Challenge Description
Tariq Salahdin Haruni is an Arabian entrepreneur living in Miami. He claims to own over 90 properties there, and honestly, he makes me feel like a failure sometimes. I’m just a guy in my early twenties trying to enjoy life. But for him, it’s all about the money. However, an account was created that exposed his secret, which, if fully uncovered, could destroy his entire reputation. All I need is that secret, and with it, I can bring him down for good.
Challenge Solution
Using Sherlock to perform a social media hunt for the username tariqsalahdinharuni, we discovered an account on Chess.com: https://www.chess.com/member/tariqsalahdinharuni
Upon reviewing that profile, we found three things in the account description: an account name, SalahdinTariq; a Jordanian flag, which relates to what the question says about him being from Jordan; and the text "no state is the best state".
We can use a Google dork to look for the text "no state is the best state" in anything related.
This text is mentioned on Twitter by @jack (Jack Patrick Dorsey, the co-founder of Twitter), so we will search Twitter for the username that we have.
After accessing the Twitter account https://x.com/SalahdinTariq, we found several posts where he posts about his Miami properties and wealth.
However, one post stood out: it showed him working on his PC, and a website called https://rentry.co/ was visible on the screen. This site allows users to anonymously store information using Markdown.
By visiting the exact link shown in the image, https://rentry.co/48n2mn7y, we discovered a PGP public key. We then went to the website cirw.in/gpg-decoder, which parses PGP public keys to extract readable embedded metadata such as username and email. Because public keys are structured and ASCII-armored, tools can safely decode and display fields like fingerprint, key type, and creation date. Once that was done, we uncovered an associated email address and a username: IrisnigricansHaruni
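What such a decoder reads from a published key, as an added example (not code from the original writeup or from the decoder site): a minimal OpenPGP packet walker that pulls the User ID, creation time, algorithm and v4 fingerprint out of an ASCII-armored public key. The function names and the sample key are assumptions constructed for illustration; the sample is not the key from the challenge.

```python
import base64, hashlib

def dearmor(text):
    """Return the binary packets inside an ASCII-armored block (CRC-24 not verified)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # after the blank line, before the END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) per OpenPGP packet, old and new header formats (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                        # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                 # old format: tag in bits 5-2, length type in bits 1-0
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate lengths are not handled")
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]
        i += n

def key_metadata(armored):
    """Collect what anyone holding the public key can read without any secret."""
    info = {"user_ids": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:         # primary v4 public-key packet
            info["created"] = int.from_bytes(body[1:5], "big")    # Unix time
            info["algorithm"] = body[5]                            # 1 = RSA
            info["fingerprint"] = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        elif tag == 13:                       # User ID packet: "Name <email>"
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

def sample_key():
    """Constructed sample (not the challenge's key): dummy RSA material plus one User ID."""
    pub = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + b"\x00\x08\xff\x00\x02\x03"
    uid = b"Example User <user@example.com>"
    raw = bytes([0x98, len(pub)]) + pub + bytes([0xCD, len(uid)]) + uid
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(raw).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----"
```

Calling key_metadata(sample_key()) returns the name and email in plain text, which is why the User ID on a key published anywhere should be treated as public information tied to that identity.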
Using Sherlock to perform a social media hunt for the username IrisnigricansHaruni, we discovered an account on GitHub.
Upon checking her GitHub account https://github.com/IrisnigricansHaruni, we found three repositories. She claims to work as a cybersecurity engineer at the same company mentioned by SalahdinTariq in his Twitter account, SaharaNoor TechVentures. This suggests she might possess some confidential information related to that company.
In one repository, there were 4 .eml files. Opening them revealed emails from tariqsalahdinharuni to IrisnigricansHaruni and vice versa, instructing her to delete his secret. He also promised to double her salary: “As you requested, I have sent you my secret please don’t share it and delete it.”
When attempting to download and open the PDF file, we found it was password protected.
While analyzing the Trash repository, we came across a Wireshark capture file containing 190+ TCP packets. Each packet appears to be a question. To determine its usefulness, we examined email4 and found two questions, "Did you get the files?" and "What did you do?", followed by another message: "Why asking these questions!!!". These match the question-based theme and the message lengths found within the pcap file.
If we search for these lines within the capture, we find that immediately after the "Did you get the files" packet, there is another message stating "Searching for WadibinAya?".
We used the phrase WadibinAya as a potential password for the PDF, as the message suggests this phrase is the key we’ve been looking for in our ongoing search for the password.
After obtaining the password, we used it to open the PDF file. Although the document appeared empty at first, hovering over the page revealed hidden text that could be highlighted.
Based on this, we highlighted and copied the text into a notepad or Notion to examine the actual content provided.
The hidden text reveals that tariqsalahdinharuni was communicating with his friend AliAhmadBinSaad, discussing how he had been printing money since the start of his career. He offered to teach Ali how to do the same, but only in exchange for 30% ownership of his company.
He also shared a suspicious number that resembled a hex-encoded string. Applying ROT13, based on his tweet mentioning that 13 is a constant in his life, won’t work, but if we try XOR, it will work.
The string revealed a link, https://rentry.co/u2SCS7b8qqm, and opening the link led to the flag NCSC{M1@m1_De@l_H@v3_B33N_Hunt3d_PGP_HuB}
Challenge Idea
In this challenge, the main theme is to follow a digital footprint across various platforms through usernames and metadata. Starting with a social media search with Sherlock, it follows hidden clues from the profile, decrypted messages, GitHub repositories, and traffic patterns from emails and protocols. The challenge elements include inspecting a PGP key, password-protected documents, and encoded strings that reveal criminal activity and the hidden flag.