transport.qld.gov.au/checkrego/application/VehicleResult.xhtml?dswid=-8625), but couldn't make sense of the result...

![ContactTracing5-1.jpg](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/659941/58a7ae01-034a-e9ff-ffe3-bd5bdff91ed3.jpeg)

I then wandered around Google Maps looking for places with the "spar" shop that appears in Pong's Twitter header image. I never found a spot that matched the image exactly, but I did find one that looked similar. I tried that place name, {Blackall}, and it went through...

🚩`CYBAR{Blackall}`

## Contact Tracing - Part VI (seema)
We've learned that Pong has a vehicle and may have visited nearby towns in the past few months. We were going to do license plate detection but no doubt the Roombas have either changed this or prevented plate reads. We need to know the exact make and model car Pong is driving to get visual confirmation.
Find the make and model of Pong's vehicle.
### Solution
This was the lookup result from the previous challenge. Search the licence plate on [this site](https://www.service.transport.qld.gov.au/checkrego/public/Welcome.xhtml?dswid=2896). The plate number is from the March 3 tweet.

🚩`CYBAR{2018 KIA STINGER SEDAN}`

## Contact Tracing - Part VII (seema)
Pong may have travelled internationally recently, and we need you to find out which city he was in.
### Solution
![ContactTracing7.jpg](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/659941/a67fa1ed-0592-54e5-ff14-cade39b95597.jpeg)

Reverse-image searching [the image in the March 4 tweet](https://twitter.com/LiPongWeiqi778/status/1235036029033140224?s=20) returned "Bandaranaike Memorial International Conference Hall". Bandaranaike appears to be a person's name, and the hall is in Colombo, Sri Lanka.

🚩`CYBAR{Colombo}`

## Clocking Overtime
Let's start canvassing Marc's working life. Which town is Marc's primary (not newest) workplace located in?
### Solution
[This](https://twitter.com/HevisMarc/status/1234808492294197248?s=20) is the hint, I think? The route seems to be described [here](https://www.ptv.vic.gov.au/route/16/werribee/). The terminus is Werribee.

🚩`CYBAR{Werribee}`

## By A Thread - Part I (seema)
Alright, we need to start building up a profile of Marc's friend, Alycee. Find anything you can that might help us find more information on government databases about her such as an Australian Business Number (ABN).
We managed to locate her tax agent on AirTasker - maybe you could get in touch and somehow convince him to provide some information about her tax return.
https://www.airtasker.com/users/paul-n-19685038/
Public records show his email address is taxteamtechs@gmail.com
### Solution
From Alycee's Twitter:

![ByAThreadP1.jpg](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/659941/70a6b22f-0a32-5e86-9fff-16ad907d2aa4.jpeg)

Look closely: Alycee has exposed her email address and password... Mustering some courage, I sent these to Paul N's email address. An important-looking document arrives. The ABN was the flag.

🚩`CYBAR{546877954}`

## By A Thread - Part II (seema)
Can you locate Alycee's date of birth?
### Solution
Her date of birth was also on that important-looking document above.

🚩`CYBAR{1/1/1989}`

## WFH (EoM) - Part I (blaclear)
Contact Tracing continues. We need to locate Marc's home and evacuate the neighborhood/building and place them in isolation.
What's the name of the building Marc lives in?
### Solution
Marc [tweeted](https://twitter.com/HevisMarc/status/1234802973189890048?s=20) the view from his balcony. The distinctive building with a person's face on it that appears in the video is, as a search for "face on building" quickly shows, apparently called the ["Barak Building"](https://www.theage.com.au/national/victoria/new-face-of-melbourne-rises-32-storeys-20100914-15axh.html). After that it's just a matter of using Google Maps 3D to hunt for Marc's home. Taking the height into account, it looks like [here](https://en.wikipedia.org/wiki/Queen_Victoria_Village). The upper part of this building is apparently [residential](https://www.qv1melbourne.com/about/). Impressive.

🚩`CYBAR{QV1}`

## WFH (EoM) - Part II (blaclear)
We need more information on the building to work out the level it's being potentially filmed from. How many levels (above ground) does the building have?
### Solution
QV1's official website is quite thorough. [Here](https://www.qv1melbourne.com/for-residents/) it says "The gymnasium and pool are located on Level 45 (roof level)", so 45-1=44.

