CyberSoc | Cyber Detective CTF Write Up — Evidence Investigation
Cyber Detective CTF is an OSINT-focused CTF created by the Cyber Society at Cardiff University. There are 40 challenges across 3 categories: General Knowledge, Life Online and Evidence Investigation.
Evidence Investigation Progress: 18/18 — Fully Complete
Let’s start!
Here is the image,
That’s definitely a Ford Focus or Ka.
Well, since I already knew the brand and model of the car, I started searching the plate. I googled the plate and clicked the first site.
Yay, I guessed the Ford Ka part :)
Answer: Ford June
Question 2 — connectionrefused
So I tried opening the site, but it failed. Since it says it was accessible 4 years ago, let’s go to web.archive.org. There were multiple snapshots, so I checked them all. One of them led to the answer.
Doctor Who?
Answer: IceCTF{Th3y’11_n3v4r_f1 |d_m4h_fl3g_1n_th3_p45t}
Question 3 — chemtrails
Here is the image,
I simply searched “online barcode scanner/OCR”, opened the first link, and boom.
Answer: SEAT NUMBER: 22B
Question 4 — bigbrother
So, the IP doesn’t work, or it was not active when I checked it. Because of this, I found an old write-up and took the image from it to solve the challenge :(
I wish I could have seen it myself.
It’s definitely Europe. I was going to crop the image but got lazy and started a reverse image search.
Thanks, Yandex
Answer: Belgium
Question 5 — balencethebooks
As a non-British person, this was very weird to solve. I searched TECHNOLOGY SERVICES LIMITED and started clicking all the links. Then I found this bizarre site. Fake government site? I don’t know: find-and-update.company-information.service.gov.uk
Just look at that domain. Wow.
Anyhow, at this point, I’m still aimlessly clicking things… Then I saw “Filing History”, huh. Okay, that could be nice.
So, again, I started clicking on all the links that said “full accounts”. Here’s a peek.
Then I started trying all the numbers that were labelled “Cash at Bank”. Eventually, I got it right, but I have no idea which document or column I used :(
Answer: Cash at Bank
Question 6 — readyfortakeoff
Here is the Image that they gave,
So, I solved this purely by chance. My original idea was to find a free archival flight history site, but all the free sites only let you search a couple of months back. So I figured that, since these flight times should be mostly the same on different dates, I would simply try the arrival time at the destination for every first flight of the day. The sites I used were:
- https://airportinfo.live/arrivals/rnn/airport-ronne-bornholm-ronne
- https://www.radarbox.com/data/airports/EKRN?tab=departures
- https://www.flightstats.com/v2/flight-tracker/departures/RNN/?year=2022&month=1&date=25&hour=6
I found the answer on my 4th try: the earliest departure time I saw was 06:15, and according to that flight data, it arrived at its intended destination at 06:55, which was the answer.
Answer: 06:55
Question 7 — inplainsight
Firstly, the link doesn’t work, so I had to find my own tool for this. I used my trusted site for this one, https://aperisolve.fr/, but couldn’t find the text, so I skipped this question.
Question 8 — gunpowder
The link doesn’t work, sadly, so here is the image,
So the first thing I checked wasn’t the loft name but that tower silhouette. I opened a random blog about the most famous towers in the world and found that the CN Tower seemed like a close match. So let’s search Toronto.
There are a few weird results, but results 1, 2, 5 and 8 are on the same road, which is Birchmount Rd. This is our answer.
Answer: Birchmount Rd
Question 9 — sos
Here is the text,
Well, that’s just Morse code (I used dCode).
Answer: GOLDENEAGLE
Question 10 — rollingeyes, Wow, that’s long
Here is the image,
I simply searched Poppy-n-pals pet care service, and the first result was correct.
I don’t get how we are supposed to solve this one, but my thought process was this: check the road in the dead centre of the image, and that road is Amherst Cres.
The first random place I picked has this dude, and I immediately tried it, and it worked.
Answer: Amherst Cres
Question 11 — proofinthesignal
Well, I already knew about Wi-Fi mapping sites, so I just used WiGLE,
WiGLE -> Bristol
From the map on the right, we can find two “jammy” markers on St Marks Road.
Answer: jammy
Question 12 — undercover
I’m going to be honest, this was the dumbest question yet, or I’m very dumb; I can’t decide. I tried lots of tools to analyze this given blank PDF file.
Can be seen here,
After a while I got bored and started randomly clicking on the blank page until something was selected.
The text was Lock Code: 956445
Answer: 956445
Question 13 — defrauded, So long wow
Here is the given pdf file,
Well, this one is probably the most straightforward question yet. 7-Zip said the file was modified in 2012, but the PDF said it was 2020. So I just used 13/05/2012, and it worked.
Answer: 13/05/2012
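The check behind the “defrauded” answer, as an added example that is not from the write-up: read /CreationDate and /ModDate out of the PDF’s Info dictionary and compare them with the filesystem modification time that 7-Zip reported. The PDF bytes are a constructed minimal file and the 2012 mtime is set with os.utime; the date values are chosen to mirror the 2012-vs-2020 mismatch described above and are not taken from the challenge file.

```python
# Added example (not from the write-up): compare the dates a PDF claims in its
# /Info dictionary with the modification time recorded by the filesystem (what
# 7-Zip displayed in the write-up). A large gap between the two is the kind of
# discrepancy the "defrauded" challenge hinged on. The PDF below is a minimal,
# constructed file; the 2012 mtime is an assumed value set with os.utime.
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

PDF_DATE_RE = re.compile(
    r"D:(?P<Y>\d{4})(?P<M>\d{2})?(?P<D>\d{2})?(?P<h>\d{2})?(?P<m>\d{2})?(?P<s>\d{2})?"
    r"(?P<tz>Z|[+-]\d{2}'?\d{2}'?)?"
)

def parse_pdf_date(raw: str) -> Optional[datetime]:
    """Parse a PDF date string such as D:20200513101500+01'00' into an aware datetime.
    Missing fields default to 01/00 as the PDF spec allows; a missing tz is treated as UTC."""
    m = PDF_DATE_RE.match(raw.strip())
    if not m:
        return None
    g = m.groupdict()
    tz = timezone.utc
    if g["tz"] and g["tz"] != "Z":
        sign = 1 if g["tz"][0] == "+" else -1
        digits = g["tz"][1:].replace("'", "")
        tz = timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:4] or 0)))
    return datetime(int(g["Y"]), int(g["M"] or 1), int(g["D"] or 1),
                    int(g["h"] or 0), int(g["m"] or 0), int(g["s"] or 0), tzinfo=tz)

def pdf_info_dates(data: bytes) -> Dict[str, datetime]:
    """Extract /CreationDate and /ModDate from the raw bytes of a non-encrypted PDF
    whose Info dictionary is stored uncompressed. Returns a dict keyed by field name."""
    out = {}
    for field in ("CreationDate", "ModDate"):
        m = re.search(rb"/" + field.encode() + rb"\s*\((D:[^)]*)\)", data)
        if m:
            parsed = parse_pdf_date(m.group(1).decode("ascii", "replace"))
            if parsed:
                out[field] = parsed
    return out

def metadata_vs_filesystem(path: str) -> Dict[str, object]:
    """Return the internal dates, the filesystem mtime (UTC) and the gap in days
    between /ModDate and the mtime (None if the PDF has no /ModDate)."""
    with open(path, "rb") as f:
        info = pdf_info_dates(f.read())
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    gap_days = None
    if "ModDate" in info:
        gap_days = abs((info["ModDate"] - mtime).total_seconds()) / 86400
    return {"info": info, "fs_mtime": mtime, "gap_days": gap_days}

# Constructed minimal PDF whose internal dates claim May 2020.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              b"2 0 obj << /Producer (example) /CreationDate (D:20200513101500+01'00') "
              b"/ModDate (D:20200513101500+01'00') >> endobj\n"
              b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")

def demo() -> Dict[str, object]:
    """Write the sample PDF, backdate its mtime to 13 May 2012 UTC (assumed), and compare."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PDF)
    fs_time = datetime(2012, 5, 13, 9, 15, tzinfo=timezone.utc).timestamp()
    os.utime(path, (fs_time, fs_time))
    try:
        return metadata_vs_filesystem(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    r = demo()
    print("PDF says modified:", r["info"].get("ModDate"))
    print("Filesystem says:  ", r["fs_mtime"], "-> gap of %.0f days" % r["gap_days"])
```

The regex only reads an uncompressed Info dictionary; PDFs whose metadata lives in an object stream or an XMP packet need a real parser such as pdfinfo or pikepdf. Also keep in mind which clock produced the filesystem time: an mtime survives inside a ZIP or 7z archive but not every download path, which is why the archive listing was worth checking against the file’s own claim.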
Question 14 — photophile
This question is about EXIF. Using my trusted EXIF site, we can see that a Motorola Moto G3 camera took this photo.
Answer: Motorola Moto G3
Question 15 — xorrelase, Cool Question
So, as an engineer, I know what XOR is, and since I also know how to use CyberChef, this was an easy question.
This XOR panel brute-forces XOR combinations and gives a list.
As you can see, the answer is MyStrongWiFi54.
Answer: MyStrongWiFi54
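The brute force that CyberChef’s XOR panel performs, written out as an added example (this is not code from the write-up or from CyberChef): try all 256 single-byte keys and rank the outputs with an English-likeness score rather than a bare “is it printable” check. The ciphertext is constructed here by XORing the write-up’s answer with an assumed key byte of 0x5A; the real challenge input is not reproduced on this page.

```python
# Added example (not from the write-up): single-byte XOR brute force, the same
# idea as CyberChef's "XOR Brute Force" operation. The ciphertext below is
# constructed here by XORing the write-up's answer with an assumed key byte.
from typing import List, Tuple

# Approximate English letter frequencies (percent), used to rank candidates.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte key."""
    return bytes(b ^ key for b in data)

def english_score(candidate: bytes) -> float:
    """Higher is more plausible text: letters score by frequency (with a small
    bonus for lowercase), digits a little, other printable bytes are penalised
    and control/high bytes penalised hard."""
    score = 0.0
    for b in candidate:
        c = chr(b)
        if c.isascii() and c.isalpha():
            score += ENGLISH_FREQ[c.lower()] + (0.5 if c.islower() else 0.0)
        elif c == " ":
            score += 13.0
        elif c.isascii() and c.isdigit():
            score += 1.0
        elif 0x20 <= b < 0x7F:
            score -= 5.0
        else:
            score -= 20.0
    return score

def brute_force_xor(ciphertext: bytes, top: int = 5) -> List[Tuple[int, float, bytes]]:
    """Try all 256 single-byte keys and return the `top` best-scoring
    (key, score, plaintext) triples, best first."""
    results = []
    for key in range(256):
        pt = xor_bytes(ciphertext, key)
        results.append((key, english_score(pt), pt))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results[:top]

# Constructed sample: the write-up's answer encrypted with an assumed key of 0x5A.
ASSUMED_KEY = 0x5A
SAMPLE_CIPHERTEXT = xor_bytes(b"MyStrongWiFi54", ASSUMED_KEY)

def recover_sample() -> Tuple[int, bytes]:
    """Best key and plaintext for the constructed sample."""
    key, _score, pt = brute_force_xor(SAMPLE_CIPHERTEXT)[0]
    return key, pt

if __name__ == "__main__":
    for key, score, pt in brute_force_xor(SAMPLE_CIPHERTEXT):
        print(f"key=0x{key:02x} score={score:6.2f} {pt!r}")
```

For a short input several keys produce all-printable output (a key differing only in bit 5 flips letter case, for instance), so a plain printable filter is not enough on its own; the frequency score separates them here, but the top few candidates are still worth eyeballing, which is what the CyberChef list makes easy.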
Question 16 — mothertongue, Cool question
Here is the given text,
Well, it’s not Arabic. It’s Pashto. Very interesting. But that’s not the answer. Hmm, weird. Then I saw multiple different texts. Here are some,
Nice
After this, I figured there must be some special word for the answer. After painfully removing the Pashto, these six sentences were left, and the last one is the answer. It translates to “Clouds”.
Answer: Clouds
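A mechanical version of the “remove the Pashto” step, as an added example that is not from the write-up: classify each line by the dominant Unicode script of its letters, using the character names shipped with Python’s unicodedata, and keep everything that is not Arabic script (Pashto is written in the Arabic script). The sample lines are constructed for this example; none of them are the challenge text.

```python
# Added example (not from the write-up): separate a mixed-script text into the
# lines written in each script, so the Arabic-script (Pashto) lines can be
# dropped mechanically. Script names come from the Unicode character names in
# the standard library, so no third-party language detector is needed.
# The sample sentences are constructed for this example; none come from the CTF.
import unicodedata
from collections import Counter, defaultdict
from typing import Dict, List, Optional

def char_script(ch: str) -> Optional[str]:
    """First word of the Unicode name, e.g. 'ARABIC', 'LATIN', 'CYRILLIC', 'GREEK'.
    Returns None for spaces, digits, punctuation and anything without a name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None

def dominant_script(text: str) -> Optional[str]:
    """Majority script among the letters of `text`, or None if there are none."""
    counts = Counter(s for s in map(char_script, text) if s)
    return counts.most_common(1)[0][0] if counts else None

def bucket_by_script(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines by their dominant script; lines with no letters go to UNKNOWN."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[dominant_script(line) or "UNKNOWN"].append(line)
    return dict(buckets)

def non_arabic_lines(lines: List[str]) -> List[str]:
    """Everything not written in the Arabic script (which Pashto uses)."""
    return [line for line in lines if dominant_script(line) != "ARABIC"]

# Constructed sample lines (escaped so the file stays ASCII-safe).
SAMPLE_LINES = [
    "\u0633\u0644\u0627\u0645 \u0646\u0693\u06cd",              # Arabic script with Pashto letters
    "\u041e\u0431\u043b\u0430\u043a\u0430",                      # Cyrillic
    "The quick brown fox",                                       # Latin
    "\u03a3\u03cd\u03bd\u03bd\u03b5\u03c6\u03b1",                # Greek
    "\u0645\u0648\u0646\u0630 \u0628\u0627\u0631\u0627\u0646",  # another Arabic-script line
]

if __name__ == "__main__":
    for script, lines in bucket_by_script(SAMPLE_LINES).items():
        print(script, lines)
    print("left after removing Arabic script:", non_arabic_lines(SAMPLE_LINES))
```

This separates scripts, not languages: Pashto, Persian, Urdu and Arabic all land in the ARABIC bucket together, so it cannot tell Pashto from Arabic the way the write-up’s identification did. Once the Arabic-script lines are gone, the remaining handful is small enough to run through a translator by hand.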
Question 17— hostiletakeover, So long
Here is the given PDF file,
Well, after googling Land Registry, I came to this site
It wasn’t really helpful, or I couldn’t use it, I don’t know. After this, I found this other page through the site’s search function.
That site leads to this search engine,
Here I set the amount paid to £20,000.00, don’t ask why, and set the dates to match the date given in the bank statement (one month before is September), but I couldn’t be sure this would be correct, so I set the end date to 31 October just in case. In the end, this gave me about 70 results.
Time to learn Welsh city names, I guess. I’ll skip this part, but in the end, there were two possible answers, so I tried them both. Tesco was the answer.
Cool Site
I have to say. This question was very hard.
Answer: Tesco
The last question
Question 18 — bitcoinbuster, Longest Question
Here is the given HTML file,
So let’s open all the links and set the dates to 1st Feb 2020. Here is one as an example,
Note: the site uses the same query for every currency, so I just copied this query each time: xxxxxxxxxx/history?period1=1580515200&period2=1580515200&interval=1d&filter=history&frequency=1d&includeAdjustedClose=true
Now, multiply every currency’s Open price by 3.581074451254057 to see if it makes any nice numbers :)
AUD (Australian Dollar) was the answer, as seen above.
Answer: Australia
Well, that was the end of Cyber Detective CTF. Completion 39/40
Thank you, Cyber Society of Cardiff University, for this amazing CTF. Since I finished this one, I’ll be doing Cyber Investigator CTF in the future.