Cyber Detective OSINT CTF “Life Online” Writeup
The Cyber Society at Cardiff University runs the Cyber Detective CTF, a free OSINT CTF. I started with the “Life Online” challenges, which involve SOCMINT (social media intelligence) using Twitter.
Here’s my writeup, including solutions (spoiler alert!).
If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!
Q: What US political party does James over here support?
A: James RT’d Barack Obama and said, “miss this guy like crazy,” so I assume he supports the Democratic Party.
Q: Where did James spend his childhood?
Q: In what city does James work?
A: He tweeted, “Lovely shot after getting off the train this afternoon” with a photo of Cardiff Central train station in Cardiff, Wales.
Q: What CITY is Sarah going on holiday to at the end of February?
A: I looked at James’ tweets & replies and saw a tweet to @sarah_luxton. I viewed her profile and saw this tweet that says, “This place looks so amazing, can’t wait to go, just two weeks today!” with a photo. I used Google Images to search by the photo, and it gave the location as Perth.
Q: The team has been trying to work out where Person of Interest, Sarah, walks her dog. This is part of building up a profile of her movements. Can you have a look to see if you can find the TOWN in which Sarah tends to take the dog out to?
A: Sarah’s bio says, “Buster’s favorite place x : 51.947528, -3.393953.” Buster sounds like a dog’s name. The GPS coordinates are in Brecon, Wales.
Q: There’s a new Person of Interest, George something or other. Can you find anything interesting on him? Something he perhaps thinks you can’t work out?
A: I looked at James’ tweets & replies and saw this tweet from @GeorgeWatson428. Looking at his tweets I saw this thread where he said, “I’ve encrypted my password and now it is secure and unbreakable!” followed by, “aW1hbWF6aW5nMTIz.” I put that string into https://hashes.com/en/decrypt/hash to decrypt it to imamazing123.
Q: We’ve obtained what we believe to be an office CCTV camera feed. We have reason to suspect that it is overlooking one of the work desks belonging to one of our targets. Can you confirm the COLOUR of the DESK SURFACE and the COLOUR of the DESK LEGS, just so we can be sure of what we’re seeing and task the reconnaissance team further.
Q: James has a habit of getting in the way of things ;).
A: This is a statement, not a question, but I took it as asking me to provide something that James is in the way of. I didn’t see anything in his tweets or replies, or in Sarah, George, or Pearce’s. After a while, I noticed that James’ profile photo was literally in the way of the string “icanseeyou” in his header image.
Q: We’re trying to plan when is best to break into James’ house to plant a bug. What time does he start work? (UK time).
A: This tweet says “Just finished work…….. That was a tough 8 hours….” and it was tweeted at 5:02 PM ET, which is 10:02 PM GMT. 8 hrs before 10:02 PM is 2:02 PM.
Q: We’ve been watching a bloke called George recently, you might have already done some work on him. … In particular, we’re after an access key for a program his company uses so that the team can ex-filtrate information to aid with our ongoing fraud investigations.
Q: Our intelligence analysts have reported that a whole bunch of our targets are having a party together on a Saturday night soon. We want to deploy agents to see whats going on, but we can’t risk blowing our cover turning up in a car. The road is pretty quiet and the property has very clear view of its surroundings, our reports suggest. Find the location of the party and the best BUS ROUTE NUMBER to reach the party from Principality Stadium, Cardiff — where the surveillance team will be deployed from.
A: Sarah tweeted the address, date, and time of a party. I searched “bus from Principality Stadium, Cardiff” and found https://www.cardiffbus.com/. I used https://www.cardiffbus.com/plan-a-journey to plan a trip from Principality Stadium, Cardiff to 159 Llanedeyrn Rd Cardiff CF23 9DW, arriving at 20:00. I tried putting the date as Mar 7, 2020, but it wouldn’t accept that date, so I left the date alone. It showed bus routes 57 and 58 as options.
Q: Our analysts have been trying to get proof of a target’s phone number. We want to move ahead with the arrest but we must get evidence that the phone number we’ve got is indeed theirs. We need to be sure. Due to the highly sensitive nature of the case, we cannot confirm the target’s name with you at this time. Please have a look to see if you can find their phone number. When you call the target’s number what are the LAST THREE WORDS you hear (you can also just enter the phone number as your answer and that is fine as well)?
A: I looked through James, Sarah, George, and Pearce’s tweets and replies several times, and didn’t see anything in the text or images. In the tweet about the party I noticed 2 other people mentioned, @Sophjones77 and @jenmp7. @Sophjones77 is suspended, and @jenmp7 no longer exists. So I paid 250 points to get a hint which was, “I shouldn’t be telling you this but the target’s name is Sophie Jones. You’re looking for her email address and that could potentially help you get the phone number.” That doesn’t help as @Sophjones77 is suspended and I can’t see any of the tweets. This challenge can’t be solved at this time. Others have reported the same.