This is a walkthrough of an OSINT CTF set by The SEINT in a GitHub repo you can find here. Unless there are any surprises later on, each stage is nested inside a zip archive that is unlocked by solving the previous stage (like a matryoshka doll, hence the cover image). Each layer is password protected, the password being an MD5 hash of the previous stage's answer. You can see how we solved Step 1 in my previous post.
WARNING: Obviously there are spoilers in this series; they are a walkthrough after all!
STEP 2 - The Day The Music Died
Opening step2.zip, we find two text files:
- step2.txt
- step2 - hint.txt
Let's see how we get on without the hint, shall we?
Opening step2.txt, we find a 'treasure hunt' style of clue:
---
The name of the place from the previous task is a name of a song by American singer and songwriter. The lyrics mention something that happened several years before the song was released. In the place the lyrics refer to, there is a little structure made of three similar elements. What are the second and third word mentioned on that particular part of the monument, as well as on a pole standing nearby, a little to the right of that monument?
The password to the next step is the MD5 hash of the answer (use small letters only and separate the words with a space before making the hash).
---
The first step of the clue is solved with either general knowledge, a browse through your Spotify library if you're as old as me, or a simple Google search like "American Pie song lyrics". Without getting into copyright issues and republishing the lyrics here, it's clear the song is about "the day the music died". What event could that possibly be?
Google to the rescue once more, and we soon end up at a Wikipedia article that explains that "the day the music died" is the day in February 1959 that Buddy Holly, Ritchie Valens, and "The Big Bopper" J. P. Richardson were killed in the same plane crash, along with their pilot.
Our clue goes on to tell us we need to find a monument at the spot of the crash, made of three similar elements. Here again, we're in Google, this time with an image search:
The circled image elements are clearly what the clue is referring to, and thankfully there are a couple of images that are large enough to zoom in on the relevant disc ("the second and third word"):
So we appear to have our answer, "Peggy Sue". However, an important part of OSINT is verification. The internet is full of stories of suspects being misidentified by over-eager amateur sleuths who don't take the trouble to verify their theories. The SEINT has given us a way to verify the answer (besides simply trying the hash), which is to see if the name is also found on "a pole standing nearby, a little to the right of that monument".
Sadly (but handily from a research point of view), "Buddy Holly crash site" is a named place on Google Maps, and we have a recent Street View 360 of the memorial. Sure enough, a pole can be seen to the right of the monument, and we can zoom in on that (tip: Zoom in and out of Street View images with your mouse wheel):
Sure enough, we've got our confirmation:
Sure enough, hashing 'peggy sue' gets us our password for Step 3!
STEP 3 - Hawaii
Opening step3.zip, we find a familiar format...:
- step3.txt
- step3 - hint.txt
Once again, let's try not to use the hint. Opening step3.txt, we find a 'treasure hunt' style of clue:
---
The word written on the monument from the previous step - Coral - was the same as the name of the organisms that can be found in Hawaii for example. Among these islands there is a luxury resort named after the wife of a mythical Hawaiian fisherman and navigator. In the northern side of that resort there is a part of a beach which has its own name. On that beach, there is a large warning sign with different kinds of Cautions and warnings. What kind of animal is the first caution phrase warning about? What is its Latin scientific name?
The password to the next step is the MD5 hash of the answer (use small letters only before making the hash).
---
Once again we're off to Google. It's worth breaking down, at least mentally, what the distinct elements are, as searching on the whole paragraph isn't going to get us anywhere. Here's how I broke it down, and the order I searched:
The word written on the monument from the previous step - Coral - was the same as the name of the organisms that can be found in Hawaii for example. Among these islands there is a (3) luxury resort named after (2) the wife of a (1) mythical Hawaiian fisherman and navigator. In the (4) northern side of that resort there is a (5) part of a beach which has its own name. On that beach, there is a (6) large warning sign with different kinds of Cautions and warnings. What kind of animal is the first caution phrase warning about? What is its Latin scientific name?
Search 1 got me to Hawaiʻiloa, and "wife of Hawaiʻiloa" returned Hualalai. Searching for "Hualalai resort" was a hit, and Google kindly provided the following map card on page one of the results:
Could we have got lucky? North of the resort is a beach named Kumukea Beach, so let's see if Google has any images of a sign in Google Maps. Sure enough, we're soon at the following:
And zooming in on the sign, we find the first animal we're warned about:
As we all know (yeah, I looked it up), the Man-O-War is a jellyfish, whose Latin name is Physalia Physalis. So it's off to CyberChef again, and we have our hash for Step 4!
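The hashing step used for Steps 2 and 3 can also be scripted instead of done in CyberChef. The following is an added example, not part of the CTF or the original walkthrough: it applies the clue's normalisation rule (small letters, single spaces), takes the MD5, and tries each candidate wording against the next archive. The function names and the candidate spellings are assumptions. Python's zipfile only decrypts legacy ZipCrypto, so an archive encrypted another way raises NotImplementedError, which is left to propagate.

```python
import hashlib
import zipfile
import zlib


def stage_password(answer: str) -> str:
    """Apply the clue's rule: small letters, single spaces, then MD5 (hex)."""
    normalized = " ".join(answer.lower().split())
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


def find_answer(zip_path, candidates):
    """Return (answer, password) for the first candidate wording that opens
    the archive, or None if none of them does."""
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        # Bit 0 of the general-purpose flags marks an encrypted member. Without
        # this check an unprotected archive would "accept" any password.
        if not members or not all(m.flag_bits & 0x1 for m in members):
            raise ValueError("archive is not password protected")
        probe = min(members, key=lambda m: m.file_size)
        for answer in candidates:
            password = stage_password(answer)
            try:
                # A full read also runs the CRC check on the decrypted data.
                zf.read(probe, pwd=password.encode("ascii"))
            except NotImplementedError:
                raise  # unsupported encryption or compression; not a bad guess
            except RuntimeError:
                continue  # zipfile reports "Bad password" as RuntimeError
            except (zipfile.BadZipFile, zlib.error):
                continue  # wrong key that slipped past the 1-byte header check
            return answer, password
    return None


if __name__ == "__main__":
    # Constructed candidate wordings for the Step 3 answer (assumptions).
    for guess in ["physalia physalis",
                  "jellyfish physalia physalis",
                  "man-o-war physalia physalis"]:
        print(stage_password(guess), guess)
```

Trying several wordings matters because the clue does not say exactly how a two-part answer should be written, and a single extra word changes the whole hash.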
What have we learned so far?
In the first three steps, all we've done in terms of OSINT relates to images and search. Regarding images, the two main initial approaches to an image are to try a reverse image search, and examine its metadata. There are lots of other things we can do to extract information from images, but these are the bread-and-butter. You can find a good introduction to those approaches here. And OSINT Framework maintains links to image search and metadata tools:
The other tool we have used so far is search. It is key to OSINT to be able to use search engines well, and there are dozens of tutorials on advanced search which you can find by, er, searching. Or you could start with one of these:
A key thing to remember, especially when we're searching for something a little more difficult than the puzzles we've had so far (no offence), is that not all search engines provide the same results. So it's well worth repeating searches on more than one search engine, or using a meta search engine like Carrot². And the information you're looking for may not be on Page 1 of the results; patient digging is often needed!
Cover Image courtesy cottonbro from Pexels