@Siss3l
Last active February 11, 2025 00:32
1337UP Capture The Flag 2024 - Writeups

1337UP Capture The Flag 2024 - OSINT

  • Category: OSINT

Competition

The OSINT category of this CTF event can be completed without too much trouble.

Trackdown 1

There's a fugitive on the loose and we need to track him down!
He posted this to social media recently, do you know where the photograph was taken from?
If you can provide the precise building, we can move in immediately.

Flag format: INTIGRITI{Location_Name} by CryptoCat.

Solution 1

A Google reverse image search finds the Trang Tien Plaza location, and on Google Maps we can see the Si Lounge in front of the building.

BLAKE2b flag hash: 5e6f5df575b86c88bd3de726b6ae2406a56a7bf6b1a31c2bb8e9223687978c8d6d68bc1a13eb3fcef7a1eaf3582ddab2b64f2fee54139a22f66fbe6d6984dfe6

Trackdown 2

We didn't get him in time.
Thankfully, we don't believe he's fled the country yet.
He uploaded another photo this morning, it's as if he's taunting us!
Anyway, this may be our last chance - do you know where he is right now?

Flag format: INTIGRITI{Location_Name} by CryptoCat.

Solution 2

Based on the challenge description, we can use the EarthKit machine learning geolocation (or tensorflow-based rotation detection) to narrow our search radius within the same country, which returns several matching geographical points, including the Express by M Village location.

BLAKE2b flag hash: cbd3417b64cc24971bdee0e8239574371cefb292fe97cf7bba4130554f23e3be29c3126dff387254d9408b4298ab23ae9fd2a0b3ec0590bd1dfe5c780d20a9e0

Private Github Repository

Bob Robizillo created public instructions for Tiffany, so she can start work on a new secret project.
Can you access the secret repository?

Flag format: INTIGRITI{.*} by Ivars Vids.

Solution 3

We use the GitHub search tool with the name Bob Robizillo to find a valid user: https://gist.github.com/bob-193.

Next, we take the base64 OpenSSH private key (together with the repository name 1337up) given in Bob's only gist and use it to connect to the secret repository, as follows:

git init
# Load the private key taken from Bob's gist.
ssh-add ~/.ssh/id_rsa
# Check which GitHub account the key authenticates as.
ssh -T git@github.com
git clone git@github.com:..1337up.git
git diff
git clone git@github.com:..fany/1337up.git
git show
git clone git@github.com:..fany/xxxxxx.git
git log # flag here

BLAKE2b flag hash: 0d5c4ff7df5a16c70fa86397c1b66c95bbc926a51b0db708e1fc303673dd3d279e1110d674b288cddaa9e621104f18443afa41ec4bb7ad41f47ef8a4e7d968f8
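
The key in this challenge was exposed in a public gist, and a base64-wrapped key slips past scanners that only look for the literal PEM header. The following added example (not part of the original writeup) flags private-key headers in both plain and base64-wrapped form; `find_private_keys` and the sample text are constructed for illustration, and it assumes a wrapped blob starts at the PEM header.

```python
import base64
import re

PEM_HEADER = re.compile(rb"-----BEGIN (?:(\w+) )?PRIVATE KEY-----")
# "-----BEGI" is 9 bytes, so its base64 form is a fixed 12-character prefix
# of any base64-wrapped PEM private key.
B64_PREFIX = base64.b64encode(b"-----BEGI").decode()
B64_BLOB = re.compile(re.escape(B64_PREFIX) + r"[A-Za-z0-9+/\r\n]*")


def key_type(match: re.Match) -> str:
    # A header without a type word ("BEGIN PRIVATE KEY") is PKCS#8.
    return (match.group(1) or b"PKCS8").decode()


def find_private_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line, encoding, key_type) for each private-key header in text."""
    hits = []
    data = text.encode()
    for m in PEM_HEADER.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        hits.append((line, "plain", key_type(m)))
    for m in B64_BLOB.finditer(text):
        # Drop line wrapping and decode only the first 64 characters (48 bytes):
        # enough for the header even if trailing text was swept into the match.
        head = "".join(m.group(0).split())[:64]
        head = head[: len(head) // 4 * 4]
        header = PEM_HEADER.match(base64.b64decode(head))
        if header:
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, "base64", key_type(header)))
    return hits


# Constructed sample: a placeholder body, not a real key, wrapped in base64.
FAKE_PEM = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"Q09OU1RSVUNURUQ=\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE = ("Setup notes for the new project\nkey:\n"
          + base64.encodebytes(FAKE_PEM).decode()
          + "then clone the repository\n")

if __name__ == "__main__":
    for line, encoding, kind in find_private_keys(SAMPLE):
        print(f"line {line}: {kind} private key ({encoding})")
```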

No Comment

Or is there?

Flag format: INTIGRITI{.*} by CryptoCat.

Solution 4

We use exiftool to find a weird comment in the ripple.jpg image.
We then ask our local RAG LLM for advice that takes us to plausible domain names, such as bit.ly or imgur.io.

Once done, https://imgur.com/a/pq6TgwS shows the same ripple.jpg image with some base64 code in its description.
A bit of XORing then recovers the flag (of an Instagram reel):

import base64, bs4, chepy, requests

# Base64 text from the imgur description: a quoted password and a pastebin URL.
k = base64.b64decode("V2hhdCBhICJsb25nX3N0cmFuZ2VfdHJpcCIgaXQncy" +
    "BiZWVuIQoKaHR0cHM6Ly9wYXN0ZWJpbi5jb20vRmRjTFRxWWc=").decode().split()
pwd, url = k[2].replace('"', ""), k[5]
session = requests.Session() # http_request()
# The password form needs the CSRF token served with the pastebin page.
csrf_token = bs4.BeautifulSoup(session.get("https://pastebin.com").text, "html.parser") \
    .find("meta", {"name": "csrf-token"})["content"]
html = session.post(url, headers={"User-Agent": "curl/8.11.0", "X-CSRF-Token": csrf_token},
    data={"PostPasswordVerificationForm[password]": pwd})
div = bs4.BeautifulSoup(html.text, "html.parser").find("div", class_="de1")
if div is None:
    raise SystemExit("paste body not found")
d = div.get_text().strip()
print(d) # 25213a2e18213d2628150e0b2c00130e020d024004301e5b00040b0b4a1c430a302304052304094309
# XOR the repeated password against the hex string from the paste.
flag = chepy.Chepy(pwd*3).xor(key=d, key_type="hex").out.decode()
print(flag[:flag.index("}")+1])

BLAKE2b flag hash: 3472136e9835ff82197d78f3049688817bf7d4faa74f80807be571779fc38b437765d165507393ed2cbb3b28cc5ba4dcf72c7750459d09f1af7cc132e40334a9

SpongeBob

I'm an epic H4ck3r and I'm trying to start a YouTube channel to show off my skills!
I've been playing around with some of the video settings and stumbled upon a few cool features.
Can you find the secret I've hidden? https://youtu.be/DXZrAGYS6X8

Flag format: INTIGRITI{.*} by Samuel - BlankAmber.

Solution 5

We can use yt-dlp or the https://ytlarge.com/youtube/video-data-viewer tool to help with the investigation:

# Check the first video.
https://www.youtube.com/watch?v=DXZrAGYS6X8
# Go to the playlist of the user.
https://www.youtube.com/playlist?list=PLTVHbcqv8C7kzjutGEbFnbzpkp5MZRQ2i
# Go to the unlisted Test2 video and check the tags.
https://www.youtube.com/watch?v=T9yX-ZEoVjc
# Tags/Keywords:  well done, INTIGRITI{...}

BLAKE2b flag hash: 551fcbcb217602a61f4758651d1bed0f9917877f15757c655e021a1ae20004890a67315e400ee6f3d1a1171af949271f06d4d29a9b682a4c7935a2e221add25a

Meme

Appendix

Great competition as always; the OSINT category changed from the usual and there was a lot to sort out after all.