CSAW CTF 2012: Recon 3

0 Comments | This entry was posted on Oct 03 2012

So, this was the challenge we had to solve:

Julian Cohen – 100 Points Julian Cohen

Obviously, we were given in the search the username HockeyInJune

After scratching our heads and searching his twitter, his github, his websites, we remember a general hint that was given: “Hint for Recon: Lots of judges really like Reddit.”

So, I started searching on Reddit and found one of his comments pointing to a webpage 

You don’t like roosters? :(



On that page we saw the key. Challenge solved! 

CSAW CTF 2012: Recon 1

0 Comments | This entry was posted on Oct 02 2012

We were only provided with the google search string on Jordan Wiens.

From Jordan’s Twitter account, we noticed that he has used the nick @psifertex there. Googling with psifertex led us to But the site contained nothing but the following text:

Nothing to see here, move along.

 What to do next? Let’s see what site’s robots.txt file says. Hmm, something was there.

User-agent: *
Disallow: /
Disallow: /csaw

It means that there is a directory /csaw there. Pretty interesting. We blindly tried to access the index.html there. What we found was the following:

Some Understanding Becomes Dominant On Manipulation And Inquisitive Naming

Don't bother brute forcing file paths, you'll never find it that way.

Collecting the initial letters of the first line gives the word: SUBDOMAIN. But, still the question was: which one?

We tried to google for the subdomain(s) of psifertex:, but the only subdomain we found was Corrupt The Youth. The source of the home page had this line commented:

Stuck! We tried nslookup and got as response. Accessing threw the following error:

Site Temporarily Unavailable

We apologize for the inconvenience. Please contact the webmaster/ tech support immediately to have them rectify this.
error id: "bad_httpd_conf"

We tried the quoted text above as the key, but no luck.

Also we found a download section with a bunch of rubbish documents lying around and one admin login form, too.

As the last resort, we started bruteforcing for possible unlisted subdomains:

The last one was the one which we were hunting for.

Solution: secret sonambulist