Complete Transparency

Challenge:

At ICMP Industries, we recently created a new subdomain off of our company website. Since our new super secret project is still in development, we chose a long subdomain so no one will know to visit it yet. We also went ahead and upgraded the site to use HTTPS to be more secure.

The flag is the name of our secret subdomain. Note there are dashes between words instead of underscores since it's a domain name.

Update: The right domain redirects to Cloudflare when visiting it - the company isn't hosting anything at the main website, but just off their secret subdomain

Update 2: super_sketch_subdomain_not_so_sketch_flag is not the right subdomain, keep looking. That subdomain was used in an old problem we built.

Solution:

Between the combination of the challenge’s title and the description mention, that they had “…upgraded the site to use HTTPS” I had enough of a clue to know that certificate transparency logs were key to solving the challenge. The first issue though was determining which domain I should be searching for the subdomain. A quick Google search for “ICMP Industries” returned a link to a Twitter account for Bob Fischer(CEO of ICMP Industries) but none of the tweets provided links to a domain.

Early on in the competition “Update 2” was added to the challenge description which then made it fairly easy to identify the domain. Performing a Google search for “super_sketch_subdomain_not_so_sketch_flag” returned just two results, AlienVault and Hybrid Analysis malware reports for “super_sketch_subdomain_not_so_sketch_flag.icmpindustries.com”. Yup, I’m a bit embarrassed that I hadn’t simply tried “icmpindustries.com” to begin with. Moving on…

The Certificate Transparency framework is a standard that provides the ability to monitoring SSL Certificates. A domain owner can leverage the framework to track certificates being issued for a subdomains of their domain, and in much the same way I can use it to solve this challenge. Google provides a search interface where certificates can be searched by the domain. I performed a search for “icmpindustries.com” and one subdomain was in the results: