Sector035 OSINT CTF 2019 Writeup

Chad Warner
8 min read · Jun 9, 2022

Here’s my writeup of Sector035’s 2019 OSINT quiz (CTF), including solutions (spoiler alert!). I like that this CTF is educational, sharing a few tips and resources.

There are at least 23 questions in 7 areas:

  • Geolocation
  • SIGINT (3G/LTE, Wi-Fi)
  • Social media
  • News articles
  • Surface web & dark web
  • File metadata forensics
  • Tracking traffic and objects

You start the CTF by sending an email to osintquiz@gmail.com with the SUBJECT start.

Each question required that the answer be sent as an MD5 hash. I used https://md5calc.com/hash. I’m not going to include this step in my writeup.

If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!

01 — Puzzletweet

Q: In December 2017 @Sector035 posted a photo of a puzzle. What is the ID of the photo? That is the highlighted part in this URL: https://pbs.twimg.com/media/{photo ID}?format=jpg&name=900x900

A: I used Twitter Advanced Search to look for tweets from @Sector035 in Dec 2017 and found this tweet. The image URL is https://pbs.twimg.com/media/DR_EM4XX4AAllRD?format=jpg&name=900x900.

02 — Instaquiz

Q: What is the profile id of the following Instagram account? https://www.instagram.com/micro_bar

A: I searched “find profile id of Instagram user” and found https://www.techuntold.com/get-instagram-user-id/, which told how to append ?__a=1 to the end of the user’s profile URL to view the page source. There I found profilePage_2260998159.

03 — FacebookFind

Q: What is the MD5 hash of following Facebook ID: https://www.facebook.com/SilensecGroup

A: I searched “find Facebook ID” and tried a couple tools, but they failed. I followed https://www.wikihow.com/Find-a-User-ID-on-Facebook to check the source code for profile_id and found 403139539857741.

04 — TikTokTest

Q: At what timestamp was the following TikTok posted? This will be a 10-digit number in ‘UNIX time’, that can be found in the source. https://www.tiktok.com/@aizhana_or/video/6754400110869859590

A: I searched “get timestamp tiktok” and found https://dfir.blog/tinkering-with-tiktok-timestamps/, which linked to the tool https://dfir.blog/unfurl/. It showed the timestamp as 1572631325. However, this was incorrect. I checked the page source and found the createTime as 1572631328.
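Added example (not part of the original writeup or of the unfurl tool): a sketch of why the two values differ, assuming, as the linked dfir.blog article describes, that the upper 32 bits of a TikTok video ID hold the Unix time at which the ID was generated. The function names are illustrative; the URL and createTime are the ones quoted above.

```python
import re
from datetime import datetime, timezone

# Values quoted in the writeup above.
VIDEO_URL = "https://www.tiktok.com/@aizhana_or/video/6754400110869859590"
PAGE_CREATE_TIME = 1572631328  # createTime read from the page source

_VIDEO_ID_RE = re.compile(r"/video/(\d+)")


def video_id_from_url(url):
    """Pull the numeric video ID out of a TikTok video URL."""
    match = _VIDEO_ID_RE.search(url)
    if match is None:
        raise ValueError(f"no /video/<id> component in {url!r}")
    video_id = int(match.group(1))
    if video_id >= 1 << 64:
        raise ValueError("video ID does not fit in 64 bits")
    return video_id


def id_timestamp(video_id):
    """Assumption: the top 32 bits of the ID are Unix seconds."""
    return video_id >> 32


def to_utc(ts):
    """Render Unix seconds as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def compare(url, create_time):
    """Set the ID-derived time beside the createTime from the page source."""
    ts = id_timestamp(video_id_from_url(url))
    return {
        "id_time": ts,
        "id_time_utc": to_utc(ts),
        "create_time": create_time,
        "create_time_utc": to_utc(create_time),
        "delta_seconds": create_time - ts,
    }


if __name__ == "__main__":
    for key, value in compare(VIDEO_URL, PAGE_CREATE_TIME).items():
        print(f"{key}: {value}")
```

The ID-derived value is the one unfurl reported; the createTime in the page source is three seconds later, and that is the value the quiz accepted.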

05 — DatingDomains

Q: On what date was the domain facebook.com registered for the first time?

A: I used https://whois.domaintools.com/ to find the Creation Date as 1997-03-29.

06 — WhoHistory

Q: What is the name of the person that was mentioned as the registrant in 2016 of the domain ‘driftwoodaruba.com’ ?

A: I searched “historical whois” and used https://www.whoxy.com/driftwoodaruba.com to find the 2016 registrant as Harinder Singh.

07 — CertificateCheck

Q: Can you find the SHA1 fingerprint of the very FIRST SSL certificate that was issued for the company website belonging to this Facebook profile?

A: The Facebook profile is https://www.facebook.com/SilensecGroup/, and the associated website is https://www.silensec.com/. I searched “see what certificates were issued to domain” and found this thread which suggested https://crt.sh/. I used that to find the first cert and its SHA-1 value of A10E6771B7102AD146D51E6717855CA124C39C53.

08 — ReverseSearch

Q: What domain name was registered by the person with email address “rfuller2316 [at] gmail.com” in July 1995?

A: I searched “look up domains registered to email address” and used https://viewdns.info/reversewhois/ to see grca.org was registered in July 1995.

09 — DarkerSide

Q: What is the onion address for the US Central Intelligence Agency?

A: I searched “cia onion site” and found https://www.cia.gov/stories/story/cias-latest-layer-an-onion-site/, which gives ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion.

10 — ServerSide

Q: What is the name of the server that is hosting the website for ‘Transparency International Italia’ on the following address: ‘j2loe6dcxbu2hpuarvbnhy6fls5u2ekcl3zvd55tz4bchvqj5numbxid.onion’?

A: I opened the address in the Tor Browser, then opened the Web Developer Tools, went to the Network tab, looked at the response headers, and found the server listed as GlobaLeaks.

11 — ExitStrategy

Q: Let’s say you find out that you use the exit node that has the contact info ‘torATzoneDno’, what IPv4 address does your connection have?

A: I searched “torATzoneDno” and found https://www.dan.me.uk/tornodes and https://nusenu.github.io/OrNetStats/w/contact/250f771750c8c89c400bd3aed371284c.html, both of which show the address as 128.39.8.29.

12 — PhotoFacts

Q: What is the exact brand and model phone that was used to capture the following image?

A: I looked at the photo metadata to see OPPO RX17 Pro.

13 — FileFacts

Q: What is the name of the author of the following PDF file?

A: That link is broken, so I had to get the PDF from the Wayback Machine. I looked at the PDF metadata to see VARTA Microbattery GmbH.

14 — EXIFextraction

Q: Visit the following page and investigate the EXIF information of this photo. Retrieve the exact GPS coordinates in the standard lat/lon form: -xx.xxxxxx, -xx.xxxxxx and calculate the MD5 hash!

A: The website doesn’t allow right-clicking the photo, so I used the browser’s dev tools to find the image URL. I downloaded it and viewed the metadata to find 51.233507 degrees S, 72.978952 degrees W. I looked up which directions are positive and negative, and found that south and west are both negative, so the answer is -51.233507, -72.978952.
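Added example (not from the original writeup): EXIF stores each coordinate as three unsigned rationals plus a hemisphere letter, so the sign has to be applied from the reference tag before the answer is formatted and hashed. The sample values below are constructed from the coordinates quoted above, the function names are illustrative, and the hash is computed locally instead of on a website.

```python
import hashlib
from fractions import Fraction

# Constructed sample: the writeup's coordinates expressed the way EXIF stores
# them, as (numerator, denominator) rationals for degrees, minutes and
# seconds, plus a hemisphere reference letter.
SAMPLE_GPS = {
    "GPSLatitudeRef": "S",
    "GPSLatitude": ((51, 1), (14, 1), (6252, 10000)),
    "GPSLongitudeRef": "W",
    "GPSLongitude": ((72, 1), (58, 1), (442272, 10000)),
}


def dms_to_decimal(dms, ref):
    """Convert EXIF degree/minute/second rationals to signed decimal degrees."""
    if ref not in ("N", "S", "E", "W"):
        raise ValueError(f"unexpected hemisphere reference {ref!r}")
    if len(dms) != 3 or any(den == 0 for _, den in dms):
        raise ValueError("expected three rationals with non-zero denominators")
    degrees, minutes, seconds = (Fraction(num, den) for num, den in dms)
    value = degrees + minutes / 60 + seconds / 3600
    limit = 90 if ref in ("N", "S") else 180
    if not 0 <= value <= limit:
        raise ValueError(f"{float(value)} is out of range for {ref}")
    # South and west are the negative directions.
    return -value if ref in ("S", "W") else value


def answer_string(gps):
    """Format as 'lat, lon' with six decimals, the form the question asks for."""
    lat = dms_to_decimal(gps["GPSLatitude"], gps["GPSLatitudeRef"])
    lon = dms_to_decimal(gps["GPSLongitude"], gps["GPSLongitudeRef"])
    return f"{float(lat):.6f}, {float(lon):.6f}"


def md5_hex(answer):
    """MD5 hex digest of the UTF-8 answer, computed locally."""
    return hashlib.md5(answer.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    answer = answer_string(SAMPLE_GPS)
    print(answer, md5_hex(answer))
```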

15 — Location Labels

Q: Have a look at the following two screenshots. Can you determine in what city these screenshots were made? https://drive.google.com/open?id=1_uOQ3ni_JkFVwfWv0BOZMdiA0pqBeSU4, https://drive.google.com/open?id=1YRj3kWQtRBi-OCn-t_0jD9MlYObcrFtF

A: The screenshots show iOS settings listing available Wi-Fi networks. I opened https://wigle.net/ and did a basic search for several of the SSIDs, and got multiple hits for each of Manakamana and FRIEND. One screenshot shows the carrier “CSL.” I searched for this and found it’s a Hong Kong telecom company. I looked back at the Manakamana networks and found 2 in Hong Kong.

16 — CellCoordinates

Q: What city are we in when our phone connects to an LTE-node with the following details:
Cell ID: 134327553 (hex: 801ad01)
eNB ID: 524717 (hex: 801ad)
MCC: 505
MNC: 1
Region/LAC: 8240

A: I opened https://wigle.net/ and did a basic search for the Cell ID, but the results covered much of the world map. I tried other details that were supplied, but still the results covered much of the world map. I searched “look up location cell id” and found https://opencellid.org/, which showed the location as Canberra, Australia.
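Added example (not from the original writeup): the Cell ID and eNB ID in the question are two views of the same number, because a 28-bit LTE cell identity is the eNB ID followed by an 8-bit sector number. The sketch below parses the question's fields, checks each hex value against its decimal, and confirms the split; the function names are illustrative.

```python
import re

# The fields exactly as quoted in the question above.
QUESTION_TEXT = """\
Cell ID: 134327553 (hex: 801ad01)
eNB ID: 524717 (hex: 801ad)
MCC: 505
MNC: 1
Region/LAC: 8240
"""

_LINE_RE = re.compile(
    r"^(?P<key>[^:]+):\s*(?P<dec>\d+)(?:\s*\(hex:\s*(?P<hex>[0-9a-fA-F]+)\))?\s*$"
)


def parse_fields(text):
    """Parse 'Name: decimal (hex: value)' lines, rejecting hex mismatches."""
    fields = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match is None:
            continue
        value = int(match["dec"])
        if match["hex"] is not None and int(match["hex"], 16) != value:
            raise ValueError(f"hex and decimal disagree on line {line!r}")
        fields[match["key"].strip()] = value
    return fields


def split_eci(eci):
    """Split a 28-bit LTE cell identity into (eNB ID, sector)."""
    if not 0 <= eci < 1 << 28:
        raise ValueError("LTE cell identity must fit in 28 bits")
    return eci >> 8, eci & 0xFF


def check_cell(text):
    """Return the lookup fields after confirming Cell ID and eNB ID agree."""
    fields = parse_fields(text)
    enb_id, sector = split_eci(fields["Cell ID"])
    if enb_id != fields["eNB ID"]:
        raise ValueError("eNB ID does not match the upper bits of the Cell ID")
    return {"mcc": fields["MCC"], "mnc": fields["MNC"],
            "area": fields["Region/LAC"], "cell_id": fields["Cell ID"],
            "enb_id": enb_id, "sector": sector}


if __name__ == "__main__":
    print(check_cell(QUESTION_TEXT))
```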

17 — CaptureCommunications

Q: Go to the following coordinates: 34.069958, -118.403740. Zoom in all the way and find the two Samsung series 7 TV’s that were captured in April 2019. What is the full MAC address of the TV that starts with “54:bd”?

A: I opened https://wigle.net/ and did an advanced search, Bluetooth search for the coordinates, then searched the results for Samsung series 7 TVs with MAC address starting 54:bd. I found 54:bd:79:4d:a9:a0.

18 — Aircraft&ADS-B

Q: In November 2019 it was known that at least 8 flights were recorded by a helicopter with the ICAO address ‘4984B0’. Can you tell in which country this aircraft is stationed?

A: I looked up the address on the 2 sites the question suggested, and got a hit on ADSBExchange, which showed it as a Czechia military helicopter. I searched “4984B0” for confirmation, and found Call Signs of Aircraft Operating in Eastern Europe on Reddit, which showed it as Czech Air Force. I learned that Czechia is another name for Czech Republic.

19 — FindingVessels

Q: Find out the MMSI number of the following vessel: ‘GUAYAQUIL EXPRESS’

A: I searched “MMSI” and found https://www.marinevesseltraffic.com. I searched for “GUAYAQUIL EXPRESS” and found the MMSI as 218851000.

20 — ContainerCertification

Q: Have a look at the following container: https://drive.google.com/open?id=1nhQHrGeS0T5rS96rhclfalrJedIzW-xe. Can you find the certification document of this container, and find out the approval reference id?

A: In the photo, the container is labeled “CARU” and “0014975” and “22U0”. I searched “look up shipping container” and found that the labels in the photo mean the container number is CARU0014975. I tried a few sites for looking up shipping container certification documents and approval reference numbers, but none worked; they were broken or simply linked to https://portal.carucontainers.com/. I couldn’t get further without registering for that portal. I registered, but never received the email confirmation.

I contacted Sector035, who said the CSC documents are no longer indexed by Google, and CARU has closed off access. Sector035 gave me the document number: F/BV/11891/12.

21 — QuizimeQuiz

Q: Tilman Wagner (twone2) is one of the Quiztime crew on Twitter. One day he went for a walk and took a photo of a light bulb on a beach somewhere. At the exact same day this photo was posted another Quiztime crew member created a German post on social media, about how sad he was that he didn’t stay another 3 or 4 nights in a certain city. Can you tell me the name of that city?

A: I did Twitter advanced searches for light and light bulb from twone2, and those didn’t find it, but a search for beach did. The date is Jan 30, 2018. I translated sad didn’t stay another 3 or 4 nights into German and did a web search and Twitter search for content in German on that date, but didn’t find it. I did a Twitter search for tweets in German with #quiztime on that date, but didn’t find it.

I did a web search for “quiztime crew” and found this tweet which lists the Quiztime crew members as of May 15, 2018. I looked for those with German in their bios, and checked their tweets on Jan 30, 2018. I found this tweet which includes, “nicht 3 oder 4 Nächte,” which looks like “3 or 4 nights.” I translated the entire tweet to find that the city is Krakau (English Krakow).

22 — LocatingLars

Q: On April 16, 2018 Lars Wienand from T-Online was busy on Twitter, but somewhere else he posted a photo of an old city on that same day. In that photo you are looking down on a street somewhere in the world. What is the name of this street?

A: I did a reverse image search with Google, TinEye, and Yandex. Yandex found a match on Instagram, showing the location as Perugia, Italy. I didn’t see any signs or other easy identifiers in the photo. The only thing that seemed helpful was that it looks like it’s near the edge of the city, with fields and mountains in the distance. I looked on Google Maps, but didn’t know where in Perugia to start.

I looked for a hint online and found this Reddit comment which told what to look for. I still wouldn’t have been able to find the street by myself, but the comment linked to the Street View which showed the street name as Via Galeazzo Alessi.

23 — FindingPhotos

Q: In the first two months of 2014, another Quiztime crew member posted photos of passports and money. Two days later he posted a photo online of a few men roasting food over an oil drum. Can you provide the IPTC Digest of this photograph?

A: I started by trying to find a list of Quiztime crew members at the beginning of 2014. The closest I could find was this list from Apr 30, 2018 (Quiztime was started toward the end of 2017). I saw that @twone2 mentions photography in his bio, so I checked his Instagram, but didn’t see a photo of passports.

I googled for “passports” plus the usernames of the crew members, then the real names of the crew members, filtering by results from Jan 1 through Mar 1 2014, but didn’t find anything. I did image searches on Google, Bing, and Yandex for “men roasting food over an oil drum” and “roasting food over an oil drum,” but didn’t find anything. I searched for the usernames of the crew members plus “instagram” and “flickr” and found a few Instagram accounts, but not the photos described.

I contacted Sector035, who said to look on Facebook, and Julia Bayer is visible in the photo. I couldn’t find the photo, so this is as far as I made it in the CTF.

Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.