---
title: MidnightFlag CTF Write-Up Will the big wheel
description: Write-up for the OSINT challenge "Will the big wheel" @ 404CTF 2022
image: /blog/infektionctf.png
date: 2022-04-24
authors:
  - name: finxol
tags:
  - writeup
  - MidnightFlagCTF
published: true
---

## 404CTF

The [MidnightFlag CTF](https://midnightflag.fr/) is a CTF organised by students from [ESNA](https://www.esna.bzh/)

### Description

Our intelligence services have just received a message from one of our agents in the USSR and according to the first elements,
we must quickly find him to exfiltrate him.
Your mission is to decode his message and return the extraction location to us.

![Message Recover](/posts/writeup-midnightflag-osint-will-the-big-wheel/MessageRecover.png)

Author: **A0d3n**

## Solution

First of all, let's check the metadata from the image we were given.
With a simple `exiftool MessageRecover.png`, we get the following information *(some information was removed for clarity)*:

```
ExifTool Version Number         : 12.38
File Name                       : MessageRecover.png
Directory                       : .
File Size                       : 23 KiB
MIME Type                       : image/png
Image Width                     : 532
Image Height                    : 284
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
Copyright                       : MidnightFlag
Exif Version                    : 0232
Components Configuration        : Y, Cb, Cr, -
User Comment                    : WzUxLjQwMzA5LCAzMC4wNDQwMXw1MS40MDc4OSwgMzAuMDU1NjR8NTEuNDAwODksIDMwLjA2NDA4XSwgSSB3SUxsIHdBSXQgWW9VIGFUIHRIZSBjRW50RVIu
Flashpix Version                : 0100
Owner Name                      : A0d3n
Image Size                      : 532x284
```

One line that catches our eye is the "User Comment".
This looks like it could be some base64-encoded text.
Let's try to decode it with:

```sh
echo -n "WzUxLjQwMzA5LCAzMC4wNDQwMXw1MS40MDc4OSwgMzAuMDU1NjR8NTEuNDAwODksIDMwLjA2NDA4XSwgSSB3SUxsIHdBSXQgWW9VIGFUIHRIZSBjRW50RVIu" | base64 --decode
```

And we get

```
[51.40309, 30.04401|51.40789, 30.05564|51.40089, 30.06408], I wILl wAIt YoU aT tHe cEntER.
```

These look like coordinates.
The first one seems to be in the north of Ukraine, and the other ones are close by.

![First GPS Coordinate](/posts/writeup-midnightflag-osint-will-the-big-wheel/first_gps_point.png)

The decoded message also says "I will wait you at the center".
We can assume from this sentence that the agent will be waiting at the center of these three coordinates.

With a quick search about averaging GPS coordinates, we find a JavaScript program [on GitHub Gist](https://gist.github.com/tlhunter/0ea604b77775b3e7d7d25ea0f70a23eb).
We can then tweak an example case to match our coordinates, and we get a result!

![Calculating the average coordinate](/posts/writeup-midnightflag-osint-will-the-big-wheel/average_coord.png)

By plotting these coordinates on a map, we land [near the amusement park](https://www.google.com/maps/place/Pripyat+amusement+park/@51.4053954,30.0488085,2337m/data=!3m1!1e3!4m13!1m7!3m6!1s0x0:0x8b035e1594d47a36!2zNTHCsDI0JzE0LjMiTiAzMMKwMDMnMTYuNSJF!3b1!8m2!3d51.403957!4d30.0545768!3m4!1s0x472a7c5de9f5c0fb:0x87aa178315dd0d18!8m2!3d51.4078925!4d30.055647)
where the wheel in the picture can be found.

We then look at the nearest point of interest, and we find **Чорнобиль**, which means Tchernobyl.

![Average coordinate on a map](/posts/writeup-midnightflag-osint-will-the-big-wheel/flag.png)

We then hash the word with `echo -n "Чорнобиль" | md5sum` and get the flag `MCTF{3687016d7a89edc046069933f208e8c8}`.
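
The decode and averaging steps above can be done in one pass. The following Node.js script is an added example, not the linked gist and not the author's code: it decodes the User Comment, parses the coordinate list and computes the geographic midpoint by averaging the points as 3D unit vectors. The function names are chosen here for illustration.

```javascript
// Added example. USER_COMMENT is the value shown in the exiftool output above.
const USER_COMMENT =
  "WzUxLjQwMzA5LCAzMC4wNDQwMXw1MS40MDc4OSwgMzAuMDU1NjR8NTEuNDAwODksIDMwLjA2NDA4XSwgSSB3SUxsIHdBSXQgWW9VIGFUIHRIZSBjRW50RVIu";

// Decode a base64 string to UTF-8 text.
function decodeComment(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Extract the "[lat, lon|lat, lon|...]" list from the decoded message.
function parseCoordinates(message) {
  const match = message.match(/\[([^\]]+)\]/);
  if (!match) throw new Error("no coordinate list found");
  return match[1].split("|").map((pair) => {
    const [latitude, longitude] = pair.split(",").map((v) => Number(v.trim()));
    if (!Number.isFinite(latitude) || !Number.isFinite(longitude) ||
        Math.abs(latitude) > 90 || Math.abs(longitude) > 180) {
      throw new Error(`invalid coordinate pair: ${pair}`);
    }
    return { latitude, longitude };
  });
}

// Geographic midpoint: sum the points as unit vectors on a sphere, then
// convert the summed vector back to latitude/longitude. Dividing by the
// number of points is unnecessary because atan2 ignores the vector's length.
function centroid(points) {
  if (points.length === 0) throw new Error("no points");
  const rad = Math.PI / 180;
  let x = 0, y = 0, z = 0;
  for (const { latitude, longitude } of points) {
    const lat = latitude * rad, lon = longitude * rad;
    x += Math.cos(lat) * Math.cos(lon);
    y += Math.cos(lat) * Math.sin(lon);
    z += Math.sin(lat);
  }
  return {
    latitude: Math.atan2(z, Math.hypot(x, y)) / rad,
    longitude: Math.atan2(y, x) / rad,
  };
}

const points = parseCoordinates(decodeComment(USER_COMMENT));
const center = centroid(points);
console.log(`${center.latitude.toFixed(5)}, ${center.longitude.toFixed(5)}`);
```

For points this close together, the result is practically identical to a plain arithmetic mean of the latitudes and longitudes; the vector form also stays correct for points spread across the antimeridian.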