ch1se
  • Home
  • CERTIFICATES AND PARTICIPATIONS
    • HackTheBox - Cyber Apocalypse CTF 2025: Tales from Eldoria
    • The SecOps Group
  • bitsctf-2025-writeups
    • HotPause
  • BRONCOCTF-2025-WRITEUPS
    • theflagishere!
  • ACECTF-2025-WRITEUPS
    • The Mysterious Building
    • Social Circles
    • Broken Secrets
    • Cryptic Pixels
    • Tabs&Spaces
  • PEARLCTF-2025-WRITEUPS
    • Hidden Marker
    • SentMail
    • Van Gogh's GARBAGE hunt
  • 1753CTF-2025-WRITEUPS
    • Dude where is my car
    • Happy New Year!
    • Somewhere in Space
  • CITCTF-2025-WRITEUPS
    • Timesink
    • Throwback to the Future
    • No Country for Old Keys
  • BYUCTF-2025
    • Universal-ty
  • OSINT-WRITEUPS
    • gralhix
Powered by GitBook
On this page
  • TL;DR
  • Solution
  • Step 1: Investigating Anthony McConnolly
  • Step 2: Using Sherlock Again
  • Step 3: Finding the API Key
  • Step 4: Submitting the Flag
  • Final Flag
  • Notes
  1. CITCTF-2025-WRITEUPS

No Country for Old Keys

CATEGORY - OSINT

PreviousThrowback to the FutureNextUniversal-ty

Last updated 1 month ago

TL;DR

The challenge asks for Anthony McConnolly's API key. After searching for his online presence and using tools like Sherlock to find additional accounts, I discovered his GitHub profile. I then found a hardcoded API key in a GitHub repository and submitted it successfully.

Solution

Step 1: Investigating Anthony McConnolly

The challenge asks for Anthony McConnolly's API key, so my first step was to search for his name online. A quick Google search led me to his LinkedIn profile:

Unfortunately, there wasn't much information there, so I decided to use Sherlock, a tool for finding social media accounts associated with a username. I used the LinkedIn slug and ran Sherlock, but got no useful results.

Next, I decided to check X (Twitter), a popular platform for developers, to see if Anthony McConnolly had an account there. After searching, I found his profile:

Although there was no immediate useful information in his posts, I gained another potential username: antmcconn.

Step 2: Using Sherlock Again

With the new username antmcconn, I ran Sherlock again. This time, I found several results:

[*] Checking username antmcconn on:

[+] AllMyLinks: https://allmylinks.com/antmcconn
[+] Freelance.habr: https://freelance.habr.com/freelancers/antmcconn
[+] GNOME VCS: https://gitlab.gnome.org/antmcconn
[+] GitHub: https://www.github.com/antmcconn
[+] LibraryThing: https://www.librarything.com/profile/antmcconn
[+] Mydramalist: https://www.mydramalist.com/profile/antmcconn
[+] NationStates Nation: https://nationstates.net/nation=antmcconn
[+] NationStates Region: https://nationstates.net/region=antmcconn
[+] Spotify: https://open.spotify.com/user/antmcconn
[+] TorrentGalaxy: https://torrentgalaxy.to/profile/antmcconn
[+] Twitter: https://x.com/antmcconn
[+] YandexMusic: https://music.yandex/users/antmcconn/playlists

[*] Search completed with 12 results

Among these results, the GitHub account caught my attention, so I clicked the link:

Step 3: Finding the API Key

On his GitHub profile, there was only one repository. I opened the repository and checked the code. In the main.c file, I found the following line:

#define API_KEY "YOUR_API_KEY_HERE"

To investigate further, I checked the History of the file to see if an actual API key was previously hard-coded. After browsing through the file history, I found this:

#define API_KEY "ap9gt04qtxcqfin9"

Step 4: Submitting the Flag

I submitted the API key: ap9gt04qtxcqfin9. The flag was accepted!

Final Flag

ap9gt04qtxcqfin9

Notes

  • Sherlock Tool: Useful for finding social media profiles based on usernames.

  • GitHub Repository: Always check the file history for potential sensitive information like hard-coded API keys.

  • Keep an Eye on Comments: Sometimes, sensitive information can be exposed in comments or file histories, so check the history if needed.