2020 OSINT Quiz Writeup 3/6 – Source & JSON
I continue with the 2020 OSINT quiz, this time doing questions for the Source & JSON category.
Intro
At the start of the year I decided to do a writeup of the OSINT quiz 2020. If you’d like to know more about the challenge or want to find the other parts of this writeup you can find links below.
SPOILER WARNING - this article will go over everything, so if you're currently playing the quiz or interested in doing so I would advise that you don't continue reading. Sorry, but knowing the answers spoils all the fun.
Question 7
So, in question 7 we have been asked to find the exact timestamp of the first reddit post linking to https://osintcurio.us.
In order to find this, let's look at
Here's what we know:
· We need to be looking on reddit
· We're looking for a post (not a comment)
· The post is from December 2018
· The post will link to https://osintcurio.us
· The timestamp will be in the source of that post.
The obvious starting place was to find the post in question. Usually to find a post on a website I would use that website's search function. However, Reddit has a reputation for having a pretty poor search feature, and even for non-OSINT use Google is often suggested as the best approach.
I wrote a google dork that I thought would show me pages that link to https://osintcurio.us. It didn't.
This, however, led me to a reddit feature showing all posts linking to the domain, which is not something I expected.
From here, I could see that the most recent post was the bottom one, submitted 2 years ago. This would roughly line up with the appropriate dates, as now to December 2018 would round down to 2 years.
So, I clicked on the link to see more. You can actually just hover over the part that says "2 years ago" and it'll tell you, but I'm going to do this the intended way anyway because it's more educational (and it'd probably be easier to copy the date stamp from the HTML).
I decided the quickest way of doing this would be to inspect the element of the "2 years ago" stamp, as it made sense for it to be there. Upon checking, it wasn't, which is great because I get to be even more educational.
I tried searching for 2018, +00:00 and a couple of other things, and nothing showed up, which I thought was really weird. There was a link to a page that would give us the date, but not the time.
Anyway, I went back to the domains page and it turned out that you can see the date there. It seemed weird to me that it would be on the list of posts, but not the post itself. The biggest difference I could see is that the domains page is using the old reddit interface, and I was viewing the post in the new interface.
I checked the post in old reddit, and I could see the timestamp there, meaning I was pretty sure it was caused by the new reddit interface. To view a page using the old reddit interface, you can just replace "reddit.com" in your address bar with "old.reddit.com" instead. I did double check if an extension I use, Reddit Enhancement Suite, was somehow causing this to change, but it's the same without it. I'm sure there's a way to get this timestamp somewhere in the source for the new interface, but I'd suggest you stick with the old interface as it definitely makes things easier!
Anyway, I handed this timestamp in, and moved onto the next question!
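An added example, not part of the original writeup: pulling machine-readable timestamps out of a saved listing page instead of hovering over "2 years ago". It assumes the page renders each stamp as a `<time>` element with a `datetime` attribute; the HTML and every date in it are constructed, not the quiz answer.

```python
from datetime import datetime
from html.parser import HTMLParser

# Constructed sample of a listing page. The markup shape (a <time> element
# carrying an ISO 8601 datetime attribute) is an assumption; dates are made up.
SAMPLE_HTML = """
<div class="thing"><a class="title" href="https://example.org/b">Later post</a>
  <time datetime="2001-03-04T10:00:00+00:00">19 years ago</time></div>
<div class="thing"><a class="title" href="https://example.org/a">First post</a>
  <time datetime="2001-02-03T04:05:06+00:00">19 years ago</time></div>
<div class="thing"><time>no machine-readable stamp</time></div>
"""

class TimeCollector(HTMLParser):
    """Collect the datetime attribute and visible label of every <time> tag."""

    def __init__(self):
        super().__init__()
        self.stamps = []      # list of [iso_string, visible_label]
        self._open = False    # True while inside a <time> that had a datetime

    def handle_starttag(self, tag, attrs):
        if tag == "time":
            iso = dict(attrs).get("datetime")
            if iso:           # skip <time> tags without the attribute
                self.stamps.append([iso, ""])
                self._open = True

    def handle_data(self, data):
        if self._open:
            self.stamps[-1][1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "time":
            self._open = False

def earliest_timestamp(html):
    """Return (iso_string, visible_label) of the oldest stamp, or None."""
    parser = TimeCollector()
    parser.feed(html)
    if not parser.stamps:
        return None
    # Compare as timezone-aware datetimes, not as strings, so that stamps
    # written with different UTC offsets still sort correctly.
    iso, label = min(parser.stamps, key=lambda s: datetime.fromisoformat(s[0]))
    return iso, label
```

Both posts show the same relative label, which is why the exact value has to come from the attribute rather than the rendered text.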
Question 8
Question 8 asks us to look at a scan from urlscan.io and look at the content in the "X-hacker" header. That content would be our key for the next challenge.
As you can see, URLscan gives us quite a bit of information about a target URL, and it stays saved, meaning that you can look at previous scans, as I'm doing here. If you'd like to mess about with it a bit, here's the scan for my site. I clicked on the API button in the top right corner and was sent to a version of the data in JSON.
You can do a lot with JSON, but luckily you don't need to do anything complicated - I just filtered down for "x-hacker". Unfortunately, I wasn't quite familiar enough with JSON to realise that the string in the image was concatenated, and spent several minutes trying to submit variations of "If you're reading this, …n, mention this header." as the answer. Honestly, I probably should have noticed this earlier, but I just assumed that the message was addressed to someone named "n". This is pretty silly in hindsight, but it made sense at the time!
Luckily, I eventually managed to figure out that clicking the down arrow shows the rest of the text, and submitted the final text as my answer.
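An added example, not part of the original writeup: searching a scan's JSON for a response header in code, which returns the complete value instead of the collapsed "…" form a JSON viewer shows. The sample document, its nesting and its header values are constructed; because the real layout is an assumption here, the search walks the whole document rather than a fixed path.

```python
import json

# Constructed sample shaped like a scan result: nested request/response
# records, each with a headers object. All keys and values are made up.
SAMPLE_RESULT = json.loads("""
{"data": {"requests": [
  {"response": {"response": {"url": "https://example.org/",
     "headers": {"Content-Type": "text/html",
                 "X-Hacker": "Constructed value, long enough that a viewer would collapse it."}}}},
  {"response": {"response": {"url": "https://example.org/app.js",
     "headers": [{"name": "x-hacker", "value": "second constructed value"}]}}}
]}}
""")

def find_header(node, name, path="$"):
    """Yield (json_path, full_value) for every header called `name`.

    Header names are case-insensitive, so keys are compared lowercased.
    Handles {"Name": "value"} objects and [{"name": .., "value": ..}] lists.
    """
    wanted = name.lower()
    if isinstance(node, dict):
        # Name/value pair form: {"name": "x-hacker", "value": "..."}
        if str(node.get("name", "")).lower() == wanted and "value" in node:
            yield path, node["value"]
        for key, value in node.items():
            if key.lower() == wanted and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from find_header(value, name, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_header(item, name, f"{path}[{i}]")

def header_values(result, name):
    """Return all matches as a list of (json_path, full_value) tuples."""
    return list(find_header(result, name))
```

The returned path shows which request the header belongs to, which matters when several responses in one scan carry the same header.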
Question 9
Before I start, I'd like to link to the two articles shown in the email, Getting a Grasp on GoogleID’s and Keeping a Grip on GoogleID’s. They both go into google IDs and how they can be used to track you across multiple google services. I've used this in challenges before, and it blew my mind when I found out about this trick, so I'd very much recommend giving them a read.
Anyway, the question is asking us to find the variable in the website's code that tells us how many planes are currently visible.
Going onto the site, I messed about a bit (technical term), moving around and just generally using the website. I noticed that it was set to track only the visible aircraft. Given this, it seemed likely that the variable showing how many planes are on screen was affecting the "Tracking X aircraft" part of the page, so I started there.
I had a look and there wasn't anything other than the full statement, written in HTML, so I moved on.
I went to the network tab. The GET requests didn't seem to be anything interesting, but the POST requests seemed to contain data about where I was on the map, meaning that this seemed like it would be a good place to find this kind of data.
Having a look at the JSON in the POST request, I couldn't see anything that looked like a variable for total number of aircraft onscreen. I tried submitting acList as in my case that was a list of all aircraft onscreen and would presumably be used to generate the total number of aircraft onscreen, but this didn't work. Eventually, I got kind of desperate and submitted totalAc as my answer. I thought I might have misread the question, and as it turned out I had. It was looking for the variable used to store the onscreen value that showed the total number of planes, not a variable that showed the total number of planes that are on the user's screen. With that submitted, I was done.
Conclusion
This was a great category to play through! Unfortunately I made some mistakes that got me stuck sometimes, but that's part of the learning process, and I feel like I know more about web requests than I did before. I really enjoyed this writeup, and hopefully I'll be able to get onto the next stage soon (hopefully less than a month 😀)