Image of Brno, courtesy of Ignat Arapov at Pexels

OSINT Walkthrough - The Seint's Christmas CTF, 2022

I am a bit late to The Seint’s now annual OSINT CTF, but that’s probably a good thing as this series will contain spoilers. You can follow along in the posts ahead, or you can always have a go yourself at this repo. You will also find the 2021 CTF on GitHub.

Rather than provide a simple show-and-tell, I will also try to share any learning I picked up along the way. This assumes I even complete the challenge, of course!

We start off with a password-protected Zip file (2022.zip), which contains all the puzzles nested inside each other. The password to the next step is always the MD5 hash made of the current step’s answer written in lower case.

Care! Please don’t open random Zip files downloaded from the internet without testing them! There’s no reason to be distrustful of The Seint, but good file hygiene should be standard practice.

We’re told that the first password, to get us going, is the MD5 hash of the word “summer” (without quotes), so let’s head off to CyberChef.

Spoiler Warning

This is a walkthrough, so you will find spoilers below and in the subsequent posts in this series. Do try and solve the puzzles on your own before reading ahead!

Creating an MD5 Hash in CyberChef

If you’ve never used CyberChef before, it can be a bit intimidating, but it’s really very straightforward. There are operations on the left, which can be combined in order to create a recipe in the centre (you can simply drag the operations over). The recipe takes one ingredient (Input, top right), and hopefully bakes a nice Output (bottom right). There are lots of operations you can perform in CyberChef, but we’re only interested in one for now.

Using either the Search function or by browsing in the section titled Hashing, find MD5 and drag it into the recipe. Type “summer” in the Input field and watch the hash magically appear in the Output field:

Screenshot of CyberChef

You can now unzip the archive and see what files we’ve got for Stage 1:

step1.txt
step1 - hint 1.txt
step1 - hint 2.txt
step2.zip

Try and avoid the hints if you possibly can; they’re there for if you really get stuck!

Last year, The Seint started us off fairly gently, so let’s see if we’re getting the same treatment this year. Here’s step1.txt:

This summer, I got a message from my friend. I knew she was planning to visit Europe, but didn't have any clue where she was going. The message said: "I came to a city that welcomed me with a puzzle. While sightseeing I was tricked to go to the train station an hour earlier. And that's all because of the cathedral bells ringing noon not at the time you'd expect them to. While I ran down from the hill along a little street named after a president, just behind that cathedral I noticed a skull painted by a gate. Just behing that gate somebody left a piece of cloth. Its color is the password that will let you find my next exact location."

Make a hash of the color name to uncover the next step.

This is a really good scenario for highlighting something The Seint says in the introduction to this CTF: Remember that the tools aren’t enough. Use your open mind and try not to fall in the mind traps.

It’s tempting to rely on tools in the OSINT world, but occasionally you just have to charm Google or Bing with the right search term (much like we’re all learning how to craft prompts to get the most out of our new AI tools). So let’s try and find a European city whose cathedral bells ring noon an hour early. It took several iterations before I found the answer with: "europe cathedral ringing noon at 11"

Which led to a promising result:

Google search results

The ‘little street named after a president’ turns out to be too little to find on an overhead view in Google Maps, so I ended up doing what I often do in CTFs, which is simply to have a good hunt around ‘on foot’, i.e., in Street View. Eventually, I found the skull on an alley named after the first president of the Czech Repulic:

Image of alley behind Brno Cathedral. Source: Google Maps

True enough, on the other side of that gate is a large piece of cloth in a fairly distinctive colour. (The relevant image was taken in 2017, so if it’s replaced with a more recent image before you try this CTF, you might need to use the Street View Timeline to go back to 2017) Hashing the cloth’s colour allows us to open step2.zip, and you can see how I get on with that step in the next post!

I’m stuck!

If you can’t find the gate by plodding around Brno cathedral, you’re welcome to click on the spoiler below. This will take you to the location of the gate in Google Maps, and you should be able to find the cloth fairly easily.

SpoilerGoogle Maps

Takeaway

Sometimes, there’s no substitute for simply spending a bit of time trying lots of variations of search terms (and search engines), or wandering around aimlessly in Google Street View. There aren’t always magic shortcuts in OSINT, despite whatever tools come along!