Post

HACKTORIA - Writeups

HACKTORIA - Writeups

Hacktoria creates CTF exercises that play like a game. Overlaying fictional organizations and conspiracies over our real world, immersing the player in espionage and mystery.



OSINT : Alien Abduction - Easy

Badge

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
We have an urgent case on our hands for the US government. Our allies at the CIA need us to cover up an alien abduction. On the 2nd of April near Broomfield Colorado, a research craft from the Krohndahkyr took several animals and plants.

Although no humans were taken this time, some residents have made photo’s and possibly video of the incident. It’s imperative that we find the original source where this sighting was reported. The CIA wants a cleanup of all the material. So it’s our job to go and find it for them.

Your task is to find the original URL where the following report and photo were posted:

Occurred : 4/2/2023 22:00 (Entered as : 04/02/2023 10:00 PM)
Reported: 4/3/2023 8:25:51 PM 20:25
Posted: 4/9/2023
Location: Broomfield, CO
Shape: Circle
Duration: 10 minutes
Characteristics: There were lights on the object, The object changed color

As always, Special Agent K. The Contract is yours, if you choose to accept.`

Answer Instruction

1
2
3
Full URL of the article

Sample: https://fullurl/category/article.html

Solution

Fyi i love ufo and all of this sort of alien things (wish could see one)

  1. The mission ask us to find the URL report that containe the same image (provided in the material)\
  2. i use a website that store all of the UFO reports from all over the world called nuforc.org (National UFO Reporting Center)
  3. The mission stated the location where the reports or the sight happen, so we gonna find record on the place by going to this section https://nuforc.org/ndx/?id=loc and find the report in CO.
  4. Woah that was a lot of reports there, let use some of the info gave to us to find the exact report we looking for, here i use the location to filter every report on the location of Broomfield and use crtl + F function with the occured date 04/02/2023 22:00.
  5. And yup we found the exact report that contain the same photo. Answer : https://nuforc.org/sighting/?id=175200

OSINT : Caged Princess - Easy

355492432-b95bb6a8-25a7-4a33-b9ff-d5f09afd4d95

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
Greetings, Special Agent. 

It has come to our attention that one of our subsidiaries, crucial for reconnaissance operations, has fallen victim to a ransomware attack. This incident has disrupted our ongoing mission in the Riviera region. Although the impact on our overall operations is minimal, we require your expertise to investigate this breach and ensure the security of our digital infrastructure. 

Your mission, should you choose to accept it, is to conduct a thorough investigation into the ransomware attack. You will need to identify the threat actor behind this attack, assess the extent of the damage, and determine how much sensitive data has been compromised. It is imperative that you trace the origin of the attack but also maintain Operational Security as you may become a target yourself. 

To aid in your investigation, you will be provided with minimal details regarding the cyber attack. Our Hacker Dimitri will be available to assist you as needed. Once you have gathered sufficient information and have a clear understanding of the situation, you are to provide a detailed report of your findings back to SERPENT HQ. Time is of the essence in this matter, as we cannot afford any further disruptions to our operations. We have complete faith in your abilities to handle this situation with the utmost professionalism and discretion. 

As always, the contract is yours, if you choose to accept. 


Material

1
2
3
4
5
6
The words below are clues to the answer, all information is available via public domain.

Monaco 2023 

Ransomware 

Answer Instruction

1
2
3
4
5
Answer format: company-name-threat-actor-data-amount-exfiltrated 

GB at the end of the amount-exfiltrated not required


Solution

  1. At first it was kina hard to find the exact answer due to a lot of source, but after a few time searching using the clue give, we ended up to a website that monitor real global cyber threat (https://hackmanac.com/)
  2. You will find the answer here (https://hackmanac.com/news/hacks-of-today-09-10-11-09-2023)
  3. Scroll down, you will see a company called Monaco Technologies and a few details that we need to combine to get the actual answer (The actor : Lockbit3.0, Amount of data 23.7GB). Answer : monaco-technologies-lockbit3.0-23.7

OSINT : Chasing Bigfoot - Easy

355642498-0be2f881-0eee-4d01-a05e-5426eb6d537b

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Greetings Special Agent.

After starting our collaboration with Klumgongyn and his species, a lot of the earth’s mysteries have started to clear up. Not being able to share these with the rest of the world but, suffice to say, a lot of sci-fi movies aren’t that far off from reality.

One of such interesting topics is the existence of Bigfoot, or Sasquatch as it the more formal term. These creatures roam the interiors of the American heartland and reach far up north. For several decades, people have had run-ins and sightings with these creatures.

Originally, Sasquatches evolved next to their human counterparts. But after eventually growing apart, due to our new found aversion to the discomfort of sleeping on the forest floor, they’ve taken refuge in the most rugged parts of the American wilderness. While we eventually opted for sleeping in home-delivered Swedish furniture.

As Klumgongyn now taught us, the Klumgon have been using Sasquatches to keep an eye on human behavior over the past decades. Instructing the beasts to probe human civilization for our reaction to a strange and foreign species. Needless to say, the results are still very negative. The best theory would have humans shoot the alien being and cut it’s guts open. Therefor only a select group of humans know about the existence of the Klumgon and Sasquatch.

Now that we got that introduction out of the way… During the 1970’s, a Sasquatch was spotted by a member of the US Armed forces. Initially reported as “Driver has close sighting of Bigfoot”. While heading home from a late night diner, the soldier spotted the Sasquatch crossing the road late at night. After this sighting, the Sasquatch was never seen again. Even disappearing to it’s Klumgon handlers.

This particular Sasquatch was named “Norman” by it’s handlers. What made Norman special, was the ability to turn his nocturnal vision on and off. A genetic abnormality for the otherwise nocturnal Sasquatch. The Klumgon needed Norman to reverse engineer this ability, to implement in a piece of biotech for their “Future Soldier of 2030” government program.

Needless to say, given our current collaboration, that would be a very useful piece of bio-tech. Not having to rely on clunky and limited NVG’s, but a simple set of new eyes and a microchip instead.

So, I leave you with your assignment. Find the article where this particular soldier describes the incident. This will be the starting point for our investigation. All we know, is that the article is published by someone else, chronicling the story shared by the soldier.

As always, the contract is yours, if you choose to accept.

Material

1
2
The internet – GLHF

Answer Instruction

1
2
3
4
5
6
The answer is the full URL for the article:

Example answer:

https://www.mynicewebsite555.it/my-nice-article.html

Solution

  1. In the mission say that “Driver has close sighting of Bigfoot”.
  2. So i just google dork the text with the double quote (Example : “Driver has close sighting of Bigfoot”)
  3. The result show me 3 top link, but the second one seem suspicious. (https://www.thecryptocrew.com/2014/06/).
  4. View the website, saw a lot of report regarding bigfoot sighting, scroll down and you will a report that use the headline “Driver has close sighting of Bigfoot”.
  5. View the report, copy the url and submit for the answer and voallaaa ! Answer : https://www.thecryptocrew.com/2014/06/driver-has-close-sighting-of-bigfoot.html

OSINT : CrypticSpectre - Medium

355656778-7c6bfaba-bac3-4bbe-946a-cc9fa98f34e8

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
Greetings, Special Agent K.

We’ve received intel about a recent cyber attack on a high-profile organization. Our analysts have provided us with a malware hash found during the investigation:

9e7053a4b6c9081220a694ec93211b4e

Your mission, should you choose to accept it, is to analyze this hash and determine the Advanced Persistent Threat (APT) group behind it and the target of their attack.

As always, Special Agent K. The Contract is yours, if you choose to accept.


