Challenge Description
A Jordanian national, wanted by authorities and identified by the name MajidSharif, which remains unverified, has been taken into custody. During forensic analysis of his device, the most frequently used application on his laptop was a well-known music app, and a .kdbx file was discovered, which he refuses to unlock, claiming it contains credentials that must remain secure. Meanwhile, our CTI platform issued an alert regarding a data leak from a breached database.
When he noticed this alert through the room window, his face visibly reddened, suggesting he recognized exactly where the leak originated. Although we didn’t confront him directly, the situation raises significant suspicion. We’re considering investigating the leaked database further, as it might contain valuable information that could advance our current investigation or potentially help us reveal the actual flag.
Challenge Solution
Based on the question above, the only things we have now are a secured .kdbx file, the use of a well-known music app, and the name MajidSharif.
Opening the .kdbx file requires a password before the saved credentials can be checked.
The first thing that comes to mind is to search Google for well-known music apps. The top result is Spotify, and as a plus, the question name has the rhythm of "fy".
We search Spotify for the name mentioned in the question, MajidSharif.
We can see MajidSharif; he has some playlists related to Arabic songs.
Going to the followers section, we can see that there is a user called SharifMazari. Once we view his account, we can see that he also has playlists, but one captures our attention: a playlist named LotfiWaleed whose picture shows MajidSharif and SharifMazari together, as we have seen their faces on their Spotify accounts.
If we think about it, LotfiWaleed is a name. Having both of them in the same playlist picture makes it more curious, as it may indicate something. If it is a name, we need to check whether any social media accounts use it.
Using https://www.idcrawl.com/ to search for LotfiWaleed, we can see that he has a Twitter account with the same picture as MajidSharif, so it may be his real name, since within the question the name remains unverified.
Checking the Twitter account, we can see that he has Bitcoin posts and other music-related posts, but there is one post that mentions the data leak.
One thing that comes to mind in relation to "Hub" is GitHub. Searching there for LotfiWaleed or MajidSharif, we can’t see anything.
But if we search for the same text as in the Twitter post, we can see the related repository. Why is that? Because the description of the repository is indexed, but the actual content within the files won’t be, so searching for text that appears only inside the files, without knowing the repository name, won’t be beneficial. Another question: why search for the same text? Lots of people copy text from online resources and paste it as it is, especially in news.
Opening the repository https://github.com/EmadbinSaeedAhmad/Leaked and searching for LotfiWaleed, we can see that it has the value below:
LotfiWaleed kder , Ha_A&d3mIS(cC8*2kwIg
Using Ha_A&d3mIS(cC8*2kwIg as the .kdbx unlock password, all of a sudden we can see that it has opened.
Checking the passwords, we can see that there is a https://pastebin.com/ link with a provided password.
But the actual unique link that is used for that password is not presented. Going back to his Twitter account, we can see that there is a tweet in which he mentioned a code, and the word within the .kdbx
Appending that code to the https://pastebin.com/ link, the resulting link is https://pastebin.com/fqFDka80
Using the password within the .kdbx file, we can see that the flag is presented: NCSC{L0tf1Wal33d_bu_M@j1dShar1f_Ha_A&d3mIS(cC8*2kwIg_kdbX_uNL0ck3d}
Challenge idea
The player will check some of the most well-known music platforms, then search for the given name in Spotify, check the followers section, and then notice a suspicious playlist name whose picture shows the same two people as the previous accounts. Based on that, he will find a Twitter account for the identified username. He then goes to GitHub based on the "Hub" keyword hint, searches for the presented text, and searches for the newly identified name in the identified repository. After that, he will use the password presented to unlock the .kdbx, then check the Pastebin link, select the unique ID based on the one presented in the Twitter post, and open it using the password within the .kdbx.