Challenge - Week 10
Bjørn Johansen at Buovet has run off with our flag; rumour has it he has hidden it on a password-protected web application he wrote himself. Can you find it for us?
Submit the correct answer via this form, and comment with a suitable GIF or an emoji in the comment field on #bouvet-informerer to join the draw for a 🎁
This was a challenge to show that no matter what you post publicly on the Internet, you need to consider if and how that information can be used by others.
Solution
First off, we need to find “Bjørn Johansen” working at “Buovet”.
All Roads Lead to Rome, but here’s the train of thought we had in mind while creating the challenge.
Let’s try Facebook, one of the most common social media platforms.
Upon searching for his name + workplace, we quickly found him!
His FB profile URI is /bjornjohansen066.
We can see a harmless picture of him showing his development progress on the infamous Buovet Secret Security Flag Vault.
This doesn’t really help us, though. Where can we find more clues?
Facebook supports “social links”, where many people put their profiles on other social media. Bingo!

On Instagram, Mr. Johansen uses the same profile picture and states his workplace. He has posted a lot of silly photos, mainly aviation-related, but one photo actually stands out.

Once again, an innocent picture.
Except for the post-it that he forgot to remove before taking a picture of his screen.
It contains a message; what might that be? Buoveterbestingenprotest! Either he’s just very proud to be working at Buovet, or that’s a secret string for something. Let’s note it down.
In our quest of finding out more info about him and his Internet trails, let’s find our beloved Bjørn Johansen on LinkedIn as well.
He also linked his profile from Facebook and wrote about it on Twitter, but since LinkedIn is a place to brag about what you do for a living, we can just find him using the search bar.
He actually held a presentation about security very recently. What might that be?
Let’s check it out!
https://lnkd.in/eUGGx55
Oh! On slide #3, we can find a URL to his proudly built vault!
https://uke-10.bouvet.dev/admin
Twitter wasn’t listed among his Facebook social links, but let’s try the very same FB/Instagram/LinkedIn profile URI there as well!
Nope.
Oh, right: Twitter only supports usernames of 4 to 15 characters.
Let’s try removing the last digit of the username, visiting https://twitter.com/bjornjohansen06.
Bingo!
The Vault
Entering the correct password, found on his Instagram, Buoveterbestingenprotest!, reveals the flag!
Bonus way of finding Mr. Johansen
Many people have seen a pattern in the URLs we use for the recent challenges, and just trying to visit uke-10.bouvet.dev will actually take you to a simple splash page.
In the source code of the HTML page, we can find
Access Denied !
<!-- Code By bjornjohansen066 -->
Using that nickname in the HTML comment, we can search for it on various social media, or just Google him, preferably using the dork inurl:bjornjohansen066 to find every indexed URL that contains the word “bjornjohansen066”.
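As an added example (not part of the original challenge or write-up), here is a small Python self-audit that pulls the comments out of a page’s HTML source, flags handle-like tokens such as the one above, and shows how a reused handle gets truncated under a platform’s username length limit (Twitter’s 4 to 15 characters, as used in the write-up). The sample HTML and the “looks like a handle” heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a splash page source, modelled on the one described above.
SPLASH_HTML = """<html><body>
<h1>Access Denied !</h1>
<!-- Code By bjornjohansen066 -->
<!-- TODO: remove debug banner -->
</body></html>"""

# Assumed (min, max) username lengths per platform; Twitter's 4-15 is the one the write-up relies on.
HANDLE_LIMITS = {"twitter": (4, 15), "instagram": (1, 30)}

# Heuristic (an assumption): a word starting with a letter, at least 6 chars, containing a digit.
HANDLE_RE = re.compile(r"\b(?=[A-Za-z0-9_]*\d)[A-Za-z][A-Za-z0-9_]{5,}\b")


class CommentCollector(HTMLParser):
    """Collects every HTML comment so a site owner can review what ships to the browser."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def html_comments(source):
    """Return all comments found in the HTML source, in document order."""
    parser = CommentCollector()
    parser.feed(source)
    parser.close()
    return parser.comments


def leaked_handles(source):
    """Return handle-like tokens that appear inside HTML comments (the leak in the bonus route)."""
    return [tok for c in html_comments(source) for tok in HANDLE_RE.findall(c)]


def fit_handle(handle, platform):
    """Truncate a reused handle to the platform's max length; None if it is too short to exist there."""
    low, high = HANDLE_LIMITS[platform]
    return handle[:high] if len(handle) >= low else None


if __name__ == "__main__":
    for h in leaked_handles(SPLASH_HTML):
        print(h, {p: fit_handle(h, p) for p in HANDLE_LIMITS})
```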

Ending words
You also have to keep in mind that all information you post across various social media (or regular media) can be collected and used to piece together more detailed data. In this challenge, the pieces are spread across several platforms, and none of them is particularly harmful on its own. But pieced together, they give you everything you need to access the secret vault.
Also, the photo of Bjørn Johansen is stolen from https://thispersondoesnotexist.com/.
The flag
BVT{Careful what you put on the internets}