Welcome to Mark's blog for Capture The Flag (CTF) enthusiasts

Sunday, June 12, 2022

CTF Writeup: SEETF Batnet Part 1

Singaporean CTF team Social Engineering Experts just hosted their first Capture The Flag (CTF) competition. There were a number of great Open Source Intelligence (OSINT) challenges. 

Most CTF writeups do a great job showing you the tools, tricks and techniques used to find the flag. However, lots of learning also happens by trial and error. Let's face it, no CTF experience is complete without some head-scratching, brow-creasing moments where you and your team are completely stuck.

Therefore, I present you the first capture-your-own-flag CTF writeup. 

Click on the links below to select an action. You will see the outcome appear at the bottom of the screen. Be warned: each action costs you a little bit of your sanity. Will you succeed in finding the flag, or will Batnet 1 take over your mind? Choose wisely! 

Author: Mythiology

"With so many people starting to use the Internet, Master Wayne has also joined in the fun. He has been fixated on using all kinds of online accounts not just for leisure, but also for monitoring and surveillance as part of his new artificial intelligence project. For Master Wayne's own safety and as my position as his butler, I need your help to find all of his accounts that use the username  1mn0tb4tm4m." ~ Alfred

Note: There are 4 flag fragments to find. There are also limited attempts to this challenge so do not try to bruteforce the flag.
Basically, there are four parts of a flag that you have to find. Each one is located on a social media account with the username 1mn0tb4tm4m.

You mess around with some of the other challenges, download a few binaries to disassemble, take a look at the ciphers. But something about the Batnet challenge keeps gnawing at you. Surely it can't take too long to find all four parts.

You open a ticket, and one of the organizers is nice enough to clarify that yes, you should only look for accounts that match the username exactly. So much for that idea.

Sherlock (https://github.com/sherlock-project/sherlock) is a nice CLI tool for these kinds of challenges. Unfortunately, this time you get only two correct results, Instagram and GitHub.

The OSINT Framework (https://osintframework.com/) is a huge collection of tools you can use. Perhaps the Username Search Engines section will help you find 1mn0tb4tm4m.

One of your teammates has also been working on this challenge. He has two fragments, from Instagram and GitHub. You tell him that you'll keep looking.

NameChk gives you one good hit for GitHub. Flag fragment found! Couple of false leads, too.

NameCheckr tells you a bit about the 1mn0tb4tm4m domains you could register, if you wanted to. GitHub account pops up, there's a flag fragment there. A hit for TikTok too, that's cool. A couple of red herrings, but most of those accounts have been deleted.

Instant Username Search seems to give the best results. Instagram, TikTok AND GitHub all returned. You go through the rest of the results to see if you missed anything, but no dice. The fourth fragment has eluded you.

Quite a few groups are tackling this challenge, most of them seem stuck on the second and fourth flag fragments. Once in a while, someone makes a breakthrough, leaving their frustratingly cryptic thoughts on the challenge.

One of the sponsors, N0H4Ts, is running a short cybersecurity trivia competition. The first person to answer each question gets some special stickers. Feeling that a little more Googling can't possibly hurt at this point, you decide to answer a question.

Fingers shaking with excitement, you go to the Discord search bar and execute the search. There is a user! And their profile has a base64-encoded chunk. Could this be it, or is it another red herring? (Spoiler alert: the base64 decodes to the fourth flag fragment. Yay, you did it!)
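The decoding step above, as an added example that is not part of the original post: a small triage helper that scans profile text for base64-looking chunks, tolerates missing padding and the URL-safe alphabet, and keeps only chunks that decode to printable ASCII, so that ordinary words which happen to be valid base64 are dropped. The function names, the sample bio and the fragment text are all constructed for illustration; the real flag is not reproduced here.

```python
import base64
import binascii
import re
import string

# Runs of base64 / base64url alphabet, optionally padded. Short runs are
# skipped because almost any short word is "valid" base64.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def try_decode(token):
    """Return decoded text if token is base64 yielding printable ASCII, else None."""
    core = token.rstrip("=").replace("-", "+").replace("_", "/")
    if len(core) % 4 == 1:  # no byte string encodes to this length
        return None
    padded = core + "=" * (-len(core) % 4)  # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_fragments(profile_text):
    """Return (token, decoded) pairs for every plausible base64 chunk."""
    hits = []
    for match in TOKEN_RE.finditer(profile_text):
        decoded = try_decode(match.group(0))
        if decoded is not None:
            hits.append((match.group(0), decoded))
    return hits


# Constructed sample bio; the fragment text is made up, not the SEETF flag.
SAMPLE_BIO = "night owl | definitely_not_a_vigilante | ZnJhZ21lbnRfNF9leGFtcGxl | gotham"

if __name__ == "__main__":
    for token, decoded in find_fragments(SAMPLE_BIO):
        print(f"{token} -> {decoded}")
```
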

Closing Thoughts
From a challenge creator's point of view, there were several elements of Batnet 1 that really stood out to me.

First of all, the premise and story behind the challenge were both believable and exciting, which isn't easy to do. Searching by username to discover a person's online presence is often done when a malicious hacker starts making attacks, or when someone goes missing. Quite naturally, I found myself building up a profile of the user behind the accounts, storing tidbits of info I found on each website.

Secondly, splitting the flag into fragments is a challenge mechanic that I'm starting to see more often. It definitely makes the solving process more realistic, especially for an open-ended discipline like information gathering. 

I like using this to chain several steps together and take players through a story or narrative. However, with Batnet 1, you could find the flags in any order. This non-linear solution meant that every person found the flag through their own unique process. (With varying levels of sanity loss along the way, heh heh.)

Lastly, the organizers also managed to spin up a cool flag validator service halfway through the competition. You could submit each flag fragment, and find out if there were any mistakes. Especially helpful since the submission website only allowed 10 attempts.

Credit to the Social Engineering Experts team for hosting this event, and to Mythiology for creating this amazing challenge. See you at SEETF 2023!