Take the DoD Cyber Awareness Challenge!

2020-12-03 - Reading time: 6 minutes

I was doing a bit of OSINT-ish poking around on this character, Mellissa Carone.

She's a supposed voter fraud "whistleblower" for Rudy Giuliani. His star witness claims to have essentially seen all the voter fraud ever in her seemingly-drunken, insane testimony at a hearing in Michigan. You really have to see it to believe it. She made a complete ass out of herself trying to bullshit everyone in the room. Even Rudy, at one point, had to be like "whoa, down girl".


Ordinarily I wouldn't be dwelling on a private individual in a blog post, but Mellissa chose to step into the public arena.

So I figured I'd see what I could dig up on the web, in relation to a couple of her claims. Just practicing some OSINT on a public figure.

Anyway, in her testimony she claimed to be an IT contractor hired by the current conspiracy scapegoat "Dominion". Now she says she can't get work anymore because "the Democrats destroyed her life", and so on.

As far as jobs go, her LinkedIn says she's been an intern at a place called Ciber Global but with the title "Cyber Security Analyst". She mentions Ford Motor in a subheading on this one.

Next one down, same timeframe as the Ciber job, again, "Cyber Security Analyst" for Ford Motor Company. Maybe lent out as a temp?

Further back, an internship as an IT Technician at a local painting company.

And even further back, an IT Specialist/Help Deak [sic] person for Millennium Servica [sic]. This might be a Remodelling and Repair Contractor, or this unknown, defunct company.

Whichever. Doesn't matter.

Alongside all this, she's also listed as being a graduate of ITT Technical Institute and the University of Michigan, working on an associate's degree in Computer/Information Technology Administration and Management.

UPDATE: Apparently she's been up to some other stuff, too. Whoops...

In addition to her work experience, her profile features a set of certificates and awards:


Nothing really of interest. I can't even verify her Ciber employment, never mind this certificate. But that's fine. I don't really care. Any discrepancies are probably easily explained with a little more detail. (Benefit of the doubt, and all that.)

But then I scroll over to the third cert; the "Cyber Awareness Challenge" completion certificate:


What's that logo? Department of... hmm. I can guess, but let's ZOOM AND ENHANCE:


The Department of Defense?!

Woo! Impressive, right?

So I looked around for that, and found... THE 2021 CYBER AWARENESS CHALLENGE!

You too -- yes, YOU -- can take the unclassified training course, just like she did, and get your very own DoD Certificate of Completion for you to type "FART BUTT" on and save to a PDF and put on your own profile.

And best of all, it's in COLOR and updated for 2021!


But in all seriousness, I encourage you to take a look at this small, free course they're offering.

It's actually well put together and rather creative for a multiple-choice quiz that marks you correct even when you're wrong. You can't lose!

The real meat of it, though, is the details it provides. There's a lot of "duh" basic security things (don't bring in external devices, don't hold security doors open for anyone, etc.), but it actually gives some interesting insights into how they handle working with classified security information, among other things.

Quite a bit of video, too. Here's my favorite:

 


HTB Write Up - OSINT - ID Exposed

2020-09-24 - Reading time: 9 minutes

I've been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I've never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I've never encountered before.

We are looking for Sara Medson Cruz's last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With this bit of content, I spent a lot of time going through my usual routine...

Sherluckin' Out

First, I looked for the username saramedsoncruz using Sherlock. It's a tool written in Python that queries a ton of social media services. (There are websites for this, too.) This pulled up only a couple of results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she'd just found.

This seemed to be a lock... but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In...

At this point, I'm trying everything I know. Manually clawing through "Sara Cruz" accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar -- I thought to myself "Some dumb hacker shit! Surely, this must be it!"

But, no. Another dead end.

As I'm searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I'm about to give up -- which is fine by me. Yeah, I'm always a little disappointed when I throw in the towel, but that's part of the reason I do these CTF challenges: to test what I know, and if it's something I don't know: learn. (From write-ups. Like this. 😏)

...when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

"ID Exposed"... hey, waaaait a minute...

I think for a moment as that piece of information zip-zaps across my mind over to the article I'd found earlier: Getting a Grasp on GoogleIDs.

I'd completely overlooked a clue in the title. Turns out this was VERY relevant!

I'll leave the article for you to see the details, but long story short: there's a profile ID number attached to every Google account. There are a couple of ways to get this ID outlined in the article.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you try executing an API endpoint. In order to execute this endpoint call, you'll need to give permission for your own Google account.

Following the instructions in the article, I plugged in "people/c6412528252752365100" for the resourceName, and "metadata" for the personFields field.

The call, successful, returned this block of JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": [
            "GOOGLE_USER"
          ]
        }
      }
    ],
    "objectType": "PERSON"
  }
}

Under the metadata -> sources entry with the PROFILE type, there is our GoogleID: 117395327982835488254.
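The extraction step above, as an added example (not part of the original write-up): it reads a saved people.get response, picks out the PROFILE source id and builds the Maps contributions URL used in the next section. The function names are made up for illustration, and the sample is the response shown above trimmed to the fields the lookup uses.

```python
import json
import re

# The response from the write-up, trimmed to the fields used here.
SAMPLE_RESPONSE = """
{
  "resourceName": "people/c6412528252752365100",
  "metadata": {
    "sources": [
      {"type": "CONTACT", "id": "58fde0788976062c"},
      {"type": "PROFILE", "id": "117395327982835488254",
       "profileMetadata": {"objectType": "PERSON",
                           "userTypes": ["GOOGLE_USER"]}}
    ],
    "objectType": "PERSON"
  }
}
"""

MAPS_CONTRIB = "https://www.google.com/maps/contrib/{}/"


def profile_ids(response_text):
    """Return the id of every PROFILE source in a people.get response."""
    person = json.loads(response_text)
    sources = person.get("metadata", {}).get("sources", [])
    ids = []
    for src in sources:
        # The CONTACT source is the entry in the caller's own contacts;
        # only a PROFILE source carries the numeric GoogleID.
        if src.get("type") != "PROFILE":
            continue
        sid = str(src.get("id", ""))
        if re.fullmatch(r"\d+", sid):  # GoogleIDs are all digits
            ids.append(sid)
    return ids


def contrib_url(response_text):
    """Build the Maps contributions URL, or None without a PROFILE source."""
    ids = profile_ids(response_text)
    if not ids:
        # Assumption: no PROFILE source means no Google profile is linked.
        return None
    return MAPS_CONTRIB.format(ids[0])


if __name__ == "__main__":
    print(profile_ids(SAMPLE_RESPONSE))
    print(contrib_url(SAMPLE_RESPONSE))
```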

Now That's Brazilliant

From here, we can look for various things (again, check the article for what's possible).

As it turns out, you can take a look at the 'contributions' that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.

So, I tack the GoogleID onto the appropriate URL...

https://www.google.com/maps/contrib/117395327982835488254/

...and sure enough:

"Flag Watcher", huh? 😏

No photos, but they've posted a review for the 'Museu do Futebol' in Brazil, giving it a whopping five stars, and a terse comment of "really nice museum"...

Wait, there's more.

Like, literally 'More'.

Click it.

And there's our flag, buried in a bunch of percent signs to force the comment to collapse. :)

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It's okay to give up, as long as you're willing to learn.

Just be careful that you're not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳

