Secret Code Hunt: Aware Online Academy OSINT Challenge #002

Greetings everyone,

I always love doing OSINT challenges and have recently found out that Aware Online has a trove of free and paid OSINT challenges in Dutch.

I began with doing OSINT Challenge #002.

After completing this challenge I now know how to agent spoof, find valuable information in a website’s source code and protect myself against malicious code by disabling JavaScript.

In this blog I will outline what I learned and the steps I took to solve this OSINT challenge.

Let us begin!

The challenge

More details about the challenge can be viewed here.

FYI: Please keep in mind that these challenges are written in Dutch, since the language of communication in my blog is English, the challenge has been translated accordingly.

Secret code

As indicated, this task consists of finding a number of secret pages and secret codes. Once you have found all the secret pages and codes, they will result in one final code. To complete this challenge, you need to enter this code below. Your challenge starts on this page.

I began the challenge by going to the linked page.

Status = Fail

Sorry. You cannot access our secret page because you do not have the correct user-agent. You can find the correct user-agent in the source code of this page.

The text tells us that to proceed we must find the correct user-agent in the source code of the page.

What is the user-agent?

According to developer.mozilla a UA is a HTTP request header that represents a person, such as a browser. A user-agent string can look like:

"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0".

The developer.mozilla page notes as well that a user-agent could be a web scraping bot, a download manager or another app. It also mentions that some browsers employ agent spoofing, where browsers will send a fake UA string to announce themselves as a different client.

Time to agent spoof

DISCLAIMER! Although agent spoofing can be used ethically, there are many nefarious ways to employ this feature. I do not condone/encourage agent spoofing for any nefarious means.

From the information provided in the developer.mozila webpage and the challenge task, it seems that we have to first find the appropriate user agent to do some agent spoofing and ‘pretend’ to be a different client.

First, I decided to look for my own user-agent in the source code. To do this I started with opening the developer tools on Safari. Then I went to Network -> useragent_mismatch -> Headers. Then I refreshed the page and scrolled down until “Request”, where I could see my user agent.

Finding the “correct” user-agent

Initially, as I knew very little about the user-agent I decided to look for patterns in what a typical user agent string looks like. So I broke it down. The user agent string contains information about wether or not the page is compatible with Firefox, the platform, the Gecko version and the browser.

With this information I used the find function in the source code and entered “gecko”.

Through this I was able to find the navigator.userAgent.index0f string, which contained the correct user-agent.

The correct user-agent is: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/75.0.3770.142 Safari/537.36

Changing my user-agent

To change my user agent in Safari I went to Develop -> User Agent -> Other…

Then I pasted the correct user agent found in the source code and… done!

We are automatically refreshed to a new webpage.

When was the page last updated?

You have found the correct user-agent to view this secret page. The following message is located on another secret page on our website www.academy.aware-online.com. The name of this page is the time this page was last updated. For example, is the time 17:10:06? Then use the notation “zeventienuurtien” as the name of the page.

According to the page description, the next task is to find when the webpage was last updated. With this value, we can then access another page and move on with the challenge.

In the source code we can find when this page was published under the “datePublished” string, and can also find out when it was modified under the “dateModified” string.

According to the source code the page was last modified at: 2024-04-19T10:06:13+00:00

With this information I typed in the search bar: http://academy.aware-online.com/tienuurzes/

And with that, we have moved onto another secret webpage. I proceeded to click the link to go to the next task and page.

Time to go to: https://academy.aware-online.com/challenge_voltooid/

Disabling JavaScript

After accessing the challenge_voltooid page a bunch of pop-up messages appeared on my screen, they read as follows:

You are viewing this page with a web browser

A web browser was created to execute JavaScript

JavaScript can contain malicious code

This could have been malware, for example

Then your computer might be infected now

Fortunately that is not the case

But you haven't solved the challenge yet

And that has to do with JavaScript

Go back to the 'challenge_voltooid' page

Good luck :)

Based on the messages we can learn a valuable lesson when gathering open source information, we need to be aware of the potential risks that come with it and protect ourselves accordingly. One of them being malicious code being executed and infecting your computer by having JavaScript enabled.

To disable JavaScript on Safari we can go to Safari -> Settings -> Security and untick the “Enable JavaScript” box.

After that I went to https://academy.aware-online.com/challenge_voltooid/ with my JavaScript disabled and was able to access the webpage with the secret code.

And there we have it! I then typed the secret code onto the first exercise page to complete the challenge.

Until next time! :)