LeakerJo

Challenge Description

A Jordanian developer was involved in a data breach targeting the company he worked for. The compromised data appears to contain sensitive information related to the CEO company. At this point, all we have is the underlying breach data itself, and it’s uncertain whether it has been removed from public access. Our goal is to identify and interpret this breach data, as it may hold the flag we’re looking for.

Download

Challenge Solution

Once we open the folder we can see anything, upon executing ls-a we can see that we have .git folder, based on that we can execute the git log and git show as git show displays details of a specific commit (diff, message, metadata), while git log lists the commit history)

As as can see we have a .pdf file and .txt file, but directly we can’t access the .pdf file to check it’s contents, we can execute the underline command, that takes the file version stored in that commit and writes it to a file

git show commit:file.pdf > file.pdf

So now we have the .pdf and the contents of .txt, opening the .pdf we can see that it need a password to open it, checking the .txt contents we can see that it have 2 links, one that is related to https://rentry.co/ and the other one is related to https://chatgpt.com/.

Once we open https://rentry.co/ine4uvar link we can see that he is describing a location “A city carved into red rock cliffs, hidden deep in the desert. Its buildings and tombs are made straight from stone, shaped by ancient hands. Visitors walk through a narrow canyon before the city suddenly appears. At sunset, the whole place glows like it’s made of fire.”

If we search for “A city carved into red rock cliffs” we can see that he is talking about Petra

Going to open the other link, https://chatgpt.com/share/6885051a-fb64-800c-9784-a6c47732e0e8 we can see that it is a history base conversation as there is a chat of how can you make a platform that is similar to X.

Going back to the Git commands output we can see that there is a username mentioned as that’s the username of the GitHub account from where the leaked data was downloaded

Going to GitHub and check that username there, we can see that there is no Repositories, the only thing there is his birth date and a description that shows the company name and that he is it’s CEO.

As we have previously seen, there is a Chat About to make a platform similar to X, so if we searched the same username within Github, in x.com we can see that he have an account there https://x.com/RabieZayeed

Checking the followers section, we can see that he follows, lot’s of Jordanian, but one account is that seems to be related https://x.com/BekraBaseel, as opening that account we can see within the description section that he is a developer in the same company where the CEO works.

In summary there was on tweet about how people can make passwords, and he is learning about encrypting and encoding data as they where presented in multiple posts

For password creation, as a summary of what he have said, that normal people can make a password based on things they like and combining with a long date followed them for years as it is an indication for birth date, based on that the upper text was related to Petra and the CEO was born in 23/12/1989 mentioned in the GitHub account so the password will be Petra23121989

Using the Petra1989 as a Password we can open the .pdf file and see the data within it

