A world tour behind my desk (OSINT CTF)

19 Sep, 2024

I solved the SEINT_pl OSINT CTF of 2023. It takes you around the world, let's follow the rabbit hole.

It all starts with a spark

In order to start this CTF, I download the initial archive and unzip it while passing the MD5 hash of the string “dive” as the password.

Now and for the rest of the challenge I’ll use the following unix command to generate a MD5 hash (where FLAG_WITHOUT_SPACES will be the flag):

echo -n "FLAG_WITHOUT_SPACES" | md5

First stop

For this step, we are given the following text and image:

Let’s go on a trip again! But where shall we start? I found this postcard from long ago and the view looks promising. But where was this photo taken? Can you help me geolocate the place? In the nearby town, there was a really big event several decades ago. This event had a logo with something very special to the surrounding area on it. The key to the next step is the MD5 hash of the latin name (written in lowercase without spaces) of this special thing, depicted on the logo.

Quick visual analysis: nothing really determining can be seen upfront, a lake, with rather dense vegetation (pines?), houses and a white tertiary building on the right. I feel this might be somewhere up north (Russia, northern Europe, Canada…).

I feed the image through Yandex reverse image search and get some results, some in Norway, Russia and France. It's quite a stretch, so I do something I should have done first: look for the EXIF data of the picture (silly me).

On macOS you can just do a right click on the picture then "read information" or use the Unix program exiftool or use an online tool like jimpl. Anyway, the first method gives me the coordinates of the location: 61°5'39.571"N 10°26'6.468"E. Feeding this to Google Maps points to a location in front of the Lillehammer town in Norway.

The Lillehammer Wikipedia page tells me it is famous for hosting the 1994 winter olympics. That must the big event the CTF author is talking about.

I search the Lillehammer 94' olympics logo on Google, which can be seen on the olympics Wikipedia page : wikipedia.org/wiki/1994_Winter_Olympics.

I don't completely understand what appears on the “surroundings” of this logo (i.e the step 1 text), so I need an interpretation. I find an explanation when going through the wiki page, noticing this note:

The emblem is a stylized aurora borealis (northern lights) and snow crystals.

Aurora Borealis. A latin name. This is the flag we’re looking for.

The MD5 hash of “auroraborealis” gives me access to step 2.

A huge leap

This step gives us the following text:

So you found the location of the Norwegian town, good. But where to next? Let’s see, what is this strange code here: 4KDB1677355222? Is it a database of 4K images? Or a date? Or something else? Where can it lead us? Once you can link this code to a certain place, I will be waiting for you in the nearby café and having the best squares in the world. As strange as it may sound, you task is to find out what are my squares made of. To uncover the next step, make a hash of the name of the ingredient, written in lowercase. Bon appetit!

Searching for the term “4KDB1677355222” in Google directly points to the Rarotonga Airport in New Zealand, I notice a place called “Cafe Jireh” nearby and the text talks about a “café” so that must be the place.

I search through the café’s photos directly in Google Maps and see one depicting “Squares” treats. Custard squares to be exact, as we can see:

1_JoPhvF1yFRwbw33pSn9T2w

The MD5 hash of the string “custard” gives me access to the next step.

A huge leap (again)

For the third stage we get this text:

Those custard squares were the best! Now it’s time for a giant leap over the water and some historical lookup. On October 13th, 2012, something really big happened. It was so big, that it took two days to move it. There was also a strong car involved in the movement. Can you find out tha make and model of this car? The answer, that will lead you to the next step, is the hash of the make and model of the car, written in lowercase without a space, like this: chevroletcorvette. Don’t forget to make a hash of it.

A simple search of the date within Wikipedia gives us a list of major events that happened that day, I immediately spot an event matching the description “It was so big, that it took two days to move it”, a space shuttle sure is big enough:

1_ft0Jrvar2pcXCnE0bIpnhg

Now, what truck did they used to tow the Endeavour?

I simply search “truck used to tow the endeavor” in Google and find this Toyota Newsroom article, explaining it was an unmodified Toyota Tundra.

The hash of “toyotatundra” gives me access to Step 4.

A guardian indeed

What we have for this fourth step:

Ah, this was an enormous endeavour! So now we will need some rest. It won’t be far from the last spot. Let’s go to see a sign with four missing letters nearby. We have to be there on the same day and month, on which the first photo of the first writeup for my 2022 CTF was last modified (in case it’s not available, look at the first hint). Stand on the last remaining letter of the big sign exactly at the time, mentioned in the song, that Mick and Keith wrote and released in 1997. Then, look in the direction the sun is currently shining from. In the distance, about 700 meters from you, there is a very important animal, a guardian of the vicinity. The name given to that animal (not the species, but his first name), written in lowercase and turned into a hash, is the key to the next step.

