Jun 24, 2017 - TMCTF : MISC 200

Author: dade

Publish Date: 2017-06-24

Category: Misc

Points: 200


A scenario of Pokemon Go hacking has been circulating on the internet. It is reported that the attacker is riding on the upcoming Pokemon Go summer events. The attacker has crafted a socially engineered email containing a message that promises to instantly get a random Legendary Pokemon in their Pokemon Go account if the user clicks on the link and then registers their Pokemon Go username and password.

Based on previous investigations, it was found that the attacker was saving all collected information in his email account. Given a sample of the malicious email, your team is tasked to find the password (flag) of the attacker's email account. The password is located on one of his websites, thus requiring you to use your OSINT investigation skills.

1. Find the attacker's domain using the mail sample. 
2. Then, you need to find his real name in one of his social media accounts. 
3. Finally, the path is posted in one of his social media accounts. 
Download the file
Decrypt the downloaded file by the following command.

> openssl enc -d -aes-256-cbc -k cCO6kBV3YDBdfNCx0HmN -in files22.enc -out files22.zip -md md5
> unzip files22.zip


I wasted many hours hunting down @Tyage when he registered pokemongolegendaryclaim.com. It was almost like a little mini-ctf on the side, except it just slowed me down from getting the actual answer. Well played, binja.


When we look at the email in this pcap, we see a number of interesting things that I quickly took note of:

Domains of potential interest:

  • skyreward.net
  • pokemongolegendaryclaim.com

Emails of interest:

I started with the obvious leads and ruled out either email address having a Facebook, Twitter, MySpace, LinkedIn, or Gmail account.

I checked the whois on both skyreward.net and pokemongolegendaryclaim.com and didn’t think much else.

I checked the http headers for both websites, and this is where I should have noticed the binja trickery, when I got this response:

HTTP/1.1 200 OK
Server: nginx/1.11.9
Date: Sat, 24 Jun 2017 11:42:16 GMT
Content-Type: text/html
Content-Length: 173
Last-Modified: Sat, 24 Jun 2017 06:10:51 GMT
Connection: keep-alive
ETag: 594e026b-ad
X-MESSAGE: HELLO TMCTF, we sell this domain 10,000 JPY!
Accept-Ranges: bytes

I ended up running traceroute www.pokemongolegendaryclaim.com, which led to a host that called itself mocos.kitchen.

You can spend some time following this rabbit hole if you want, but I’ll tell you now that it does not lead to the flag.

Oops, let’s get back on track

Using the email address provided, [email protected], and the hunting on tyage's webpages that I did, I decided I should also check Flickr, and lo and behold he had an account.

https://www.flickr.com/photos/[email protected]

Using the name provided here, Manolito Taburnek, let's search Google and Google Plus. This led to the following links:

Two Google Plus profiles turned up for that name; both looked suspicious.


$ whois hedgehog2014.info
[email protected]

A little hunting pointed me to hedgehog2014.info as another domain owned by [email protected].

From here, I took the second Google Plus account I saw, where random pictures with strings of letters were being posted, and I tried each of those strings as a subdomain of hedgehog2014.info. This did not yield anything, but it was worth a shot.

Finally, I take those same strings and try them as paths after the .info.


By the third one I looked at, I was rewarded with the flag. http://hedgehog2014.info/LDFGDSKLGS332
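The two rounds of guessing above (every token as a subdomain, then as a path) are easy to automate. The following is an added example written for this writeup, not the author's tooling: it expands each token into both interpretations, probes them, and keeps anything that answers 2xx/3xx together with any non-standard X- headers (the kind of place the X-MESSAGE taunt on the parked domain showed up). The tokens ABCDE and the fake responses are constructed fixtures so it runs offline; only LDFGDSKLGS332 and hedgehog2014.info come from the writeup.

```python
"""Try OSINT tokens both as subdomains and as URL paths of a target domain.

Added example for this writeup, not the author's code. FAKE_RESPONSES and the
sample tokens are constructed stand-ins for the Google Plus strings, which
are not reproduced on the page.
"""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher returns (HTTP status, lower-cased headers); status 0 means the
# request never got an HTTP answer (DNS failure, connection refused, timeout).
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def probe_targets(domain: str, tokens: Iterable[str]) -> List[Tuple[str, str]]:
    """Expand each token into TOKEN.domain (subdomain) and domain/TOKEN (path)."""
    targets = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        # DNS labels are case-insensitive; URL paths are not, so keep the path as posted.
        targets.append(("subdomain", f"http://{tok.lower()}.{domain}/"))
        targets.append(("path", f"http://{domain}/{tok}"))
    return targets


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """Live fetcher: one HEAD request, never raising on HTTP or network errors."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "osint-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry headers worth seeing (e.g. a custom X- header on a 404).
        return err.code, {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, socket.timeout, OSError):
        return 0, {}


def custom_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Non-standard X- headers, like the X-MESSAGE seen on the parked domain."""
    return {k: v for k, v in headers.items() if k.startswith("x-")}


def probe(domain: str, tokens: Iterable[str], fetch: Fetcher = http_fetch
          ) -> List[Tuple[str, str, int, Dict[str, str]]]:
    """Return every target that answered 2xx/3xx, with its custom headers."""
    hits = []
    for kind, url in probe_targets(domain, tokens):
        status, headers = fetch(url)
        if 200 <= status < 400:
            hits.append((kind, url, status, custom_headers(headers)))
    return hits


# Constructed offline fixture standing in for the real server's responses.
FAKE_RESPONSES = {
    "http://hedgehog2014.info/LDFGDSKLGS332": (200, {"server": "nginx/1.11.9", "x-message": "constructed"}),
    "http://hedgehog2014.info/ABCDE": (404, {"server": "nginx/1.11.9"}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline fetcher: unknown subdomains fail DNS (status 0), unknown paths 404."""
    if url in FAKE_RESPONSES:
        return FAKE_RESPONSES[url]
    return (0, {}) if url.endswith(".hedgehog2014.info/") else (404, {})


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run it for real.
    for hit in probe("hedgehog2014.info", ["ABCDE", "LDFGDSKLGS332"], fetch=fake_fetch):
        print(hit)
```

Treating DNS failure (status 0) and a real 404 differently matters here: a wildcard DNS record would make every subdomain guess resolve, so a subdomain hit is only meaningful when the path variant of the same token does not also answer.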



Jun 24, 2017 - TMCTF : OSINT 300

Author: dade

Publish Date: 2017-06-24


Points: 300


Within the ICS environment there has been some odd behavior with one of the network switches. You have asked your Network Administrators to see if they could pull some traffic from their packet capture solution. They dug into the issue and couldn't make sense of what's going on, but think that there may be an attacker that has figured out a backdoor into the system based on an SSH connection.

Figure out how the attacker was able to exploit the system, and utilize the backdoor to SSH into the system.

To submit the flag, you'll have to wrap the backdoor into TMCTF{}

Download the file (https://s3-ap-northeast-1.amazonaws.com/trendmicro-ctf-2017/2VjxmQSdV3uBQvReFLea/files19.enc)
Decrypt the downloaded file by the following command.

> openssl enc -d -aes-256-cbc -k lnlzeirDTOWxKBdpBTsz -in files19.enc -out files19.zip
> unzip files19.zip


Once we've got a pcap, I got started by exporting HTTP objects in Wireshark (File > Export Objects > HTTP). One thing I noticed in the HTTP streams is a file named exploit.tar.gz. Let's look at that conversation and export the data as raw from Wireshark.

Once we've extracted that, we can run tar zxvf exploit.tar.gz, and one of the more interesting files that popped out was /etc/passwd.

The obvious thing that stands out in /etc/passwd is this line: a second UID 0 / GID 0 account with a shell, and its password hash sitting in /etc/passwd itself rather than in /etc/shadow:

TMCTF:MFzbJnLcqzlvo:0:0:Hold the backdoor:/home/admin:/bin/sh

Let's take that hash, which from its 13-character form is probably traditional DES crypt(3), and run it through John the Ripper (the cracked results below are shown the way john --show prints them).

john --wordlist=/usr/share/wordlists/rockyou.txt ./etc/passwd
admin:wibble:101:101:Switch Administrator:/home/admin:/usr/local/bin/adminsh
cli:wibble:102:101:Switch Administrator CLI:/home/admin:/usr/local/bin/cfgcli
TMCTF:odagirih:0:0:Hold the backdoor:/home/admin:/bin/sh
sertest:NO PASSWORD:99:99:Factory Test:/:/usr/local/bin/loopsertest /dev/ttyS00

Hmm, let’s try TMCTF{odagirih}.

No luck with that. I wonder if the password was meant to be longer and it got truncated: traditional DES crypt builds its 56-bit key from the low 7 bits of each of the first 8 password characters, so anything past the eighth character is silently ignored, and "odagirih" is exactly 8 characters long.

$ grep odagirih /usr/share/wordlists/rockyou.txt
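To make the truncation concrete, here is an added example written for this writeup (not the author's code). It reproduces only the part of crypt(3) that throws data away, the 8-byte DES key built from the password, and uses it to pull every wordlist entry the hash cannot distinguish from the cracked value. The wordlist is a constructed stand-in for rockyou.txt; the entries other than odagirih are made up.

```python
"""Why an 8-character DES crypt(3) result may be a truncated password.

Added example for this writeup, not part of the original page. SAMPLE_WORDLIST
is constructed; only "odagirih" comes from the john output above.
"""
from typing import Iterable, List

DES_KEY_CHARS = 8  # crypt(3) never looks past the 8th character


def des_crypt_key(password: str) -> bytes:
    """Build the 8-byte DES key exactly as traditional crypt(3) does.

    Each of the first 8 characters contributes its low 7 bits, shifted left
    by one so the byte's low bit (DES's parity bit) is zero: 8 x 7 = 56 key
    bits. Shorter passwords are zero-padded; longer ones are silently cut.
    """
    key = bytearray(DES_KEY_CHARS)
    for i, ch in enumerate(password.encode("utf-8")[:DES_KEY_CHARS]):
        key[i] = (ch & 0x7F) << 1
    return bytes(key)


def same_des_hash(a: str, b: str) -> bool:
    """True when crypt(3) would hash a and b identically under any salt."""
    return des_crypt_key(a) == des_crypt_key(b)


def colliding_candidates(cracked: str, wordlist: Iterable[str]) -> List[str]:
    """Wordlist entries that crypt(3) cannot tell apart from the cracked value.

    John reports the (at most 8) characters that reproduced the hash; every
    entry sharing that 56-bit key is an equally valid crack, and the CTF may
    be after one of the longer ones.
    """
    target = des_crypt_key(cracked)
    return [w for w in wordlist if des_crypt_key(w) == target]


# Constructed wordlist standing in for rockyou.txt (entries are made up).
SAMPLE_WORDLIST = ["odagiri", "odagirih", "odagirih123", "Odagirih", "odagirihABC"]

if __name__ == "__main__":
    print(colliding_candidates("odagirih", SAMPLE_WORDLIST))
```

The case-changed and 7-character entries fall out because their keys differ in at least one byte; the two longer entries survive because their ninth and later characters never reach DES. On a system whose libcrypt still supports DES, perl -e 'print crypt($ARGV[0], "MF"), "\n"' odagirih123 gives the same 13-character string as the bare odagirih, which is the effect the grep above is hunting for.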



Jun 24, 2017 - TMCTF : OSINT 200

Author: dade

Publish Date: 2017-06-24


Points: 200


A customer suspects that his email account is being targeted to be hacked. He has asked you to investigate and trace his attacker's real name (flag).

During your talk, he mentioned a suspicious email that he received about a bank transfer from someone he doesn't know. He actually tried to investigate by himself and found out the email was crafted to hide the real sender. He was able to go as far as finding a related facebook account by adding "tmctf" to the name he found from the email and that was as far as he got. Unfortunately he deleted the email after this, thinking it was just a random phishing email. He provided you with pcap logs from his machine to start your investigation.

ZIP password : virus

Download the file (https://s3-ap-northeast-1.amazonaws.com/trendmicro-ctf-2017/Pi1T3ou0CquyBbYosgng/files18.enc)
Decrypt the downloaded file by the following command.
> openssl enc -d -aes-256-cbc -k PYJU8G1k0fNKwacSJghz -in files18.enc -out files18.zip -md md5
> unzip files18.zip


Let's start by running unzip pcap_record.zip (the ZIP password is virus). Loading up the pcap in Wireshark, you can filter on pop and look at the mail traffic.

Looking through the mail packets, we can see that tcp.stream eq 307 looks interesting. Let's follow that stream.

We’re told that there’s a facebook page related, so let’s search for mario dboro tmctf on facebook.

From here we can see he belongs to tmctfcommunity, so let’s message that page and see what happens.

“Thanks for messaging us. You are half way in your challenge. In order to proceed, you need to find the magic string “854FJD922KA” in social media post. Goodluck!”


I searched facebook for this string with no luck. So I took to twitter, my favorite social media network. I made the following google query: site:twitter.com "854FJD922KA", which yielded https://twitter.com/dboro18673.

There were many tweets that were possibly interesting here, and I’ll let you know that I certainly exhausted every single one of those links.

Tweets of Interest

“the account of Mr. Johnson is CVD12345”

This link (goo.gl/bO9wfS) takes us to https://pastebin.com/71KhaaMK

The pastebin was posted by Johndeculayan. Email address of interest from its contents: [email protected]

He links to this website http://texttt-01.super-schlank2013.org/

“a lot of people has voted for this man http://bit.ly/11eJDlt”

List of possible names

I was keeping a running list of possible names that this person could be, as well as a note to remind me where that name came from.

Liz Fanning Holdorf (fake email name)
Mario Dboro (facebook name/email name)
Mikhailov Kosovo (twitter name)
Jon Rebutang (pastebin contents)
John Deculayan (pastebin username)
Mr. Johnson

After like 2 hours of banging my head against the keyboard, I realized that I hadn't seen any LinkedIn yet tonight, and so I took to LinkedIn.

Now we have Jon Kravitsky Rebutang, let’s give that a shot as the flag.


TMCTF{Jon Kravitsky Rebutang}