DUCTF - 2022 | OSINT

DUCTF - 2022 | OSINT

The Down Under CTF is one of Australia's premier capture the flag events. Running every year for the past 3 years, giving away thousands of dollars in both cash and prizes, it is aimed at Australian tertiary education students but open to everyone world wide.

There are many categories in this jeopardy style event, most of which require some cyber or programming skills. One category that doesn't is OSINT which is short for Open Source INTelligence and is the collection and analysis of information from sources that are overt and openly available through sources like social media and Google. Lets jump in to some challenges.


HONK HONK

I'm shocking when it comes to remembering when my car's CTP is up...can you let me know the exact date (DD/MM/YYYY) when it's due? My rego is 23HONK.

Flag format: DUCTF{DD/MM/YYYY}

From my time in the automotive trade, I know that a publicly available database exists for Victorian registered vehicles. I head here where I am presented with a 'Record not found' message. A quick Google shows that most states in Australia have a similar database also publicly available. The flag comes from the NSW version found here.

Flag: DUCTF{19/07/2023}


Does It Fit My CTF?

Cheers for that, I'm assuming you've worked out that I'm YouTuber... What's my channel name?

Note: This challenge assumes you have solved "Honk Honk" before attempting.

Flag format: Channel Name with no spaces, case insensitive

Let's head over to Google, searching the phrase "23honk number plate" and heading to images leads to half a dozen images of the car and the owner. Some poking around tells us this is Marty Mulholland from Mighty Car Mods.

Flag: DUCTF{mightycarmods}


Bird's eye view!

What a nice spot to have a picnic, EXAMINE the image and discover where this was taken.

Flag format: The name of the area with no spaces, case insensitive

First thing to do in any OSINT challenge is look at the image and gather as much information from what you can see as possible. This image however only shows trees that look Australian and some signs too small to view. Step two is pull the EXIF data, this contains things like camera model, lens used, settings, colour mapping, GPS location and many more details. We can use command line tools like 'exiftool' or a tool like CyberChef. In this case, we found:

GPSLatitude: -27.46852433333333
GPSLongitude: 152.96947113888888

The coordinates take us to the Hoop Pine picnic area just outside of Brisbane.

Flag: DUCTF{hooppine}


Bridget Returns!

Bridget is back, she's asked me to meet her at: download.pausing.counterparts

What is the name of the bridge she's meeting me on?

Flag format: The name of the bridge with no spaces, case insensitive

After participating in enough events like this, you learn about different formats or ways to portray information. We can see that download.pausing.counterparts is likely a way to portray a coordinate or location. There is a project called What 3 Words that dissects the globe in 3m squares and assigns the 3 words to that location and is displayed the same way as in the hint.

Flag: DUCTF{tedsmoutmemorialbridge}


Pre-Kebab Competition

Where was the photo taken from?

Flag format: Building name with no spaces, case insensitive

The image is fairly low resolution and not much can been seen at first glance but EXIF contains no information. We will have to take many small hard to distinguish details to find this one! The architecture feels South Australian or Queenslandian. The bottom middle sign shows "Weekend breakfast in <unable to read>". The bottom right has an orange and black sign shows a drive thru for a company that appears to be "Super Cellars". Their website shows what looks to be over 100 locations along the eastern third of Australia.

I started looking at each location but then a discord notification pinged.

Amita (MQU) posted that this location is like a second home to them, knowing that this CTF is aimed at tertiary students, MQU sounds like it may be a university. The closest Super Cellars it is at the The Epping Hotel. Is this cheating? I don't believe so, I used OSINT to solve the challenge.

Flag: DUCTF{eppinghotel}


This Takes Me Back

After a very successful DUCTF 2021, the DUCTF team met up for a few at a Sydney local on the 29th of September to celebrate. We all got kicked out at midnight on-the-dot, what song was playing on Triple J at the time?

Flag format: Song name, no spaces, case insensitive

EDIT (24/9/2022): We were more drunk than we realised. We previously stated it was 28th... It was actually the 29th.

This one had a lot of controversy surrounding it, our team found 2 ways to find this flag and apparently even though both confirmed what was playing, it wasn't correct. The organizer suggest an overworked Twitter API wasn't working correctly and JavaScript in our browser that may be causing an incorrect time zone. Here is what we initially found:

Twitter source
LastFM source

We tried to account for an incorrect date given but the Triple J Plays twitter bot showed this as the last song the next night with the next one starting well after midnight:

We tried the Wayback Machine and found a capture just before midnight. Still not right:

But finally, the organisers realised their mistake, removed the Twitter and JavaScript notes, updated the date to the 29th of September 2021 and bingo LastFm had what we needed (it did however contridict the Twitter bot):

flag: DUCTF{aintitfun}


That's how we solved all the OSINT challenges, speacial mention to our best friend during any CTF, caffiene! It was a fun but challenging CTF event, we learnt a lot from the other challenges. OSINT is a fantastic entry point in to capture the flag events, most jeopardy style events have some of these challenges and most can be done with no cyber or programming skills.

No spam, just cyber.