0xk4k45h1
Active Directory
Domain Enumeration
Kerberoast
Kerberos Delegation
LLMNR poisoning
SMB relay
Shadow Credentials
CTF
0xL4ugh 2024
0xL4ugh 2026
Arab Cyber War Games Qualifications 2024
CyCTF qualification 2024
ICMTC Qualification 2024
IEEE Victoris 2024
PortSwigger
Wani CTF 2024
HackTheBox
Machines
Administrator
Cicada
Devvortex
Drive
Editorial
Haze
Instant
Intuition
PC
Visual
Sherlock
Mobile Pentesting
Android
Android Basics
Android Dynamic Analysis
Android Static Analysis
Mobile Hacking Labs
Home
Contact
Copyright © 2024 |
Yankos
Home
>
CTF
> 0xL4ugh 2026
Now Loading ...
0xL4ugh 2026
OSINT: Clowns APT (medium)
Welcome Welcome to my walkthrough. This is very special for me, cuz it’s for the first time for me as Challenge author. And this is more special cuz the challenge is in 0xl4ugh CTF 2026. Huge thanks to my friend Mushroom who collaporated with me in creating this challenge. The challenge is solved 18 times in 41 hours. Congratzz to 0xfun team for the First blood and Let’s dive into the walkthrough. Description Hello agent 73 You have a new mission. We have a victim to some kind of attacks, but we aren’t sure about the full impact until now. This is the message we received from the victim: “Hi, I’m a beginner nodeJS backend developer. I was practicing my skills on developing a random project. After I finished my work I didn’t find my work (seems to be deleted) and found this strange image (attached below), am i really hacked ?!!” You only have this image, Agent 73. Do your job. Solution This is SOCMINT (Social Media Intelligence) challenge Here we are going to solve this challenge. This won’t be just a solution, but also discussing why we used this approach to get the flag. Let’s dive together and I hope you enjoy the challenge ;) foothold on the first the threat actor When we examine the image attached well we will find many interesting info: youssifseliem may lead us to the hacker’s identity instapoo may lead us to a domain controlled by that APT The victim is nodeJS developer After searching for instapoo we didn’t find any useful information. instapoo is a rabbithole and won’t lead you to a valuable info, but youssifseliem will. I need to get any useful information and i only have the username: youssifseliem using sherlock which is an open source tool for Hunting down social media accounts by username searching through search engines like Google, bing, ….etc. When i used sherlock i got results like this Not all of them will be useful of course, but github was more than enough. Let’s visit https://github.com/youssifseliem We found this github profile page We have many notes here The person in the image is almost the same as in the attachment of the challenge, but without sunglasses xDDD. This means that we are on the right way and this is this person is one of our targets. There are additional links in the bio to other profiles for the same user and this gives us more space to know more about him. I’m not active on github recently :((((( What can I do here? I can navigate the repositories of this user’s github account, but i didn’t find an interesting repo. After that I went to the links in the his bio He shared linkedin , FB , his personal blog links. His personal blog was more interesting for me. In that blog a found more profiles for him. At this point: I navigated the blog for any project related to nodeJS development (as given in the challenge description) of something useful, but i didn’t find I started my deep search in his social media accounts attached in his blog. After going to the next step, I remind you that reaching this point can be from other paths as example you can find X account directly by searching on google or bing and his personal blog link will be right there at his bio. Finding the desired conversation This search may take some time, but i prefer starting with the accounts with less activity. So I made FB and Linkedin my last resort and started with X , reddit . When i open reddit and look carefully i find this post. This was the second post in his profile. The post seems to be normal but the comments are very interesting. From the last comment i think that youssifseliem and MushroomWasp collaborated in creating a packages in the past and these packages seems to be malicious cuz they called them pranks. and when we link the puzzle’s pieces together we will remember that in attached image in the challenge we had 2 persons, so we are likely on the right way. Checking Mushrooms blog Let’s check the blog of Mushroom When we visit his own profile on reddit we find this Let’s visit this blog and look for the challenge he was talking about which is called stylish boss Mushroom has a great content btw, so i needed to search using CTRL + F to get the blog fast. A very valuable blog BTW, and we found out target. Let’s check it for the package as they said earlier. Finding Mushroom’s packages When we read the writeup we will see that there’s a package called metadata-stripper on NPM and It’s the only package mentioned in this writeup. Let’s go to NPM for more information and after moving forward we should remember here that the victim is nodeJS developer and he suffered from a malicious as he thinks, so the package is more likely will be on NPM . This makes me happy and comforts me about being on the right way. Reaching the target package When we search for this package in npm we find this It’s created by mushroomwasp, but this package isn’t malicious as we saw in the writeup so it is not out target. Let’s look at mushroomswasp npm profile. only terminal-style-pro is the interesting one for us, cuz metedata-stripper is already checked and xsstesting is almost empty When we examine the source code here and deobfuscating it we will find that it loads theme from /lib/path Note: The code isn’t that hard to understand, you can use AI for deobfusication and understanding it. When we go to that path and examine theme.js file we will find that it does the malicious action as mentioned in the challenge description like this Getting the image from .?.theme (should be the image attached with the challenge as mentioned in the description) then decodes it using b64 then saves it on victims machine Getting the flag So this is what we are looking for when we decode the text in .?.theme file we will find this image This is totally right and this all we have uptil now. After some time i noticed that there’s old versions of this package when i examined 1.0.0 i found that the behavior is the same and difference is in .?.theme file only. Let’s decode it now and we got the flag 0xL4ugh{1_th1nk_w3_c0uld_f0rm_4_g00d_4pt}
CTF
· 2026-01-25
<
>
Touch background to close
