Challenge Description
A developer who had been on the run for a long time was finally tracked to their home. However, by the time authorities arrived, they were already gone. During a search of the room, a flash drive was discovered and sent to the forensic lab for analysis. The investigation revealed that the drive held a database containing records of accessed websites, but it had also been tampered with. This evidence supported the primary goal of the investigation, locating a report that details the developer’s dealings with the company they had fled from. It appears the contract had been altered, the agreement was misused, and funds were taken. Finding the unmodified contract is key to resolving the case.
Challenge Solution
We are given a database file. Opening it in DB Browser for SQLite, or in an online viewer such as https://inloop.github.io/sqlite-viewer/, shows its contents: a table of visited links, i.e. browsing history.
Checking each link, we see that they relate to development tweets, YouTube videos, and similar things. One website stands out, https://www.zaindevcode.fun/, because the challenge description mentions a developer.
Opening the website, we find a portfolio listing her achievements, projects, skills, her name, and more. Searching social media for that name alone yields nothing useful, since people often use handles that differ from their real name. But because this is a portfolio, it is almost certainly her real name.
The description says the database has been tampered with, and checking the ID column of the history table confirms it: some ID values are missing from the sequence.
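The gap check above can be automated. The following is an added example, not part of the original writeup: it builds a small in-memory SQLite history table with a constructed set of rows (the schema loosely follows the Chromium `urls` table; the challenge's real database is not reproduced), then looks for holes in the ID sequence. It also reads `sqlite_sequence`, which only exists for AUTOINCREMENT tables but, when present, reveals rows deleted from the end of the table that gap detection alone cannot see.

```python
import sqlite3

# Constructed sample rows, not the challenge data. Rows 3, 6 and 8 are deleted
# below to simulate tampering.
SAMPLE_ROWS = [
    (1, "https://x.com/someone/status/1952000000000000000", "tweet"),
    (2, "https://www.youtube.com/watch?v=BLZWkjBXfN8", "video"),
    (3, "https://example.com/removed-a", "deleted later"),
    (4, "https://www.zaindevcode.fun/", "portfolio"),
    (5, "https://drive.google.com/drive/folders/1UHKhwvCrGkgW_pgkmYS_vj82LxN2KQDz", "drive"),
    (6, "https://example.com/removed-b", "deleted later"),
    (7, "https://github.com/", "github"),
    (8, "https://example.com/removed-c", "deleted later"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory history database and delete a few rows from it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "url TEXT NOT NULL, title TEXT)"
    )
    conn.executemany("INSERT INTO urls (id, url, title) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("DELETE FROM urls WHERE id IN (3, 6, 8)")
    conn.commit()
    return conn


def list_history(conn: sqlite3.Connection, table: str = "urls"):
    """Return (id, url) pairs in id order. `table` is trusted, not user input."""
    return [(r[0], r[1]) for r in conn.execute(f"SELECT id, url FROM {table} ORDER BY id")]


def find_id_gaps(conn: sqlite3.Connection, table: str = "urls"):
    """Return ids missing between min(id) and max(id).

    A history table normally grows without holes, so missing ids are a strong
    sign that rows were deleted after the fact.
    """
    ids = [r[0] for r in conn.execute(f"SELECT id FROM {table} ORDER BY id")]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def high_water_mark(conn: sqlite3.Connection, table: str = "urls"):
    """Return the highest id ever assigned, or None if unavailable.

    sqlite_sequence keeps the AUTOINCREMENT counter even after the newest rows
    are deleted, so seq > max(id) means rows at the end were removed too.
    """
    try:
        row = conn.execute(
            "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)
        ).fetchone()
    except sqlite3.OperationalError:  # no AUTOINCREMENT table in this database
        return None
    return row[0] if row else None


def filter_urls(conn: sqlite3.Connection, keyword: str, table: str = "urls"):
    """Case-insensitive substring search over stored URLs (e.g. 'dev')."""
    return [u for _, u in list_history(conn, table) if keyword.lower() in u.lower()]


if __name__ == "__main__":
    db = build_sample_db()
    print("gaps:", find_id_gaps(db))
    print("last id ever assigned:", high_water_mark(db))
    print("developer-looking URLs:", filter_urls(db, "dev"))
```

Run against the real file with `sqlite3.connect("history.db")` and the right table name; if the table was created without AUTOINCREMENT, only the gap check applies.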
Next we gather more information about the domain: where is it hosted, does a CNAME record point to another site, and is there anything in a TXT record? We use DNS Checker (https://dnschecker.org/) to look up its DNS records.
The CNAME record shows that the site is hosted on GitHub, which hosts static sites through a feature called GitHub Pages. GitHub Pages names the site after the account, so the CNAME target is a github.io subdomain whose label is the username, here nicolesadeekalhammed. We can search GitHub for that username to find where the repository lives.
The account has only one repository, https://github.com/NicoleSadeekAlHammed/GitHubPages, and it contains the website's code.
The repository and its commits reveal nothing useful until we look at the assets folder, https://github.com/NicoleSadeekAlHammed/GitHubPages/tree/main/assets, which contains 6 pictures; this is where a developer puts the images used only by the website. After cloning the repository and running ExifTool on those pictures, we find that one of them, Picture03.png, carries an Author name. Opening the images shows that they are all profile pictures of her.
Using that name in a social media user search, for example https://www.idcrawl.com/, we find her Twitter profile: https://x.com/MonaAlAyoub. It holds lots of pictures, so she may be a photographer.
Photographers tend to write their name in the bottom right corner of their pictures, so we check that spot on hers. One picture, https://x.com/MonaAlAyoub/status/1952488017194610967/photo/1, carries a Discord link there instead, probably left in by mistake. We can follow that link and see what it contains.
The link discord.gg/y4JHzKv5 is a server invite. After logging in, we see that the server is called Mona, the same name as the Twitter account, and that it has a channel full of notes called self-notes, including the same code used to build the website and the pictures she had posted.
So we look through the notes for any link or password secret. She writes in the server "yooooo I can write whatever I want now," and the channel name confirms she uses it as a notebook. Two key things stand out: a hidden text and an ID, both inside one of the code blocks. Going back to the website and viewing its source, we see that this code is not present there; she probably pasted it into the notes by mistake.
One of the key links seen earlier in the database is a Google Drive folder, https://drive.google.com/drive/folders/1UHKhwvCrGkgW_pgkmYS_vj82LxN2KQDz. Opening it, we find a QR code that points to a YouTube video, https://www.youtube.com/watch?v=BLZWkjBXfN8&list=RDSbjKOI8VTY0&index=9.
From an OSINT perspective we always examine links closely, because each platform has its own identifier format. Twitter identifies posts by a snowflake, a 64-bit ID whose upper bits encode the creation time, so a tweet ID is not random; YouTube uses its own 11-character video ID; Google Drive uses opaque folder and file IDs. Comparing the Drive folder ID with the ID from the Discord notes, we see that both are 33 characters long:
/1UHKhwvCrGkgW_pgkmYS_vj82LxN2KQDz: in the Google Drive link
/1pHudtNFn0cWj6CkGW7Ai-Tjj905tK9xF: in the Discord notes
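The following added example (not part of the writeup) turns that identifier reasoning into code: it guesses a platform from an ID's shape, decodes the creation time hidden in a Twitter snowflake (the tweet ID from the profile link above), pulls the IDs out of the Drive and YouTube URLs, and swaps the Drive folder ID for the one from the notes only after checking that the replacement has the same length and character set. The length and charset rules are heuristics; Drive IDs have used other lengths in the past.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Identifiers taken from the writeup's links.
DRIVE_URL = "https://drive.google.com/drive/folders/1UHKhwvCrGkgW_pgkmYS_vj82LxN2KQDz"
NOTES_ID = "1pHudtNFn0cWj6CkGW7Ai-Tjj905tK9xF"
YT_URL = "https://www.youtube.com/watch?v=BLZWkjBXfN8&list=RDSbjKOI8VTY0&index=9"
TWEET_ID = 1952488017194610967

TWITTER_EPOCH_MS = 1288834974657  # 2010-11-04T01:42:54.657Z
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z (Discord snowflakes)


def snowflake_to_datetime(snowflake: int, epoch_ms: int = TWITTER_EPOCH_MS) -> datetime:
    """The top 41 bits of a snowflake are milliseconds since the platform epoch;
    the low 22 bits hold worker and sequence numbers."""
    ms = (snowflake >> 22) + epoch_ms
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def classify_id(token: str) -> str:
    """Heuristic platform guess from an opaque identifier's length and alphabet."""
    if re.fullmatch(r"[0-9]{17,20}", token):
        return "snowflake (Twitter/Discord)"
    if re.fullmatch(r"[A-Za-z0-9_-]{11}", token):
        return "YouTube video ID"
    if re.fullmatch(r"[A-Za-z0-9_-]{28,33}", token):
        return "Google Drive folder/file ID"
    return "unknown"


def drive_folder_id(url: str) -> Optional[str]:
    """Extract the folder ID from a drive.google.com/drive/folders/<id> URL."""
    m = re.search(r"/folders/([A-Za-z0-9_-]+)", urlparse(url).path)
    return m.group(1) if m else None


def youtube_video_id(url: str) -> Optional[str]:
    """Extract the v= parameter, ignoring playlist noise such as list= and index=."""
    return parse_qs(urlparse(url).query).get("v", [None])[0]


def swap_drive_folder(url: str, new_id: str) -> str:
    """Replace the folder ID in a Drive URL after sanity-checking the new value."""
    old = drive_folder_id(url)
    if old is None:
        raise ValueError("not a Drive folder URL")
    if len(new_id) != len(old) or not re.fullmatch(r"[A-Za-z0-9_-]+", new_id):
        raise ValueError("replacement does not look like a Drive folder ID")
    return url.replace(old, new_id, 1)


if __name__ == "__main__":
    print("tweet posted at:", snowflake_to_datetime(TWEET_ID).isoformat())
    for tok in (str(TWEET_ID), youtube_video_id(YT_URL), drive_folder_id(DRIVE_URL), NOTES_ID):
        print(f"{tok}: {classify_id(tok)}")
    print("secret folder:", swap_drive_folder(DRIVE_URL, NOTES_ID))
```

The snowflake decode is a useful cross-check in OSINT work: it dates the tweet without needing the page, and the same arithmetic with DISCORD_EPOCH_MS dates Discord message and user IDs.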
Replacing the folder ID in the Drive URL with the one from the notes gives us access to a secret folder. It contains an agreement PDF. Once downloaded, the PDF asks for a password, and the hidden text from the Discord server, rszJw|YP}Mg%R.mr0m)#22MGN;I_#0}J{Q0, opens it, giving us the agreement and the flag.
NCSC{L0nG_J0urn3y_H4v3_F1n1sh3d_S33_y0u_S00n_D0nt_F0rg3t_M3_Guys_Fr0m_semo}
Challenge Idea
The player is given a .db file. Checking the links it holds, they pick the right one from context and find that it belongs to a developer. A DNS lookup of the CNAME record then reveals the GitHub username, following the GitHub Pages hosting convention. Visiting that account leads to a repository with some pictures, and running exiftool on them shows that one carries an Author tag. A social media search on that name leads to a Twitter account, where one of the 15 pictures has a Discord link underneath. Joining that Discord server exposes the developer's notes, with two key items: a hidden text and a long 33-character ID. Back in the .db file there is a shared Google Drive link; swapping its unique ID for the one from the notes opens the secret folder, the PDF is downloaded, unlocked with the hidden text as the password, and the flag is recovered.