
“SpaceY Dump”

SpaceY Dump was a fairly high-value question in the Misc category at UMDCTF 2020. The goal is to unmask the anonymous Twitter user claiming responsibility for a hack and the subsequent data leak. So we know immediately that this is an OSINT question: we need to analyse this user's digital footprint to see whether they have slipped up at any point and revealed compromising personal information that could lead us to their real identity.

Let's start with the Twitter user who made the tweet in the question description:

One tweet that should immediately jump out at us is this key verification tweet for keybase.io, made on May 15, 2018. Keybase is a key directory that maps social media identities to encryption keys in a publicly auditable manner. It could link this anonymous user to more social profiles, which could uncover more valuable information.

Follow the link and you are presented with Keybase's straightforward interface. We can see a name, "Bob Arctor", another account associated with this person (GitHub) and their public key. We make a note to investigate all of these data points later, but let's start with the public key:

Why? If you have set up a PGP key pair before, you will know that certain tidbits of information are usually embedded in the public key: a name, an optional comment and an email address, conventionally written as Name (Comment) <email>. This is the User ID packet. Strictly speaking its contents are arbitrary, a free-form UTF-8 string that can be left blank or filled with garbage, and since it is typed in by whoever generated the key it proves nothing on its own; review the RFC here (https://tools.ietf.org/html/rfc4880#section-5.11).

Arbitrary or not, the hope is that this person has filled in any kind of information that can expand our search: an email address (even a throwaway one) could be another line of investigation to follow, a fake name could be reused elsewhere, and so on. Clicking on the public key opens it in a pop-up window. Not so useful in this format, but if we import it into the GNU Privacy Guard tool, or gpg for short, we can see the above-mentioned User ID information embedded in the key. And very conveniently, Keybase provides the commands for us here.

We simply download the key with curl and pipe it into gpg --import

Our previous suspicions were correct: this anonymous user has included potentially compromising information in their PGP public key:

We grab the flag, UMDCTF{[email protected]}
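What gpg displays after the import is simply the contents of the key's User ID packet. The script below, added here as an example (it is not code from the original write-up, from Keybase or from GnuPG), does that parsing by hand: it strips the ASCII armor and checks its CRC-24, walks the packet headers as described in RFC 4880 section 4.2, returns every User ID packet (tag 13) and the primary key's creation time and algorithm, and splits a User ID into name, comment and email. The armored key it runs on is constructed inside the script from dummy packets; the name and address in it (bob.arctor@example.com) are placeholders, not the challenge's flag.

```python
"""Extract the User ID packets from an ASCII-armored OpenPGP public key by hand.
Added example for this write-up (not code from the original post or from Keybase);
RFC 4880 references: armor/CRC-24 sec. 6, packet headers sec. 4.2, User ID sec. 5.11."""
import base64
import re

PUBLIC_KEY_TAG, USER_ID_TAG = 6, 13

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip the armor lines, decode the base64 body and verify the CRC-24."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch: key was corrupted or tampered with")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos - 1}")
        if ctb & 0x40:                   # new format (sec. 4.2.2): tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:                        # 224..254: partial body lengths, not used in key blocks
                raise ValueError("partial body lengths are not supported here")
        else:                            # old format (sec. 4.2.1): tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = (1, 2, 4, 0)[ltype]   # type 3 = indeterminate: packet runs to end of input
            length = int.from_bytes(data[pos:pos + size], "big") if size else len(data) - pos
            pos += size
        body = data[pos:pos + length]
        pos += length
        yield tag, body

def split_user_id(uid: str):
    """Split the conventional 'Name (Comment) <email>' form into its three parts."""
    m = re.fullmatch(r"\s*([^(<]*?)\s*(?:\(([^)]*)\))?\s*(?:<([^>]*)>)?\s*", uid)
    return (m.group(1), m.group(2), m.group(3)) if m else (uid, None, None)

def extract_user_ids(armored: str):
    """Decoded User ID strings (tag 13 packets) of an armored key, in order."""
    return [body.decode("utf-8", "replace")
            for tag, body in iter_packets(dearmor(armored)) if tag == USER_ID_TAG]

def primary_key_info(armored: str):
    """(version, creation time as epoch seconds, public-key algorithm ID) of the primary key."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PUBLIC_KEY_TAG:
            if body[0] != 4:
                raise ValueError("only v4 public-key packets are handled here")
            return body[0], int.from_bytes(body[1:5], "big"), body[5]
    raise ValueError("no public-key packet found")

# Constructed sample, NOT a real key: a v4 RSA public-key packet with dummy 4-bit/5-bit MPIs,
# then a User ID packet, armored the way gpg and Keybase emit keys.
def _new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body     # new-format header, 1-octet length (< 192)

def _armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    crc = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed sample", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [crc, "-----END PGP PUBLIC KEY BLOCK-----"])

SAMPLE_UID = "Bob Arctor (constructed sample) <bob.arctor@example.com>"   # placeholder, not the flag
SAMPLE_KEY = _armor(
    _new_packet(PUBLIC_KEY_TAG, b"\x04" + (1526342400).to_bytes(4, "big") + b"\x01\x00\x04\x0b\x00\x05\x11")
    + _new_packet(USER_ID_TAG, SAMPLE_UID.encode()))
```

To run it against a real profile, pass the text that curl fetches from the Keybase key link (the pgp_keys.asc URL shown with the import commands) to extract_user_ids instead of SAMPLE_KEY. If you would rather not touch your keyring at all, recent GnuPG 2.2 releases also offer gpg --show-keys <file>, which lists the user IDs of an armored key without importing it.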

You can remove the key from your keyring again with

gpg --delete-key key-ID
