About
This challenge was a 24-hour OSINT-based ctf. I found it was a lot more about using your brain than using your computer, which was a really cool change of pace. Some of the challenges were absolutely outrageous but that just made the whole thing even better.
This is the roundup and these are the results.
Thank you!
A huge shoutout to the following awesome people who made it all happen:
Organisers / Mods
You are all wonderful people and put on probably the best CTF I have ever done.
Teammates
- team:
#!/bin/false
- @Naraka
- “JakePaul”
You two were both integral parts of the team and we wouldn’t have ended up where we did without you.
You’re the best ❤️
Categories
The challenges were broken down into three categories (two if you don’t count the tutorial).1
Tutorial
1 challenge
- a search engine warmup.
General
7 challenges
- Wider context, use public data sources to find answers.
Social
15 challenges
- Based on social media, traverse social networks to find more clues.
Challenges
Just a quick note, some of the links in these writeups may break eventually. Unfortunately, the web is one big decaying monster 🤷
Tutorial Island
Description
Welcome to the CYBAR Open-Source Intelligence CTF. Most challenges can be solved with a browser and some know-how - online tools might help too.
When you find something, whether it be a picture, text, code or whatnot, you can submit it into the CTF server by putting the ‘flag format’ around it. For example, if the flag asked you to find the name of a yellow fruit, and yo confirmed it was a banana, you’d submit “CYBAR{banana}”. Don’t worry too much about caps, it’s not case-sensitive.
To kick it off, let’s try your first flag. You get into work, boot up your system and hit Spotify up. You can’t remember the name of the artist or song you were listening to the other day but it put you in the ZONE. Scratching your head, you remember just a line of lyrics…
“In the name of the Spam God, that’s what’s up”
Huh. Let’s do a quick search and see if we can find the artist, and submit as a flag. When done, you can kick off their playlist to pair with the CTF.
Method
This was just a quick warmup task, so nothing super difficult here. Mods were even kind enough to supply the correct google dork in the description.
Put "In the name of the Spam God, that's what's up" into your favourite search engine and you’re off to the races!
Flag
You’ve heard of elf on the shelf, but what about the proliferation of COVID-19?
Description
The Roombas are trying to gain the upper hand over the human population. We believe they’re going to target pivotal industries such as real estate, critical infrastructure, information security and healthcare. We don’t know who yet, but we know it’s a group of close friends and all are infected with COVID-19.
We need to enact Contact Tracing - finding every detail about their lives in order to predict and contain their movements. No one has heard from them since March. We must build up details about them for the agents to then take over. That’s where you come in.
Our first piece of intelligence is a gentleman by the name of Marc Hevis - a co-owner of Hevis Properties Pty Ltd. We have agents ready on the ground, and others covering all his other social media
- your task is to find his Twitter account.
Method
Essentially we have to find the existence of “Marc Hevis” on twitter. There are a few different ways to do this, but I chose to search with: site:twitter.com marc hevis.
We can click on the first result which is for @HevisMarc. We cross-reference some information on his bio to confirm that this is the correct person (he’s the CTO of Hevis Properties according to the bio).
Another good clue in this instance is that the account has few tweets and was recently created which suggests that it was purposely made for the CTF.
Flag
Contact Tracing - Part VII
Description
Pong may have travelled international recently, and we need you to find out which city he was in.
Method
Okay, so to do this challenge we were kind of doing the whole Contact Tracing asynchronously as we chatted about it on Discord. So it was a little out of order, but that didn’t affect the task too much.
After scanning over all of the mutual followers of @HevisMarc
, we knew that
Pong was a mutual connection and after searching on twitter with:
!tw from:HevisMarc
we can see that Marc has replied to one of Pong’s tweets.
Just finished! On to find some crab 🤗 pic.twitter.com/C7dP1pQwCJ
— Li "Pong" Weiqi (@LiPongWeiqi778) March 4, 2020
This tweet seemed to be the most likely to suggest that Pong had been overseas. By way of a fluke I recognised the insignia on the building as being similar to the Sri Lankan Flag 🇱🇰.
As the building was quite large and “imperial-looking”. I searched on duckduckgo for sri lankan government building, and after scrolling through the images I found a building that had the same two distinctive inverted glass entry covers.
Interestingly, the correlating image was on an Austrian website (who would have guessed?). The caption of the Austrian site said that it was taken in Colombo.
Flag
Contact Tracing - Part III
Description
We need more locations Alycee may have or will visit in the future.
What is the first name of the park that Alycee likes to visit?
Method
This challenge was part of the wider Contact Tracing series, and Part I asked us to find Alycee’s art account.