Material

1
Malware Hash: 9e7053a4b6c9081220a694ec93211b4e

Answer Instruction

1
2
3
4
Answer format: APTgroupnumber_targetoftheattack

Answer example: APT43_departmentofjustice

Solution

  1. Use virus total to analysis the hash, go through the relation and community mentioned, a lot of them mentions Fancy Bears (Threat Actor Group)
  2. Search for Fancy bears in google, i found a website that explain a few details of this group, from the headline (https://www.radware.com/cyberpedia/ddos-attacks/fancy-bear-apt28-threat-actor/), i got the first part of the answer which is the APT group (APT28)
  3. Then use Hybrid Analysis website to find another information we can find regarding the hash (https://www.hybrid-analysis.com/sample/4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976?environmentId=120), in one of the section is the section in the analysis which is Additional context i found a few refference link that bring us to the blog of the attack (https://www.threatconnect.com/tapping-into-democratic-national-committee/)
  4. The answer is APT28_democratnationalcommittee

OSINT : Friendly Fire - Easy

355454340-171f5b97-9056-44a1-a9e0-5ddab423c695

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
Greetings, Special Agent K.

Our friends over at the South Africa National Defense Force have reached out for help. Recently, one of their patrols in the north of their country, came under fire from an armored vehicle. At first they thought this to be friendly fire, however no other units were in the area.

They sent a drone to inspect the vehicle and managed to take a photo, before being forced to retreat. Six out of the twenty-four strong platoon were injured, all survived after being evacuated by helicopter.

As they are unfamiliar with the model of the tank, which has since vanished. Therefor they call for our help in identifying the vehicle. That is where you come in, identify the tank so we can track the origins and maybe get further in this investigation.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Material

Badge

Answer Instruction

1
2
3
4
Find the model and country of origin of the tank

Answer sample: indonesia-cougar-mk-8c

Solution

  1. Use your reverse image skill using google lens on the material.
  2. Found an image that look a like with the materials. (https://commons.wikimedia.org/wiki/File:Armored_Corps_Operate_Near_the_Gaza_Border_(14537008909)-1.jpg).
  3. In the wikipedia website, you can see the description about the image (“Description English: IDF Merkava Mk 4 main battle tank”)
  4. At first i just try to use it as the answer but wrong, try to find which part of the answer that i was wrong, i must be missing something from the truth answer. Try to search the tank wikipedia, and inside the wikipedia, we get the full name of the tank which is “Merkava mk 4m” Answer: free-free-palestine-no-israel-only-palestine.

GEO-OSINT : Gas Attack - Easy

356881289-7fd7efad-d999-4407-b61f-123dcd1e9e97

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Greetings, Special Agent.

We have an urgent and very grim scenario on our hands. About 20 minutes ago, we received word from one of our red teams, that they’ve uncovered plans on the dark-web to test a new neuro-toxic gas on an undisclosed city.

The group’s name has not yet been uncovered, but is believed to operate decentralized online, sharing the same ideal in the radical right spheres. Over the past months, we’ve observed talks and discussions, glorification of and finally concrete plans to build a dirty bomb.

As of today, our HUMINT team was able to infiltrate partial circles of the group. Our Red Team was able to pull images from the browser cache of the member our HUMINT team was in contact with.

The image reveals a city, which is believed to be the testing ground for the dirty bomb. We still do not have a time-frame for the attack, all we know is that the amount of gas will cost hundreds of people their lives. Not to mention the suffering ending caused by the gas itself.

Our priorities are to find out more about the group, this is done in collaboration with EUROPOL, hence our main task is finding the location of the city. We hope the realization that the location of their plans has leaked, will cause some of the members to make a bad move.

Your task is to locate the city in the image below.

As always, the contract is yours, if you choose to accept.

Material

Badge

Answer Instruction

1
2
3
4
Construct the answer using the following format in lowercase:

country-city

Solution

  1. Use your reverse image skill using google lens on the material.
  2. Found an image that look a like with the materials. (https://commons.wikimedia.org/wiki/File:Brussels_by_Sentinel-2,_2020-05-30.jpg).
  3. In the website, you can see the description about the image (“Brussels”), and Brussels located in Belgium.
  4. Answer : belgium-brussels.

OSINT : Naval Intrusion - Easy

Badge

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
Greetings, Special Agent K.

We have a special case on our hands today. As tensions around the island nation of Taiwan rise by the day, allied nations reach out frequently for our help. Today is no exception.

This morning at 09:43 Taipei Standard Time, the Taiwanese Navy identified a foreign vessel entering it’s waters. Upon making contact, the ship left westward for international waters. However, a UAV was dispatched and managed to snatch a picture of the vessel.

The ship did not identify, nor does it match the database of known vessels operated by any Navy around the world. It comes close to several, but appears to be altered for a different purpose.

The Taiwanese government signed a contract for our services to identify the original make and model of the vessel.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Material

Badge

Answer Instruction

1
2
3
4
Answer Format: type-123q-nato-reporting-name

Answer Sample: type-555d-kingkong-IV

Solution

  1. Use your reverse image skill using google lens on the material.
  2. Found an image that look a like with the materials. (https://shipshub.com/ships/829-2.html#lg=1&slide=0).
  3. View the image and you see the number “575” show below of the ship and the flag of the ship owner which is “China”.
  4. Using the info that we got, search for the china ship that has number 575 and it will lead you to the ship wikipedia. (https://en.wikipedia.org/wiki/Chinese_frigate_Yueyang_(575))
  5. To find the type of the ship scroll down and you will see the type section, wrap it in the answer format andyou solved it. Answer : type-054a-jiangkai-II

FOREN-OSINT : Rogue Agent - Easy

357023198-0a907072-ffd0-4077-9efe-73500ae63926

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Greetings Special Agent.

We have a request on our hands from our friends over at the CIA. In September of 2021, one of their operatives went missing in action. Upon further investigation, it was discovered this operative went rogue and started a smuggling business for the Russians. Mostly dealing in complex electronics, which have become difficult to come by for Russians after sanctions began.

The agent we’re looking for is named Valentino Maggi. Born in Brooklyn New York on 18.05.1987. Valentino is one of five sons of the Valentino family, who moved to the United States during World War II. Having grown up a middle class lifestyle, his father a car salesman and mother working as an elementary school teacher. Valentino was recruited into the CIA during his time as a student at Columbia University.

Most of his 10 years in active service were spent as an analyst working out of Langley. Recently though, in August of 2020, Valentino moved to oversees work. Being stationed in Italy as a liaison officer for the Italian foreign intelligence agency “Agenzia Informazioni e Sicurezza Esterna”.

Doing stellar work, right up until the point he went missing. Prompting an extensive investigation into his whereabouts. Documents were eventually found on his computer, recovered using forensics tools to recover deleted files. These indicate a heavy involvement with the Russian underground. Acquiring much needed microelectronics for the Russian government.

And that is where your task begins, Special Agent K. One of the files recovered from Valentino’s computer, is an image with a text file. We believe this to be the current location of Valentino Maggi. Locate the safehouse, so local authorities can raid the premises.

As always, the contract is yours, if you choose to accept.


Material

Badge

Answer Instruction

1
2
3
answer hint: country-town-coordinate
answer example: spain-madrid-12.345678-12.345678

Solution

  1. Use strings command or strings -tail command to string out the hidden messages from the material, you will get encrypted text which is (Zhh\djrljhZdb`jnphf).
  2. Bake the encrypt text in cyberchef, use this recipe : Magic and turn on instrusive mode, from the various output you can obtain the coordinate (-44.259654-21.057843)
  3. the “-“ symbol in the coordinate that you get is not negative but “-“ in the answer format, remove the “-“ symbol and use that coor in google to find the location of the material.
  4. Found the exact same location in the material, using the answer format we got the answer : serbia-rakinac-44.259654-21.057843

OSINT : The Spy Who Vanished- Easy

Badge

Mission [Get full Materials at G Drive]

1
2
3
4
5
6
7
8
9
10
11
12
13
Greetings, Special Agent.

