Tags: keybase osint github pgp
Rating: 5.0
# misc/pretty-good (OSINT) @ DamCTF Oct. 2020
* challenge author: **Lyell Read**
* solves: **30**
* points: **483**
This was a fun **OSINT** challenge! I was second to submit
the flag on this one, almost first blood!
## Description
> Nothing like getting a project assignment on a Friday afternoon.
>
> Flag is the IP address (ex: `dam{169.254.42.42}`)
## Analysis
First of all, we are given an `assignment.zip` file. This zip archive contains
a PDF file named `assignment.pdf` and a picture named
`CTG-2020-10-0001-S1-001.jpeg`.
### Assignment
This assignment document reads like an FBI document:
![](https://i.imgur.com/3DcNeG5.png)
It's two pages long but we retain only two very important things that read
like clues:
![](https://i.imgur.com/icZgtis.png)
So, **Keybase** is crucial to solving this case. The case will be considered solved
once we find an IP address linked to this individual (the IP address is the
flag).
### Keybase
> Keybase is secure messaging and file-sharing.
> We use public key cryptography to ensure your messages stay private.
> Even we can’t read your chats.
If we take a deeper look into keybase, we can see that to encrypt a message, it
prompts us into using **PGP**, this is very important later on.
### Getting a foothold
Since we don't really have anything to use for keybase at the moment, we take
a look at the other resource we have:
![](https://i.imgur.com/oht5IHt.jpg)
It's someone's portrait. We could try to do some stego-analysis on it but since
we're working on an **OSINT** challenge, our best bet is probably to do a
reverse image search on it.
I first tried this on google, but that didn't give us any useful results.
Next, I tried **tineye**, and voilà:
![](https://i.imgur.com/MWmC1uL.png)
An exact image match that links us to a
[blog](https://rayhaanhodgson.com/about-rayhaan-hodgson/)! Are we sure this
is it?
![](https://i.imgur.com/gEReBhr.png)
Yes, we are.
### Next step
We spend some time going through the blog, how it is setup, whether there is
some sql injection to be done or not, but then once again we realise this is an
**OSINT** challenge.
In one of the subject's blog posts, we learn that he has recently setup two
github profiles:
![](https://i.imgur.com/2vSi8u6.png)
In the same blog post he also mentions he has recently learned about **ssh** and
**gpg**. Big hints!
![](https://i.imgur.com/IkLbtWO.png)
Now then, we know we have two github profiles to look for!
### Finding the github profiles
The only thing we really have to go off of here is the subject's name, so we
just chuck that into GitHub's search engine. We find what we were looking for!
![](https://i.imgur.com/DQdHnvH.png)
Sadly we only find one profile though, his work profile.
After taking a look at this user's repositories and commits, nothing of interest
seems to be there. If we remember our previous clues though, in this case
**PGP**, we could remember that GitHub has a way to verify the legitimacy of
commits, wonder what they use for that?
![](https://i.imgur.com/8JbQCSB.png)
Oh. Of course. So, let's check if our subject's commits are verified:
![](https://i.imgur.com/o7QcgC7.png)
Yup! We find a key ID: **D66D33D350AAB609**.
### Putting the GPG/PGP clues together
Some people didn't really know or think that this key ID was important. If we
think about the clues we have, and the clues we haven't used though, we notice
that **Keybase** and **PGP** seem to belong together. So we head on over to
[keybase.io](https://keybase.io) and try to lookup the GPG key ID we just found:
![](https://i.imgur.com/110rRaf.png)
We immediately see the second github profile from the search results.
## Finding the flag
This personal github profile has one repository named **dotfiles**. On the
current commit there doesn't seem to be anything interesting, but looking
through the commit history we notice this:
![](https://i.imgur.com/38N4DiH.png)
Oh? SSH config? That sounds like there could be some IP addresses involved!
We take a look at the commit diff and voilà:
![](https://i.imgur.com/wvCcHgW.png)
There's the IP address!
Flag: **dam{182.24.89.5}**