Hussien Misbah

Hussien Misbah

Cybersecurity consultant & Wannabe red teamer

CyCTF 2024 Finals OSINT Writeups

7 minute read

CyCTF is organized by Cyshield’s cysec team every year , demonstrating new ideas and techniques in different categories (web exploitation , cryptography ,reverse and malware analysis , pwn , osint , mobile). it was my pleasure to be the author of SMS and vengeance challenges in web exploitation category and for the osint category in qualifcation and finals. this blog post will be about the solutions for the osint category in the finals round. My approach for creating the challenges was to not make it sherlock/yandex style ones and to introduce new ideas/techniques that can be used in real life scenarios.

New Friend

challenge New Friend
about osint process , video analysis , GEOINT , SOCMINT
description we have been tracking a female suspect recently and we were able to hack into her mobile phone , however she seems to be very cautious and most likely she already know her phone is not safe anymore , while trying to locate her place it was located in Egypt however we are sure 100% this is not true. we were able to record a short video from her phone before she powered it off eventually and we were not able to identify the location, she has been visiting this places a lot recently, can you help us? an extra information that might be helpful she has been a friend to a multi faceted hairstylist. our goal from this simple task is to reach the hairstylist so we can contact her and get more details about our suspect. the flag is her email address , example flag CyCTF{fake_staylistmail@gmail.com}
attached challenge.mp4
solves 4

Our starting point will be the video given , best approach is to :

  • extract all frames from the video to deal with it as images
  • extract audio from the video (to identify language used)

Using online tools like ezgif we can extract all frames , the idea of this point is to extract important frames that can help us identify the location. there are 2 important main frames :

First frame , we can identify the following artifacts :

  • snow everywhere (we are in winter most likely , this is not the same status always)
  • a river (so we are standing on a bridge)
  • stairs in left and right of the river
  • blue lights
  • Tress on left and right

image

Second Frame :

  • Contains 2 big buildings
  • one with blue colors
  • the other one has the word “Terrassen” in it

image

Doing basic GEOINT on the 2 frames and using google lens on the river frame , will find most images point to sweden , and this frame has same stairs in our frame

image

we can take the image in results and drop it into geospy tool which quickly identifies the location

image

it is not the most accurate location as from video we are standing on a bridge by a river which matches this location

image

dropping street view we are in same location in video but different weather.

image

Now our goal is to search for the hair stylist/dresser mentioned , form maps there is a hair studio very close to the bridge which we can investigate

image

image

visiting the place website and in about us page will find team members listed

image

the description mentioned a “Multi-faceted” hairstylist which matches this one called “bero”

image

the page doesn’t contain a mail for each person in the team , however a quick search will find the instagram page for the salon and they follow the team members on social media

image

will find bero’s account which contains a link on her bio

image

and finally will find her mail address.

image

Maybe in another UniVerse

challenge Maybe in another UniVerse
about osint process , GEOINT , Metaverse
description The Authorities have been tracking a hacker goes with the name “PWner” , he has been travelling from a country to another to erase his steps , he was very cautions recently , he has deleted most of his social media accounts like facebook , instagram and others based on our observations ,so any user with same name you might found most probably a fake one. But recently we were able to find his wife location and she told us the last thing he sent her was this letter , We are sure that she is hiding something although we believe this is the last message from him ,But we can’t solve this puzzle , can you help us ?
attached challenge.png
solves 1

image

The idea of challenge is to introduce new area of search which is metaverse assets ,the challenge image gives a big hint with the “another Universe” keyword,also mentioned 2 meta products facebook and instagram , which points to maybe the meta verse ?

Searching for that will find a blog from osint Curios which discusses users can create a space and other users can join it so they can talk together and interact with VR in this space.

image

The url format is https://www.spatial.io/@jake we can try add our target instead of jake to be https://www.spatial.io/@PWner

image

and we have a match , checking his spaces will find one called 1337 Room , accessing it we can find a cyshield room

image

Walking through the space will find the flag in an image on the wall

image

Complicated

challenge Complicated
about osint process , advanced GEOINT , SOCMINT
description Hello Old Friend , One of my friends challenged me to solve a case but you have never disappointed me and i don’t think you will this time , all we know is that during tracking our target , he have recently attended a football match in France and after that he walked to KFC to have a nice meal, the catch is he made a mistake sharing something that reveals his identity while doing these activities. you may think that you have weak clues to find the target however actually it is not. The flag is the person’s name , example “Mohamed Samy” will be CyCTF{Mohamed_Samy}
Hint1 did you know about french territories
Hint2 can you “over pass” ?
attached none
solves 0

The challenge description contains several information :

  • the search area is France
  • targets went to a stadium to watch a football game
  • the stadium is still active as he was there “recently”
  • he walked to KFC after game meaning the branch is close to the stadium

So our initial approach is to search for KFCs near stadiums in France , searching this manually will be very time consuming so we can take a smarter approach which is overpass queries , the area is France the target is KFC near stadiums (we can start with 500m) as a start

[out:json][timeout:25];

area["name"="France"]->.searchArea;


(
  node["leisure"="stadium"](area.searchArea);
  way["leisure"="stadium"](area.searchArea);
  relation["leisure"="stadium"](area.searchArea);
)->.stadiums;


(
  node["amenity"="fast_food"]["name"="KFC"](around.stadiums:500);
  way["amenity"="fast_food"]["name"="KFC"](around.stadiums:500);
  relation["amenity"="fast_food"]["name"="KFC"](around.stadiums:500);
);


out body;
>;
out skel qt;

This narrows down possibilities a lot as we can see below

image

The odd thing we can see in the image is this one , we search “France” and this showed up in results

image

Searching about that we found the information that france has what is called “Overseas” contains several islands so basically this is french

image

Zooming in will find the stadium and the KFC Branch

image

Searching for it in google maps

image

Found stadium name is “Stade Roger Zami” , after finding the place the description said he shared something that might reveal his identity , where can we find places and people rather than social media ?

Checking The most famous apps for the location we have found :

  • Flicker
  • Instagram
  • Snapmap

image

image

Finally we found our target and we can confirm it is him by checking comment and description

image

image

Hope to see you next year !