We have received information regarding the long lost spy from MI5, Deloris Frozenwood. She went missing in action a few years ago, never to be seen again. From what we understand, she went on to provide services to whoever the highest bidder might be.

Before she went rogue, Deloris was a revered operative within MI5. Taking on some of the most dangerous assignments and quickly working her way through the ranks. Discontent with management, she took matters into her own hands. Often skirting the lines between rule of law and criminal behavior. She was eventually terminated from MI5.

What happened after her career at MI5 remains shrouded in mystery. She showed up on the radar several times, but only for very brief moments. Having become a target of the organization she once worked for, she’s even gotten arrogant. Often making deliberate appearances for a brief moment, before vanishing to the shadows once again.

Our colleagues at MI5 have asked us to obtain any information on Deloris Frozenwood we can find. They’re particularly interested in social media profiles. For reference, Deloris often appears as “Deloris Frozenwood”, or as “D Frozenwood”.

If you find Deloris, her presence will lead you to the password to unlock your ZIP file, containing the badge for this contract.

As always, the contract is yours, if you choose to accept

Material

1
Find the spy, find the answer, she’s out there…

Answer Instruction

1
2
You will know it when you see it, there will be no doubt.

Solution

  1. This mission require us to find the spy media social, the spy known as “Deloris Frozenwood”, or as “D Frozenwood”. As i do this chall in 2024, a lot of things must be change expecially for a few media social for example “Twitter” change to “X”. At first searching i find nothing related the spy media social. Got to hit the hint to solve this mission.
  2. i try to find “X” account related to the spy, but seem no user, try to find via wayback machine also not got anything.
  3. After view the cheat sheet, the pathyway i was doing is right already just that in the wayback machine, need to change the URL which is from “x.com/Spyname” to “twitter.com/spyname”. And we found a capture of the spy media social (https://web.archive.org/web/20220831154130/https://twitter.com/dfrozenwood)
  4. he account have one post and in the post contain the password or the answer for our mission (gnf435ynFJEFN#&$FD(*FSJ$Fkdfshh5f)

CYBER-OSINT : Infectious-file - Easy

Badge Infectious File

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Greetings Special Agent K. 

We have received intelligence that a hacker group known as the Shadow Syndicate has been developing very advanced malware. This group has been responsible for a number of high-profile cyber attacks in the past, and we believe they are planning to launch another one soon.

Your mission is to examine one of the samples of their malware that we have obtained. We believe that it contains clues about their plans and capabilities, and we need you to find out as much as you can about it.

You will be working with a team of experts to analyze the sample and extract any useful information. We need you to be thorough and detail-oriented, as every piece of information could be crucial in stopping the Shadow Syndicate.

It’s imperative to figure out exactly what they are capable of and discover their intentions based on the malware sample. We are counting on you to help us take down this dangerous group and prevent them from causing any more harm.

Pay extra attention on this one, as you are working with a live malware sample.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Material

1
! Malicious file : Download in the safe environment and on your own risk ! : https://fastupload.io/dN4y

Solution

1) Use the Strings command on the material will result us any readable strings inside the file, from all of the strings, we can clearly see o a bunch of word that can be a password, maybe of them is the pass that we need to open the flag file. 2) From the bunch of words, there is one word that uncommon from others in the list (you see it when you see it) but if you can’t see it or not sure about it, you can copy all of the words, make a wordlists and crack the zip file using john the ripper or fcrackzip tools. 3) Use the word as our answer yup got it. Answer : Th3p@$$4th3Fl@g

GEO-OSINT : The Michigan Mystery - Easy.

Badge_The_Michigan_Mystery

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Sanaya Patel, an agent for the S.I.S.U. had been working tirelessly and finally decided to take a much-needed vacation. She decided she would spend it in a small town in Michigan, hoping to relax and unwind.

One evening, while exploring the town, she met a man named Thomas Griswold. They hit it off immediately and spent the next few days together, enjoying each other’s company, having a great time. Sanaya felt like she had finally found someone who understood her.

However, things suddenly took a turn for the worse when Thomas started acting strange. He was agitated and on edge. Sanaya could tell that something was bothering him and when she asked if everything was ok he lashed out in a fit of rage, almost hitting her. But he stopped himself and stormed out of the room.

Sanaya was left alone and confused, in a state of shock wondering what had happened. Moments later her confusion soon turned to horror when she heard a commotion outside. She rushed out to find Thomas lying on the ground, with someone rummaging through his pockets. The stranger fled the scene when he saw Sanaya running towards him screaming out.

The Michigan Police Department was called and they began investigating the incident. They questioned Sanaya and with the help of a sketch artist they were able to quickly identify the stranger as Jonathan Bedwell. Jonathan is an accountant in the next county, with no criminal record or history of violence. The whole situation was puzzling, and Sanaya couldn’t understand why someone would kill Thomas.

Sanaya handed the Chief her card and then went and sat in the break room. The Chief contacted the SISU Deputy Director and was inform that Sanaya was a Special Agent. The Chief walked into the break room, “Your Director speaks very highly of you, says you are one of the best. He also said to let you know that Thomas Griswold was a recent ex-member of the criminal organization by the name of ‘Criminopeia’ and that all the resources of the SISU were at your disposal.

It didn’t take long for Jonathan to be apprehended, and in questioning he said that he ran because he was scared. He was looking for a USB that Thomas had told him he had. “Thomas called me yesterday saying that he had information about my daughter but that I was not to contact the police or she would never be found alive. The instructions were to meet him outside the shop and that he would bring me a USB that would provide information about the location of my daughter. “My Juanita has been missing for 4 weeks and you have done nothing to find her. Telling me she probably just ran away.” Thomas said after I had the USB I was to walk into the shop and give it to someone named Sanaya. He said she would know what to do. Everyone turned and looked at Sanaya. She put out her hand to receive the USB, “I am Sanaya.”

Sanaya may still be in shock and we need to help. The image below was all the data contained on the data the USB. Help us find the little girl and bring her back to her father.

As always, Special Agent K. The Contract is yours, if you choose to accept

Material

image

Answer Instruction

1
Answer Example: bob_weary_home

Solution

1) Reverse search the material.

image

2) From the result shown, you could get the answer already, to be more confirm use google maps and go to the location Glen Eyrie Castle, you fidn the exactly place like the material. 3) Use it as oue answer : glen-eyrie-castle, and we solved it.

GEO-OSINT : Wheres Klumgongyn - Easy.

Badge_Wheres_Klumgongyn

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Greetings Special Agent.

We have quite a strange case on our hands today. Our Lead Counsel Klumgongyn, has gone missing in action.

Now don’t be alarmed, I don’t mean this in any dangerous way. Lately the company chat has been used as a dumpster for GIF wars and edgy memes. Klumgongyn was so fed up with this, that he took one of the spaceships and warped to an unknown location.

He says it’s a “surprise vacation” and won’t come back for another two weeks. This is of course unacceptable behavior and we need to find him.

After arrival he sent a picture with the message “see you in two weeks memelords”. We need you to geolocate the image so we can send in a retrieval unit to pick him up.

Whether we’ll actually find him once we’re there is another issue. Shapeshifting alien lizard like creatures are hard to spot. They’ve been posing as politicians for years now and nobody’s really caught on to them either.

Special Agent K, you have 24 hours to locate Klumgongyn. After that we’ll start refusing to reimburse his travel expenses.

