In this article, I’ll show you how I solved the OSINT Quiz 006 from Gralhix. I give myself 30 mintues to solve it. Enjoy!
Problem
Caption “BREAKING: TTPcarried out a suicide attack on a police post in Khyber city of Pakistan that killed three Pakistani police officers.“ Image
Verify the image but don’t go after the journalist
Tldr : The photo was not taken in Pakistan and it’s not a TTP attack. It’s orginally taken in Iraq.
Reflection
I restate the problem in my own language to simplify it. (Problem Restatement)
I restate the problem in the following : “There was a terrorist attack in Pakistan. A journalist claimed that the picture attached as the attack mentioned. I need to find out if the photo really was the terrorist attack mentioned (TTP attack in Pakistan)?”
Next, I have to verify it. How can I tell if it’s true? Simple, I need to find out whether it was really happening in Pakistan. Then if it’s really in Pakistan, I will dig deeper to see if it’s really the TTP attack which the post describes.
Next as usual, I use Yandex as a starting point. I noticed some results that can reveal the answers :
I noticed Cирия (Syria), but is it really in Syria though? I don’t know either but, that’s not the task.
I concluded that the photo is not a TTP attack. Besides, the photographer didn’t even take it in Pakistan at all.
During this quiz, I found out who the journalist was. I decided not to dig further however, because that’s not the task. So we’re back to the initial question.
I have answered the question, although my curiosity remains. Where was this photo taken, really?
I decided to dig further for the answer, then I found a page from Wikimedia. The Wikimedia description lists US Navy as the source with the link to US Navy official site, although the link is dead.
I suppose there is a way to find the archive, but I haven’t learned that far yet. So I decided to end this task. After this, I will attempt the next OSINT Quiz.
So that’s my Write Up for OSINT Quiz 006. I found how my little russian knowledge can help me answered this quiz.
In this article, I’ll show you how I solved the OSINT Quiz 002 from Gralhix. I give myself 30 mintues to solve it. Enjoy!
Problem
Find out the train station’s name in the image.
Measure the tallest building in the image.
Tldr : I found out that the station’s name is Flinders Street Station at Melbourne and the tallest building is the IBM Tower131m/430 ft. However, I got the second question wrong. Despite that, I will leave it as it is for lessons sake.
Reflection
Find out the train station’s name in the image
I will use Nixintel gap analysis to solve this challenge. For the first question, I need to answer the stations name. The gap analysis is shown by quote block for the sake of readability, but the result and everything else stays the same.
I can use Buildings to give more context of the station
After that, I list up what should I know to answer this.
Train station name in the picture
Finally, I can devise a plan to figure it out.
Look up Flinders Street station
Look for buildings to give more context
Result :
The station’s name is Flinders Street Station. I figured it out based on the obvious nameplate that is visible in the image and based on the visual additional visual clues provided by Wikipiedia. Clue 1 , Clue 2
Measure the tallest building in the image.
Now that I figure out the station’s name, I can answer the next question. I need to figure out what is the tallest building in the image, but I need to know what is the tallest building first. To do so, I simply looked at the image for the tallest building.
Based on the visual clues, I choose the building with the black nameplate on the right. IBM? Let’s find out. Then I found the building data on Skyscraper Center. It is IBM Australia or also known as Southgate Tower 1. However, something feels off.
The Realization
Since there is no way to tell if my answer is right like TryHackMe does, I decided to check others’ write up with the intent to correct myself, but I have locked my answer to IBM Tower131m/430 ft. I checked a write up by Johnny Gizmo on Medium. The answer is Focus Building at 166 meters tall.
OSINT Quiz 002 highlighted my problem : I jumped into conclusion. I hyper focused to the IBM tower and forgot to consider another options. Lesson learned : observe more and consider moreoptions.
Search Light CTF is a beginner level CTF made by Zewensec hosted at TryHackMe. It teaches the basics of Geolocation and Imagery intelligence. The problem is divided into nine tasks which explains the techniques & few questions to answer using the said techniques.
