This weekend we competed in Defcon 31's Recon Village CTF. As team "AtomicChonk" we came in second place and wanted to share some of our legwork on the challenges.
Please be aware that some of the challenges I'll cover involve real personas and therefore should be handled accordingly. Screenshots will be redacted for that purpose.
Philip's Fremont Street Birthday
Challenge prompt: Philip celebrated his birthday on Fremont Street on 5th July - how old is he?
For this, a simple Google query worked.
The second Google search result comes up with:
Clicking on the link with a valid Instagram account (or a sock puppet) will lead you to Philip's Instagram page. Scrolling through recent photos eventually winds up at the one with the above caption on July 5th.
Cecilia Lima's Password
Challenge prompt: Cecilia Lima has been breached...what's her password?
Solution: This was another Google success. Here you want to think about possible email/username combinations and search for things like "PasteBin" (where leaked credentials are typically hosted/stored) and "password" or "email."
"cecilialima" pastebin email
From there you will see a result and don't even have to click on the link:
Joe's First Sprint Triathlon
Challenge prompt: Joe finished the Snowdonia trail marathon in 7hrs 23 minutes. What was his race number for his first sprint tri?
Solution: This required a mild amount of thread pulling. First we look up the results of the 2023 Snowdonia Trail Marathon. We know that Joe finished in 7:23 so we look around that time frame.
Clicking on the photo on the right brings up images of Joe, which would allow you to confirm you have the correct social media profile in the next steps.
Looking up "joe phillips" on Instagram brings up a social media profile that matches the race photos.
Clicking on the profile and scrolling down, you find the following post with the flag:
Challenge prompt: We are hexapps. We build apps for others. We are quite new and do not have an old footprint. Visit our website for more info: https://hexapps.xyz
Solution: The hint here is the reference to the domain age. There's an online website archive called the Wayback Machine that will take snapshots of websites over time and store them for future reference.
We went to the Wayback Machine and saw there were snapshots from August 5th for the domain provided.
We pivoted to the URLs link and selected the "index.html" URL on the second page. We thoroughly scoured that snapshot of the page and found the flag in the FAQs section:
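Archived snapshots keep serving text after it has been removed from the live site, which is what this challenge relied on. The following is an added example (not part of the original write-up) for auditing what the Wayback Machine holds for a domain you own: it summarizes the JSON returned by the archive's CDX API (`https://web.archive.org/cdx/search/cdx?url=<domain>/*&output=json`). The sample rows, the `example.test` domain and the function name `summarize_captures` are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample of Wayback CDX API output (output=json): the first row is
# the header, the rest are captures. Domain, timestamps and digests are made up.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["test,example)/", "20230805101500", "https://example.test/", "text/html", "200", "AAAA", "2100"],
    ["test,example)/index.html", "20230805101612", "https://example.test/index.html", "text/html", "200", "BBBB", "5300"],
    ["test,example)/index.html", "20230809070001", "https://example.test/index.html", "text/html", "200", "CCCC", "4100"],
    ["test,example)/old", "20230805101700", "https://example.test/old", "text/html", "404", "DDDD", "300"],
])


def summarize_captures(cdx_json):
    """Group successful captures by URL and flag pages whose content changed."""
    rows = json.loads(cdx_json)
    if not rows:                      # the API returns [] when nothing is archived
        return {}
    header, captures = rows[0], rows[1:]
    grouped = {}
    for row in captures:
        rec = dict(zip(header, row))
        if rec["statuscode"] != "200":   # skip errors and redirects
            continue
        entry = grouped.setdefault(rec["original"], {"timestamps": [], "digests": set()})
        entry["timestamps"].append(rec["timestamp"])
        entry["digests"].add(rec["digest"])
    report = {}
    for url, entry in grouped.items():
        first = min(entry["timestamps"])  # 14-digit timestamps sort chronologically
        report[url] = {
            "first_seen": datetime.strptime(first, "%Y%m%d%H%M%S").date().isoformat(),
            "captures": len(entry["timestamps"]),
            # More than one digest means the archived content differs between captures.
            "content_changed": len(entry["digests"]) > 1,
            # Replay URL of the oldest capture, the one to review for removed text.
            "oldest_replay": f"https://web.archive.org/web/{first}/{url}",
        }
    return report


if __name__ == "__main__":
    for url, info in summarize_captures(SAMPLE_CDX).items():
        print(url, info)
```

Pages reported with `content_changed` set are the ones worth diffing between captures, since anything edited out of the live page may still be readable in the older snapshot.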
Cambodian Cycle Cafe
Challenge prompt: There is a cycle cafe in Cambodia that I just visited. How many Riels did I pay to get my bike cleaned?
Solution: Googling "Cambodia cycle cafe" brings up the following:
Clicking on the page, we don't really see any specific details about the cost of bike cleanings but can confirm that this establishment does perform them. Continuing to scroll, we see a profile whose posts reference the cafe:
Clicking on the profile we see that the individual is the CEO of Vicious Cycle and links a Cambodian instance of the Vicious Cycle Cafe page:
If we pivot to that page, we find our answer:
HexApps Tech Guy WhatsApp
Challenge prompt: Our HexApps tech guy can be reached at whatsapp, can you contact him? He might help you with something. Please note, he works for few hours only.
Solution: We need to figure out who the HexApps tech guy is. Oftentimes, domain registrations provide information on persons associated with website maintenance, so performing an ICANN WHOIS lookup on the website gave us a lead:
Under "technical," we find an entry with a phone number:
When you message that number on WhatsApp, you get a response saying the following:
Thank you for your message. I have moved aways from WhatsApp because this does not allow any bots. Find me on Telegram! #LoveBots
Messaging the same phone number on Telegram didn't get a response until specifically at 10:11 PST, which lines up with the "clock" logo on the village's badge. The message read:
You are close. Find the "bot" on Telegram. Talk to the bot.
Remember that Kunal is the tech guy for HexApps? Search for "HexApps" on Telegram and a bot comes up. Interact with the bot as you would with other Telegram bots (this we figured out using Google). "/start" was responded to with a greeting. I replied to the greeting and received the flag.
Thank you for contacting HexApps. Here is the flag:[flagvalue]
Thank you to the organizers of this event, we absolutely enjoyed the thought-provoking challenges and the opportunity to put our skills to the test. Also, congratulations to Pinja on his first place victory and to Pheonix for their third place standing as well! Lastly, thanks to all of those who let us "rubber ducky" and soundboard through some of the challenges as we worked them!