Brixel CTF: Winter Edition (26 Dec, 2020 — 03 Jan, 2021)
Let’s start off easy.
For this one, just download the photo and then do an image lookup with Google.
Here is the incriminating photo of Dad:
You can use exiftool to see the person who took the photo, Johnny Dorfmeister.
Do a Google search and Johnny’s LinkedIn pops up:
Looks like he is the “Manager at Zelfstandige”. In other words, self-employed.
But before that, he was a web developer at pishapasha.
If you pull up his contact info from LinkedIn, you can see he has his Twitter account connected. I headed over there to check it out.
No information about his favorite food that I can see so far.
I did an image search for his profile pic and found out that it’s actually of a guy named Skippy, a 34-year-old Mormon virgin, living in his parents’ basement…
I even found the YouTube video they grabbed the screenshot from. Watch it at your own risk.
So I did find another social media account on Instagram that has a bunch of food pictures that all look…really gross.
He has a post of some badly burnt macaroni with this caption:
Using a tool called userrecon, I pulled up a bunch of social media accounts with the username, johnnydorfmeister.
This led me to a new account, a github page.
There are some interesting things in the authentication-requests repository, but I assume that is for an upcoming challenge. It includes a username.
Nothing about his birthday though.
It was then that I realized how simple this actually was. I just had to follow him on Twitter and his birthday would appear…
Here is the tweet that the challenge is referencing:
Actually, the internet DOES archive things, using the Wayback Machine! There is one capture for that test page:
I was able to find 40 snapshots of his webpage using the Wayback Machine again (at this point his main webpage was down because of the CTF traffic).
The one from August 5th, 2020 has some reviews from previous customers:
If you translate the Russian review, you will get a flag.
This was an audio file that contained Morse code. I downloaded a Morse code decoder on my phone and ran the audio through my computer speakers.
The challenge mentions the messenger is French, which points towards the popular French cipher, Vigenere.
You usually need a passphrase to decode a Vigenere cipher, and since the soldier shouted out, “confidentiel!”, that was most likely it.
This challenge talks about an Italian, which points to the Caesar cipher. Throwing up a V means that the shift is probably 5:
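Added example (not part of the original write-up): one routine covering both this challenge and the previous one, since a Caesar shift is a Vigenère cipher with a one-letter key. The key "confidentiel" and the shift of 5 come from the text above; the sample plaintexts are constructed, because the challenge ciphertexts are not reproduced on this page.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each ASCII letter by the matching key letter (a=0 ... z=25).

    Case is preserved; anything that is not an ASCII letter passes through
    unchanged and does not consume a key letter.
    """
    if not key or any(k not in ALPHABET for k in key.lower()):
        raise ValueError("key must consist of ASCII letters only")
    shifts = [ALPHABET.index(k) for k in key.lower()]
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar is Vigenere with a one-letter key: a shift of 5 is the key 'f'."""
    return vigenere(text, ALPHABET[shift % 26], decrypt)


if __name__ == "__main__":
    # Constructed sample text; the challenge ciphertexts are not on the page.
    secret = vigenere("Le message est arrive", "confidentiel")
    print(secret, "->", vigenere(secret, "confidentiel", decrypt=True))
    shifted = caesar("veni vidi vici", 5)
    print(shifted, "->", caesar(shifted, 5, decrypt=True))
```

If a shift of 5 in one direction yields gibberish, try the other direction (`decrypt=False`), since the challenge text does not say which way the message was shifted.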
Looks pretty crazy at first glance, but this one was just simple Base64, then binary.
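Added example (not part of the original write-up): peeling the two layers described above, Base64 on the outside and a string of 8-bit binary groups inside. The function names are hypothetical and the sample is constructed with `to_layers`, since the challenge blob is not reproduced on this page.

```python
import base64
import binascii


def to_layers(text: str) -> str:
    """Build a sample: ASCII text -> space-separated 8-bit groups -> Base64."""
    bits = " ".join(f"{byte:08b}" for byte in text.encode("ascii"))
    return base64.b64encode(bits.encode("ascii")).decode("ascii")


def from_layers(blob: str) -> str:
    """Peel both layers: Base64 -> string of 0/1 characters -> ASCII text."""
    try:
        inner = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("outer layer is not Base64-encoded ASCII") from exc
    bits = "".join(inner.split())  # tolerate spaces/newlines between groups
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("inner layer is not a binary digit string")
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    # Constructed sample, not the challenge data.
    sample = to_layers("flag{constructed}")
    print(sample)
    print(from_layers(sample))
```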
This is an Enigma code. I found a decoder online HERE, and input the values.
It says not to translate the flag from German.
I used Crackstation for this.
First I looked at the requests and then double-clicked the background one.
That opened it up in a new tab. I looked at the source code and found the flag nestled in there.
The Konami Code is a cheat code sequence from the days of glorious gaming past, back in the 80's.
Up, Up, Down, Down, Left, Right, Left, Right, B, A
When you press that sequence on your keyboard, Mario will run by on the screen!
I’ve done a few challenges like this before. It is an SSTV transmission.
When I first started doing them I was using an app on my phone (Robot36) and just putting it next to my speakers to grab the sound. This resulted in very blurry images, and sometimes I would have to take recordings multiple times.
Eventually I found THIS article, which helped me set up a better option for crystal clear images.
Here is the webpage:
All of the robot talk pointed me straight towards the robots.txt page.
This one was quite simple. If you check the source code the flag is sitting right there.
I used the same method here. Just inspect the source code. You can see that it is the same thing, it’s just split apart into a few different bits. Go through the function and append the pieces in order to complete the flag.
When you add in a random username, it pulls from username.txt to see if you have the correct one.
You can navigate there to see the correct username in plain text.
It’s simply, “admin”.
Now, just navigate to password.txt to pick up the flag.
This is the exact same thing as the previous challenge.
Except the password is not in plaintext, it is in Base64.
Ahhh Limewire. That takes me back…
I remember downloading Roller Coaster Tycoon and thinking I was basically an Elite Hacker. I’m sure I downloaded a lot of malware too.
Later, I bought a legit PC copy, lol. Still one of my favorite games, and I now have it on iPad.
Anyways, I opened this up in Audacity and switched to spectrogram view, where you can clearly see Hello Kitty!
The challenge provides a QR code; when scanned, it redirects you to a website.
The website has the next step:
Using an online decoder, the bar code reveals plain text, “code-128-easy”
Entering the code takes you to yet another web page with another barcode.
When decoded, it shows that it is a product barcode, 5449000133335
On to the next one.
After you input, “congratulations_this_is_the_last_barcode”, the flag is revealed!
Here is the adorable Rufus! But what is he hiding…
I was able to extract a text file via steghide, which contained the flag.
Here is the food truck we are trying to gently push to victory.
For this one I used Burp Suite to intercept a request for 5 votes and changed it to 5000 before forwarding it.
The first step is to find BE-MINE hill. After a bit of Google, I located THIS blog, and was able to pinpoint it on Google Maps shortly after, in the town of Beringen.
From here, I opened up THIS website, and entered in all my search parameters.
There were various military flights that day. I do know that a C130 is a cargo plane, so I looked at those first to save time.
The flight path of CH-09 headed right over BE-MINE hill. I pulled up a photo just to double check that it had four propellers.
From there, I had two pieces of the flag, but I still needed the registration month and year.
I did some more lurking on Google and found THIS website, which shows that it was first registered in March of 1973.
This corresponds with another picture I found of the CH-09 from 18 December, 2020, which says that it was actually taking a last flyby after 47 years of service!
I used Binary Ninja to look through the contents of the program and found this nestled in there:
For this challenge I downloaded an app on my phone called BirdNET, which was developed by Cornell University.
It was able to identify the bird sounds as coming from a white stork, or Ciconia ciconia.
For the next one I used a tool called Foto Forensics, with the ELA filter, which can detect digital modifications.
Here’s an explanation of how it works, which I found interesting:
I was able to find a virtual punch card reader online that worked perfectly.
I used Hashcat to crack the hash, using mode 10, md5($pass.$salt)
It only took a few seconds to find that the password was “brute”
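Added example (not part of the original write-up): what hashcat mode 10 actually computes, md5($pass.$salt), checked against a small candidate list, next to a slow PBKDF2 record for contrast. It shows why a salted but fast hash over a dictionary word falls in seconds. The salt, hash line and word list are constructed; only the password "brute" comes from the text above, and the function names are hypothetical.

```python
import hashlib
import hmac
import os


def md5_pass_salt(password: str, salt: str) -> str:
    """The construction hashcat mode 10 targets: md5($pass.$salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def check_wordlist(hash_line: str, candidates):
    """Test candidates against a 'hash:salt' line; return the match or None."""
    digest, _, salt = hash_line.strip().partition(":")
    for word in candidates:
        if hmac.compare_digest(md5_pass_salt(word, salt), digest.lower()):
            return word
    return None


def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """Contrast: a slow, per-user-salted KDF record for password storage."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed input: the salt is made up and the hash is derived from it here;
# neither is the challenge's actual value.
SAMPLE_SALT = "s4lt"
SAMPLE_LINE = f"{md5_pass_salt('brute', SAMPLE_SALT)}:{SAMPLE_SALT}"
SAMPLE_WORDS = ["password", "letmein", "brute", "winter2020"]

if __name__ == "__main__":
    print(SAMPLE_LINE, "->", check_wordlist(SAMPLE_LINE, SAMPLE_WORDS))
    print(pbkdf2_record("brute"))
```

The order of concatenation matters: the same password and salt hashed as md5($salt.$pass) is a different hashcat mode (20) and will not match a mode 10 hash.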
First I found the Halen district contact information HERE.
After that I looked for a free carrier lookup service online, and found out they were using COLT Telecom (otherwise known as Colt Technology Services).
BUT, I also found a different carrier lookup that claims it is Orange Business Belgium.
I only have three chances to get this right, so I was becoming a bit concerned, especially with all the different variations the two companies go by. It could be any of these:
I grabbed three at random and luckily, on my 3rd try, it turned out to be…
I just wanted to give a shout out to “Visit Limburg #2” for tormenting me for hours and teaching me more about coal mines and random bridges than I ever wanted to learn.
I found multiple maps of the different coalmines in Limburg Province. HERE and HERE.
The farthest from all the others on that map is obviously the one at the top, Beatrix Mine. Apparently construction was abandoned and it was never a working coal mine, but it does have two shafts.
The one farthest from that point looked like Willem-Sophia Mine, down near the bottom.
After that I searched for “Church with Ridges” and found this church here, called Doorkijkkerk, “Reading between the lines”. It’s out in the country somewhere in Belgium.
Using Google Maps, I got the coordinates of the exact location for all three of these things.
I plotted the coordinates with an online TOOL, which gave me the center point, here:
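Added example (not part of the original write-up): computing the center point of several coordinates locally instead of with an online tool. The write-up does not say which method the tool uses; this assumes the common approach of averaging the points as 3-D unit vectors on a sphere. The coordinates are constructed placeholders, not the challenge's locations.

```python
import math


def geographic_midpoint(points):
    """Centre of (lat, lon) points in degrees, averaged as 3-D unit vectors.

    Averaging on the sphere instead of averaging the raw numbers keeps the
    result correct when points are far apart or straddle the 180° meridian.
    """
    if not points:
        raise ValueError("need at least one point")
    x = y = z = 0.0
    for lat, lon in points:
        la, lo = math.radians(lat), math.radians(lon)
        x += math.cos(la) * math.cos(lo)
        y += math.cos(la) * math.sin(lo)
        z += math.sin(la)
    if math.sqrt(x * x + y * y + z * z) < 1e-9:
        raise ValueError("points cancel out; no unique midpoint")
    lat = math.degrees(math.atan2(z, math.hypot(x, y)))
    lon = math.degrees(math.atan2(y, x))
    return lat, lon


def haversine_km(a, b, radius_km=6371.0):
    """Great-circle distance between two (lat, lon) points, for sanity checks."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * radius_km * math.asin(math.sqrt(h))


# Constructed coordinates (placeholders, not the challenge's locations).
SAMPLE_POINTS = [(51.00, 5.00), (51.10, 5.60), (50.90, 5.30)]

if __name__ == "__main__":
    centre = geographic_midpoint(SAMPLE_POINTS)
    print("centre:", centre)
    for p in SAMPLE_POINTS:
        print(p, f"{haversine_km(centre, p):.1f} km from centre")
```

Printing the distance from the center to each input point is a quick way to catch a swapped latitude/longitude or a point from the wrong Limburg before spending time in Street View.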
Looking around this area, I found a few bridges near the highway, but not much else. I combed through graffiti markings and adjusted the dates in Google Maps.
Then I tried combinations of other mines.
I tried Maurits and Willem-Sophia, thinking that maybe since Beatrix mine wasn’t officially completed it didn’t count.
Interestingly, this landed me almost directly on top of a bridge:
I did look through this bridge and the numerous surrounding bridges with Google Maps, multiple times each, adjusting the dates back and forth, but still came up empty-handed!
But then, dear reader, I found out that there is a Limburg, Belgium AND a Limburg, Netherlands, and that I was getting the two confused.
From here, I found THIS website which describes 7 coal mines in Limburg, BELGIUM.
I plotted these all on a map, after researching the exact locations of each one.
Now to add the two farthest points to the original map (Eisden and BE-Mine), and get rid of the Netherlands mines.
Hmm, the middle of the woods. Not a good sign.
A little ways away though, I found a bridge near a canal, that had a Google Maps snapshot from June of 2013, with a date written on the wall. Has fate smiled upon me?
I actually couldn’t get this one for the longest time because I was using the Wayback version of his webpage since the live one was down. I contacted him through the form there, but nothing happened. On the live version though, you will receive a reply.
After you hit submit, this webpage pops up with his address:
Here is the house in Belgium. I am going to use the same tactic I used for “Visit Limburg 3” and just change the date using Google Street View.
I actually had no idea you could change the date until this CTF!
If you move back on the street a little, you can see it says, “JUST MARRIED”
Awww, so there is a Mrs. Dorfmeister?
I really enjoyed this CTF and appreciated how long it was, giving me time to complete more challenges than I usually do. I could tell that the creators were influenced by the Down Under CTF, which continues to be one of my favorites because of the crazy OSINT challenges.
And also, it was seemingly just one guy (Kevin aka “kefcom”) running the entire Discord server, answering questions and managing everything. I was super impressed with the whole thing.
Happy Hacking! ❤