Skip to main content

Back on The SEINT's trail - 2023 OSINT Challenge

 


Last year, I had a lot of fun working through The SEINT's 2021 OSINT challenge, which you can read about here. Then, via Sector035, I heard that The SEINT had published a new challenge, which you can find on this GitHub repo. The challenge simply involves opening a nested series of zipped files, with the password for each zip being an MD5 hash of the answer to the previous level.

In order to get us going, The SEINT says that the password for the first zip is the MD5 hash of the word dive. As we are going to be hashing a number of words, it is worth keeping a browser tab open with CyberChef running in it. 

SPOILER ALERT!

If you want to have a go at solving The SEINT's puzzle yourself, please DON'T read on here, as this is obviously heavily spoilered. 

Yes, some images still have Metadata!

The first level of the zip file contains four files. One of these is the password-protected zip for the next level, and one is a hint; we will be trying not to use hints.

We are then left with an image file, and a text clue:

step1.txt: Let's go on a trip again! But where shall we start? I found this postcard from long ago and the view looks promising. But where was this photo taken? Can you help me geolocate the place? In the nearby town, there was a really big event several decades ago. This event had a logo with something very special to the surrounding area on it.

The key to the next step is the MD5 hash of the latin name (written in lowercase without spaces) of this special thing, depicted on the logo.

With the source of so many of our OSINT images being social media tools that strip metadata, it can be tempting to skip this step when trying to find where an image was taken. Also, with the advent of AI tools, it is becoming much easier to determine where images were taken. For example, GeoSpy, a tool currently in beta, made a pretty good guess from The SEINT's admittedly blurry image above, at least getting the country right: Norway.

Unfortunately, that's not close enough to progress the clue, but The SEINT kindly left EXIF data in the image, which can be uncovered with a number of online tools; I used this one at jimpl.com. This helpfully provides the GPS co-ordinates where the photo was taken: 61° 5' 39.57" N, 10° 26' 6.47" E.

This puts us on Lake Mjosa in Norway, opposite a town called Lillehammer. If you're not an old-timer like me, you may need a little Googling to determine that Lillehammer was the host of the Winter Olympics in 1994. I'm not aware of a Latin name for the Olympic rings, so I wondered if there was a bit more to this clue. I did know that each Olympic event has its own emblem and mascot(s), and a bit of searching got me to the official Olympics page for the Lillehammer event, where the special emblem can be seen:

It wasn't immediately obvious what the symbol meant, but thankfully it's explained on the official page:

[The emblem] is composed of a stylised aurora borealis (Northern lights), the five Olympic rings, snow crystals and the title, "Lillehammer '94". The emblem is a development of the aurora borealis symbol used during the candidature phase. It was inspired by contact with nature, the sky and snow. The aurora borealis is a natural phenomenon due to the northerly position of Norway. It has associations of power, great tension and dramatic spectacle. The main colours of the emblem are cobalt blue and white.

Aurora Borealis is already Latin, so paying attention to the instructions for what to hash, I soon had the zip for step 2 open...

Step 2

Here's what The SEINT has for us next:

So you found the location of the Norwegian town, good. But where to next? 

Let's see, what is this strange code here: 4KDB1677355222? Is it a database of 4K images? Or a date? Or something else? Where can it lead us?

Once you can link this code to a certain place, I will be waiting for you in the nearby café and having the best squares in the world. 

As strange as it may sound, you task is to find out what are my squares made of. To uncover the next step, make a hash of the name of the ingredient, written in lowercase.

Bon appetit!

I'm afraid I'm a bit in the dark on this one. A Google search of the term 4KDB1677355222 simply takes us to Rarotonga Airport in the Cook Islands, but I couldn't tell you why. Even Bard doesn't seem to recognise the format, and it was a Google result that got me to Rarotonga! Maybe this is mystery for The SEINT to clear up?

Anyway, a Google search of rarotonga airport café squares gives us a nice snippet about Café Jireh that answers the question. The Cook Islands seem a long way to go for custard squares, so they must be fantastic!

Step 3

Here's the next clue:

Those custard squares were the best! Now it's time for a giant leap over the water and some historical lookup. On October 13th, 2012, something really big happened. It was so big, that it took two days to move it. There was also a strong car involved in the movement. 

Can you find out the make and model of this car?

The answer, that will lead you to the next step, is the hash of the make and model of the car, written in lowercase without a space, like this: chevroletcorvette

Don't forget to make a hash of it.

For some reason, I seemed to remember that Wikipedia has a page of notable events for every(?) day in history, including October 13th, 2012 (I just Googled wikipedia October 13th, 2012). Halfway down the page, this looked promising:

The BBC article referenced on Wikipedia doesn't mention the make and model of the vehicle, but searching for vehicle that towed Endeavour was very helpful!

Not surprisingly, Toyota have featured the event in their marketing material, and the make and model were enough to help me move forward!

Step 4

Ah, this was an enormous endeavour! So now we will need some rest. It won't be far from the last spot. Let's go to see a sign with four missing letters nearby. We have to be there on the same day and month, on which the first photo of the first writeup for my 2022 CTF was last modified (in case it's not available, look at the first hint).

Stand on the last remaining letter of the big sign exactly at the time, mentioned in the song, that Mick and Keith wrote and released in 1997. Then, look in the direction the sun is currently shining from. In the distance, about 700 meters from you, there is a very important animal, a guardian of the vicinity.

The name given to that animal (not the species, but his first name), written in lowercase and turned into a hash, is the key to the next step.

This is a fairly 'chunky' clue, so let's break it down into chunks!

We know from our previous clue that we're in Los Angeles. The most obvious 'sign' in Los Angeles is the "HOLLYWOOD" sign, and when it was first installed, it was called "HOLLYWOODLAND":

The above image comes from the Wikipedia article on the Hollywood sign.

I was unable to work out when the first image on the first write-up of The SEINT's 2022 CTF was updated (I'm not registered on GitLab for one thing), so I had to rely on my first hint, in step4-hint.txt: "In case the first writeup is not available, the date is: December 28th, 2022."

So now I had my date, what about the time?

'Mick and Keith' is a reference to the Rolling Stones, and a search for rolling stones discography 1997 leads you to the album Bridges to Babylon, which only had one single released, Anybody Seen My Baby? The lyrics to this include a time in the refrain:

Close my eyes
It's three in the afternoon
Then I, I realize
That she's really gone for good

So, now all we need to know is what direction the sun is at 1500hrs on 28th December 2022! Luckily, there is a tool for that, Suncalc! this site will show you the location of the sun and moon for any date and time, at any location on earth, and following this link will show you how the correct location, date and time:

About 700 metres away, in the direction of the sun, is the Innsdale Trailhead, where we find our guardian animal, whose name can just about be made out...

Hashing that name opens Step 5, which I'll begin with in my next post!