0xL4ughCTF OSINT Writeups

Ahmed Elessaway
9 min read · Dec 28, 2024

Hey folks. I hope you are doing well and that you enjoyed our CTF. I won’t talk too much, so let’s start the walkthrough of my OSINT challenges.

Hope you learn new things :3 ❤

Mini X — Easy

Let’s start with the easiest and most-solved one: Mini X.

So, in this challenge, all you have is an image that seems corrupted and we are looking for an NCIC number that ends with 59.

My mindset when solving OSINT challenges is to take the description and start extracting keys from it. Let’s take an example.

A cybercriminal responsible for a series of high-profile ransomware attacks
has vanished. The only remaining clue is a fragmented NCIC number hidden
within the investigation's scattered files. A corrupted image, found on
a dark web server, is believed to be linked to the suspect, who is rumored
to be on the FBI's Most Wanted list. Your mission is to reconstruct
the NCIC number. Flag Format: 0xL4ugh{WXXXXXXX59}

After extracting the keys:

1- Cybercriminal has high-profile ransomware attacks
2- The FBI's Most Wanted list

You might ask: why not extract “found on a dark web server” as a key? Simply because there are no clues inside the metadata of the image to follow up on. That’s why we extracted only these 2 keys. So let’s take a look at the FBI’s most wanted cybercriminals.

So let’s start comparing the hackers listed there with the image we have, drawing some lines around the shape of the person.

Comparing it with the other criminals, we notice that its shape is similar to ALEXSEY BELAN.

And here we got the NCIC Number.

0xL4ugh{W507648159}

Maroon — Medium

Let’s go up a level and take a look at this one. It has no attachments.

So let’s do the same step and extract the keys from the description.

A notorious cheat coder known as Destroyer2009 shook the competitive gaming
world by disrupting a major event with a multi-million dollar prize pool,
causing the competition to be halted. After vanishing from the scene, he has
resurfaced under the radar, sharing a cheat tool for another competitive game
on an obscure internet forum. Rumors of his return have surfaced, and traces
of his online activity have been uncovered, pointing to a hidden post where
he uploaded the cheat. Your mission is to follow the clues and find the full
URL of the forum thread where the cheat was posted.
Flag Format: 0xL4ugh{Thread Full URL [XXXXX://XXXXXXX.XXX/XXXXXXX/XXXXX/]}

The keys are:

1- Cheat coder known as Destroyer2009 (username) who shook the competitive gaming world by disrupting a major event with a multi-million dollar prize pool (a good pointer: look for a game with a huge prize pool, to filter out low-prize events).
2- Sharing a cheat tool for another competitive game (a specific type of game, like CSGO, Call of Duty and Valorant).
3- Obscure internet forum (the link we are looking for is on a forum for cheaters).

Those are the keys we need to investigate, so let’s start by searching for “Destroyer2009” on Google.

So it’s a famous attack of his on the game (Apex Legends). Googling (Destroyer2009) is not useful, though, because he might be hiding behind another name so as not to be noticed by others. So let’s take a look at OpSecFail.

Sheesh, found him: he is known as (Timoxa).

IMPORTANT NOTE: THERE ARE MANY WAYS TO FIND YOUR INFORMATION. THE POINT OF OSINT IS THAT YOU KEEP LOOKING, AND IT’S NEVER A ONE-WAY SOLUTION.

Going through that blog and reading about it, we notice an interesting thing.

His second username (Timoxa5651), and that he was using GitHub.

Let’s go to GitHub and look for that name.

You will get only one hit under Users. Let’s take a deep look through the repos (repositories).

Only 2 repos, yet he has had a lot of activity before, so maybe he deleted some of the old repos. Hence the hint I released:

GO WAYBACK MACHINE. So let’s take this approach.

Only 1 hit, on (May 1, 2024), and it wasn’t useful. But there is another option: checking the URLs tab for cached pages.

Cool, 183 hits. Looking through them:

Oh, a cheat loader repo. Maybe it’s the one we are looking for.

CSGO is a competitive game, so it should be the thread we are looking for.

Yes, it is :D ❤.

0xL4ugh{https://yougame.biz/threads/84149/}

GhostBot — Hard

Oh, for the final level in this competition, we are moving to the hard one :D

Our first step: extracting keys from the description and the image in the attachment.

I discovered a leaked Discord chat where two individuals discussed a powerful
bot used to track cybercriminals. One plans to use the bot to target someone,
while the other warns of the risks. I’ve decided to investigate the bot’s
origin, its role in cybercrime, and who's controlling it.
Flag Format: 0xL4ugh{}

Keys

1- A powerful bot used to track cybercriminals.
2- Use the bot to target someone.
And from the image:
3- Date 2021
4- Mentioned MM0X (username)
5- Among Discord servers.

So our first mission is to find the message from MM0X. If you are not familiar with MM0X, you can use Google.

There are many MM0Xs, but we notice there is only one MM0X related to the author (me), on CTFtime.

Here is the information. So the related Discord servers may be (0xL4ugh, FREE Palestine, Mistifts). The only active server is 0xL4ugh’s Discord server, so let’s find an invite for ourselves.

Here is an invite via (X); there are many invites around on the social media accounts.

So, welcome to our 0xL4ugh community.

Sponsor: Our Discord Community. You can be active there; we have 2 sections.

Community: to share resources, free materials, free courses and tools.

CTF: if you are looking for teams or for help with challenges (DON’T CHEAT IN LIVE CTFs), and to share writeups too.

Let’s continue our challenge. From the keys we have, we got the date and the username, so let’s search for them in this Discord server.

Sheesh, here is the message about the cybercriminal bot. Let’s go there.

Since you don’t have access to it, it will just show #Unknown.

MM0X’s mention carries the message ID from the bot’s Discord server. Discord URLs look like this:

https://discord.com/channels/GuildID[ServerID]/ChannelID/MessageID

So, copying the message link:

https://discord.com/channels/1321167893559382100/1321167894163226737/1321189372854276098

The server ID we are looking up is ‘1321167893559382100’. So let’s take a deep look using Google.
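Splitting such a link into its IDs, as an added example that is not part of the original write-up. It goes one step further than the text: every Discord ID is a snowflake whose upper bits hold a millisecond timestamp counted from Discord's 2015 epoch, so the same link also tells you when the server, channel and message were created. The function names are hypothetical.

```python
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, start of Discord's snowflake clock

# https://discord.com/channels/<guild id or @me>/<channel id>[/<message id>]
LINK_RE = re.compile(
    r"^https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/channels/"
    r"(?P<guild>\d{17,20}|@me)/(?P<channel>\d{17,20})(?:/(?P<message>\d{17,20}))?/?$"
)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time stored in the bits above the lowest 22 of a snowflake ID."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_message_link(url: str) -> dict:
    """Return {'guild': ..., 'channel': ..., 'message': ...} for a Discord link.

    Each present part maps to {'id': int, 'created': datetime}; a missing
    message ID or a DM link (guild '@me') maps to None.
    """
    match = LINK_RE.match(url.strip())
    if match is None:
        raise ValueError(f"not a Discord channel/message link: {url!r}")
    parts = {}
    for name, value in match.groupdict().items():
        if value is None or value == "@me":
            parts[name] = None
        else:
            parts[name] = {"id": int(value), "created": snowflake_time(int(value))}
    return parts


if __name__ == "__main__":
    # The link copied in the write-up above.
    link = ("https://discord.com/channels/1321167893559382100/"
            "1321167894163226737/1321189372854276098")
    for part, info in parse_message_link(link).items():
        print(part, info["id"], info["created"].isoformat())
```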

And multiple sites generate a free invite to the server.

And yes we are in.

Hello, bot, and hello 7amoksha. We finally reached the bot. Send a DM to the bot with !help.

Take a deep look at the commands and try to execute some.

There was only one user whose lookup didn’t retrieve any data and needs higher privilege.

So we can dig into the hint I left before I went to sleep.

The first thing you hit is expired. Hmm, let’s try the login command.

It generates a JWT token. Let’s try to log in with it.

It’s a guest, so it must be using a secret key. But where to find it?

As we know, 7amoksha was digging into the bot’s owner, and 7amoksha is on the server and offline.

Another key for our list (7amoksha got hacked by the owner, called ‘Apachei’). Let’s dig into him.

26 hits. Apachei is not a gamer or looking for images, so filter the output down to something related to tech or coding (the Discord bot).

There is a GitHub account.

4 days ago, and there is a repo containing a Python script.

Hmmm, going through the commits.

Ohhhhhhhh, the secret key. But this is the first thing we hit (the hint says it's expired xD), so trying it does not work.

I want to give a shout-out to the players who asked the web guys to solve it by exploiting the .title() vulnerability, from the condition:

if name == "Elsfa7 Elmrta7":

So changing the first letter to lowercase will bypass the condition and get the flag.
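Why that works, and how to close it, as an added example (not the bot's code, which this write-up shows only as the single condition above). It assumes the check runs on the raw input while the lookup runs on `name.title()`; the function names, the `is_admin` flag and the records are constructed for illustration.

```python
PROTECTED = "Elsfa7 Elmrta7"  # the name from the condition quoted above

# Constructed sample data standing in for whatever the bot looks up.
RECORDS = {
    "Elsfa7 Elmrta7": "restricted record",
    "Test User": "public record",
}


def lookup_vulnerable(name: str, is_admin: bool = False) -> str:
    # The authorization check compares the RAW input ...
    if name == PROTECTED and not is_admin:
        return "permission denied"
    # ... but the lookup uses the NORMALIZED input. str.title() upper-cases
    # the first letter of every word, so "elsfa7 Elmrta7" skips the check
    # above and still resolves to the protected record here.
    return RECORDS.get(name.title(), "not found")


def lookup_hardened(name: str, is_admin: bool = False) -> str:
    # Normalize exactly once, then authorize and look up the same value.
    canonical = " ".join(name.split()).title()
    if canonical == PROTECTED and not is_admin:
        return "permission denied"
    return RECORDS.get(canonical, "not found")


if __name__ == "__main__":
    for candidate in ("Elsfa7 Elmrta7", "elsfa7 Elmrta7", "ELSFA7  elmrta7"):
        print(repr(candidate),
              "| vulnerable:", lookup_vulnerable(candidate),
              "| hardened:", lookup_hardened(candidate))
```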

The second solution is to look AROUND GITHUB, which means maybe it is a gist.

And yes here it is.

Found the gist. Checking the revisions:

Hello, my little one. Let’s use this key to generate an admin token.
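What the guest token and the recovered key mean for the service, as an added example (not the bot's code): an HS256 JWT is only an HMAC over header and payload, so editing the payload without the key fails verification, a token signed with the published key passes, and only rotating the key shuts it out again. The claim names and both keys are constructed placeholders.

```python
import base64, hashlib, hmac, json

LEAKED_KEY = b"constructed-key-found-in-git-history"    # constructed placeholder
ROTATED_KEY = b"constructed-key-issued-after-rotation"  # constructed placeholder

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way an HS256 service does: HMAC over header.payload."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError if the token is not valid for key."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def accepted(token: str, key: bytes) -> bool:
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    guest = sign_hs256({"user": "player", "role": "guest"}, LEAKED_KEY)
    head, _, sig = guest.split(".")
    edited = ".".join([head, b64url(b'{"user":"player","role":"admin"}'), sig])
    resigned = sign_hs256({"user": "player", "role": "admin"}, LEAKED_KEY)
    print("payload edited, old signature:", accepted(edited, LEAKED_KEY))     # False
    print("re-signed with leaked key:    ", accepted(resigned, LEAKED_KEY))   # True
    print("same token after rotation:    ", accepted(resigned, ROTATED_KEY))  # False
```

Rotating the signing key is what ends the exposure; deleting the commit or gist revision does not, because the old value stays valid for as long as the service trusts it.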

Let’s try our token now :D.

And that’s a GG. ❤

0xL4ugh{Y0u_So1v3d_m3_bu7_It5_N0t_th3_End}

To make it funnier, I’ve already sent the flag :V.

Well, that’s the end of the challenges. I hope you enjoyed my write-ups and my challenges and learned new things from them. I hope no one is sad for me ❤. Best of luck and good luck, L4ughers.
