BYUCTF 2022 – OSINT Compilation

So, we played BYU CTF 2022. There were 9 OSINT challenges. 9. It was absolutely party-time for a CTF player w/ OSINT-emphasis like me, and a tragedy for people who dislike the inherently guessy nature behind the genre. Our team managed to solve them all, so here was our (albeit flawed) thought process behind it.

Important note: Some of our lines of reasoning don’t make sense at all. That’s normal for this category, and it comes from a shit ton of brainstorming and guesswork. I’ll try my best to include wrong paths that we took, but for the sake of brevity some of it will be omitted.

Oh, also, here is a haiku to express my carnal, passionate, burning hatred for OSINT:

”Eternal Resentment”
Submerged in my tears,
I yearn for painless release.
The dreadful OSINT...
— enscribe

Thank you, and enjoy.

🐼 I don’t dream about noodles, dad

Whose signature is found beneath Po’s foot?
Flag format - byuctf{Firstname_Lastname}

I did a quick Google Lens search with my phone with the keyword “BYU” attached and this article turned up:

Jason Turner is a BYU computer science program graduate who works at DreamWorks and created all the data for Po’s character. The statue is a tribute to his success, as well as the University’s program and alumni.

Since the tribute is for Jason Turner, we can assume the signature is below his foot. The flag is byuctf{Jason_Turner}.

🌐 Oh The Vanity

The vanity and audacity of these scammers and their phishing attacks are just getting ridiculous. I read an article this month about a new way to mask phishing campaigns. They even included this photo. Find the date the article was published.
Flag format: byuctf{mm-dd-yyyy}

Reverse Google Search with “phishing” crib:

Vanity URLs Could Be Spoofed for Social Engineering Attacks by Robert Lemos, published on Dark Reading on 11 May, 2022.

The Vanity URL article was published on May 11th, 2022. The flag is byuctf{05-11-22}.

🧗‍♀️ B0uld3r1ng

I met a guy named Sam while climbing here in California. Can’t remember what it’s called though. Kinda looks like reptilian don’t you think?

Once again, I used Google Lens to figure out where the location of this image was. Turns out to be a place called the Lizard’s Mouth Rock in Santa Barbara County, California:

The image given to us is a direct screenshot of an image posted by Maps contributor Jonathan P., although that has little relevance to the challenge.

Moving on, although we have the location of the image taken the flag is in explicit format, meaning that it’s somewhere on the internet wrapped with byuctf{...}. We noticed that a guy named “Sam” was mentioned, so we guessed that we could find him leaving a review of the place on a platform.

We checked through the following platforms: Yelp, Google Reviews, TripAdvisor, AllTrails⁠—yet, we couldn’t find a recent reviewer by the name of Sam. Luckily, one of my team members searched up “Bouldering Lizard’s Mouth” (based on the challenge name) and happened to stumble across this website:

We scrolled down to the “Reviews” section and found this:

Hey, look! A Sam! Let’s check out their profile:

The flag is byuctf{ju5t_5end_1t_br0_v8bLDrg}.

💧 Squatter’s Rights

Somehow, somewhere, something in this picture has a flag, but my friend Blue Orca won’t tell me where it is!!!! Can you help me??

Hey, look! Another Google Lens problem! Although there’s a lot of blue water towers out there, I luckily stumbled across one that looked really similar in Flint, Michigan:

Going to the webpage, it mentions that this water tower is in “Genesee County. Mid Michigan.”, so with a quick Maps search I stumble across the “Wyatt P. Memorial Water Tower”:

This is where the rabbit hole begins. I looked around the reviews section of this place and found the absolute weirdest, most hilarious reviews of all time:

Robert Skouson
In all my days, I have never seen such a magnificent water tower. Being in its presence has given me powers beyond comprehension. I have mastered flight in the downward direction. I have 100% recall of events that happened to me in the last 5 minutes. I have also discovered I am completely invisible when no one is looking. This water tower has changed my view of who I am, and my ultimate potential.

This guy even claims it to be holy water:

Nicholas Martinez
This water from Wyatt P. Memorial Water tower has changed the way I see water, and drink it. Everytime I see this water tower, it makes me want quality water. Forget Poland Spring or Fiji. This is quality water! You know how in the Book of John Chapter 2, the Savior Jesus Christ turned water into wine? Well he actually turned already good wine to water from Wyatt P. Memorial Water tower.

This one might be my favorite:

McKay Lush
Professionally speaking as a water tower enthusiast, this has to be one of the best water towers that I’ve ever visited and I’ve visited thousands. The divine structure of the 10 legs leading to the plumply, robust water basin is enough to get any man excited. The satisfying twang as you bang the side wall sends shivers down even the most hardened of souls. Never before has such a feat been attempted and accomplished. Truly this should be the EIGHTIETH WONDER OF THE WORLD.

