📗 CTF Writeup

ABOH CTF 2023 OSINT Challenges & Official Writeup

Date: Dec 2, 2023
Slug: aboh23-osint
Status: Public
Tags: BOH, FSEC-SS, OSINT, CTF
Summary: I was the challenge creator for the OSINT category in ABOH 2023, and these are the writeups to my challenges! It was fun seeing how participants solved it in a different way :D
Type: Post
Thumbnail: ABOH23.png
Updated: Oct 8, 2024 06:33 AM
Hello there! So I was the challenge creator for the OSINT category in ASEAN Battle of Hackers (ABOH) 2023, and these are the writeups to my challenges! It was fun seeing how participants solved them in different ways, and I also find it very funny that half of the participants rated them as their favourites, while the other half rated them as their least favourite HAHAHAH
Anyways, enjoy 🥳


1. Hippity Hoppity Your Culture is My Property (Easy)


What’s something that feels British but isn’t? The British Museu-
 
Anyways, what is the registration number of a flute made of human bone in the British Museum, acquired during 1860-1869 in New Zealand?
 
Flag format: ABOH23{RegistrationNumber}

Solution


Since the question mentions the British Museum, a quick Google search will show you their website: https://www.britishmuseum.org/
 
You can navigate to the Human Remains section in the website, as the question mentions a “flute made of human bone”:
 
Scrolling down will lead you to a PDF file that has a “list of human remains in the collection”:
 
Searching the PDF with Ctrl + F will get you the answer:
Flag: ABOH23{Oc.1716}

2. We All Have That 1 K-Everything Friend… (Easy)


These 2 videos have one shooting location in common, find the full address of that spot!
ENHYPEN (엔하이픈) 'Future Perfect (Pass the MIC)' Official MV: https://www.youtube.com/watch?v=QMlNLo74mOw
Opening Title | 2022 LCK Summer Split: https://www.youtube.com/watch?v=Hs3LFwb8b7w
 
Replace the spaces and commas in the address with underscores, for example: ABOH23{1337_Yeet_Rd_Delulu_Is_The_Solulu_Wakanda}
 
To test for formatting locally, the MD5 of the flag is 7ffb48ee7e16ba67a2a35a83f95213f1

Solution


The Same Shooting Location

You can see that both videos have shipping containers in the background:
ENHYPEN (엔하이픈) 'Future Perfect (Pass the MIC)' Official MV
Opening Title | 2022 LCK Summer Split
 

Narrowing the Country

A quick Google search on LCK will tell you that LCK stands for League of Legends Champions Korea, which means it is highly likely that the shooting location was in South Korea. (I don’t think I need to explain why it is not in North Korea instead lol)
notion image
You could also view Korean letters on the containers in certain parts of the videos.
notion image
 

Narrowing the Location

There are a lot of approaches to this, but I’ll only show the intended way, which is the first one in the list:
  • Googling all da wae
  • Reverse Image Search
  • Finding the container’s location via their container number (Never tried this method, but in a way it might work to some degree)
 
A quick google search on some keywords like “kpop mv container” will show you similar photos, and you might land upon this article by Koreaboo:
notion image
And inside the same article which can be found here, you will see a line that says:
Nestled in South Korea, totally unassuming, is Donga Land Transport Company.
 
You might not get many results just by Googling “Donga Land Transport Company”, so you can try searching for the Korean equivalent, which is in the article as well: 동아 육운 창고 (Donga Land Transport Warehouse)
Google Lens is da best in OCR <3
 
Clicking on the first link will lead you to their company webpage:
 
If you can’t understand Korean, just translate the page to English:
notion image
 
By going to About Us > Branch Information, you can see their address:
notion image
 
Hence, the full address is: 1068, Poeun-daero, Mohyeon-eup, Cheoin-gu, Yongin-si, Gyeonggi-do, South Korea
Flag: ABOH23{1068_Poeun-daero_Mohyeon-eup_Cheoin-gu_Yongin-si_Gyeonggi-do_South_Korea}
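The formatting rule for this flag (and the MD5 check the challenge text offers, which challenge 5 uses the same way) is easy to get subtly wrong: replacing every comma and every space literally turns ", " into a double underscore. Below is an added Python example, not part of the original writeup, that shows the naive conversion beside a correct one and checks a candidate flag against the published MD5; the address and digest are the values from this writeup.

```python
import hashlib
import re

# Address found on the Donga Land Transport Company page (value from the writeup).
ADDRESS = "1068, Poeun-daero, Mohyeon-eup, Cheoin-gu, Yongin-si, Gyeonggi-do, South Korea"
# MD5 the challenge text gives for local formatting checks (value from the writeup).
EXPECTED_MD5 = "7ffb48ee7e16ba67a2a35a83f95213f1"


def naive_flag(address: str) -> str:
    """Literal reading of the rule: swap every comma and every space for '_'.
    A comma followed by a space therefore becomes '__', which is not what the
    example flag in the challenge text looks like."""
    return "ABOH23{" + address.replace(",", "_").replace(" ", "_") + "}"


def format_flag(address: str) -> str:
    """Split on any run of commas/whitespace and join with single underscores."""
    parts = [p for p in re.split(r"[,\s]+", address.strip()) if p]
    return "ABOH23{" + "_".join(parts) + "}"


def md5_hex(text: str) -> str:
    """Hex MD5 of the flag string exactly as it would be submitted."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def matches(flag: str, expected_md5: str) -> bool:
    """Compare a candidate flag's MD5 with the published digest."""
    return md5_hex(flag) == expected_md5.strip().lower()


if __name__ == "__main__":
    for candidate in (naive_flag(ADDRESS), format_flag(ADDRESS)):
        print(candidate)
        print("  md5 =", md5_hex(candidate), "matches =", matches(candidate, EXPECTED_MD5))
```

Only the candidate whose digest matches is worth submitting; the mismatch on the naive one is the double underscore, not a wrong address.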

3. A Shark Bit My Report… (Medium)


So I was writing a draft for my shark report for the blog, and a shark bit off a huge chunk of it. In order to find him (& ask him to spit out that goddamn report so I can explain this situation to my superiors), could you tell me the shark’s last known ping?
 
Flag format: ABOH23{Mm d, yyyy, hh:mm:aa PM/AM}
 
Flag example: ABOH23{Sep 30, 2023, 00:45:10 AM}

Solution


Finding the Hidden Report

Since the challenge mentions “for the blog”, you need to find the blog of the challenge author. By checking other sources (e.g. the competition ebook or Discord), you can deduce that the creator of this challenge is “Chang Shiau Huei”.
 
A quick look into this name on Google will show you a LinkedIn profile:
notion image
notion image
 
By clicking into the blog link: https://cybersec-blog-plzentertext.vercel.app/, you can see that there’s a search bar. By searching “shark” or any related terms, there’s no result at all.
notion image
Maybe it was removed (well, since it got bitten off), so the next course of action is to check whether there are any previous versions of the website!
 
By inserting the blog link (https://cybersec-blog-plzentertext.vercel.app) into archive.org, we can see that there is 1 snapshot made on 24 October:
notion image
By clicking into the snapshot, there is a blog post related to sharks, and it has a Base64 string.
notion image
Since the Base64 string is truncated on the page, viewing it with Inspect Element will give you the actual string.
The Base64 string:
UmVtaW5kZXIgdG8gc2VsZjogVGhlIGRyYWZ0IHJlcG9ydCBzaG91bGQgYmUgaW4gL2Nhc2Utb2YtdGhlLWJsdWItYmx1Yi1nbHVwLWdsdXA=
Decoding the Base64 string will show:
“Reminder to self: The draft report should be in /case-of-the-blub-blub-glup-glup”
 
So now we know that the link to the post would be at https://cybersec-blog-plzentertext.vercel.app/case-of-the-blub-blub-glup-glup. You can also arrive at this conclusion by right-clicking on the blog earlier and clicking on “Copy Link Address”.
 
By inserting the link (https://cybersec-blog-plzentertext.vercel.app/case-of-the-blub-blub-glup-glup) into archive.org, we can see that there are 2 snapshots made on 24 October:
The content of both snapshots is the same, I did a small oopsie while making the challenge HAHAHA
By clicking into the snapshot, you can see a long report about a shark. Scrolling to the end of the report leads to an interesting find:
Well, it looks like a shark bite somewhat AHHAHAHHA
 

Decoding the Barcode (Shark Bite LMAO)

Investigating further will show that this is an IMB barcode, and you can use this tool by USPS to decode IMB barcodes:
 
Putting the correct barcode characters (ATDDAATFDAFFDFFTFFDFDFTFFTADFFDTFFFADFADDTFFDFDADTTADTAFAADDFDFDT) and decoding it will show 5 numeric parameters:
notion image
Joining them together we get a large numeric sequence: 1151169711210433459811198
 
Using CyberChef’s From Decimal operation on the sequence, once it is split into the right groups of digits, will give you a text:
Maybe the shark bit off the report because it didn’t want anyone to see the contents that came afterwards ya know
Well now we know that the name of the shark is “Bob”, nice!
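The two decoding steps above, as an added Python example that is not part of the original writeup: the Base64 reminder is decoded directly, and the joined barcode digits are split into every possible sequence of printable ASCII codes (32 to 126, no leading zeros), which is exactly the “correct spacing” CyberChef needs. For this sequence only one split survives, and its last three characters are the shark’s name; the Base64 string and the digit sequence are the values from the writeup.

```python
import base64
from typing import List

# Base64 note found in the archived blog post (value from the writeup).
REMINDER_B64 = (
    "UmVtaW5kZXIgdG8gc2VsZjogVGhlIGRyYWZ0IHJlcG9ydCBzaG91bGQgYmUgaW4gL2Nhc2Utb2Yt"
    "dGhlLWJsdWItYmx1Yi1nbHVwLWdsdXA="
)
# Digits obtained by joining the five numeric IMB fields (value from the writeup).
IMB_DIGITS = "1151169711210433459811198"

PRINTABLE = range(32, 127)  # codes that decode to visible ASCII or a space


def decode_reminder(b64: str) -> str:
    """Decode the Base64 note; the result is plain ASCII text."""
    return base64.b64decode(b64).decode("ascii")


def segment_decimal(digits: str) -> List[str]:
    """Return every way of cutting `digits` into 2- or 3-digit printable ASCII codes.

    Printable codes are 32..126, so each code is 2 or 3 digits long and never
    starts with '0'. Backtracking tries both widths at every position and keeps
    only the cuts that consume the whole string.
    """
    results: List[str] = []

    def walk(pos: int, acc: List[str]) -> None:
        if pos == len(digits):
            results.append("".join(acc))
            return
        if digits[pos] == "0":  # a code cannot start with a leading zero
            return
        for width in (2, 3):
            chunk = digits[pos:pos + width]
            if len(chunk) < width:
                break
            code = int(chunk)
            if code in PRINTABLE:
                walk(pos + width, acc + [chr(code)])

    walk(0, [])
    return results


if __name__ == "__main__":
    print(decode_reminder(REMINDER_B64))
    for candidate in segment_decimal(IMB_DIGITS):
        print(repr(candidate))
```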
 

Finding the Shark’s Last Known Ping

Now time to find the last known ping of this shark! A quick google will show you a shark tracker website:
notion image
 
By putting the shark’s name in the filter, it will show you details of the particular shark (https://www.ocearch.org/tracker/detail/bob):
notion image
By looking at his travel log, you can now find his last known ping!
Flag: ABOH23{Dec 2, 2023, 10:30:09 PM}
💡
So I know this challenge was solved in an unintentional way by most of the participants because THE SHARK’S PING SUDDENLY WENT ALIVE ON THE DAY OF THE CTF AFTER 2 YEARS OF INACTIVITY! THAT’S WILD YOOOOOOO 🔥 Anyways Bob will now be my favourite shark HAHAHHA 🦈

4. Who’s That Pokemon? (Medium)


Certified Guaranty Company (CGC) did an oopsie by grading a Pokemon Card wrongly, but the cert records still remain (Cert number: 4302093025). Find out what the card error type, card name, and original grade were 👀
 
Flag format: ABOH23{Card_Name,Card_Error_Type,Grade}

Solution


Quick Brief of What’s CGC and Card Errors

 

Cert Number Lookup

By going to the CGC website and entering the cert number given (4302093025), you could see some of the details:
From that alone, you could get the Card Name (Charizard VSTAR); however, it does not state the card error type or the original grade (the grade shown is 0, from which you can deduce it was graded by mistake).
 
A quick Google search of “Charizard VSTAR” will show you what the card looks like.
notion image
Since there are a lot of different Charizard VSTAR cards, you can determine the exact look of the card based on its Card Number (SWSH262).
notion image
 

Time for Some Social Media Hunting

You can just search for terms like “pokemoncards”, “cgcgrading”, “cgcpokemon”, “errorcards” and look for thumbnails/images that have a Charizard VSTAR in them.
There are 2 solutions to this:
  • Using Instagram to search for related terms/hashtags
notion image
 
Then you can confirm it is the same card by the cert number shown in the video, and get the remaining information from the tags:
notion image
So we now have all the information needed:
  • Card Name: Charizard VSTAR
  • Card Error Type: Narrow Miscut
  • Grade: 9
Flag: ABOH23{Charizard_VSTAR,Narrow_Miscut,9}

5. Sky Full of … Cables (?) (Hard)


Time for an actual geo OSINT challenge: name the 2 stations this vehicle is between in the image below!
notion image
Flag format: ABOH23{Station_Name1,Station_Name2}
 
To test for formatting locally, the MD5 of the flag is 91217ee7ddec3f2f30d9509d27c77ffa

Solution


Narrowing the Country

A quick Google search on “what countries have so many overhead cables” or anything similar will show a few results; the following is based on my observations.
notion image
The countries that frequently appear on such lists are:
  1. Japan
  2. Thailand
  3. US
Let’s try the method of elimination! What “MANY” overhead cables looks like differs a bit from country to country. Let’s check Japan first.
notion image
Japan has overhead cables, but they are quite tidy, not as messy and clumped together as the ones in the picture. So, it’s definitely not Japan.
 
Let’s look at Thailand:
notion image
Yep, matches the picture alright.
 
But just in case, let’s check on US’s overhead cables too:
notion image
The US has overhead cables too, and although they look a bit messy, they are not in clumps like the ones in the picture. So, it’s definitely not the US either.
 
Hence, the picture should be from Thailand!

Narrowing the Location

Let’s look at what transportation modes exist in Thailand, especially elevated ones, given the perspective of that photo. A quick Google search will lead you to a guide on Thailand’s transport modes:
notion image
 
Based on the link (https://www.holidify.com/pages/transportation-in-thailand-2709.html), the only transportation mode that matches the picture is the Bangkok BTS Skytrain (Bangkok MRT Subway is underground, and planes are … ya know, planes).
 
A quick lookup on the BTS Skytrain network will show that there are a few lines available:
notion image
 
From now onwards, there can be a lot of different approaches to finding which line the photo was taken from:
  • Looking at Google Maps and comparing in street view for the different lines (I find this way easier lol, less guessing)
  • Identifying nearby tall buildings / distinct features (e.g. the bridge)
  • Pray that a reverse image search gives you a very lucky and similar photo
  • You went to the place before and know it by heart
 
So I’ll just skip to the exact location, which is here (388 Charoen Nakhon Rd)
notion image
You can deduce from the route that this is the Gold Line.

The Stations

The Gold Line actually has only 3 stations:
notion image
 
By marking these stations on the map and the location found earlier, you can deduce which 2 stations are near it (Or you know, just brute force it, it’s only 3 stations).
notion image
Flag: ABOH23{Krung_Thon_Buri,Charoen_Nakhon}