new ctf writeup

_posts/2024-07-09-DownUnderCTF_2024.md

@@ -0,0 +1,278 @@
+---
+title: "DownUnderCTF 2024 Writeup (feat. OSINT)"
+date: 2024-07-09
+description: DownUnderCTF 2024 Writeup
+tags: ['CTF']
+mathjax: yes
+toc: yes
+last_modified_at: 2024-09-06
+---
+
+<script type="text/javascript" async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.3/MathJax.js?config=TeX-MML-AM_CHTML">
+    MathJax.Hub.Config({
+        tex2jax: {
+            inlineMath: [["$", "$"], ["\\(", "\\)"]],
+            processEscapes: true
+        }
+    });
+</script>
+
+<font size="4">
+<p> 
+I played DownUnderCTF with b01lers. I joined late because I was busy with my internship. By the time I was able to jump in, all the low-hanging fruits were taken by my teammates. Then I noticed that no one was actively working on OSINT challenges, so I decided to "try something new" just for the fun of it: be the OSINT guy for the team for this CTF. 
+</p>
+
+
+<p>It looks like the <a href="https://play.duc.tf/">CTF website</a> has been taken down. <a href="https://ctftime.org/event/2284">Click this</a> for the CTFTime event page. </p>
+
+
+</font>
+
+##### cityviews
+
+<blockquote>
+<font size="3">
+<p>After having to go on the run, I've had to bunker down. Which building did I capture this picture from? NOTE: Flag is case-insensitive and requires placing inside DUCTF{}! e.g DUCTF{building_name}</p>
+</font>
+</blockquote>
+
+<details>
+<summary><font size="4"><code>cityviews.jpeg</code> (Click to expand)</font></summary>
+<center>
+<img src="/image/downunder_2024/cityviews.jpeg" width="100%" height="100%">
+<p></p>
+</center>
+</details>
+
+<font size="4">
+<p></p>
+<p>Behind this building, there is this billboard which seems to be put up by a broadcasting service. </p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/1.png" width="70%" height="70%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>Using Google image search, I was able to identify that this is from a radio broadcaster in Australia called 3AW Melbourne. </p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/2.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>There are LOTS and lots of buildings around 3AW Melbourne apparently. For simplicity, I assumed that the billboard is located right on top of the 3AW Melbourne building. Based on the direction of the picture taken and (rough estimation of) the distance to the building, it is likely that the picture was taken somewhere around these spots. </p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/3.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>The bottom circle is a more plausible option because the building on the left looks like the building that was right in front of the billboard (in the original picture).</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/4.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>Even more convincingly, on the right, we see exactly the same type of windows and signs as the one on the original picture:</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/5.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>And the building in front of that building is:</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/cityviews/6.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>... Hotel Indigo!</p>
+</font>
+
+<center>
+<iframe src="https://www.google.com/maps/embed?pb=!4v1725610776118!6m8!1m7!1si-0FWAkpINClhzgGPIkdUA!2m2!1d-37.82007383841248!2d144.9547022501021!3f353.36775164366975!4f32.978446624891774!5f0.7820865974627469" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>
+</center>
+
+<font size="4">
+  <p><b>Flag: <code>DUCTF{Hotel_Indigo}</code></b></p>
+</font>
+
+
+##### bridget lives
+
+<blockquote>
+<font size="3">
+<p>After dropping numerous 0days last year Bridget has flown the coop. This is the last picture she posted before going dark. Where was this photo taken from? NOTE: Flag is case-insensitive and requires placing inside DUCTF{}! e.g. DUCTF{name_of_building}</p>
+</font>
+</blockquote>
+
+<details>
+<summary><font size="4"><code>bridget.png</code> (Click to expand)</font></summary>
+<center>
+<img src="/image/downunder_2024/bridget.png" width="100%" height="100%">
+<p></p>
+</center>
+</details>
+
+<font size="4">
+<p></p>
+<p>Since this bridge is the main character here, we do Google image search on this bridge. It turns out this is a bridge in Singapore name either Jiak Kim or Robertson. Checking both of them manually, Robertson bridge looks much closer to the bridge in the picture.</p>
+</font>
+
+<center>
+<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d546.1217425017994!2d103.83578061442327!3d1.2921885137556175!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x31da199d9c10e219%3A0xa072367212286f4f!2sJiak%20Kim%20Bridge!5e1!3m2!1sen!2sus!4v1725610681925!5m2!1sen!2sus" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>
+</center>
+
+<center>
+<iframe src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d442.7679863790809!2d103.83645427712824!3d1.2899483568500871!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x31da199cf1158809%3A0x81101a379374cae9!2sRobertson%20Bridge!5e1!3m2!1sen!2sus!4v1725610633300!5m2!1sen!2sus" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>
+</center>
+
