CyberSoc | Cyber Investigator CTF

Samantha
17 min read · Jun 24, 2021

Another OSINT themed one from CyberSoc! Click HERE to access the CTF. It is supposed to stay up indefinitely.

For this one I found a website that was able to look up MAC Addresses:

Apple

Here, I looked up “Pig Cipher” and found a Pigpen Decoder that matched the cipher text:

THE TRUTH IS OUT THERE SOMEWHERE

This ended up being a Caesar Cipher:

Follow the money

First I looked up a picture of a digital pin-pad so I wouldn’t screw up the number placement:

Then I looked at the included picture and started from the least intense red dot, because the heat would have dissipated in sequential order, starting from the beginning of the pin.

4158

I have an app called Shazam on my phone that will listen to a song and then tell you what it is. This one was easily identified as “Limitless” by Elektronomia.

Limitless

For this one I initially used a Google translate app on my phone set to Chinese, which seems pretty simple, but I got a different result every time.

I actually ended up finding someone who spoke the language and asked them to translate for me.

415364214564383

I found a website where you can input IMEI numbers and receive info about the related hardware.

This is a Samsung Galaxy that is supposed to weigh 138 grams.

So subtract 138g from 300g and we can see that the phone has an extra 162g of weight.

162g

I used “have i been pwned” to search for the email on the business card above:

Adobe

I used Yandex Translate to upload the image and translate the text (Chinese):

I then searched for Fuzhou Road in Google maps and ended up in Shanghai, China.

Shanghai

I actually ended up finding the exact same pic they used for this challenge on an eBay listing, so that was how I found the version of the Sky remote:

Then I input that into the SKY website to find the code.

Because I didn’t get the model number of the TV, it gave me three options:

Luckily, the first one I tried worked!

1536

I searched for “case number 15–007500 London” and found these results:

Looks like his jacket was from Northface.

Northface

I downloaded an app on my phone called DTMF Decoder and just held it up to my speakers to get the flag.
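How a DTMF decoder app like the one above recovers the digits, as an added example that is not code from the original post: the flag is synthesized as DTMF tones (constructed input, no real recording) and each 50 ms block is decoded with the Goertzel algorithm.

```python
import math

# DTMF keypad: each key is the sum of one row (low) and one column (high) tone, in Hz.
LOW = [697, 770, 852, 941]
HIGH = [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]
RATE = 8000      # sample rate in Hz
BLOCK = 400      # 50 ms per digit; 20 Hz bins comfortably separate the DTMF tones

def tone(digit, n=BLOCK):
    """Constructed test input: n samples of the two sine waves that make up one key."""
    r = next(i for i, row in enumerate(KEYS) if digit in row)
    c = KEYS[r].index(digit)
    return [math.sin(2 * math.pi * LOW[r] * t / RATE)
            + math.sin(2 * math.pi * HIGH[c] * t / RATE) for t in range(n)]

def goertzel(samples, freq):
    """Signal power at one target frequency (Goertzel algorithm, no FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_block(samples):
    """Pick the strongest row and column tone; reject blocks that are silence."""
    low = [goertzel(samples, f) for f in LOW]
    high = [goertzel(samples, f) for f in HIGH]
    if max(low) < 1.0 or max(high) < 1.0:
        return None   # threshold is an assumption for this constructed, noise-free signal
    return KEYS[low.index(max(low))][high.index(max(high))]

def decode_sequence(signal, n=BLOCK):
    """Decode a whole recording block by block into a string of keypad digits."""
    digits = (decode_block(signal[i:i + n]) for i in range(0, len(signal) - n + 1, n))
    return "".join(d for d in digits if d)

if __name__ == "__main__":
    flag = "4562659845852366"
    audio = [s for d in flag for s in tone(d)]
    print(decode_sequence(audio))   # → 4562659845852366
```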

4562659845852366

When I listened to the audio it sounded as if it was uploaded backwards, so I did a quick search online and found a place to reverse a sound file. The new file sounded like an English person giving a speech, as if they were a politician or member of the royal family.

I looked up the speech and found this:

Looks like it was a farewell speech made by David Cameron, who is a former Prime Minister of the United Kingdom.

David Cameron

Here is the font in question:

I’m not familiar with it, but I did a quick image search with Yandex and found a bunch of sources saying it was “Plexifont”.

PLEXIFONT

The first thing I did was grab a little snippet of the text file and Google it. It brought up something called the PAWN scripting language, which I am not familiar with.

From there I searched for video games made with the language, specifically, multiplayer games.

On the third link I saw that there is a Grand Theft Auto mod that turns it into multiplayer:

Grand Theft Auto: San Andreas Multiplayer

Well, this keeps getting more and more dark.

This one was actually quite hard, and Google proved pretty useless for me. Maybe I just wasn’t inputting the right terms.

Eventually I thought to use Ancestry.com, which I had a paid account for back in the day when I was really into genealogy. You can still search with a free account, you just can’t look at the actual records.

There were 36 hits, and a few had death years.

I decided to just try the years, and got lucky because the first one in line worked:

I have no idea how the library card, the sewing club, or the bones that the developers found fit in here, because I couldn’t find any articles or anything about that. I’d be interested if any of you did though, so please leave a comment if so.

1996

It looks like this is the bungalow in question.

It looks somewhat unkempt, and surrounded by the same type of duplexes the property developer probably wants to build.

I quickly Googled the address. The first thing that comes up is a website that talks about planning updates for the city of Cardiff:

From here, you can click the link on the lower right to go to the official application:

This will give you a lot more information on the project. You can see that it looks like the application was actually refused:

Notice there is a “comments” tab. If you check that out, you will see that Mrs. Mary Landon Goodman (the next door neighbor) has written a very lengthy objection, probably prepared by some legal counsel.

A little further digging into the documents section and you can see the document the developer received, which outlines the reasons for refusal:

Mary Landon Goodman

I had a lot of trouble with this one. I looked up the Institutional Investors for GameStop, found this, and arranged them all by date:

There are five of them on or before 12/31/2020, with APERIO GROUP, LLC being the largest. None of these worked though.

I spent a fair amount of time searching around the internet and then temporarily moved on because I was getting frustrated. I ended up solving every single other challenge before coming back to this one.

Eventually I got sick of it and just purchased the hint, which was basically useless because it was what I had seemingly already been doing.

I also tried most of the largest investors I found on various sources, and then almost gave up in complete disgust with myself for wasting 200 points on that hint.

Eventually I found THIS website here and looked through all the investors. FMR was at the top in the “December 20” column. I looked them up and they are called Fidelity.

Fidelity

I started by searching for Dogecoin using that link in the question:

If you scroll down a little on that page, you can see this section:

So the first part of the flag is “DH5yaieqoZN36fDVciNyRueRGvGLR3mr7L”. Now we need to find out when that wallet became active.

For this, I basically just Googled the wallet.

That first link will take you here:

You can then sort the transactions by time to retrieve this:

So I tried “DH5yaieqoZN36fDVciNyRueRGvGLR3mr7L 2019–02–05”, but that did not work.

I then looked up some of the other links from when I Googled that wallet, and found this:

DH5yaieqoZN36fDVciNyRueRGvGLR3mr7L 2019–02–06

I started by Googling the markings on the handgun:

I found this picture, which shows that the person probably filed off the two “Glock” logos:

I looked up the model to find the official measurements:

On the Glock website you can see this:

187mm x 128mm

Here’s the attached text file with the log data:

You can see that they are looking for things like “international-domination-strategy.txt” and “new-world-order.pdf”.

My tactic here will be to first look up the IP addresses. ViewDNS.info has a location finder:

From this we can see that the IP initiating the GET requests might be from North Korea:

That other IP in the logs also belongs to North Korea.

In order to find the target, I looked at the first GET request:

“GET /vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/”

This can actually be converted to Cyrillic, which is Russian. I figured this out by Googling those characters:

From there I looked for a decoder.

Afterwards, I found out you can actually do this more easily in CyberChef:

This can be translated as Vladimir Putin.
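How the %u-encoded path above is decoded, as an added example that is not code from the original post: the %uXXXX form is Microsoft's non-standard UTF-16 escape, which standard URL decoders such as urllib.parse.unquote() ignore, so a log parser or filter that relies on them would leave this request opaque. The path below is copied from the log excerpt; the request-line parser is an assumption about the log format.

```python
import re
from typing import Optional

# Copy of the request path quoted from the log excerpt above.
LOG_PATH = "/vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/"

# A run of %uXXXX escapes (UTF-16 code units) or a run of ordinary %XX escapes (raw UTF-8
# bytes). Matching whole runs lets multi-byte characters and surrogate pairs decode
# correctly instead of one escape at a time.
_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4})+|(?:%[0-9A-Fa-f]{2})+")

def _decode_run(match: "re.Match[str]") -> str:
    run = match.group(0)
    if run.startswith("%u"):
        units = bytes.fromhex(run.replace("%u", ""))
        return units.decode("utf-16-be", errors="replace")
    return bytes.fromhex(run.replace("%", "")).decode("utf-8", errors="replace")

def decode_percent_u(path: str) -> str:
    """Decode %uXXXX and %XX escapes in a single pass.

    Doing both in one pass also avoids the double-decoding mistake where a decoded
    '%' (e.g. from %u0025) is fed through the decoder a second time.
    """
    return _RUN.sub(_decode_run, path)

def request_path(log_line: str) -> Optional[str]:
    """Pull the decoded path out of a quoted request line like '"GET /x HTTP/1.1"'
    (assumed common-log-style format)."""
    m = re.search(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)', log_line)
    return decode_percent_u(m.group(1)) if m else None

if __name__ == "__main__":
    print(decode_percent_u(LOG_PATH))   # → /vips/Владимир Путин/
```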

NorthKorea Russia

I opened the file up in Autopsy.

Looking through what popped up, I noticed that the USB stick was named “Tyler’s USB”.

Continuing on, I found some data about “Allan Leonard”:

It even has a username on there, with which I was able to find Mr. Leonard’s Twitter:

However, after trying “Allan Leonard”, that did not work. I did some further digging and it seems that this is just a photo of the outside of an Irish passport Tyler grabbed online, maybe to use as reference for forging:

Eventually, in the recycle bin, I found a picture of someone else’s passport:

Angela Zoe Smith

Here’s the key file:

For this I used ssh2john, which I think may come installed with Kali(?), but if you don’t have it:

wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py

Usually you would use this command to accomplish the process:

However, apparently there are some known errors going on relating to compatibility issues, which THIS thread details. While a new release is being worked on, someone posted a workaround:

This is basically just making the SSH Key readable for John. Copy and Paste it into a text file.

Then you can run John normally. We can see here that the password is “banana”

banana

I started by Googling this:

Right away you can see that he broke it while acting in Macbeth. From this piece of info, I assume Exhibit A is probably his script.

Yep, Act V: Scene 2

James McAvoy

I started by searching for the weight limits for these tires, and found THIS article which cleared some things up for me:

So 91 is the tire’s load index:

I converted that to Kilograms:

I don’t really know much about tires, but I assume you multiply that by 4 to get the total weight they can all handle.

So that’s 2,460.2852 KG

The car was 2200 KG, so if we subtract that we are left with 260.2852 KG

The driver was 85 KG, so now we are at 175.2852 KG

Then they had three engine blocks weighing 160 KG each, so subtract those and we end up with -304.7148 KG

Round up, and you have 305 KG.

305KG

Here is the invoice:

It looks like the European Union agreed to pay 15.50 euros for each dose:

I used a random calculator I found online to find the percentage increase:

This wasn’t the answer though. When I went back to that article about the EU agreeing to pay 15.50 per dose, there is a small section that talks about Belgium:

So while they officially AGREED upon 15.50, apparently they only paid 12. Interesting.

600%

I started by putting the face pieces together in a new folder:

But I did not recognize this person at all.

I then checked out exiftool to see if I could gather any more info, maybe location data or something, but there was nothing much of interest.

Then I found a tool online to merge the face together:

I took a screenshot of this and looked through Google images:

Looks like it is New Zealand Prime Minister, Jacinda Ardern.

Jacinda Ardern

I decoded the first part, which was hex:

“There are 195 independent sovereign nations in the world, but which one is it?”

The second part was binary, which decoded to:

“II . IV VII VIII VI I V , XLV . VI II I I IX II”

This further decodes to:

“2.478615, 45.621192”, which looks like coordinates to the middle of a field in Somalia:
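The binary-to-Roman-numeral-to-coordinates stages above, worked through as an added example that is not code from the original post. The post quotes the decoded text rather than the raw bits, so the binary input is reconstructed here by encoding that text as 8-bit ASCII (a constructed input).

```python
# Constructed input: the quoted Roman-numeral text re-encoded as 8-bit ASCII, one byte
# per character, standing in for the binary blob the challenge provided.
ROMAN_TEXT = "II . IV VII VIII VI I V , XLV . VI II I I IX II"
BINARY_BLOB = " ".join(format(ord(ch), "08b") for ch in ROMAN_TEXT)

ROMAN = {"I": 1, "V": 5, "X": 10, "L": 50, "C": 100, "D": 500, "M": 1000}

def binary_to_text(bits: str) -> str:
    """Decode 8-bit groups to ASCII; accepts groups separated by spaces or run together."""
    raw = "".join(bits.split())
    if len(raw) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return "".join(chr(int(raw[i:i + 8], 2)) for i in range(0, len(raw), 8))

def roman_to_int(token: str) -> int:
    """Standard subtractive Roman numeral parsing (IV -> 4, XLV -> 45)."""
    total = 0
    for i, ch in enumerate(token):
        value = ROMAN[ch]
        if i + 1 < len(token) and ROMAN[token[i + 1]] > value:
            total -= value      # smaller numeral before a larger one subtracts
        else:
            total += value
    return total

def roman_tokens_to_string(text: str) -> str:
    """Each space-separated numeral becomes its decimal value; '.' and ',' pass through."""
    return "".join(tok if tok in ".," else str(roman_to_int(tok)) for tok in text.split())

def decode_coordinates(bits: str) -> tuple:
    """Full pipeline: binary -> Roman numeral text -> 'lat,lon' -> (lat, lon) floats."""
    lat, lon = roman_tokens_to_string(binary_to_text(bits)).split(",")
    return float(lat), float(lon)

if __name__ == "__main__":
    print(decode_coordinates(BINARY_BLOB))   # → (2.478615, 45.621192)
```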

Somalia

I took a screenshot of the prominent building in the video:

Then I used Yandex to search for it:

The first hit brought me to a page about HaKirya Tower in Israel.

Israel

The first part of the video shows an airplane branded with “Laser”.

This is an airline based in Venezuela. This could just be a random airline visiting this airport, but it’s the only lead I have right now.

Next, I looked up that airport in Caracas to see if I could use Google maps to match the terrain or something:

I mean, it kinda looks like it could be this area here?

Then I spotted a flag in the video that I missed before, which looks to be the Venezuelan flag:

So it looks like I’m on the right path.

I started looking through the photo uploads from random people on Google maps, and saw this one:

That’s definitely the building in the video that I screenshotted. So this is the right airport.

I found that there is an airplane that matches the one in the video, that flies from Miami to Caracas daily, or used to.

Looking through the flight data HERE though, I don’t see any flights from the US coming in.

I found this, which shows that there are travel restrictions in place due to various reasons.

I then found this:

Another article gives the exact day that those pilots stopped:

This article was published on March 15, 2019, which was a Friday.

15/03/2019

Here’s a closer look at that png:

This seems like some type of sound/spectrogram thing. I threw the photo in Yandex to see if I could get anywhere.

The first hit brought me HERE, which shows a program that works with spectrograms and can apparently “synthesize from images”?

I got the program to work at least…but I have literally no idea what I’m doing.

I played around with the settings and could only ever produce blank sound files.

Then I found THIS YouTube video and downloaded the program he was using. I was immediately able to transfer the image to sound.

It’s a female robot voice that seems to be giving out the coordinates 37.241000 -115.804326

Lol! Nice.

Well, I tried “Area 51 Alien Center”. Then I tried “Homey Airport”, which is where the marker actually ended up:

Neither of those worked and I have one shot left. I can just try “Area 51”?

Wow. This is a lot of pressure.

Ugh, I’m just going to do it.

YES!

Area 51

Happy Hacking! ❤


Samantha

CTF writeups to facilitate cyber education and help me earn CPEs