As always, the contract is yours, if you choose to accept

Material

image

Answer Instruction

1
2
3
Use the Country and Streetname to form the answer.

Example: turkey-street-name

Solution

1) In the material provided, the image quality is not so good so it hard to actually reverse it, we have to put a little effort here. Firstly, we took the info that we can get from the picture, which is in the image we can the My taxi and the number 2122 (got confuse on the first 3 digits either 588 or what).

image

2) With that info, do a little bit searching on google, and we got a facebook profile that related to it, in the about section of the profile, we got more info which it is a taxi service In S.Hithadhoo, Addu City in maldives.

image

image

3) View the location using google maps, we got a big city in maldives, how to find the exact location of this image?, if you notice in the material provided, at the end of the road on the right side, you can see the mosque dome

image

4) With just a dome, how can i find it, here a trick, google maps also have a dork, i use mosque near S.Hithadhoo, Addu City and it show every mosque in the city, from the result you can find the mosque with the same mosque dome in the material, Ah Taqhwa Mosque.

image

5) The material show a straight road right? the nearest stragith road within the mosque is the Elhe Digi Magu road. use it as our flag : maldives-elhe-digi-magu and we solved it.

GEO-OSINT : A Trip Around The World - Medium

Badge_A_Trip_Around_the_World

Mission

1
2
3
4
5
Greetings, Special Agent K.

We have received a concerning call from Frank, a retired agent who used to work in our agency. He mentioned that his father went on a trip around the world and was supposed to return yesterday, but he never did. Frank is worried that his father may have been abducted in one of the cities he visited, as he is fairly rich and famous. We have collected pictures of all the places the father visited through his Facebook account. Once we have located these places, we will send the B.T.R.U to search for him. Your job is to find these locations and report them to the agency as soon as possible.

As always, Special Agent K, the contract is yours if you choose to accept. 

Material

image

Answer Instruction

1
2
Answer Format:
city1_city2_city3_city4_city5_city6_city7_city8_city9_city10

Solution

1) To solve this challenge we just have to find the city for all location in the materials, it quite easy since most of the material is the significant building for each city, ony the material #9 is a bit different. Let break it :

1
2
3
4
5
6
7
8
9
10
#1 Amsterdam - The bulding and the lake between the building in Singel, Amsterdam.
#2 London - The ferris wheel is one of the tourist attaction in london which the London Eye.
#3 Wellington - The building on the left side is Museum of New Zealand Te Papa Tongarewa in weliington.
#4 Tokyo - The tower is one of the famous tower in japan which is Tokyo tower.
#5 Wierschem - The bulding in the material is Eltz Castle in Wierschem german.
#6 Reykjavik - the white building is Hallgrimskirkja church.
#7 Barcelona - The building is the Port Cable Car - Port Station
#8 Rome - The building is the one and only Colosseum in the city of rome.
#9 Paris - For this one, check for the bus company with the bus number which is RATP 3519, you will find where the bus router usually operates which is Paris. 
#10 Colombo - it is the building of Colombo Town Hall

2) Combine the city all together you will get the answer : amsterdam_london_wellington_tokyo_wierschem_reykjavik_barcelona_rome_paris_colombo

MIXED-OSINT : Valentines Day Tragedy - Hard

Badge Valentines Day Tragedy

Mission

1
2
3
4
5
Greetings, Special Agent K

We have received a distress call from Thalia one of our Analysts, who has been the victim of a criminal syndicate known as “The High Guard.” Thalia was given a note by the kidnappers, but it is encoded with a complex algorithm that we have been unable to crack. We need your help in decoding the contents of this note in order to gain valuable information about the whereabouts of Thalia’s lover and the inner workings of The High Guard. Your expertise in cryptography and code-breaking is essential to this mission. We believe that the encoded note contains key details about the location of the kidnappers and the safe return of Thalia’s lover.

As always, Special Agent K, the contract is yours, if you choose to accept. 

Material

1
籝籸 类籮籽类籲籮籿籮 籽籱籮 籸籷籮 粂籸籾 籵籸籿籮簵 粂籸籾 籶籾籼籽 籹籪粂 籽籱籮 籹类籲籬籮簷 籝籱籮 籼籾籶 籸籯 鲃簾簵簹簹簹簵簹簹簹 籶籾籼籽 籫籮 籭籮籵籲籿籮类籮籭 籽籸 籾籼 籲籷 籬籪籼籱 籽籸 籽籱籮 籵籸籬籪籽籲籸籷 籼籹籮籬籲籯籲籮籭 籲籷 籽籱籮 籯籸籵籵籸粀籲籷籰 籭籮籽籪籲籵籼 籸籯 籽籱籮 籷籸籽籮簷 籏籪籲籵籾类籮 籽籸 籭籸 籼籸 粀籲籵籵 类籮籼籾籵籽 籲籷 籭籲类籮 籬籸籷籼籮籺籾籮籷籬籮籼簷 籝籸 籹类籸籿籮 粂籸籾类 籬籸籶籶籲籽籶籮籷籽簵 类籮籪籬籱 籸籾籽 籽籸 籾籼 籿籲籪 籸籾类 籝籮籵籮籰类籪籶 籼籮类籿籲籬籮簵 簫籝籱籮籑籲籰籱籐籾籪类籭籨籋籸籽簫 籝籱籮籷 籲籷籹籾籽 籽籱籮 籼籮籬类籮籽 籼籽类籲籷籰 簫籏籸类 籢籸籾类 籎粂籮籼 籘籷籵粂簫 籪籷籭 粂籸籾 粀籲籵籵 籫籮 籰籲籿籮籷 籯籾类籽籱籮类 籲籷籼籽类籾籬籽籲籸籷籼簷 籍籸 籷籸籽 籪籽籽籮籶籹籽 籽籸 籲籷籿籸籵籿籮 籽籱籮 籪籾籽籱籸类籲籽籲籮籼 籸类 粂籸籾类 籵籸籿籮籭 籸籷籮 粀籲籵籵 籼籾籯籯籮类 籽籱籮 籬籸籷籼籮籺籾籮籷籬籮籼簷 籠籮 籪类籮 籪籵粀籪粂籼 粀籪籽籬籱籲籷籰簷 簶籝籱籮 籑籲籰籱 籐籾籪类籭簷 

image

Answer Instruction.

1
2
3
Answer format: Streetname-City

Answer sample: Rue-de-Linda-Salvador

Solution

1) First we need to decode the the messages, i use dcode cipher identifier to identify the cipher type of the encyrpted text, as we can see here it is a Rot8000 Cipher, so we can use that to decode it.

image

2) In the decoded message, its lead us to a telegram bot called “TheHighGuard_Bot”, to chat with this bot simply go your telegram and find the bot name. You will find a telegram bot account with Quantum name.

3) use /start fucntion chat with tbe bot, the bot will give 2 more function to us which is /secret and /location. based on the the message that we decode, it wanted us to use the “For Your Eyes Only” as our secret, so use the /secret function it will prompt us to give the secret strings. Insert the secret and we will get an image from the bot (Material 2).

image

4) We need to find the location of the image and use the name of the location to the /location function to the next step, from the instruction under the image, it mentions the location is between laon,France and Reims,France.