47 5a 43 55 57 36 53 47 4f 4e 54 47 49 59 5a 57 49 4a 47 46 43 4d 5a 57 4d 46 5a 55 59 59 54 54 4e 56 4a 56 45 35 44 52 4a 52 58 48 41 52 42 58 4f 4a 4c 55 49 35 4b 46 4a 4e 33 47 32 34 4b 44 47 45 33 44 47 57 44 56 49 52 5a 44 53 51 32 52 4d 4e 42 45 4d 4d 32 47 4b 52 32 45 45 52 33 58 47 52 47 56 47 34 54 59 4a 4e 34 44 49 4d 54 32 4e 4e 53 58 41 52 4c 56 4f 46 44 55 59 59 54 55 49 52 44 58 45 56 42 55 4e 4a 58 58 53 33 33 43 49 52 43 45 59 4f 4b 53 49 35 46 57 4f 5a 44 59 4b 4e 33 44 45 56 4a 57 49 5a 44 57 51 35 4c 4a 4a 56 46 54 49 55 43 42 4d 52 55 44 4b 55 32 4c 4c 46 32 45 4d 53 44 55 4b 56 4e 45 4d 57 52 58 47 5a 43 54 4d 35 53 4c 4f 4e 42 45 43 32 32 32 4f 52 44 55 4f 57 4b 53 4b 41 5a 45 49 52 53 52 49 46 54 46 55 52 54 57 4f 46 4d 57 36 54 4b 49 4a 4e 4a 55 43 55 53 4e 4b 35 35 44 45 36 4b 51 4d 5a 53 56 49 36 4a 59 4b 42 45 46 47 33 4c 57 47 35 47 56 4d 53 32 43 47 35 45 46 51 33 4b 57 4e 46 5a 56 51 57 54 46 4b 56 49 58 47 55 52 53 4e 42 55 47 47 36 4b 55 50 4a 53 44 47 57 52 54 4f 5a 59 57 36 5a 33 54 4a 59 5a 45 4f 34 32 5a 4b 35 41 56 47 36 54 45 4a 4a 5a 57 51 4f 4b 47 4d 5a 53 44 47 5a 43 58 4f 4a 49 47 51 55 53 42 4a 56 42 47 49 57 53 52 4f 5a 4a 55 4f 57 54 4c 4d 52 56 44 4d 51 4a 57 4d 34 34 55 49 36 4b 55 4b 4a 4d 46 55 34 44 46 4c 4a 4d 44 4f 35 32 44 49 4d 32 56 4b 56 5a 59 49 4a 43 55 4f 5a 42 56 4c 46 4c 58 4b 35 42 5a 47 35 33 57 32 36 54 55 4b 4a 4b 57 32 54 53 51 4a 52 46 47 57 53 54 42 4e 4e 41 58 47 54 4b 4e 4f 42 34 56 47 36 43 4e 4e 4a 57 54 4d 33 53 55 4d 4e 49 56 43 51 4c 59 4a 4a 42 58 4d 53 44 52 4d 35 5a 46 4f 35 5a 54 4b 4a 59 47 36 32 5a 58 4c 46 32 54 47 52 52 58 4b 42 57 56 49 56 53 51 4f 52 5a 57 36 34 32 45 49 46 4a 55 43 53 42 59 49 46 56 58 53 56 4c 48 48 46 51 58 45 57 4b 52 4b 42 56 45 4b 54 53 5a 47 4e 58 48 4b 51 33 59 4b 42 44 58 4d 51 4a 59 48 42 4b 58 4f 59 33 4b 48 42 5a 48 43 56 32 32 48 45 34 57 45 4f 44 42 47 4e 5a 47 45 54 44 58 49 56 32 46 47 32 53 32 4d 52 5a 44 43 5a 54 32 49 56 5a 58 43 4e 32 4c 4b 42 57 54 47 32 33 5a 47 4d 34 57 34 56 4c 5a 4d 46 35 44 51 53 53 4b 4d 56 49 48 55 5a 53 51 4d 5a 4d 44 43 52 4c 55 4c 42 51 58 47 5a 44 4b 4d 35 44 48 53 55 32 53 47 56 42 57 34 55 44 42 4a 4e 34 48 4d 52 54 51 4e 35 48 46 4b 35 4c 49 4a 52 5a 57 4f 56 44 59 50 46 42 55 32 4d 52 52 47 52 54 58 43 33 32 55 4b 35 46 55 49 34 53 4c 47 52 47 57 4b 5a 5a 52 4d 56 4a 47 36 5a 54 57 4f 52 52 56 49 55 4b 53 4b 4a 46 47 32 54 53 52 4c 4a 34 55 57 32 53 44 47 55 34 48 49 4e 4a 58 4b 55 5a 48 41 35 33 52 4e 46 54 55 59 52 54 4c 4f 42 32 47 34 35 53 56 48 42 32 46 4b 57 53 52 47 59 59 55 57 54 44 4c 4c 4a 47 58 49 34 53 57 49 46 41 57 32 33 52 59 49 35 47 45 43 56 4c 47 48 46 53 55 45 56 44 50 4b 52 4a 44 53 52 53 45 50 42 43 54 49 57 54 4f 4d 4a 49 56 53 4d 4c 4c 48 42 34 47 49 4e 4b 57 47 46 5a 45 43 57 44 59 4c 45 32 45 43 54 54 52 48 46 44 54 4f 5a 32 49 4f 35 42 58 4d 5a 5a 53 49 51 5a 56 4b 4e 44 4f 48 42 33 44 49 57 4a 54 49 35 43 56 49 35 53 4b 4a 59 34 45 55 56 33 44 47 4e 48 44 4b 54 42 56 4b 41 34 57 49 33 4a 58 4c 45 59 55 59 35 4c 59 4b 4e 33 46 47 52 4b 48 4f 56 4c 56 51 52 4b 46 4b 45 32 54 4b 53 33 4a 4d 49 5a 48 45 34 32 43 4b 4a 4e 45 49 57 4c 4a 49 45 32 56 51 57 54 52 49 4e 32 56 41 59 54 53 4f 56 4c 44 