I’ve been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.
While I’ve never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I’ve never encountered before.
We are looking for Sara Medson Cruz’s last location, where she left a message. We need to find out what this message is! We only have her email:
saramedsoncruz@gmail.com
With this bit of content, I spent a lot of time going through my usual routine…
Sherluckin’ Out
First, I looked for the username saramedsoncruz
using Sherlock. It’s a tool written in Python that queries a ton of social media services. (There’s websites for this, too.) This pulled up only a couple results:
[*] Checking username saramedsoncruz on: [+] Pinterest: https://www.pinterest.com/saramedsoncruz/ [+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz
When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.
Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she’d just found.
This seemed to be a lock… but, despite a match on that very specific username, it wound up going nowhere.
Struck out with the Pinterest link, but I had low hopes for that one.
Desperation Sets In…
At this point, I’m trying everything I know. Manually clawing though “Sara Cruz” accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar — I thought to myself “Some dumb hacker shit! Surely, this must be it!”
But, no. Another dead end.
As I’m searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.
I’m about to give up — which is fine by me. Yeah, I’m always a little disappointed when I throw in the towel, but that’s part of the reason I do these CTF challenges: to test what I know, and if it’s something I don’t know: learn. (From write-ups. Like this. đ)
…when suddenly!
So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.
“ID Exposed”… hey, waaaait a minute…
I think for a moment as that piece of information zip-zaps across my mind over to the article I’d found earlier: Getting a Grasp on GoogleIDs.
I’d completely overlooked a clue in the title. Turns out this was VERY relevant!
I’ll leave the article for you to see the details, but long story short: there’s a profile ID number attached to every Google account. There’s a couple ways to get this ID outlined in the article.
In my case, I added it to my existing Google Contacts collection and sniffed the data-personid
attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).
With this in hand, I went over to the People API people.get
page, which lets you try executing an API endpoint. In order to execute this endpoint call, you’ll need to give permission for your own Google account.
Following the instructions in the article, I plugged in “people/c6412528252752365100
” for the resourceName
, and “metadata
” for the personFields
field.
The call, successful, returned this block of JSON:
{ "resourceName": "people/c6412528252752365100", "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==", "metadata": { "sources": \[ { "type": "CONTACT", "id": "58fde0788976062c", "etag": "#mHCSVKsIHG4=", "updateTime": "2020-09-24T15:59:18.216Z" }, { "type": "PROFILE", "id": "117395327982835488254", // <---- "etag": "#4eZz2/IuMFw=", "profileMetadata": { "objectType": "PERSON", "userTypes": \[ "GOOGLE_USER" \] } } \], "objectType": "PERSON" } }
Under the metadata -> sources
entry with the PROFILE
type, there is our GoogleID: 117395327982835488254
.
Now Thatâs Brazilliant
From here, we can look for various things (again, check the article for whatâs possible).
As it turns out, you can take a look at the âcontributionsâ that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.
So, I tack the GoogleID onto the appropriate URL⌠https://www.google.com/maps/contrib/117395327982835488254/
âŚand sure enough:
âFlag Watcherâ, huh? đ
No photos, but theyâve posted a review for the âMuseu do Futebolâ in Brazil, giving it a whopping five stars, and a terse comment of âreally nice museumââŚ
Wait, thereâs more.
Like, literally âMoreâ.
Click it.
And thereâs our flag, buried in a bunch of percent signs to force the comment to collapse. đ
HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}
Conclusion
Itâs okay to give up, as long as youâre willing to learn.
Just be careful that youâre not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. đł