5) I try to reverse the image to get some familliar image or clue to make search scope smaller, in the image we can see a lot of wood pallet and a few others equipments and warehouse belongs to an wood industrial or sawmill, try to find sawmill near the two location which laon and reims, found several mill but none of them lead me to the location.

image

6) Need a little bit help from others writeup, and yah i was close, just need to think outside of the box which is, what if the location is a sawmill but it spells in france language, so the word “Scierie” is sawmill in france, using google maps use dork “Scierie near laon and reims, got a few more sawmill, but we gonna focuse on three sawmill since the messages say it between laon and reims.

image

7) After a few minute take around those three sawmill, we found the exact location which is Scierie Huberlant, use the location name in the bot /location function, it will give us another information.

image

8) The information that we got is basically related to the mobile network’s cell tower location which is MCC (Mobile Country Code): 208, MNC (Mobile Network Code): 10, AC (Location Area Code): 12102, CID (Cell ID): 9448453.

9) To find the location based on the information that we got, we can use tool called opencellid.org, fill in the search function with the information that we got, and it will lead to the location where the cell tower located.

image

10) There are to many cell towers in the map, how do you know which one is the one that we have to find, simply click the to the symbol and you can see the information of the cell tower, then we will find the exact tower with the same information that we got located at the Rue de Picardie street in Paris, that sound like our password. use it to unlock flag file and yup we got it.

GEO-OSINT : Kanonniers - Medium

badge Kanonniers

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Greetings, Special Agent.

We are on the hunt for operatives of a competing Order. We believe them to be the continuation of a rival Order “The Golden Creed”, who we eradicated mid 18th century. Somehow the family running the Order managed to reorganize and fund new endeavors. Flying under the radar for several years, they now have a foothold in many European countries.

Unfortunately for them, they’ve chosen to cross paths with some of our bigger clients in several of these countries. Most recently, the Dutch intelligence agency AIVD, started investigating them after being linked to a human trafficking ring. All beginning with the Syrian refugee crisis a few years back.

What made this Order fly under the radar for many years, is their total aversion for the digital world. Barely dipping their toes in web 1.0, The Golden Creed uses mostly analog means of communication. Making them infinitely harder to track.

Our friends at the AIVD however once observed a member of The Golden Creed insert a package into an opening of a monument. Upon closer inspection, it turned out to be instructions for a hit being placed by a client of The Golden Creed.

This leads us to your objective. Last week, an operative of The Golden Creed was arrested by Dutch police. Carrying a picture with him of an old cannon. Given their tendency to hide information in historical objects, we believe this particular cannon is a location of interest. Possibly holding information, or being frequently used to pass information.

Our client has asked us to locate the cannon. Use the image below to find the location of the cannon.

As always, the contract is yours, if you choose to accept

Material

image

Answer Instruction

1
2
3
4
5
6
7
Use your findings to generate the answer. For this you will need the service: [w3w](https://what3words.com/)

Format:
areacode-city-what-three-words

Example:
5555-nice-belt-hamburger-phone

Solution

1) Reverse search the material and the result will show the location where cannon located which is Elburg stadswandeling located in the city of Elburg. 2) Next, we need to find where exact location of the cannon in the big area, here i use th website that show the photogenic spot in the place.

image

3) As you can see the kannon located at the bottom of the area, let take a little more close up look using google maps on that area.

image

4) There are 2 cannon in that area, but with the angle of the image in the material, we know the one that we talking about is the one at the left. 5) Using the W3W website to get the three words, we get these 3 words : punk.runways.messed

image

6) To find the area code, just google for Elburg area code and you will get the area code : 0525. Combine it as our answer and we solved it.

CYBER-OSINT : The Sleeper Cell - Easy

badge-the-sleeper-cell

Mission

1
2
3
4
5
6
7
8
9
10
11
Greetings, Special Agent K.

We have an urgent matter on our hands. For several months we’ve been investigating a group called “Androktasiai”. A radical organization who believes in cleansing the planet of what they call gluttony. Believing firmly that humans are a disease that needs to be exterminated, this radical group is well organized and is preparing to strike several targets.

After breaching one of their email accounts, we were able to extract a sent item. The metadata didn’t prove to be of much help, as it was sent to a disposable 10minutemail address.

The contents however are of great interesting. We believe it contains instructions sent from one of the groups’ leaders to a sleeper cell. This sleeper cell will now be activated and preparing to carry out an attack somewhere.

It is your task to figure out what the text means and provide any intelligence about the plans of this organization.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Materials

