Cyber Detective CTF

https://ctf.cybersoc.wales/

Challenge 1 – voteforme

Task

https://twitter.com/jammymarkson
You’d have thought politics was a bit of a dry subject; not for some.
What US political party does James over here support?

Initial assessment

The user has a public Twitter profile full of personal data and possible clues about what he might be thinking and doing.

Analysis

Possible lines of investigation:
Personal information published by the target: likes, follows, followers, images, the target's nickname and name.

https://tweeterid.com/
@jammymarkson => 1226978129970855936

The target follows @BarackObama and @jeremycorbyn. He also seems to dislike Trump judging by the following quoted retweets:

Conclusion

For 200 points it is a safe guess to just assume he is a Democrat. Flag: Democratic Party

growingup

Task

https://twitter.com/jammymarkson
Where did James spend his childhood?

Analysis

In this tweet https://twitter.com/jammymarkson/status/1226982119009914880 the target expresses his excitement about a geolocation app that lets you pin down a location using three words. In his profile bio he uses exactly this technology: Born in ///purple.pulse.force, raised in ///push.asking.barn.

Conclusion

Checking those on what3words.com reveals that he was born near Bristol and raised in York:

Flag: York

choochoo

Task

We need to make sure James is far away when we try and break into his house. In what city does James work? NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

On Feb 10, 2020 the target posted a photo of a railway station:

Following the first result in a reverse image search with TinEye shows that this station is located in Cardiff:

Conclusion

Flag: Cardiff

suntan

Task

People love telling the world about their holiday, but is this really a great idea? What CITY is Sarah going on holiday to at the end of February? Hint: unless you’ve been there before, you might need to use a tool to get the answer. NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

A tweet posted by Sarah Luxton (@sarah_luxton) on Feb 12, 2020 has been liked by James:

The oldest result on TinEye directs to an Indonesian website which describes the photo showing a bridge that crosses Swan River in Perth, Australia:

Conclusion

Flag: Perth

wagthetail

Task

The team has been trying to work out where Person of Interest, Sarah, walks her dog. This is part of building up a profile of her movements. Can you have a look to see if you can find the TOWN in which Sarah tends to take the dog out to? NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

The latitude/longitude annotation on the photo of Buster's favorite place allows looking up the exact location on findlatitudeandlongitude.com:

Usk Bridge, Llandefaelog fach, Brecon, Powys, Wales, LD3, United Kingdom

Conclusion

Flag: Brecon

narcissism

Task

There’s a new Person of Interest, George something or other. Can you find anything interesting on him? Something he perhaps thinks you can’t work out? Take a look. NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

In his bio he states that he is very good at his job without revealing what that job is. I guess that’s what we are looking for.

A good starting point is to look at first tweets and first follows since they can reveal a lot about a persona on Twitter. First follow for George is Sophie Jones (@Sophjones77). A friend? A coworker? A CTF sockpuppet? Almost certainly!

Followers, Friends and Mutuals of the target mapped out by twitual.com:

The results show that @Sophjones77, @PearceRees, @jammymarkson, @GunnarssonEmbla, @KatalinKlmn1 and @GeorgeWatson428 have something in common.

The coworker theory is confirmed by a tweet from @PearceRees:

Conversation between @jammymarkson and the target in which they talk about their boss (Phillip):

@sarah_luxton sharing a password with the target:

The company is Technology Services LTD and their Chief IT Specialist is doing a bad job…

…at educating employees. George Watson obviously has not learned about the difference between encoding and encryption, since he posted his base64-encoded password on his public Twitter account:
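Base64 reverses with no key at all, which is why treating it as encryption leaks the secret. The scanner below is an added example (not part of the original write-up or of the CTF): it walks over a few constructed tweet lines (placeholders, not the target's real posts) and reports any base64 blob that decodes to readable text. The sample token is simply base64.b64encode(b"imamazing123"); everything else in the sample is made up.

```python
import base64
import binascii
import re
import string

# Constructed sample tweets (placeholders, not real posts). The second line
# carries base64.b64encode(b"imamazing123") to show that base64 needs no key.
SAMPLE_TWEETS = [
    "Great day at Technology Services LTD, best coworkers ever!",
    "Reminder to self: new password is aW1hbWF6aW5nMTIz, nobody can read that ;)",
    "Meeting with Phillip at 3pm, wish me luck.",
]

# A base64 token: 12 or more alphabet characters in groups of four, optional
# padding, and not glued to other alphabet characters on either side.
_B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4}){3,}"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])"
)

# Printable ASCII minus vertical tab / form feed: what a typed secret looks like.
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_if_printable(token: str):
    """Return the decoded text when `token` is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in _PRINTABLE for ch in text):
        return None
    return text


def find_encoded_secrets(lines):
    """Scan text lines for base64 blobs that decode to readable text.

    Returns a list of (line_number, token, decoded_text) triples, the kind of
    finding a secret scanner over public posts would raise.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _B64_TOKEN.finditer(line):
            decoded = decode_if_printable(match.group(0))
            if decoded is not None:
                hits.append((number, match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for number, token, decoded in find_encoded_secrets(SAMPLE_TWEETS):
        print(f"line {number}: {token} -> {decoded!r}")
```

The printable-ASCII check is what keeps ordinary long words (which are valid base64 alphabet but decode to junk bytes) out of the results; in a real scanner you would add a length floor and an entropy check before alerting.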

Conclusion

Flag: imamazing123

proppedup

Task

We’ve obtained what we believe to be an office CCTV camera feed. We have reason to suspect that it is overlooking one of the work desks belonging to one of our targets. Can you confirm the COLOUR of the DESK SURFACE and the COLOUR of the DESK LEGS, just so we can be sure of what we’re seeing and task the reconnaissance team further. (SURFACE COLOUR) (SPACE) (LEGS COLOUR) NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

The task is referring to the photo tweeted by @PearceRees https://twitter.com/PearceRees/status/1227605522926444544/photo/1

Conclusion

Flag: brown grey

bluengreen

Task

https://twitter.com/jammymarkson James has a habit of getting in the way of things ;).

Analysis

A lot of hints in the task. No comment.

Conclusion

Flag: icanseeyou

clockingout

Task

We’re trying to plan when is best to break into James’ house to plant a bug. What time does he start work? (UK time). NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

In this tweet the target states that he worked for 8 hours: https://twitter.com/jammymarkson/status/1226989808783888384. We only have to subtract 8 hours from the timestamp and convert to UK time if needed.

Conclusion

Flag: 2pm

meme

Task

We’ve been watching a bloke called George recently, you might have already done some work on him. He’s not that smart by the looks of things, could be a good person to look for a social media presence on. In particular, we’re after an access key for a program his company uses so that the team can ex-filtrate information to aid with our ongoing fraud investigations. NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;). Let us know when you’ve found it…

Analysis

This tweet shows a meme which the target forgot to crop.

Conclusion

Flag: CTF3404X71

partytime

Task

Our intelligence analysts have reported that a whole bunch of our targets are having a party together on a Saturday night soon. We want to deploy agents to see what’s going on, but we can’t risk blowing our cover turning up in a car. The road is pretty quiet and the property has very clear view of its surroundings, our reports suggest. Find the location of the party and the best BUS ROUTE NUMBER to reach the party from Principality Stadium, Cardiff – where the surveillance team will be deployed from. This sounds silly but we need to blend in with the public. The stakes are high. Enter the BUS ROUTE NUMBER you think is best for this situation. NOTE: If you’re having trouble working out who these people are, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

159 Llanedeyrn Rd, Cardiff, CF23 9DW

Funny side story: for Feb 16, 2020 there were no buses because of the lockdown.

Let’s go with it anyway…

Only 3 buses stop there in that direction at the given time:

Conclusion

Flag: 57

leaveamessage

Task

Our analysts have been trying to get proof of a target’s phone number. We want to move ahead with the arrest but we must get evidence that the phone number we’ve got is indeed theirs. We need to be sure. Due to the highly sensitive nature of the case, we cannot confirm the target’s name with you at this time. Please have a look to see if you can find their phone number. When you call the target’s number what are the LAST THREE WORDS you hear (you can also just enter the phone number as your answer and that is fine as well)? Hint: It will be obvious when you find it, but finding it will not be obvious. *NOTE: If you’re having trouble working out who this person is, have a look at other Life Online challenges as they could provide you with an entry point to find these people ;).

Analysis

The email for Sophie is [email protected] and I tried leveraging tools like infoga, Holehe, HaveIBeenPwned, Dehashed, spokeo/ThatsThem, …

But without results for a phone number 🙁

https://null-byte.wonderhowto.com/forum/perform-email-reconnaissance-with-buster-0202180/

dvla

Task

We’ve managed to snag a picture of the front of a new Person of Interest’s car. We need you to find out the make of the car and the month it was made in! We’ve attached the photo from a local CCTV camera, take a look? Enter as such: (Brand)(SPACE)(Month) For instance: Renault March

Analysis

DVLA stands for Driver & Vehicle Licensing Agency. License plates can be searched on the official government website https://dvlaregistrations.dvla.gov.uk/. In the results below we can see that CY10 HHB has been taken.

https://www.check-mot.service.gov.uk/ provides a search interface for the MOT history of a vehicle.

Since we are looking for the month the car was made in, the best option is to search via https://vehicleenquiry.service.gov.uk/

Conclusion

Flag: Ford June

connectionrefused

Task

We’re trying to access this web address: http://time-traveler.icec.tf/ The server is not responding! It is essential that we find the information contained on this site as we suspect it to be part of a criminal enterprise. Sources suggest that the site was accessible about 4 years ago, not sure how that is relevant but it might mean something to you? (Please enter the line of text in the box below, when you find it…)

Analysis

Conclusion

Flag: IceCTF{Th3y’11_n3v4r_f1||d_m4h_fl3g_1n_th3_p45t}

chemtrails

Task

We’ve been rummaging through a Person of Interest’s wheelie bins. We’ve found this boarding pass; although it looks like whoever had it was a bit paranoid that someone like us would find it. I think we can still do something with this though… There is one thing in particular on here that may help us. We really need to find the SEAT NUMBER of this person, in order to connect it with other evidence the team has gathered. We’ve attached the boarding pass for you. Please find this out for us.

Analysis

The barcode can be scanned online on https://online-barcode-reader.inliteresearch.com/:
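What an online reader hands back for an airline boarding pass is normally an IATA Bar Coded Boarding Pass (BCBP) string, whose mandatory items sit at fixed offsets, so the seat can be read off without any external service. The parser below is an added example, not code from this write-up or from the CTF; the payload it parses is constructed (passenger name, PNR, airports, carrier and flight are placeholders, only the seat 022B follows the flag), and the field widths are, as I understand the format, those of the standard 60-character mandatory block.

```python
from datetime import date, timedelta

# BCBP "M" format mandatory items, in order, with their fixed widths (60 chars).
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("sequence", 5), ("status", 1), ("var_field_size", 2),
]

# Constructed payload (placeholders, not the CTF's boarding pass), assembled
# with the same widths so every item lands on its fixed offset.
SAMPLE_BARCODE = (
    "M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7) + "CWL" + "AMS"
    + "XX".ljust(3) + "0123".ljust(5) + "033" + "Y" + "022B"
    + "0042".ljust(5) + "1" + "00"
)


def parse_bcbp(payload: str) -> dict:
    """Split the mandatory block into named items; seat and date are tidied for reading."""
    if len(payload) < 60 or payload[0] != "M":
        raise ValueError("not a BCBP 'M' format payload")
    items, pos = {}, 0
    for name, width in BCBP_FIELDS:
        items[name] = payload[pos:pos + width].strip()
        pos += width
    # Seat is zero-padded to three digits plus a letter: "022B" -> "22B".
    items["seat"] = items["seat"].lstrip("0") or "0"
    # Date of flight is the day of the year (1..366); the year is not encoded.
    items["julian_date"] = int(items["julian_date"])
    return items


def flight_date(day_of_year: int, year: int) -> date:
    """Resolve the Julian day to a calendar date. The year is an assumption the
    caller supplies, because the barcode itself does not carry it."""
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


if __name__ == "__main__":
    info = parse_bcbp(SAMPLE_BARCODE)
    print("seat:", info["seat"], "| route:", info["from_airport"], "->", info["to_airport"])
    print("flight date (assuming 2020):", flight_date(info["julian_date"], 2020))
```

Anything after the first 60 characters is the variable-size block (frequent-flyer number, bag tags, and the like); a real pass can also have several legs, each with its own repeated block, which this minimal parser ignores.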

Conclusion

Flag: 22B

bigbrother

Task

We’ve intercepted a live camera feed overlooking a public space. The camera owner has not bothered to put a password on it and it’s open to the world! An extremely dangerous criminal on the run was recently spotted by our surveillance team using this camera. It is essential to our investigation that we find out the COUNTRY where this camera is operating from so we know which law enforcement agency to follow up with. Please find this out for us. LIVE CAMERA FEED: http://81.82.201.132

Analysis

It feels a bit like cheating, but a reverse image search on Yandex immediately returned the following result:

Denderleeuw

Flag: Belgium

balancethebooks

Task

We have reason to believe that a particular company, TECHNOLOGY SERVICES LIMITED is complicit in a case we are investigating. To gain a better understanding of the size and scale of this company, we need you to find out the AMOUNT OF CASH currently held by them. We’ve attached a document we acquired from hacking one of their laptops; hopefully this will help you find this information? Thank you for your continued support. E.g. if the AMOUNT OF CASH was £94,200, for the flag you’d enter: 94.2

Analysis

The logo in the letter head looks a lot like a logo used in the UK for official communications.

Company Number: 01867162

Conclusion

Flag: 102.347

readyfortakeoff

Task

The special operations team has learned that a target of theirs always takes the first flight out of their local airport every morning. Please find the TIME OF ARRIVAL AT DESTINATION of that first flight, so that we can place officers to arrest them. Once again we have very little to go on, aside from what I think is a camera feed. LIVE CAMERA FEED: http://87.54.59.228 If you’re having trouble viewing it, we’ve also been given a screenshot by them, which is attached. Please enter the time as HH:MM.

Analysis

Conclusion

Flag: 07:20

gunpowder

Task

Our surveillance team has discovered another camera that has been left open to the world! The microphone on this camera recently picked up the sound of gunfire from what we suspect to be the street outside. The team needs to confirm this. Could you please find the NAME OF THE ROAD that runs outside the building this camera is in. LIVE CAMERA FEED: http://50.100.241.155:8081 If you’re having trouble viewing it, we’ve attached a screenshot of the camera in action.

Analysis

Searching for “The Birchmount Lofts” reveals the website of the Birchmount Animal Hospital:

Only two streets are adjacent to the building:

Conclusion

Flag: Birchmount RD

sos

Task

One of our SIGINT (Signals Intelligence) analysts recently found a strange broadcast sent over the airwaves. We are not certain on the source. Can you please draw a conclusion on the attached transmission?

Analysis

Use CyberChef to convert morse code:
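CyberChef's "From Morse Code" recipe is a lookup table walk: split on the letter separator, map each dot/dash group to its character. The decoder below is an added example, not the CTF's transmission or CyberChef's code; the sample signal is constructed (it is just the flag word in standard Morse), and the normalisation step handles the middle-dot and en-dash glyphs that transcriptions often use in place of "." and "-".

```python
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
FROM_MORSE = {code: char for char, code in MORSE.items()}

# Constructed transmission (not the CTF's audio): the flag word in Morse,
# letters separated by one space.
SAMPLE_TRANSMISSION = "--. --- .-.. -.. . -. . .- --. .-.. ."


def normalise(signal: str) -> str:
    """Map the glyphs transcriptions commonly use onto plain '.', '-' and '/'."""
    table = str.maketrans({"·": ".", "•": ".", "–": "-", "_": "-", "|": "/"})
    return signal.translate(table)


def decode_morse(signal: str, letter_sep: str = " ", word_sep: str = "/") -> str:
    """Decode separator-delimited Morse; an unknown group becomes '?' rather than aborting."""
    words = []
    for word in normalise(signal).strip().split(word_sep):
        letters = [FROM_MORSE.get(code, "?") for code in word.split(letter_sep) if code]
        words.append("".join(letters))
    return " ".join(w for w in words if w)


def encode_morse(text: str, letter_sep: str = " ", word_sep: str = " / ") -> str:
    """Inverse of decode_morse for letters and digits; used here to round-trip test."""
    return word_sep.join(
        letter_sep.join(MORSE[c] for c in word) for word in text.upper().split()
    )


if __name__ == "__main__":
    print(decode_morse(SAMPLE_TRANSMISSION))
```

Real intercepts rarely arrive as clean text: a recording has to be turned into on/off durations first, and the dot/dash and letter/word boundaries are then recovered from the timing ratios (1:3:7), which is the step CyberChef leaves to you.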

Conclusion

Flag: GOLDENEAGLE

rollingeyes

Task

We’ve been deploying drones to photograph the South Wales region for some time. The analysis team has been picking through the mass of imagery we’ve got from this activity. We’re particularly interested in confirming the sighting of one of our most critical targets. Fortunately, one of those Google cars with cameras mounted to the roof appears to have been sailing by at the time. Perhaps this might help you? So we can be confident we’ve actually spotted them, can you confirm the COLOUR of their HOODIE and the COLOUR of their T-SHIRT. All they’ve given me is an overlay from the drone… Hopefully this is enough? I’ve attached it to this tasking for you. We think they were getting out of a car at the time. Enter the flag as such: (HOODIE COLOUR) (SPACE) (T-SHIRT COLOUR) e.g. white black for a white hoodie and a black t-shirt. You only have three attempts, so make sure you don’t just guess!

Analysis

Searching for the pet shop and the street names, I first dug around London, when in fact the city we are searching for is far more east. Better read the task… it clearly says “South Wales”.

Remember to change Street View to the latest date and let’s go on a road trip:

Conclusion

Flag: Red Blue

proofinthesignal

Task

We’ve received fresh intel from the team leading an important investigation. We’ve become aware that one of our targets, James Markson, has retained his links with the city of Bristol, UK. We’ve also learned that this individual always has his personal hotspot enabled on his smart phone, as he does not wish to subscribe to a regular home broadband service. This means the target’s WiFi signal from their phone may have registered on a public WiFi mapping service. One intelligence analyst noted that ‘jammy’ may be the SSID (the name of the wireless network). The team says you’ll need a sharp eye for this one. What is the STREET NAME where the target has likely been in the city of Bristol?

Analysis

Wigle.net has an advanced search option:

Conclusion

Flag: St Marks Road

undercover

Task

The intelligence analysis team has recovered a mysterious file from one of our target’s computers following a sting operation in the early hours of this morning. It seems like there’s nothing there, but why would a target have a blank file on their computer? Are they hiding something? We really need to find the lock combination for the self-storage unit where the target has stashed counterfeit bank notes. We’ve trawled through all the other files we’ve found already, and it’s just this one that remains. Have a look for us would you?

Analysis

file target-recovered-file.pdf 
target-recovered-file.pdf: PDF document, version 1.7 (password protected)

<</Author(Jack Tilson) /Creator(

In the raw data of the file we can see metadata revealing the program that was used to create the PDF (Microsoft Word for Office 365) and the author (Jack Tilson). Is the document really password protected? pdfcrack says no, and this is an OSINT CTF…

pdfcrack target-recovered-file.pdf
Error: Encryption not detected (is the document password protected?)Error: Encryption not detected (is the document password protected?)
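Both checks above come straight out of the PDF's own structure: the Author/Creator strings live in the Info dictionary the trailer points at, and pdfcrack's verdict rests on whether the trailer carries an /Encrypt entry. The parser below is an added example, not the CTF's file or any tool's code. It builds a constructed minimal PDF inline (author, creator string and lock code are placeholders), reads the Info dictionary, checks for /Encrypt, and lists any text drawn with the fill colour set to white in an uncompressed content stream, which is the "blank page" trick that select-all and copy defeats.

```python
import re

# Constructed minimal PDF (placeholders, not the recovered CTF file): an Info
# dictionary with Author and Creator, no /Encrypt entry, and one page whose
# content stream paints a line of text in white (1 1 1 rg) on the white page.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 57 >>
stream
BT /F1 12 Tf 1 1 1 rg 72 700 Td (Lock Code: 000000) Tj ET
endstream
endobj
5 0 obj << /Author (Jane Example) /Creator (Example Word Processor) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
_STRING_ENTRY = re.compile(rb"/(Author|Creator|Producer|Title|Subject)\s*\((.*?)(?<!\\)\)", re.S)
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Either a non-stroking RGB colour operator ("r g b rg") or a shown string ("(...) Tj").
_CONTENT_OP = re.compile(rb"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+rg|\((.*?)(?<!\\)\)\s*Tj", re.S)


def pdf_metadata(data: bytes) -> dict:
    """Return the literal-string entries of the Info dictionary the trailer points at."""
    ref = _INFO_REF.search(data)
    if not ref:
        return {}
    obj_re = re.compile(
        rb"(?m)^" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj", re.S
    )
    obj = obj_re.search(data)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in _STRING_ENTRY.findall(obj.group(1))}


def is_encrypted(data: bytes) -> bool:
    """A password-protected PDF carries an /Encrypt entry in its trailer."""
    return re.search(rb"/Encrypt\b", data) is not None


def white_text(data: bytes) -> list:
    """Strings shown while the fill colour is white, in uncompressed content streams."""
    found = []
    for stream in _STREAM.findall(data):
        fill = (0.0, 0.0, 0.0)  # the PDF default fill colour is black
        for op in _CONTENT_OP.finditer(stream):
            if op.group(4) is None:  # the colour operator matched
                fill = tuple(float(x) for x in op.group(1, 2, 3))
            elif fill == (1.0, 1.0, 1.0):
                found.append(op.group(4).decode("latin-1"))
    return found


if __name__ == "__main__":
    print("metadata:", pdf_metadata(SAMPLE_PDF))
    print("encrypted:", is_encrypted(SAMPLE_PDF))
    print("white text:", white_text(SAMPLE_PDF))
```

Word-generated PDFs compress their content streams with /FlateDecode, so on a real file you would inflate each stream with zlib before running the colour/Tj scan; the metadata and /Encrypt checks work on the raw bytes as shown, which is why a plain hex dump already gave away the author.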

So is it just a blank white page? CTRL+A, CTRL+C to the rescue:

Lock Code: 956445

Conclusion

Flag: 956445

defrauded

Task

A gold reserve holdings company, Hutchings Gold Reserves of London, has been receiving emails from a source claiming to be Thomas Parker and Co. The source made contact with Hutchings via a Junior Accountant who just started their job one week prior; perhaps they saw this new employee as a potential weak link to target. Their email, marked as urgent, stated that the invoice must be paid immediately or else the business relationship with Hutchings will be terminated. It contained a PDF of an invoice dated 03/02/2020, however upon looking up the Invoice Number, Hutchings realized that it referred to a genuine transaction, but was paid many years ago. They also deduced that the company named (TP and Co.) no longer exists! Feeling compelled to act with haste owing to the apparent significance of the business relationship, the Junior Accountant almost paid the £ 39,956.00 demand, however a supervisor intervened just in time. To help us narrow down our investigation into how the fraudster even got the original invoices to manipulate in the first place, we need your help… Can you have a look at the attached fraudulent invoice and find out the ORIGINAL DATE OF CREATION by the legitimate TP and Co? Enter your response as: DD/MM/YYYY.

Analysis

Conclusion

Flag: 13/05/2012

photophile

Task

We’ve been investigating an allegedly corrupt infantry soldier. We have strong reason to believe they have been involved in assisting serious organised crime groups with opium production. I’ve recovered an image I think was taken by this individual from an unnamed online file storage folder. The name of the file doesn’t really give anything away either. We need to find out what device the attached photo was taken on, as this will be a major breakthrough in linking the individual we have in custody with the drug conspiracy. If the photo was taken on a device we know to be owned by the accused, then we are a step closer to throwing the book at them. What is the CAMERA MODEL / DEVICE MODEL of the device used to photograph the poppies?

Analysis

Again, exiftool to the rescue:

Conclusion

Flag: Moto G3

xorelse

Task

A colleague in the cryptography team said something about a particular target using XOR encryption? I’m not going to pretend I know what that means. Anyway… we’re planning on parking up outside their house and having a look at what’s going on inside their home network. We think that this XOR business will lead us to their WiFi password. All we’ve got to go on is this: QeOhnsr{KuZu)(

Can you break in? NOTE: YOU ONLY HAVE THREE ATTEMPTS TO ENTER THE WIFI PASSWORD HERE, SO BE CONFIDENT ITS RIGHT BEFORE ENTERING. Enter the WiFi password as the flag.
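The 14-character ciphertext and the 14-character password line up byte for byte, and XOR with one repeated key byte is the simplest fit, so the standard approach is to try all 256 keys and rank the outputs by how much they look like a password. The script below is an added example, not the CTF's solution; it uses the ciphertext exactly as the task gives it, discards any key that produces non-printable bytes and scores the survivors by their count of letters and digits. Several keys tie on that score, which is exactly why the task warns about three attempts: the shortlist still needs a human look, and the candidate that reads as words, MyStrongWiFi54, comes from key 0x1c.

```python
import string

# The ciphertext exactly as the task gives it.
CIPHERTEXT = "QeOhnsr{KuZu)("

# Printable ASCII, allowing a space but no other control/whitespace characters.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice returns the input."""
    return bytes(b ^ key for b in data)


def password_score(candidate: bytes) -> int:
    """Letters and digits count one point each; any non-printable byte disqualifies the key."""
    if any(chr(b) not in _PRINTABLE for b in candidate):
        return -1
    return sum(chr(b).isalnum() for b in candidate)


def brute_force_single_byte_xor(ciphertext: str) -> list:
    """Try all 256 keys; return the surviving (key, plaintext) pairs, best score first."""
    data = ciphertext.encode("latin-1")
    ranked = []
    for key in range(256):
        plain = xor_single_byte(data, key)
        score = password_score(plain)
        if score >= 0:
            ranked.append((score, key, plain.decode("ascii")))
    ranked.sort(key=lambda row: (-row[0], row[1]))  # best score first, lower key on ties
    return [(key, plain) for _, key, plain in ranked]


if __name__ == "__main__":
    for key, plain in brute_force_single_byte_xor(CIPHERTEXT)[:5]:
        print(f"key 0x{key:02x}: {plain}")
```

The printability filter alone throws away every key with bit 5, 6 or 7 set, because the two trailing parentheses or the letters would turn into control or non-ASCII bytes; a defender reading the same output should note that a 14-byte password is recoverable from a 14-byte ciphertext in a fraction of a second, which is the real lesson about single-byte XOR.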

Analysis

Conclusion

Flag: MyStrongWiFi54

mothertongue

Task

One of our linguists has found a strange email between two targets, it seems to be some kind of foreign script. We can’t make sense of it, find whatever is lurking in there? It could be big or small. It could be meaningful or meaningless. But it’s there. LINGUIST’S EXTRACT: https://pastebin.com/mkQYkMk9

Analysis

Conclusion

Flag: Clouds

hostiletakeover

Task

We’ve become aware of a particular uber-rich foreign multi-billionaire systematically purchasing properties en masse from British businesses for prices they cannot refuse. It isn’t unusual for businesses to remortgage some of their properties in order to secure a low-cost cash advance, but our intelligence suggests that our target has paid well over the odds for the properties they’ve recently bought. This strikes us as very unusual as intuitively, it seems like a complete waste of money. We are concerned that there may be nefarious objectives held by this individual; perhaps to gain control over how much businesses pay for the newly-owed rent of the stores/branches in which they operate and cannot afford to lose. We’ve seen instances such as this in the past – well funded parties using their wealth as leverage to essentially hold firms to ransom by driving up rental costs. It is feared that this trend will leave many significant players within the British economy susceptible to blackmail and manipulation or be forced to downscale to absorb the price hikes. We must act; the UK economy could be on a collision course to disaster. This is particularly dangerous as not only does it place power in the hands of potential adversaries, but also artificially inflates the profits of companies. I’ve attached a bank statement we secured after infiltrating the target’s personal holdings company network. It shows the sum paid for the property and the date of the purchase. We know there is publicly searchable data made available by the Land Registry which could help us with what we’re after. We must start gauging the risk to each business that this individual has acquired property from. Can you find out the BUSINESS NAME of the previous owner of the property that can be inferred from the seized bank statement? NOTE: You only have three attempts so don’t just guess! 😉

Analysis

Conclusion

Flag: Tesco Stores Ltd

bitcoinbuster

Task

We’ve been monitoring the Coinbase account activity of a target we know to be involved in writing and distributing ransomware throughout the internet. An internal source has told us that they usually use a ‘bitcoin tumbler’ service to hide their activities however they’ve stopped doing this now, making it much easier for us to connect the illicit transactions to a particular individual. Our target recently released a new wave of ransomware under an alias we know to be attributed to past attacks. The analysis team found that the ransomware demands a peculiarly specific sum of 3.581074451254057 bitcoins exactly. We know that the writer of the virus is highly likely to have selected this figure on 1st February 2020. We have reason to believe that this particular malware writer always uses the Market Open price as their point of reference (i.e. the price of one bitcoin at the very first moment of every day). We also know that they use Yahoo Finance to lookup price information for bitcoin. It is not uncommon for cyber criminals to arrive at a specific amount of cryptocurrency from an arbitrary figure from their home currency. E.g. 10,000 British Pounds might get 1.34745439576493 bitcoins. For instance, if someone based in the UK wanted £5000 worth of bitcoin at a time where 1 bitcoin costs £20,000, then they would end up with 0.25 bitcoins. They didn’t choose 0.25 bitcoins, it’s just what they got for the £5000 at the time. Although someone in Sweden may need to spend 61,223 units of their currency, Swedish Kronas, to get the same 0.25 bitcoins at the same time…. Think, which is easier to write – £10,000 or £9,965.31? It would be easier to say that someone asking for 1.34745439576493 is from the UK if converting this to British Pounds gives exactly £10,000 yet $13,548.78, €11,432 and so on.
It just seems too specific, and it probably is. We feel we know where our target is based, but we need you to confirm this to help us build up evidence to arrest and prosecute. Based on the 3.581074451254057 BTC figure being obtained on 1st Feb 2020 from the Market Open price alone, which COUNTRY is the ransomware creator most likely to be from? We’ve attached a HTML document containing links to all of the relevant bitcoin price pair history data-sets on Yahoo Finance. NOTE: You only have three attempts so don’t just guess ;).

Analysis

I used a tool on the same Yahoo Finance Site to make this handy chart:


You just have to multiply each currency's price by 3,518, and the BTC to AUD conversion stands out:
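The check is mechanical: multiply the ransom amount by each pair's 1 Feb 2020 Open price and see which product is a round figure in its own currency. The function below is an added example, not the write-up's chart or Yahoo Finance data. The open prices in it are constructed placeholders (the AUD one is built so the product comes to exactly 14,000), so only the ranking logic is meaningful; it generalises to any set of pairs pasted in from the real CSV exports.

```python
BTC_AMOUNT = 3.581074451254057  # the ransom figure from the task

# Constructed 1 Feb 2020 Open prices of 1 BTC (placeholders, NOT Yahoo Finance
# values). The AUD entry is built so that BTC_AMOUNT * price is exactly 14,000.
SAMPLE_OPEN_PRICES = {
    "GBP": 7105.22,
    "USD": 9390.87,
    "EUR": 8483.04,
    "SEK": 90341.72,
    "AUD": 14000 / BTC_AMOUNT,
}


def roundness(value: float, tolerance: float = 0.01) -> int:
    """Trailing zeros of the nearest whole number, or -1 when the value is not within
    `tolerance` of a whole number at all (not a figure a person would have typed)."""
    nearest = round(value)
    if nearest == 0 or abs(value - nearest) > tolerance:
        return -1
    zeros = 0
    while nearest % 10 == 0:
        nearest //= 10
        zeros += 1
    return zeros


def rank_currencies(amount: float, open_prices: dict) -> list:
    """Convert the BTC amount into each currency and rank by roundness, best first.
    Returns (currency, converted_value, roundness) tuples."""
    rows = [(cur, amount * price, roundness(amount * price)) for cur, price in open_prices.items()]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


def likely_home_currency(amount: float, open_prices: dict):
    """The currency whose conversion is roundest, or None when nothing is near a whole number."""
    best = rank_currencies(amount, open_prices)[0]
    return best[0] if best[2] >= 0 else None


if __name__ == "__main__":
    for cur, value, score in rank_currencies(BTC_AMOUNT, SAMPLE_OPEN_PRICES):
        print(f"{cur}: {value:,.2f} (trailing zeros: {score})")
    print("most likely home currency:", likely_home_currency(BTC_AMOUNT, SAMPLE_OPEN_PRICES))
```

The tolerance matters: a demand typed as a whole-currency figure and then converted to 15 decimal places of BTC survives the round trip to within rounding error, while an amount chosen in BTC first lands on a fractional value in every currency, which is what a None result reports.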

Conclusion

Flag: Australia