|=-----------------------------------------------------------------------=|
|=------------------=[ 2013 CSAW Quals - Recon Writeup ]=----------------=|
|=----------------------------=[ wwong@RPISEC ]=-------------------------=|
|=-----------------------------------------------------------------------=|


--[ Intro

Here we go: another year of CSAW with another set of judges to stalk.


--[ Alexander Taylor (fuzyll)

If there's one thing to learn after a few years of CTFing, it's to always
check metadata. The judges have been known to hide stuff in their Judges'
Page photos before.

So, a quick check on regex.info/exif.cgi on fuzyll's photo shows three PNG
chunks with "textual data." When we open the file up, we see the text
chunks, but no key. Aside from the standard PNG chunks (IHDR, IDAT, etc.),
though, there are some non-standard chunks named xork and ktxt. From the
looks of it, these are a xor key and the key text.

Using a hex editor (or dd), we can simply carve the two chunk payloads out
of the file and xor them together. Boom, key.


--[ Julian Cohen (HockeyInJune)

Julian Cohen seems to have a thing for animals. After making cockcab, he's
branched out and spread some links on Twitter and Wikipedia (maybe more).

http://twitter.com/HockeyInJune
  - Check out my new website: http://catsoncupcakes.com/

http://en.wikipedia.org/wiki/User:HockeyInJune
  - Check out my new website: http://omnom.nom.co/

So, let's see what else we can find on these sites. A DNS query on all
three of the sites returns the same IP: 23.23.196.37. To serve all of them
from one IP, the web server is almost certainly using name-based virtual
hosts, picking the site from the Host header of each request. Depending on
the config, browsing to the IP address instead of a domain name (so the
request carries no Host header the server recognizes) lands the client on
the default vhost, which can be a different site entirely. In this case, we
get a site with terrifying HockeyInJunes with lasers and a coveted flag.


--[ Jordan Wiens (psifertex)

Alright, this one is an exercise in web search. First, Michael Vario
apparently signed some PGP keys. It's kind of a big deal. So where does that
lead us? PGP public keys can be uploaded to a public keyserver, so let's see
if we can find psifertex's:

  Go to http://hockeypuck.gazzang.net/
  Search for Jordan Wiens and scroll down.

Dat key, doe.


--[ Kevin Chung (codekevin)

One of my friends once made a remark that went: if you're one in a million
in China, there are a thousand people just like you. Well, the first page
of Google results kind of confirms that. Bing doesn't fare much better.

So, if we head back to the Judges' Page, we see that Kevin competed in and
won the CSAW High School Forensics challenge. When we browse the CSAW web
site, we can find a section dedicated to previous HSF winners. Kevin
Chung's name is the only one with a link on the whole page. We can follow
that to a key.


--[ Historypeats

Click on the link to his Google search query, click on his GitHub profile,
go to Public Activity, and take a look at the most recent commit:

  a31512a Removed comments.

Another key down.


--[ Brandon Edwards (Dr. Raid)

Pretty much the same as before. This one was a little trickier because
GitHub wasn't on the first page of results and his profile has zero public
repos. Even so, we see a commit in his Public Activity feed where he removed
some content from his GitHub page. That content being a key.


--[ Odin

I don't know too much about Odin; I just remember way overthinking his
challenge from CSAW Finals last year. The Google search is profoundly
unhelpful and I don't know his real name, so the Judges' page isn't all
that helpful, either. I do remember seeing him in IRC, so maybe we can grab
some useful info from a /whois.

03:53 [isis] -!- snOwDIN [~o@ISIS-B0CFAD3E.com]
03:53 [isis] -!-  ircname  : linkedin:chinesespies
03:53 [isis] -!-  channels : @#csaw
03:53 [isis] -!-  server   : isis.poly.edu [ISIS IRC Server]
03:53 [isis] -!-           : is using a Secure Connection
03:53 [isis] -!-  idle     : 0 days 4 hours 55 mins 26 secs [signon: Thu Sep 19 15:04:20 2013]
03:53 [isis] -!- End of WHOIS

That ircname leads us to http://www.linkedin.com/in/chinesespies

Sure enough, the LinkedIn profile exists. It's a bit easier to tell where
the key ends if you log out.


--[ Theodore Reed (Theopolis)

This guy. This took way too long to track down.

Go to his projects. Check out the video under "embedded trust." Once the
YouTube page loads, unhide the comments at the bottom and unhide the "spam"
comment (y'all CTFers are assholes). There's our 8th and final recon flag.


--[ ACK

Thanks again to the CSAW organizers and judges, and congrats on the decade
of CSAW! Here's to another successful 10 years!
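--[ Appendix: carving the xork/ktxt chunks without a hex editor

The fuzyll step above is done by hand with a hex editor or dd. Below is an
added example (my own code, not part of the original writeup and not
fuzyll's file) that does the same thing by walking the PNG chunk table:
each chunk is a big-endian 4-byte length, a 4-byte type, the payload, and a
CRC32 over type+payload, so you never have to guess offsets. It verifies the
CRCs, flags chunk types the spec doesn't define, decodes the case bits of a
type name, and xors the two private chunks together. The photo itself is
not reproduced, so the script builds a constructed 1x1 PNG carrying chunks
named xork and ktxt; the contents of those chunks, the key text, and the
assumption that a shorter xor key is repeated across a longer text are all
mine, not the challenge's.

```python
import struct
import zlib
from itertools import cycle

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG spec (critical + ancillary). Anything else
# is a private chunk and is exactly what a CTF recon challenge would hide in.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND",
    "cHRM", "gAMA", "iCCP", "sBIT", "sRGB", "bKGD", "hIST", "tRNS",
    "pHYs", "sPLT", "tIME", "iTXt", "tEXt", "zTXt",
}


def make_chunk(ctype, payload):
    """Build one PNG chunk: length, type, payload, CRC32(type + payload)."""
    ctype = ctype.encode("ascii")
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data):
    """Yield (type, payload, crc_ok) for every chunk, stopping at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype.decode("latin-1"), payload, crc_ok
        pos = end + 4
        if ctype == b"IEND":
            break


def chunk_properties(ctype):
    """Decode the case bit (bit 5) of each letter of a chunk type name."""
    return {
        "ancillary": ctype[0].islower(),        # decoder may ignore it
        "private": ctype[1].islower(),          # not registered with the spec
        "reserved_bit_set": ctype[2].islower(),  # must be 0 in conforming files
        "safe_to_copy": ctype[3].islower(),
    }


def nonstandard_chunks(data):
    """Map type -> payload for every chunk the spec does not define."""
    return {t: p for t, p, _ in png_chunks(data) if t not in STANDARD_CHUNKS}


def xor_bytes(text, key):
    """XOR text with key; the key is repeated if it is shorter (assumption)."""
    if not key:
        raise ValueError("empty key")
    return bytes(a ^ b for a, b in zip(text, cycle(key)))


def recover_key(data, key_chunk="xork", text_chunk="ktxt"):
    """Carve the two private chunks out of a PNG and xor them together."""
    extra = nonstandard_chunks(data)
    return xor_bytes(extra[text_chunk], extra[key_chunk])


# Constructed sample data; this is not fuzyll's photo or the real key.
SAMPLE_PLAINTEXT = b"constructed sample key text"
SAMPLE_XOR_KEY = b"sample-xor-key"


def build_sample_png():
    """A minimal 1x1 grayscale PNG with a tEXt chunk plus xork and ktxt."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                    # filter byte + pixel
    return (PNG_SIGNATURE
            + make_chunk("IHDR", ihdr)
            + make_chunk("tEXt", b"Comment\x00nothing to see here")
            + make_chunk("xork", SAMPLE_XOR_KEY)
            + make_chunk("ktxt", xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_XOR_KEY))
            + make_chunk("IDAT", idat)
            + make_chunk("IEND", b""))


if __name__ == "__main__":
    png = build_sample_png()
    for t, p, ok in png_chunks(png):
        flags = "" if t in STANDARD_CHUNKS else chunk_properties(t)
        print("%s %5d bytes crc_ok=%s %s" % (t, len(p), ok, flags))
    print(recover_key(png))
```

To run it against a real file, replace build_sample_png() with the bytes of
the image. Two things worth noticing: a bad CRC on a chunk usually means the
payload was edited after the fact, which is itself a hint, and a lowercase
third letter (as in xork and ktxt) sets the reserved bit the spec says must
be clear, which is why image viewers silently skip such chunks and tools
like exif.cgi are needed to notice them at all.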