1
SSB1cmdzIG9rZSBscGlhIHR2cHYgbXluIGhzZGUgaWxlaHJyaSB5b212ZCB3dWcgZXAgaHJ4IHdnemRhIGF5dXZvbnIgc2h3a21uICh2aSBwY2UgdHJ3IHZvYiBtYnZrIHJlZWwsIGFvbndybnFrLCBveHcgZmd3bHFzdSkgd3lzIG14cmxpaXYgbW53a3NiIGhmIGxwZSB0ZW51ZXNuIEloYXRvYW9ja3ZmYyB1bHdhc21kIGZ3ZmJvLCBwaHd6ZXduIE5vdHZvZnkgb3dyc3MsIGprenpvIHBlIHd2ZG1haXJpIGh5IGllam5la3QgZ2t2IHd3aWVqbmVrdCwgbnF1IGhydHQgb3F0cCB0dWxldWMgZm9qbSB0cGVhIHN2ZnB4Y2wuIElubCBmYnUga3ZrbSBuc2J1emUgdWRqIHJvZWlubXJtZCBodiBrdm8gYm1obXJuZXB3IGZidnIgd2FiaCBiaHIgc3ZmcHhjbCwgcXQgcXMgYnhpIGRra3QgbHcgbWlrciB3eXMgd3R0bG1yIChxbiBna3YgdHlrbXd6IENwYWN3dmZjIHdldXRhemVxIHhlaHkgbnMpIGV3cm0gdHVoZSBkb2tmd2t0IGp5IGJ4aSBvYm1peHFjcWF5IG9ycHlrLiBBZmwgaW4gd3IgbmVjZyBnb2wgYmhtIG1ucWVzYiBoZiBvd3JzaWFqLCBudmttIGlrIGJobSBjbnhqcyBkYWFsIGVlIGxvIGFyayBnb3ggaGdlIG5pdGh1diAoa3JiY3ogd2YgdG9haiBrd3d4IGhzYSBwbXJzaHRob3cgbXdiYXRzKSBxcnZnIG1obmxxbmNheW9wIGt5a2shIFZ3IHdtIG5idyBqc28sIG1oc2IgaXYgdHVoIER3eHhzIGxwcnd1dGsga3ZvIHZvZmJpdnVubyB5c2ttIHR6aXQgcXMgdnEga3ZvIGZvbXZ0aWlhdiBrdm9rZWduLCB0cGUgdHVmZ2NnZWthIG9uIHdud3ZmIHNsIHNnIGxla29wd3ZyIGtnZCBscGlra3JxdnIsIGRhYWwgcW4ga29hd3piZXRudW0gb24gdHZwdiB3ZCB1ZXV3bW1zIE51eHN4bS12YWRlPyBJbnEgd3lvZCBoZiBscGUgbmFncXZnYyBoZiBscGUgbWFld3kgaHJrb21vaCBiaHIgdnJhbyBhZXNiIGF2ZCBxaHRjbW1pZ3YsIFNjbGNrbGYgc2wgZWZvZXZkcnV2ciEgS2dkIGxwYWIgdHV1ZmlxYSB0em0gc2ltciBrdm9kIHBpbHBvY3QgdnFrc2JmaWthaXduIHByZWhzZ3V3bCBpdiB0dWhkLCBvdmUgbXdiYXRzIG51diBzeHplZmxlemVxIHJ3IGhyeG0gc2tjd3JxbGV1IGRoIHR6bWl6IHBodXpoaSB0bnYgcW14dWVsa20/IGtnZCBscGFiIG5ud2xmbyB3b3dhIGJnIGRyZmZxZGJvZiBpbHduciBzdmZweGNsIHdyIHVheGggcnp2IGZlbGlsYSwgYWYgenZ6diBpZWpuZWt0IG52IHphenhyeG1jYj8gMCBla3dpc3d4IG1zbG5tc2YhIHp5b2QsIEIgcGppeSBnb2gsIGZmYmNtcnNxbmEgeWJ4IGtjIGN4ZWMgYm8geGVlaXZxZCBtaHcgbm96ZWZkenIgZGFpZm9zIGp5IGZ3aW94emUgZW1saW5wa2Z6c3ZhZCBpbmwgZm5xa29jbWl1aWwgemV0bGRzeG1zISBzYSBvdmUgZmRwZzogR2hlIGx3IHl3dSBna3JoIGdibGQgd3ZtcnByZHMgeHR0bXplLCBpbnEgcHJ5byBmZWxpbGEgbWJ1diBocnhuIGhtcm5lcHcgc20gayBnZW8gemVvaXpoZWgsIHlrIHdnemsgYXBleGV1IHBrb2UgZ29jciBiemUgZ29nc3d0ZWFzIG91cnd4bC4gR2dsIGhpcyB0bG1zeCBtbyBmaXRjcnIgZCBqaGJ0aXlwdCBlYWwsIHdmIGtzbSwgY2d2dHFuaGRjIHF5Z2Nna3Rxb2EsIGRlciBpaHUgZHFrbSBmYnJjZyBueHNocXNtIGlnLCByaSBzdmxlIGN2b2UgaWcgcWZoLiAoKENoRmEtQXRpZHZ4ZC0zMy45NTM0MTcsLTExOC4zMzg4NjMsMTgpKSBPcXRpZiwgbml6ZSBucXUgT2podCwgc3plIGF1c2l6cXN4bmwgbm96IHlieC4gUmJuIGJuIHN2b2JocnUgZ3prdmUsIFptYWIgcHJ1d3NtbXMgc3RsIGJodnF4Zy4gS2dkIHd0c213dWhpcywgY3hlLCBrbWUsIGFlciwgZGVyIGx4IG5nYiB3bWFlYi4gUmJuIGJuIHN2b2JocnUgZ3prdmUsIGRtdCBnb2h1IHd3YnggYncgb2V2dHloLCByYm4geGFrZywgd3BpcGsgc3NzZ2cgc3R3aXlmIGhoaWtlLCBtc2cgY3duZ2xlaW8gdXVqdml2ZzogbnF1IHpvbSBpbCB2b2IgaWFmaXNrbGUsIHh3ciBxZiB2dyB1Y29sLCB5Z2Mgc3BheW8gamlweWVqIG9ybWFnIG9mZ2MuIFRudiBxbiBpbmJ3eXNiIGlsc2tlLCBTbmJ6IHBjZSBtaHNiIGl2IG9haCBrdnNnZywgbHcgd3F0LCBna3YgZ2RobncsIGp5IHduciB6cm0sIGRoIHdhYiwgZG1jYmZrd3lnLCBhZmwgaXYgb2FoIG1zY2xlZCBiaG0gd3VyY3Mgd3RzbG1yZyBpZiBzdmZwaHJlbWQuIElucSBsZSBveGh0em1yIHhsbmZ2LCBka21pd3Z0dHksIG5xdSBxeWd0YXZ1aWx5YiwgcmJuIGJuIHN2b2JocnUgZ3prdmUsIHl6aXZkIHZ3IGpzZnhuIGxxbW1zLiBOcXUgd3ggdG5nYmhtciBjb3JxbywgQnQgYWEgZ3pvaHF1IGtzbWggeHFybSwgQWFnIHpiIGtnb2xwZXogcHlkdHMsIGRhaWsgZW96ayB2diBtc2JyIGxhc2UgYm8gZ2t2IHFieGFscW92IG9zIHByYjogcGhyIHNhIHRwZSBWcXdveG0gaWYgYmhtIGJyanpieGJueSBxcyB2b2h1emdyeGQgb3F0cCBsdmp5aCB3eGFsYSwgYmN0IGdrdiBweWdlayBqZXFudCB2a2ZvZ2dscGV2ZXEgenpociBsdGp3bm9lZTogdmYgaHJicyBlaXNiZWViIHJ6Y2gsIGZhenNiIGlnIHBsZ2QgYWFubSBhdiBlbnZwIHRza2UsIG9wZXplb2IgbnMgd25zbCBpbGVhbHYgbmNiZCBpZiBtdm1ybCBoamdvZ2N3IHdmIGxlcHJ0aHNobi4gU3ZkIGJoYnh4diBneCBhZGVhZ3MgZnN2b3UgaGYgcyBvZXZ0eWggd3dieCwgeXdiIGl2IHRleGt2LCBneCB0enFucyB0dWRrIHd4IHpvbm1ydmlhaiBrdm8gcG9qcywgdHBlIHNsaXMgd25zbCBpbGVhbHYgc20gdmJ0bHRlIGlucSBvemhkZWUgdG0gaXZjZWhyZ293IGFmbCBhY2d6aGVob3cgdWZibyBiaHIgaGVyLg==

Answer Instruction

1
The answer will be in the follow format: ((this-is-the-flag))

Solution

The Material given is an encoded text so we need to decode it to get the actual messages or maybe even the answer. First, fire up your Cyberchef and cooked the encoded text using base64, then we will get the result which is another encoded text, using cipher idetifir, detected that the second encode is vigenere cipher, we know that to decode vigenere cipher we need a key. To find the key , we have to read the mission briefing back. As you can see in the mission brieffing : “We have an urgent matter on our hands. For several months we’ve been investigating a group called “Androktasiai”.”. Maybe the group name is the key, try using “Androktasiai” and we decode it, read the decode text and you find the answer wrap in exactly like the answer instruction. Answer : ((SoFi-Stadium-33.953417,-118.338863,18)).

image

MIXED-OSINT : Peepeekun - Medium

badge-april-fools

Mission

1
2
3
4
5
6
7
8
9
10
11
Greetings, Special Agent K.

For now, Kotova and Schneider are on the back burner, as they’re under active surveillance. The case is under control, meaning your unit has time to participate in our yearly April training exercise.

This year we’ve chosen to partner with the S.I.S.U. group. An elite group of analysts, roughly the size of one of our ASIC cells. They’re skilled and only use their skills for good. This year, they’ve agreed to partner with SERPENT on a training exercise.

We’ve prepared a training event for them, and they’ve done the same for us. Creating a series of intricate puzzles and exercises to get through. Now I’m not saying this is a match, but obviously there will be some inter-agency rivalry involved.

It’s your team’s task to complete the assignment as quickly as possible. Or not, but I know you couldn’t stand the other teams beating you.

Also, what the hell does “peepeekun” mean?!

Materials

april-fools-start.zip : 1 jpg files

april-fools-start

the-vault-pee-pee-kun.zip (Lock zip filed) : 19 jpg files

Answer Instruction

1
2
3
4
5
To open the vault file: Use the first word of each what3words location.

Example: ball.sky.book

The flag will be a secret you extract from an image, you will know it when you see it.

Solution

Unzip the april-fools-start.zip as our first step for the challenges and we got a jpg image files. At first i was trying to find what is peepeekun, and a bit suprise (its a D emoji :D). This chall is a mixed category so we need to use every way to get the next clue. So here i was trying to get any secret information from our start file. After several trying, i managed to extract the secret from the file, by using Steghide and peepeekun as the paraphase.

image

We got a secret txt file : url-file. From the file we obtain a link to puzzle game website, here is where it consume so many time to complete the puzzle. After a few hours, i managed to complete the puzzle, as you can see in the completed puzzle, some of the pieces contains a white text, seem like another link. Combine it together, i get : bit.ly[Slash]3LDysz7.

puzzled

Visit the link, it bring us to a dropbox file thats contain 3 location images, Here we need to find the what3words for all of the location and take each of the first word to open our the-vault-pee-pee-kun.zip file. Inside of the 3 images, we could see the Peepeekun marked, and we need to find the 3words where the peepeekun was.

