[CSAW-2012 Quals Recon]

There were 5 Recon challenges at CSAW CTF 2012. Each challenge gave us a link to a Google search pre-filled with a name and surname (like Jordan Wiens); in one challenge it was filled with a nickname.

The first Recons opened were Jordan Wiens, Jeff Jarmoc and Julian Cohen. All of them were Recon100 tasks. We found that the CSAW website had a page named judges, where photos and some information about these people were stored. The first thing we tried was to download the pictures of these people and examine them for hidden information. And BINGO! We found a comment in Jeff Jarmoc’s photo:

After some googling we found that finger is a simple network protocol for exchanging human-oriented status and user information.

So the key for Recon100-2 was:

does anyone still use finger?

Unfortunately, we didn’t find anything else in the judges’ photos. So we tried to Google Jordan Wiens. We found his Twitter – https://twitter.com/psifertex. He had a strange status, but we didn’t find any clue in it. So we tried to Google his nickname – psifertex. The first link was his Twitter and the second was the website – http://psifertex.com/. It told us:

Nothing to see here, move along.

So the first attempt was to search for directories on this website with the help of DirBuster. It found a lot of files and folders but nothing of use. We tried the “csaw” folder and succeeded (http://psifertex.com/csaw/). There was the second clue:

Some Understanding Becomes Dominant On Manipulation And Inquisitive Naming

Don’t bother brute forcing file paths, you’ll never find it that way.

The first letters of each word in the first sentence combine into “subdomain”. We tried some obvious words like “flag” and “key” and found http://key.psifertex.com/

So the key was:

secret sonambulist

Next was Recon100-3, Julian Cohen. His nickname on Twitter was HockeyInJune. We found the Wikipedia user HockeyInJune and took a look at his revisions: https://en.wikipedia.org/wiki/User:HockeyInJune. Then we took a look at his contributions: https://en.wikipedia.org/wiki/Special:Contributions/HockeyInJune. And clicked the arrow in this line:

03:34, 29 September 2012 (diff | hist) . . (+62)‎ . . User talk:HockeyInJune ‎ (→‎You don’t like roosters? :(: new section)

And got a link to the http://cockcab.com/ website =) The key was under the image:

The_first_step_of_owning_a_target_is_recon.

Okay. It was also the answer to Trivia100-1:

What is the first step of owning a target?

The answer was:

recon

Then on the second day two new Recon tasks were added: Dan Guido and Yoda. Both were Recon400. And there was a hint at the top of the page:

Hint for Recon: Lots of judges really like Reddit.

The question for Dan Guido was:

What are Dan Guido’s two favorite foods?

So we searched for Dan Guido’s profile on Reddit and found it – http://www.reddit.com/user/dguido. After some looking around and googling we found a comment in this thread: http://www.reddit.com/r/netsec/comments/10kxoo/securitywatch_chats_with_dan_guido_ceo_of_trail/ which says:
http://m1sa.ru/csaw2012/salami.png

So the key for this task was:

salami and cheese

And the last Recon was Yoda. We took a look at the judges page – https://csawctf.poly.edu/judges/. We found that there is no image for John Terrill, and that his information mentions “elite X-Force”:
http://m1sa.ru/csaw2012/terrill.png
http://m1sa.ru/csaw2012/terrill1.png

But there we got stuck. So we took a look at IRC, where the judges were administrators, and wrote this command in the #CSAW channel:

And got the answer from the server:

The key:

hockey lock outs mean probably april

 

 

One thought on “[CSAW-2012 Quals Recon]”

  1. I do not know whether it’s just me or if everybody else is encountering problems with your blog.
    It appears as though some of the written text within your posts is running
    off the screen. Can somebody else please comment and let me
    know if this is happening to them too? This might be an issue with my browser because I’ve had this happen previously.
    Thanks
