Category: Misc

Points: 200

Description:

A scenario of Pokemon Go hacking has been circulating in the internet. It is reported that the attacker is riding on the upcoming Pokemon Go summer events. The attacker has crafted a socially engineered email containing a message that promises to instantly get a random Legendary Pokemon in their Pokemon Go account if the user clicked on the link and then register their Pokemon Go username and password.

Based from previous investigations, it was found that the attacker was saving all collected information in his email account. Given a sample of the malicious email, your team is tasked to find the password (flag) of the attacker's email account. The password is located in one of his website, thus requiring you to use your OSINT investigation skills.

Hint:
1. Find the attacker's domain using the mail sample. 
2. Then, you need to find his real name in one of his social media account. 
3. Finally, the path is posted in one of his social media accounts. 
Download the file
Decrypt the downloaded file by the following command.


> openssl enc -d -aes-256-cbc -k cCO6kBV3YDBdfNCx0HmN -in files22.enc -out files22.zip -md md5
> unzip files22.zip

Note:

I wasted many hours hunting down @Tyage when he registered pokemongolegendaryclaim.com. It was almost like a little mini-ctf on the side, except it just slowed me down from getting the actual answer. Well played, binja.

Investigation

When we look at the email in this pcap, we see a number of interesting things that I quickly took note of:

Domains of potential interest:

  • skyreward.net
  • pokemongolegendaryclaim.com

Emails of interest:

I started hunting down what I thought of right away and ruled out either email address possessing a facebook, twitter, myspace, linkedin, or gmail account.

I checked the whois on both skyreward.net and pokemongolegendaryclaim.com and didn’t think much else.

I checked the http headers for both websites, and this is where I should have noticed the binja trickery, when I got this response:

HTTP/1.1 200 OK
Server: nginx/1.11.9
Date: Sat, 24 Jun 2017 11:42:16 GMT
Content-Type: text/html
Content-Length: 173
Last-Modified: Sat, 24 Jun 2017 06:10:51 GMT
Connection: keep-alive
ETag: 594e026b-ad
X-MESSAGE: HELLO TMCTF, we sell this domain 10,000 JPY!
Accept-Ranges: bytes

I ended up doing a traceroute www.pokemongolegendaryclaim.com which led to 160.16.226.39, which called itself mocos.kitchen

You can spend some time following this rabbit hole if you want, but I’ll tell you now that it does not lead to the flag.

Oops, let’s get back on track

Using the email address provided [email protected], and the hunting on tyage’s webpages that I did, I decided I should also check flickr, lo and behold he had an account.

https://www.flickr.com/photos/150839077@N03

Using the name provided here, Manolito Taburnek, let’s search google and Google Plus. This led to the following links:

Maybe this g+
https://plus.google.com/101710284495299138820

Maybe this one, they are both suspicious
https://plus.google.com/108586041295363265969

http://hedgehug2014.info/
125.212.43.55

$ whois hedgehug2014.info
[...]
[email protected]

A little hunting pointed me to hedgehog2014.info as another domain owned by [email protected].

From here, I took the second google plus account I saw, where all the random pictures were being posted with letters, and I tried each of those letters as subdomains against hedgehog2014.info. This did not yield anything, but it was worth a shot.

Finally, I take those same sets of letters and try them as urls after the .info

F2489SFKJKS35 HSAKJF3859035 LDFGDSKLGS332 34GDHF594O92J 24JVO92KFDFD SOO32KDOSGFG D8921O3SNFJSFX DSGDSGVC5436 ZQO3581OFFKJF S9832943654V

By the third one I looked at, I was rewarded with the flag. http://hedgehog2014.info/LDFGDSKLGS332

Flag

TMCTF{ThreatDefenders37859}