DownUnderCTF 2021 (24–26 Sept)

One of my favorite CTFs is here!

DownUnderCTF is mostly targeted at Australian students. However, anyone can join and play. The questions span all difficulty levels, which is good since I’m definitely a bit rusty right now. Last year I enjoyed the DUCTF OSINT questions immensely, so I am excited to see what this year brings!

Let’s start off easy with the Discord question:

If you head to the #request-support tab, the flag is plainly there:

DUCTF{if_you_are_having_challenge_issues_come_here_pls}

I looked through the file in Binary Ninja and saw the flag here:

DUCTF{stringent_strings_string}

If you do a WHOIS lookup, you can see that this domain was registered, using NameCheap, by a person named “Isa Haxmoore”…

All of “Isa’s” contact info is here:

DUCTF{+61420091337}

Here is the picture. It shows a random bridge somewhere:

I uploaded this to Yandex, which found a couple good hits:

Like this one here:

And this one:

And then finally this one:

The last one led me to a Shutterstock page that identified the bridge location as Dutton Park.

Using Google Maps, I saw that this was located in Queensland, Australia, and I spotted the bridge:

Here is the angle the photo was taken from. You can see the railing for the walking path is exactly the same:

It is called the Eleanor Schonell Bridge:

You can see the total length here as 1,280 feet. Since I am in the USA, I converted this to meters (390m) but had some trouble with the flag for a while. On the Wikipedia page, I noticed there was another number for just the deck length (185m). That turned out to be the number they were looking for.

DUCTF{Eleanor_Schonell_Bridge-185m}

CTF Clock is probably referring to CTF Time, which is like a tracking website for CTFs around the world.

I’m not sure what 404 refers to, but I am thinking probably 404 error?

I then opened the DUCTF CTF Time page in The Wayback Machine and found this:

DUCTF{a5abef5222adc680a453607384bcb4d2}

Yeah, I can already tell this one is going to be a pain in the ass. It’s just a random pile of rocks in the middle of nowhere:

I do see what looks like a sign, which may indicate a historical marker or something educational?

As I thought, exiftool offered no information:

I started looking at Yandex, and found a couple hits in Australia with the same type of scraggly trees, which I think are called the Eucalyptus Wandoo or Brittle Gum?

So after about two hours of looking up random tree facts and trying to correlate them to geographical areas in Australia, then sorting through national park photos…I looked at the riddle once again:

“Right at the heart of the nation, no piece of the bush inside the circle remains untouched by us”

I decided to take this in the most simple way possible. The heart of the nation would mean the capital. The Australian capital is Canberra. So I went there on Google Maps, and look, right there in the middle is a huge circle:

I went to street view and noticed right away that the street lamps looked very similar to the original photo. Hope started to blossom. I made my way around the circle closely using satellite/street view and found this:

This obviously isn’t the same one in the picture because of the different angle, but it looks like these are all around the “Capital Circle”.

Here’s another:

Here’s a close-up of one by the “Surveyors Hut”, which looks like it might be the one. This pic below was taken in 2015.

I mistakenly started rounding my coordinates when submitting the flag, but that was incorrect. The correct answer is to use the first three decimal places exactly as you find them, even though truncating like that will actually put you way over on another street (State Circle).

DUCTF{149.120,-35.306}

Here is the photo, it opens upside down:

You actually get a lot of info using exiftool on this one, and you can see the artist’s name reveals the flag:

DUCTF{sicc_paint_skillz!}

I probably should have done this one first, but here is the introductory challenge:

You put in a name and it starts spitting out the Hacker Manifesto.

You just have to claim that YES you are a hacker, and it will spit out the flag.

DUCTF{w3lc0m3_70_7h3_duc7f_7hund3rd0m3_h4ck3r}

For this one you have to look at their Twitter page and try to find a flag in the background of some of their pics. Like this one:

It’s hard to see at first but if you put on a filter like this it is a bit easier:

They are all basically repeating continuously, and nothing seems to stand out or break the pattern.

Looking at the other Twitter posts though, eventually I came to this one:

Look closely at the bottom right:

DUCTF{EYES_ON_THE_PRIZES_TWITTER}

So this is a GIF that rapidly shows a bunch of broken up pieces of QR codes.

I found an online tool that can split up the frames:

I’m like, 100% sure there is an easy way to create a script to put all these back together, BUTTTT, I really suck at scripting, especially since I haven’t done any in like a year…

I noticed there were 12 stills of each different color, for 10 total QR Codes. I also know of an online tool that will take a number of photos and squish them all back together, from when I had to piece together a photo of the Prime Minister of New Zealand’s face for another CTF, lol.

Here is the purple QR code, together:

I used my phone to scan the message, which is, “The princess is in another castle”

I continued on like that, randomly choosing colors. Green was RFVDVEZ7UI, which was Base64 for “DUCTF{P”

Ok, so it looks like different colors might have bits and pieces of the flag. Grey contained “f0ll0w 7h3 wh173 r4bb17”. This looks like it could be the flag, but I see the DUCTF part had a “P” in the beginning. Anyways, I tried DUCTF{f0ll0w_7h3_wh173_r4bb17} and it did not work.

Teal just said ()()

Brown had another nonsense message, (\(\

Navy took me to a YouTube video of Jimmy Barnes screaming for 10 hours.

Black rick-rolled me…

There was another Black, this sent me to a YouTube video about how GIF was pronounced. Just FYI, I pronounce it GIF like in GIFT.

Next was…Dark Green? Anyways, it had some more code, fMV9oYVhYMHJfbjB3P30=

But I had a lot of trouble trying to decode it. It looks like Base64, but none of my decoders seemed to be working.

Moving on for now, a darker purple took me to another YouTube video, HERE.

That’s all the colors. What I need is probably in that code that I can’t crack for dark green, fMV9oYVhYMHJfbjB3P30=

UNSOLVED
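The dark green fragment is 21 characters long, and 21 is not a multiple of 4, so no standard decoder will accept it on its own: it is a slice out of a longer Base64 string, and its first character carries the tail bits of a byte that began in an earlier piece. Every Base64 character is 6 bits, so a fragment cut at a character boundary can start 0, 2, 4 or 6 bits into a byte. The following is an added example (not part of the original writeup) that tries all four alignments on the fragments quoted above and keeps the ones that decode to printable ASCII; it also reports the leftover bits at each end, which is what you need to tell whether two pieces sit next to each other.

```python
import string

# Standard Base64 alphabet; '=' is padding and carries no data bits.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def fragment_bits(fragment):
    """Return the raw bit string of a Base64 fragment (6 bits per character)."""
    return "".join(format(B64_ALPHABET.index(c), "06b") for c in fragment.rstrip("="))


def decode_at_shift(fragment, shift):
    """Decode a fragment after skipping `shift` leading bits.

    The skipped bits belong to a byte that started in an earlier fragment;
    the bits left over at the end belong to a byte that continues in a later
    one (or are zero padding if the fragment ended with '=').
    Returns (data, skipped_bits, trailing_bits).
    """
    bits = fragment_bits(fragment)
    body = bits[shift:]
    n = len(body) // 8
    data = bytes(int(body[i * 8:(i + 1) * 8], 2) for i in range(n))
    return data, bits[:shift], body[n * 8:]


def candidate_decodings(fragment):
    """Try every bit alignment a Base64 substring can have.

    Only alignments where every decoded byte is printable ASCII are kept.
    Each hit is (shift, text, skipped_leading_bits, trailing_bits).
    """
    found = []
    for shift in (0, 2, 4, 6):
        data, head, tail = decode_at_shift(fragment, shift)
        if data and all(0x20 <= b < 0x7F for b in data):
            found.append((shift, data.decode("ascii"), head, tail))
    return found


if __name__ == "__main__":
    # The two fragments quoted in the writeup (green and dark green QR codes)
    for frag in ("RFVDVEZ7UI", "fMV9oYVhYMHJfbjB3P30="):
        print(frag, "len mod 4 =", len(frag) % 4, candidate_decodings(frag))
```

The green fragment only decodes at shift 0 and ends with four dangling bits, i.e. its last byte is cut in half; the dark green one only decodes at shift 6, so its leading `f` is nothing but the low bits of a byte that was cut in the same way. If two fragments are adjacent, the trailing bits of the first and the skipped bits of the second join into one printable byte; if they do not, another piece belongs between them.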

I opened this up in Audacity and heard some annoying singing. But underneath that singing I heard what sounded like Morse code.

I found a tool that separates vocals from music, then re-uploaded just the music portion into Audacity.

I changed it to spectrogram view and saw the Morse code standing out:

Here’s a close-up:

From here, I got “I COULD LISTEN TO THIS ON A OOP A N R DAY”

That did not make sense to me, but I tried a bunch of different variations on it, like I COULD LISTEN TO THIS ON A OOP A N Y DAY and I COULD LISTEN TO THIS ON A OOP ANY DAY. I also swapped OOP for LOOP a couple of times and tried all those variations. I wasn’t sure if OOP was a play on words referencing Object Oriented Programming or something.
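Reading Morse off a spectrogram by eye usually goes wrong at the gaps rather than the dots and dashes: a letter gap (3 units) read as an inside-letter gap glues two letters into one nonsense symbol, and an inside-letter gap (1 unit) read as a letter gap splits one letter into several (an "A N Y" style reading). The following added example (not from the original writeup; the signal is constructed, not the challenge audio) decodes a list of tone/silence durations with explicit thresholds, so you can see exactly how moving a threshold changes the text.

```python
# Standard International Morse table (letters and digits only).
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
REVERSE = {code: ch for ch, code in MORSE.items()}


def morse_timings(text, unit=0.1):
    """Constructed test signal: a list of (is_tone, seconds) using the standard
    ratios (dot 1, dash 3, gap inside a letter 1, between letters 3, between words 7)."""
    events = []
    words = text.upper().split()
    for wi, word in enumerate(words):
        for li, letter in enumerate(word):
            for si, sym in enumerate(MORSE[letter]):
                if si:
                    events.append((False, unit))
                events.append((True, unit * (3 if sym == "-" else 1)))
            if li < len(word) - 1:
                events.append((False, 3 * unit))
        if wi < len(words) - 1:
            events.append((False, 7 * unit))
    return events


def estimate_unit(events):
    """The shortest tone in the recording is a dot, i.e. one unit."""
    return min(length for is_tone, length in events if is_tone)


def decode_timings(events, unit=None, letter_gap=2.0, word_gap=5.0):
    """Turn tone/silence durations into text.

    Thresholds are measured in units: a silence shorter than `letter_gap`
    stays inside a letter, one shorter than `word_gap` ends the letter,
    anything longer ends the word. Unknown symbol sequences decode to '?'.
    """
    unit = unit or estimate_unit(events)
    words, letters, symbols = [], [], []

    def flush_letter():
        if symbols:
            letters.append(REVERSE.get("".join(symbols), "?"))
            symbols.clear()

    for is_tone, length in events:
        n = length / unit
        if is_tone:
            symbols.append("-" if n >= 2 else ".")
        elif n >= word_gap:
            flush_letter()
            words.append("".join(letters))
            letters.clear()
        elif n >= letter_gap:
            flush_letter()
    flush_letter()
    words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    signal = morse_timings("ANY DAY")
    print(decode_timings(signal))                   # correct thresholds
    print(decode_timings(signal, letter_gap=0.5))   # letters split apart
    print(decode_timings(signal, letter_gap=4.0))   # letters glued together
```

With the letter-gap threshold set too low every symbol becomes its own letter (so "A" reads as "E T"); set too high, whole words collapse into a single unknown symbol. When a hand reading contains isolated single letters or an unpronounceable run, re-measure the gaps around it against the dot length before trying word substitutions.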

Uh, I think I’m going to head back to my safe space, which is OSINT questions.

UNSOLVED

Here is the view from the apartment building:

I tried using Yandex on the original photo, but just got a bunch of generic-looking skyline photos. I decided to crop the photo to focus on the two more unique-looking buildings:

But this just brought up a bunch of buildings in Kazakhstan, lol. I tried zooming in EVEN CLOSER:

At which point I found this:

This was tagged on Instagram as the ANZ World HQ, located in Melbourne, Australia.

After messing around with some angles on Google Maps for a bit, I was able to get this view:

After seeing this, I’m pretty confident the hideout is in this building here:

This is located on McLean Alley.

DUCTF{McLean_Alley}

Oh no…

…and the flashbacks have started…

So what we have here is an extremely fuzzy, crap photo of a random sketchy train station somewhere in Australia.

I spent another few hours of my life on this, mostly just looking at random train stations throughout Australia, but also getting immersed in Aussie graffiti culture.

I noticed that some of the stops in Melbourne had similar looking stations, especially the arches above the tracks, and not only that, but the apartment building from the last challenge was in Melbourne.

I stared at the pixelated photo. It stared back at me. I was disgusted. It looks like someone took this on a Nintendo DS.

Then my brain seemed to finally actually SEE the photo. That train station looks derelict, overgrown, and abandoned. I typed in “abandoned train station Melbourne” and found info about the General Motors railway station right away. Then I found this picture:

DUCTF{general_motors_railway_station}

Here is the entire transcript:

I actually have a good online tool that I have used for a couple flight tracking OSINT challenges before, found HERE. This shows you up to 7 days of historical flight data for free without making an account.

I started off looking at flights from Melbourne, thinking the hackers were there because of the previous questions.

I tried these flights here:

None of those worked though, so I then moved on to Canberra, since another question focused on it earlier.

I remembered that at 15:06 Isa was saying that it will “be close”. This one was taking off at 15:07 so it seemed like a good guess.

DUCTF{VH-YIB_Melbourne}

I ended up finding him on Twitter first:

Then TwitchTV:

Steam:

Then weirdly…Pinterest:

Reddit:

I will focus on the Twitter and Reddit ones since they are the only accounts with any interesting content.

His Reddit account has some good info:

He actually comments back on this about how he let some info slip to the authorities:

He also posts a screenshot of him apparently trying to hack into something:

I headed back over to his Twitter account to see if I could find anything else. There were a lot of dad-tier hacker puns. Some were encoded in various ways:

After this I found yet another account on GitHub, which didn’t really show much:

I decided to look closer at the photo he posted to Reddit. He has a lot of crap open at once, but in the corner I see a MAC address:

I queried it in Wigle.net and got a hit in Sydney:

DUCTF{Charles_McIntosh_Pkwy}

A great time was had! I look forward to next year! Cheers mates.
