Hunt him down!

George Chen
4 min read · Dec 7, 2020

GovTech CSG did a phenomenal job in organising a 48-hour CTF competition over the weekend. While my team and I only captured 15 flags and got stuck on various stages of the other challenges, it has been such an awesome experience learning from my fellow team mates, learning new tools on-the-go, and thinking out-of-the-box.

Our team is doing some post-CTF write-ups, and this is an entry on a fun (non-technical — which I’ll explain in a bit) and relatively straightforward OSINT challenge, which nonetheless had me running in circles for some time.

The following challenge is presented:

The eml attached doesn’t contain much other than the sender email address:

The originating domain is c0v1d.cf. Being familiar with Freenom, I knew the domain itself wasn’t owned by the malicious actor, theOne, so I skipped whois and jumped right into looking up the domain and the results associated with it. As there wasn’t much data on that, I broadened my search to its related subdomains. Using DNSDumpster, we see a TXT record bearing theOne’s handle and email address, namely lionelcxy and lionelcheng@protonmail.com.
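The TXT record is the pivot for the whole challenge, and the same leak happens to real organisations: someone parks a contact address or a personal handle in a TXT record on a throwaway subdomain and forgets it. As an added example (not the author’s code, nor anything from the CTF), the script below takes TXT records as you would get them from a zone export or a passive-DNS dump and pulls out email addresses and handle-like tokens, then separates role addresses on the zone itself (DMARC reporting, abuse mailboxes) from third-party mailboxes and handles that are likely personal. The sample records and the `example.com` zone are constructed placeholders; the `owner=`/`handle=` keys are hypothetical conventions, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample input: (record name, TXT data) pairs for a zone and its
# subdomains. Placeholder domain and identities, not the ones from the write-up.
SAMPLE_TXT_RECORDS = [
    ("example.com", "v=spf1 include:_spf.google.com ~all"),
    ("example.com", "google-site-verification=abcdefghijklmnop"),
    ("_dmarc.example.com", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("dev.example.com", "owner=alice.doe@protonmail.com handle=alicedoe"),
    ("staging.example.com", "maintained by @alicedoe, ping @bob_b on the usual channel"),
]

# Conservative email pattern; good enough for TXT data, which is short free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Handles: an @mention or a hypothetical "handle=" key (assumed convention).
HANDLE_RE = re.compile(r"(?:@|\bhandle=)([A-Za-z0-9_]{3,})")


def extract_identifiers(records):
    """Return {identifier: [record names it appears in]} for emails and handles.

    Emails are removed from the text before handle matching so that the domain
    part of an address (the text after its '@') is not mistaken for a handle.
    """
    found = defaultdict(set)
    for name, txt in records:
        for email in EMAIL_RE.findall(txt):
            found[email.lower()].add(name)
        stripped = EMAIL_RE.sub(" ", txt)
        for handle in HANDLE_RE.findall(stripped):
            found["@" + handle.lower()].add(name)
    return {ident: sorted(names) for ident, names in found.items()}


def classify(identifiers, zone):
    """Label each identifier so an auditor can focus on the personal ones.

    role-address   mailbox on the zone itself (DMARC rua, abuse@...): usually intended
    external-email mailbox at a third-party provider published in DNS: review it
    handle         social-media style handle: almost never belongs in a zone
    """
    findings = []
    for ident, names in identifiers.items():
        if ident.startswith("@"):
            kind = "handle"
        elif ident.endswith("@" + zone.lower()):
            kind = "role-address"
        else:
            kind = "external-email"
        findings.append((ident, kind, names))
    return sorted(findings)


def audit_zone(records, zone):
    """Convenience wrapper: records -> classified findings for one zone."""
    return classify(extract_identifiers(records), zone)


if __name__ == "__main__":
    for ident, kind, names in audit_zone(SAMPLE_TXT_RECORDS, "example.com"):
        print(f"{kind:15} {ident:30} in {', '.join(names)}")
```

Run against your own zone’s TXT records, anything reported as `handle` or `external-email` is a record worth asking about: if it is not needed for a verification or mail-authentication flow, it is only serving as a breadcrumb.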

From there, it was just a matter of extracting useful information from Lionel’s social media accounts — Facebook, LinkedIn, Twitter, Instagram, Carousell.

Full name, which was required as part of the flag, was obtained from LinkedIn:

While his Facebook profile didn’t return anything useful, his Instagram account did provide a couple of hints — i) he stays near Lau Pa Sat.

And ii) his exercise route that’s just north of Lau Pa Sat:

His Strava activity link didn’t provide any additional clues other than where he might be staying:

I got his contact number, 963672918 (part of the flag), from the Google cache of his Carousell postings (I was pretty sure he didn’t have any active postings, but when I searched again some time later, one posting was publicly listed). It’s pretty telling that this is the correct mobile number for the flag, because it’s an invalid one with an extra digit.

The location “City Hall MRT” also suggests that his residence is near Lau Pa Sat and the Marina Boulevard area.

Now, we are only short of his postal code:
govtech-csg{fullname-phone number[9digits]-residential postal code[6digits]}

This was where it started getting embarrassing. Based on his running route, Carousell meetup location, and dining place, I started to triangulate to get the postal codes of residences nearby. I started trying out flag submissions with postal codes of nearby private residences, then service apartments, sleeping pods, motels, hotels, and eventually (and desperately) office spaces — to the point that I was getting my wife to help google postal codes so that I could trial-and-error my way through. It was only after almost a hundred attempts that I came to the overdue realisation that this was probably the wrong route.

I traced back my steps and redid them to make sure I hadn’t missed anything else. It was then that I became curious as to why his Strava activity was unlisted and why his profile didn’t show any activities.

Another (unintended) change that I spotted was an increase in the number of followers he had (they had to be other CTF players)! That indicated that I had missed some crucial details. True enough, after registering a Strava account and following him, I saw another activity, which indicated that his residence is where Social Space is located.

I hit another wrong flag, but quickly realised that there were two Social Space offices in that area, and the second one’s postal code got me the right flag.

Overall, this was a straightforward challenge that didn’t require possessing or picking up any particular technical skill. The lesson I took away is to fall back on proper reconnaissance rather than an unintelligent trial-and-error approach.


George Chen

Global Threat Hunting Manager at PayPal. George is a site lead for Innovation Lab & Community Impact. In his spare cycles, he lectures cybersec at a University.