Aperi’CTF 2019 - Hey DJ
Challenge details
Event | Challenge | Category | Points | Solves |
---|---|---|---|---|
Aperi’CTF 2019 | Hey DJ | OSINT | 175 | 4 |
Votre ami vous assure que sa compositrice préférée Twisore
garde son identité secrète. Prouvez-lui le contraire en investiguant.
Le flag est sous la forme APRK{SHA1(NOMPRENOM)}
.
Par exemple, si l’artiste s’appelle Foo BAR
, alors le flag serait APRK{f100629727ce6a2c99c4bb9d6992e6275983dc7f}
.
Note: Il s’agit d’un challenge réaliste.
Credits: Compositeur original des morceaux - LIND (ne fait pas partie du challenge)
TL;DR
Search for the profile on soundcloud , download the available files. Run exiftool
on it and get the name from metadata. Second part is to send a mail to twisore999@gmail.com (in the description). We’ll get an automatic answer containing the first name.
Methodology
Social Network
Since Twisore
is an artiste, I’ll try to look for her on differents social networks such as… soundcloud !
I search the pseudo Twisore
on the website and got one artist: Twisore.
Search URL : https://soundcloud.com/search/people?q=Twisore
Profile:
Informations gathering
First of all, we got an email address in the profile description: twisore999@gmail.com.
After listening to the sounds we do not get any information.
We can notice that two of the five sound can be download: Concealed(edit Short)
and Nephelim (preview)
(see here “Télécharger un fichier” in French).
We download the files (need to be connected) and got 2 files: - Twisore - Concealed(edit short).mp3 - Twisore - Nephelim (preview).mp3
I ran exiftool on the two files to check for metadata:
exiftool "Twisore - Concealed(edit short).mp3"
ExifTool Version Number : 10.40
File Name : Twisore - Concealed(edit short).mp3
Directory : .
File Size : 8.5 MB
File Modification Date/Time : 2019:05:06 17:04:53+02:00
File Access Date/Time : 2019:05:06 17:04:58+02:00
File Inode Change Date/Time : 2019:05:06 17:04:53+02:00
File Permissions : rwxrwxr-x
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 320 kbps
Sample Rate : 44100
Channel Mode : Joint Stereo
MS Stereo : On
Intensity Stereo : Off
Copyright Flag : True
Original Media : True
Emphasis : None
ID3 Size : 56009
Picture MIME Type : image/jpeg
Picture Type : Front Cover
Picture Description :
Picture : (Binary data 53799 bytes, use -b option to extract)
Title :
Artist :
Album :
Year :
Comment :
Genre : None
Duration : 0:03:41 (approx)
No information on this one, lets check the other one:
exiftool "Twisore - Nephelim (preview).mp3"
ExifTool Version Number : 10.40
File Name : Twisore - Nephelim (preview).mp3
Directory : .
File Size : 1463 kB
File Modification Date/Time : 2019:05:06 15:26:43+02:00
File Access Date/Time : 2019:05:06 15:26:47+02:00
File Inode Change Date/Time : 2019:05:06 15:26:43+02:00
File Permissions : rwxrwxr-x
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 320 kbps
Sample Rate : 44100
Channel Mode : Joint Stereo
MS Stereo : On
Intensity Stereo : Off
Copyright Flag : True
Original Media : True
Emphasis : None
ID3 Size : 56086
User Defined Text : (PATH) C:\Users\J.MOORE\My Music
Picture MIME Type : image/jpeg
Picture Type : Front Cover
Picture Description :
Picture : (Binary data 53799 bytes, use -b option to extract)
Title :
Artist :
Album :
Year :
Comment :
Genre : None
Duration : 0:00:36 (approx)
We got a “PATH” tag:
User Defined Text : (PATH) C:\Users\J.MOORE\My Music
In this path we can recover the name: MOORE
and the first letter of the firstname: J
.
First Name
We can now have a look to the email addresse we found: twisore999@gmail.com. Sadly, there is no information about this addresse on internet. It is time force social engineering ! Let’s send our best email to get in touch with the composer:
I wait a few seconds and got an automatic response:
And that’s it, the composer just gave us her name: Julietta
Compute the Flag
echo -n "MOOREJULIETTA" | sha1sum
a445a4b4e031c3b7c933a5b28ea825bccbe86da5
Flag
APRK{a445a4b4e031c3b7c933a5b28ea825bccbe86da5}