Search Light CTF is the part of my submission for OSINT Dojo Student rank requirements. To make this CTF more challenging, I decided to add my own rule : finish the questions within 30 minute. If I failed to finish it in 30 minute, the score will be zero, and I have to move on to the next question.
Search Light CTF Write Up
Task 1
Task 1 explains what the CTF is and what should you do and asks you if you understand it by the end of the section. I instantly typed “yes” but I was wrong, then I typed few more times and still got it wrong until I lost my calm. After that, I decided to take a break and read it again, carefully. Guess what, I just have to type sl{ready}. We haven’t started the quiz yet, but there goes the first lesson, read carefully.
Task 2
Material
The first question explains more about geolocation challenges. It tells you the list of questions that you can use to get started with answering the challenges (Benjamin Strick):
Any obvious data in the image that can reveal the location? (Street & store signs)
Can you identify the region of the image? (Driving side, language, architect)
Do you recognize the environment? (Road sign, nature, motor brands)
What is the quality of the environment? (Paved or gravel roads)
Is there any unique landmark? (Building, bridges, statues)
Problem
What is the name of the street that was taken?
Reflection
I Instantly asked myself, “Any obvious data in the image that can reveal the location?”, and yes there is. The “Welcome to Carnaby Street” sign, so the answer is Carnaby Street.
Task 3
Material
The next task explains about Google search engine operators which also known as Google Dorks. I have been using Google Dorks long before I get into CTFs, but this is the first time I see them being used for geolocation.
Problem
Which city is the station located in?
Which tube station do these stairs lead to?
Which year did this station open?
How many platforms are there in this station?
Reflection
To solve this problem, I need to figure out what’s the station’s name first. How could I find it? I noticed a covered letter “*lly Circus Station”, so I decided to look it up with Duckduckgo and found out that the station’s name was “Picadilly Circus Station” in London. Ater that, I looked up when the station was opened (1906) and the numbers of platforms (4) through Wikipedia and London Underground site.
Task 4
Problem
Building this photo taken in
Country of this building
The name of the city
Reflection
I notice the “yvr.ca” letter in the image, thus it must be somewhere in Canada, but where to be precise? Then I decided to visit the web and read what it is, the Vancouver International Airport website so the building is Vancouver International Airport. Last question was the city which I typed “Vancouver” and got it wrong. Apparently Vancouver isn’t a city name, but Richmond is.
Task 5
Problem
Coffee shop, city
Coffee shop, street name
Coffee shop, phone number
Coffee shop, email address
Coffee shop, owner’s surname
Reflection
This one is the trickiest by far. No obvious clues like the previous images. I decided to manually bruteforce the city name by using the list of cities in Scotland but didn’t get anything.
So decided to read again, closely. Here are the clues I gathered :
Scotland
Coffee shop
The best lunch
Edinburgh Woollen Mill
The building’s physical features
I looked up what Edinburgh Woollen mill is. Luckily, I found an article with photo identical to the task’s image here which shows Blairgowrie as the location. Thus, I can narrow it down to the Edinburgh Woollen Mill at the city and found out the Coffee Shop through google maps.
After that, I dug the info on Wee Coffee shop at Allan Street from the phone number (+447878 839128), to email (theweecoffeeshop@aol.com) and the owners names are David and Debbie Cochrane according to this website.
Task 6
Material
This task introduces Reverse image search to “extract” information from an image by using the image as the search’s term. Sometimes it does not go well so Aric Toler adviced us to do these things :
Search engine priority : Yandex > Bing > Google
Images from Central & South America, Africa, and Asia are much harder to locate.
Methods to improve image search :
Increase the resolution
Crop or pixelate certain elements
Mirror, filter, clone tools can work too
Consider using specialized search engines or databases.
Problem
The restaurant name in the photo (famous nickname)
Bon Appetit editor who took this image (located in a youtube video)
Reflection
I used Yandex reverse image search to do look up which restaurant it was taken. The first result showed the Insider news with its nickname (Katz’s Deli). After that, I looked for Bonnapetit article using Duckduckgo and found out that it was written by Andrew Knowlton.
