STACK the Flags was a CTF organised by GovTech’s Cyber Security Group (CSG) over the weekend from 4th — 6th of December. I took part in this CTF in hope to hone my skills in various aspects of cyber security and the challenges in this CTF were certainly insightful. My team and I have definitely learnt a lot from this CTF. Here is the write-up for the OSINT challenge that my team did not manage to solve during the CTF and only managed to do so slightly later after the end of the competition. Let’s get started! 😃
Challenge Name: What is he working on? Some high value project?
Challenge Description: The lead Smart Nation engineer is missing! He has not responded to our calls for 3 days and is suspected to be kidnapped! Can you find out some of the projects he has been working on? Perhaps this will give us some insights on why he was kidnapped…maybe some high-value projects! This is one of the latest work, maybe it serves as a good starting point to start hunting.
Flag is the repository name!
Challenge Category: Open Source Intelligence (OSINT)
For this challenge, we were only given a link to the developer’s portal. This webpage is shown below:
After scrolling through the webpage, there does not seem to be any useful information regarding the lead Smart Nation engineer. However, there are some Github repository links on the bottom of the webpage which belongs to the various departments/groups in GovTech.
This is where my team went off in the wrong direction for several days. Initially, we thought that the repository would be contained in either the Github repository links listed or the forums/blogs of the respective departments. Hence, we spent a long time sourcing for information on these forums/blogs as well as Github repositories but to no avail.
Just hours before the CTF ends, I decided to inspect the source code of the webpage. Here is where I obtained an interesting piece of information:
We can see that the source code contains a comment which says: “Will fork to our gitlab — @joshhky”. This seems to be a comment written by the developer with the username joshhky.
At this point, I made yet another mistake again by having a tunnel vision of finding a user with that username on Github only. Needless to say, this user does not exist on Github. I even thought that the user perhaps changed his username after posting this comment and thus, I spent the time to see if there is a way to track his Github gists etc, which might point us to an account with his new username.
After some time, I decided to take a look at Gitlab instead of Github, since that was mentioned in the comment. Perhaps it was the lack of time before the end of the CTF, I was too fixated on a wrong clue again, by trying to find repositories associated with GovTech. This was obviously in the wrong direction as well, unfortunately.
Just 30 minutes before the CTF ends, it struck me that I have not checked if this user exists on Gitlab yet! I immediately did a quick search on Gitlab and sure enough, a user with the username joshhky was found.
I quickly clicked on the user profile to see if we are able to discover the project that he is currently working on. I noticed something interesting in the activity section of his profile:
My team worked on the challenges in the Mobile category where Korovax was mentioned as well. I made the link that KoroVax group could contain the repository of the high value project that the lead engineer is working on.
Hence, I took a look at the repositories found in KoroVax group as shown below:
With 10 minutes left, I tried all three repositories name as the flag since the challenge description mentioned the flag is the repository name. However, these three repositories were incorrect.
I decided to take a closer look at each repository, by visiting the website of each repository in hope of finding any new clue on what joshhky is working on.
It was right that I focused on korovax-employee-wiki repository as I assumed that it would contain employee information such as their roles, projects etc. However, I made a mistake by looking at the website instead of the README file in korovax-employee-wiki repository.
The website did not contain any information about Korovax or their employees. This actually stumped me as this was not what I expected for the repository website. Another mistake was to look at the content folder of the repository to source for possible information. Before I knew it, time ran out and the CTF has ended.
Just 5 minutes after the CTF ended, I realised that the repository that joshhky is working on is stated clearly in the README file in korovax-employee-wiki repository😱.
It is stated clearly in the README file that Josh is in charge of krs-admin-portal. The sentence following which also stated that not all repository should be made public.
Hence, it was clear that the project or respository name that Josh (Lead Smart Nation Engineer) is working on is krs-admin-portal!
In fact, the README file also pointed out that the repository site is just a POC (Proof of Concept) site. Hence, it will not contain any useful content, which is an opposite of what I had expected previously.
Therefore, the flag for this challenge is
It was definitely regrettable that I did not manage to find the correct repository before the CTF ends after reaching so far 😢
However, this does allow me to learn that when solving a CTF challenge, one should never have a tunnel vision.
In addition, one should always remember to step back and take a look at the bigger picture or rethink their strategy in solving a challenge again if the current method does not seems to be working out!
Such take-aways are definitely worth more than the points associated with the flag and would help me become better at the next CTF! 😃