SnakeCTF — OSINT
SnakeCTF was created and hosted by MadrHacks. This CTF had 180 teams that scored at least 50 points — which, as any creator can tell you, is great! While my team and I couldn’t spend too much time on all of the challenges due to our own courseload, I took a stab at their OSINT and solved a few of them.
Challenge 1: flightyflightflight
This challenge provided very little to go off at face value. We’re given the name of the challenge, a very brief description, the flag format, and a video.
The video was taken from a window seat (lucky!) as an airplane is taking off from a very foggy airport. We can see a plane landing, and some others sitting on the tarmac. Beyond that, not much else is visible.
Steps to solve:
Build your case:
First, as with any CTF challenge, build your case. What are we looking for? Well, thankfully the developer here was straightforward: the IATA code and the ICAO code. If you’re not familiar with those, then start Googling — which I had to do. To save you time: we’re looking for the three-letter IATA airport code (like JFK, LGA, LAX, or… VCE) and the four-letter ICAO airport code, which normally starts with a letter designating the region, followed by a letter for the country, and then two letters identifying the airport within that country.
Examine the evidence:
We were given a video. Does this video have any metadata on it that could be useful? Open it up in exiftool and you’ll see that the answer is: No. Not this time; the geolocation was scrubbed.
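What a metadata check of this kind looks like at the byte level, as an added example that is not part of the original writeup: a small Python walker over the MP4/MOV box structure that reports whether a QuickTime-style ©xyz location atom (the field exiftool shows as GPS Coordinates) is present. The two sample files and the coordinate string inside them are constructed in memory; the challenge video itself is not used, and the box layout assumed is the plain QuickTime/MP4 one (size, type, payload).

```python
import struct
from typing import Iterator, Optional, Tuple

# Box types whose payload is a sequence of child boxes (QuickTime/MP4 layout).
CONTAINER_BOXES = {b"moov", b"trak", b"udta"}
# QuickTime user-data key for a location string in ISO 6709 form, e.g. "+45.5050+012.3519/".
XYZ_ATOM = b"\xa9xyz"


def box(box_type: bytes, payload: bytes) -> bytes:
    """Encode one box: 4-byte big-endian size (header included) followed by the 4-byte type."""
    return struct.pack(">I", 8 + len(payload)) + box_type + payload


def iter_boxes(data: bytes, start: int = 0, end: Optional[int] = None) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, payload) for every leaf box in data[start:end], descending into containers."""
    end = len(data) if end is None else end
    offset = start
    while offset + 8 <= end:
        size, box_type = struct.unpack_from(">I4s", data, offset)
        header = 8
        if size == 1:            # 64-bit "largesize" follows the type field
            size = struct.unpack_from(">Q", data, offset + 8)[0]
            header = 16
        elif size == 0:          # box runs to the end of the enclosing data
            size = end - offset
        if size < header or offset + size > end:
            raise ValueError(f"malformed box {box_type!r} at offset {offset}")
        payload_start, payload_end = offset + header, offset + size
        if box_type in CONTAINER_BOXES:
            yield from iter_boxes(data, payload_start, payload_end)
        else:
            yield box_type, data[payload_start:payload_end]
        offset += size


def find_location(data: bytes) -> Optional[str]:
    """Return the ISO 6709 string stored in a ©xyz atom, or None when the file carries no location."""
    for box_type, payload in iter_boxes(data):
        if box_type == XYZ_ATOM and len(payload) >= 4:
            str_len, _lang = struct.unpack_from(">HH", payload, 0)  # 2-byte length, 2-byte language code
            return payload[4:4 + str_len].decode("utf-8", errors="replace")
    return None


def sample_file(location: Optional[str]) -> bytes:
    """Constructed minimal MP4-like file; location=None produces the 'scrubbed' variant without ©xyz."""
    ftyp = box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isom" + b"mp41")
    udta_children = b""
    if location is not None:
        loc = location.encode("utf-8")
        udta_children = box(XYZ_ATOM, struct.pack(">HH", len(loc), 0x15C7) + loc)  # 0x15C7 = packed "eng"
    moov = box(b"moov", box(b"mvhd", bytes(100)) + box(b"udta", udta_children))
    return ftyp + moov + box(b"mdat", bytes(16))


# Constructed samples: the coordinates are made up for the demo, not read from the challenge video.
TAGGED = sample_file("+45.5050+012.3519/")
SCRUBBED = sample_file(None)

if __name__ == "__main__":
    for name, blob in (("tagged", TAGGED), ("scrubbed", SCRUBBED)):
        print(f"{name}: location = {find_location(blob)}")
```

Run it against a real file by reading the bytes and passing them to find_location(); a None result is what "the geolocation was scrubbed" looks like in this one atom, although a full check (which exiftool does) also covers the other places a camera or phone can tuck location data.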
Alright — so metadata won’t give us the answer and this won’t be as simple as that. What do we do next? Well, watch the actual video.
Here are the key parts:
First, we have a Volotea plane either landing or taking off. Probably landing. This will limit the amount of airports we should check.
The next key was the Turkish Airlines plane to the left. I wasn’t familiar with this tail, or their version of their logo, but a simple search online for plane logos that were red and white helped me narrow that down. Unfortunately I could not solve the plane on the right, but it also wasn’t necessary.
From here we know two key facts: Volotea services this airport AND Turkish Airlines services this airport. I used FlightConnections to cross-reference which airports these two airlines serve and found that there was very little crossover. Most importantly, however, I found the airport closest to the University of Udine — where MadrHacks hails from. This is serviced by both Turkish Airlines and Volotea. This is the biggest clue.
Test Your Theory
With our biggest hunch set — that this was the Marco Polo Airport in Venice (a mere 75 miles or 122 km from the university) — we had to check. We could just submit the flag after getting the codes, but Google Earth exists, so why not give it a shot?
From Google Earth we can see what looks like a PS2 screenshot of the airport — a low profile building with a single main tower.
And here we can compare it to the same general angle — matching the singular tower and low profile terminal, I feel confident that we have a match.
Input your solution:
Now that we know Marco Polo was the right airport, we just need their codes (VCE and LIPZ).
Solution: snakeCTF{VCE_LIPZ}
Snake Finder
I was the second person to solve Snake Finder… but I’m not mad about it. Only two ever did! We’re given a fun riddle to start us off.
Build your case
What do we need to find? It looks like the flag will be in a plaintext location related to MadrHacks/SnakeCTF. Not much else, and since formatting isn’t given I can assume it’s snakeCTF{} or will appear already wrapped in the flag wrapper.
Examine the evidence
Verse one tells us we must go where serpents reside online AND where people may… exaggerate their abilities. Well, this is snakeCTF, so I can assume we’re looking for a place related to MadrHacks online. I can also assume they might lie on a resume, so LinkedIn was the best option here. Other options to check would have been Instagram, Twitter, Facebook, or maybe Reddit.
Verse two was nice, but pointless to the challenge. I appreciate the craftsmanship though!
Verse three tells us again we are looking for the “serpent’s lair” — so where they hang out, and “where the past does transpire”. Great, so wherever we find, use the Wayback Machine. Got it!
Verse four reiterated that this was in the past. It will not show up unless you check online.
Test your theory
Well, given the information we gathered, I assume it’s on LinkedIn and we’ll need to use the Wayback Machine. So I head over to LinkedIn and check for their account. There it was — right in plain sight.
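An added example, not from the writeup, of doing the Wayback Machine step programmatically: the CDX index API lists every capture of a URL, and each capture can be opened as https://web.archive.org/web/<timestamp>/<url>. The query builder and parser run offline against a constructed sample response; the profile path and dates in it are placeholders rather than real captures of the MadrHacks page, and fetch_snapshots() is the only function that touches the network.

```python
import json
from typing import Dict, List
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_query(target_url: str, limit: int = 50) -> str:
    """Build a CDX index query: JSON rows of timestamp/original/statuscode, successful captures only."""
    params = {
        "url": target_url,
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
        "collapse": "digest",   # skip consecutive captures whose content hash is unchanged
        "limit": limit,
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx(body: str) -> List[Dict[str, str]]:
    """CDX JSON output is a list of rows whose first row names the fields."""
    rows = json.loads(body)
    if not rows:
        return []
    header, *records = rows
    return [dict(zip(header, rec)) for rec in records]


def snapshot_url(timestamp: str, original: str) -> str:
    """Address at which the Wayback Machine serves a given capture."""
    return f"https://web.archive.org/web/{timestamp}/{original}"


def fetch_snapshots(target_url: str) -> List[Dict[str, str]]:
    """Live lookup (network): list the archived captures of target_url."""
    with urlopen(build_cdx_query(target_url), timeout=30) as resp:
        return parse_cdx(resp.read().decode("utf-8"))


def snapshot_links(captures: List[Dict[str, str]]) -> List[str]:
    """Turn parsed CDX rows into browser-openable archive links, oldest first."""
    ordered = sorted(captures, key=lambda c: c["timestamp"])
    return [snapshot_url(c["timestamp"], c["original"]) for c in ordered]


# Constructed sample response in the CDX JSON shape. The profile path and dates are
# placeholders, not real captures of the MadrHacks page.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20231120181500", "https://www.linkedin.com/company/PLACEHOLDER-profile", "200"],
    ["20230115093000", "https://www.linkedin.com/company/PLACEHOLDER-profile", "200"],
])

if __name__ == "__main__":
    for link in snapshot_links(parse_cdx(SAMPLE_CDX)):
        print(link)
```

Collapsing on digest keeps the list short when a page was captured often without changing; drop that parameter if you want to see every capture, because a flag-bearing edit that was reverted quickly lives in exactly the captures that differ from their neighbours.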
Submit the answer:
Of course, the flag was in plain text. Solution: snakeCTF{now-we-are-linked-in-haha-you-get-it?}
First Hunt
The last challenge I solved was First Hunt — and we were the 8th team to solve this.
The Challenge:
We were given an email message and a brief description: “Hey! We intercepted this strange message. I think we finally found them. Let me know if you find something.”
The email in question, in plain text:
MIME-Version: 1.0
Date: Fri, 1 Dec 2023 15:19:23 +0100
Message-ID: <CAK3zLhWOnqxy3TAE8=8YAfP3NDruBxPRB46LwYUye=joUzfJKw@mail.gmail.com>
Subject: info
From: Pippo Balordo <mailacasissimopippo@gmail.com>
To: wazzujf2@slimy.lol
Content-Type: multipart/alternative; boundary="00000000000066b4b6060b7374d3"

--00000000000066b4b6060b7374d3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

c2VydmljZSBpbmZvcm1hdGlvbjoNCg0KwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDC
sMKwwrDCsMKwwrB0aGUgdXN1YWwgbGluayBoYXMgY2hhbmdlZA0KDQpwYXN0ZSBpdCBzb21ld2hl
cmUgYW5kIGRlbGV0ZSB0aGlzIG1haWwgYWZ0ZXIuDQo=
--00000000000066b4b6060b7374d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64

PGRpdiBkaXI9Imx0ciI+c2VydmljZSBpbmZvcm1hdGlvbjo8YnI+PGJyPsKwwrDCsMKwwrDCsMKw
wrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwdGhlIHVzdWFsIGxpbmsgaGFzIGNoYW5nZWQ8
YnI+PGJyPnBhc3RlIGl0IHNvbWV3aGVyZSBhbmQgZGVsZXRlIHRoaXMgbWFpbCBhZnRlci48YnI+
PC9kaXY+DQo=
--00000000000066b4b6060b7374d3--
Build your case:
It wasn’t exactly clear what we needed. Like the previous challenge, no format was given so I knew (or hoped) I’d find the flag in plaintext somewhere. But… where?
Examine the Evidence:
The email had to be the biggest clue. You could throw it into any email analyzer, but opening it in Notepad was easiest. We can see an email being sent between two users: wazzujf2 and mailacasissimopippo / Pippo Balordo.
We also see that the body was encoded in base64. Decoded, it reads:
service information:

°°°°°°°°°°°°°°°°°°°°°°the usual link has changed

paste it somewhere and delete this mail after.
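An added example (mine, not the author’s) of parsing the intercepted message with Python’s standard email package instead of by hand: it walks the MIME parts, decodes each base64 body, and pulls out the sender and recipient handles that the next step pivots on. The message bytes are the email quoted above, with the boundary lines in their RFC 2046 form.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# The intercepted message exactly as quoted above ("--<boundary>" lines restored).
RAW_EMAIL = b"""\
MIME-Version: 1.0
Date: Fri, 1 Dec 2023 15:19:23 +0100
Message-ID: <CAK3zLhWOnqxy3TAE8=8YAfP3NDruBxPRB46LwYUye=joUzfJKw@mail.gmail.com>
Subject: info
From: Pippo Balordo <mailacasissimopippo@gmail.com>
To: wazzujf2@slimy.lol
Content-Type: multipart/alternative; boundary="00000000000066b4b6060b7374d3"

--00000000000066b4b6060b7374d3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

c2VydmljZSBpbmZvcm1hdGlvbjoNCg0KwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDC
sMKwwrDCsMKwwrB0aGUgdXN1YWwgbGluayBoYXMgY2hhbmdlZA0KDQpwYXN0ZSBpdCBzb21ld2hl
cmUgYW5kIGRlbGV0ZSB0aGlzIG1haWwgYWZ0ZXIuDQo=
--00000000000066b4b6060b7374d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64

PGRpdiBkaXI9Imx0ciI+c2VydmljZSBpbmZvcm1hdGlvbjo8YnI+PGJyPsKwwrDCsMKwwrDCsMKw
wrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwwrDCsMKwdGhlIHVzdWFsIGxpbmsgaGFzIGNoYW5nZWQ8
YnI+PGJyPnBhc3RlIGl0IHNvbWV3aGVyZSBhbmQgZGVsZXRlIHRoaXMgbWFpbCBhZnRlci48YnI+
PC9kaXY+DQo=
--00000000000066b4b6060b7374d3--
"""


def analyze_message(raw: bytes) -> Dict[str, object]:
    """Parse the MIME structure, decode every text part, and pull the identities it links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(str(msg["From"]))
    _, recipient_addr = parseaddr(str(msg["To"]))

    bodies: Dict[str, str] = {}
    for part in msg.walk():                      # root first, then each leaf part
        if part.get_content_maintype() == "text":
            # get_content() applies the Content-Transfer-Encoding (base64 here) and the charset.
            bodies[part.get_content_type()] = part.get_content().replace("\r\n", "\n")

    # Local parts of the two addresses are the handles worth pivoting on in later steps.
    handles: List[str] = sorted({addr.split("@", 1)[0] for addr in (sender_addr, recipient_addr)})
    return {
        "date": str(msg["Date"]),
        "subject": str(msg["Subject"]),
        "sender": sender_addr,
        "sender_name": sender_name,
        "recipient": recipient_addr,
        "handles": handles,
        "parts": sorted(bodies),
        "text": bodies.get("text/plain", ""),
    }


if __name__ == "__main__":
    result = analyze_message(RAW_EMAIL)
    for key in ("date", "subject", "sender", "recipient", "handles", "parts"):
        print(f"{key:>10}: {result[key]}")
    print(result["text"])
```

Letting the email package do the decoding also avoids the one trap in hand-decoding this message: the base64 text wraps across lines and the decoded body uses CRLF line endings, so a cut-and-paste into a web decoder is where the run of ° characters and the line breaks tend to get mangled.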
The only thing that sticks out to me is paste. This was clearly a unique word to choose and, despite being an Italian CTF, I can assume their English is better than many people I know. This was intentional.
When thinking of “pasting” something somewhere, I always think Pastebin. And while I never have luck going and searching for users, you can go straight to their page:
Since we knew wazzujf2 was who had to paste it, it had to be their account.
Inside of this, without a password, we see this paste:
For my favourite shop!!!!!!! -> https://e2ueln4vgn6qj2q4vwkcntkeg3ftinizb3ewjkahd2aoior33dbts3qd.onion user: wazzujf2@slimy.lol pass: hYpYxWRvHvKBzDes (i hope this is secure enough) todo: burn this!
Test your theory:
Now my case has legs, and it’s time to take it for a walk. I found an onion site, so I’d need the Tor Browser. I also could assume I’d have to find the flag on this site.
I loaded up the browser and attempted to access the link… and it worked!
We just needed to log in using the supplied credentials.
Once we did that, we would find the flag in plain text, as expected.
Submit your answer:
Now that we found what was clearly the flag, we just had to submit it.
Solution: snakeCTF{h1dd3n_s3rv1ce5_4re_fuN_t0_bu1ld}
We solved a few other minor challenges, but didn’t have time to explore more, unfortunately.
Overall snakeCTF was great. This was a well-put-together CTF, with good challenges that were solvable and written clearly. Kudos to the MadrHacks team.