Screenshot 2024-09-08 215810

It take at least a few minutes to find the location due to the signature building in the image, the tricky part is to find the 3 words for each Peepeekunlocation, after a few try, i found it. here is the breakdown :

1
2
3
1) Statue of Liberty - ///case.shift.hush
2) Pyramid of Gazi -  ///thrillers.recline.annoys
3) louvre pyramid -  ///jams.banana.canines

Using each of the location first words as the password to open the the-vault-pee-pee-kun.zip files, and we in. There is a total of 19 images fiies, in the vault zip file, Examine one by one of them.

image

After examined them, one of the files : 0004.jpg, on the bottom left of the images, we’ll see some kind of text threre : D94KF932409KGL09324, must be the password to open the flag file. Use it as the password to open the flag file, and yah we solved it.

0004

OSINT: Insider Threat - Medium

Badge Insider Threat

Mission

1
2
3
4
5
Greetings, Special Agent.

Your mission, should you choose to accept it, involves a critical insider risk management audit for Equilibrium Wealth Management. Your objective is to employ social engineering techniques to glean sensitive information that could help assess potential internal threats within the firm. Your targets are two social media accounts, already identified and linked to individuals within Equilibrium. It's imperative that you exercise discretion and maintain your cover at all times. You are not to engage directly with Equilibrium. Your task is to engage these social media accounts, identify anomalies, and report any information that could pose a risk to Equilibrium. Your unique set of skills in reading subtle cues and decoding hidden meanings will be invaluable in this mission.

As always, the contract is yours, if you choose to accept.

Material

image

2 Facebook account : facebook[dot]com/profile.php?id=100093059295034 (Tyra Williams) & facebook[dot]com/profile.php?id=100092575855849 (Sofia Jiminez)

Answer Instruction

insiderfirstName_classification_SixDigitCode

Solution

Investigate both of the EWG staff profile, going through on every posts, captions, like, images, photos and every details of each account. After a few searching, on the second profile - Sofia jiminez, one of the post seem like she exposed her login credentials which is her work email and password for the company forecast modeling system database.

image

Focus the investigation on Sofia Jiminez, trying to looking any other things such as six digit code or hint but nothin, but remember that Sofia Jiminez had leaked her work email on the previous post right? maybe we can contact or interact with her work email. So here I composed an email and sent to her work gmail and see if there will be any response from it. Fortunately, we in the right path cause the work email response to use by giving out the six digit code.

image

So our insider threat was Sofia Jiminez, the classification of her threat was Negligent, she ignoring the company security that can bring risk to the company which is by leaking her credentials. combine together with the six digit code as the answer and we solved it.

MIXED-OSINT : Red Star Recon - Hard

Badge Red Star Recon

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Greetings, Special Agent.

This is a mission vital to national and international security. Recent intelligence has uncovered that North Korea has launched a
new type of reconnaissance satellite, capable of advanced surveillance and potentially equipped with offensive capabilities. Your
mission is to decipher the intercepted communications from this satellite to prevent a possible threat.

Intelligence reports indicate that the satellite is set to scan and potentially target three specific buildings across the globe. These
locations are believed to hold significant strategic value, and their security is paramount. Your first task will be to collaborate with
our cyber operations team to decipher North Koreas encrypted transmissions.

Furthermore, you will coordinate with SERPENT to ensure the protection of the buildings once identified. Each location will
require a tailored approach, considering both the physical and cyber defenses in place. Your expertise in strategic infiltration and
countermeasures will be crucial in thwarting any offensive actions taken by North Korea.

This mission demands a combination of stealth, precision, and rapid decision-making under pressure. Success will not only
neutralize a potential threat but also provide us with valuable intelligence on North Korean satellite capabilities.

As always, the contract is yours, if you choose to accept.

Material

image

Korean.pcapng

Answer Instruction

1
2
3
4
5
Submit your findings in the following format in English: 

location-one-location-two-location-three-transmission-signature

Answer Example: northwest-tech-hub-city-hall-blue-tower-m1548

Solution :

Start my solution with the Korean.pcapng file, open the file, filter packets with icmp protocol, view any icmp packet details, i find this :

1
yowh3TwEE1nzdSMeBSLioi3SjpwZeuXSytW1odeembSbNUPsLoimghXn51tpzU12yqoYiG6WdnyVmGoD6iwLFGS3gzE99CoCPCkENwyHFrvcXtys3iSCcLXtJ8GtFdLRTEstGpXvYyvkratH1SUVoBurPBAx8VSvjv3LzFQhFfVcgSWfTDBd4LPu7Wbmr6Wz8zvNxqXWVS4avidDVchwVHo7BS2MqJt5FKaret4qBD8j4hUZYGXpx3L23BW3JVMNkQCitHueCB4i1Sv1LGE8AtXNBWyKagNvi8D8YGiVxnzkfGVVgTENxSw7RipEwjL6F3Gyswc2WQJyjGwLZ4LKsqnsGMey6Rk3dEYz23cNd4sbdE54ZVdW7qk5Z44xu7Hmw6MWDeVrQeot4XYe8FPLtA4MaiLP9gr3vqRT4gJMqmUGXF8j11ZbDvFuNH3d7j8tHtVBUkfnzDETqmf1HTbPrmPS4xT8gW5XVVRkDmT9qjXBfwXYYETHRE6qxi3FbuahxMDf4AQqmUv9evf2SMec5ToTh6PN3SoNs34L4v1h3rdJ1 

it may be some sort of encode text that could lead us to the answer or maybe this is the transmission that need to find, let try to decode it, fire up my cyberchef and and use base58 to deocde the text.

image

Look like korean language, need Google translate to help me translate it. Here is the translation :

1
Sir Mali-1 Transmission Start Region: Alpha, Bravo, Mike Status: Data Collection Complete Payload Specified Information Retrieved Transmission: Compressed Data Package Link Uploading: Set, Bandwidth Optimum Eta: Full Upload Completed Message: Information Specified by Region Buenos Aires, Brasilia, Miami successfully transmitted Malillon-1 transmission terminated -G0032

Based on the transmission, it mentioned 3 location : Region Buenos Aires, Brasilia, Miami maybe that is the location for all the 3 images gave to us. And then we get the transmission signature as part of the flag which is : G0032

So next we need to find in english all of the 3 locations in the materials, here the break down along with the location english.

1
2
3
1) Southeast Financial Center, Miami - no need to translate anything the location is southeast financial center
2) National Congress, Brasillia - National Congress
3) Casa Rosada, Buenos Aires = Translate casa rosada to english its mean Pink House. 

Combine everything as our answer and we solve it : southeast-financial-center-national-congress-pink-house-g0032

CYBER-OSINT: The alien Stalker - Hard

Badge The Alien Stalker

Mission

1
2
3
4
5
6
7
8
9
10
11
12
13
We've got a peculiar case on our hands. It involves an alien, a stalker, and a misplaced phone.

A young woman named Kate reported a strange encounter on her patio. She claims to have witnessed a humanoid figure with unusual features, staring at her from the shadows. This wasn’t your typical creepy stalker, however. Apparently, the figure had a bit of an existential crisis when she noticed him staring. He panicked, tossing a smartphone onto the patio before disappearing into the night.

We've retrieved the phone, and our IT forensics team has discovered a curious program hidden within. They believe this program might hold the key to identifying the alien.