🚩`CYBAR{44}`

## WFH (EoM) - Part III (seema)
Alright, we need to figure out how long Marc has lived there for, and the earliest he could have moved in. What was the year the building was finally built in?
### Solution
The year isn't on the official website, so I checked [wikipedia](https://en.wikipedia.org/wiki/QV.1). I tried the `1988` and `1991` found there, but neither seems to be the flag... Searching again by building name, [this site](https://www.johnwardlearchitects.com/projects/qv1-residential-tower/) came up. Entering 2005, when construction(?) finished, went through.

🚩`CYBAR{2005}`

## Pretty Fly for a WiFi (blaclear)
We need to find Marc's second office location (not the primary workplace) for the contract tracing. Business records tell us it's relatively new. Scour his Twitter account and see if there's anything that can help us geo-locate it. We don't need it down to the road, just the town (not suburb) and we can work from there.
### Solution
I recalled Marc had tweeted it. For locating a BSSID, [Wigle](https://wigle.net/index) is the standard tool. Apparently Ballarat.

🚩`CYBAR{Ballarat}`

# General
## Trojan Horse (kanau)
It's 12:57am. You get an SMS from your red team manager - "Hey, we have a situation... Call me.".
Stepping out of bed and into the sleepy lights of the city, you tighten your hoodie and hit call. - "Hey. So a crime-stoppers report just came in, and apparently a passerby spotted a roomba trying to implant a consciousness into a... yeah this is going to sound weird... horse. Said something like 'the horse had a name on its side', but couldn't remember what. He said it was no more than 200m past the BP Petrol station in Mansfield, VIC on his way to Mt Buller. Located on the side of the road. Find the horse, find what name was on its coat. Once you've done that, we can put out an All-Points Bulletin for it."
Find and submit the name on the horse's coat to notify local law enforcement in the area.
### Solution
I searched Street View along the road from the BP petrol station in Mansfield, VIC towards Mt Buller. Go a little southeast from "145 Mt Buller Rd, Mansfield VIC 3722, Australia". There is a model horse at the roadside with letters on its side: "SWAGS".

![スクリーンショット 2020-06-06 17_0.53.50.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/659941/14258ce0-2544-c169-ba0a-c47549601041.png)

🚩`CYBAR{SWAGS}`

## Static on the Wire (blaclear)
Roombas everywhere are using social media to try and spread COVID propaganda about 5G infecting the public...basically saying people will start emitting Wi-Fi radiation.
However, a new tactic has just hit our radar. We've just received reports of propaganda spreading through amateur radio. We're unsure of the call-sign, but the caller reported the following statement:
"I was on the phone to my wife in Florence, Alabama. In the background of her HAM radio, I heard someone calling himself 'Scotty' in some weird-ass robotic voice, clamoring on about that 'demic giving everyone 5G and sorts."
That's all we have to go off for now. Find the call-sign and submit it to us so we can start tracking down their home address.
### Solution
A challenge to find a call sign. The call sign is presumably an amateur radio (HAM) one. Since the text says the call sign leads to tracking down a home address, I take it we answer with a call sign that is assigned per location. I looked up "Florence, AL" on [a search service I happened to find](http://www.arrl.org/advanced-call-sign-search). It shows that Scott's call sign is `KG4RFV`. Scotty is a nickname for Scott, after all...?

🚩`CYBAR{KG4RFV}`

## Where in the world is Wuhan - Part I (blaclear)
ping
Subject: Possible compromise - Facebook superadmin account Message: We've received an alert from CERT Australia of a possible superadmin compromise within Facebook's backend servers. As you know, they control a number of global node servers and if the roombas get access to pushing content....who knows what they might do. But we're currently looking at Roombas trying to learn the genetic structure and makeup of the novel coronavirus...from various supercookies tracking scientists browser history research. Of course, this can all be found out via the GraphQL API.
Facebook being facebook, they're not providing any word at this point. However, combining this with the thousands of Federal Police ACORNS reports we've had in the past few days, it's possible. Let's start from the top. Find Mark Zuckerbergs email address and submit it into the portal; we'll run some automated checks to see if it's appeared in any 3rd party breach sites.
### Solution
It is [listed](https://www.ceoemail.com/s.php?id=ceo-9927) on a sketchy-looking site called ceoemail. Being famous is hard.