Having previously done this, "JakePaul" had the art account link and there are a few examples of drawings that she enjoys making. One of them was “My favourite place”.
Upon closer inspection, this image contained a set of coordinates:
38° 01' 27.8" S (latitude)
145° 20' 29.0" E (longitude)
I’m a very decimal kind of person, much the same as most technology that deals with maps so I opened up a GPS coordinates converter which provided the correct decimal conversions from the original degrees, minutes and seconds. Google maps does also accept the old-style coordinates but without the degree symbol readily available on my keyboard, I just went for the quick and easy solution of getting it converted. 🤷♂️
!maps 38°01'27.8"S 145°20'29.0"E
Those coordinates led us to Wilson Botanic Park on Google Maps, so boom, another flag.
Flag
Contact Tracing - Part II
Description
We need more locations Alycee may have or will visit in the future.
What is the exact name of the volcano that Alycee visited?
method
For this challenge, once again we are hanging out on Alycee’s deviantart page (she’s pretty great at drawing, I won’t lie).
The day it all changed
is a drawing of an erupting volcano in Hawaii, and much like Part III, there is
information hidden within the drawing: A date, 30 April 2018
.
Using the query: hawaii volcano eruption "30 april 2018" on duckduckgo, we scroll down a few times and find a wikipedia article about the 2018 lower Puna eruption which mentions Kilauea by name at the correct point in time, so we have the name of our volcano 🌋.
Flag
WFH (EoM) - Part 1
Description
Contact Tracing continues. We need to locate Marc’s home and evacuate the neighborhood/building and place them in isolation.
What’s the name of the building Marc lives in?
Method
Oof, okay, this one was pretty tough, not going to lie. We’re still dealing with the twitter peep @HevisMarc, so that at least makes things a bit easier, no new people. Our biggest data source on Marc has been twitter so we’ll keep rolling with that until it runs out.
If we search twitter with: !tw from:HevisMarc we can go through all the posts that this account has ever made, and one of them has a video taken from a balcony.
#pollution is bad today :( Can't even go outside on our balcony. pic.twitter.com/mgPIiJIn0e
— marc hevis (@HevisMarc) March 3, 2020
It’s possible that an office building could have a balcony, but it seems much more reasonable to assume that this is in fact taken from a place of residence.
Okay, so we have found the video and we’ve got a pretty strong case that this will be the correct source to show where Marc lives, now we have to geolocate the building from which the video was taken, to figure out where his house is.
One of the most distinctive features in the footage is a building that has a face as part of the facade.
If we drop: "building with a face" into duckduckgo, we discover that this building is located in Melbourne, Australia, off Swanston St in the CBD. This fits the profile of the twitter account, so things are starting to piece together now.
We have a rough idea of where this took place, we now need to find the correct perspective in order to establish which building in particular it came from.
I went into 3d satellite google maps to check this out:
Turns out there are actually more than one QV1’s in Australia, so that caught me out once 😬
Anyway, we have the building’s name now: QV1.
Nice, a tricky but very fun challenge.
Flag
WFH (EoM) - Part 2
Description
We need more information on the building to work out the level it’s being potentially filmed from. How many levels (above ground) does the building have?
Method
Well, the good news is we’ve already done most of the hard work for this challenge in part 1.
On duckduckgo we put in: qv1 melbourne storeys
We end up with the third result being a link to the architects who designed the building that we’re looking into.
It turns out we actually end up with essentially two flags in one on this page as what we need for the next challenge is available here too, but for this one at least, we know the number of storeys now: 44.
Flag
WFH (EoM) - Part 3
Description
Alright, we need to figure out how long Marc has lived there for, and the earliest he could have moved in. What was the year the building was finally built in?
Method
Not much method here, we refer to the resources from the previous challenge, and we have a completion date of 2005 for the build of the project, so that would make it the earliest possible year that Marc could have moved in there.
Flag
Fake News
Description
We’ve just received a report of The Daily News publishing an article that is causing a lot of concern and fear in the public. Given its wording and theme, we are sure it’s fake news generated by the Roomba. However, TDN will not disclose their source. Here’s the article, we need you to find the exact number of people that went through Southern Cross Station at the exact time referenced so we can determine if the article is fake. SX Station has released a statement saying that all footage of that night has been deleted so we can’t rely on visuals.
Article text:
“Wild scenes as 40 people confirmed to be infected with COVID-19 ran through Southern Cross Station at 4:00am on Friday, the 28th of February 2020. The frightening witness account has caused panic buying at stores around the country as people prepare to stay indoors. Our source confirms they were the only witness and that this infectious routine could be happening at other major transport venues through the country without the public’s knowledge."
