Persona

An open source intelligence challenge on the topic of information gathering. Solved by me (nabilmuafa) with the assistance of daffainfo.

Part 1

We were given a website, https://persona.chall.cyberjawara.pro/. The website is a simple personal page.

The persona challenge page.

Upon inspecting the website source code, apparently there's a hidden part of the flag commented in the HTML. We'll get back to this later.

Part 1 of the flag.
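The same check can be run from the publishing side, before a page goes live. The following is an added example, not code from the challenge or from the original write-up: it lists every HTML comment in a page with its line number and flags the ones that look like leftovers. The sample HTML is constructed (only the flag fragment comes from this write-up), and the `SUSPICIOUS` pattern is an assumed heuristic.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; the real challenge HTML is not reproduced in the write-up.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
  <head><title>Edina Salmin</title></head>
  <body>
    <!-- navigation -->
    <h1>Hello, I'm Edina</h1>
    <!-- TODO remove before publishing:
         CJ{19f43f6db73281 -->
    <p>Find me on Facebook.</p>
  </body>
</html>
"""

# Assumed heuristics: a flag-style prefix, a long hex run, or a reminder keyword.
SUSPICIOUS = re.compile(
    r"[A-Z]{2,}\{|[0-9a-f]{12,}|\b(?:todo|secret|password|key)\b", re.I
)


class CommentCollector(HTMLParser):
    """Collects (line, text) for every HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the opening "<!--"
        # Collapse whitespace so multi-line comments read as one string.
        self.comments.append((line, " ".join(data.split())))


def find_comments(html):
    """Return all comments in the document as (line, text) tuples."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def suspicious_comments(html):
    """Return only the comments that match the SUSPICIOUS heuristics."""
    return [(ln, txt) for ln, txt in find_comments(html) if SUSPICIOUS.search(txt)]


if __name__ == "__main__":
    for ln, txt in suspicious_comments(SAMPLE_HTML):
        print(f"line {ln}: {txt}")
```
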

Part 2

Entering the Facebook page from the website, there's not much information because the user has no friends (literally). The user only has a few posts. The interesting ones are only those with pictures.

The user's photos.

The most interesting one is the Visual Studio Code screenshot.

The VSCode screenshot.

At first, I thought the next step would be going to the APP_ID or APP_SECRET and doing some OSINT to find the Facebook app metadata. But it turns out that the code in this screenshot is a clone from this GitHub. So this is a red herring. Upon closer inspection, there is a Pastebin link in the bottom-left terminal.

Truncated pastebin link.

Although promising, this link turned out to be truncated, because the URL leads to a 404 response (I also felt like this link doesn't have the usual Pastebin link length). The usual Pastebin link has 8 characters as its ID on the path, so I created a script to brute-force all alphanumeric characters, append them to the link, and find which link leads to a 200 response.

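import requests as r
import string

# Truncated Pastebin URL from the screenshot; the last ID character is missing.
url = "https://pastebin.com/raw/a9v29gi"
for i in string.printable:
    # Pastebin IDs are alphanumeric, so skip punctuation and whitespace.
    if i.isalnum():
        res = r.get(url + i, timeout=10)
        if res.status_code == 200:
            print(url + i)
            break

The result of running the script.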

Opening the page gives us the second part of the flag.

The second part of the flag.

Part 3

Looking for the third part took me quite some time. I searched social media with the keyword "Edina Salmin", tried Google dorking, searching in DuckDuckGo, but none gave any results. Then I got curious, maybe the personal website has another path that contains the flag? I tried going to the /flag endpoint and found something interesting.

The 404 page of /flag.

The personal page is hosted on GitHub, just with a custom domain. It means there might (must) be a GitHub repository and account hosting it. I dig'd the website to find its original URL (the .github.io URL) and found edsalmin.github.io.

Dig-ing the website using the web interface.

It means that the user's GitHub account username is edsalmin. Upon stalking the GitHub account, I found the repository for the personal page. Checking the first or second commit of the repository gives us the third part of the flag. Initially, this was the information supposed to be hidden in the personal page, but it was changed into part one.

The third part of the flag.

Part 4

After the third part, I was stuck for some time, until my teammate daffainfo assisted in finding the fourth part. The fourth part of the flag was hidden (not so hidden, actually) in edsalmin's gist: https://gist.github.com/edsalmin. I also got some insight here: if an OSINT challenge requires us to check for a GitHub account, also check its gist; we might find some interesting information.

The fourth and final part of the flag.

Gathering all the parts, we have the flag.

part 1: CJ{19f43f6db73281
part 2: 14eea9e1b939f40bc
part 3: 453fdb0b69a4e0006
part 4: 575e49e55fc187cc}

CJ{19f43f6db7328114eea9e1b939f40bc453fdb0b69a4e0006575e49e55fc187cc}
