Solution to some CTF challenges from https://investigator.cybersoc.wales

1v0t
Mar 14, 2022


A few months ago I participated in the CTF of https://investigator.cybersoc.wales/. The truth is that they were challenges like I had never seen before.

I decided to keep the solutions to these challenges for 6 months or more and not share them, so that whoever was doing it could have an optimal process without clues or help on the internet. Now I have decided to share with you some of the challenges I solved and how I managed to do it: the process and reasoning that led me to their solution.

Challenge name: thermalentry

Points: 200

One of our undercover officers has been following a suspected financial crime kingpin and they keep visiting a lockup in a secluded area of London — we have no idea what is in there.

A couple of nights ago, the officer noticed that there is a digital PIN pad used to open the lockup door, and shortly after the suspect entered and closed the door behind them, our officer promptly approached the PIN pad and took a photograph of the keys with a thermal camera.

Research into the PIN pad reveals that it only accepts four digit codes, so that should make things easier.

What is the PIN code for the lockup? It will be much easier for us to make a subdued entry to find out what is in there without compromising our investigation through forcing our way in.

This challenge has us analyze the heat left on the keys: the redder a key, the hotter it is, so the reddest and biggest marks are the last buttons typed.
In this case the smallest mark, and therefore the first key typed, is the 4, followed by the 1, which is a little bigger, then the 5, which is almost as big as the 8, and finally the 8. This gives us the key 4158.

— — — — — — — — — — — — — -

Challenge name: nightclub

Points: 300

We’ve been monitoring the movements of a few somewhat well-known club DJs-for-hire with sketchy pasts.

A couple of days ago, we parked one of our investigators outside a nightclub which previous checks suggest is linked to a drug-related money laundering scheme. We also happen to know that each of the DJs we’ve been following use Spotify for their music at venues.

Unfortunately, the DJ for the evening must have used another entrance as our surveillance team didn’t spot anyone matching the profile of any of our suspects that night.

It would be useful for us to know the name of the song that is playing in the attached recording, as this will enable us to scrape the listening histories of our suspects and match the two up to identify who was there at the time.

We’re hoping to recruit this particular DJ and leverage the likely trust that has been established with the club management to utilise them as an informant.

This will help us to infiltrate the drug gang running the nightclub and move us closer to dismantling their operation.

Expected flag format: XXXXXXXXX

Answer

For this case I used the service of https://aha-music.com/identify-songs-music-recognition-online and once I analyzed it, it gave me the name of the artist.

Challenge name: gonemissing

Points: 400

We’ve recently been made aware of the existence of several terabytes of CCTV footage from across London that were previously presumed lost in a backup failure and have been investigating the value of this to established investigations.

I’ve been handed a cold case about a body found in a bush in Hackney, London in December 2015. I’ve not worked a missing persons’ case before but I’m told that it has a case reference number of 15-007500.

Could you find out the brand of the jacket that they were wearing at the time of their disappearance? This will help me spot them when I’m checking the CCTV clips recorded by cameras around where they were discovered; hopefully we’ll find out how they ended up dead in the bushes!

Note: You have 5 attempts here so avoid guessing.

Expected flag format: brandOfJacket

Answer:

For this challenge, a search for the UK Missing Persons Unit leads to the following link, where the case can be accessed: https://www.missingpersons.police.uk/en-gb/case/15-007500.
The description of the clothes shows the brand of the jacket.

Challenge name: personalbanker

Points: 500

We’ve been granted authorisation for a wiretap on a phone belonging to a kidnapping victim; no calls have been made since they disappeared however just recently, there was a call made to a bank where the caller inputted a debit card number.

Can you find out the 16 digit card number so that we can trace the spending activity associated with this card? This will be very helpful in our effort to locate who may be a potential suspect in this case.

Expected flag format: ################

Answer:

Basically, they give us an audio file in which we hear the tones of a telephone keypad. I consider the objective of this challenge to be understanding the danger of typing a card number over the phone. After studying and asking friends a little, I learned that this is DTMF. Later I found an online service that performs the analysis, http://dialabc.com/sound/detect/index.html. I uploaded the audio file there and finally managed to recover the typed numbers, which belonged to a debit card.

Challenge name: foreigntransmission

Points: 400

Our signals intelligence team has captured a transmission originating from Western China and we have reason to believe that it may provide us with some kind of code that might be meant for a field operative of theirs. We’d like to know what it is.

The translation team is not available for us to utilise at the moment, so I’m wondering if you can use any of your digital tricks to work out what the code in the recording I’ve attached is?

Expected flag format: ###############

For this challenge they give us an audio file. When we listen to it, it sounds like Japanese. I proceeded to look for a tool to help me convert the audio to text, and I found the one from https://cloud.google.com/speech-to-text/.
After trying several times, I found that the Mandarin language from mainland China gave me the best results with the Google Cloud service.

Finally, it generates text in Mandarin and some numbers.

Translating it confirms to me that it is the access code:

Finally I remove the spaces and the hyphen and get the flag.