I actually stumbled across the person it’s named after, Wyatt Pangerl, and I was super curious as to what the hell was going on:

So I opened a ticket. Turns out, this Wyatt guy, a member of their team, managed to get the water tower named after himself after a series of divine, godlike social engineering strategies (assumedly to the county) and exploitation of the Squatter’s Rights law in California. He also claimed the location on Google Maps and put his burner phone there as well, which we called (he didn’t pick up). When I found his Facebook (will not disclose), I saw a multitude of his friends commenting hilarious crap, calling him “ICONIC” and a “LEGEND” for managing to make it happen.

Yet, there was no flag.

I continued to look around and managed to fall deeper into the rabbit hole, OSINT-ing everything between the model of Wyatt’s car, a Chrysler Crossfire 2006 (🤣) to where his parents file taxes... I even managed to get an award from a head admin for being a dumbass:

Then, while on the go, I checked the location on my phone... And look what we’ve got:

Apparently for whatever stupid, scatter-brained, vapid, moronic reason this “From the owner” section isn’t on Google Chrome. Screw you Wyatt, and your majestic, plump, baby-blue water tower. The flag is byuctf{h0w_d1d_1_st34l_4_w4t3r_t0w3r}. Once again, screw you Wyatt. I hope your taxes are messed up forevermore.

Editor’s note: The “From the owner” section can be found on the knowledge card of the main search result of “Wyatt P. Memorial Water Tower”.

💾 Okta? More like OhNah

Recently, the group known as LAPSUS$ released indications they breached Microsoft & one of the Largest SSO companies, Okta. In some of their leaks they hinted that “most of the time if you don’t do anything like ________ you won’t be detected.”.
flag: byuctf{answer_Timestamp in format: HH:MM} two word answer separated by an underscore.

Looks like a challenge regarding an infamous hacking group. Seeing that the flag asks for a timestamp and the language is pseudo-colloquial, I’d safely assume that this text mentioned somewhere came from a messaging board. I downloaded Telegram, their main method of communication with the real world, joining their announcements board, yet upon a Ctrl + F, I couldn’t find this message anywhere. Their board mentions a group chat, but it was recently purged and terminated. When the admin confirmed that this wasn’t the intended solution, I moved towards looking for screenshots surrounding the Okta leak. Our team found this tweet from John Hammond after a while:

even da big ones
[shocked pikachu] pic.twitter.com/YsvMMNQDPG

— John Hammond (@_JohnHammond) March 22, 2022

The flag is byuctf{port_scanning_11:22}.

A hint was later added to the challenge:

think screenshots! it is not on telegram but another platform with that same first letter. tweeted by a famous red head i think

Would have been easier. Love you, John Hammond.

🔪 Murder Mystery

While searching for secrets of the past, you find a scrap of paper that contains the following information:
0110111001110010011010000111000001101001011001000100110001001011110100001111
June 29, 1902
Because you’re great at OSINT, you trace this information back to a famous inscription. What is that inscription?

Flag - byuctf{inscription_with_underscores}
Note, the flag will not include the name or dates found in the inscription.

Instantly, we moved to Cyberchef for the binary conversion, and it resulted in nrhpidLKÐ. We thought it was garbage at first, until a teammate noticed “NRHP ID” within the string, which is related to the National Register of Historic Places. Since there’s a historic date also in the description, we can immediately conclude that this is the correct path to take. We isolated the last part and converted it into decimal instead - 80002319.

Following the trail for NRHP ID 80002319, we found this UpWiki Page About the “Jesse James Home Museum”, which is the location registered under this ID.

When I looked up “jesse james famous inscription”, I found a Smithsonian Magazine page that photographs Mr. Jame’s grave:

Removing the dates and names as the description specifies, the flag is byuctf{murdered_by_a_traitor_and_coward_whose_name_is_not_worthy_to_appear_here}.

🎂 Buckeye Billy Birthday

Buckeye Billy, our lovely, nutty, history loving friend, has a birthday coming up! Billy is as cryptic as can be, and we have no idea what to get him for his birthday. We did find three hints on written on his desk. Can you help us find where we should buy a gift from?
Hint 1 Hint 2 Hint 3

byuctf{storename}

I took a look at the three hints, and they were Wordle games that resulted in WATER, CALLS, and PROBE. Since we were looking for a shop (meaning a location), we immediately turned to what3words and stumbled across this location in Charlotte, Ohio:

We tried a couple of stores around the area to no avail, until an admin told us in a ticket that we were in the wrong place. By extension, we decided to try out various permutations of water, calls and probe:

Most of them were bogus except ///water.probe.calls, which was on E. McMillan St, Cincinnati, Ohio. We assumed it was correct (and admin later confirmed) because the nickname “Buckeye Billy” comes from the fact that he loves the Ohio State University Buckeyes football team. (Bonus: The Ohio Buckeye is a type of nut, and the description says that he is “nutty”). Our teammate somehow connected “history-loving” to old stores in Cincinnati, Ohio, and upon a Google search we found:

The flag is byuctf{graeters}. This was a guessy challenge, so don’t feel dumb. I felt dumb too.

