Cyber Investigator OSINT CTF “Cyber Crime” Writeup

Chad Warner
5 min read · Jan 21, 2022


The Cyber Society at Cardiff University runs the Cyber Investigator CTF, a free CTF with OSINT, forensics, and investigation challenges.

Here’s my writeup of the “Cyber Crime” challenges, including solutions (spoiler alert!).

If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!

mysterymachine

Q: The MAC address is: 00:0a:95:10:e2:1b. Could you tell us the manufacturer of the device that we are looking for?

A: I searched for “mac address lookup manufacturer” and found https://maclookup.app/. Entering the MAC address showed the manufacturer as Apple.
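The lookup the answer describes is an OUI (first three octets) match against the IEEE registry. The added example below, which is not code from the writeup or from maclookup.app, normalises the usual MAC spellings, extracts the OUI and resolves it against a constructed three-entry table (the prefix from the challenge plus two stand-ins; the real registry has tens of thousands of rows). It also checks the locally-administered bit, which is the caveat a practitioner wants: a randomised or manually set MAC carries no manufacturer information at all, so a "not found" result may mean the address was never assigned by a vendor rather than that the table is incomplete.

```python
import re

# Constructed mini OUI table for this example only; 00:0A:95 is the prefix from the
# challenge, the other two entries are placeholders to show the lookup shape.
OUI_TABLE = {
    "000A95": "Apple, Inc.",
    "AAAAAA": "Example Vendor A (placeholder)",
    "BBBBBB": "Example Vendor B (placeholder)",
}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:0a:95:10:e2:1b, 00-0A-95-10-E2-1B or 000a.9510.e21b; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def inspect_mac(mac, table=OUI_TABLE):
    """Return the OUI, the U/L and I/G bits of the first octet, and the vendor if one applies."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    # Bit 1 of the first octet: 1 = locally administered (randomised / admin-set), 0 = vendor assigned.
    locally_administered = bool(first_octet & 0x02)
    # Bit 0 of the first octet: 1 = multicast group address, 0 = unicast.
    multicast = bool(first_octet & 0x01)
    oui = digits[:6].upper()
    # A locally administered address has no registered manufacturer, so skip the lookup.
    vendor = None if locally_administered else table.get(oui)
    return {
        "oui": oui,
        "locally_administered": locally_administered,
        "multicast": multicast,
        "vendor": vendor,
    }


if __name__ == "__main__":
    for sample in ("00:0a:95:10:e2:1b", "02:0a:95:10:e2:1b", "000a.9510.e21b"):
        print(sample, "->", inspect_mac(sample))
```

The second sample differs from the challenge address only in the U/L bit; it resolves to no vendor even though the remaining digits are identical, which is exactly the case a web lookup silently gets wrong when it ignores that bit.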

mulemobile

Q: There seems to be a white powdery substance synonymous with this drug leaking out of the phone in trace amounts, but attempts to open the phone have failed. We’ve weighed the device and right now it is showing as 300g. We suspect the device may have been gutted and stuffed with cocaine. Is there any way you could find out the difference between the current weight and the original (expected) weight of the device? IMEI 352602081794916.

A: I searched for “imei lookup” and found https://www.imei.info/. I entered the IMEI and it showed the phone’s weight as 138 g, which is a difference of 162 g from the phone’s current weight.

databreach

Q: I’m trying to work out whether Elon Musk’s email address has ever been included in these huge data breaches which tend to arise from organisations’ databases/sources being left exposed to the public or attacked by black hat hackers. Can you find out the name of the company whose data breach Elon’s email was spotted in? elon.musk@gmail.com.

A: I put the address into https://haveibeenpwned.com and it says that address was in the Adobe breach of October, 2013.

stencil

Q: I have spotted a few documents using this peculiar font, seemingly discussing the drop-off of goods (attached here). My thinking is that it would be easier to filter out the millions of documents that we have seized if we know the name of the font used in the exemplar document.

A: https://www.myfonts.com/WhatTheFont/ didn’t find it. I searched “identify font” and tried a few results until https://www.whatfontis.com/ identified the font as Plexifont.

unmonitored

Q: Upon inspecting the contents of the hard disk in the machine, we’ve found some code held in TXT files; the person in question seems to be something of a gamer with a preference for older titles. If it’s any help, every single one of their computer games seems to be rated PEGI 18+. Could you find out the name of the video game that the scripting language shown in the attached text file is used with? This will help us to potentially narrow down who else they have been speaking to by checking for the presence of the game on other seized machines. NOTE: Remember, it’s a multiplayer game.

A: I noticed the script contained “AMX Native Error 4 — AMX_ERR_BOUNDS” so I searched for that, and found https://wiki.alliedmods.net/Pawn_tutorial, which mentions Half-Life. The CTF didn’t accept this, so I kept looking, and found mentions of Counter-Strike, Quake, and Unreal, but the CTF didn’t accept these either.

nationstate

Q: I’ve attached a text file which represents a section of the log data for this honeypot server, I’m wondering whether you could tell us which country is responsible for the traffic and which country is the likely target?

A: In the log, the requesting IP addresses all start with 175.45.176. I used https://geoip.com to find that these are North Korean. The timestamps are +0300. There are several countries in the UTC+3 time zone. One of the GET requests is GET /country/%D0%A1%D0%A8%D0%90. I put %D0%A1%D0%A8%D0%90 into https://www.url-encode-decode.com and it decoded to США. Google Translate detects that as Russian for USA.
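The three observations in the answer (a single source /24, a single timezone offset, and a percent-encoded non-Latin path) can be pulled out of a web-server log without any online service. The script below is an added example, not the challenge's log or the author's code; the three log lines are constructed in the combined log format and only reuse the 175.45.176 prefix and the encoded path quoted above. It parses each line, groups sources by /24, counts the timezone offsets, percent-decodes the request path and reports which Unicode scripts the decoded path contains. Country attribution of the IP range itself still needs a GeoIP database, which the answer obtained from geoip.com; that step is deliberately not reproduced here.

```python
import re
import unicodedata
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format); NOT the challenge's honeypot log.
SAMPLE_LOG = """\
175.45.176.71 - - [21/Jan/2022:10:15:32 +0300] "GET /country/%D0%A1%D0%A8%D0%90 HTTP/1.1" 200 512
175.45.176.72 - - [21/Jan/2022:10:15:35 +0300] "GET /login HTTP/1.1" 404 213
175.45.176.73 - - [21/Jan/2022:10:16:01 +0300] "POST /country/%D0%A1%D0%A8%D0%90 HTTP/1.1" 403 98
"""

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tz"] = rec["ts"].rsplit(" ", 1)[1]      # "+0300" from "21/Jan/2022:10:15:32 +0300"
    rec["decoded_path"] = unquote(rec["path"])   # %D0%A1%D0%A8%D0%90 -> США (UTF-8)
    return rec


def scripts_in(text):
    """Set of Unicode script names (first word of the character name) for the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def summarize(log_text):
    """Aggregate source /24s, timezone offsets and decoded paths across the log."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    source_24s = Counter(".".join(r["ip"].split(".")[:3]) for r in records)
    tz_offsets = Counter(r["tz"] for r in records)
    paths = {r["path"]: (r["decoded_path"], sorted(scripts_in(r["decoded_path"])))
             for r in records}
    return {
        "count": len(records),
        "source_24s": dict(source_24s),
        "tz_offsets": dict(tz_offsets),
        "paths": paths,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The script-name check is what turns "some percent-encoded bytes" into a lead: a path that decodes to Cyrillic letters tells you the language family of whoever built the URL, which is the same inference the answer draws by pasting the decoded text into Google Translate.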

stolenidentity

Q: Can you tell me the full name on anyone’s passport you find on this drive image?

A: I downloaded the .dd file, but macOS couldn’t open it. I searched online and saw recommendations for The Unarchiver, but it didn’t work. Then I found this Stack Exchange answer which said to change the extension to .dmg, the image format for macOS. That worked, and I could mount the image, which showed a drive named TYLER’S USB. I didn’t see any other indications of names in the files, so I unlocked a hint in the CTF, which recommended using Autopsy. I opened a Kali VM and opened the disk image in Autopsy. I noticed a hidden $RECYCLE.BIN directory which contained deleted images. One of them showed an open passport with the name Angela Zoe Smith. I then realized I could have done this on my Mac, by showing hidden files.

remoteaccess

Q: We recently compromised one of the SMB shares connected to a criminal organisation’s network, and would you believe we have found some SSH keys on there; I thought I’d give you one of them to have a go at cracking.

I’ve attached the private key file below for you, could you let us know the passphrase tied to the key? This might help you.

A: I searched online for “ssh private key passphrase rockyou” and found https://medium.com/the-padlock/cracking-ssh-private-key-passphrase-459ba17e8d5d. The python command didn’t work on my Kali VM, so I had to use python3 instead. John the Ripper gave the passphrase as banana.
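Whether a passphrase like the one recovered here is cheap or expensive to test depends on how the private key file protects it, and that is something a defender can audit directly: modern OpenSSH keys ("openssh-key-v1") derive the key with bcrypt over a configurable number of rounds, while legacy PEM keys ("Proc-Type: 4,ENCRYPTED") use a single MD5 pass, and an unencrypted key has no passphrase at all. The code below is an added example, not the challenge's key or the article's own commands. It parses both header formats and flags keys that are unencrypted, legacy-PEM protected, or set to fewer bcrypt rounds than ssh-keygen's default of 16 (that threshold is an assumption for the example). The openssh-key-v1 sample it inspects is constructed in the block with dummy key material, so it runs without any real key.

```python
import base64
import os
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_sample_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed openssh-key-v1 envelope with dummy key material, for this example only."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(os.urandom(16)) + struct.pack(">I", rounds)  # salt, rounds
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1)                      # number of keys
            + _ssh_string(b"dummy-public-key")          # placeholder public key
            + _ssh_string(b"\x00" * 64))                # placeholder private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def inspect_private_key(text):
    """Report format, cipher, KDF and rounds for an OpenSSH-format or legacy PEM private key."""
    lines = text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": None, "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by RFC 1421 headers; the key is derived
        # from the passphrase with a single MD5 pass (OpenSSL EVP_BytesToKey).
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
        return {"format": "pem", "cipher": cipher, "kdf": "md5" if encrypted else "none",
                "rounds": 1 if encrypted else None, "encrypted": encrypted}
    raise ValueError("unrecognised private key format")


def weakly_protected(info, min_rounds=16):
    """True for unencrypted keys, legacy PEM keys, or bcrypt with fewer rounds than min_rounds."""
    return (not info["encrypted"]) or info["kdf"] != "bcrypt" or info["rounds"] < min_rounds


if __name__ == "__main__":
    for label, key in (("default", build_sample_key()),
                       ("weak rounds", build_sample_key(rounds=4)),
                       ("unencrypted", build_sample_key(cipher=b"none", kdf=b"none"))):
        info = inspect_private_key(key)
        print(label, info, "WEAK" if weakly_protected(info) else "ok")
```

Run over a directory of recovered or inventoried keys, this is the triage step that tells you which ones a wordlist attack like the one in the linked article would get through quickly: a legacy PEM key costs one MD5 per guess, a bcrypt key at 16 rounds costs orders of magnitude more per guess, and the fix for either is to re-encrypt the key with a current ssh-keygen rather than to rely on the passphrase alone.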

d3c0d3r

Q: 54 68 65 72 65 20 61 72 65 20 31 39 35 20 69 6e 64 65 70 65 6e 64 65 6e 74 20 73 6f 76 65 72 65 69 67 6e 20 6e 61 74 69 6f 6e 73 20 69 6e 20 74 68 65 20 77 6f 72 6c 64 2c 20 62 75 74 20 77 68 69 63 68 20 6f 6e 65 20 69 73 20 69 74 3f 01001001 01001001 00100000 00101110 00100000 01001001 01010110 00100000 01010110 01001001 01001001 00100000 01010110 01001001 01001001 01001001 00100000 01010110 01001001 00100000 01001001 00100000 01010110 00100000 00100000 00101100 00100000 00100000 01011000 01001100 01010110 00100000 00101110 00100000 01010110 01001001 00100000 01001001 01001001 00100000 01001001 00100000 01001001 00100000 01001001 01011000 00100000 01001001 01001001

A: The first series looks like hex, so I searched online for “hex to ascii” and used https://www.rapidtables.com/convert/number/hex-to-ascii.html to get There are 195 independent sovereign nations in the world, but which one is it? The second series looks like binary, so I used https://www.rapidtables.com/convert/number/binary-to-ascii.html to get II . IV VII VIII VI I V , XLV . VI II I I IX II. These look like Roman numerals, so I turned them into decimals 2 . 4 7 8 6 , 45 . 6 2 1 1 9 2. Those look like coordinates, so I searched online for “coordinates lookup” and found https://gps-coordinates.org. I entered latitude 2.4786, longitude 45.621192 and found Somalia.

Written by Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.