+<font size="4">
+<p></p>
+<p>It is pretty clear that the picture was taken from this tall building at the bottom of this map.</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/bridget/2.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>You are now about to have hard time choosing what to eat for lunch. There are so many restaurants in this building, but at least based on this picture, Four Points Eatery seems to be the only one facing the bridge. And that was indeed the answer!</p>
+</font>
+
+
+<font size="4">
+  <p><b>Flag: <code>DUCTF{Four_Points}</code></b></p>
+</font>
+
+<font size="4">
+<p></p>
+<p>IIRC it was not accepting <code>DUCTF{Four_Points_Eatery}</code> as the correct answer, for some reason.</p>
+</font>
+
+
+##### they're making decoys
+
+<blockquote>
+<font size="3">
+<p>The Sergeant from Clarence asked one of the Corporals to patrol for Emus to keep the our fresh troops on their toes and maybe scare some discipline into them. They headed out to an area with lots of sightings reported though they never made it back. Some of the last images uploaded showed what looked to be the enemy, though it turned out to be decoys. These broom heads are getting clever. I'm guessing we're not getting the camera equipment back... Find the location (lattitude, longitude) of this area rounded to 4 decimal places and wrap it in DUCTF{}, e.g. DUCTF{-25.3445,131.0354}</p>
+</font>
+</blockquote>
+
+<details>
+<summary><font size="4"><code>decoys.png</code> (Click to expand)</font></summary>
+<center>
+<img src="/image/downunder_2024/decoys.png" width="100%" height="100%">
+<p></p>
+</center>
+</details>
+
+<font size="4">
+<p></p>
+<p>This problem was the problem that made me wanted to make this writeup, actually. It took me a long time, TBH it was pretty annoying but was also quite interesting to solve. </p>
+</font>
+
+<font size="4">
+<p></p>
+<p>Using the same technique as the previous two problems (Google image searching the interesting part) will not get you anywhere for this one; if you don't trust me, you are more than welcome to waste your own time by trying it yourself.</p>
+
+<p>The challenge description says <i>Sergeant from Clarence</i>. This gives a little bit of a red herring because this led me to spend an hour 'investigating' the town Clarence, NSW on Google Maps. It actually was meant to lead you to Google search "Clarence emu" which returns the "<a href="https://www.clarenceconversations.com.au/coastalemus/maps/coastal-emu-sightings-map">Coastal Emu Sightings Map</a>" by "Clarence Conversations."</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys/1.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>Challenge description says "<i>lots of sightings reported</i>" so our attention should be at the region where "lots of sightings" were reported, literally.</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys/2.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>And it looks like the most sightings were at around Taloumbi, along Brooms Head Rd. That is a pretty long road to recon on your own. Let's take a look at the original picture given as a part of the challenge.</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys/3.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>That is a pretty large region to recon on your own. But don't get desolate too fast. Let's take a look at the original picture given as a part of the challenge.</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>Our desired location is right next to the road, most likely Brooms Head Rd, and is somewhere where there is a thin line of trees, which is a-large-field-of-grass apart from a forest. Based on this, we can narrow the regions down:</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys/4.png" width="100%" height="100%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>(I have no clue whose "Home Sweet Home" that is, but if you are reading this: congratulations, you are being advertised for free on my blog.)</p>
+<p>Also, take a look at this part of the challenge picture:</p>
+</font>
+
+<center>
+<img src="/image/downunder_2024/decoys/5.png" width="40%" height="40%">
+<p></p>
+</center>
+
+<font size="4">
+<p></p>
+<p>Unless you believe a tree can levitate itself and/or branches can be totally disconnected from the trunk, it looks like this picture was made by combining two discontinuous pictures together. Hence, to me this was a sign that this picture was taken directly from Google Street View. This gave me a hope that going through all these regions manually should worth it in the end. And it turns out (albeit painful) I was right! It was actually within the fifth circled region (the closest one from the "Home Sweet Home").</p>
+</font>
+
+<center>
+<iframe src="https://www.google.com/maps/embed?pb=!4v1725610416244!6m8!1m7!1snW02AeqGuTEngxlC1zlXUA!2m2!1d-29.55058871274417!2d153.2776739907438!3f177.08744573775834!4f-1.9241737287706115!5f0.7820865974627469" width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>
+</center>
+
+<font size="4">
+<p></p>
+<p>The coordinate is (-29.5505887,153.277674), which we can round it up as (-29.5506, 153.2777).</p>
+</font>
+
+
+
+<font size="4">
+  <p><b>Flag: <code>DUCTF{-29.5506,153.2777}</code></b></p>
+</font>