Find the exact number of pedestrians that walked through Southern Cross Station that morning at 4am, on Friday, the 28th of February.
Method
What the heck!?
Definitely a good reason why this was set to 650 points, from the first time hearing it, this challenge sounds basically impossible. Let’s break it down.
The good news is, we have something very specific to shoot for, we know the exact target so we don’t have to use too much guesswork to know if we’ve arrived at the right solution, the problem in this challenge is mostly in the “where do we find this information?".
I took a number of failed approaches here, I copied different excerpts of the article text and tried to get something out of that with no luck. Searching for COVID-19 southern cross news also failed pretty spectacularly.
I took some time away and worked on other tasks before coming back to this one, and started to reason about what was the information I was really after.
I entered:
…as a query into duckduckgo. After scrolling down a tiny bit, I stumbled on a news article from the Herald Sun (a local Melbourne newspaper). Reading through the article, they had graphs showing levels of foot traffic through various places throughout the city, one of them including Southern Cross station. The source that was quoted for these graphs was the City of Melbourne. Time to go data hunting.
Another search:
Oh? They have a whole website dedicated to city-related data, and it’s completely open access? Excellent, just what we need!
An internal site search for foot traffic returned a dataset that contained hourly pedestrian counts since 2009.
After using the site to filter out the data to get to the point in time in question, we arrived on our magic number: 14. Not very many people to be going through the station at that time of the day, but it is 4AM, so that sort of makes sense.
Turns out that The Daily News' article was definitely fake, we found the official data to prove it …unless that was fake too? 😱
Flag
Pretty Fly for a WiFi
Description
We need to find Marc’s second office location (not the primary workplace) for the contract tracing. Business records tell us it’s relatively new. Scour his Twitter account and see if there’s anything that can help us geo-locate it. We don’t need it down to the road, just the town (not suburb) and we can work from there.
Method
Ahh Marc, I will miss you after this.
We need to find Marc’s second office location, and judging by the challenge name, we’re going to be looking for something to do with wifi.
We scroll through his tweets one last time and we stumble on this:
Newest office internet up and running but...not that fast. Can't wait for those sweet, sweet 100/100 speeds pic.twitter.com/oLaoG7LOMG
— marc hevis (@HevisMarc) March 3, 2020
I hope that Marc does finally end up with 100Mbps speeds, he seems like a pretty good guy, and we all deserve to have the internet speeds that we dream of. But that doesn’t stop me from wanting to pinpoint the location of this network that he’s on.
He’s given us the BSSID and the SSID, both of which are pretty handy in narrowing down his location using a tool like wigle.net.
We do need to make an account for the service in order to use the advanced search features, but that’s fine. Once we do, we can use the advanced search to fill in his BSSID and SSID, and hey presto, we end up with his network pinpointed on the map.
If we zoom out a bit, we can see that the town in question is Ballarat.
Game, set, match(ed by BSSID)
Flag
Summary
This event was freaking awesome. The first time I’ve ever done an OSINT CTF and I loved it. There were some really weird and funky challenges, but it was almost like a big treasure hunt on the internet.
In the end our team managed to complete all but one of the challenges which was really cool. The one we couldn’t manage was Curious Case of COVID, but honestly I’m not even mad about that because we gave it a massive go and for our first time doing something like this, I’m really proud of where we placed in the end.
Super excited for the next OSINT challenge, the best part of these is that you don’t need to be technically-minded to be able to do them, you just have to have a reasonable methodology of how to find out certain bits of information and how to deduct a result from the available resources.
My team and I came in 21st position with a whopping 4225 points, and I’m really proud of that achievement because we worked super well together. Thanks again to the people mentioned at the top of this post, I had a great time and your hard work and dedication is seriously appreciated.
Some extra tidbits
I figured I would drop a few tools I used which made this whole event a lot easier for me.
Tools
Duckduckgo
Not only is this a pretty great search engine on its own, but it also gives you internet-searching super powers through the use of their “bang” functionality.
You can read more about bang here, but basically it gives you shortcut access to a vast array of search functions on various websites. So if I wanted to get Google Maps of Mexico City, I could do:
!maps Mexico City…and it will deliver you to the page (via duckduckgo).
(I have duckduckgo as my default search engine in Firefox so I can type this straight into the url bar and away I go, super quick and handy.
TinEye
This is a reverse image search, so you can upload an image and find where else it has been use on the web. I didn’t end up using it for the challenges that I managed to solve, but it was good when helping out teammates and thinking out of the box a few times.