recon1 & recon2

9447 CTF Misc Challenge: 140pts & 190pts

Challenge Description:

RECON 1 "Someone has attacked your site. We have attached a log collected from the time of the attack."

RECON 2 "Find the attacker's full name. See attached file on Recon 1."

Material:

Solution:


Recon 1

1) Analyze the logs

   Sifting through the logs for IP addresses, we see a lot of uninteresting POST requests to the login page.
   However, the IP 192.241.254.77 is accessing the admin page - far more interesting!

2) Accessing the site

   The IP we found in the log files resolved to www.williestoleyour.pw, which is unfortunately just a generic site template.
   Using the Internet Archive's Wayback Machine, we see that the site previously contained useful information:
   an email address, "info@dynamiclock.pw".

3) Using the email

   Going to the email's domain, dynamiclock.pw, and scrolling down the page, we get the flag.
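The log triage in step 1 of Recon 1 is easy to do by hand on a small file, but the same question (which client touched the admin area, and which client was hammering the login form) is what you would ask of any access log during an incident. The script below is an added example, not part of the original writeup or the challenge files: it parses Apache/nginx combined-format lines, summarises activity per client IP, and flags clients that requested anything under /admin or repeatedly POSTed to the login page. The log lines in SAMPLE_LOG are constructed for the example; only the 192.241.254.77 address comes from the writeup, and the paths, timestamps and other addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format (not the challenge's actual log file).
# 192.241.254.77 is the address named in the writeup; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Nov/2015:10:01:07 +0000] "POST /login.php HTTP/1.1" 200 312 "-" "python-requests/2.7"
203.0.113.9 - - [14/Nov/2015:10:01:08 +0000] "POST /login.php HTTP/1.1" 200 312 "-" "python-requests/2.7"
203.0.113.9 - - [14/Nov/2015:10:01:09 +0000] "POST /login.php HTTP/1.1" 200 312 "-" "python-requests/2.7"
192.241.254.77 - - [14/Nov/2015:10:02:31 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.241.254.77 - - [14/Nov/2015:10:02:40 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Nov/2015:10:03:00 +0000] "GET /about.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + path), status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_ip(entries):
    """Per client IP: request count, distinct paths, and whether /admin was touched."""
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "admin": False})
    for e in entries:
        s = summary[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if e["path"].startswith("/admin"):
            s["admin"] = True
    return dict(summary)


def admin_visitors(text):
    """Sorted list of client IPs that requested anything under /admin."""
    return sorted(ip for ip, s in summarize_by_ip(parse_log(text)).items() if s["admin"])


def login_post_flood(text, threshold=3):
    """Sorted list of client IPs with at least `threshold` POSTs to the login page."""
    counts = defaultdict(int)
    for e in parse_log(text):
        if e["method"] == "POST" and e["path"].startswith("/login"):
            counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, s in sorted(summarize_by_ip(parse_log(SAMPLE_LOG)).items()):
        note = "  <-- admin area" if s["admin"] else ""
        print(f"{ip:16} {s['requests']:3d} requests  paths={sorted(s['paths'])}{note}")
    print("admin visitors:", admin_visitors(SAMPLE_LOG))
    print("login POST flood:", login_post_flood(SAMPLE_LOG))
```

Separating "who hit the admin pages" from "who flooded the login form" matters in practice: the noisy login traffic is what draws the eye, while the single client quietly reading the admin area is the one worth pivoting on, exactly as the writeup found.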


Recon 2

1) Contact form

   We continue using the material we gathered in Recon 1.
   On the site with the flag, dynamiclock.pw, there is a contact form.


   Filling this out, we get an email with headers that contain a suspicious IP address 162.243.7.88.

2) Accessing the site

   The IP we found in the email resolved to a simple directory listing of three files,
   one of which was a contact card, "dynamicWarl0ck.vcf".

3) Contact card username

   Using the username found on the contact card, we check popular sites for accounts with a matching username.
   We finally find the user's account on GitHub, only to discover that the user has moved everything to Bitbucket.

4) Bitbucket search

   We go to the Bitbucket account under the same dynamicWarl0ck username.
   The user has one repository, dynamics, with a single commit.
   Looking closer at this commit, we get the flag.
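Step 1 of Recon 2 turns on reading the Received: chain of the reply to the contact form, where the first hop exposes the address of the host that actually sent the mail. The script below is an added example, not part of the original writeup or of the challenge material: it parses a raw message with the standard library's email module, puts the Received: hops back into transit order (MTAs prepend the header, so the one nearest the body is the oldest), and pulls the bracketed sending-host IP out of each hop. The message in SAMPLE_EMAIL is constructed; the 162.243.7.88 address and the dynamiclock.pw domain come from the writeup, while the other hostnames, IDs and timestamps are assumptions.

```python
import re
from email import message_from_string

# Constructed message (not the email actually received in the challenge).
# Continuation lines begin with whitespace, which is how RFC 5322 headers fold.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
    by mail.recipient.example (Postfix) with ESMTPS id 4F2A1
    for <victim@recipient.example>; Sat, 14 Nov 2015 10:15:02 +0000 (UTC)
Received: from dynamiclock.pw (unknown [162.243.7.88])
    by mx.example.net (Postfix) with ESMTP id 9C1D3
    for <victim@recipient.example>; Sat, 14 Nov 2015 10:15:01 +0000 (UTC)
From: Contact form <info@dynamiclock.pw>
To: victim@recipient.example
Subject: Thanks for contacting us
Message-ID: <constructed-id@dynamiclock.pw>

Thank you for your message.
"""

# MTAs conventionally write the connecting host's address in square brackets.
BRACKETED_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Received: headers in transit order (oldest hop first), folding removed.

    Each MTA prepends its own Received: line, so the header that appears last
    in the message is the first hop the message took.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(headers)]


def hop_ips(raw_message):
    """Bracketed IPv4 address of the sending host for each hop, oldest first.

    A hop without a bracketed address yields None rather than being dropped,
    so positions stay aligned with received_hops().
    """
    ips = []
    for hop in received_hops(raw_message):
        m = BRACKETED_IPV4_RE.search(hop)
        ips.append(m.group(1) if m else None)
    return ips


def originating_ip(raw_message):
    """Address of the host that first handed the message in, or None."""
    ips = hop_ips(raw_message)
    return ips[0] if ips else None


if __name__ == "__main__":
    for n, (hop, ip) in enumerate(zip(received_hops(SAMPLE_EMAIL), hop_ips(SAMPLE_EMAIL)), 1):
        print(f"hop {n}: {ip}\n    {hop}")
    print("originating host:", originating_ip(SAMPLE_EMAIL))
```

Two caveats a practitioner would keep in mind. Only the Received: lines added by your own mail infrastructure are trustworthy; anything below them was written by the sender's side and can be forged, so the oldest hop is a lead, not proof. And from the site owner's perspective this is a disclosure worth noting: a web application that sends contact-form replies directly from its own host puts that host's address into every recipient's headers, which is exactly what made the pivot in this challenge possible.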

Flag:

Files:

LOG FILES