palliative

Feb 22, 2021


ASPIRE #2 OSINT WRITE-UP

INTRODUCTION

On 17th February 2021, e-Kraal released OSINT challenges as part of their weekly Aspire CTF. dark_mendes22 and I decided to take on the challenge to refresh our OSINT skills; here is our write-up.

Resources used:

1. ExifTool

2. Social media (Facebook, Twitter)

3. https://www.blockchain.com/explorer

4. https://www.walletexplorer.com/

5. https://www.bitcoinabuse.com/

6. Yandex reverse image search

7. https://tenders.go.ke/website

SOLUTIONS

1. IN THE NEWS — 1. (100 pts)

This challenge asks when the article was published. Searching for the article title in quotes (an exact-phrase search) returns several results. The original article was posted by Nation Media Group, but since it sits behind a subscription, we used an identical free copy at the URL below:

Reference: https://receive.news/10/14/2019/nmk-mum-as-strange-monument-crops-up-at-historic-site/

As the URL path itself shows (10/14/2019), the article was published on October 14th, 2019.

Flag format: Aspire{14–10–2019}

2. In the news — 2. Monument (50pts)

The same article states that the controversial monument was built at the Olorgesailie prehistoric site.

Flag format: Aspire{olorgesailie}

3. In the news — 3. Affiliation (50pts)

The article states that the organisation behind the project is the Organisation for Promoting Geoversal Civilisation.

Flag: Aspire{ORGANISATION_FOR_PROMOTING_GEOVERSAL_CIVILISATION}

4. In the news — 4. Event (50pts)

The article also names the event that the two organisations were involved in:

Flag format: Aspire{FIFTH_WORLD_CONGRESS_OF_THE_GEOVERSAL_CIVILISATION}

5. In the news — 5. Venue (50pts)

The same article gives the venue of the event as the Kenyatta International Convention Centre (KICC).

Flag format: Aspire{KENYATTA_INTERNATIONAL_CONVENTION_CENTRE}

6. COINS — 1 … (50 pts)

A quick search for this Bitcoin address on search engines and social media points to Tesla's CEO, Elon Musk. His posts have had a visible influence online, for instance driving engagement with Bitcoin and the Signal app.

Scammers exploit this by impersonating him in Elon Musk "giveaway" scams, which is where this address turns up.

Reference: https://twitter.com/malwrhunterteam/status/1361355410335289352

Flag format: Aspire{ELON_MUSK}

7. COINS — 2. Landing Page (50pts)

There are various tools that can help with OSINT investigations of cryptocurrencies such as Bitcoin and Ethereum.

Further reference: https://www.aware-online.com/en/osint-tools/cryptocurrency-tools/

To solve this, we use https://www.bitcoinabuse.com/; the abuse reports filed against this address point to https://musk-club.com as the scammer's website. Note that the challenge wants the domain name as the flag, not the full URL.

Flag format: Aspire{musk-club.com}

8. Coins — 3. Wallet (100pts)

We can find this with https://www.walletexplorer.com/, which clusters addresses into wallets and lists the transactions involving this BTC address.

The wallet that the address belongs to is displayed on the address page.

Flag format: Aspire{32bec965a6}

9. Coins — 4. Timeline (100pts)

This can be found by browsing the transaction history of the address on https://www.blockchain.com/btc/address/1BdAqLhjjdwAz3mA11ix7ejLpoE5fxZGcX?page=18 and going to the last page of the listing (page 18 at the time), where the earliest transaction, i.e. the first one received, is shown.

Flag format Aspire{2021–02–15–17–21}

10. Coins — 5. Activity (50pts)

To view the transactions of this BTC address, we use https://www.walletexplorer.com/ again.

In the list of transactions, the entries shown in red are outgoing payments to other BTC addresses. As of February 16th, 2021, this address had sent money three times, hence the flag below:

Flag format: Aspire{three}

11. Coins — 6. Sum (50pts)

To solve this, we use https://www.blockchain.com/. Searching for this BTC address shows the total amount sent as 6.10493955 BTC.

However, this total includes a transaction sent on 17th February, and the challenge asks for the amount as of 16th February 2021.

We therefore subtract the amount sent on 17th February (0.45453144 BTC) from the total sent; the difference is the flag. (Had the challenge been solved before that final transaction on 17th February, the total sent would have been the flag directly.) When reconciling like this, bear in mind that a block explorer's "total sent" for an address counts every output the address ever spent, which can include change paid back to the address itself, so cross-check it against the individual outgoing transactions.

Flag format: Aspire{5.64926}

12. Coins — 7. Paper Trail (50pts)

As stated earlier, this BTC address had sent money to three other BTC addresses as of 16th February 2021. We go back to the transaction records of this address on WalletExplorer: https://www.walletexplorer.com/wallet/32bec965a6ec17ba?from_address=1BdAqLhjjdwAz3mA11ix7ejLpoE5fxZGcX

Clicking each transaction ID shows the addresses to which this BTC address sent money.

The addresses are ordered from the latest to the earliest, hence the flag below:

Flag format: Aspire{bc1q2k0822fr77l5f045nvyktuae3n0dphp788g6xd_17VGTTtgKTfua9zBDEsD8H2jpZtwJMsAsG_1E7FQXAwqsi3uNuub5PcHB5hVzGxoKMJ8a}
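The steps in challenges 9 to 12 (first-received timestamp, counting and summing the outgoing transactions as of a cutoff date, and listing the recipients latest first) are one procedure over an address's transaction list. The Python below is an added example written for this write-up, not code from the challenge or from either explorer. It runs over a constructed sample ledger (hypothetical txids, addresses and amounts) and applies the same cutoff logic we did by hand, using Decimal rather than float for the BTC amounts so the satoshi digits stay exact:

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from decimal import Decimal

UTC = timezone.utc


@dataclass(frozen=True)
class Tx:
    # One ledger entry as seen from the address under investigation
    txid: str
    time: datetime      # block time in UTC; explorers display local time, so normalise before comparing
    direction: str      # "in" = received by the address, "out" = spent from it
    amount: Decimal     # BTC, positive; Decimal keeps the 8 satoshi digits exact, float does not
    counterparty: str   # the other address in the transaction


# Constructed sample ledger (hypothetical txids, addresses and amounts, not the challenge address's history)
SAMPLE_LEDGER = [
    Tx("tx-01", datetime(2021, 2, 15, 17, 21, tzinfo=UTC), "in", Decimal("0.50000000"), "payer-addr-1"),
    Tx("tx-02", datetime(2021, 2, 15, 19, 5, tzinfo=UTC), "in", Decimal("2.00000000"), "payer-addr-2"),
    Tx("tx-03", datetime(2021, 2, 15, 21, 40, tzinfo=UTC), "out", Decimal("2.00000000"), "cashout-addr-A"),
    Tx("tx-04", datetime(2021, 2, 16, 8, 12, tzinfo=UTC), "in", Decimal("4.10000000"), "payer-addr-3"),
    Tx("tx-05", datetime(2021, 2, 16, 10, 30, tzinfo=UTC), "out", Decimal("1.50000000"), "cashout-addr-B"),
    Tx("tx-06", datetime(2021, 2, 16, 22, 58, tzinfo=UTC), "out", Decimal("2.14926000"), "cashout-addr-C"),
    Tx("tx-07", datetime(2021, 2, 17, 9, 3, tzinfo=UTC), "out", Decimal("0.45453144"), "cashout-addr-D"),
]
CUTOFF = date(2021, 2, 16)   # the challenge's "as of 16 February 2021"


def first_received(txs):
    # Challenge 9: the earliest incoming transaction, formatted the way the flag wants it
    incoming = [t.time for t in txs if t.direction == "in"]
    return min(incoming).strftime("%Y-%m-%d-%H-%M") if incoming else None


def outgoing_as_of(txs, cutoff):
    # Everything spent from the address up to the end of the cutoff day (UTC, inclusive)
    end = datetime.combine(cutoff, datetime.max.time(), tzinfo=UTC)
    return [t for t in txs if t.direction == "out" and t.time <= end]


def count_sends(txs, cutoff):
    # Challenge 10: number of times the address sent money as of the cutoff
    return len(outgoing_as_of(txs, cutoff))


def total_sent(txs, cutoff):
    # Challenge 11: exact sum of outgoing amounts as of the cutoff
    return sum((t.amount for t in outgoing_as_of(txs, cutoff)), Decimal("0"))


def paper_trail(txs, cutoff):
    # Challenge 12: recipient addresses, latest first, joined as the flag format expects
    outs = sorted(outgoing_as_of(txs, cutoff), key=lambda t: t.time, reverse=True)
    return "_".join(t.counterparty for t in outs)


if __name__ == "__main__":
    print("first received:", first_received(SAMPLE_LEDGER))
    print("sends as of", CUTOFF, ":", count_sends(SAMPLE_LEDGER, CUTOFF))
    print("total sent as of", CUTOFF, ":", total_sent(SAMPLE_LEDGER, CUTOFF))
    print("paper trail:", paper_trail(SAMPLE_LEDGER, CUTOFF))
```

The cutoff is applied in UTC. Block explorers usually render block times in the browser's local time zone, which can move a transaction near midnight onto the other side of a "as of" date, so pin the zone down before counting.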

13. Memory Lane — 1 … (200pts)

The who_is_well_read_and_rich.png picture shows Nairobi city centre as it looked before the 1980s.

Finding similar images with reverse image search engines such as Yandex gave multiple clues for solving this challenge:

https://yandex.com/images/search?rpt=imageview&url=https%3A%2F%2Favatars.mds.yandex.net%2Fget-images-cbir%2F4489938%2FVJMOjIoLw32gVUAgKYZNJg6469%2Forig&cbir_id=4489938%2FVJMOjIoLw32gVUAgKYZNJg6469

References:

https://www.facebook.com/KenyaHistory101/photos/kenya-bus-services-no152-seen-in-a-kenyan-field-in-1973no152-was-a-guy-arab-iv-w/1251410094871964/

http://www.brindale.co.uk/ach/prv_site/site_index/prv_site_frames.htm?http://www.brindale.co.uk/ach/prv_site/guy_arab.htm

Flag format: Aspire{GUY_ARAB}

14. Memory Lane — 2. Street (50pts)

The street pictured is today's Moi Avenue, following the lead from the same Yandex reverse image search used in challenge 13.

Reference: https://twitter.com/KResearcher/status/1168202751588933632

Flag format: Aspire{MOI_AVENUE}

15. Memory Lane — 3. Rename (50pts)

The street was formerly known as Government Road, again following the leads from the same Yandex reverse image search.

References: https://twitter.com/KResearcher/status/1168202751588933632

https://en.wikipedia.org/wiki/Moi_Avenue_(Nairobi)

Flag format: Aspire{GOVERNMENT_ROAD}

16. Memory Lane — 4. Building (50pts)

The building in question is the one marked "1" in the picture.

It is the current Kenya National Archives, identified by following the leads from the same Yandex reverse image search used in challenge 13.

Reference: https://twitter.com/theogstud/status/1249116571680804865

Flag format: Aspire{KENYA_NATIONAL_ARCHIVES_AND_DOCUMENTATION_SERVICE}

17. Memory Lane — 5. Builder (50pts)

The building in question is again the one marked "1" in the downloaded picture.

To solve this challenge, we use this article:

https://www.businessdailyafrica.com/bd/lifestyle/society/iconic-national-archives-rise-from-hosting-banks-to-global-research-centre-2120508

It names the institution that built the building: the National Bank of India.

Flag format: Aspire{NATIONAL_BANK_OF_INDIA}

18. Memory Lane — 6. Evolution (50pts)

We refer to the same image with the building marked "1", and again use the same article:

https://www.businessdailyafrica.com/bd/lifestyle/society/iconic-national-archives-rise-from-hosting-banks-to-global-research-centre-2120508

The article traces how the National Bank of India evolved into today's Kenya Commercial Bank.

Flag format: Aspire{KENYA_COMMERCIAL_BANK}

19. Traveler — 1… (50pts)

We can find where the picture was taken with https://www.verexif.com/en/, a website that works like the ExifTool command-line tool but also offers to strip the metadata, in case you want to share a photo without giving away where it was taken.

Click "View Exif" to see all the details of the picture, then open the larger map to spot the exact place it was taken.

Flag format: Aspire{enashipai}

20. Traveler — 2. Device (50pts)

To solve this challenge, we use http://metapicz.com/, which shows both the EXIF data and the ICC profile, the block of data that describes the colour space used to encode the pixel colours. The ICC profile header carries a creation date of its own, and it is from that that we dated the device's release.

Flag format: Aspire{2016}

21. Traveler — 3. Time (50pts)

EXIF tools come in handy for extracting metadata from files and images. Pictures taken by digital cameras embed data such as the time, the date and the type of camera used, and many devices, smartphones in particular, add GPS coordinates as well, leaving one traceable just by a shared image.

Reference: https://null-byte.wonderhowto.com/how-to/obtain-valuable-data-from-images-using-exif-extractors-0195471/

To find the time e_rocks_2.jpg was taken, we again run ExifTool from a Linux terminal against the file and read the DateTimeOriginal tag. Note that this timestamp is the device's local time with no time zone attached, unless the newer OffsetTimeOriginal tag is also present.

Flag format: Aspire{18:11:41}

22. Billboard (150pts)

The first step is to get the GPS data from the image to find the location of the billboard, again with ExifTool (the GPSLatitude and GPSLongitude tags together with their GPSLatitudeRef and GPSLongitudeRef hemisphere tags, or the combined GPSPosition output).

The GPS location of the billboard is 0° 45' 32.12" S, 36° 28' 45.49" E.
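Challenges 19, 21 and 22 all come down to reading the same handful of Exif fields: DateTimeOriginal, the GPS latitude/longitude rationals with their Ref tags, plus Make and Model for the device. The Python below is an added example written for this write-up, not our actual commands and not ExifTool's code. It builds a minimal JPEG with a constructed Exif block (a hypothetical make and model, the time from challenge 21 and the coordinates from challenge 22), then parses it back with nothing but the standard library, which shows where each value actually lives in the file and how the three GPS rationals become the decimal and D° M' S" forms that Google Maps accepts:

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF field type
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_GPS_IFD, TAG_DATETIME_ORIGINAL = 0x010F, 0x0110, 0x8769, 0x8825, 0x9003
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5


def build_sample_jpeg(make, model, dt_original, lat_dms, lat_ref, lon_dms, lon_ref):
    # Constructed test input: a JPEG carrying only an APP1 Exif segment (little-endian TIFF with
    # IFD0 -> Exif IFD holding DateTimeOriginal and IFD0 -> GPS IFD holding lat/lon), no image data.
    ifd0_off = 8                              # IFD0 follows the 8-byte TIFF header
    exif_off = ifd0_off + 2 + 4 * 12 + 4      # IFD0 has 4 entries: Make, Model, ExifIFD, GPSIFD
    gps_off = exif_off + 2 + 1 * 12 + 4       # Exif IFD has 1 entry
    data_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD has 4 entries; longer values are stored after it
    data = bytearray()
    def entry(tag, typ, payload, count):
        if len(payload) <= 4:                 # values of <= 4 bytes live inline in the value field
            field = payload.ljust(4, b"\0")
        else:                                 # longer values live out of line; the field is their offset
            field = struct.pack("<I", data_off + len(data))
            data.extend(payload)
        return struct.pack("<HHI", tag, typ, count) + field
    def text(tag, s):
        b = s.encode("ascii") + b"\0"         # ASCII values are NUL-terminated; the count includes the NUL
        return entry(tag, ASCII, b, len(b))
    def rationals(tag, vals):
        return entry(tag, RATIONAL, b"".join(struct.pack("<II", n, d) for n, d in vals), len(vals))
    ifd0 = (struct.pack("<H", 4) + text(TAG_MAKE, make) + text(TAG_MODEL, model)
            + entry(TAG_EXIF_IFD, LONG, struct.pack("<I", exif_off), 1)
            + entry(TAG_GPS_IFD, LONG, struct.pack("<I", gps_off), 1) + struct.pack("<I", 0))
    exif = struct.pack("<H", 1) + text(TAG_DATETIME_ORIGINAL, dt_original) + struct.pack("<I", 0)
    gps = (struct.pack("<H", 4) + text(GPS_LAT_REF, lat_ref) + rationals(GPS_LAT, lat_dms)
           + text(GPS_LON_REF, lon_ref) + rationals(GPS_LON, lon_dms) + struct.pack("<I", 0))
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + exif + gps + bytes(data)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def dms_to_decimal(dms, ref):
    # Exif stores a coordinate as three unsigned rationals (deg, min, sec); the Ref tag gives the hemisphere
    d, m, s = (n / den for n, den in dms)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def decimal_to_dms_string(value, pos_ref, neg_ref):
    # Signed degrees -> D° M' S.ss" R, the form Google Maps accepts in its search box
    ref = pos_ref if value >= 0 else neg_ref
    value = abs(value)
    d, m = int(value), int((value - int(value)) * 60)
    s = (value - d - m / 60) * 3600
    return f"{d}° {m}' {s:.2f}\" {ref}"


def parse_exif(jpeg):
    # Walk the JPEG segments to the APP1 Exif block, then IFD0 -> Exif IFD and IFD0 -> GPS IFD
    pos, tiff = 2, None
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):        # EOI or start of scan: no more metadata segments follow
            break
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            break
        pos += 2 + seglen
    if tiff is None:
        return {}                             # not a JPEG, or the Exif segment was stripped
    end = "<" if tiff[:2] == b"II" else ">"   # byte order declared by the TIFF header
    def read_ifd(off):
        (n,) = struct.unpack(end + "H", tiff[off:off + 2])
        fields = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
            size = TYPE_SIZES.get(typ, 1) * count
            if size <= 4:
                raw = tiff[e + 8:e + 8 + size]
            else:
                (voff,) = struct.unpack(end + "I", tiff[e + 8:e + 12])
                raw = tiff[voff:voff + size]
            if typ == ASCII:
                fields[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ == RATIONAL:
                fields[tag] = [struct.unpack(end + "II", raw[8 * k:8 * k + 8]) for k in range(count)]
            elif typ == LONG and count == 1:
                (fields[tag],) = struct.unpack(end + "I", raw)
        return fields
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = read_ifd(ifd0_off)
    exif = read_ifd(ifd0[TAG_EXIF_IFD]) if TAG_EXIF_IFD in ifd0 else {}
    gps = read_ifd(ifd0[TAG_GPS_IFD]) if TAG_GPS_IFD in ifd0 else {}
    out = {"Make": ifd0.get(TAG_MAKE), "Model": ifd0.get(TAG_MODEL),
           "DateTimeOriginal": exif.get(TAG_DATETIME_ORIGINAL)}
    if GPS_LAT in gps and GPS_LON in gps:
        out["GPS"] = (dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                      dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return out


# Constructed sample: hypothetical make/model, the time from challenge 21 and the coordinates from challenge 22
SAMPLE_JPEG = build_sample_jpeg("ExampleMake", "ExampleCam", "2021:02:13 18:11:41",
                                [(0, 1), (45, 1), (3212, 100)], "S", [(36, 1), (28, 1), (4549, 100)], "E")
```

On a real file, ExifTool reports the same fields with `exiftool -Make -Model -DateTimeOriginal -GPSPosition file.jpg`; the parser above is only there to show what those tags are made of. Note the two failure modes it handles: a file with no APP1 Exif segment at all (most social platforms strip it on upload) returns an empty result, and a GPS IFD without both latitude and longitude yields no coordinates rather than a half-filled pair.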

We key these coordinates into the Google Maps search field, then activate Street View at the pinned location. Double-clicking the pin in Street View brings up the billboard. Bear in mind that the coordinates record where the camera was when the photo was taken, not the subject itself, so look around the pin rather than exactly at it.

Flag format: Aspire{summit}

23. Jurisdiction — 1… (100pts)

The image in reference is a cropped photo. We use reverse image search engines, Yandex specifically, to find the full picture:

https://yandex.com/images/search?rpt=imageview&source=collections&cbir_page=similar&url=https%3A%2F%2Favatars.mds.yandex.net%2Fget-images-cbir%2F4856899%2FWx4SSPqqDFLYwozAk8AwoA6594%2Forig&cbir_id=4856899%2FWx4SSPqqDFLYwozAk8AwoA6594

It returns the full picture, which shows the area of jurisdiction:

Flag format: Aspire{marsabit}

24. Jurisdiction — 2. Tenders (100pts)

To solve this challenge, we use the following resource, which lists details of public tenders in Kenya:

https://tenders.go.ke/

To view tenders within this area of jurisdiction, we filter the results for Marsabit, across both open and expired tender notices.

From the results, only three tenders were set to close by February 2021.

Therefore, flag format: Aspire{three}

25. Jurisdiction — 3. Economy (50pts)

We refer to the screenshot of the Marsabit tenders taken earlier.

We can see that they are associated with fishing activities and closed on 16th February 2021.

Therefore, flag format: Aspire{fishing}

26. Jurisdiction — 4. Telco (100pts)

After Safaricom PLC, Airtel Kenya Ltd is the second largest telecommunications provider in Kenya. Reference: https://en.wikipedia.org/wiki/Airtel_Kenya

On https://tenders.go.ke/website/contracts/suppliers, a list of all registered suppliers is available. Filtering the results for Airtel Ltd gives the company information, the list of directors and the number of contracts, which is eighteen in total. Reference: https://tenders.go.ke/website/Suppliers/SupplierDetails/4335

Therefore, flag format: Aspire{eighteen}


that’s all folks, until next time, happy learning:)