byu/osint: OSINT Compilation


Intro

So, we played BYU CTF 2022. There were 9 OSINT challenges. 9. It was absolutely party-time for a CTF player with an OSINT emphasis like me, and a tragedy for people who dislike the inherently guessy nature of the genre. Our team managed to solve them all, so here is our (albeit flawed) thought process behind it.

Important note: Some of our lines of reasoning don’t make sense at all. That’s normal for this category, and it comes from a shit ton of brainstorming and guesswork. I’ll try my best to include wrong paths that we took, but for the sake of brevity some of it will be omitted.

Oh, also, here is a haiku to express my carnal, passionate, burning hatred for OSINT:

“Eternal Resentment”
Submerged in my tears,
I yearn for painless release.
The dreadful OSINT…

-enscribe

Thank you, and enjoy.


I don't dream about noodles, dad 🐼

solver: enscribe
genre: osint
points: 100
files: po.png
Whose signature is found beneath Po's foot?
Flag format: byuctf{Firstname_Lastname}

Po from Kung Fu Panda
po.png

I did a quick Google Lens search on my phone with the keyword “BYU” attached, and this article turned up:

The Daily Universe

Credit to The Daily Universe

Jason Turner is a BYU computer science program graduate who works at DreamWorks and created all the data for Po’s character. The statue is a tribute to his success, as well as the University’s program and alumni.

Since the tribute is for Jason Turner, we can assume the signature is below his foot. The flag is byuctf{Jason_Turner}.


Oh The Vanity 🌐

solver: sahuang
genre: osint
points: 100
files: sharky.png
The vanity and audacity of these scammers and their phishing attacks are just getting ridiculous. I read an article this month about a new way to mask phishing campaigns. They even included this photo. Find the date the article was published.
Flag format: byuctf{mm-dd-yyyy}

sharky.png

Reverse Google Search with a “phishing” crib:

Sharky Google Search

The Vanity URL on darkreading.com was published on May 11th, 2022.
The flag is byuctf{05-11-22}.


B0uld3r1ng 🧗

solvers:
- sahuang
- enscribe
- Battlemonger
genre: osint
points: 416
files: b0uld3r1ng.png
I met a guy named Sam while climbing here in California. Can't remember what it's called though. Kinda looks like reptilian don't you think?

b0uld3r1ng.png

Once again, I used Google Lens to figure out where the location of this image was. Turns out to be a place called the Lizard's Mouth Rock in Santa Barbara County, California:

Lizard's Mouth

The image given to us is a direct screenshot of an image posted by Maps contributor Jonathan P., although that has little relevance to the challenge.

Moving on: although we have the location where the image was taken, the flag is in explicit format, meaning that it’s somewhere on the internet wrapped in byuctf{...}. We noticed that a guy named “Sam” was mentioned, so we guessed that we could find him leaving a review of the place on some platform.

We checked the following platforms: Yelp, Google Reviews, TripAdvisor, AllTrails. Yet we couldn’t find a recent reviewer by the name of Sam. Luckily, one of my team members searched for “Bouldering Lizard’s Mouth” (based on the challenge name) and happened to stumble across this website:

Bouldering Website

The Lizard's Mouth on Mountain Project

We scrolled down to the “Reviews” section and found this:

Bouldering Comments

Hey, look! A Sam! Let’s check out their profile:

Samuel Profile

The flag is byuctf{ju5t_5end_1t_br0_v8bLDrg}.


Squatter's Rights 💦

solvers:
- enscribe
- sahuang
genre: osint
points: 489
files: geoguesser.png
Somehow, somewhere, something in this picture has a flag, but my friend Blue Orca won’t tell me where it is!!!! Can you help me??

geoguesser.png

Hey, look! Another Google Lens problem! Although there are a lot of blue water towers out there, I luckily stumbled across one that looked really similar in Flint, Michigan:

Going to the webpage, it mentions that this water tower is in “Genesee County. Mid Michigan.”, so with a quick Maps search I stumbled across the “Wyatt P. Memorial Water Tower”:

This is where the rabbit hole begins. I looked around the reviews section of this place and found the absolute weirdest, most hilarious reviews of all time:

In all my days, I have never seen such a magnificent water tower. Being in its presence has given me powers beyond comprehension. I have mastered flight in the downward direction. I have 100% recall of events that happened to me in the last 5 minutes. I have also discovered I am completely invisible when no one is looking. This water tower has changed my view of who I am, and my ultimate potential.

- Robert Skouson

This guy even claims it to be holy water:

This water from Wyatt P. Memorial Water tower has changed the way I see water, and drink it. Every time I see this water tower, it makes me want quality water. Forget Poland Spring or Fiji. This is quality water! You know how in the Book of John Chapter 2, the Savior Jesus Christ turned water into wine? Well he actually turned already good wine to water from Wyatt P. Memorial Water tower.

- Nicholas Martinez

This one might be my favorite:

Professionally speaking as a water tower enthusiast, this has to be one of the best water towers that I’ve ever visited and I’ve visited thousands. The divine structure of the 10 legs leading to the plumply, robust water basin is enough to get any man excited. The satisfying twang as you bang the side wall sends shivers down even the most hardened of souls. Never before has such a feat been attempted and accomplished. Truly this should be the EIGHTIETH WONDER OF THE WORLD.

- McKay Lush

I actually stumbled across the person it’s named after, Wyatt Pangerl, and I was super curious as to what the hell was going on:

Wyatt

So I opened a ticket. Turns out, this Wyatt guy, a member of their team, managed to get the water tower named after himself after a series of divine, godlike social engineering strategies (presumably aimed at the county) and exploitation of the Squatter’s Rights law in California. He also claimed the location on Google Maps and put his burner phone number there as well, which we called (he didn’t pick up). When I found his Facebook (will not disclose), I saw a multitude of his friends commenting hilarious crap, calling him “ICONIC.” and a “LEGEND.” for managing to make it happen.

Yet, there was no flag.

I continued to look around and managed to fall deeper into the rabbit hole, OSINTing everything from the model of Wyatt’s car, a Chrysler Crossfire 2006 (🤣), to where his parents file taxes… I even managed to get an award from a head admin for being a dumbass:

Award

Then, while on the go, I checked the location on my phone… And look what we’ve got:

Apparently for whatever stupid, scatter-brained, vapid, moronic reason this “From the owner” section isn’t on Google Chrome. Screw you Wyatt, and your majestic, plump, baby-blue water tower. The flag is byuctf{h0w_d1d_1_st34l_4_w4t3r_t0w3r}. Once again, screw you Wyatt. I hope your taxes are messed up forevermore.

Edit (06/02/22): This “From the owner” section is available on Desktop Google Chrome, but only accessible if the knowledge panel is visible, which wasn’t the case for me.


Okta? More like OhNah 💾

solvers:
- Battlemonger
- enscribe
genre: osint
points: 490
Recently, the group known as LAPSUS$ released indications they breached Microsoft & one of the Largest SSO companies, Okta. In some of their leaks they hinted that "most of the time if you don't do anything like __, you won't be detected".
Flag format: byuctf{answer:timestamp in format HH:MM}, two word answer separated by an underscore.

Looks like a challenge regarding an infamous hacking group. Seeing that the flag asks for a timestamp and the language is pseudo-colloquial, I’d safely assume that this text came from a messaging board somewhere. I downloaded Telegram, their main method of communication with the real world, and joined their announcements channel, yet a Ctrl + F couldn’t find this message anywhere. Their channel mentions a group chat, but it was recently purged and terminated. When the admin confirmed that this wasn’t the intended solution, I moved on to looking for screenshots surrounding the Okta leak. Our team found this tweet from John Hammond after a while:

The flag is byuctf{port_scanning_11:22}.

A hint was later added to the challenge:

think screenshots! it is not on telegram but another platform with that same first letter. tweeted by a famous red head i think

Would have been easier. Love you, John Hammond.


Murder Mystery 🧢

solver: Battlemonger
genre: osint
points: 499
While searching for secrets of the past, you find a scrap of paper that contains the following information:

0110111001110010011010000111000001101001011001000100110001001011110100001111
June 29, 1902

Because you’re great at OSINT, you trace this information back to a famous inscription. What is that inscription?
Flag: byuctf{inscription_with_underscores}
Note: the flag will not include the name or dates found in the inscription.

Instantly, we moved to CyberChef for the binary conversion, and it resulted in nrhpidLKÐ. We thought it was garbage at first, until a teammate noticed “NRHP ID” within the string, which refers to the National Register of Historic Places. Since there’s also a historic date in the description, we could immediately conclude that this was the correct path to take. We isolated the remaining bits after “nrhpid” and converted them to decimal instead: 80002319.
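Carrying the same conversion through in code, as an added example that is not part of the original writeup: split the bit string into 8-bit groups the way CyberChef does (which is what produces the stray Ð and hides the four leftover bits), then cut after the “nrhpid” crib and read everything after it as one big-endian integer. The bit string is the one from the challenge; the function names are my own.

```python
# Added example (not from the writeup): reproduce the CyberChef conversion and
# then peel the NRHP ID off the end of the bit string from the challenge.
BITS = ("0110111001110010011010000111000001101001"
        "011001000100110001001011110100001111")  # 76 bits, from the scrap of paper


def from_binary(bits: str) -> tuple[str, str]:
    """Mimic CyberChef's 'From Binary': every full 8-bit group becomes one
    character (0xD0 shows up as 'Ð'); the bits that do not fill a byte are
    returned separately instead of being silently dropped."""
    full = len(bits) // 8 * 8
    chars = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, full, 8))
    return chars, bits[full:]


def split_on_crib(bits: str, crib: str) -> tuple[str, int]:
    """Treat the first len(crib) bytes as ASCII text and the rest of the bit
    string as a single big-endian integer. Raises if the crib is not there."""
    cut = len(crib) * 8
    prefix, _ = from_binary(bits[:cut])
    if prefix.lower() != crib.lower():
        raise ValueError(f"expected crib {crib!r}, decoded {prefix!r}")
    return prefix, int(bits[cut:], 2)


if __name__ == "__main__":
    text, leftover = from_binary(BITS)
    print(repr(text), "leftover bits:", leftover)   # 'nrhpidLKÐ' leftover bits: 1111
    label, nrhp_id = split_on_crib(BITS, "nrhpid")
    print(label, nrhp_id)                           # nrhpid 80002319
```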

Following the trail for NRHP ID 80002319, we found an UpWiki page about the “Jesse James Home Museum”, which is the location registered under this ID.

When we looked up “jesse james famous inscription”, we found a Smithsonian Magazine page that photographs Mr. James’ grave:

Removing the dates and names as the description specifies, the flag is byuctf{murdered_by_a_traitor_and_coward_whose_name_is_not_worthy_to_appear_here}.


Buckeye Billy Birthday 🎂

solvers:
- Battlemonger
- sahuang
- enscribe
genre: osint
points: 500
Buckeye Billy, our lovely, nutty, history loving friend, has a birthday coming up! Billy is as cryptic as can be, and we have no idea what to get him for his birthday. We did find three hints written on his desk. Can you help us find where we should buy a gift from?
Hint 1 Hint 2 Hint 3
format: byuctf{storename}

I took a look at the three hints, and they were Wordle games that resulted in WATER, CALLS, and PROBE. Since we were looking for a shop (meaning a location), we immediately turned to what3words and stumbled across this location in Charlotte, Ohio:

Water Calls Probe

We tried a couple of stores around the area to no avail, until an admin told us in a ticket that we were in the wrong place. So we decided to try out the various permutations of water, calls and probe:

what3words address      Location
///water.calls.probe    Charlotte, North Carolina
///calls.water.probe    Detroit, Michigan
///probe.water.calls    Houston, Texas
///water.probe.calls    Cincinnati, Ohio
///calls.probe.water    Albuquerque, New Mexico
///probe.calls.water    Eastbourne, London

Most of them were bogus except ///water.probe.calls, which was on E. McMillan St, Cincinnati, Ohio. We assumed it was correct (and admin later confirmed) because the nickname “Buckeye Billy” comes from the fact that he loves the Ohio State University Buckeyes football team. (Bonus: The Ohio Buckeye is a type of nut, and the description says that he is “nutty”). Our teammate somehow connected “history-loving” to old stores in Cincinnati, Ohio, and upon a Google search we found:

Graeters Google Search

The flag is byuctf{graeters}. This was a guessy challenge, so don’t feel dumb. I felt dumb too.


Buckeye Billy Blabbin' 💬

solvers:
- Battlemonger
- enscribe
genre: osint
points: 500
Buckeye Billy discovered social media. And probably posts too much. Try to see what you can find. for this problem and others!
Flag will be completely visible once solved! You will see byuctf{}.

Step 0 is to find his social media account, which we did by searching “Buckeye Billy” on Twitter:

Buckeye Twitter

We scoured his Twitter account on the Wayback Machine for it to no avail (and even found some deleted stuff from a previous internal CTF).

I slowly began to despise him… that Buckeye Billy. That stupid, perfectly circular nuthead with the even stupider BYU sombrero. We gave up on the challenge and I cried to the admin until he got annoyed and agreed to post a global hint:

the more billy tweeted about something, the more of a hint it might be. The flag is on his account someplace.

He tweeted a lot about song lyrics:

We decided it would be best to create a list of songs, in addition to counting occurrences of topics he discussed (for brainstorming purposes). We ended up with this list:

Occurrences List

Hey, check that out in the Songs list. “3 Words”, “One Place”, “Greater”, “Ice Cream”? That sounds a lot like our previous challenge, Buckeye Billy Birthday. Looks like these were meant to be solved in tandem. By the same logic, “Man in the Mirror” and “Magic Mirror” were also hints, and we found a tweet of Billy posing in front of a mirror with a BYU hat. Not coincidentally, this is the only mention of BYU in his entire profile (I believe):

My team used steganography tools on this image, and lo and behold:

Flag in Steganography Analysis

The flag is byuctf{[email protected]_0sinty_t0_m3}. Also an extremely guessy challenge. Screw you, Buckeye Billy. And Wyatt too, if you’re reading.


43 🎼

solvers:
- Battlemonger
- enscribe
- neil
genre: osint
points: 500
It’s at your fingertips!! Who made this code?
S fsu om yjr aogr 3"45`
format: byuctf{blank_blank}

Looks like something the DCode Cipher Identifier could figure out:

dCode's analyzer suggests to investigate:
Keyboard Shift Cipher ■■■■■■■■■▪
Substitution Cipher ▪
Shift Cipher ▪
Homophonic Cipher ▫
ROT Cipher ▫

I threw it into their Keyboard Shift Cipher and got this:

qwerty → A day in the \ife 2:34
qwerty ← D gdi p, ukt spht 4A56
qwerty ↓↻ W va7 ln ume slf4 e:v6
qwerty ↑4 S fsu om yjr aogr 3_45
qwerty ↓4 S fsu om yjr aogr 3{45

“A Day in the Life” is a song by the Beatles (a fascinatingly good one too), and I took a look at the decoded timestamp 2:34 in the music video:

Beatles video

Although I couldn’t find who the person in the timestamp was, someone in the comments named the individuals at timestamps:

Comments

Nesmith

The guy at 3:31 is the same as the guy at 2:34, so it’s Michael Nesmith from the Monkees.

Looking up “Monkees 43” on Google, we discover that there’s actually an old website called monkeesrule43.com.

This is where you guess all the names of the Monkees. Not sure of the logical thought process yet. Flag is byuctf{micky_dolenz}.

Edit (06/02/22): The intended solve was to look at monkeesrule43.com. In their FAQ page, Question 13 asks:

13.) What does the weird writing on Micky’s page of the Monkees’ 2001 summer tourbook mean?
-Micky’s page is written in a computer keyboard code. Each letter written stands for the letter to the left of it on a computer keyboard. For example, “Zovlu” means Micky & “Jo!” means Hi!
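The tourbook’s rule, written out as a decoder and its matching encoder, as an added example that is not from the writeup, dCode or the Monkees site. It assumes a US QWERTY layout, that letters wrap around within their row (so z becomes m, which “Zovlu” → “Micky” requires), that the digit and quote keys shift too (which is what turns 3"45 into 2:34 in dCode’s output), and that unmapped characters and keys at the left edge of a non-letter row pass through unchanged.

```python
# Added example (not from the writeup): "each letter stands for the letter to
# the left of it on the keyboard", i.e. the qwerty -> shift dCode recovered.
LETTER_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
OTHER_ROWS = ["1234567890-=", ";'", ':"']   # digits plus the quote keys, so '"' -> ':'
CHALLENGE = 'S fsu om yjr aogr 3"45`'     # the string from the challenge description


def _shift(ch: str, step: int) -> str:
    """Move ch one key to the left (step=-1) or right (step=+1)."""
    low = ch.lower()
    for row in LETTER_ROWS:
        if low in row:
            out = row[(row.index(low) + step) % len(row)]   # letters wrap within the row
            return out.upper() if ch.isupper() else out
    for row in OTHER_ROWS:
        idx = row.find(ch)
        if idx != -1 and 0 <= idx + step < len(row):      # no wrap for non-letters
            return row[idx + step]
    return ch   # space, unmapped punctuation and edge keys are left unchanged


def decode(text: str) -> str:
    """Ciphertext -> plaintext: every key becomes the key to its left."""
    return "".join(_shift(c, -1) for c in text)


def encode(text: str) -> str:
    """Plaintext -> ciphertext: every key becomes the key to its right."""
    return "".join(_shift(c, +1) for c in text)


if __name__ == "__main__":
    print(decode(CHALLENGE))          # A day in the life 2:34`
    print(decode("Zovlu"), decode("Jo!"))   # Micky Hi!
    print(encode("A day in the life 2:34"))   # S fsu om yjr aogr 3"45
```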

Damn you, Micky.