[ESAIP CTF 2022] - The Proof of the Malware
Here is the writeup of
The Proof of the Malware, a cool OSINT challenge categorized as
medium during the ESAIP CTF.
After some time without anybody solving the challenge I managed to first blood it🩸.
According to the instructions, we are searching for someone who is working at
The first idea that came into my mind is to do some research on LinkedIn. To do this, I used a simple Google dork :
The first result seemed interesting.
Apparently, there is a certain
Noe Trimax working at
Metacortexxs as Informatics Specialist. Interesting 👀. So I went on his profile to find some more informations.
As you can see, I saw there was some additionnal contact informations on his profile.
In order to see this, you have to be logged in on a LinkedIn account. Otherwise you’ll miss it !
The investigation proceeds with the finding of his email.
I can now pivot on EPIOS. For those who doesn’t know the tool, it is an OSINT search engine that allows performing reverse email search. Using it, I am able to retrieve information linked to an email address without notifying the user.
Holehe, we can see that Noe’s email is used on two different websites : Github and Twitter. Since we have to find the proof of the development of a virus, the github seems to be the most interesting place. But let’s see if I can find something interesting on his Twitter account (like a link to his github profile for example).
In order to find his Twitter account, I just typed his username :
Sadly, there’s nothing interesting on his profile. But I liked his bio. (:
Here’s the tricky part of the challenge. I had to use a technique that is not very well known in order to find his github profile. Because yes, it is actually possible to find a Github username only with the associated email.
To do so, I needed to make a commit on a personal repository with the flag
--author. The value of this flag must respect the following format :
--author="Name <firstname.lastname@example.org>". In this case, I ran the following commands :
Then, I went on Github in order to find out Noe’s account :
Hmm, so he is the so-called
Und3rc0ver-h4xx0r-fr0m-the-m4tr1x. The cover is burnt Noé.
By going on his profile, I can see there’s an interesting repo :
The repo called
Backdoor-python-polymorph is very suspicious, right ? Let’s see what’s in there.
It looks like we’ve found our virus development proof here. I was quite chocked when I found out that Linus Torvald was involved though 😢 !
Now we have to find the flag. Let’s see the commits :
We can see there’s plenty of them. After some manual inspection, the
added bin and header one contains what I was looking for : the flag.
Thanks to the author Hippie for this challenge. It was very entertaining and it was a great opportunity to put some light on this secret github technique.