CSAW 2012 – Recon

There were 5 recon challenges:

    Jordan Wiens
    Jeff Jarmoc
    Julian Cohen
    Dan Guido (What are Dan Guido’s two favorite foods?)

Jordan Wiens
Jordan Wiens his nickname is psifertex and he has a website on: http://cty.psifertex.com/

In the source of this website we can see:

<!-- The CSAW key is not on this domain. -->

When we go to: http://psifertex.com/csaw/ we see the following page:

Reading the first characters of the string “Some Understanding Becomes Dominant On Manipulation And Inquisitive Naming” gives us SUBDOMAIN.

We tried some domains which did not work, such as:

However, the domain http://key.psifertex.com/ did work and gave us the following:

And there is our key.

KEY: secret sonambulist

Jeff Jarmoc
After searching jjarmoc’s social footprint without any luck, we found a photo of Jeff on the Judges page which contained EXIF metadata:

:~/CSAW$ jhead jjarmoc.jpg 

File name    : jjarmoc.jpg
File size    : 22516 bytes
File date    : 2012:09:29 02:57:00
Resolution   : 213 x 284
Comment      : finger://jjarmoc@finger.offenseindepth.com:79/

After we installed finger, we could finger the server:

# finger jjarmoc@finger.offenseindepth.com
Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
Username: jjarmoc                   In real life:                       

This is my .plan.  There are many more like it, but this one is mine.

{flag:does anyone still use finger?}

Debian GNU/Linux      Copyright (c) 1993-1999 Software in the Public Interest

And there is our key.

Key: does anyone still use finger?

Julian Cohen
The nickname of Julian Cohen is HockeyInJune, as can be seen on his Twitter account (https://twitter.com/HockeyInJune).

After searching the internet for a while we stumbled upon the reddit user page of HockeyInJune on http://www.reddit.com/user/HockeyInJune

There are some comments on the CSAW topic there including the following one:

[–]HockeyInJune[S] 1 punt 5 dagen geleden
You don't like roosters? πŸ™
NSFW: http://cockcab.com/

It might be NSFW, but we visited the http://cockcab.com/ site anyways:

The site shows us the key as: key{The_first_step_of_owning_a_target_is_recon.}

KEY: The_first_step_of_owning_a_target_is_recon.

Dan Guido (What are Dan Guido’s two favorite foods?)

After browsing half of the internet we once again ended up at reddit. Here we found Dan Guido his account at http://www.reddit.com/user/dguido/

This page showed us his latest reactions:

The reaction which we should examine more closely is: “WHO ARE YOU”. Which leads us to:

Where we will see “I like this guy, he eats a lot of salami and cheese.”

KEY: salami and cheese

We knew yoda hung out on IRC since he kicked some members of the team from the channel earlier that day… so we started our search there with a /whois yoda:

yoda [~o@ISIS-B0CFAD3E.com]
ircname  : key{hockey lock outs mean probably april}
channels : @#csaw 
server   : isis.poly.edu [ISIS IRC Server]
          : is using a Secure Connection
idle     : 0 days 0 hours 22 mins 1 secs [signon: Sat Sep 29 21:31:54 2012]
End of WHOIS

KEY: hockey lock outs mean probably april

{One Response to “CSAW 2012 – Recon”}

  1. For what it’s worth, the /csaw/ page was listed in the robots.txt so you didn’t have to guess it. The other intended solution at the end was to run one of the common dns brute forcing scripts with the built-in dictionary to find the subdomain. Tried to at least hint in the right direction to go to minimize guessing. Recon challenges can be frustrating…