# OLD Times (OSINT)
## Challenge description
There are rumors that a group of people would like to overthrow the communist party. Therefore, an investigation was initiated under the leadership of Vlaicu Petronel. Be part of this ultra secret investigation, help the militia discover all secret locations and you will be rewarded.
Author: FeDEX
CoAuthor: Legacy
## Solution
- The first lead we noticed in the challenge description was the name Vlaicu Petronel. We decided to Google him, and found his Twitter account @PetronelVlaicu.
- We noticed a few interesting points on the account and tried to investigate them:
  - He follows only one person (@nicolaeceausesc). That profile seemed legitimate and did not bring additional clues.
  - The pinned photo turned out to be the flag of the Socialist Republic of Romania during 1965-1989. We tried searching for the image using Google Reverse Image Search and TinEye, and also extracted the image's metadata to look for hidden details. These searches did not bring any relevant information.
- Since we were told this is an ultra secret investigation, and due to the lack of clues in the Twitter account itself, we decided to use the Wayback Machine to search for archived versions of the account. There we found two tweets that had not appeared before:
  - We tried following the lead 1XhgPI0jpK8TjSMmSQ0z5Ozcu7EIIWhlXYQECJ7hFa20. At first we tried to decode it as base64 and searched for it in several search engines. Then we used CyberChef to analyze the string and check whether it matched a well-known hash format. These methods did not produce relevant results.
- While collaborating between all team members, we opened a Google Doc and noticed a resemblance between the document identifier format and the tweeted string. By entering the string in the Google Docs URL, we reached a document containing a report about Lovesco Marian.
- The report stated that the target's nickname is E4gl3OfFr3ed0m, and that he used a "free and open platform". Since he is an IT programmer, we immediately suspected that he uses GitHub, and indeed we located his account.
- The account only had one repository named “resistance”, which included two files: a picture of the Romanian flag, and a README file, which did not seem to contain useful information at first. However, when checking the raw version of the README file, we noticed the commented address http://138.68.67.161:55555.
- When viewing the commits to this project, we noticed that the target had deleted a file called "spread_locations.php" that provided access to a file called "locations.txt". That matched the information in the Google Doc, which said the target deleted his work a few days ago. Since we were looking for secret locations, and the commit that added this file was named "top secret", we knew we were on the right track.
- Combining the above and inspecting the PHP content, we understood that we could fetch all coordinates using the following URL format: http://138.68.67.161:55555/spread_locations.php?region=N (where N is an integer in the range [0,128]).
- We created a CSV file containing the locations and imported it into Google Maps to plot all of them on one map. Together, the locations spelled out the term "HARD TIMES" over Romania, and this turned out to be the flag for this challenge: HackTM{HARDTIMES}
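The collection step described above, as an added example that is not part of the original writeup: it walks every region of the spread_locations.php endpoint, validates each coordinate, and emits a CSV that Google My Maps can import. The endpoint URL and region range are from the writeup; the response format (one "lat,lon" pair per line), the offline sample responses, and the function names are assumptions made for this example.

```python
import csv
import io
import urllib.request

# Endpoint pattern from the writeup; regions run over [0, 128].
BASE_URL = "http://138.68.67.161:55555/spread_locations.php?region="
REGIONS = range(0, 129)

def parse_coordinates(body):
    """ASSUMPTION: one 'lat,lon' pair per line (the real format is not given)."""
    points = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        lat, lon = (float(v) for v in line.split(",", 1))
        # Reject anything outside WGS84 bounds so junk never reaches the map.
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"coordinate out of range: {line}")
        points.append((lat, lon))
    return points

def collect_locations(fetch):
    """Query every region with the given fetcher; return (region, lat, lon) rows."""
    rows = []
    for region in REGIONS:
        for lat, lon in parse_coordinates(fetch(f"{BASE_URL}{region}")):
            rows.append((region, lat, lon))
    return rows

def to_google_maps_csv(rows):
    """Google My Maps imports a CSV with a name column plus latitude/longitude."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "latitude", "longitude"])
    for region, lat, lon in rows:
        writer.writerow([f"region-{region}", lat, lon])
    return buf.getvalue()

def live_fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample responses so the script runs offline; swap in live_fetch
# to query the challenge server.
SAMPLE = {f"{BASE_URL}0": "45.9432,24.9668\n46.7712,23.6236\n",
          f"{BASE_URL}1": "44.4268,26.1025\n"}

def offline_fetch(url):
    return SAMPLE.get(url, "")
```

Write the result of to_google_maps_csv(collect_locations(live_fetch)) to a file and import it as a layer in Google My Maps to reproduce the plot.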
### Last remarks
The challenge required us to think outside the box and come up with creative ways to work with the leads we found. We took advantage of the multidisciplinary nature of our team, combining technology and intelligence experts, to derive insights and reach the challenge's goal.