The problem? It’s heavily obfuscated and encrypted, so we need your expertise.

Your mission:

Reverse engineer the program found on the alien's phone. Inside, you'll find a crucial piece of information that identifies the alien. Remember, the clock is ticking! This alien might be watching from the shadows, waiting for the perfect moment to strike. This is a high-risk mission, Special Agent. But we have faith in your skills. The fate of Earth, and Kate, may rest in your hands.

The contract is yours, if you choose to accept.

Material

Alien (LF 64-bit LSB pie executable, x86-64)

Answer Material

1
2
3
Note: The flag for this challenge is the name of the alien. 

Format your answer as:    FLAG{NAMEALIEN}

Solution

Yup, you right we need to reverse it, thanks to my reverse expert friend and explanation expert chatGPT for helping me solve this chall, my friend said in reverse focus on the main function. Using open free reverse tools call IDA and open the alien file, the program language for this file is Rust. Here is the main function :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
var_41= byte ptr -41h
var_40= qword ptr -40h
var_38= qword ptr -38h
var_30= qword ptr -30h
var_28= qword ptr -28h
var_20= qword ptr -20h
var_18= qword ptr -18h
var_10= qword ptr -10h

; __unwind {
sub     rsp, 48h
mov     al, 50h ; 'P'
add     al, 4
mov     r8b, 40h ; '@'
add     r8b, 0Fh
mov     r9b, 40h ; '@'
add     r9b, 0Dh
mov     cl, 40h ; '@'
add     cl, 1
mov     r10b, 40h ; '@'
add     r10b, 0Ch
mov     dl, 40h ; '@'
add     dl, 9
mov     sil, 40h ; '@'
add     sil, 5
mov     dil, 40h ; '@'
add     dil, 0Eh
add     r8b, al
add     r9b, cl
add     r9b, r8b
add     r10b, dl
add     r10b, sil
add     r10b, r9b
add     r10b, dil
mov     [rsp+48h+var_41], r10b
lea     rax, [rsp+48h+var_41]
mov     [rsp+48h+var_40], rax
mov     rax, cs:_ZN4core3fmt3num3imp51_$LT$impl$u20$core__fmt__Display$u20$for$u20$u8$GT$3fmt17h11bdb571725e3232E_ptr
mov     [rsp+48h+var_38], rax
lea     rax, off_55768  ; "Checksum: \n"
mov     [rsp+48h+var_30], rax
mov     [rsp+48h+var_28], 2
mov     [rsp+48h+var_10], 0
lea     rax, [rsp+48h+var_40]
mov     [rsp+48h+var_20], rax
mov     [rsp+48h+var_18], 1
lea     rdi, [rsp+48h+var_30]
call    cs:_ZN3std2io5stdio6_print17h5ebd7bee694de10eE_ptr ; std::io::stdio::_print::h5ebd7bee694de10e ...
add     rsp, 48h
retn
; } // starts at 13A00
_ZN5alien4main17ha8891d697215bed0E endp

There is a few mov and add function, so i paste the function in chatGPT for explanation (cause im suck at rust) and focus on the mov and add function. Here the breakdown :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
1) mov al, 50h and add al, 4:
mov al, 50h: Load 50h (ASCII 'P') into the al register.
add al, 4: Add 4 to al. This results in 54h, which corresponds to 'T' in ASCII.

2. mov r8b, 40h and add r8b, 0Fh:
mov r8b, 40h: Load 40h (ASCII '@') into r8b.
add r8b, 0Fh: Add 0Fh to r8b. This results in 4Fh, which corresponds to 'O' in ASCII.

3. mov r9b, 40h and add r9b, 0Dh:
mov r9b, 40h: Load 40h (ASCII '@') into r9b.
add r9b, 0Dh: Add 0Dh to r9b. This results in 4Dh, which corresponds to 'M' in ASCII.

4. mov cl, 40h and add cl, 1:
mov cl, 40h: Load 40h (ASCII '@') into cl.
add cl, 1: Add 1 to cl. This results in 41h, which corresponds to 'A' in ASCII.

5. mov r10b, 40h and add r10b, 0Ch:
mov r10b, 40h: Load 40h (ASCII '@') into r10b.
add r10b, 0Ch: Add 0Ch to r10b. This results in 4Ch, which corresponds to 'L' in ASCII.

6. mov dl, 40h and add dl, 9:
mov dl, 40h: Load 40h (ASCII '@') into dl.
add dl, 9: Add 9 to dl. This results in 49h, which corresponds to 'I' in ASCII.

7. mov sil, 40h and add sil, 5:
mov sil, 40h: Load 40h (ASCII '@') into sil.
add sil, 5: Add 5 to sil. This results in 45h, which corresponds to 'E' in ASCII.

8. mov dil, 40h and add dil, 0Eh:
mov dil, 40h: Load 40h (ASCII '@') into dil.
add dil, 0Eh: Add 0Eh to dil. This results in 4Eh, which corresponds to 'N' in ASCII.

Convert the hex value to Ascii and we get the alien name as our answer : FLAG{TOMALIEN}

CYBER-OSINT: Nouralpha8 - Medium

Badge NourAlpha8

Mission

1
2
3
4
5
6
7
8
9
10
11
Greetings Special Agent.

The Galactic Election Commission of Nour Alpha 8 has contacted us with an urgent matter. They suspect foul play in the recent elections, and they've requested our expertise to investigate a potential breach of their voting website.

Your Mission:

Conduct a thorough penetration test on the Nour Alpha 8 election website. You must conduct a pentesting on the login area to identify potential vulnerabilities. It seems the developers on Nour Alpha 8 are notorious for their...clumsiness. While investigating the breach, be sure to check if they accidentally left anything else vulnerable. There might be more sensitive data lurking around, waiting to be exploited.

Remember, the integrity of democracy in Nour Alpha 8 depends on your success.

The contract is yours, if you choose to accept.

Material

https://nouralpha8elections.pythonanywhere[dot]com/

Answer Instruction

1
Flag format and example:    Flag{donut_is_awesome_with_coffee}

Solution

This challenge is web based chall, so the get the flag, the mission said to find the vulnerablity in the login part, but when we view the source code, there is comment said there must be something on the search function. I’m more to believe the source code then the author tho :D, so here i focus on the search function. The vulnerablity is Click Vulnerability. Dont believe me? just simply click the search function and we get the flag. Flag : Flag{donot_trust_in_the_gov}

CYBER-OSINT : Xenoprint-case - Medium

Badge XenoPrint Case (1)

Mission

1
2
3
4
5
6
7
8
9
10
11
Greetings, Special Agent.

We've been contacted by President Dunildid Lkumplets of Nour Alpha 8. It seems a serious breach has occurred within the Department of Defense. Classified information has been printed, and they suspect an inside job.

Your Mission:

You've been assigned to the XenoPrint Case, a top-secret investigation. We've obtained a memory dump (.bin) from the printer that printed the classified information. Your mission is to analyze the printer memory dump, identify the user responsible for printing the sensitive documents, and uncover the evidence that will reveal their identity.

This is not a simple case of "who clicked the wrong button." The Nour Alpha 8 government believes this is a deliberate attempt to undermine national security.

The contract is yours, if you choose to accept.

Material

alien_holo_projector_dump.zip

Answer Instruction

1
Flag format:    Flag{PrinterBad9_No_Alien}

Solution

Unzip the zip file, and you will get bin file, i just using the simples way to solve this (dont know intended or not), just use strings and grep the flag format Flag{ on the bin file, and we get the answer. Answer : Flag{NourAlpha8_Secrets_Unveiled}

This post is licensed under CC BY 4.0 by the author.

Trending Tags