b00t2root CTF OSINT Writeup
This is my writeup for the b00t2root CTF OSINT challenges. Kudos to the creator Rasput1n for adding a bit of spice to the challenges by making users interact with a Discord bot to get the flags after finding each target.
Challenge 1 - Target 1
As the challenge description mentions, we have to contact the Discord bot and type ^info.
Once we give the input, the bot gives us a hint for the first target.
Once we find the Instagram account, we see many pictures, and one of them mentions a URL: cutt.ly/ig7THmY. The URL takes us to Google Drive with a .wav audio file which, on listening, one can recognise as Morse code.
Using an online Morse audio decoder, we get the following: FELIPEANTONE.
On presenting this to the Discord bot, we get our first flag and also a hint for the next target.
FLAG- b00t2root{m0rs3_d3cod3r_i5_fun}
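Decoding the Morse .wav from challenge 1 does not need an online service. The block below is an added example, not code from this writeup or from the challenge author: it synthesises a constructed tone signal in place of the real .wav (assumed 8 kHz sample rate, 700 Hz tone, 60 ms per Morse unit) and recovers the text by envelope detection and run-length timing, which is exactly what an audio Morse decoder does.

```python
import math

# International Morse table for letters (enough for the challenge's all-caps answer).
MORSE = {'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
         'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
         'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
         'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
         'Y': '-.--', 'Z': '--..'}
FROM_MORSE = {code: letter for letter, code in MORSE.items()}

RATE = 8000   # samples per second (constructed; a real .wav carries its own rate)
UNIT = 0.06   # seconds per Morse unit (constructed keying speed)

def synth(text, freq=700.0):
    """Constructed stand-in for the challenge's .wav: float PCM samples of `text` keyed in Morse."""
    # One character per Morse unit: '1' = tone, '0' = silence (gaps of 1, 3 and 7 units).
    keyed = '0000000'.join('000'.join('0'.join('1' if s == '.' else '111' for s in MORSE[c])
                           for c in word) for word in text.split())
    per_unit = int(UNIT * RATE)
    return [math.sin(2 * math.pi * freq * i / RATE) if keyed[i // per_unit] == '1' else 0.0
            for i in range(len(keyed) * per_unit)]

def decode(samples, window=40, threshold=0.1):
    """Envelope-detect the tone, run-length encode on/off, then map the runs back to text."""
    # 1. A window is "on" when its peak amplitude exceeds the threshold.
    on = [max(abs(s) for s in samples[i:i + window]) > threshold
          for i in range(0, len(samples), window)]
    # 2. Run-length encode into [state, length_in_windows].
    runs = []
    for state in on:
        if runs and runs[-1][0] == state:
            runs[-1][1] += 1
        else:
            runs.append([state, 1])
    # 3. The shortest "on" run is one unit; classify every run relative to it.
    unit = min(length for state, length in runs if state)
    morse = ''
    for state, length in runs:
        u = round(length / unit)
        if state:
            morse += '.' if u < 2 else '-'
        elif u >= 5:
            morse += ' / '                        # word gap (nominally 7 units)
        elif u >= 2:
            morse += ' '                          # letter gap (nominally 3 units)
    return ' '.join(''.join(FROM_MORSE.get(code, '?') for code in word.split())
                    for word in morse.split(' / ')).strip()
```

For a real recording, replace synth() with samples read through the standard wave module and scaled to [-1, 1]; the window size only needs to stay well below one Morse unit.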
Challenge 2 - Target 2
Under the flag for Target 1, we can see a hint asking us to look at the Twitter account with the same name.
On analyzing the Twitter account, we see the user has tried to edit the wiki page of the famous fictional character Red John.
On checking the revision history of the Red John wiki page and diffing the revisions, we see our user has added another short URL, which points to an image named missle.png.
On analyzing the image with an online steganography service or tools like stegoveritas, we get the hidden string and our Target 2: BENJAMINNETANYAHU.
Giving the string to the Discord bot, we get the flag for Target 2 and the next hint.
FLAG- b00t2root{1nf0rmat10n_1n_pl@in_5ight}
Challenge 3 - Target 3
For challenge 3 there are two methods: the method intended by the author, and an out-of-the-box method which I used to get the flag before the challenge went online.
I’ll start with the intended method. As the clue tells us, we need to check the Wayback Machine archives for clues. Looking at the Wayback Machine archive of the Twitter page, we can see a tweet that is no longer available on the live page:
Critical op intel on reddit. Give it a look
On doing a DuckDuckGo search for the username redjohn190989, we get a Reddit post mentioning the same keywords as the tweet.
We see a Pastebin which is password-locked and needs a date to unlock it. The only two dates we see are the one in the username and the birthday on the Reddit profile.
So I tried the two dates and realised the author had used a different format. I then tried the usual formats: dd.mm.yyyy/dd-mm-yyyy, dd-mmm-yyyy/dd.mmm.yyyy and dd.mm.yy/dd-mm-yy. Luckily the format was dd-mm-yy; the password was 19-09-89.
On unlocking the Pastebin, we get coordinates of a location whose health minister is the target.
The location is Brisbane and the health minister is Yvette D’Ath. We get the flag for Target 3 from the Discord bot.
FLAG- b00t2root{m@st3r_0f_0s1nt}
Out-of-the-box method
I had initially found the Reddit post, as mentioned, by searching on DuckDuckGo, and it said the user was researching the new health minister of a place, but the place was not named.
The only information I had at the time was the Instagram account and a few pictures. From the pictures I knew the location was Australia (kangaroos, of course :-) ). But I wanted the exact location, and there were two pictures which looked interesting (the Brisbane centre picture was later deleted by the author); the other picture gave two regions in a Yandex reverse image search: Canberra and Queensland.
On googling the new health minister for Queensland/Brisbane, we get the name Yvette D’Ath, which is the same input for the Target 3 flag.