Rating: 5.0

Hidden Dispute (20 solves)
---

SKETCHY challenge!

> So, @inf073chk4, our dispute is still on! I've promised to hack all your hidden services and, believe me, I'll do it!

Finding the handle on Twitter:

![](twitter1.png)

This Russian appears to be very interested in password dumps. Further down the page are two suspicious links:

![](twitter2.png)

The first site gives some clear leads about what to research next (but note that the onion site referred to in the title was inactive):

![](blog.png)

The second is a scummy looking hidden service accessed through a HTTP(!) Tor gateway:

![](onion.png)

Both sites provide a free leak of Amazon credentials, a kind of freebie ~~hacker-mercenaries~~script-kiddies offer to prove they're "legit". The hidden service has an haveibeenpwned-style creds search engine, except that it actually shows the passwords. And the list seems rather comprehensive. Lastly, the source code contains a Neuromancer quote about the consensual hallucination of cyberspace. The challenge wins top marks for style.

Our next step was to search for the hacker in his own credentials dump. Sure enough, a password for his mail.ru account appeared. It worked as an SFTP login on the first website. However after poking around a bit, we found that SFTP was completely locked down. Trying SSH next, we were immediately logged-out—however, not before some stderr flashed up, "could not change directory to /sftp/s00zaran".

The challenge was drip-feeding us clues. After heading down the wrong track a few times, we returned back to nmap scans kicked off in the background, and discovered that the hidden service mentioned by the first website, which did not appear to be up, actually had an open port 22. We used a locally-compiled version of proxychains4 as the SOCKS proxy for these scans, as other software (proxychains3, torify) didn't play nice with nmap.

Trying 's00zaran' as the SSH login for the hidden service, along with the password from the leak, gave the flag.

A lesson about credentials reuse, especially for aspiring script-kiddies. But surely [real cybercriminals aren't that stupid?](https://www.bleepingcomputer.com/news/security/crooks-reused-passwords-on-the-dark-web-so-dutch-police-hijacked-their-accounts/)

Original writeup (https://github.com/hyperreality/ctf-writeups/blob/master/2018-ctfzone/README.md).