51 57 44 4b 49 46 33 44 43 5a 43 44 4f 59 59 57 57 51 5a 54 49 46 57 54 45 4e 4b 55 47 56 4a 46 45 35 4b 4f 4e 4e 33 58 4b 32 4a 52 49 52 4e 45 45 34 54 4e 47 35 52 47 4b 4e 54 43 4c 45 33 46 55 55 4c 57 4e 4d 32 47 4d 4d 4c 54 4f 35 42 46 51 55 4b 4d 47 35 49 58 4b 32 43 51 4d 55 32 57 32 5a 5a 5a 49 46 52 56 53 4d 4a 53 4f 4a 54 55 34 34 4b 4b 50 42 59 45 57 4e 52 5a 4f 46 4b 46 51 52 44 58 4a 52 57 57 53 54 4b 49 4f 4e 47 47 49 33 54 56 4a 56 59 45 45 51 4c 49 4f 52 49 44 4b 51 4c 57 4b 4a 45 47 57 59 4c 32 50 42 55 48 41 33 53 5a 4e 46 5a 57 43 4e 4b 42 4a 51 34 58 53 56 33 42 4d 56 42 54 45 34 32 49 50 46 56 57 55 32 54 51 4c 42 42 44 4b 56 43 58 4e 4a 58 48 41 5a 43 53 4a 4e 55 56 49 33 33 42 49 55 5a 55 49 59 4a 56 4c 41 32 54 47 36 44 42 4e 56 4d 55 49 4d 32 46 4a 56 55 46 49 5a 32 5a 4f 5a 53 55 51 5a 4c 54 50 4a 4c 57 47 51 4b 5a 4b 5a 42 44 51 4d 32 57 4f 41 5a 57 47 55 4c 49 48 42 58 47 49 36 43 44 4b 52 41 56 4b 35 4c 4a 4d 4e 42 58 45 55 4c 53 4e 46 33 56 51 32 4b 55 4f 5a 34 54 45 56 43 48 4e 4d 32 54 49 33 53 43 4a 4a 49 58 45 36 52 5a 4e 35 57 58 43 5a 42 56 4e 56 56 57 4f 55 53 46 47 52 5a 48 55 5a 4c 49 4f 52 46 46 47 5a 43 5a 4d 52 56 57 43 53 44 57 4a 49 34 57 51 57 4a 52 49 4a 4b 45 4f 53 53 46 49 4a 54 45 4d 36 44 4e 47 45 59 58 55 4e 4c 56 49 5a 49 44 49 52 54 57 4e 42 32 57 55 56 32 56 4a 4a 5a 45 45 5a 42 55 4e 46 34 46 45 4e 33 52 4d 5a 58 56 47 4e 4b 45 4d 5a 59 54 51 33 4c 52 4c 46 49 47 47 52 44 5a 4d 56 4c 55 59 36 43 44 4e 5a 43 46 4b 33 32 4d 49 5a 47 55 47 34 32 4f 4d 46 34 56 55 54 4a 55 4a 52 4c 44 4f 34 42 56 49 4e 4d 58 41 54 43 45 4a 4e 52 47 4f 52 4b 46 4a 42 47 48 4d 4e 33 48 4a 4a 4d 47 57 36 4b 46 4b 59 34 47 4d 55 54 32 4b 4e 46 45 49 57 53 55 4c 49 34 47 45 33 4b 32 4e 42 45 44 45 4d 4b 4c 4d 49 5a 46 43 32 43 57 4b 4d 34 57 32 57 4c 4e 4e 55 5a 48 4d 55 4c 54 4b 42 47 48 49 56 53 5a 4b 4e 47 54 4b 54 4c 57 4e 56 4a 47 47 56 53 4f 50 42 47 55 47 56 54 4f 4a 4e 32 46 43 52 4c 4c 47 35 59 46 4b 54 54 32 4d 35 52 57 55 51 4c 51 47 52 4d 55 59 54 43 59 4b 4a 43 48 53 59 4b 5a 50 42 42 55 47 32 53 4c 47 4a 5a 46 55 55 4a 54 50 42 4a 46 55 59 54 46 4d 35 4b 58 45 55 44 53 4c 4a 53 48 43 52 43 43 4b 4a 4b 57 4d 59 54 57 4e 35 58 55 4f 4d 4c 4c 4d 4a 53 54 45 51 32 51 47 5a 32 44 47 56 44 55 4b 56 55 58 4b 33 32 32 49 56 54 57 4d 34 43 58 4d 52 43 58 53 52 4b 4d 4b 42 4c 47 57 34 4b 47 47 35 54 58 55 4f 44 59 47 35 59 44 4f 4d 4b 53 50 42 4d 45 59 53 32 49 49 52 4c 47 4f 5a 4c 55 47 51 59 57 51 55 42 54 47 35 43 57 51 35 32 45 4b 4a 34 45 4d 36 4c 56 4a 4e 56 46 51 54 43 4e 4a 5a 43 46 49 52 53 54 4e 4d 34 58 4b 4d 5a 59 4f 35 59 45 4d 53 42 59 4b 52 33 55 43 56 4b 58 4b 52 4a 56 4b 5a 4c 4e 4b 42 5a 45 51 55 4a 54 4d 51 5a 47 55 51 4a 58 4a 52 57 55 4f 53 44 46 4b 56 32 55 45 32 4c 58 4c 4a 58 56 43 55 33 51 4d 5a 4b 58 49 51 33 53 49 56 53 58 4d 56 43 42 4b 42 56 54 49 56 53 53 4d 4a 51 57 43 5a 4c 55 50 46 33 54 47 53 42 58 4c 4a 42 44 4f 35 43 53 4a 4e 52 45 55 51 32 45 47 55 33 54 4d 35 44 4f 48 46 55 56 41 52 4b 49 47 56 59 48 43 5a 33 43 4f 46 49 45 43 54 44 55 4c 42 4b 46 4b 51 54 45 4a 5a 54 46 51 56 43 43 47 4e 44 57 36 5a 53 4d 47 46 58 55 34 51 33 54 4b 46 49 57 36 56 53 44 4b 56 4e 46 49 4e 32 32 4c 46 52 46 4d 35 59 3d