💬 Buckeye Billy Blabbin’

Buckeye Billy discovered social media. And probably posts too much. Try to see what you can find. for this problem and others!
Flag will be completely visible once solved! You will see byuctf{}.

Step 0 is to find his social media account, which we did by searching “Buckeye Billy” on Twitter:

We scoured his Twitter account on the Wayback Machine for it to no avail (and even found some deleted stuff from a previous internal CTF).

I slowly began to despise him... that Buckeye Billy. That stupid, perfectly circular nuthead with the even stupider BYU sombrero. We gave up on the challenge and I cried to the admin until he got annoyed and agreed to post a global hint:

the more billy tweeted about something, the more of a hint it might be. The flag is on his account someplace.

He tweeted a lot about song lyrics:

We decided it would be best to create a list of songs, in addition to counting occurrences of topics he discussed (for brainstorming purposes). We ended up with this list:

Songs:

• Boulevard of Broken Dreams
• The Sound of Silence
• 3 Words
• One Place
• Greater
• Ice Cream
• Man in the Mirror
• Magic Mirror

Places:

• BYU Creamery
• Rancherito’s Mexican Food
• Buc-ees
• Bricks Clothing

Topics:

• Pigeons (5×)/Birds (7×)
• Cats (6×)
• Michael Jackson (5×)
• Ohio State Buckeyes (5×)
• Chili/Sports Game Food (4×)
• Fortnite (3×)
• Star Wars (3×)
• Hockey (3×)
• Basketball (1×)
• BYU Cosmo (1×)

Hey, check that out in the Songs list. “3 Words”, “One Place”, “Greater”, “Ice Cream”? That sounds a lot like our previous challenge, Buckeye Billy Birthday. Looks like these were meant to be solved in tandem. By extension, “Man in the Mirror” and “Magic Mirror” were also hinted at, and we found a tweet of Billy posing in front of a mirror with a BYU hat. Uncoincidentally, this is the only mention of BYU in his entire profile (I believe):

thanks @byu_cosmo for the great hat! pic.twitter.com/IbPentkUgE

— #1 Buckeye Fan billy (@William_buckeye) April 15, 2022

My team used steganography tools on this image, and lo and behold:

The flag is byuctf{t@lk_0sinty_t0_m3}. Also an extremely guessy challenge. Screw you, Buckeye Billy. And Wyatt too, if you’re reading.

🎶 43

It’s at your fingertips!! Who made this code?
S fsu om yjr aogr 3"45
Flag format - byuctf{blank_blank}

Looks like something the DCode Cipher Identifier could figure out:

dCode’s analyzer suggests to investigate:
Keyboard Shift Cipher ■■■■■■■■■▪
Substitution Cipher   ▪
Shift Cipher          ▪
Homophonic Cipher     ▫
ROT Cipher            ▫

I threw it into their Keyboard Shift Cipher and got this:

qwerty → A day in the \ife 2:34
qwerty ← D gdi p, ukt spht 4A56
qwerty ↓↻ W va7 ln ume slf4 e:v6
qwerty ↑4 S fsu om yjr aogr 3_45
qwerty ↓4 S fsu om yjr aogr 3{45

“A Day in the Life” is a song by the Beatles (a fascinatingly good one too), and I took a look the decoded timestamp 2:34 in the music video:

Although I couldn’t find who the person in the timestamp was, someone in the comments named the individuals at timestamps:

Carl Anderson 3 weeks ago

0:20 Mick Jagger (Rolling Stones)
0:20-1:43 Marianne Faithfull (singer)
1:03 Keith Richards (Rolling Stones)
1:31 Donovan (singer)
0:48 George Martin (producer)
1:18-1:36 Pattie Boyd (model)
3:00 Marijke Koger (fashion designer)
3:31 Michael Nesmith (Monkees)

166 likes, 4 replies

The guy at 3:31 is the same as the guy at 2:34, so it’s Michael Nesmith from the Monkees.

Looking up “Monkees 43” on Google, we discover that there’s actually an old website called monkeesrule43.com.

This is where you guess all the names of the Monkees. Not sure of the logical thought process yet. Flag is byuctf{micky_dolenz}.

Solvers

• 🐼 I don’t dream about noodles, dad: enscribe
• 🌐 Oh The Vanity: sahuang
• 🧗‍♀️ B0uld3r1ng: sahuang, enscribe, Battlemonger
• 💧 Squatter’s Rights: enscribe, sahuang
• 💾 Okta? More like OhNah: Battlemonger, enscribe
• 🔪 Murder Mystery: Battlemonger
• 🎂 Buckeye Billy Birthday: Battlemonger, sahuang, enscribe
• 💬 Buckeye Billy Blabbin’: Battlemonger, enscribe
• 🎶 43: Battlemonger, neil, enscribe

Thanks Battlemonger for carry!