Hi there! I hope you enjoy this tricky challenge. It was really fun because it looked like a real-life scenario. So yeah, I hope you have fun.

I made a small mind map. I hope it helps you understand everything and see how all the pieces are connected : )

https://ibb.co/zT7yRjb7

OK, let's start with the description:

How much a person can reveal about himself? connect through nc

So we connect through nc, and we are presented with three options:

1- login

2- Forget password

3- Exit

The Login option requires a username and password, which is our final target. However, at this stage, we have no idea what the correct username or password is, or how to obtain them.

So yeah, let's move to the next step: Forgot Password.

Forgot Password

When we enter a real email address, we receive a message, and that's where everything starts.

Here is the email we received:

From: support@vulnbydefault.com
To: bamaxem963@hudisk.com
Subject: Password Reset Request
Message-Id: <4dmlPS0w8vz3wmM@de-fra-smtpout6.hostinger.io>
Date: Wed,  7 Jan 2026 23:59:08 +0000 (UTC)
X-CM-Analysis: v=2.4 cv=ALriHGRn c=1 sm=1 tr=0 ts=695ef34c a=iGevgHD+Lw1/Gbpf551+wQ==:117 a=iGevgHD+Lw1/Gbpf551+wQ==:17 a=sWKEhP36mHoA:10 a=g8TUdU_LZmEA:10 a=Xsvl1oH0AAAA:8 a=INwbWJrH-rvYCkSZB70A:9 a=CjuIK1q_8ugA:10 a=8RYlvNRTLsSkW-wCn2Mp:22 a=kSDhmIrXGRTD-Z8k7k_I:22
X-CM-Envelope: MS4xfIP/hM4yMDXsP5ufGtctZiYbCdKPAFfstXK+egXbewNZ0zzdXkyrnJ/90aSUNK+ed9pgkJ83wlGjaJVfTArrNywGGGheFcoHCHWTdKmigBEcOOEAtBJ9 9KoCD+DivjhdeR8QTssIPPNKZewK9v+m14pqhBNqOUBqumTb2gWAw+DADFD7lC/6JATpe1tqFtqFjJyoUslSYU6XqVUyEA42fRI=
X-AuthUser: support@vulnbydefault.com
--===============9157127908829319951==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
            Hello,
            Remember if you forgot your password, the company policy for password is to use 3 things that are important in your life as password.
        
            Contact support if you have any questions.
            Regards,
            Owen Rosz
            Owenrosz@vbd.com
            Support Team

OK, now the real work starts.

First important clue

The company policy for passwords is to use 3 things that are important in your life.

Second important clue

            Owen Rosz
            Owenrosz@vbd.com
            Support Team

So now we have a full name, a username, and the company policy:

First Name : Owen
Last Name : Rosz
User : Owenrosz 

OSINT Enumeration

The first hit was an Instagram account.

From the Instagram account, we found four things:

1- Istanbul
2- Turkey
3- Taksim Square
4- cuteomencat

So based on this, we need to identify three important personal elements, similar to common security questions used by companies like Google or Apple.

For example:

What is the name of your favorite pet?
In which city were you born?
What is the birthdate of one of your siblings?

At this point, we already had two strong candidates, so this confirmed we were on the right path.

Note these and move on to the next step, which is to check the cuteomencat account.

This led to a Reddit account

and we have:

DOB: 7 sept 2013 (edited)

Since the date of birth was edited, I tried to find the original value. I looked for deleted posts and comments, but it was a dead end because the Wayback Machine was down.

So yeah, I skipped that part for now and focused on the social links,

which led to something really interesting:

i love my house number its literally leet so nerdy remember its numbers only 

And here was the main trick.

As a CTF player, "leet" immediately translates to:

leet = 1337

Unfortunately, I overthought it and started looking for the actual house location. To be honest, I learned a lot about Iran doing this 😅

So yeah.

Geolocation Attempt (Overthinking Phase)

The first thing we can see here is the language, which is Persian.

Here we can see the number 22010 something if we dig deep into it.

So now we know this image is in Iran, specifically Tehran.

I also saw motorcycles parked in front of what looked like a restaurant or business.

So the real challenge is to find them.

And what makes it harder is that there is no Street View in Google Maps for most streets.

In fact, they have their own Google Maps : )

like Balad and Neshan.

But they were so limited, and many websites you can't access : (

So I found a series of videos of a person who was roaming all over Tehran,

but the hard part is that there are 93 videos there. So yeah, I only see my goals; I don't believe in failure ;)

Until now the plan was:

{first part}{cat name}{house number}
where the first part is most likely the DOB.

The last part was left. So yeah, I focused on these videos and on these points.

So yeah, finally I got a lead.

So now we found that area

Then in that area we found the other motorcycle

which is foodbell

and they currently serve 8 restaurants.

So let's check them with balad ir

But unfortunately, it was the wrong password.

So yeah, let's go back to our findings and see what we have:

city = "Turkey"
leet= "1337"
animal_name = "Omen"
birthday_years= "1995–2025"
house_number = "1-20"

So if you think about it, passwords are mostly going to end with numbers,

which means:

{part1} Omen {part3}

So after making my wordlist, which was huge ngl,

I faced an issue, which was time.

Every container has a 1h limit and our wordlist is huge.

So I came up with an idea: split the wordlist into smaller parts and keep the connection open using the same pipe. I used a single connection to send credentials to the login function. If a login attempt failed, I didn't close the pipe and reconnect; instead, I simply sent the next credentials and retried the login.
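
Seen from the service's side, retrying over one open connection only works when failures are not counted per account. The sketch below is an added example, not the challenge's code: `LoginThrottle`, `handle_connection`, the limits and the sample user are all hypothetical names and values chosen for illustration.

```python
import time


class LoginThrottle:
    """Tracks failed logins per username, independent of the TCP connection."""

    def __init__(self, max_failures=5, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures  # assumed limit, tune per service
        self.lockout = lockout            # assumed lockout length in seconds
        self.clock = clock
        self.failures = {}  # username -> (count, time of last failure)

    def locked(self, user):
        count, last = self.failures.get(user, (0, 0.0))
        if count >= self.max_failures and self.clock() - last < self.lockout:
            return True
        if count >= self.max_failures:
            self.failures.pop(user, None)  # lockout expired, start over
        return False

    def record(self, user, ok):
        if ok:
            self.failures.pop(user, None)
        else:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, self.clock())


def handle_connection(attempts, throttle, check):
    """Process every (user, password) pair sent over ONE connection.

    Returns one result per attempt: "ok", "fail" or "locked".
    """
    results = []
    for user, password in attempts:
        if throttle.locked(user):
            results.append("locked")  # the password is not even evaluated
            continue
        ok = check(user, password)
        throttle.record(user, ok)
        results.append("ok" if ok else "fail")
    return results
```

Because the counter lives outside the connection handler, neither staying on the same pipe nor reconnecting resets it.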

So yeah, after some really hard work,

the real password was:

1337Omen2003
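
Every part of that password is a fact from the public profiles plus a four-digit year, which is exactly what the "3 important things" policy encourages. As an added example (not part of the challenge), here is a check a service could run when a password is set; the token list is constructed from the findings in this write-up, and the function names are hypothetical.

```python
import re

# Constructed profile: tokens taken from the findings listed in this write-up.
PUBLIC_TOKENS = {"owen", "rosz", "owenrosz", "omen", "cuteomencat",
                 "istanbul", "turkey", "taksim", "1337", "leet"}
YEAR = re.compile(r"(19|20)\d\d")  # any plausible birth or anniversary year


def segment(password, tokens=PUBLIC_TOKENS):
    """Return the public tokens that fully spell `password`, or None.

    Dynamic programming over prefixes: best[i] holds one segmentation of
    password[:i] into known tokens or 4-digit years.
    """
    pw = password.lower()
    best = [None] * (len(pw) + 1)
    best[0] = []
    for i in range(len(pw)):
        if best[i] is None:
            continue  # this prefix cannot be built from public facts
        for j in range(i + 1, len(pw) + 1):
            piece = pw[i:j]
            if piece in tokens or YEAR.fullmatch(piece):
                if best[j] is None:
                    best[j] = best[i] + [piece]
    return best[len(pw)]


def is_guessable(password, tokens=PUBLIC_TOKENS):
    """True when the whole password is made of public tokens and years."""
    return bool(segment(password, tokens))
```

A password that this check flags should be rejected at set time, since anyone who can read the same profiles can rebuild it.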

The funny thing: after I solved it, I asked the admin what the idea was.

So yeah, maybe I was overthinking, but at least a win is a win : )