
Impossible Pen Test - DawgCTF


The team at UMBC put on a great CTF over the Easter weekend of 2020. This CTF had a set of problems that you don't see too often. Many CTFs have you do OSINT/recon-type challenges over the real Internet, but the UMBC Cyber Dawgs built their own "internet" for us to use for these challenges.

“The Internet”

All five challenges were based on the "Internet" at https://theinternet.ctf.umbccd.io/ with a simple "Froogle" homepage.

As you can see, they had three different services you could search: a professional social-media site, a casual social-media site, and a data-breach search (their versions of LinkedIn, Facebook, and HaveIBeenPwned). The social sites can be searched by a person's name, but you need some other piece of data (an organisation name, for example) to search the breaches.

The Target

All the problems were focused around a penetration test of "Burke Defense Solutions and Management." Their homepage is also reachable from the Froogle site: https://theinternet.ctf.umbccd.io/burkedefensesolutions.html

The Challenges

OK, let's find out everything we can about Burke Defense.

Problem 1 - 50 points

So, an affiliate company's CEO. Let's see which people we can learn about from the Burke Defense homepage. Scrolling down, we see a message from the CEO of Burke Defense thanking some affiliates.

OK, we have five names now: the BDSM (let's not use that acronym) CEO and four affiliate CEOs. Looking up each on both SyncedIn and FaceSpace, we find out a few things about them.

| Name | Email | Employer | Other names |
|---|---|---|---|
| Truman Gritzwald | trumangritzwaldwix@fragile.com | CEO - Burke Defense Solutions & Management | Spouse: Trudy Gritzwald; Corporate colleague: Madalynn Burke; CFO: fired, unnamed; CTO: Isabela Baker |
| Todd Turtle | oxmf1yyzeka@sticky.com | Combined Dumping & Co | Spouse: Lauryn Turtle; Hotel: Charriott International |
| Mohamed Crane | cranemohameduuddyq@wemail.cc, mohamedc@chubby.com | Babysitting, LLC | Spouse: Kevin Crane; Parent: Zachary Crane; Grandparent: Truman Booker; Hotel: Charriott International |
| Sonny Bridges | bseok@parcel.com | Oconnell Holdings | Hotel: Charriott International |
| Emery Rollins | rollinsemery@wemail.com, emeryrdzbiu@shy.com | Combined Finance, Engineering, Scooping, Polluting, and Dumping, Incorporated | Sibling: Iyana Rollins; Hotel: Charriott International |

So three of the affiliate CEOs mention that they stay at Charriott International, and on FaceSpace the fourth (Emery Rollins) posts the following message.

OMG just found out about the charriottinternational data breach repo!

So, let's go see if we can search that breach data for Charriott International. Sure enough, over 39,000 email addresses and passwords are found when searching the data breaches for "charriottinternational". The dump was originally found here on the CTF site, but you can now find it here locally. With some command-line kung fu and a simple list of the affiliate emails, we can look for leaked passwords of interest.

$ cat affilate_emails.txt
oxmf1yyzeka@sticky.com
cranemohameduuddyq@wemail.cc
mohamedc@chubby.com
bseok@parcel.com
rollinsemery@wemail.com
emeryrdzbiu@shy.com

$ for email in $(cat affilate_emails.txt); do grep -F -- "$email" charriottinternational.txt; done
bseok@parcel.com        fr33f!n@nc3sf0r@ll!

So Sonny Bridges had his password included in the Charriott International data breach. We now try to log in to the Burke Defense website with those credentials.

We get back the following message: Success! DawgCTF{th3_w3@k3s7_1!nk}


Problem 2 - 50 points

OK, now we need to find a disgruntled former employee. We saw that Truman mentioned a fired CFO, so that might be who we are looking for, but we cannot search by title. So let's look at the other two current (or maybe former) Burke Defense employees we know from Truman's post (Madalynn Burke and Isabela Baker).

Using both SyncedIn and FaceSpace, we complete a table of information as before:

| Name | Email | Position at Burke Defense | Other names |
|---|---|---|---|
| Madeylnn Burke | 5eh9rn@trap.io | CISO (left Jan 2020) | Grandchild: Fernando McMahon; Child: Madalynn Burke; Company: Spot (data breach); CTO: Royce Joyce |
| Isabela Baker | bisabelagjd9v1@fml.com, bisabela@salty.com, isabelabakerl4@wemail.com, isabelabakerqj1hc@yam.com, isabelabo9y6f@advertisement.gov, ibakerq6z6u4@trick.tk | CTO (current) | Complicated: Drew Green; Company: Spot (data breach) |

Some interesting things about these two individuals. First of all, Madeylnn is a former employee but does not post anything to make us think she is disgruntled. In fact, a few days before her departure, Truman posts about a great meeting. So I don't think she is our employee.

But we do get the name of another Burke Defense employee and find two mentions of another data breach. Royce Joyce is mentioned as the CTO, so he will be useful for finding additional employees. The company Spot has suffered a data breach with another 43,000 emails and passwords. The Spot file could originally be found here but can now be found locally here.

We can start a file for current or past Burke Defense employee email addresses so we can search for leaked passwords.

$ cat burke_emails.txt
trumangritzwaldwix@fragile.com
5eh9rn@trap.io
bisabelagjd9v1@fml.com
bisabela@salty.com
isabelabakerl4@wemail.com
isabelabakerqj1hc@yam.com
isabelabo9y6f@advertisement.gov
ibakerq6z6u4@trick.tk

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" spot.txt; done
5eh9rn@trap.io	C1S0!sN0C70
bisabela@salty.com	H0ld1ng5!sN0So1u7i0n5

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" charriottinternational.txt; done

So we have found more dumped credentials for two people of interest (the former CISO and the current CTO, Isabela Baker), but luckily for them (unluckily for us), those are not valid for the Burke Defense homepage.

Let's gather some information about Royce Joyce now from SyncedIn and FaceSpace.

| Name | Email | Position at Burke Defense | Other names |
|---|---|---|---|
| Royce Joyce | roycejoyce@wemail.net, jr7lp@homeschool.com | CTO (present) | Company: skayou (data breach); The team: Carlee Booker, Lilly Lin, Damian Nevado, Tristen Winters, Orlando Sanford, Hope Rocha, Truman Gritzwald |

Wow… thanks Royce! Six more new members of the team and another data breach.

| Name | Email | Position at Burke Defense | Other names |
|---|---|---|---|
| Tristen Winters | wintersttd@flow.com | Chief Information Security Officer (current) | Ignore: Rudy Grizwald |
| Lilly Lin | ll0v@gullible.cc | Windows Admin (June 2019) | Relative: Isaias Lin |
| Damian Nevado | dnevadoame@homeschool.com | Expert in Cryptocurrency (left Aug 2019) | Relative: Caleb Nevado |
| Hope Rocha | hrocha@thread.com | Linux Admin (left Aug 2019) | Relative: Zaria Mcintosh; New Linux Admin at Burke: Guillermo McCoy |
| Carlee Booker | cbookerq3j@wemail.edu, bookerc7qfz@homeschool.com | Security Analyst (left Sep 2019) | Mollie Page; Relative: Todd Meyer |
| Orlando Sanford | osk52hx@fml.com | Help Desk Worker (current) | Relative: Dwayne Sanford; Relative: Alexus Cunningham |

We have two new names from the Burke Defense employees above that are not family relationships: a new Linux Admin, Guillermo McCoy, being welcomed to the team by Hope Rocha, and Rudy Grizwald, whose messages Tristen Winters tells everyone to ignore.

First, let's get the information about Guillermo; it may be useful in the future (spoiler alert: it will be).

| Name | Email | Position at Burke Defense | Other names |
|---|---|---|---|
| Guillermo McCoy | mccoyggwe3@yam.com, 2jabjj5mm3m@stupid.io, gm5f@judicious.com, guillermomm3rcr@homeschool.com, mguillermo@wemail.cc | Linux Admin (current) | Spouse: Kenny McCoy |


Now let's go see what Rudy actually said on (I assume) FaceSpace.

And this lines up with the date when Truman announced the firing and with Rudy's job history on SyncedIn.

As the prompt said, the URL would be the flag, and both the SyncedIn and FaceSpace URLs for Rudy Grizwald end with DawgCTF{RudyGrizwald}, so part 2 is complete.

Interlude

Before we move to the third challenge, let's bring our list of former and current Burke Defense employees up to date and check it against the data breaches.

The data breach at Skayou was originally here and now is here.

Updating our Burke email list and comparing it against all three data breaches, we see:

$ cat burke_emails.txt
mccoyggwe3@yam.com
2jabjj5mm3m@stupid.io
gm5f@judicious.com
guillermomm3rcr@homeschool.com
mguillermo@wemail.cc
5eh9rn@trap.io
bisabela@salty.com
bisabelagjd9v1@fml.com
bookerc7qfz@homeschool.com
cbookerq3j@wemail.edu
dnevadoame@homeschool.com
hrocha@thread.com
ibakerq6z6u4@trick.tk
isabelabakerl4@wemail.com
isabelabakerqj1hc@yam.com
isabelabo9y6f@advertisement.gov
jr7lp@homeschool.com
ll0v@gullible.cc
osk52hx@fml.com
roycejoyce@wemail.net
trumangritzwaldwix@fragile.com
wintersttd@flow.com
grudyx8lnhv@foamy.mil

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" charriottinternational.txt; done

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" spot.txt; done
5eh9rn@trap.io	C1S0!sN0C70
bisabela@salty.com	H0ld1ng5!sN0So1u7i0n5

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" skayou.txt; done
roycejoyce@wemail.net	c0r^3cth0rs3b@tt3ryst@p\3

It appears the CTO's (Royce Joyce's) password has been leaked, and it still works, but we will come back to that below.
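The grep loops used in Problem 1, Problem 2 and this interlude do the job, but a bare `grep email dump` is a substring regex match: `bseok@parcel.com` would also match `abseok@parcel.com`, the dots match any character, and with several dumps you have to remember which file each hit came from. As an added example (my own, not part of the original writeup), the same cross-referencing with awk: each target address is compared exactly and case-insensitively against the email field of every dump given, and each hit is printed with the dump it was found in. The dumps are assumed to be one `email<TAB>password` record per line, as the CTF files were; the target list and dump files below are constructed sample data, not the CTF's.

```shell
# Added example, not from the original writeup. Assumes breach dumps are
# tab-separated "email<TAB>password" records, one per line.
set -eu

# Constructed sample inputs (not the CTF data) in a scratch directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/targets.txt" <<'EOF'
alice@example.com
bob@example.org
EOF
# dump_a contains one real hit and one substring look-alike (xalice@...)
printf 'alice@example.com\tpassword1\nxalice@example.com\tnotours\n' > "$WORK/dump_a.txt"
# dump_b contains a hit whose address differs only in case
printf 'Bob@Example.org\thunter2\ncarol@example.net\tqwerty\n' > "$WORK/dump_b.txt"

# find_leaks TARGETS DUMP...
# Prints "dump<TAB>email<TAB>password" for every dump record whose first
# field equals (ignoring case) an address in TARGETS. Whole-field comparison
# avoids the substring hits a plain grep gives, and no regex is involved, so
# dots and other metacharacters in the address are taken literally.
find_leaks() {
    targets=$1; shift
    awk -F'\t' -v OFS='\t' '
        NR == FNR { if ($1 != "") want[tolower($1)] = 1; next }
        tolower($1) in want { print FILENAME, $1, $2 }
    ' "$targets" "$@"
}

find_leaks "$WORK/targets.txt" "$WORK/dump_a.txt" "$WORK/dump_b.txt"
```

Running the script prints two lines, one per dump: the alice record from dump_a and the Bob record from dump_b; the xalice look-alike and carol are not reported. Add more dump files to the end of the `find_leaks` call to check all of them in one pass.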


Problem 3 - 100 points

The effort put in above to enumerate all the Burke employees pays off here. We have already seen a help desk worker.

| Name | Email | Position at Burke Defense | Other names |
|---|---|---|---|
| Orlando Sanford | osk52hx@fml.com | Help Desk Worker | Relative: Dwayne Sanford; Relative: Alexus Cunningham |

On the help desk employee's FaceSpace page we see they are married to Dwayne Sanford and that their mom has a cat which she likes to throw out the window.

The mom's name is Alexus Cunningham, and both her SyncedIn and FaceSpace account URLs end with DawgCTF{AlexusCunningham}.


Problem 4 - 100 points

Having followed all the threads above, we know of two Linux Admins at Burke Defense. Hope Rocha moved on as of August 2019, and Guillermo McCoy is currently employed.

Guillermo's page URLs end with DawgCTF{GuillermoMcCoy}.


Problem 5 - 100 points

Oh yeah, the CTO's password. We have already seen this:

$ for email in $(cat burke_emails.txt); do grep -F -- "$email" skayou.txt; done
roycejoyce@wemail.net	c0r^3cth0rs3b@tt3ryst@p\3

So let's see if it works on the Burke Defense homepage.

Sure enough. Last flag: DawgCTF{xkcd_p@ssw0rds_rul3}

Notes:

Apart from the URLs for the individuals that were flags, the profile URLs end with DogeCTF{FirstLast}. As Doge is the Internet meme dog (or dawg), that is pretty funny. Well played, UMBC Cyber Dawgs, well played!
