No Country for Old Keys

CATEGORY - OSINT

TL;DR

The challenge asks for Anthony McConnolly's API key. After searching for his online presence and using tools like Sherlock to find additional accounts, I discovered his GitHub profile. I then found a hardcoded API key in a GitHub repository and submitted it successfully.


Solution

Step 1: Investigating Anthony McConnolly

The challenge asks for Anthony McConnolly's API key, so my first step was to search for his name online. A quick Google search led me to his LinkedIn profile:

Unfortunately, there wasn't much information there, so I decided to use Sherlock, a tool for finding social media accounts associated with a username. I used the LinkedIn slug and ran Sherlock, but got no useful results.

Next, I decided to check X (Twitter), a popular platform for developers, to see if Anthony McConnolly had an account there. After searching, I found his profile:

Although there was no immediate useful information in his posts, I gained another potential username: antmcconn.


Step 2: Using Sherlock Again

With the new username antmcconn, I ran Sherlock again. This time, I found several results:

Among these results, the GitHub account caught my attention, so I clicked the link:


Step 3: Finding the API Key

On his GitHub profile, there was only one repository. I opened the repository and checked the code. In the main.c file, I found the following line:

To investigate further, I checked the History of the file to see if an actual API key was previously hard-coded. After browsing through the file history, I found this:


Step 4: Submitting the Flag

I submitted the API key: ap9gt04qtxcqfin9. The flag was accepted!


Final Flag


Notes

  • Sherlock Tool: Useful for finding social media profiles based on usernames.

  • GitHub Repository: Always check the file history for potential sensitive information like hard-coded API keys.

  • Keep an Eye on Comments: Sometimes, sensitive information can be exposed in comments or file histories, so check the history if needed.
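The file-history check from Step 3, turned around for a maintainer auditing their own repository. This is an added example, not code from the challenge or its repository. It parses `git log -p` text and reports key-like literals along with whether each one still exists at HEAD. The regex, the function name scan_history, the sample log, its hashes and its key are all constructed for illustration, and a linear history is assumed.

```python
import re

# Name containing api_key/secret/token, then a quoted literal of 12+ key-like characters.
SECRET_RE = re.compile(
    r'(?i)\b(\w*(?:api_?key|secret|token)\w*)\s*[=:]?\s*["\']([A-Za-z0-9_\-]{12,})["\']')

# Constructed sample of `git log -p` output (newest commit first); hashes and key are made up.
SAMPLE_LOG = '''\
commit 2222222
    Read the key from the environment

diff --git a/main.c b/main.c
--- a/main.c
+++ b/main.c
@@ -2 +2 @@
-const char *api_key = "EXAMPLEKEY0123456789";
+const char *api_key = getenv("API_KEY");
commit 1111111
    Initial commit

diff --git a/main.c b/main.c
--- /dev/null
+++ b/main.c
@@ -0,0 +1,2 @@
+#include <stdlib.h>
+const char *api_key = "EXAMPLEKEY0123456789";
'''

def scan_history(patch_log):
    """List secret-looking literals in a patch log and whether each survives at HEAD."""
    commit = path = None
    net = {}        # (path, value) -> lines added minus lines removed over all commits
    findings = []
    for line in patch_log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("--- a/", "+++ b/")):
            path = line[6:]
        elif line.startswith(("--- ", "+++ ")):
            continue    # the /dev/null side of an added or deleted file
        elif commit and line.startswith(("+", "-")):
            for name, value in SECRET_RE.findall(line[1:]):
                key = (path, value)
                net[key] = net.get(key, 0) + (1 if line[0] == "+" else -1)
                findings.append({"commit": commit, "path": path, "op": line[0],
                                 "name": name, "value": value[:4] + "****", "_key": key})
    for f in findings:
        f["at_head"] = net[f.pop("_key")] > 0   # False: gone from HEAD, still in history
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        print(f)
```

A finding with at_head set to False is the situation in this challenge: the literal was replaced in the current file but anyone who can read the history can still recover it, so the key needs to be rotated rather than just deleted.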
