We have a leak - OSINT Challenge

Alright so I found the ‘default’ pass, and based on the previous challenges I have a good idea what the pass for the zip should be but I’m pretty stuck now :confused: If anyone can give me a nudge I’d appreciate it, I’ll gladly pass along my process so far.

Pays to keep it simple on this one and read things carefully.

As others have said, all answers are on social media.

Both files will unzip with the correct password.

Phew, finally got it :smiley:
Turns out my zips were just acting weird on Windows.
While I got a popup for the password on ‘password.zip’, it was actually asking for the password to username.zip. Knocked me off-course for a while. I actually had the correct passes since pretty much the beginning, I was just using them in the wrong order :))

Hey guys, I’m a new chicken here and I was working on the Infiltration challenge. So, I’m stuck on Twitter now. Seriously do not know where to go / what to do next.
Can anyone please DM and guide me through this part please? That’d be really awesome. Thanks :))

I am totally lost here. Any guidance from anyone would be really amazing! I think I may be along the right lines and just not piecing it together right but I really don’t know what I’m doing at this stage :smiley:

EDIT:
Solved - turns out I was barking up completely the wrong tree but I solved it after coming back to it. Happy to point others in the right direction if anyone needs a prompt.

@Py0t3r said:

This is crazy, I’ve got the username password for the zip file, the logic on that was rather simple but cool, now the zip password pass I don’t have a clue on that one, I found something but not sure if I have the correct frame for this one…

EDIT: Oh well, apparently I was just guessing and not using the right technique… can’t say the name… awesome challenge…

Someone actually registered the domain name making this CTF kind of difficult. Someone might go down the path of trying to actually hack the domain thinking it is part of the CTF…

EDIT: Done.

Got a semi-working pass for the second stage, getting an error though.

Edit: Got it, silly mistake

I need the password. Tried logging in with different variations of the password, changing season and year, not sure what is wrong. Any hint please?

PS: Never mind, I had a typo

Can someone give me a small nudge for the username? I’m fairly confident that I have all the necessary data for both the username and the password but apparently I’m entering it the wrong way.

Got it, must have messed up the input at the beginning and never bothered to try again :slight_smile: thanks to @jmehys

Can anyone give me a nudge as well? Found some information from Twitter but not too sure if the order or case of the input matters?

Thanks to everyone who has been a great help, especially H11 and 0byte. I’ve managed to get the password to the last zip file after some manual “brute forcing”. I realised that I already had the password in my list of “to try passwords” but I had probably mistyped it while keying it in.

Is the password for the username.zip an actual password or is it a username? I feel like I’m going the wrong direction.

Username. There are two options, nickname and email… here it is just one of those two.

Is it mandatory to be registered on Twitter?

@Sedekt said:
Is it mandatory to be registered on Twitter?

No, but they make it difficult to use the “Tweets and Replies” tab on a user’s profile. You can still view the tweets and retweets made without logging in, but seeing what someone replied to is more difficult. The search function will work, however.

Can someone send a nudge?

I got through username.zip and am at password.zip.

I think I’ve found all of the relevant Twitter profiles, but am failing at putting together useful intel from the info on the profiles. Currently, I’m trying to bruteforce it, but I’d prefer to do this the right way (and without the numerous hours that bruteforcing is going to take).

Just need a push in the right direction. Thanks!

@Sedekt said:
Is it mandatory to be registered on Twitter?

While I’m stuck where I’m at, I can say that for OSINT, having burner profiles on all the SM platforms is pretty much mandatory. You shouldn’t have it tied to anything that would identify you as you - just use a burner email to register and don’t use your phone. If you really want to pull out the stops - only use the profile through a VPN or TOR.

Well, I’ve finally got the challenge. All the info was in front of me, I just needed to put the puzzle together.

No Twitter account used, but it was trickier.

The reason I don’t have one for Twitter is that it always asks me for a phone number, but using the 10 min SMS doesn’t work.

Btw, great challenge!