CyberSoc Cyber Detective CTF: Life Online

CyberSoc Detective CTF is a platform that contains many OSINT-based challenges. It was created by the Cyber Society at Cardiff University.

In this post, I will be covering my write-up for the Life Online challenges.

NOTE: I do not have the flag to the challenge leaveamessage. In fact, at the time of this writing, I found out from the creators via their Facebook group that the challenge was broken and had several inconsistencies making the challenge not completable. They are currently working on a fix.

voteforme

200 points

We’re given Mr. James Markson’s twitter profile so let’s see if we can deduce from his profile his political affiliation.

After searching down his feed we discover him retweeting something from Barrack Obama (Democrat).

Adding to that, we see him retweeting Ron Wyden essentially expressing his disdain for Donald Trump (Republican).

Suffice to say James is a Democrat.

growingup

200 points

Looking back at James’s Twitter account, we see some strange almost cipher-like wording.

Born in ///purple.pulse.force, raised in ///push.asking.barn.

After browsing through more of his tweets, James references an app called what3words.

Essentially the tool allows people to use 3 words to encode a person’s precise location on their online map tool. Let’s put in the phrases found on his Twitter before.

Born in…Bristol

Raised in…York

choochoo

200 points

Amongst two tweets I was able to discern the answer to this challenge. For one, the train James usually boards on his way home is pretty consistently late.

Secondly, he tweets a picture of the train station he departed from.

Upon reverse image searched the picture of the train station I discovered the name of the train station to Cardiff Central Railway Station which is located obviously in Cardiff.

suntan

200 points

Amongst James’s Twitter likes that he liked a tweet from an associate named Sarah Luxton(Twitter: @sarah_luxton). This tweet details a picture of what perceives to be her upcoming vacation in two weeks and the location thereof.

Again I did a reverse image search in Google.

The location is Perth.

wagthetail

200 points

Inspecting Sarah’s profile she mentions, “Buster favorite place” and then provides some latitude longitude coordinates. I’m assuming “Buster” is her dog name.

Cross-referencing the coordinates with Google Maps, we have a pin on a bridge at 2 Bridge Street, Brecon LD3 9AH, UK

Diving into Google Streetview…

The answer for this challenge is simply Brecon.

narcissism

200 points

Looking back again at James Markson’s Twitter likes I stumbled upon a bold but stupid tweet by another associate by the name of George Watson(Twitter: @GeorgeWatson428). He thinks his password is “…secure and unbreakable!”

His password is encoded in base64 which can easily be decrypted using the following command:

# echo aW1hbWF6aW5nMTIz | base64 --decode

imamazing123

proppedup

200 points

On George’s Twitter profile, we find another target named Pearce Ress(Twitter: @PearceRess). Pearce casually mentions George left his debit card laying around and states he left George’s credit card on his desk. Also provides a proof photo of George Watson’s desk.

I’m still puzzled by what the numbers mean but the answer was Brown Silver.

bluengreen

250 points

Circling back to Mr. James Markson’s Twitter I noticed a small piece of text slipping out from behind his profile photo.

Blowing the banner up in full size reveals a flag: icanseeyou

clockingout

250 points

In one of his tweets, James mentions how it was a tough 8 hour day of work. The timestamp on the post reflects 4:02 PM, which subtracting 8 hours from then means he started work at 8:00 am.

Twitter shows the tweet timestamps based upon the viewer’s location or the original poster’s location. Converting the timestamps from the US to UK time resulted in 14:00.

meme

250 points

This one was really easy as I had already seen through my enumeration of each target the text message conversation referencing a meme and a Software Access Code.