Task 7
Material
No new material but it reminds us to scan for visual clues, reverse image search, use search operators and be patient. It should be easy.
Problem
The name of the statue
The photographer
Reflection
As usual, reverse image search with Yandex reveal its location, Tjuvholmen Sculpture Park (Oslo) but nothing reveals the statue’s name so far. I visited the park’s information from Wikipedia, Trip Advisor, and Astrup Fearnley Museet but nothing shows up.
I decided to tap hint but it does not make sense at all. What’s even that supposed to mean? Even google translate does not make any sense.
At this point I was losing my calm and felt like hitting the laptop screen but that won’t get me anything either. I managed to calm down and looked again. A page from Wikimedia showed up and further scroll revealed that it is “Rudolph the Chrome Nosed Reindeer“
There’s five minute left but I haven’t answered the 2nd question at all. I noticed a write up made by someone else with the answer and that triggered a “moral conflict”.
“Why don’t you just copy someone’s answer? I mean, that’s OSINT too right, the info is already public.”
Yeah I know, but I don’t feel right about this. Ethics is part of the investigation. How can I stick to ethics if that’s what I do?
“Come on, it’s just a game.”
Yeah it’s just a game, but doesn’t a game prohibit you from cheating? If you cheat, you suck, but I’m not.
“Think practical. What if the requirement is to 100% the CTF?”
Find another ctf and 100% it then.
“But you are wasting more time.”
No, time is wasted if you enjoy it.I decided to left it blank for honesty. That won’t give me any score but I don’t care.
This is the toughest task. I feel so stupid for not being able to solve this. Should I just give up already?
Task 8
No I didn’t give up. I’m back for another quiz. Hopefully it won’t be so hard.
Material
The material is a video by Amy Herman which explains how observing arts can change how you think. Honestly I don’t understand what is being said yet, but I believe that I need to be more patient.
Problem
The name of the character
Location of the statue
Opposite building name
Reflection
Yandex reverse image search returns Фемида (Femida). What is this? Apparently it’s Themis in russian, but Themis returns incorrect answer. I figured out that the statue’s name is Lady Justice after a few tries.
The statues name is the Lady Justice, but there should be many of such statues around the world. I need to be specific. Another article from Ria Novosti presents the statue with США, which is USA in russian. So we need to look up “Lady Justice statue in USA”.
The search returns The Verge article featuring the same image of the statue, then I looked up the link of the image which reveals to be Gettyimages source. I figured out that the statue was located at Albert V Bryan Courthouse in Alexandria, Virginia where its opposite location isThe Westin Aexandria Old Town.
Task 9
Material
The last task is a bit different.While the previous tasks were about geolocating images, this one focuses on gelocating video instead. I don’t put the video file here because it’s too big for the website.
The steps are almost the same, but with an additional addition, we use FFMPEG to turn video’s frames into images. After that, we can analyze it as usual.
Problem
The name of the hotel which the recording took place.
Reflection
I decided to challenge myself by not using FFMPEG, instead I looked at the video myself and took screenshots. The landscape looks like Singapore, but I need more context.
Then I noticed “Riverside Point” at the right of the hotel. After that, I checked Google Map and look around for the hotel. I tried to guess the hotel’s name. To narrow my guesses, i take notes of the answer format “4 words, 7-9-6-4 characters each”. Novotel Singapore Clarke Quay was the answer.
Conclusion
So that’s how my Search Light CTF went. While it’s cliche, this CTF taught me to be patient and read carefully, even though I don’t lack those qualities. That aside, this CTF showed me that I’m afraid of failure more than I admit it. On the more practical side, I really need an efficient way to manage my files and keep my notes.
This CTF also taught me the importance of languages. By the time of writing this, I’m learning Spanish already with familiarity in Arabic & Russian. My little Russian knowledge helped me to narrow down the location as the Task 8 shown, meanwhile Task 7 gave me headache as I have to scroll through Norwegian sites. Sure we have advanced translators now but I’d rather master the language myself.
,_Astrup_Fearnley_Museet_(Renzo_Piano),_Oslo_-_Norway.jpg){kind=link}