As we see the data is somehow encrypted, or encoded we can’t identify, but we can put the data within CyberChef and apply the same encoding algorithm that the developer have mentioned based on the time these resources have been posted, and we will use the reverse of it, so as an example if he posted about based64 encoding we will use base64 decode, also note that we will select the encoding algorithm based on the post order, for example the last post is the last algorithm that he used for securing the data so we will use the reverse of it first.

For the -2 if he studied first base64 do that means he is referring to base62 we know that base on simple search within a google search or simple ChatGPT prompt then check the order of them based on the order we have had within the posts

Based on the upper executions we can see that there is a link related to https://rentry.co/

Internal memo from CEO RabieZayeed reveals expansion plans into three new global markets by Q2 next year. Confidential budget allocation of $12M earmarked for AI-driven product enhancements. 

Early prototype of "Project Horizon" mentioned, promising breakthrough in virtual collaboration tools. 

Hiring strategy includes recruiting 50 top-tier engineers from rival firms. Zayeed’s message emphasizes “speed, innovation, and bold risk-taking” as pillars for 2026 growth.

For more Information Check this Link: https://rentry.co/47podscy

Opening that file we can see that the flag is revealed NCSC{By3By3_Z@y00di_Th3_Rabi3_Zay33d_Hunt1ng_C3O_w@Z_D0n3}

Challenge Idea

The question will be based on basic git commands that will be used to retrieve files from specific commit, and then using the username that we have seen to check other social media accounts based on shared ChatGPT conversation history, then make a relation based on the followings and followers with company name and the seen tweets that are about used encoding algorithms and most crafted passwords idea, based on that the protected .pdf file can be opened by apply them in reverse order base on the learned encoded algorithm to retrieve a clear text with link for the flag.