HTB Write Up – OSINT – ID Exposed

2020-09-24 

I’ve been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I’ve never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I’ve never encountered before.

We are looking for Sara Medson Cruz’s last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With this bit of content, I spent a lot of time going through my usual routine…

Sherluckin’ Out

First, I looked for the username saramedsoncruz using Sherlock. It’s a tool written in Python that queries a ton of social media services. (There’s websites for this, too.) This pulled up only a couple results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/ 
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she’d just found.

This seemed to be a lock… but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In…

At this point, I’m trying everything I know. Manually clawing though “Sara Cruz” accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar — I thought to myself “Some dumb hacker shit! Surely, this must be it!”

But, no. Another dead end.

As I’m searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I’m about to give up — which is fine by me. Yeah, I’m always a little disappointed when I throw in the towel, but that’s part of the reason I do these CTF challenges: to test what I know, and if it’s something I don’t know: learn. (From write-ups. Like this. 😏)

…when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

“ID Exposed”… hey, waaaait a minute…

I think for a moment as that piece of information zip-zaps across my mind over to the article I’d found earlier: Getting a Grasp on GoogleIDs.

I’d completely overlooked a clue in the title. Turns out this was VERY relevant!

I’ll leave the article for you to see the details, but long story short: there’s a profile ID number attached to every Google account. There’s a couple ways to get this ID outlined in the article.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you try executing an API endpoint. In order to execute this endpoint call, you’ll need to give permission for your own Google account.

Following the instructions in the article, I plugged in “people/c6412528252752365100” for the resourceName, and “metadata” for the personFields field.

The call, successful, returned this block of JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": \[
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",   // <----
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": \[
            "GOOGLE_USER"
          \]
        }
      }
    \],
    "objectType": "PERSON"
  }
}

Under the metadata -> sources entry with the PROFILE type, there is our GoogleID: 117395327982835488254.

Now That’s Brazilliant

From here, we can look for various things (again, check the article for what’s possible).

As it turns out, you can take a look at the ‘contributions’ that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.

So, I tack the GoogleID onto the appropriate URL… https://www.google.com/maps/contrib/117395327982835488254/

…and sure enough:

“Flag Watcher”, huh? 😏

No photos, but they’ve posted a review for the ‘Museu do Futebol’ in Brazil, giving it a whopping five stars, and a terse comment of “really nice museum”…

Wait, there’s more.

Like, literally ‘More’.

Click it.

And there’s our flag, buried in a bunch of percent signs to force the comment to collapse. 🙂

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It’s okay to give up, as long as you’re willing to learn.

Just be careful that you’re not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