At this year's Insomni’hack there was a fun Recon / OSINT challenge named “Who’s your daddy?”. The participant was presented with a login page and had to reset the password of the page owner. On the login page the user was able to:
- Login with username / password
- Insert a username in order to send a password reset link to the registered mail
- Reset the password by answering different secret questions
Clicking on the “Password Reset through secret question” link, the participant had to insert a valid username. With some basic guesswork, we found that “admin” was the user we were looking for. After inserting the username, the first secret question was shown: “What is your real name?”.
Clicking on the “Send password reset” link, the participant also had to provide a valid username. After inserting the “admin” username, the following message was disclosed to the user: “The password reset link was sent to mail address admin@swyberdyne.ch”
Looking up the domain swyberdyne.ch with the whois service disclosed the real name of the admin, and therefore the answer to the first secret question: Drunkelvore Sparklenose

```
$ whois swyberdyne.ch
Domain name:
swyberdyne.ch

Holder of domain name:
Swyberdyne Systems
Drunkelvore Sparklenose
Super secret location
CH-1028 Somewhere
Switzerland
Contractual Language: French
```
After the first secret question was answered correctly, a second question was asked: “What is the name of your best friend?”
Searching Facebook for the profile of “Drunkelvore Sparklenose”, we found a profile that had only one friend, Johnny Tramvelan, whose name was the correct answer to the second question.
A third and last question was asked to the user in order to be able to reset the password: “What is the street name where you grew up?”
Searching on LinkedIn for “Drunkelvore Sparklenose”, we found a matching profile which disclosed the URL of a personal blog.
Accessing the blog, a picture was shown to the user:
The picture contained GPS coordinates embedded in its EXIF data, which disclosed the exact location where “Drunkelvore Sparklenose” grew up: Ave de Ngamaba. Inserting this as the last answer, we were able to change the password of the page administrator and capture the flag INS{2_Much_infofm4tion!}
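The final step relies on a photo still carrying its GPS tags. To show how those coordinates are actually stored and how one can check an image for them before publishing it, here is an added Python example (not part of the original writeup, and not the challenge photo): it builds a minimal EXIF/TIFF blob containing only a GPS IFD with constructed coordinates, then parses it back, converting the degrees/minutes/seconds rationals into decimal degrees. Tag numbers and data types are the standard EXIF ones; the sample coordinates and the `build_sample_exif` helper are constructed for this demonstration.

```python
import struct

# Standard EXIF/TIFF tag numbers and field types
TAG_GPS_IFD = 0x8825                      # pointer from IFD0 to the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a little-endian TIFF blob whose only content is a GPS IFD.
    In a real JPEG this blob follows the 'Exif\\0\\0' marker inside the APP1 segment."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4            # IFD0 holds one 12-byte entry + next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD holds four entries + next-IFD pointer
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 1)
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    ifd0 += struct.pack("<I", 0)

    def rationals(dms):  # three RATIONALs (numerator/denominator) for deg, min, sec
        return b"".join(struct.pack("<II", int(v * 10000), 10000) for v in dms)

    lat_bytes, lon_bytes = rationals(lat_dms), rationals(lon_dms)
    gps = struct.pack("<H", 4)
    # ASCII refs are 2 bytes, so they fit inline in the 4-byte value field
    gps += struct.pack("<HHI4s", GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    gps += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, data_off)
    gps += struct.pack("<HHI4s", GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    gps += struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, data_off + len(lat_bytes))
    gps += struct.pack("<I", 0)
    return header + ifd0 + gps + lat_bytes + lon_bytes


def read_ifd(blob, off, end):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for the IFD at off."""
    n = struct.unpack(end + "H", blob[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", blob[e:e + 8])
        entries[tag] = (typ, count, blob[e + 8:e + 12])
    return entries


def extract_gps(blob):
    """Return (latitude, longitude) in decimal degrees, or None if the blob has no GPS position."""
    end = {b"II": "<", b"MM": ">"}.get(blob[:2])   # byte order mark: Intel or Motorola
    if end is None or struct.unpack(end + "H", blob[2:4])[0] != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0_off = struct.unpack(end + "I", blob[4:8])[0]
    ifd0 = read_ifd(blob, ifd0_off, end)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_off = struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])[0]
    gps = read_ifd(blob, gps_off, end)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def dms_to_decimal(tag, ref_tag):
        typ, count, field = gps[tag]
        if typ != TYPE_RATIONAL or count != 3:
            raise ValueError("unexpected GPS coordinate encoding")
        off = struct.unpack(end + "I", field)[0]     # 24 bytes of data never fit inline
        parts = []
        for i in range(3):
            num, den = struct.unpack(end + "II", blob[off + 8 * i:off + 8 * i + 8])
            if den == 0:
                raise ValueError("zero denominator in GPS rational")
            parts.append(num / den)
        deg, minutes, seconds = parts
        value = deg + minutes / 60 + seconds / 3600
        ref = gps[ref_tag][2][:1].decode("ascii", "replace")
        return -value if ref in ("S", "W") else value   # south / west are negative

    return dms_to_decimal(GPS_LAT, GPS_LAT_REF), dms_to_decimal(GPS_LON, GPS_LON_REF)


if __name__ == "__main__":
    sample = build_sample_exif((46, 31, 12.0), "N", (6, 34, 48.0), "E")  # constructed values
    print(extract_gps(sample))
```

A non-`None` result from `extract_gps` is the check a publishing pipeline wants before an image goes onto a blog: the same tags a viewer can read are the ones an OSINT search will read. The parser handles both byte orders and returns `None` rather than guessing when the GPS IFD or any of the four position tags is missing.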