Ok, so we have more information to look for this time:

“won’t be far from our last stop” : supposedly it’s Los Angeles.
“a sign with four missing letter” : I immediately think about the Hollywood sign, but… missing letters? I search “hollywood sign missing letters” and Wikipedia tells me this: “The restoration and removal of the “land” portion of the sign was conducted in September 1949.” So that might be the sign we’re looking for.
I didn’t find the writeup the author is talking about, so I open up the hint and read this date : December 28th, 2022. Taking note of it.
“Stand on the last remaining letter of the big sign” : so I’ll have to stand on the letter “D” of the Hollywood sign in Google Maps/Earth.
“exactly at the time, mentioned in the song, that Mick and Keith wrote and released in 1997” : Mick and Keith… so I have to find a Rolling Stones song released in 1997. A quick search “1997 rolling stones songs” directs me towards the Bridges To Babylon album. I explore each lyrics of the album on Genius. Looking for a particular time (hours/minutes/seconds). I find the time “three in the afternoon” in the Anybody Seen My Baby song.
“look in the direction the sun is currently shining from”: ok this is new to me, how do I get the sun direction on December 28th 2022 3pm at the Hollywood sign, LA? A quick search and I find the suncalc application, I give it the information I have and get the sun direction vector in yellow:

1_l53DmtCNqxWAAYucIQoqew

“In the distance, about 700 meters from you(..)”: so I’ll need to use Google maps or Google Earth, but how do I transfer the sun direction angle from suncalc? I don’t know, so I just use a ruler. I launch Google Earth, enter the coordinates, target the letter D of the sign and with the ruler tool of Earth I trace a 700m path in the sun direction/angle I got:

1_E6FM3d0hZQKC6mm_yZFR4A

I trigger Street View and go to the closest accessible point from the end of the path, and after a quick rotation I find what appears to be someone matching the description “there is a very important animal, a guardian of the vicinity”:

1_5IGg_85D0puqTxQyn8Rl8A

His name is Smokey, so, the hash of “smokey” gives me access to Step 5.

Road trip

Here is the text:

Now it’s time to move on. Let’s change the continent and meet some friends. They started their road trip from San Diego, through Barcelona, heading to Valencia. We are heading from Valencia, on the same route, but in the opposite direction. We ride our cars with roughly the same speed, so we shall meet in the middle, after driving 154 miles. Can you look into the map and tell the name of the town we will be meeting in? The name of the town, written in lowercase and turned into a hash, is the pass to the next step. Look out for the traps on the road described above! :)

For this one we must find a city name. Of course Barcelona and Valencia made me think immediately of Spain, but San Diego? I don’t think there’s a city named San Diego in Spain. To check this, I go to the Geotargit website, search for San Diego, and find out there’s no such city in Spain, so we are looking for a less obvious country.

I continue using Geotargit, searching through San Diego, Barcelona and Valencia. I notice Philippines has all these 3 cities. But once on Google maps I notice that the Valencia => Barcelona trip in Philippines is done by boat. So that can’t be the right country.

Another country has these cities : Venezuela. Let’s try this one.

Around 154 miles (247km) on the Valencia — Barcelona trip, there’s a city named “Marizapa”:

1_nFJ-iKY1PGa_zfJ-JJdbEA

And indeed, the hash of “marizapa” let me open up the step 6 archive and go forward.

Is it Santa?

We get a text and a picture:

This is the last part of our journey around the world! It’s winter time and everybody’s looking for Santa. Are these guys also wishing to see his sleigh in the sky? What can they be looking at? The name of this thing they are looking at, written in lowercase and without spaces, turned into a hash, is the key!

I went to Japan not too long ago so I recognize the road Japanese writing immediately, we’re in Japan, maybe in Tokyo.

First, I have the impression the author is emphasizing on the time of the year (December, Christmas), so I focus on that.

Reading the picture metadata gives me a date: 14th December 2023. I try to look into any particular events in Tokyo at this date, but nothing really shines.

I just look at the picture and notice a sign in the back, a yellow one with Japanese writing, and a black one with “Vigor” written on it:

1_RBG_FcC66_gM54uCZ9TwqQ

I open up Google maps, search through “Vigor” in Tokyo, and notice one place with the same Japanese name we see on the yellow sign. I try to analyze the angle of the picture and I think it matches:

1_bMNsXIIAOjQVCIME11_REw

I underlined the Skyduck place because ther term “sky” made me think about the fact that the people on the picture are looking up.

Ok, we got our place, but what are these people looking out?

I zoom back Google maps a little and notice the Tokyo Skytree is really close to the location.

My recent trip to Tokyo has taught me this tower is really high and can indeed induce to look up a lot.

So I give it a try with the hash of “tokyoskytree” and indeed this gives me access to the next (final) stage! Honestly I didn’t think this would be it.

Finally arrived

CONGRATULATIONS! You’ve successfully made it through this year’s CTF by The SEINT! Thank you for participating and I hope you had fun doing the puzzles. You can also find a badge for doing this quiz here. If you like this quiz, please share it with your friends! Thanks again!

1_QJQEaJWEga7U3XgHA-aT5A

I made it through! This was fairly easy but also quite pleasant to go through, especially the fourth part (Smokey and the Hollywood sign).

See you next challenge, cheers.