🚩`CYBAR{zuck@fb.com}`

## Where in the world is Wuhan - Part II (kanau)
ping
Subject: Possible compromise - Facebook superadmin account Message: Got it, thanks. We were right; breached in a few online dumps; trust Zuck to have "I_hate_myspace_tom" as his password. Long story short, we can link this to the breach. Problem is, we're unsure exactly which global node server the roombas are going to target.
We did however find this image on the server, as the most recently changed file. It could be a geo-map of where they're planning to strike next, or it could simply be the ex-admin's next holiday destination. Either way, we need to know where that is NOW to start targeted keyword analysis. There's no metadata on this one - you're going to have to recognise the physical features.
Find the source of the image online, and I'll take care of the rest.
NOTE: This challenge is marked manually. It will state "incorrect", please ignore. PLEASE CONTACT A MOD WITH SCREENSHOT EVIDENCE WITH YOUR SUBMISSION.
### Solution
Just an image. Hard. The green area is a park? Fairly large. The roads inside it are winding and unpaved-looking. The yellow one is presumably a fairly major road, like a national highway. A national highway running along the coast seems rather unusual. Looking closely, the coastline is very neat. There is an odd circular road near the coast. Looking closely, the town is also very neat, almost a grid. It may be my imagination, but there seem to be dead-end roads.

🚩 Couldn't solve it

## Lies and Treason (blaclear)
An email comes in from a Threat-Intelligence lead in France. Apparently, in a routine Occupational Health & Safety (OH&S) check, inspectors found a warehouse stacked to the roof of roombas. Fortunately, none of them had been pre-loaded with consciousness, but when police arrived on the scene the entire stock was gone.
Fortunately, the warehouse's company was tracked down to an expensive suburb in Sydney's harbour district. "CYBAR PROPERTY PTY. LTD" The TI is only a junior and mentions they've done a quick search of the owner - Lillie - but can't find any more information. A laptop found in the French warehouse requires a password and we NEED to find if there are any other Australian warehouses owned by Lillie storing potentially dangerous roombas.
The TI has left you a voicemail: *"The password hint on the laptop is 'my middle name'. Can you grab the current company information and see if the records contain her middle name? I'm sorry, but no one's going to expense you on this one, you gotta find it yourself. Goodluck"
### Solution
A challenge I agonized over that turned out to be super easy. The only hint is the company name. Searching for it turns up [this website](https://www.abr.business.gov.au/AbnHistory/View?id=46064503064). There also seems to be some information [here](https://abr.business.gov.au/ABN/View?id=85546026196). Hm, L CAWTHORN & CYBAR PROPERTY PTY LTD SUPERANNUATION FUND... Who is L Cawthorn? Guessing from the challenge text that L is Lillie, I searched "Lillie Cawthorn" around [here](https://express.illion.com.au/personal-name). And there is a Lillie Theresa Cawthorn. Lillie Theresa, so the L&T in the challenge title was a play on that. I see. Incidentally, the company's address and so on can also be [found](https://online.nswlrs.com.au/wps/portal/six/find-records/!ut/p/z1/hY7LDoIwFER_pXxBb7FAWRZQnlIeKtCNYUEUI4iJwd-3GhNX6uzuzLmTwRLXWI7t3B_aW38Z27O6G2nu7Yww4jA9AsIY8Dh3aKGvCDATV_8AqWL4Ig7qX74Q1-cBtRJlUqZD6DmBZ9lrgNB8Az86GrXB-mwQUWYAL_NMcBIvACxcPjuuuFmYKBHbsOSoENxDTli4gV-I3RKlZYV0oASnm2M3dHgaajgZ03znmvYAgQcGEw!!/dz/d5/L2dBISEvZ0FBIS9nQSEh/#), but searching for it didn't turn up anything.

🚩`CYBAR{Theresa}`

## Fake News (blaclear)
We've just received a report of The Daily News publishing an article that is causing a lot of concern and fear in the public. Given its wording and theme, we are sure it's fake news generated by the Roomba. However, TDN will not disclose their source. Here's the article, we need you to find the exact number of people that went through Southern Cross Station at the exact time referenced so we can determine if the article is fake. SX Station has released a statement saying that all footage of that night has been deleted so we can't rely on visuals.
Article text: "Wild scenes as 40 people confirmed to be infected with COVID-19 ran through Southern Cross Station at 4:00am on Friday, the 28th of February 2020. The frightening witness account has caused panic buying at stores around the country as people prepare to stay indoors. Our source confirms they were the only witness and that this infectious routine could be happening at other major transport venues through the country without the public's knowledge."
Find the exact number of pedestrians that walked through Southern Cross Station that morning at 4am, on Friday, the 28th of February.