Cyber Investigator OSINT CTF “Covert Operations” Writeup

Chad Warner
4 min read · Jan 25, 2022


The Cyber Society at Cardiff University runs the Cyber Investigator CTF, a free CTF with OSINT, forensics, and investigation challenges.

Here’s my writeup of the “Covert Operations” challenges, including solutions (spoiler alert!).

If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!

thermalentry

Q: A couple of nights ago, the officer noticed that there is a digital PIN pad used to open the lockup door, and shortly after the suspect entered and closed the door behind them, our officer promptly approached the PIN pad and took a photograph of the keys with a thermal camera. Research into the PIN pad reveals that it only accepts four digit codes, so that should make things easier. What is the PIN code for the lockup?

A: Four buttons were warmer than the others. The coolest of these was likely the first number, and the warmest the last. Assuming that the keypad is arranged like a phone, the PIN is 4158.

nightclub

Q: We also happen to know that each of the DJs we’ve been following use Spotify for their music at venues. It would be useful for us to know the name of the song that is playing in the attached recording, as this will enable us to scrape the listening histories of our suspects and match the two up to identify who was there at the time.

A: I searched “music recognition online” and used https://www.aha-music.com/identify-songs-music-recognition-online/ to determine that the song title is Limitless.

orientalnavigator

Q: … we did find what looks to be a dash cam with footage of someone driving through what we suspect is a town or city in Asia. I’ve attached an image showing a road sign from one of the clips found on the camera, could you take a look and see if you can work out where the driver was at the time?

A: I searched “translate text in photo” and used https://translateimages.site/results to see road names. I searched for those road names to see they’re in Shanghai.

telemanipulation

Q: Our guys sat on the hill not far away and spotted the below remote control in one of their hands, together with a TV as pictured on the unit in the lounge. I know that these remotes are programmable, could you find out the code to set the remote to control this brand of TV?

A: The remote is Sky brand, and the TV is Toshiba brand. I used Google Images to find that the remote is a Sky Q Voice remote control and the TV is a Toshiba VL863. I searched “programmable sky remote” and got to https://www.sky.com/help/diagnostics/sky-q-remotes/setting-up-remote, and saw that it’s a New Sky Q remote with voice control. I searched “program Sky remote” and found https://helpforum.sky.com/t5/Sky-TV/How-to-program-your-Sky-remote-control/ba-p/2875750, which links to https://sky.uebv.com/. That site gave the code as 2626.

armsdealer

Q: … handgun in a small compartment of the boot of his car, which following some research on this particular model of the car, measures in at 200mm x 135mm (length x width). … We have no idea what the gun is, so could you use your talents to find out the length and height of the handgun pictured? By the way, the agent said that some parts of the handgun feel rough — like sandpaper — perhaps a brand name has been sanded off somewhere along the line.

A: In the photo, the gun says “19,” “Austria,” and “9x19.” I searched “pistol 19 austria 9x19” and found mentions of the Glock 19. One of the results was the official Glock page, https://us.glock.com/en/pistols/g19, which gives the length as 187 mm and the height as 128 mm.

disembark

Q: I’ve been anonymously emailed some footage with a siren blaring in the background and a scene of chaos and panic, with people running out of open spaces seeking cover. Could you take a look at the clip for me and let me know the name of the country in which it was filmed?

A: The clip has an “RT” logo in the corner. I searched “rt news” and found that RT is a Russian state-controlled international TV network. A van has a URL ending “.co.il.” I searched “.il tld” and found it belongs to Israel. Writing on the van looks like Hebrew.

aviator

Q: Amongst the files on the drive, we have found a recording of a Boeing 737-800 aircraft taking off from some airport. Can you find the latest possible date that the video was taken? This will help us to gain a ballpark idea of the age of the rest of the content on the seized memory stick. Note that the metadata of the video file itself won’t be any use in this case.

A: The plane is branded American Airlines. Another plane is branded LASER, which I found is an airline based out of Caracas, Venezuela. There’s a flag, which I found to be the Venezuelan flag. The mention of the “latest possible date that the video was taken” made me think that something happened to preclude American Airlines Boeing 737-800s from being seen in Venezuela. I searched “american airlines venezuela” and found news articles (such as https://www.miamiherald.com/news/business/tourism-cruises/article228548034.html) from March 2019 saying American Airlines indefinitely suspended flights to Venezuela as of March 15, 2019.

Written by Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.