Hacktoria — Human Traffickers

WireC47
May 4, 2023

This is my write-up for the “Human Traffickers” Hacktoria challenge.

Briefing:

Greetings, Special Agent K.

We have a very urgent matter handed to us from the joint task force, MET Police and Interpol. They have joined forces to bring down a notorious human trafficking gang. Unfortunately, their sting operation went sideways in a big way. Somehow the gang knew about the sting and managed to clear out their operations before the teams arrived, leaving them with nothing but their dicks in their hands!

One of the task force agents did find a very battered Computer Hard Drive, that they handed to their Cyber CSI team to try and recover anything that could help with the investigation, however all they were able to recover was a password protected “Database Backup” file and a file named “message.gpg”. This is where Hacktoria comes in, I do not need to tell you how delicate and important this is, egg on face springs to mind, so let’s make some sense of this and see if you can retrieve any useful data to aid in tracking down the whereabouts of the gang.

As our best Agent at this Data Forensics stuff, this falls to you.

It is the belief of the task force analysts that the gang will retreat to one of their “Safe-Houses”, re-grouping and letting the heat die down before resuming operations. We need to locate the safe house before they are in the wind for good.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Materials and Answer Instruction:

I’ll omit those here, since instructions are provided with each step of the investigation; I’ll include them at the appropriate steps instead.

Also a quick disclaimer: All of the commands and inputs to wrangle and edit files were done on a Linux machine. Everything is totally doable on Windows as well, I just find it… cumbersome. If you’re passionate about OSINT/Hacking, do consider learning Linux at least in a virtual machine, bit of a curve but so worth it.

Investigation:

Step One:

1. Verify CHECKSUM of the file(s).
2. Review the files contained within and begin your investigation, geolocate the "Safe House" location.
3. Encode the answer as an MD5 hash and append to bit.ly/[MD5 HASH]
Example: bit.ly/0e5c61db18f50fcdab900de1efd6fea3
4. Visit the bit.ly URL for next step.


Note:
* All names are in English.
* All names as per Google Maps.
* Lowercase characters and hyphens only.


Example format: street-name-village

Example answer: south-st-hyanni

Alright, first let’s verify the checksums (they check out) and survey what’s there: a zipped database backup and a GPG-encrypted message.
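Every stage of this contract starts with “verify CHECKSUM of the file(s)”, so it is worth having a verifier that fails loudly. The helper below is an added example (not part of the original write-up or the challenge materials): it reads a checksum file in the GNU coreutils `<digest>  <filename>` layout (an assumption; the challenge does not show its CHECKSUM file), picks the algorithm from the digest length because the instructions never say which one is used, and reports matches, mismatches and missing files separately. The file names and contents in the demo are constructed.

```python
import hashlib
import os
import tempfile

# Digest length in hex characters -> algorithm. Covers md5sum/sha1sum/sha256sum/sha512sum output.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so a large evidence image never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse '<hex>  <name>' lines (coreutils format; a leading '*' on the name marks binary mode).

    Returns a list of (expected_hex, filename); blank lines and '#' comments are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) not in _ALGO_BY_HEXLEN or not name:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        entries.append((digest.lower(), name))
    return entries


def verify_checksums(checksum_path):
    """Verify every file listed in checksum_path, resolved relative to its directory.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"}. Only "OK" means the file is what was published.
    """
    base = os.path.dirname(os.path.abspath(checksum_path))
    with open(checksum_path, encoding="utf-8") as f:
        entries = parse_checksum_file(f.read())
    results = {}
    for expected, name in entries:
        target = os.path.join(base, name)
        if not os.path.isfile(target):
            results[name] = "MISSING"
            continue
        actual = file_digest(target, _ALGO_BY_HEXLEN[len(expected)])
        results[name] = "OK" if actual == expected else "MISMATCH"
    return results


def demo():
    """Constructed scenario: three files with a matching CHECKSUM; then one is tampered with and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        files = {"database_backup.zip": b"constructed zip bytes",
                 "message.gpg": b"constructed gpg bytes",
                 "notes.txt": b"constructed notes"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = [f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()]
        cs = os.path.join(d, "CHECKSUM")
        with open(cs, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        before = verify_checksums(cs)
        with open(os.path.join(d, "message.gpg"), "ab") as f:
            f.write(b"x")  # one appended byte is enough to flip the digest
        os.remove(os.path.join(d, "notes.txt"))
        after = verify_checksums(cs)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

A matching digest only proves the download is the file the challenge author published; it says nothing about who that author is, so treat it as an integrity check, not authentication.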

Both of them are password protected. To see if I can get an easy win, I’ll ask my buddy John (the Ripper) whether they’ve got weak passwords.

First I have to convert both files into a hash format John understands, using the helper scripts that ship with it. I run the following commands:

gpg2john message.gpg > messagejohn

zip2john database_backup.zip > dbbackup

Now that I’ve got hash files John can understand, it’s time to make some coffee while the tool does its job. (John prints each password as it finds it and also caches it in its pot file, so cracked passwords can be read back later with the --show option.)

john messagejohn --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt && john dbbackup --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

Lucky for me, after just a few minutes each, John returns passwords for both files. That part is done; time to see what we’ve actually got here.

The database will likely require some deep diving, so first I want to check out the message. Once decrypted, I open it in Vim. Whoa, that’s a lot of lines: 6823, to be exact. Luckily the beginning of the file gives me all the info I need.

From joso@computer01 Sun Apr 30 09:33:00 2023
Return-path: <joso@computer01>
Envelope-to: seniha@computer01
Delivery-date: Sun, 30 Apr 2023 09:33:00 -0400
Received: from joso by computer01 with local (Exim 4.94.2)
(envelope-from <joso@computer01>)
id 1pt7Ai-0000KU-0z
for seniha@computer01; Sun, 30 Apr 2023 09:33:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1804289383-1682861580=:1269"
Subject: IMPORTANT!
To: <seniha@computer01>
X-Mailer: mail (GNU Mailutils 3.10)
Message-Id: <E1pt7Ai-0000KU-0z@computer01>
From: joso@computer01
Date: Sun, 30 Apr 2023 09:33:00 -0400
X-IMAPbase: 1682861587 2
Status: O
X-UID: 1

--1804289383-1682861580=:1269
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-ID: <20230430093300.1269@computer01>

In the event of any of us being apprehended by the authorities, proceed immediately to the pre-designated safe house (you all know where to find the location), and await further instructions, Joso

--1804289383-1682861580=:1269
Content-Type: application/octet-stream; name="safe-house.png"
Content-Disposition: attachment; filename="safe-house.png"
Content-Transfer-Encoding: base64
Content-ID: <20230430093300.1269.1@computer01>

[HELLA GIBBERISH]

The above message is followed by a couple of thousand lines of encoded data. What could it be? The MIME part headers name the attachment “safe-house.png” and state that it is base64-encoded, so it is most likely a picture. Here’s how to find out:

I carve out only the encoded portion of the message (everything between the attachment’s blank header-separator line and the closing boundary) and save it into a separate file named “b64message”, then I run the following command:

base64 -d b64message > b64dec.png

This decodes the base64 and writes the result to a PNG file. Time to check whether this resulted in usable data; the first few bytes (or the file command) will confirm whether it really is a PNG rather than something merely named like one.

It did!

Likely the mentioned safe house
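Carving the base64 block out by hand works, but a proper MIME parser does the same job without off-by-one mistakes at the boundaries and lets you check what the bytes actually are. The following is an added example, not code from the write-up: it feeds an mbox-style message (a constructed stand-in that mirrors the header layout shown above; the attachment bytes are a made-up PNG stub, not the real safe-house.png) to Python’s email module, pulls out every part that carries a filename, decodes the transfer encoding, and identifies the content by magic bytes instead of trusting the declared name.

```python
import base64
import email
import os
import tempfile
from email import policy

# Magic bytes for the formats an attachment named *.png might turn out to be.
_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# Constructed stand-in for the attachment: a PNG signature and filler bytes only.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17

BOUNDARY = "1804289383-1682861580=:1269"

# Constructed mbox-style message with the same shape as the decrypted message:
# Unix "From " line, headers, multipart/mixed with an inline text part and a
# base64 attachment. Addresses copied from the headers shown in the write-up.
SAMPLE_MBOX = (
    "From joso@computer01 Sun Apr 30 09:33:00 2023\n"
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
    "Subject: IMPORTANT!\n"
    "To: <seniha@computer01>\n"
    "From: joso@computer01\n"
    "\n"
    f"--{BOUNDARY}\n"
    "Content-Type: text/plain; charset=UTF-8\n"
    "Content-Disposition: inline\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "proceed immediately to the pre-designated safe house\n"
    f"--{BOUNDARY}\n"
    'Content-Type: application/octet-stream; name="safe-house.png"\n'
    'Content-Disposition: attachment; filename="safe-house.png"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(FAKE_PNG).decode("ascii")
    + f"--{BOUNDARY}--\n"
)


def sniff(data):
    """Identify content by its leading bytes rather than by the filename it was given."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_attachments(raw):
    """Return {filename: (detected_kind, decoded_bytes)} for every part that names a file.

    The parser undoes the base64 (or quoted-printable) transfer encoding itself,
    so nothing has to be carved out by line numbers.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # the inline text body; not an attachment
        data = part.get_payload(decode=True)
        found[name] = (sniff(data), data)
    return found


def save_attachments(raw, out_dir):
    """Write each attachment to out_dir and return [(path, detected_kind)]."""
    written = []
    for name, (kind, data) in extract_attachments(raw).items():
        safe = os.path.basename(name)  # drop any directory part smuggled into the filename
        path = os.path.join(out_dir, safe)
        with open(path, "wb") as f:
            f.write(data)
        written.append((path, kind))
    return written


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="attachments-")
    for path, kind in save_attachments(SAMPLE_MBOX, out_dir):
        print(f"wrote {path} (bytes identify as {kind})")
```

To use it on the real evidence, read the decrypted message into a string and pass it in place of SAMPLE_MBOX; a mismatch between the declared name and the detected kind is itself a finding worth noting.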

Time to look in the database to see if I can find some more leads that may help me narrow down a rough idea of where this is.

Unpacking the database backup yields the following files:

assets_database.sql
backout_database.sql
cells_database.sql
hermitage_database.sql
insiders_database.sql
routes_database.sql
transport_database.sql

These are all SQL dumps of the gang’s various databases. A quick look at some of them shows names, vehicles, police insiders and some named countries.

Locations may be a good lead, but none of the directly named places give any hint as to where the safe house may be. A look at the “backout” database, however, already gives me a hint as to what my next step will likely be.

The values in the backout and hermitage databases are all three-word combinations. Since I’m looking for a location, that tips me off that this may be related to What3Words. Because I’m hunting a hideout/safe house, the first database I check is hermitage. Its raw output is ugly and not conducive to copy/pasting into What3Words, so let’s clean it up a little first with the following one-liner:

grep "VALUES" hermitage_database.sql | cut -c 36- | sed 's/)/\n&/g' | tr -d "0-9();'" | cut -c 2- | sed 's/^,//' | tr "," "." > hermitage3words.txt

This pulls the rows out of the dump’s INSERT … VALUES statement and reshapes them into the word.word.word form What3Words accepts: grep keeps the VALUES line, the first cut drops the fixed-length INSERT prefix (the offset of 36 is specific to this dump and will differ for other tables), the first sed breaks the line before every closing parenthesis so each row lands on its own line, tr deletes the numeric ids, parentheses, semicolons and quotes, the second cut and sed strip the leading comma, and the final tr turns the remaining commas into dots. This being Linux, there is surely a more efficient way, but this one worked well for me.
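The one-liner is tied to this dump’s exact column offset and would silently mangle a row whose layout differs. As an added example (not code from the write-up), here is a small parser that does the same job for any of the seven dumps: it walks every INSERT … VALUES statement, tokenises each row into proper SQL literals (quoted strings with '' escapes, numbers, NULL), and only emits a what3words address when a row really has three words. The dump text is constructed; the real schema is not shown in the write-up, but the one-liner implies an integer id followed by three quoted words per row, which this sample assumes.

```python
import re

# Constructed stand-in for hermitage_database.sql (placeholder words, not real data).
SAMPLE_SQL = """
CREATE TABLE `hermitage` (
  `id` int NOT NULL,
  `word1` varchar(32), `word2` varchar(32), `word3` varchar(32)
);
INSERT INTO `hermitage` (`id`, `word1`, `word2`, `word3`) VALUES (1,'alpha','bravo','charlie'),(2,'delta','echo','foxtrot');
INSERT INTO `hermitage` VALUES (3,'golf','hotel','india'), (4, 'it''s', 'juliet', NULL);
"""

# One SQL literal: single-quoted string ('' is an escaped quote), a number, or NULL.
_LITERAL = re.compile(r"'((?:[^']|'')*)'|(-?\d+(?:\.\d+)?)|(NULL)", re.I)
# Everything between VALUES and the statement's terminating semicolon.
# Caveat: a ';' inside a quoted value would end the clause early.
_VALUES_CLAUSE = re.compile(r"\bVALUES\s*(.*?);", re.I | re.S)
# One parenthesised row. Caveat: a ')' inside a quoted value would cut the row short.
_ROW = re.compile(r"\(([^()]*)\)")


def parse_insert_rows(sql):
    """Return every row tuple from every INSERT ... VALUES statement in a dump."""
    rows = []
    for clause in _VALUES_CLAUSE.finditer(sql):
        for row in _ROW.finditer(clause.group(1)):
            values = []
            for m in _LITERAL.finditer(row.group(1)):
                text, num, _null = m.groups()
                if text is not None:
                    values.append(text.replace("''", "'"))
                elif num is not None:
                    values.append(float(num) if "." in num else int(num))
                else:
                    values.append(None)
            rows.append(tuple(values))
    return rows


def to_what3words(rows):
    """Join the three string columns of each row as word.word.word.

    Rows without exactly three non-empty strings (a NULL, a missing column) are
    skipped rather than turned into a malformed address.
    """
    out = []
    for row in rows:
        words = [v for v in row if isinstance(v, str) and v]
        if len(words) == 3:
            out.append(".".join(w.strip().lower() for w in words))
    return out


def w3w_url(address):
    """Public what3words web URL for a word.word.word address."""
    return f"https://what3words.com/{address}"


if __name__ == "__main__":
    for addr in to_what3words(parse_insert_rows(SAMPLE_SQL)):
        print(w3w_url(addr))
```

Point it at backout_database.sql the same way; the output list doubles as a checklist while you work through the locations one by one.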

Now comes the time to prove true the old adage that OSINT requires saintly patience. I take each of the three-word combinations and paste them into What3Words one by one, then open a Google Maps tab for each location so I can check them out in Street View. All but the last of the list items are duds; this being a CTF, I’d be disappointed if it were that easy. But the last one brings me here:

Not quite what I’m looking for, looks close, though

Now this is obviously not the safe house. But the brick pattern on the house, as well as the little triangular awnings above the doors, look like I may be on to something here. Rolling down the virtual street for a little bit, I end up here:

Now would you look at that

Gotcha. Time to encode the answer and move on to step two.

Step two:

Pulling up the bit.ly address downloads a zip file. Unpacking it gives five images and a set of instructions.

1. Geolocate the 5 image locales.
2. Take the "first 4 letters" of the "Street Name" for each locale in order and combine to form a 20-character string.
3. Encode the answer as an MD5 hash and append to bit.ly/[MD5 HASH]
Example: bit.ly/0e5c61db18f50fcdab900de1efd6fea3
4. Visit the bit.ly URL for next step.


Note:
* All names are in English.
* All names as per Google Maps.
* Lowercase characters only.


Example locations:
locale-1 = 276 Prey Sa, Phnom Penh, Cambodia = prey
locale-2 = 9 New St, Swansea, Wales = news
locale-3 = 21 Cheeseman Avenue, Monrovia, Liberia = chee
locale-4 = 45 Steeler Street, Essen, Germany = stee
locale-5 = 733 Thurrock Cir, Brentwood, Tennessee, USA = thur


Example string: preynewscheesteethur

Let’s see what those images are:

1:

It’s art!

Alright, got some Graffiti here. How to go about geolocating this?

First, off to the right-hand side, the “Restricted Parking Zone” sign looks like it may be British, which is, for now, a good starting lead.

Secondly, street artists are just that: artists, which means they either publish their work or someone publishes it for them. Time to ask Uncle Google about some of the names on these tags.

First I look for SMO as it’s the most prominent/easy to read tag, may as well start with the low hanging fruit and work our way up the tree.

According to https://streetartcities.com, SMO most likely refers to the “Smile More Often” Crew, but doesn’t immediately give me a view as to where this specific wall is. Time to move on for now.

To the right of SMO I can see “KEOS”, so it’s time to google that. Jackpot: I find an Instagram for “Mr. Keos” (https://www.instagram.com/mrkeos1/) that looks promising.

After a bit of rooting around I find this:

Looks familiar, tagged location isn’t very specific though

When zooming in on the sign in the original picture I wasn’t able to make out what it says, but this one looks more promising, so I zoom in a bunch and voilà:

It’s a name!

Got a bridge name. Time to look at that on street-view. Why, hello there:

Found it!

Our first location is New Inn Yard in London.

2:

On a lone, desert road…

This one is actually really straightforward thanks to Google Maps. The road sign on the left-hand side reads “Puesta Del Sol Drive” and marks a side road. Entering this into Google Maps gives me four suggestions:

Whittier, CA

Victorville, CA

Weslaco, TX

Port Orange, FL

This is enough info to brute-force it with Street View, so I decide to look at all of them. Going with gut feeling and copious road-tripping experience in California, I start with Victorville.

Since Puesta Del Sol is a side road, I’m looking for streets that connect to it and have a traffic light next to a patch of desert. Village Drive looks good in that regard; I explore a bit and find this:

Puesta del found you!

Making our second location Village Drive in Victorville, CA.

3:

Nice yard, mate!

Two things immediately stand out: I can read the street signs, which makes this whole thing trivial, and there’s an Australian flag to the right of the pole holding the signs, which makes it even more trivial.

In Google Maps I enter ‘Woburn & Parkfield’ and get one suggestion back: Kelmscott in Western Australia. Looks promising. I check it out on Street View and here it is:

Exploring the world one google at a time

Thus, the third location is Parkfield Road in Kelmscott, Western Australia

4:

What a doozy this one was

I’ve got a house with some trees off to the right and more houses around/above it. Aside from the real estate sign to the left, there’s not much to go on here, so at first I latch on to the info from the sign.

Lee Ivans, cross-referenced with the phone number, is a real estate agent in Kelowna, British Columbia. This gives me a rough location, but I still don’t have a lot to go on. Checking every house in every suburban area with trees would take me all week. So how do I narrow this down a bit? Spoiler: I don’t.

First I try to find past listings sold by Lee Ivans. I go through his agency’s homepage, Facebook and various other listing sources but come up empty. I may not have been looking thoroughly enough, but many of the listings either had no photos that were easy to find or turned out not to be this location. The house number visible in the reference is “601”, so that’s the range of house numbers I’m looking for. Most of what I could find had four-digit numbers, so those addresses were immediately ruled out.

Next, I attempted to craft an Overpass Turbo query, but looking up places with "addr:housenumber"="601" and the various other queries I tried turned up nothing but duds. This may still work, but I’m an Overpass novice and definitely don’t yet have the skill to make it do exactly what I want, so results will vary with experience. This whole process took me around two hours and made me want to scream into all the pillows. So I decided to play with the cats to quell my frustration a bit and come back to it afterwards. My next step was clear: I’m going to do some virtual driving.

When undertaking an exploration of this possible magnitude, it’s important to be systematic about it. So I started on the south side of the map. Before entering Street View, I zoomed the map in enough to see house numbers, looking for three-digit ones. I went square by square for about another half hour before I ended up here:

Me at this point: “Whoever is listening, I beg you to let this be it”

The street at the bottom, the way it ends with the driveway right where it turns into vegetation, looks really promising. Zooming in I see this and, in celebration, inadvertently let even my neighbours know that I’ve finally found it:

Carmen San-who?

This was torture. But the location is Horn Crescent, Kelowna, British Columbia.

5:

At least something simple at the end

Seeing this fills me with elation, because the amount of info this picture gives me makes it so much easier than the previous one.

I’ve got a roofing van on the left and the first three letters of a street name on the right. That’s, I think, all the info I need.

First, I check out the van. Zooming into the picture lets me read “Pro Roofers”, but on Google all roofers are pros, and thanks to location-based suggestions that term alone is really not that helpful.

I can, however, faintly make out a phone number on the van. It’s hard to read, but it seems to be 0800 31 ROOF. 0800 is a toll-free prefix in the UK and in New Zealand, among other countries, so that’s already a hint. But that number doesn’t turn up anything. The only digit in the number I’m not sure of is the “3”, so I decide to try a few different digits in its place. 0800 21 ROOF is the correct number and leads me to https://www.nocowboys.co.nz/businesses/Pro-Roofing. “Nocowboys” is basically Kiwi Yelp, which narrows down the location quite a bit. The listing also links to the roofing company’s website: https://www.proroofing.co.nz/

Looking around on their website a bit, I find this picture:

That van looks familiar, doesn’t it?

With all this I can say pretty confidently that I’m looking in Auckland, New Zealand. That gives me a rough area; now to find the actual street.

Google’s suggestions aren’t the best if all you’ve got is a house number, but the first three letters of a street? That can be helpful, and I’d rather have a list if I can get one.

After a bit of inspired googling, I find this link https://new-zealand-streets.openalfa.com/auckland/streetdir/b?pg=3

Which gives me a handy list of Auckland streets starting with “BEA”. Now, from what I found, Auckland has either green or blue street signs; the blue ones are what I’m focusing on here. There are two flavours of small blue street sign that I was able to find: one has a skinny arrow and the other has the fat kind of arrow shown in the reference picture. Armed with this info, I google my way down the list and narrow it to streets with the kind of sign I’m looking for. Eventually I end up here:

This was refreshingly easy

The last location is Beaconsfield Street in Auckland, New Zealand.

Time to craft the MD5 hash according to the instructions and finally move on to step three!
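Each step ends the same way: normalise the answer exactly as the instructions dictate, MD5 it, and append the hex digest to bit.ly/. Getting a single character of normalisation wrong means a dead link and no feedback, so it pays to encode the rules once and test them against the examples the challenge itself provides. The block below is an added example, not code from the write-up: slugify implements the “lowercase characters and hyphens only” format used in steps one, three and four, four_letter_string implements step two’s “first four letters of each street name” rule (with spaces and punctuation dropped, as the “9 New St” = “news” example shows), and bitly_url produces the link. The demo runs the five streets this write-up found through the same rule; that is a derivation from the text, not a confirmation of the accepted answer.

```python
import hashlib
import re


def slugify(*parts):
    """Lowercase, keep only [a-z0-9], collapse everything else into single hyphens.

    ("South Africa", "Kenton on Sea") -> "south-africa-kenton-on-sea"
    """
    text = " ".join(parts).lower()
    return re.sub(r"[^a-z0-9]+", "-", text).strip("-")


def four_letter_string(street_names):
    """Step two's rule: first four letters of each street name, concatenated.

    Spaces and punctuation are dropped before counting letters. Exactly five
    names are expected (a 20-character string); anything else is a mistake
    worth catching before it is hashed into an unanswerable URL.
    """
    if len(street_names) != 5:
        raise ValueError(f"expected 5 street names, got {len(street_names)}")
    pieces = []
    for name in street_names:
        letters = re.sub(r"[^a-z]", "", name.lower())
        if len(letters) < 4:
            raise ValueError(f"street name too short for four letters: {name!r}")
        pieces.append(letters[:4])
    return "".join(pieces)


def bitly_url(answer):
    """MD5 of the already-normalised answer appended to bit.ly/, as the instructions describe.

    MD5 here is just the challenge's encoding of the answer, not a security control.
    """
    digest = hashlib.md5(answer.encode("ascii")).hexdigest()
    return f"bit.ly/{digest}"


if __name__ == "__main__":
    # Sanity check against the example the step-two instructions give.
    assert four_letter_string(["Prey Sa", "New St", "Cheeseman Avenue",
                               "Steeler Street", "Thurrock Cir"]) == "preynewscheesteethur"
    step2 = four_letter_string(["New Inn Yard", "Village Drive", "Parkfield Road",
                                "Horn Crescent", "Beaconsfield Street"])
    print(step2, "->", bitly_url(step2))
    step3 = slugify("South Africa", "Kenton on Sea")
    print(step3, "->", bitly_url(step3))
```

Running the instructions’ own worked examples through the functions first (as the script does) catches a misread rule before you spend an hour wondering why a bit.ly link returns nothing.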

Step three:

Unpacking the zip from the bit.ly link from the last step gives me more instructions, another checksum file and a zip containing what appears to be a password vault. After verifying the checksum, I read the instructions.

1. Verify CHECKSUM of the 7z file(s).
2. Analyse the file(s) and locate the whereabouts of the gang member currently in the wind.
3. Encode the answer as an MD5 hash and append to bit.ly/[MD5 HASH]
Example: bit.ly/0e5c61db18f50fcdab900de1efd6fea3
4. Visit the bit.ly URL for next step.


Note:
* All names are in English.
* All names as per Google Maps.
* Lowercase characters and hyphens only.


Location format: country-name-some-town-name

Location example: new-zealand-te-puna-west

Alright, time to analyse away! Unpacking the password vault zip gives me… a KeePass password vault!

As KeePass vaults go, this one is *drum roll* password protected! So John gets to shine again. Here are the commands in order:

keepass2john Password_Vault.kdbx > PVault

john PVault --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

You’d think human traffickers would at least cross-check their passwords against the most popular wordlists. Lucky for me, they don’t. OpSec’s for losers, right?

After letting John run for a little while, I get a password. With it I can open the vault and find quite a few password entries. Checking them out (and making Proton Mail angry at me in the process), I find… not much. In the notes I find a few social media URLs and a veiled hint at something being saved in the Wayback Machine. Aside from a Twitter link in the notes, none of the other links work, and they don’t show anything on Wayback either. Twitter gives me this:

A beach. Somewhere. Cool.

Not much to work with from the picture alone. The Twitter profile, however, also gives “SA” as the location. My guy doesn’t check their passwords against wordlists and gives a good hint at their location? Tsk tsk.

Good for me, though. “SA” could denote South America, South Africa or South Australia.

Looking at the picture I can see a partial shop sign on the left-hand side. One of the words on it looks like “table”, so for now I’m going to work on the assumption that I’m looking for an English-speaking country. The arrows painted on the car park also suggest a country that drives on the left. SA’s most common meaning is South Africa, so that’s going to be my starting point. Looking at the shop sign again, I also see the number “210” and the partial “*enton”. This makes me even more confident about English, because “ton” is a common suffix for English place names.

After a bit of looking around the South African coastline, I come across “Brenton on Sea” and check its coastline, to no avail. Time to keep going; I’m likely still on to something. A few minutes of scrolling along the coast later, I find “Kenton on Sea” and repeat the process, checking the beach for anything that looks promising. And, right by “Middle Beach”, it does:

Yay!

Turns out the “shop” is the Round Table 210 clubhouse, and the location is Kenton on Sea, South Africa.

Encoding this as MD5 and plugging it into bit.ly gives me one more zip file, so on to step four!

Step four:

1. Read the Ransom Note.
2. Geolocate the building where the captives are being held.
3. Use the answer to unlock the flagfile.


Note:
* All names are in English.
* All names as per Google Maps.
* Lowercase characters and hyphens only.


Example format: country-name-city-name-street-name

Example answer: costa-rica-santa-ana-condominio-aracari

Reading the ransom note doesn’t really give me much relevant info as to the geolocation of the target, so instead I focus on the picture and what it can tell me:

Factory shops, huh?

As to the rough location, I’m going to make the semi-educated guess that it’s still in South Africa. I doubt our guy is continent-hopping with us hot on their heels; that doesn’t leave a lot of time for taking hostages and all that.

So first I cruise around South Africa looking for “Factory shops” on Google Maps, but there is too (damn) much data to sift through unless I absolutely have to. So I try to narrow my filter a bit further. There’s a logo on the right-hand side of the picture that looks like it could be a brand logo; maybe that will help me a bit. Yandex to the rescue!

After uploading the picture to Yandex reverse image search, I crop the search area tightly to the logo and quickly find this:

Fashion Fusion Dance!

Fashion Fusion is a South African clothing chain; that looks like a very workable lead.

Pulling up some of the stores on Google Maps and checking them on Street View doesn’t give me quite as much as I’d like, but one of the stores that comes up on Google Maps has this as its picture:

Naughty google, trying to mislead me

This threw me off a bit, because the building the pin sits on is actually near the building we’re looking for, but it’s not the store. However, zooming in on the photo shows “Brickfield Rd” on a street sign, so I look a little further to the left and there’s Brickfield Road. Switching to Street View shows me this:

Liam Neeson would be proud

And as sure as the dog’s name is Bingo, the last location is Brickfield Road in Cape Town.

Entering that as the password when unzipping the flag file gives me another one of these cool collectible cards! Totally worth the multiple aneurysms I had solving this.

https://hacktoria.com/contracts/human-traffickers/

This write-up was brought to you by: Irregular sleep patterns
