Sector035 OSINT CTF 2020 Writeup
Here’s my writeup of Sector035’s 2020 OSINT quiz (CTF), including solutions (spoiler alert!). I like that this CTF is educational, sharing plenty of tips and resources.
There are 20 questions in 6 areas:
- Social Media & Forums
- Video & Images
- Source & JSON
- EXIF & Metadata
- History & Archives
- Geolocation & Chronolocation
If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!
Question
Q: On March 28, 2018 I (Sector035), quoted a tweet by someone else that could very well be a nice geolocation challenge. But what is the display name of the Twitter account that sent out this quiz?
A: I did a Twitter advanced search for tweets from @Sector035 from March 28 to 29, 2018 and found this tweet from @UID_ with display name Rickey Gevers.
01 — Social Media & Forums
Q: Julia Bayer started the Quiztime movement back in April 2017. But can you tell me what the last text was that she tweeted in 2017, while using the hashtag #MondayQuiz?
A: I did a Twitter advanced search for #MondayQuiz in 2017, and viewed Latest to find this tweet which says Merry Christmas.
02 — Social Media & Forums
Q: Quiztime crew member Tilman Wagner posted an image on Instagram on May 12, 2020 that featured a car. In the URL itself you see the unique identifier of the post. But somewhere there is also a numerical ‘ID’, which can be found in the source of the page, or in some ‘JSON output’. But what is this number?
A: I clicked the link to view Tilman Wagner’s Twitter profile and saw a link to his Instagram profile in the bio. I clicked it and scrolled down, looking for a car, and found this post. I searched “how find instagram post id” and found https://www.techuntold.com/get-instagram-user-id/, which I’ve used in the past. I opened https://www.instagram.com/p/CAFBUw0APD1/?__a=1 and found the ID: 2307256208945377525.
03 — Social Media & Forums
Q: In September 2019 someone posted in an aviation forum a quote that explained how Christiaan Triebert was using shadows, that were cast by towers around a launch pad, as sun dials. But what is the username of the account that posted this?
A: I searched “aviation shadows cast by towers around a launch pad as sun dials” and found https://www.airliners.net/forum/viewtopic.php?t=1430561. The username who posted about Christiaan Triebert is Tugger.
04 — Video & Images
Q: There is a weird artwork in Indianapolis that has its own Wikipedia entry here. The photo featured on the Wikipedia page can be found all over the internet, but one of the oldest uploads out there is on a certain stock photo site. Are you able to find this stock photo site? The answer is the original filename, including its file extension.
A: I did a Google reverse image search and tried to narrow by year, but didn’t have enough results. I cleared that filter and skimmed through the results. The only stock photo site I noticed was Getty Images, with filename 2010_in-an-at0552v02.jpg.
05 — Video & Images
Q: Can you tell me what the date and time of publishing is of the following video? https://www.youtube.com/watch?v=kUVFeXSdkO8
A: I searched “find upload time youtube” and found https://mattw.io/youtube-metadata/, which gave 2020-06-04T19:19:58Z. I entered it as 20200604191958.
06 — Video & Images
Q: Time to have a crack at the following image: Provide the full name, so first and last name, of the person who initially uploaded it to a ‘wiki’ platform.
A: I did a Google reverse image search and found this Wikimedia result. Under File history it shows it uploaded by Olga Ernst.
07 — Source & JSON
Q: It’s been some time since https://osintcurio.us was launched, and in December 2018 someone posted the link to this website for the first time on Reddit. Find this post, extract the Unix ‘timestamp’ of the post. Whether you’re logged in at Reddit or not, you can find it somewhere in the source of the page.
A: I searched “osintcurio.us site:reddit.com” and set the time frame to December 2018 to find this post. I hovered over “3 years ago” to see Dec 17, 2018 5:30:13 AM EST. I searched “convert to Unix time” and found https://time.is/Unix_time_converter, which I used to get 1545042613. The CTF didn’t accept this, so I searched “find timestamp reddit post” and found this comment which said to add .json to the end of a Reddit URL. I did that and found "created": 1545042613.0. The CTF didn’t accept this either. I looked for a walkthrough and found this one which used old.reddit.com. That showed 2018-12-17T10:30:13+00:00, which is still 1545042613. I looked on Twitter and found this tweet which mentions epoch time, so I used https://www.epochconverter.com to get the timestamp in milliseconds: 1545042613000.
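The three representations in this answer (hover text in EST, epoch seconds from the .json view, epoch milliseconds) are the same instant, which the following added example checks; it is not code from the CTF or the original writeup. The JSON is a constructed, trimmed stand-in for a Reddit post's .json output that reuses the "created" value quoted above, and post_timestamps and local_to_epoch are hypothetical helper names.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed, heavily trimmed stand-in for "<post URL>.json": a list of two
# Listings, the first holding the post itself, the second its comments.
SAMPLE = json.dumps([
    {"kind": "Listing", "data": {"children": [
        {"kind": "t3", "data": {"title": "(constructed title)",
                                "created": 1545042613.0,
                                "created_utc": 1545042613.0}}]}},
    {"kind": "Listing", "data": {"children": []}},
])


def post_timestamps(raw):
    """Return the post's creation time as seconds, milliseconds and ISO 8601 UTC."""
    listings = json.loads(raw)
    post = listings[0]["data"]["children"][0]["data"]
    # Prefer the explicitly UTC field; fall back to "created" if it is absent.
    seconds = int(post.get("created_utc", post["created"]))
    iso = datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()
    return {"seconds": seconds, "milliseconds": seconds * 1000, "iso_utc": iso}


def local_to_epoch(text, fmt, utc_offset_hours):
    """Convert a displayed local time plus its UTC offset to epoch seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime.strptime(text, fmt).replace(tzinfo=tz).timestamp())


if __name__ == "__main__":
    print(post_timestamps(SAMPLE))
    # The hover text on the post, read as EST (UTC-5).
    print(local_to_epoch("Dec 17, 2018 5:30:13 AM", "%b %d, %Y %I:%M:%S %p", -5))
```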
08 — Source & JSON
Q: When this scan was made, the web server sent out slightly different so-called ‘HTTP response headers’ than it does nowadays. Please provide the exact text that was sent in the ‘X-Hacker’ header.
A: I had to get a hint, which directed me to click the API button. I did a find for x-hacker and found If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
09 — Source & JSON
Q: http://www.virtualradar.nl/virtualradar/desktop.html. By looking at the traffic between your browser and the website, and looking at the JSON, can you deduce the name of the variable that shows the total amount of aeroplanes currently tracked within the view you’ve selected?
A: On the page, I found “Tracking 4 aircraft (out of 3,047)” and inspected that element. The paragraph element had a class of count. In the browser dev tools I looked at the sources to find the JSON files. I looked for 3047 and found it in AircraftList.json, with variable name totalAc.
10 — EXIF & Metadata
Q: Fiete Stegers tweeted a photo from his new workplace a few years ago. I want you to find the GPS coordinates in the file itself.
A: I downloaded the photo and viewed the metadata, which showed the coordinates, but not in decimal format. So I used https://exifdata.com/exif.php to get 53.5566, 10.0220.
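The conversion the online tool performed here, from EXIF degrees/minutes/seconds rationals to signed decimal degrees, can be done offline; this is an added example, not part of the original writeup. The sample tag values are constructed so that they round to the decimal pair in the answer (they are not the photo's actual tags), and dms_to_decimal and gps_position are hypothetical helper names.

```python
from fractions import Fraction


def _rational(value):
    """EXIF stores each GPS component as a (numerator, denominator) pair."""
    num, den = value
    if den == 0:
        raise ValueError("EXIF rational with zero denominator")
    return Fraction(num, den)


def dms_to_decimal(dms, ref, places=6):
    """Convert three EXIF rationals plus a hemisphere ref to decimal degrees."""
    degrees, minutes, seconds = (_rational(v) for v in dms)
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("minutes or seconds out of range")
    ref = ref.upper()
    if ref not in ("N", "S", "E", "W"):
        raise ValueError("unknown hemisphere reference: %r" % ref)
    value = degrees + minutes / 60 + seconds / 3600
    # South and West are negative in decimal notation.
    return round(float(-value if ref in ("S", "W") else value), places)


def gps_position(gps):
    """Return (latitude, longitude) from a dict keyed by EXIF GPS tag names."""
    return (dms_to_decimal(gps["GPSLatitude"], gps["GPSLatitudeRef"]),
            dms_to_decimal(gps["GPSLongitude"], gps["GPSLongitudeRef"]))


# Constructed sample: whole degrees and minutes, fractional seconds.
SAMPLE_DMS = {
    "GPSLatitudeRef": "N", "GPSLatitude": ((53, 1), (33, 1), (2376, 100)),
    "GPSLongitudeRef": "E", "GPSLongitude": ((10, 1), (1, 1), (192, 10)),
}
# Constructed sample: same position written with decimal minutes and zero
# seconds, a layout some devices use instead.
SAMPLE_DECIMAL_MINUTES = {
    "GPSLatitudeRef": "N", "GPSLatitude": ((53, 1), (33396, 1000), (0, 1)),
    "GPSLongitudeRef": "E", "GPSLongitude": ((10, 1), (132, 100), (0, 1)),
}

if __name__ == "__main__":
    print(gps_position(SAMPLE_DMS))
    print(gps_position(SAMPLE_DECIMAL_MINUTES))
```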
11 — EXIF & Metadata
Q: One of the Quiztime crew members is Philipp Dudek, and he works for HHLab. It’s time to look at his profile photo on the company website. Can you find out the first name of the person who most likely edited this photo?
A: I opened https://www.hhlab.de and found Philipp Dudek. I followed this suggested blog post and used Forensically’s String Extraction to view the strings, and found file paths that began C:\Users\Marc\.
12 — EXIF & Metadata
Q: Open the following website and extract the EXIF information from the image of the typewriter. https://www.behance.net/gallery/11820853/Type-Investigation. The answer for this question is the value of the “Legacy IPTC Digest”.
A: I downloaded the image and used Forensically’s String Extraction to view the strings, searched for legacy, and found LegacyIPTCDigest="F5B9EFCFD52592DC2821842599A3416F".
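The string extraction used in questions 11 and 12 can be reproduced locally, which is also a quick way to audit your own images for leaked usernames and leftover metadata before publishing them. This is an added example, not Forensically's code or part of the original writeup; the sample bytes, usernames and digest are constructed, metadata_leaks is a hypothetical helper name, and the UTF-16LE pass goes beyond what the answers above needed.

```python
import re

# Constructed bytes standing in for an image file: binary noise around an XMP
# attribute, an ASCII Windows path and a UTF-16LE Windows path.
SAMPLE = (
    b"\xff\xd8\xff\xe1\x00\x10"
    b'<rdf:Description photoshop:LegacyIPTCDigest="0123456789ABCDEF0123456789ABCDEF"/>'
    b"\x00\xfe"
    b"C:\\Users\\exampleuser\\Pictures\\portrait.psd"
    b"\x00\xff"
    + "C:\\Users\\otheruser\\Desktop\\edit.jpg".encode("utf-16-le")
    + b"\xff\xd9"
)

USER_PATH = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")
IPTC_DIGEST = re.compile(r'LegacyIPTCDigest="([0-9A-Fa-f]{32})"')


def strings(data, min_len=6):
    """Return printable runs of at least min_len characters, ASCII and UTF-16LE."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([run.decode("ascii") for run in ascii_runs]
            + [run.decode("utf-16-le") for run in utf16_runs])


def metadata_leaks(data):
    """Collect Windows profile names and LegacyIPTCDigest values from raw bytes."""
    users, digests = set(), set()
    for text in strings(data):
        users.update(USER_PATH.findall(text))
        digests.update(IPTC_DIGEST.findall(text))
    return {"users": sorted(users), "legacy_iptc_digest": sorted(digests)}


if __name__ == "__main__":
    print(metadata_leaks(SAMPLE))
```

To run it against a real file, pass `open(path, "rb").read()` to `metadata_leaks`.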
13 — History & Archives
Q: The website of the OSINT Curious Project was launched end of 2018. Back in the early days the ‘robots.txt’, that you can find in the root (or top folder) of most web servers, featured a date. That file still exists today, but no longer contains the date. Time for you to dive into history and find this exact date!
A: I used the Wayback Machine to find this snapshot of https://osintcurio.us/robots.txt from 2018, which contains the timestamp 05 Dec 2018 20:41:27, which I entered as 20181205204127.
14 — History & Archives
Q: Marco Bereth is one of the people that sends out quizzes for Quiztime. Back in 2013 his Twitter bio was quite different compared to his current one. But what was the very first word in his profile back in July 2013?
A: Using the Wayback Machine, the closest snapshot I could find was from Sep 2013. Then, his profile started with Bahnfahrer.
15 — History & Archives
Q: Using the website Elephind, you’ll be searching for articles about open source intelligence. Find a newspaper from October 29, 2007. The term is mentioned in a calendar of some kind. Find the calendar item in question, and look for the name of the person that is mentioned. What is his name?
A: I did an advanced search for “open source intelligence” in 2007, which gave 1 result. Page 2 had a calendar showing Open Source Intelligence and Frank Pabian.
16 — Geolocation & Chronolocation
Q: This statue can be found somewhere in the world and even has its own ‘square’. Can you find out where this statue is and find the name of the ‘square’?
A: The photo has an emergency vehicle which looks like a firetruck, and which says “Feuerwehr” on the front. A translation detected this as German for “fire department.” The photo metadata didn’t help. I did an image search for statue “square” germany but it had too many results, and at a glance, none of them were the right statue. I checked the CTF hint, which recommended a reverse image search using Google, Bing, Yandex, and TinEye, cropping the photo if necessary. I tried all those, and Yandex found this image which looks similar. That led to this site, which led to this Flickr photo which shows similar surroundings, titled Johannes Rau in Düsseldorf. Searching that string led to mentions of Johannes-Rau-Platz.
17 — Geolocation & Chronolocation
Q: Have a look at a beautiful photo posted on Instagram by Tilman Wagner. To go to the last question, submit the postal code of the square where the statue is located.
A: I did reverse image searches, but none helped. I looked at the post via imginn, and saw hashtags #oslonorway, and #oslostreets. I searched “oslo norway statue” and found mentions of Vigeland Sculpture Park in Frogner Park. I searched “Frogner Park oslo address” and saw postal code 0268, but the CTF rejected that. After checking this walkthrough, I did another Yandex reverse image search, and saw this Wikimedia page, which has the description “Oslo. Devant la Gare Centrale” and location 59° 54′ 36.31″ N, 10° 45′ 05.9″ E. I searched for the description, which showed results for Oslo Central Station. I chose https://en.wikipedia.org/wiki/Oslo_Central_Station, then went to the official website https://oslo-s.no/. I didn’t see an address there, so I went to their Facebook page, which had Jernbanetorget 1 0154 Oslo, Norway.
18 — Geolocation & Chronolocation
Q: Look at the following image by Julia Bayer and perform the next steps: Determine the location Julia Bayer was standing. Be sure about the location! Find out where she stood, not just the name of the establishment she visited. Find out the direction of the sun at that particular moment. Read the ‘Azimuth’ and round it up or down, up to 2 degrees accuracy, making it an even number.
A: The post is dated July 19, 2017 and includes hashtags #Berlin, #Katerschmaus, #Holzmarkt, #SichWasGönnen, and #HabenWirUnsVerdient. A few searches showed that Katerschmaus is a restaurant at Holzmarktstrasse 25, Berlin, DE 10243 and Holzmarkt is an area in Berlin. I viewed a hint in the CTF and found the location in Google Maps Street View. I went to https://www.suncalc.org/ and entered the address and date. I then moved the location to be closer to the Spree River. I had to follow this walkthrough to get the rest of the way. 285 degrees worked for me.