CyberSoc | Cyber Detective CTF

Samantha
17 min read · Mar 21, 2021

Cyber Detective CTF is an OSINT-focused CTF created by the Cyber Society at Cardiff University.

There are 40 challenges across 3 streams: General Knowledge, Life Online and Evidence Investigation.

Link HERE.

According to the creators, it should be up indefinitely for anyone who wants to practice their OSINT skills.

It should be noted that I do not have solutions to either ‘leaveamessage’ or ‘readyfortakeoff’. If I figure those out in the future, I will add them.

Alright, here is James:

I am somewhat confused about the “Born in” and “Raised in” descriptions, but I will get to that later.

Right now we are trying to discern his political affiliation.

This one is rather simple, because a short way down his feed you see he has retweeted something from Barack Obama, saying how he misses him.

James appears to be a Democrat.

Ahh, here we are. Now it’s time to figure out what those two things meant.

After looking through some more of his posts, James seems to be referencing an app called what3words.

After using the online map tool, we can see that James was born at Nuffield Health Bristol Hospital in Bristol, England.

And grew up near Station Road in York, England.

The app seems pretty fun and quirky, but it is definitely an easy way to get people to share their exact locations.

Correlating this info with Google maps, we can see that James claims he was raised at the Principal York, which is a hotel.

The answer to this challenge is simply York though.

There are a couple of ways to look into this. Firstly, I found James referencing how the train home was late, so I could try to find out the city he works in by looking at what station he got on at (he could have got on at any stop between Maesteg and Ebbw Vale).

There is also a man named George, who is referring to the “Boss”, Phillip. James laughs and agrees with him, so this guy seems to be a coworker of James’.

Here he is accidentally posting sensitive data to social media, which I am sure will come in handy later.

The name of the question is “ChooChoo” though, so I’ll start with the train.

The line starts in Maesteg, but that was not the correct answer.

He also has a post about how he got off the train at this particular station, Cardiff Central Railway Station.

Sometimes that train route gets “terminated” at this particular station…maybe due to issues with the tracks or something.

It also looks like people regularly have to change trains at Cardiff Station if they are continuing on to Ebbw Vale, and that there may be a bit of a wait before transferring trains, so he could have just gone outside and snapped the picture before his next train left.

But that’s getting ahead of myself trying to find out where he lives.

What we do know, though, is that James works somewhere between Maesteg and Cardiff.

Weirdly, after trying all of them, the flag turned out to be Cardiff, which did not make sense to me since he explains that he just got OFF the train when he arrives at Cardiff.

Anyways, moving on.

This one is much more straightforward. You can see that James liked an update from someone named Sarah Luxton, who posts a pic of her upcoming holiday locale.

To me this is giving off major Australia vibes, but I did an image search to be sure:

Yes, it’s in Perth, Australia.

You can see on Sarah’s profile she mentions “Buster’s favorite place,” and then provides some coordinates.

Using Google maps, you can see it’s a bridge at 2 Bridge St, Brecon LD3 8AH, UK.

This is referring to George from earlier. If you look through his profile, you can see he ridiculously posts his password online.

This is simple Base64 that can be decoded in a second. Wow, George.

On George’s Twitter profile, a guy named Pearce mentions he left his credit card lying around a bar, then provides a photo of George’s desk where he left the card for him:

I’m unsure what the numbers mean, but the answer to this challenge is obviously “brown grey”.

What immediately stands out is the pair of blue and green eyes, and then a little bit of text poking out from behind James, which makes him look like he is in the way of some information:

If you click on the eyes, the photo pops up full size:

In one of his tweets, James mentions how it’s a tough day at work after 8 long hours. This was posted at 4:02 pm, which means he started work at 8:00 am.

8:00 did not work, neither did 0800, or 08:00, and neither did a bunch of other guesses accounting for possible lunch breaks, etc.

Now I am trying to figure out if Twitter shows you tweet time stamps based on YOUR location or the poster’s location. There was not an option to change your time zone within Twitter, but you could change the country. I tried changing it to UK, refreshed everything, and saw no change to the post.

I also tried changing my system information to Greenwich Mean Time and refreshed my Twitter feed to see if it was based off that. The time zone stayed the same.

I then tried submitting every hour just to see which one would work (RIP accuracy).

14:00 eventually worked. So yeah, I’m still confused about that. He started work at 2pm, got off at 4pm, yet worked 8 hours? Unless he found a portal to the fae realm or something…doesn’t add up. Especially since it’s still light outside at the train station when he gets off. If he started at 2pm, he would get off at 10pm and it would be pitch black.

If anyone has any clarity on this one, please let me know.
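One way to make the time-zone question above concrete, as an added example that is not part of the original writeup: if the displayed 4:02 pm was the viewer’s local clock rather than the poster’s, the implied start of an 8-hour shift depends on the gap between the two zones. The viewer offset (UTC-5) and poster offset (UTC+1, British Summer Time) used below are assumptions for illustration, not facts from the post; the second function simply enumerates every viewer offset and reports which one would reconcile a displayed time with a known start time.

```python
from datetime import datetime, timedelta, timezone


def implied_start(displayed_hhmm, viewer_utc_offset, poster_utc_offset, hours_worked=8):
    """Convert a tweet time as shown to the viewer into the poster's local clock,
    then subtract the hours worked to get the implied start of the shift.

    Fixed UTC offsets are used deliberately so the result does not depend on the
    machine's time-zone database or on DST rules for an unknown date.
    """
    viewer_tz = timezone(timedelta(hours=viewer_utc_offset))
    poster_tz = timezone(timedelta(hours=poster_utc_offset))
    hh, mm = (int(part) for part in displayed_hhmm.split(":"))
    # Constructed date: only the clock time matters for this calculation.
    displayed = datetime(2021, 1, 1, hh, mm, tzinfo=viewer_tz)
    posted_local = displayed.astimezone(poster_tz)
    start_local = posted_local - timedelta(hours=hours_worked)
    return start_local.strftime("%H:%M")


def start_by_viewer_offset(displayed_hhmm, poster_utc_offset, hours_worked=8):
    """Implied shift start for every plausible viewer offset (UTC-12 .. UTC+14).

    This is the author's "try every hour" approach with the hidden assumption
    (the viewer's zone) made explicit instead of guessed.
    """
    return {
        offset: implied_start(displayed_hhmm, offset, poster_utc_offset, hours_worked)
        for offset in range(-12, 15)
    }


def viewer_offsets_consistent_with(flag_hhmm, displayed_hhmm, poster_utc_offset, hours_worked=8):
    """Viewer offsets whose implied start matches the hour of a known answer."""
    table = start_by_viewer_offset(displayed_hhmm, poster_utc_offset, hours_worked)
    return sorted(off for off, start in table.items() if start[:2] == flag_hhmm[:2])


if __name__ == "__main__":
    # Assumed viewer at UTC-5 and poster on BST (UTC+1): displayed 16:02 is 22:02 for the poster.
    print(implied_start("16:02", viewer_utc_offset=-5, poster_utc_offset=1))
    # Which viewer offsets would reconcile a displayed 16:02 with a 14:00 start?
    print(viewer_offsets_consistent_with("14:00", "16:02", poster_utc_offset=1))
```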

This has to be referring to that sensitive info I found earlier that George seemed to post on accident along with a meme:

This is a party that Pearce is hosting:

Here is the outside of the building:

Cardiff has a website for planning your bus trips. I used the information provided to plan my route, making sure to select a Sunday, which was the day of the week the party started.

Looks like the best route is the 58.

You can also find this using Google Maps and checking the Public Transport option:

1000 points for this one!

So the only person we haven’t really looked at that seems connected is Sophie.

She was tagged in Pearce’s party reminder. She could work with them all, or perhaps she is related to Pearce in some way personally, like a friend or family member. Both Pearce and George follow her.

She has an interesting post:

Um. Ok.

I uploaded her profile photo and got this from Google:

And a whole bunch of stuff from Yandex.

Including this one:

Which…is a fake person because the phone number is obviously not real. However, that was not the answer to our challenge.

Looks like she gets used on a lot of fake websites:

I am thinking this is just some popular stock photo of a model. Also, there is an interesting photo behind “Sophie” of a random street during a sunset. I wonder if that has anything to do with it or if it’s just supposed to be “artistic”.

I checked on Sophie’s email address that she left for Kendall because that seems to be the obvious target, but that email address refuses to show up anywhere I search, and apparently doesn’t exist anymore.

The thing I kept constantly getting as I searched around was a Pinterest account with some random Christmas crafts. But that seemed to lead nowhere.

At this point I started going through Chapter 15 of Open Source Intelligence Techniques by Michael Bazzell, which also produced nothing.

But I know it’s the email now, because I paid 250 points for the hint after reading that chapter and failing to retrieve a result from every single tool in there.

I’m probably missing something entirely simple. And yes, I even visited a bunch of weird Kendall Jenner fan fiction websites…*shudders*

This one remains unsolved for now.

Here is the picture we are provided:

I typed the plate into Google and pulled up a registry lookup site, which showed it is a 2010 Ford KA.

I went to the earliest inspection entry and used that month:

For this one, I immediately started using The Wayback Machine to look through snapshots.

I found this at the June 1st, 2016 snapshot.

Here is the boarding pass:

The thing that stood out to me was the huge barcode. I cropped just that bit and ran it through a barcode scanner.

Ah, Sarah Luxton. Looks like she is headed from London to France in seat 22B. She seems to travel a lot: just two months after this she is headed for Perth.

Here is the live camera feed:

I took a screenshot of just the village and ran it through Yandex and got a few hits naming a village in Belgium that has a webcam:

I translated some of the results and saw that the town was called Grammont.

I was able to find the town square shown in another of the webcam stills:

If you turn around and look up, you can see the webcam is actually in a church.

This is where all of our friends work, because Pearce included it in his Twitter bio:

I tried my barcode scanner out on this again, but it was just a representation of X8WVNRS3.

I actually had trouble investigating this company earlier when I found it with Pearce, because there are so many with similar names. But now with the Company Number provided, it is much easier.

If you go through the Filing History, you will come to a “Total exemption full accounts” PDF that you can look through. Within this there is a balance sheet:

Notice the “cash at bank” portion, 102.347.

The feed is clearly marked as Bornholm airport, which is an airport in Rønne, Denmark.

Looking at their departures for the current time period, we can see that there are a few different flights every morning, but they are basically all headed to Copenhagen.

I picked DX31 because it is the normal weekday flight first thing in the morning. Looks like it gets to Copenhagen a little before 7am. The STA is 07:00 every day.

However, this did not work. And neither did the weekend flight times. So I switched it around in case they meant the suspect comes TO Rønne from Copenhagen:

But none of these three morning arrival times worked. To be fair, this challenge was created a year ago, so the times could have definitely changed.

I’m not sure if these are being updated, but someone did solve it a day ago. They could have definitely used the same tactic I did on the other time-based one by just guessing a bunch of stuff until something worked.

And yeah, this is definitely the right airport judging by the patterns on the runway:

As for now this remains unsolved.

Here is the image:

Using the tool they provided, I was able to decode the image and extract a text file.

The live cam seemed to be down at the moment, so I used the attached picture:

Searching for “The Birchmount Lofts” on Google brought me to results showing that this is actually a vet clinic called the Birchmount Animal Hospital in Canada. This camera right here is where you watch the cats.

I was hoping to see some cute puppers playing around in the main play room, but the whole place seems abandoned. I am assuming it’s because of Covid.

The road out front is actually called Birchmount Rd.

This is definitely Morse Code:

Here I looked up one of the intersections to find the exact location:

Then I headed down for street view and landed right on top of this guy:

I used THIS wifi mapping service because I have used it before. I scrolled out and searched for “jammy”.

It looks like nothing is here but if you look kinda northeast you will see two little purple dots. Zoom in on those:

If you open up the PDF and hit select all, scroll down and you will see something written in white text.

Just copy that and paste it into notepad or something like that:

Open up the attachment and you will see a copy of the invoice.

If you right-click on the PDF and choose ‘properties’, it will show that the last time it was modified was Sunday, May 13, 2012, 2:00:00 PM.

If you use exiftool on the image, you can see it was taken on a Moto G3.

You just have to find an online tool to use XOR, I used THIS one.

Here we have a pastebin link to what looks like a Middle Eastern language. I found it interesting that in the middle there is obvious Chinese just randomly hanging out.

I used Google translate on the whole page to turn it into English, and after that I was able to find multiple areas where other languages were used:

Here is a random word that says ‘Clouds’, which turned out to be the flag:

Like most government websites, the Land Registry is an absolute nightmare to navigate, and most things you click end up asking you for credit card info to search through the data.

I eventually found a page (HERE) to search the data for free, and added the date in question plus a minimum of £40,000,000. I figured there wouldn’t be too many at that price.

So it looks like it used to be owned by Tesco before it was purchased.

So for this one I opened up all the links and set the date of the data to February 1st, 2020.

After that, I multiplied the ‘open’ amount with the amount of bitcoin received, 3.581074451254057. I went through each country’s price, until I found a nice even number, 50,000.

This was in Australian Dollars.

Interesting that a Sarah Luxton just went on “vacation” to Perth…hmm. However, she apparently did not arrive until the 26th of February, over 3 weeks after this transaction.

The rest of the questions were just basic stuff you could Google, like “What does HTTPS stand for”. I figured that did not need a walk-through.

I still need closure though! What was the outcome of this investigation! What is the answer to leaveamessage!

Overall, I thought this was awesome. It’s rare to find a CTF entirely dedicated to OSINT stuff, so I was very happy when I found it. There is actually another CTF from them called Cyber Detective CTF, which is also mainly OSINT focused. This one is much more recent.

Happy Hacking! ❤


Samantha

CTF writeups to facilitate cyber education and help me earn CPEs