Lost Down Under Writeup

VEEXH
The Sleuth Sheet
Published in
6 min readDec 1, 2022

Sometimes it’s hard to connect the dots.

Lost Down Under via Hacktoria.com

MISSION BRIEFING

Greetings Special Agent K. We need your assistance in an urgent matter. Our client, the Australian Secret Intelligence Agency, ASIS for short, has requested our help to uncover a terrorist organization.

This group, who’s name is yet to be uncovered, has shown intent on bombing several locations around Australia. Their origins are confirmed to be domestic, with money coming in from Chinese non-government actors.

Several hours ago, one of our Red Teams was able to breach one of the terrorist groups’ email accounts. There was a single email, containing a cryptic looking text and a total of seven images.

We need you to figure out what these seven images and text mean. Are they connected? Is this a rabbit hole? With our current information, we have reason to believe these images are directly related to the suspected plans for bombings.

The answer from the text and images leads to the password for unlocking the flagfile. Which contains your contract card.

As always. Special Agent K, the contract is yours, if you choose to accept.

METHODOLOGY

You are first tasked with the process of decrypting an encoded message.

Base32 Encryption

STEPS

  • Convert Base32 To ASCII
  • Convert ASCII to HEX
  • Convert HEX to Human Readable

Decrypted text:
transmission number 458964983 needs multiplication with the answer to unlock the file. We will start operation kangaroo once all bombs are in place.

Location 1

Location 1

The markings on top of the building indicate that this is a Buddhist temple to locate image 1. I searched for Buddhist Temples in the Melbourne Victoria area of Australia because all the images are within the area of Victoria.

99 Furlong Rd, Cairnlea VIC 3023, Australia

Location 2

Location 2
Distinctive marking for Location 2

The second location has a distinctive marking that immediately stands out, almost certainly giving away the correct location. “St Martins De Porres Parish school”. A catholic school which once inputted into google maps takes you to the correct location.

158 Military Rd, Avondale Heights VIC 3034, Australia

Location 3

Location 3

Location number three’s photo was altered during the course of the CTF to make it easier to identify. However, I was one of the individuals who did manage to locate the third location before it’s change. The blue and white sign to the right in the picture is titled as “Vinnies” who are a network of volunteers. Searching all the Vinnies within the Victoria area is how I was able to locate the third location but the street that the Vinnies is located at is not the correct answer it’s the building directly across the street facing the Vinnies that allows for a correct calculation of the password file.

45 Dickson St, Sunshine VIC 3020, Australia

Location 4

Location 4

During my investigation of all of these locations I thought that there might have been some link between the organizations and I was not wrong. I was able to find this location due to prior information from the third location.

https://www.vinnies.org.au/page/Get_Involved/Become_a_corporate_partner/National_Partners/IGA_Partnership/ I found this link which shows that Vinnies and IGA have a partnership, so I was able to figure out what kind of company the IGA logo represented. Then I typed “IGA warehouse victoria Australia” into Google and found the location.

Google Results
79 Fitzgerald Rd Laverton, VICTORIA, 3028 Australia

Location 5

Location 5

Perhaps the most difficult location to find was number five because initially google lens didn’t work, bing image search didn’t work and yandex wasn’t coming to the correct conclusion. Although it was through bing image search that I did find the location, it was not easy to pinpoint. Bing image search brings up a link with a picture familiar to the one in the photo. https://www.flickr.com/photos/40262251@N03/6087650865

Bing image search results

The link mentions that this mock Tudor Villa is within the suburb of Essendon. I searched Essendon 3040 on https://www.ratemyagent.com.au
and found updated pictures of the house.

20A Buckley St, Essendon, VIC, 3040

Location 6

Location 6

Location number six was really a random find that I came across because I was browsing google street view until I came across a house that was familiar and this took some time but my efforts paid off.

314 Williamstown Rd Port Melbourne, Victoria

Location 7

Location 7

Location 7 was found via collaborative efforts between myself and 7069Wrk who really just handed me the details because I was super tired from work. However, here are the steps it took to find this location.

Input image into Google Lens

Google lens will ultimately lead to https://www.lemonchickenporfavor.com.au/murals which host information about the artists and the art location.

Normanby Ave, Thornbury VIC 3071, Australia

Location 8

Location 8

Now number eight was a bit confusing and took some really high level deduction to locate. The beginning subtitle of the writeup is titled “Sometimes it’s hard to connect the dots.” Which is a play on words on how to officially solve this contract challenge. On google maps, I connected the dots of all the previous locations and taught to myself that it would only make sense to land a point in the Richmond area of Victoria.

Connecting the dots

Searching for distinctive markings in the Richmond area on Google Street View can lead you to the correct location.

Richmond Street View
309 Lennox St, Richmond VIC 3121, Australia

CONNECT THE DOTS

Remember what I said about connecting the dots? Well, that’s the most important aspect of this challenge that should have been taken seriously besides all the geolocation.

As stated in the decryption process at the onset of the challenge, transmission number 458964983 needs multiplication with the **geolocation** answer to unlock the file. **add the first three letters of all streetnames in order at the end of the numbers**. we will start operation kangaroo once all bombs are in place.

The password format is ############abcabcabcabcabcabcabcabc

Original connect the dots

The original connect the dots is good for locating number eight, but two lines have to be removed in order to find the correct number needed for multiplying and unlocking the contract card. Shout out to myself and 7069Wrk because we really worked together on this part to figure out the correct number.

Two lines removed — number revealed

The number that is revealed is 711 so 711 * 458964983 is 326324102913 and connecting that with the first three letters of all the locations reveals the password which is 326324102913furmildicfitbucwilnorlen

Contract Card

Agent, when you’re ready to test your skills at solving real-world problems checkout.

https://eumostwanted.eu/gameover

--

--

The Sleuth Sheet
The Sleuth Sheet

Published in The Sleuth Sheet

🔍 The Sleuth Sheet: Your favorite All Source Intel resource! Explore curated tools, tips, & captivating CTFs to help you excel in the intelligence field. MULTI-INT strategies that boost your skills to keep you ahead in the intel game! 🌐🏆

VEEXH
VEEXH

Written by VEEXH

I analyze how technology and systematic approaches can address complex global challenges and educate you as best as possible.

No responses yet