[KAKITSUBATA] Diver OSINT CTF 2024 Writeup

Overview & Rules

  • June 8, 2024 (Sat) 12:00 JST - June 9 (Sun) 12:00 (JST) (24 hours)
  • Jeopardy style
  • Challenge descriptions in Japanese and English
  • Almost all challenges were released upon answering "welcome" correctly (some sequential challenges had unlocks)
  • Team competition with registration for up to 6 people per team on CTFd
  • Points for each challenge varied based on the total number of correct answers across all participants
    • For example, a challenge might grant 500 points while very few had solved it, but points decreased as more teams solved it
    • This system ensured that teams solving more difficult challenges ranked higher
  • Four difficulty levels: Introduction, easy, medium, and hard. In particular, the introduction level was designed as an entry point for OSINT CTF
  • According to official reports, 842 players and 484 teams participated

Results

We formed the team "KAKITSUBATA[1]" with five members (meow_noisy, blackwasan, _roku_, kuzushiki, kn1cht) and participated.
By 11:12 on the second day, we solved all challenges (35 in total) and took 1st place.

Team result. 1st place with 11261 points.
Scoreboard

Writeup

This article is published under kn1cht's account, but each section was written by the player who entered the flag for that specific challenge. The headings include the challenge name, difficulty, the author's name, points, and the number of teams that solved it. For challenges where multiple people contributed to the answer, multiple names may be listed.

The points shown in the headings are from after the CTF ended. Additionally, images and other materials are quoted from the challenge server.

welcome

All difficulties in this category are "welcome".

welcome [meow_noisy] - 10point 453 Solves

Welcome to the DIVER OSINT CTF!
Please find the flag on the rules page and enter it here.
You will see the other challenges when you submit the correct flag.

You must solve this to see other challenges.
The flag is listed at the very end of the rules page.
https://ctfd.diverctf.org/rules

Diver24{ganbarou!}

introduction

All difficulties in this category are "introduction".

246 [blackwasan] - 100point 143 Solves

What is the name of the intersection closest to where the image was taken?
Flag format: Diver24{intersection name}

The challenge name is "246," so one might think of the famous National Route 246, but it's actually Prefectural Road 246. The image shows a white Aqua parked at a residence and a suspension bridge visible far ahead. I tried to narrow down the area by the license plate of the white Aqua, but it's slightly unreadable... Chiba?

Leaving the license plate aside for now, the fact that there's a suspension bridge suggests a somewhat rugged coastal area, so I decided to search prefectures with rias coasts or small islands (like Iwate, Mie, or the Seto Inland Sea area). It's less effort than checking all 47 prefectures.

Since the prefectural road numbers and colors are easy to see, it's easier to search using tools like Mapion.
https://www.mapion.co.jp/

Then I found Yamaguchi Prefectural Road 246 in the Chofu area of Shimonoseki City, Yamaguchi Prefecture, which is quite close to the "Kanmon Bridge" connecting Kyushu and Honshu. Speaking of "Kanmon Bridge," I had a somewhat glittering image of the Mojiko area, but from Chofu on the opposite side, this kind of view is also possible. I searched for the point where "turning right leads into this prefectural road" and hit the jackpot.

By the way, in this Kanmon region, a new bridge construction plan is moving towards realization (see news below), so I'd like to follow its progress.
https://news.yahoo.co.jp/articles/50b98cd45fc15916ec880af8b93ee03b869e8658

Diver24{前田}

office [kn1cht] - 100 point 229 Solves

Input the flag obtained from the file.

A file named mudai.odt is provided. As you can tell by the Word icon that appears when opening it in an environment with Microsoft Office, ODT files are a document format used by OpenOffice and similar software.

A classic technique for CTFs where an Office file is provided is to change the extension to ZIP and extract it to see its contents. Changing it to mudai.zip reveals the files inside.
Looking through the files, the Flag is written in Thumbnails/thumbnail.png, so I transcribed it.

Diver24{World Ocean Day}
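
The rename-to-ZIP step above can also be done without renaming anything. This is an added example, not part of the original writeup: it opens an ODT as the ZIP package it is and lists every embedded image by magic bytes rather than by file extension. The sample document is constructed in memory and stands in for mudai.odt; `triage_odf` and `build_sample_odt` are hypothetical helper names.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def triage_odf(data: bytes) -> dict:
    """List what an OpenDocument package carries besides the visible text."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not a ZIP container, so not an ODF package")
    report = {"mimetype": None, "images": [], "other": []}
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename == "mimetype":
                # ODF packages declare their document type in this entry.
                raw = zf.read(info)
                report["mimetype"] = raw.decode("ascii", "replace").strip()
                continue
            # Sniff the first bytes so a renamed image is still detected.
            with zf.open(info) as fh:
                head = fh.read(8)
            if head.startswith(PNG_MAGIC) or head.startswith(JPEG_MAGIC):
                report["images"].append((info.filename, info.file_size))
            else:
                report["other"].append(info.filename)
    return report


def build_sample_odt() -> bytes:
    """Constructed stand-in for mudai.odt (not the challenge file)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("meta.xml", "<office:document-meta/>")
        # Fake thumbnail: PNG signature followed by padding bytes.
        zf.writestr("Thumbnails/thumbnail.png", PNG_MAGIC + b"\x00" * 32)
    return out.getvalue()


if __name__ == "__main__":
    result = triage_odf(build_sample_odt())
    print("declared type:", result["mimetype"])
    for name, size in result["images"]:
        print(f"image: {name} ({size} bytes)")
    print("other members:", ", ".join(result["other"]))
```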

chain [kn1cht] - 100point 110 Solves

Answer the phone number of this restaurant.
Flag format: Diver24{0123456789}
Note: DO NOT MAKE ACTUAL PHONE CALL. Search on the web.
(Hint) As the flag format shows, it should be the Japanese domestic phone number format.
(3 attempts)

A photo of a sign for the Japanese yakitori chain "Torikizoku" is provided. Torikizoku apparently has over 600 stores across Japan, making it difficult to solve via brute force (actually, a teammate checked Torikizoku locations on the 4th floor one by one, but couldn't find the answer).

By the way, this photo appears to be a directory panel for a multi-tenant building, but it is unusual for everything except Torikizoku to be blank, giving it a somewhat desolate impression.
I reasoned that this building had seen a series of closures, and Torikizoku itself might have closed and no longer exists.

So, I searched for "Torikizoku closing" on X. Since the EXIF information for this image contains the date February 4, 2024, I targeted that specific period.

https://x.com/search?q=鳥貴族 閉店 until%3A2024-02-25&src=typed_query&f=live

Several people mentioned that the Torikizoku Hiroo branch had closed, and a Google image search revealed photos of a location that looked exactly like the one in the challenge.

https://www.cookdoor.jp/dtl/00000000000080001878/

The phone number is also listed on this page, so entering it in the Flag format resulted in a correct answer.

Diver24{0364593392}

dream [kuzushiki] - 100point 255 Solves

Give the postal code of the facility with the pipe organ shown in the image.
Flag format: Diver24{123-4567}

I wanted to identify the location from the photo, so I tried using Google Lens. Google Lens is an excellent tool that allows you to search by focusing on specific parts of a photo. When I searched with the focus on the organ as shown below, Poptown Suminodo Opera Park appeared at the top of the search results.

Then, I Googled the facility name and submitted the postal code.

Diver24{574-0046}

Answering with the facility name itself would have been fine, but perhaps the postal code was used as the flag to avoid variations in formatting?

serial [kn1cht] - 100point 223 Solves

What is the serial number of the aircraft in the background of these videos? If the serial number is 123456, the flag will be Diver24{123456}.

https://www.tiktok.com/@ana_allnipponairways/video/7318648417620741377
https://www.tiktok.com/@ana_allnipponairways/video/7338422699301145857

TikTok videos of a mascot dancing in front of an aircraft were provided. Looking closely while pausing, the registration number JA222A can be read.

JA222A itself is what is known as a registration number (commonly called "regi-ban" in Japan), and I had a feeling it wasn't the serial number, so I looked for it. On Flightradar24, the SERIAL NUMBER (MSN) field was only visible to members, but I found the Manufacturer Serial Number (MSN) listed on another site and obtained the flag.

https://www.planespotters.net/airframe/airbus-a320neo-ja222a-all-nippon-airways/3v6npy

Diver24{9580}

ad_directiare [meow_noisy] - 257 point 79 Solves

Answer the price of the lunch this person on the business card had on a business trip to Tokyo.
Flag format: Diver24{price}
If it is 1000 JPY, the flag should be Diver24{1000}

First, I investigated the meaning of the title.

It didn't seem to have much relevance.

I searched for the information written on the business card (Yonekura Design Office, yone.jun, etc.), but no official information turned up.

Since there was a Gmail account, I reflexively ran EPIEOS.

They were posting on Google Maps. It appeared to be a fictional account created for the challenge.

https://www.google.com/maps/contrib/104607974422086075165

I checked the posts about food. I found the price.

Flag:
Diver24{4400}

crypto

leak (easy) [kn1cht] - 100point 211 Solves

Last month, there was a large-scale unauthorized outflow of BTC from a Japanese company.
Identify the wallet address where the outflow went.
Flag format: Diver24{wallet address}

This refers to the DMM Bitcoin incident, which became a major topic on the Japanese internet.

https://www.coindesk.com/business/2024/05/31/japanese-crypto-exchange-dmm-bitcoin-suffers-305m-hack/

Since experts on X and other platforms were explaining it in detail, I copied and pasted the destination address.

Diver24{1B6rJRfjTXwEy36SCs5zofGMmdv2kdZw7P}

Akeome (hard) [kn1cht] - 500 point 4 solves

Find youtube channels started in 2017 by the following persons.
https://bitcointalk.org/index.php?action=profile;u=44692

Flag example: Diver24{@RickAstleyYT}

(Hint) No need to investigate the transaction history of cryptocurrency

Looking at several pages from the provided Bitcoin Talk URL, I found that this person operated Bitcoin Fog, a cryptocurrency mixing service (a technology that makes tracking transactions difficult by randomly mixing them).
Furthermore, a Google search revealed that a person named Roman Sterlingov was arrested in 2021 on suspicion of money laundering as the operator of Bitcoin Fog.

https://protos.com/bitcoin-fog-crypto-mixer-arrested-money-laundering-google-helped-feds/

The Twitter account used to promote Bitcoin Fog (@BitcoinFog) is still viewable, but searching various sources did not reveal a YouTube account claiming to be the operator of Bitcoin Fog.

Therefore, I reasoned that he might have used YouTube for personal activities unrelated to Bitcoin Fog and searched for Sterlingov's personal information on the internet. In an article about the arrest, it mentioned that investigators found the email address shormint @ hotmail.com used for registration on Bitcoin Talk.
Searching for this address led to a slide deck from the US investigation into the Bitcoin Fog case (https://ia904506.us.archive.org/34/items/gov.uscourts.dcd.232431/gov.uscourts.dcd.232431.189.1.pdf). This material explains the process by which investigators tracked down the anonymously active Bitcoin Fog operator and is interesting even outside the context of the CTF, so I highly recommend reading it.

The document mentions about six email addresses suspected to have been used by Sterlingov, such as heavydist @ gmail.com and plasma @ plasmadivision.com. Considering the possibility of finding a YouTube account from an email address, I entered each into Epieos and GHunt. However, some were merely confirmed as active Google accounts, and no YouTube information was obtained.

On the morning of the second day, June 9th, even with the whole team investigating, we saw no progress. Thinking there might be a keyword we missed, I happened to Google Case 1:21-cr-00399-RDM found at the top of the investigation slides (apparently a case number assigned to US lawsuits). A site called CourtListener, which appears high in the search results, contains many of the documents used in Sterlingov's trial, available in PDF and text formats.

https://www.courtlistener.com/docket/59988850/united-states-v-sterlingov/

I considered whether YouTube might have been mentioned in the legal proceedings and read through documents that seemed likely to contain evidence from the approximately 400 available. Then, the word "YouTube" appeared in a document titled "Supplemental MOTION for Release of Funds by ROMAN STERLINGOV."

https://www.courtlistener.com/docket/59988850/101/1/united-states-v-sterlingov/

  1. We ran the studio and made these videos for 2-3 years. In 2017, we started putting videos
    up on YouTube under the name “Technology of Winning” @technologyofwinning8592:
    https://www.voutube.eom/@technologvofwinning8592/videos

Reading the surrounding text, it was an assertion by Sterlingov reflecting on his past activities and stating they were unrelated to Bitcoin Fog.
In other words (believing this testimony to be true), this account is the answer.

Diver24{@technologvofwinning8592}

Until I noticed the court documents, I had tried various paths like email and social media investigations, making it one of the most time-consuming problems in this CTF. That made the moment of realization even more refreshing.

geo

imagetrack (easy) [blackwasan] - 100point 146 Solves

Please provide the name of the local cuisine restaurant where the image was taken.
Flag format: Diver24{restaurant name}

Checked the EXIF.

Entering this location into Google Maps pins a location on the north side of Sannomiya Station.

https://maps.app.goo.gl/AQVcsQSqggiNGeGz8

There is a restaurant nearby that calls itself a local cuisine restaurant, and checking the menu shows they serve "open air."

By the way, "open air" seems to be a local craft beer from Kobe, so I'd like to try it (looks delicious).

Open Air Minatoyama Brewery

https://www.openair.beer/

Diver24{郷土料理 からす}

chiban (medium) [blackwasan] - 184 point 90 solves

What is the land lot number (地番, chiban) of the road in centre of image? Answer in Japanese.
For example, if the address is 仙台市宮城野区二十人町 303-8, the flag should be Diver24{303-8}.
Also, some land lot numbers include not only numbers but also Kanji (Chinese characters). In that case, please answer as is in Kanji.

Speaking of Sundi, it's a discount supermarket in the Kansai region? (I used to rely on them because I lived in Kansai before). The text "Store No. 7" in the photo caught my attention, so I Googled it.

Apparently, Sundi numbers its stores based on the order they were opened. A job listing on Mynavi Part-time mentioned that the Futaba store (Ibaraki City, Osaka) is Store No. 7.

Checking on Google Maps, this road is shown in the photo.
https://maps.app.goo.gl/UTTu7B3YEtiRAp3c9

I was unsure whether "the road in the center of the image" was in the background or foreground, and since the land parcels (fude) seemed complicated, I checked with the Mapple Legal Affairs Bureau Viewer (https://labs.mapple.com/mapplexml.html). This is a tool that allows you to view land registration on a map, which is handy for investigating property rights.

"Hikkai-miteitichi" (undetermined boundary land) refers to land where the boundaries have not been fixed due to various historical reasons. While the photo shows a relatively new public road, I wonder if it was originally something else.

Diver24{筆界未定地-6}

championships (medium) [kuzushiki] - 440 point 40 solves

In October 2010, an advertisement for a competition was placed at this location. Give the nickname of the winner of that tournament.
Flag format: Diver24{winner's nickname}.

The location is obviously Guang Hua Digital Plaza. Guang Hua Digital Plaza is an electronics district in Taipei, Taiwan (like Akihabara in Japan). How should I search for information about the competition?

I was curious that the challenge asked for a nickname. Since it's not a real name, I thought it might be an e-sports tournament or something similar. I searched on Google with keywords like "before:2011", "competition", and "winner," but couldn't find any relevant tournament. I also scoured video sites like YouTube for information on advertisements, but came up empty-handed.

Just when I thought I was out of options, I remembered the Google Maps "Time Machine" (Street View history) feature. I wondered if I could see ads from 10 years ago. When I checked the area, I found photos from October 2010. Below is a screenshot shared by my teammate, _roku_.

A GIGABYTE advertisement is visible in the center of the image. Investigating the competition revealed that GO OC 2010 was held in Taiwan.

https://www.gigabyte.com/Press/News/929

I wanted to confirm the winner, but I couldn't access the URL in the article. The competition page seemed to be no longer in use.

http://gooc2010.gigabyte.com/

Searching on the Wayback Machine, I was able to view the page as it was back then.

https://web.archive.org/web/20110316103019/http://gooc2010.gigabyte.com/

Diver24{Matose}

I was living in Taiwan in 2010, but I knew nothing about this competition. If only I had gone to see it, I could have answered this question instantly...

power (medium) [blackwasan] - 475 point 26 solves

What is the operational transmission capacity value (unit: MW) of the transmission line on the right-hand side of the picture? Answer in whole numbers.
Note that this photo was taken in 2024.
Flag Format: Diver24{100}

(Hint) "operational transmission capacity value" is "運用容量値" in Japanese
(5 attempts)

This challenge asks for the operational transmission capacity value (an integer) of the transmission tower on the right side of the photo. The operational transmission capacity value is the upper limit of the power flow determined by general power transmission and distribution operators to stably operate each transmission line. Roughly speaking, it's the amount of electricity that can be transmitted without damaging the equipment. Since there is a limit of 5 attempts, brute-forcing the numbers is out of the question.

Setting aside the electricity topic, the train in the center is a Series 683 Thunderbird. This means the view is likely from along the JR West Kyoto Line or Kosei Line.

Since I wanted to scour the transmission lines along the railway, I used a useful tool. The Ministry of the Environment's EADAS (https://www2.env.go.jp/eiadb/ebidbs/) database has a feature that displays accurate grid maps. Although it's originally a database for renewable energy operators, it's very user-friendly. I used it to search for transmission lines running parallel to the Thunderbird route between Osaka and Shiga.

Grid map by EADAS

As a result, I found such locations near JR Takatsuki Station and JR Katsuragawa Station. The Street View near the latter, JR Katsuragawa Station, matched the challenge image. Come to think of it, I had a strange sense of déjà vu when I saw the photo; it's because Aeon Mall Kyoto Katsuragawa, one of the largest in Kyoto, is right behind this viewpoint, and I used to go there often when I lived in Kansai...

https://maps.app.goo.gl/FHMUZj5EaCoaYqqh8

On the Kansai Transmission and Distribution HP's "Grid Spare Capacity Mapping Data" page, there are transmission line maps (somewhat simplified) and spare capacity information. I looked for the corresponding transmission line. The spare capacity information includes the operational transmission capacity values.

https://www.kansai-td.co.jp/consignment/disclosure/distribution-equipment/mapping.html

The grid diagram for Kyoto City can be viewed from the "Kyoto City [747.71KB]" link. Since the PDF is prohibited from being reprinted, please check the image yourself.

The transmission line (77kV) labeled "North 172" (北172) corresponds to the one in the photo. It seems to be called the "Saiin Line" (西院線).

I found the operational transmission capacity value (MW) in the PDF table and submitted it.

Diver24{84}

island (medium) [kn1cht] - 479 point 24 solves

Answer the highest elevation of the island named "四方ぎり島" as an integer in meters.
Flag example: Diver24{3776}
(5 attempts)

Searching for "四方ぎり島" on Google reveals that the specified island is in Antarctica. The reading is "Yomogiri Zima".
Opening the PDF file titled "Report of the Antarctic Place-names Committee of Japan" (https://nipr.repo.nii.ac.jp/record/8622/files/KJ00000139872.pdf), the coordinates are recorded as 69°43'02"S 38°58'23"E.

Japan conducts Antarctic observations and performs topographical surveys and mapping. The results are summarized on, for example, the Geospatial Information Authority of Japan's (GSI) "Antarctic Geospatial Information" page.

https://www.gsi.go.jp/antarctic/index.html

I searched for a while, cross-referencing the coordinates with the map (since it's a bit far from Syowa Station, the base for the Japanese observation team, I needed to look at a small-scale map).
Then, I found something called "1/25,000 Imaging Data (New)," and as I continued searching while keeping a close eye on the coordinates, I found "1:25,000 Antarctic Topographic Map 222 Einstøingen."

https://www.gsi.go.jp/antarctic/viewer_03_25000_new.html

The elevations for various points on Yomogiri Zima are listed, and the highest one is the Flag.

Diver24{18}

Additionally, according to other players, it seems that it can also be displayed by skillfully using the web version of GSI Maps (Geospatial Information Authority of Japan).

https://maps.gsi.go.jp/#14/-69.732398/38.982410/&ls=southpole_2500|southpole_25000|southpole_50000_2|southpole_satellite_250000|southpole_2500_ort_2%2C0.61|southpole_250000&disp=110111&lcd=southpole_250000&vs=c1g1j0h0k0l1u0t0z0r0s0m0f1&d=m

construction (hard) [blackwasan] - 496 point 12 solves

One analyst found that a new facility was built in the vicinity of 37.669, 120.691. Give the name of this facility (in the local official language).
For example, if the answer is "Cheongwadae" in South Korea, the Flag is Diver24{청와대} using the local language notation.

Search work by meow_noisy:
Checking these coordinates pins a location in a farming area in Penglai, Shandong Province, China. At least on Google Maps satellite imagery, nothing is visible.

Who is this analyst in the first place? A military analyst?
There is no particular information on Baidu Maps, a Chinese search site.

https://map.baidu.com/@13434352.981476534,4506206.633249341,17z/latlng%3D37.667502587230004%252C120.68153304267139

Checking with "Sentinel Hub EO Browser," a satellite imagery browser provided by the European Space Agency (ESA), I confirmed something like a runway.

https://apps.sentinel-hub.com/eo-browser/

At this point, kn1cht found a list map of Chinese airbases and civil airports.

All Chinese Airports & Airbases
https://earth.google.com/web/@30.89056075,85.19814171,4756.63406472a,7731118.08079372d,30.00000233y,0h,0t,0r/data=MigKJgokCiAxSXZrZnJFVVNRQ3BoN0x4TjB2RDdXOWhCUnVZd01jayAC

However, there was no pin at the location in question.

From here, blackwasan:
Since a runway was visible, I figured it was a newly built airport or airbase, so I searched on Baidu using various local terms that came to mind. Searching for "Penglai City construction airport" (蓬莱市 建造 机场) hit the image below. The shape looks exactly like what was shown on Sentinel.

The title on the right says "Penglai General Airport" (蓬莱通用机场), and this was the Flag.

Diver24{蓬莱通用机场}

public_service (hard) [blackwasan] - 497 point 10 solves

One man said, "I once complained to the city about this intersection, 20 years ago, I think it was November. The administration is terrible these days, but those were good days."
He asked, "What did he contact them about? Answer the reason exactly as it is stated in the documents."
Flag Format: Diver24{Something happened}

Note: The first half includes a lot of help from teammates, thank you!

The location is an intersection in New York. It appears to be the intersection where 46th Avenue and 111th Street meet.

Google Maps
https://maps.app.goo.gl/sTj3Ych6iwqzonEx5

Street View
https://maps.app.goo.gl/9o4L74HT9RDnDx7FA

Searching for ""111th Street" newyork" led to the following file. It's a document describing improvement plans for 111th Street, but it's from 2015, which is a bit too recent. I skimmed through it just in case, but found no mention of "complaining in 2004."

On the official NYC government website (nyc.gov), there are several pages like "XX Complaint," and while further exploring the site, I found something called a "Complaint Statistical Report." It lists the dates complaints were received and the category IDs, so I thought this might be the key. However, this report has only been published since 2015, so that wasn't it either.

There is also a "CIVILIAN COMPLAINT REVIEW BOARD (CCRB)," which has its own website.

I found an archive site for this as well.

I checked through it, but found no useful information... or rather, it was for complaints against police officers. Something felt wrong, so I looked up the role of the CCRB and found it's an organization that investigates police misconduct. It seemed that searching the CCRB wouldn't lead to the flag.

Returning to square one, I searched for "new york complaint database 2004" and found a service that displays historical complaint records for New York City.

https://data.cityofnewyork.us/Social-Services/311-Service-Requests-for-2004/sqcr-6mww/data_preview

There are about 1.1 million records for 2004, and looking through them 100 at a time would be agonizing. There is an "Action" button in the upper right of the page from which the entire dataset can be downloaded as a CSV (approx. 532MB). This data records the date the inquiry was created (CreatedDate), the target location (Street name), and the content of the complaint (Descriptor), but since visual inspection is impossible, I tried using grep.

I wanted to extract records where "CrossStreet1" and "CrossStreet2" or "Intersection Street1" and "Intersection Street2" were "46 AVENUE" and "111 STREET" respectively.

$ cat 311_Service_Requests_for_2004_20240609.csv | grep "46 AVENUE,111 STREET" > grep.csv

Three records appeared, but their recording dates were not in November. I tried the flags just in case, but they were Incorrect. So, I decided to be more flexible and look for records where "46 AVENUE" and "111 STREET" simply appeared anywhere in the record.

$ cat 311_Service_Requests_for_2004_20240609.csv | grep "46 AVENUE" | grep "111 STREET" > grep2.csv

Then, in the record with Unique ID: "1219841," I found a complaint regarding 111th Street and 46th Avenue filed on 2004/11/15.

Diver24{Street Light Out}
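
The intersection search above, redone with a CSV parser as an added example (not the author's code): it matches the two street names as whole field values in either order and filters on the creation month, which avoids both the column-order miss of the first grep and the substring matches of the second. The column names, the date formats and the sample rows are assumptions constructed for illustration, and the function names are hypothetical.

```python
import csv
import io
import re
from datetime import datetime

# Assumed column names, compared after stripping spaces and case so that
# "Cross Street 1" and "CrossStreet1" are treated as the same column.
STREET_FIELDS = ("streetname", "crossstreet1", "crossstreet2",
                 "intersectionstreet1", "intersectionstreet2")
# Assumed timestamp layouts for the export; unparseable dates are skipped.
DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%dT%H:%M:%S", "%m/%d/%Y")

# Constructed sample rows (not real 311 records).
SAMPLE_CSV = '''Unique Key,Created Date,Descriptor,Street Name,Cross Street 1,Cross Street 2,Intersection Street 1,Intersection Street 2
9000001,03/02/2004 10:15:00 AM,Constructed descriptor X,,,,46 AVENUE,111 STREET
9000002,11/15/2004 09:30:00 AM,Constructed descriptor A,,,,111 STREET,46 AVENUE
9000003,11/20/2004 04:00:00 PM,Constructed descriptor Y,146 AVENUE,1111 STREET,,,
9000004,11/03/2004 12:00:00 AM,"Constructed descriptor B, quoted",111 STREET,45 AVENUE,46 AVENUE,,
'''


def _norm_key(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _norm_street(value):
    return " ".join(value.upper().split())


def _parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None


def find_intersection_complaints(fh, street_a, street_b, year, month):
    """Rows naming both streets (any street column, any order) in one month."""
    wanted = {_norm_street(street_a), _norm_street(street_b)}
    hits = []
    for raw in csv.DictReader(fh):
        # Skip overflow columns (key None) and treat missing values as empty.
        row = {_norm_key(k): (v or "") for k, v in raw.items() if k}
        streets = {_norm_street(row.get(f, "")) for f in STREET_FIELDS}
        if not wanted <= streets:
            continue
        created = _parse_date(row.get("createddate", ""))
        if created is None or (created.year, created.month) != (year, month):
            continue
        record_id = row.get("uniquekey") or row.get("uniqueid", "")
        hits.append((record_id, created.date().isoformat(),
                     row.get("descriptor", "")))
    return hits


def naive_grep_ids(text, *needles):
    """IDs of lines containing every needle as a raw substring (grep | grep)."""
    return [line.split(",", 1)[0] for line in text.splitlines()
            if all(n in line for n in needles)]


if __name__ == "__main__":
    print("substring match:", naive_grep_ids(SAMPLE_CSV, "46 AVENUE", "111 STREET"))
    for hit in find_intersection_complaints(
            io.StringIO(SAMPLE_CSV), "46 avenue", "111 Street", 2004, 11):
        print("field match:", hit)
```

For the real 532 MB export, pass `open(path, newline="", encoding="utf-8")` instead of the `StringIO`; the reader streams row by row, so memory use stays flat.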

history

promoter (easy) [meow_noisy] - 184 point 90 solves

Give the date of death of the father of the person who initiated the development of the pond shown in the image.
Flag format: Diver24{yyyy/MM/dd}

The pond in the image was cultivated by a certain person who initiated the development in 1628 (Kan'ei 5, 寛永5年). Give the date of death of this person's father.
Flag Format: Diver24{yyyy/MM/dd}
Note: "Kan'ei" (寛永) is one of the Japanese era names. (wikipedia)

Checked EXIF -> No clues found.

Google Lens

Meijimura (Aichi Prefecture) was suggested. After verification through blogs showing similar scenery and the spherical object (a tent) in the center, I confirmed it was Meijimura.
The pond is apparently named Iruka Pond (入鹿池).

Failed approach:
I found the name "Jinkuro" on the Wikipedia page for Iruka Pond, so I entered the date of death for his father, Sakuma Nobumori, but it was incorrect.

Correct approach:
Searching for "入鹿池 開拓" (Iruka Pond development) leads to the following source:

https://suido-ishizue.jp/nihon/12/06.html

According to it:

The proposal was made by a group of six local gentry (Sengoku ronin) including Ezaki Zenzaemon.

There are six people, but first I investigated Ezaki Zenzaemon.
https://ja.wikipedia.org/wiki/入鹿池#入鹿六人衆

Father: Ezaki Zenzaemon Munetomo (享禄3 (1530) - 寛永4 (1627))

The year is written.

Searching for "江崎善左衛門 宗度 1627" revealed the following document, which provided the month and day.
https://www.jstage.jst.go.jp/article/jjsidre1965/49/7/49_7_630/_pdf

Died of illness on November 13, Kan'ei 4 (1627).

Diver24{1627/11/13}

paddy (medium) [meow_noisy] - 494 point 14 solves

The area has undergone two large-scale man-made alterations to the terrain. What is the name of the person involved in this as a local governor (郡司)?
Answer in Japanese (Kanji).
Flag format: Diver24{person's name}

[For non-Japanese speakers]
・Japanese text can be written either vertically or horizontally.
・Historical Japanese is written either horizontally from right to left or vertically. Some old characters (旧字体, Kyūjitai) are also used.

(Hint) Monument speaks.

roku identified the area. It is around Ishinomaki City. The nearest station is "Kageyama" Station.

blackwasan speculated that based on the hint "Monument speaks," it would be good to find and read a monument symbol on the map. They looked for commemorative monuments or natural disaster transmission monuments and found one near "Kageyama" Station.

However, no image of the monument could be found.

Meow_noisy joined the investigation. I wanted to find out the name of the region shown in the photo.
However, even checking Google satellite imagery, there seemed to be no clearly defined section.

To see if it was mentioned in other map services, I checked place names by switching maps using OpenSwitchMaps Web.

https://tankaru.github.io/OpenSwitchMapsWeb/index.html

In "Konjaku Map" (Past and Present Map), I found that this area used to have a name.
https://ktgis.net/kjmapw/kjmapw.html?lat=38.493964&lng=141.224635&zoom=15&dataset=tohoku_pacific_coast&age=0&screen=2&scr1tile=k_cj4&scr2tile=k_cj4&scr3tile=k_cj4&scr4tile=k_cj4&mapOpacity=10&overGSItile=no&altitudeOpacity=2

I searched for "沼縁廣" but got no hits. Remembering the supplemental explanation in the English problem description about reading from right to left, I searched for "廣淵沼" (Hirobuchinuma).

I found a source titled "History of Hirobuchinuma in Miyagi Prefecture" (宮城縣廣淵沼沿革史).

https://books.google.co.jp/books?id=kAIIGsZEo8AC&printsec=frontcover&hl=ja#v=onepage&q&f=false

Searching for "郡司" (Gunji/Local Governor) within the book revealed the name of the governor and mentions of how they had worked on the site once and then overhauled it a second time.

I submitted the name of the governor and it was correct.

Diver24{山崎平太左衛門}

protest (hard) [kuzushiki] - 499 point 8 solves

What is the current road ID of the road where the 23-year-old ecologist was killed?
Flag Format: Diver24{road ID}
Warning: Graphic content related to the killing will appear in this challenge.

This challenge had very little information, with no attached images. Guessing it was an overseas event, I searched with keywords like "23 years old" and "protest," and found the following article:

https://www.thequint.com/what-we-know/iran-anti-government-protests-mahsa-amini-mohsen-shekari-first-execution-death-penalty

In Iran, a 23-year-old man was executed following protests. However, the following points did not match the challenge description:

  • It was a democratization demo, not environmental conservation.
  • Since the question asks for the "current" road ID, it was expected to be a much older event, but this incident was recent (2022).

Searching for other candidates with similar terms led to the following article:

https://www.santelmomuseoa.eus/atlas/detalle.php?ni=EP-0044&lang=en

The summary of the article is as follows:

A work produced in memory of Gladys del Estal Ferreño, a young 23-year-old ecologist from San Sebastian killed by the Civil Guard in Tudela during an anti-nuclear demonstration on 3 June 1979. During the International Day of Action against Nuclear Energy, the anti-nuclear committees of the southern Basque Country organized actions in Tudela (Navarre) against the National Energy Plan and the construction of the Bardenas shooting range, and to stop Lemoniz. Just over two months earlier, on 28 March 1979, reactor 2 at the Three Mile Island nuclear power plant near Harrisburg had suffered the most serious accident in the history of nuclear energy in the USA. (Translated with DeepL)

This matches the challenge description. Next, I wanted to investigate the location of the incident. According to Wikipedia, there is a pedestrian bridge named after her (Gladys del Estal Bridge), so I checked the location.

https://www.google.co.jp/maps/place/43°18'44.2"N+1°58'39.6"W/@43.3130477,-1.9790324,18.25z/data=!4m4!3m3!8m2!3d43.31228!4d-1.97767?hl=ja&entry=ttu

Since there was no limit on the number of attempts for this challenge, I submitted road IDs from the vicinity, but they were all incorrect. Since it was definitely in Spain, I briefly considered brute-forcing Spanish road IDs, but that seemed inelegant, so I investigated the location properly. I found the following site:

https://ejatlas.org/conflict/the-death-of-gladys-del-estal-tudela-spain

It turned out the incident took place in Tudela. Submitting the road IDs from that area worked.

Diver24{NA-8703}

transportation

youtuber (medium) [blackwasan] - 211 point 86 Solves

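In 2023, a YouTuber caused a controversy by riding trains and eating at restaurants in Japan without paying, and by posting videos of it.
While riding a train in Japan without paying, he was caught once at a station in the Kyushu region, but he ran away and rode another train without paying again.
Tell us the station where he was caught and the train number of the train he transferred to. Answer with the train number in the format printed in the timetable.
Flag format: Diver24{station name_train number}
For example, if he was caught at Orio Station (折尾) and transferred to train 456M, the flag is Diver24{折尾_456M}.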

In 2023, a YouTuber became a problem when he posted a video of himself and his mates riding for free and eating for free in Japan.
He was once caught riding a train in Japan without paying at a station in the Kyushu region, but he escaped and rode another train without paying again.
I would like to know the station where he was caught and the number of the train to which he changed. Please answer with the train number (列車番号) in the format shown on the timetable (時刻表).
Flag Format: Diver24{station name_train number}
For example, if he was caught at Orio Station and rode train 456M, the flag should be Diver24{Orio_456M}.
(Hint) Regex of train numbers: \d{1,4}[A-Z]

Investigation by meow_noisy and others:
Many people might have seen this incident in the media. First, we looked into this YouTuber. This led to several articles.

"Traveling across Japan for free" Foreign YouTuber video goes viral, deleted for guideline violations; Outrage over fare-evading on Shinkansen and dining and dashing at hotels
https://www.j-cast.com/2023/10/25471658.html

What is the channel name of Fidias Panayiotou, the foreign YouTuber who posted a video of fare-evading on JR Kyushu Shinkansen "Traveling all over Japan for free"?
https://tadatabilife.hatenablog.com/entry/2023/10/27/061617

It turns out that the video was by a person named Fidias.
Although his original video has been deleted, a re-uploaded version can be found on YouTube.

A scene where he is caught by a station attendant at a conventional line station (from 3:24) is shown, followed by him attempting to escape via Shinkansen while shaking off the attendant's restraint (from 4:26).

Follow-up by blackwasan from here:
Looking closely at this scene, you can see that the Shinkansen used for the escape was the Sakura 572 bound for Shin-Osaka. The train number for that vehicle is 572A, so all that's left is to narrow down the station name.

In the scene where he is caught by the station attendant, the platform information display is briefly shown (3:49).

At this time, Fidias is attempting to get off the JR Kyushu conventional line limited express "Relay Kamome," so the station must be either Hakata or Shin-Tosu, which are the stations where this limited express and the Kyushu Shinkansen can be transferred. From the video, the scale of the station clearly does not match Hakata Station, so the answer is Shin-Tosu Station. (Thinking about it further, the Sakura's information display says "Next: Hakata," so you can also narrow it down from the stop before that.)

Diver24{新鳥栖_572A}

accident (medium) [blackwasan] - 471 point 28 Solves

Please find the time and location of a 2023 accident involving a sightseeing bus similar to the one shown in the image.
Flag format: Diver24{Time_Location}

Time: In the format 2000-01-23 01:23:45, with a 3-second margin of error allowed (local time).
Location: In the format 40.689N74.044E, expressed by truncating to the fourth decimal place.
Note that the time refers to when the bus came to a complete stop after the accident.
Flag example:
Diver24{2000-01-23 01:23:45_40.689N74.044E}
Caution: This challenge contains information related to traffic accidents.

Find the time and location of the accident in 2023 caused by a tourist bus similar to the bus model shown in the image.
Flag format is Diver24{Time_Location} .

Time: it is in the form 2000-01-23 01:23:45 with a margin of error of 3 seconds allowed (local time).
Location: it is in the form 40.689N74.044E, rounded down to the fourth decimal place.
Note that the time refers to the time when the bus comes to a complete stop after the accident.
Flag example:
Diver24{2000-01-23 01:23:45_40.689N74.044E}
Warning: This challenge contains information relating to road accidents.

Inference by roku:
The sign says "愛爾麗集團" (Aierli Group), which looks like Taiwan, but one shouldn't be overconfident. The traffic light looks like a Taiwanese one.
Investigating similar buses, I found that buses from English Tour Bus Co., Ltd. (英倫交通公司, http://inlandbus.com.tw/) have a livery like the one in the photo, so Taiwan seems right.

https://www.alamy.com/stock-photo-tour-buses-park-in-front-of-taiwan-democracy-memorial-park-in-taipei-136369876.html

blackwasan:
In the Chinese-speaking world with well over a billion people, the annual number of bus accidents must be on a completely different scale, so I was glad the bus company was identified!
While searching, I found an article about an accident (October 2023) that seemed to involve the same type of bus.

https://www.taipeitimes.com/News/taiwan/archives/2023/10/22/2003808051

This accident apparently resulted in 4 deaths and 22 injuries. The photo shows a wrecked car and a green bus (the characteristic roof shape also matches), so there is no doubt it's this case.

Further investigation revealed several news videos of the accident uploaded by local media on YouTube. In the example below, footage from what looks like a road surveillance camera capturing the accident at the time is shown.

雲林國道重大車禍! 遊覽車小客車碰撞4人無呼吸心跳 國3南下斗六段遊覽車.小客車相撞! 醸5傷4命危│記者 張峻棟 廖宜德│【LIVE大現場】20231021│三立新聞台 (Major Highway Accident in Yunlin! Tour Bus and Passenger Car Collision, 4 with No Vital Signs, Southbound Highway 3 Douliu Section Tour Bus/Car Collision! 5 Injured, 4 Critical | Reporter Zhang Jundong, Liao Yide | [LIVE Grand Scene] 20231021 | SET News)

Since the video only showed the state after the accident, I was certain that an archive of the road surveillance camera capturing the "probable" moment of the accident must be somewhere.

Relying on the news footage above, I Googled "國3 南 斗六段" (National Highway 3, South, Douliu Section), which I thought indicated the location of the surveillance camera, and found the following Facebook post (Warning: graphic accident footage).
https://www.facebook.com/watch/?v=675908411335360

From the video, the time it came to a complete stop can be estimated as 2023-10-21 09:43:02.

The accident site is a location called "Douliu Road Section" (斗六路段) near the 263K post on National Highway No. 3 in Douliu City, Yunlin County, Taiwan (23.702N, 120.603E).
Street View (captured in 2024) still shows vivid brake marks, and the outer wall and median strip remain damaged.
https://maps.app.goo.gl/7daZonFtT8PmCtZV9

Diver24{2023-10-21 09:43:02_23.702N120.603E}

italy (medium) [roku] - 481 point 23 solves

Considering the challenge description, this is a FlightRadar-type problem. Since I needed to check information from last year (October 2023), I was wondering which tool to use when I checked the "inner voice" meow-san left in our team's working notes.

I decided to simply learn how to use https://globe.adsbexchange.com/. I figured I could manage as long as I knew how to use the Playback feature. With advice from my teammates, I discovered that the bottom-most icon on the right edge of the map is for Playback.

Preparing for Playback. Although a student identifying an aircraft by looking up would likely be limited to daylight hours, I didn't want to risk having to do it twice by narrowing the range too much, so I started Playback from 0:00 JST.

  • Location: Niigata University campus (Ikarashi Campus)
  • Date/Time: Considering JST 2023/10/27, set it to 10/26 15:00 UTC
  • 244x speed (max)

After that, I just stared at the sky over Niigata University. Since a helicopter's shadow crossed between 4:45 and 4:46 on 10/27, I slowed down the Playback to check the details. It matched the information about an Italian aircraft.

The time was 13:45:40 JST, and the barometric altitude was 1600ft. All that was left was to find the owner (company name). I searched for "I-LIDI AW-169" from the aircraft information to look up the owner.

https://flyteam.jp/registration/I-LIDI

I obtained information that the owner was "Alidaunia," so I linked the information found so far to get the Flag.

Diver24{Alidaunia_13:45:40_1600}

container (medium) [meow_noisy] - 496 point 12 solves

Answer the date and the time of day (morning or afternoon) when these images were taken.
The flag format is Diver24{YYYY-MM-DD-[AP]M}. For example, the morning of June 9, 2024 would be Diver24{2024-06-09-AM}.
Specify the date and time (morning or afternoon) when these images were taken.
Flag format: Diver24{YYYY-MM-DD-[AP]M}
Flag Example: Morning of June 9, 2024 -> Diver24{2024-06-09-AM}
(3 attempts)

png.jpg png2.jpg

This was the last challenge our team solved. In fact, while we had reached the Flag on the night of the first day (June 8), we held off on submitting it until the very last minute because we weren't fully confident for several reasons. During that time, the entire team searched for all possible evidence.

Two photos of trucks loaded with containers were provided. While the locations seemed easy to identify given the amount of information in the photos, knowing the location alone wasn't enough, as the challenge asked for the date and time of the shoot.

Actually, for maritime containers, if you know the container number, you can find the movement history on tracking websites. This technique was also used in the HEXA OSINT CTF v3 "Drop it" challenge held in April.

https://zenn.dev/ryo_a/articles/5d5b14d0d875fb#drop-it-(84-solves)

Location Identification

First, we identified the shooting locations. In the first image (png.jpg), there is a banner that says "Katori Shrine Katsuya Festival." Searching for this revealed the area to be Kameido. In the second image (png2.jpg), there is an intersection sign that says "...bashi Minamizume," and by comparing the scenery with Google Street View, we identified it as the Gonohashi Minamizume intersection.

https://maps.app.goo.gl/Kk1vrAJq55nz9Upo6

As seen in the photos, the Katori Shrine Katsuya Festival is held every year on May 5th. This can be used later to narrow down the time period.

Container Tracking

Both photos are clear, and the container numbers (4 letters + 7 digits) are easily readable.
Note that while container tracking terminology varies by site, you just need to imagine the general flow: it starts in an empty state (Gate out empty), is loaded with cargo, arrives at the port, and is then loaded onto a ship.

The orange container in the first photo is HLBU1173129.

https://www.hapag-lloyd.com/en/online-business/track/track-by-container-solution.html?container=HLBU++1173129

  • 2024-05-22 13:20: Gate out empty at Shimizu (Shimizu Port)
  • 2024-05-24 09:08: Arrival in at Shimizu (Shimizu Port)
  • 2024-06-08 23:59: Loaded at Shimizu (Shimizu Port)
  • The ship then headed for Singapore

The blue container in the second photo is APZU2108462.

https://www.searates.com/container/tracking/?number=APZU2108462&type=CT

  • 19 Apr 2024 15:25: Empty to shipper in Tokyo
  • 22 Apr 2024 13:18: Ready to be loaded in Tokyo
  • 30 Apr 2024 11:24: Loaded on board in Tokyo
  • 30 Apr 2024 16:36: Vessel Departure from Tokyo
  • The ship then headed for Sihanoukville, Cambodia

As you can see by comparing them, the movement dates currently viewable are for different periods. However, as mentioned earlier, the festival ends on May 5th, and assuming the banners were removed afterward, the shooting period is likely between April 19th and 22nd, when APZU2108462 was moving outside the port.
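Before pasting a number read off a photo into a tracking site, it is worth confirming the transcription: the last of the 7 digits is an ISO 6346 check digit computed from the other ten characters. The following is an added example, not part of the original write-up; the function names are hypothetical, and the two container numbers are the ones quoted above.

```python
import re
import string


# ISO 6346 letter values run A=10 .. Z=38 and skip the multiples of 11 (11, 22, 33).
def build_letter_values():
    values, n = {}, 10
    for letter in string.ascii_uppercase:
        if n % 11 == 0:
            n += 1
        values[letter] = n
        n += 1
    return values


LETTER_VALUES = build_letter_values()
# Owner code (3 letters) + category identifier (U, J or Z) + 6-digit serial + check digit.
CONTAINER_RE = re.compile(r"^([A-Z]{3})([UJZ])(\d{6})(\d)$")


def check_digit(first_ten):
    """Check digit for the first ten characters (4 letters + 6 digits)."""
    total = 0
    for position, char in enumerate(first_ten):
        value = LETTER_VALUES[char] if char.isalpha() else int(char)
        total += value * (2 ** position)
    return total % 11 % 10  # a remainder of 10 is written as 0


def parse_container(text):
    """Normalise a transcription and report whether its check digit is consistent."""
    number = re.sub(r"[\s\-]", "", text).upper()
    match = CONTAINER_RE.match(number)
    if not match:
        raise ValueError(f"not an ISO 6346 container number: {text!r}")
    owner, category, serial, digit = match.groups()
    return {
        "number": number,
        "owner": owner,
        "category": category,
        "serial": serial,
        "valid": check_digit(number[:10]) == int(digit),
    }


def resolve_unreadable(text):
    """Fill each '?' (an unreadable digit) and keep the readings whose check digit holds."""
    template = re.sub(r"[\s\-]", "", text).upper()
    candidates = [template]
    while any("?" in c for c in candidates):
        candidates = [c.replace("?", d, 1) for c in candidates for d in string.digits]
    return [c for c in candidates
            if CONTAINER_RE.match(c) and check_digit(c[:10]) == int(c[10])]


if __name__ == "__main__":
    # The third reading is a constructed misread (3 taken for 8) to show a failed check.
    for reading in ("HLBU1173129", "APZU 210846 2", "HLBU1178129"):
        print(parse_container(reading))
    # One digit hidden in the photo: only one reading survives the check digit.
    print(resolve_unreadable("HLBU117?129"))
```

A failed check means the number was misread, so an empty tracking result for it says nothing about the container itself.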

Checking the Weather

We narrowed it down to about 4 days, but more information was needed to answer. Looking closely at the photos again, the ground appears slightly wet. Could it have rained?

So, we checked the weather for April 2024 in Kameido (Tokyo) on the Japan Meteorological Agency website.

https://www.data.jma.go.jp/obd/stats/etrn/view/daily_s1.php?prec_no=44&block_no=47662&year=2024&month=4&day=&view=

It seems it rained on the 21st and 22nd. Since these two days were suspicious, we also checked the hourly precipitation, which showed rain from the evening of the 21st until after noon on the 22nd. We suspected it was either 2024-04-21-PM, 2024-04-22-AM, or 2024-04-22-PM.

Since the photo doesn't look like evening, the afternoon of the 21st was unlikely, and since the container entered the port around 13:00 on the 22nd, the afternoon of the 22nd was also improbable. Therefore, we reasoned that 2024-04-22-AM was the most likely candidate.

Anxiety

However, even after repeated discussions, we could not bring ourselves to submit the flag for the container challenge.

While our reasoning seemed sound, we were concerned that we hadn't utilized the history of the first container (HLBU1173129) at all. Since two photos were provided, we wondered if we actually needed to use information from both containers to solve it and if we were missing something (Note: this was a misunderstanding).

Furthermore, this question had a 3-attempt limit, and we feared that making a mistake might prevent us from getting any points.

Straying

The entire team searched for information on the HLBU container, but we couldn't track down where it was in April (it wasn't available on various archive sites).

In an attempt to gather even a little more evidence and gain confidence, we started looking for information that was actually unnecessary.

  • Elections: During this period, a House of Representatives by-election was being held in Tokyo's 15th district. On the evening of April 21st, shortly after 7:00 PM, an incident occurred where a man disrupted candidate Hirotada Ototake's speech in front of Kameido Station and assaulted staff members. In SNS footage from that time, it appeared that almost no rain was falling yet.
  • Pedestrian Zone: In front of Kameido Station, a pedestrian zone is implemented every Sunday from 12:00 to 17:00, closing the section from the Kameido Station North Exit to Kameido 4-chome to vehicles. Although the shooting location was not part of the closure, large trucks might have avoided the Kameido area on Sunday (21st) afternoon.
  • Bakery: Looking at the photos, an illuminated shop is visible in the background of the first one. Checking the map, it's a bakery. However, the shop has irregular holidays, and we couldn't get definitive information even after trying to determine its business days from Instagram posts.


A diagram of us searching for unnecessary evidence because we over-analyzed the problem.

Even after gathering all this information, there was still no stronger evidence than the blue container's tracking and the weather. We stopped our investigation one hour before the CTF ended, submitted it, and got it right.

Diver24{2024-04-22-AM}

I feel like we overthought the intent of the question; despite being a medium difficulty, we did a hard-level investigation. At least we became very familiar with the local situation in Kameido.

After the CTF ended, kn1cht visited the site.

misc

number (easy) [kuzushiki] - 100point 176 Solves

I would like to contact the owner of this vehicle. Could you find out their phone number?
Flag format: Diver24{0123456789}

Note: DO NOT make an actual phone call.

I would like to contact the administrator of this vehicle. Could you please find out their telephone number?
Flag Format: Diver24{0123456789}

CAUTION: DO NOT MAKE AN ACTUAL PHONECALL

(Hint) It is not a mobile phone. It is a landline phone.

(A photo of a car with a license plate "外-4906" is provided)

I will refrain from posting the photo as it contains private information, but a photo of the vehicle was provided. The goal is likely to identify the owner from the license plate.

The number is distinctive and includes the character "外" (Gai). While I initially thought it might refer to a specific region, I found from a blog that it is a diplomatic license plate. It indicates a vehicle used by diplomats such as foreign ambassadors or consuls.
https://car-moby.jp/article/car-life/road-traffic-law-accident/international-number-plate/

So, which country's ambassador is it? While researching diplomatic plates, I found an article stating that the country can be identified by the first two digits.
https://warmheart0159.hatenablog.com/entry/2017/06/06/162406

In my haste to answer, I somehow misread the article and focused on the last two digits. I submitted the phone number for that embassy, which was of course incorrect since the country was different. I tried a few more phone numbers for related parties in a panic, but none worked.

As I dug deeper into diplomatic plates, I discovered that these numbers are also used for presidential transport vehicles. I thought I'd give it a shot, but the president obviously hasn't made a direct phone number public, so that investigation led nowhere.
https://www.mbs.jp/news/column/inside-story/article/2022/06/089335.shtml

At this point, I calmed down and re-read the article on diplomatic plates. I realized that the country is identified by the first two digits, not the last two. When I submitted the phone number for the embassy of that country, it was accepted.

Diver24{0334550361}

label (medium) [blackwasan] - 352 point 62 Solves

Please tell me the postal code of the facility as a likely destination for this package.
If it is the US embassy in Japan, the flag will be Diver24{107-8420}.

Reading the QR code in the bottom right corner only revealed that it corresponded to the tracking number on the left.
Next, I wanted to read the long, horizontal QR-like code. This is a standard called rMQR, recently developed by DENSO WAVE.
https://www.denso-wave.com/ja/adcd/fundamental/2dcode/qrc/rmqr.html

There is an official reading app, so I downloaded it and read the code.
https://apps.apple.com/jp/app/クルクル-qrコードリーダー/id911719423

This resulted in the following string:
SHIPMENT ADDRESS:
Baba-cho 14-1, Tsuruoka City, Yamagata, Japan

This turns out to be the address for the Keio University Tsuruoka Town Campus. Thus, 997-0035 is the Flag.
https://www.ttck.keio.ac.jp/en/contact/index.html

Diver24{997-0035}

wumpus (medium) [kn1cht] - 356 point 61 Solves

The Flag has been posted on a Discord server!
Only for this challenge, it is okay to attempt to contact the target.

A photo showing a Discord screen with a server named "flag" is provided.
Typing the URL manually and attempting to access it results in the expected denial since I wasn't a member of the server.

It seemed I needed to find a way to join the server or ask a member for information.
Looking into how Discord URLs work, the first number is the Server ID and the second is the Channel ID.
I tried searching Google for "1244302408402735114", which led me to a service that lists public Discord servers.

https://discordservers.com/server/1244302408402735114

There was a "Join" button in the top right. After clicking it and authenticating, I was invited to the flag server. A QR code posted in the #general channel revealed the Flag string.

You could use any tool to read the QR code, but I prefer using "クルクル (QRQR)" created by DENSO.

https://www.qrqrq.com/

Diver24{Discord_1s_m0s7_u5efu1_t001}

timestamp (easy) [kuzushiki] - 404 point 50 solves

Answer the date and time the photograph of the aircraft painted “53” was taken.
https://twitter.com/jointstaffpa/status/1767515646286549226
Flag format: Diver24{YYYY-MM-DDThh:mm}
For example, if the photo was taken at 13:45 on 1 April 2024, the flag should be Diver24{2024-04-01T13:45}.

(Hint) You don't need to convert time zones.
(5 attempts)

This challenge asks for the capture date and time of the aircraft mentioned in the following tweet.

Since it was taken in the sky, there was no information like weather that could serve as a clue for the time. I checked the image metadata as well, but no useful information was obtained.

Thinking this image might be published in other materials, I searched for keywords like "H-6 bomber" and "March 12," and found a document in PDF format.
https://www.mod.go.jp/js/pdf/2024/p20240312_01.pdf

I consulted with my teammates about whether we could extract the image from this PDF. kn1cht extracted it quickly and informed me that in the original image data, a timestamp was hidden behind the text "Captured by the Air Self-Defense Force" (航空自衛隊撮影).

(Note from kn1cht) There are several ways to extract images from a PDF file (it seems some teams used copy or edit in Adobe Acrobat). Since there was a possibility that the information was in the image's metadata, I used a "PDF image extraction tool" that allows for extracting the raw data. The time is included in the bottom right of the image data extracted by the tool (likely via a camera imprint function).

https://forest.watch.impress.co.jp/library/software/pdfimgtools/

Diver24{2024-03-12T15:33}

howmany (hard) [kuzushiki] - 497 point 10 solves

As shown in the image, there are two manholes. As of 2024/05/30 23:46 (JST), how many red bicycles could have been returned between these two manholes? Also, what is the ID of this return point?
Flag format: Diver24{Count_ID}
For example, if 10 red bicycles could be returned and the ID for that location was a10012b, the Flag would be Diver24{10_a10012b}.

(Hint) location.png is a north-up map.
(5 attempts)

Three images are provided.


Identifying the Manhole Locations

The question asks about the number of bicycles, but I thought I couldn't do anything without knowing the locations of the manholes first. Since the number in the first image was clear, I assumed the location could be identified using it. In fact, I found scattered information saying it could be identified and discovered a site that seemed capable of doing so.
https://ekikaramanhole.whitebeach.org/ext/0A0A/?c=y&s=01&n=3H&e=0H&ms=osm

However, entering the manhole number (62-01-3F-08) resulted in an error saying "The designation of the character cap (cover) is incorrect." I tried searching for other sites but found nothing useful. While looking into various things, I noticed that letters like "I" and "S" are used in these numbers. I wondered, "Could it be 'I' instead of '1'?" and searching for "62-0I-3F-08" revealed it was a manhole in Kabukicho. Since I often work with hexadecimal, I had an assumption it would be hex.

I planned to identify the second manhole in the same way... but the number in the second image was unreadable. Regaining my composure and turning to the third image, I saw that the first manhole was at a T-junction. By combining all the hints so far, I was able to estimate the manhole's location.

  • Within the blue frame in the image above
  • At a T-junction
  • Near a bikeshare station

Gathering Bikeshare Information

Next, I wanted information on the bikeshare. I reasoned that there might be an API since it was asking for counts. I found the following site:
https://ckan.odpt.org/dataset/c_bikeshare_gbfs-d-bikeshare/resource/06ddbb21-be3d-4163-ac92-d90127e9bf90

I identified the station ID (00010184) from the following endpoint.

      {
        "lat": 35.693602,
        "lon": 139.703229,
        "name": "D6-01. Shinjuku Ward Office Main Building",
        "capacity": 48,
        "region_id": "5",
        "station_id": "00010184"
      },

The number of returnable bikes can also be found from the following endpoint. However, since only the latest data is available, I couldn't get the information for May 30, 2024, which was needed for the flag.

I wondered if I could specify parameters, but found no such information. Thinking that past data might be stored somewhere, I checked archive.today and found data for 2024/05/30 23:46 (actually 14:46 in UTC).

{
    "is_renting": true,
    "station_id": "00010184",
    "is_installed": true,
    "is_returning": true,
    "last_reported": 1717080364,
    "num_bikes_available": 4,
    "num_docks_available": 41
}

Submitting the Flag

Since num_bikes_available was 4, I thought 4 bikes had been returned and joyfully submitted the flag, but it was incorrect. Re-reading the question, it said, "how many red bicycles could have been returned." I realized it was asking for the number of bikes that could have been returned. I tried submitting 44 (Capacity of 48 - 4 bikes), but that was also incorrect. At this point, I had 3 attempts left.

Reading the second JSON closely, there is data for num_docks_available. The documentation states "the number of functional docks that can accept return vehicles," so this must be it.

https://github.com/MobilityData/gbfs/blob/v2.2/gbfs.md#station_informationjson

Capacity is 48, available bikes is 4, yet the returnable capacity is 41...? The inconsistency bothered me, but 41 was the correct answer.

Diver24{41_00010184}

After missing twice, I started to worry if the manhole location was even right and consulted my teammates about whether I should go to Shinjuku to check the manholes in person. I'm really glad I got it right on the third try.
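The 44-versus-41 puzzle above comes down to which GBFS field answers the question: in the v2.2 specification, capacity counts every docking point installed (available or not), while num_docks_available counts only docks that can accept a return right now. The following is an added example, not part of the original write-up; it joins the two records quoted above and checks that the archived snapshot matches the asked time. The function names and the feed envelope (last_updated, ttl) are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))

# Station records copied from the write-up; the GBFS envelope around them
# (last_updated, ttl) is constructed for this example.
STATION_INFORMATION = json.loads("""
{"last_updated": 1717080400, "ttl": 60, "data": {"stations": [
  {"lat": 35.693602, "lon": 139.703229,
   "name": "D6-01. Shinjuku Ward Office Main Building",
   "capacity": 48, "region_id": "5", "station_id": "00010184"}
]}}
""")
STATION_STATUS = json.loads("""
{"last_updated": 1717080400, "ttl": 60, "data": {"stations": [
  {"is_renting": true, "station_id": "00010184", "is_installed": true,
   "is_returning": true, "last_reported": 1717080364,
   "num_bikes_available": 4, "num_docks_available": 41}
]}}
""")


def stations_by_id(feed):
    """Index a station_information or station_status feed by station_id."""
    return {s["station_id"]: s for s in feed["data"]["stations"]}


def returnable_docks(info_feed, status_feed, station_id, asked_local,
                     tolerance=timedelta(minutes=5)):
    """Answer 'how many bikes could be returned' for one station at one moment."""
    info = stations_by_id(info_feed)[station_id]
    status = stations_by_id(status_feed)[station_id]

    # last_reported is a POSIX timestamp (UTC); compare it with the asked local time.
    reported = datetime.fromtimestamp(status["last_reported"], tz=timezone.utc)
    snapshot_matches = abs(reported - asked_local) <= tolerance

    # A station that is not installed or not accepting returns can take no bikes.
    usable = status["is_installed"] and status["is_returning"]
    docks = status["num_docks_available"] if usable else 0

    # The tempting shortcut: installed docking points minus bikes currently parked.
    naive_guess = info["capacity"] - status["num_bikes_available"]

    return {
        "station_id": station_id,
        "name": info["name"],
        "reported_utc": reported.isoformat(),
        "reported_jst": reported.astimezone(JST).isoformat(),
        "snapshot_matches": snapshot_matches,
        "docks_available": docks,
        "capacity_minus_bikes": naive_guess,
        # Capacity the status feed counts neither as a bike nor as a dock open for returns.
        "unaccounted": naive_guess - docks,
    }


if __name__ == "__main__":
    asked = datetime(2024, 5, 30, 23, 46, tzinfo=JST)
    for key, value in returnable_docks(STATION_INFORMATION, STATION_STATUS,
                                       "00010184", asked).items():
        print(f"{key}: {value}")
```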

military

osprey1 (easy) [meow_noisy] - 100 point 203 Solves

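On November 29, 2023, a US military Osprey (V-22) crashed off Yakushima, Japan. What is the number of this aircraft, and what was its callsign at the time of the crash?
Flag format: Diver24{XX-XXXX_CALLSIGN}
For example, if the aircraft registration number is 01-2345 and the callsign is CALL01, the flag is Diver24{01-2345_CALL01}.

There are three challenges about this accident in this CTF. They are unlocked one at a time as you answer correctly.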

On 29 November 2023, a US military Osprey (V-22) crashed off Yakushima Island, Japan. What is the number of this aircraft and what was its call sign at the time of the crash?
Flag format: Diver24{XX-XXXX_CALLSIGN}
For example, if the aircraft registration number is 01-2345 and the callsign is CALL01, the flag should be Diver24{01-2345_CALL01}.

There are three challenges on this accident in this CTF. Each challenge is unlocked by answering the previous one correctly.

This incident refers to the US military Osprey crash off Yakushima.
blackwasan suggested, "(The author) ryo-a might be tweeting about it on Twitter, right?" so we decided to proceed with that approach, a so-called "author meta-reasoning."

Checked for posts on Twitter using the following search query:
"from:geo_vitya since:2023-11-28 until:2023-11-30"

The approach partially hit the mark.

I'm fairly certain it's 12-0065. I'll reconfirm tonight.

Searching for "Yakushima CV-22 callsign" on Google revealed it was GUNDAM22.

Flag:
Diver24{12-0065_GUNDAM22}

I think ryo-a expected that players would use author meta-reasoning.

osprey2 (easy) [kn1cht / meow_noisy] - 100 point 114 Solves

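On February 15, 2024, a memorial ceremony for this accident was held at a US military base. Where was the ceremony taking place at around 16:46:37?
Answer with the OpenStreetMap Way number.
Flag example: Diver24{123456789}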

On 15 February 2024, a memorial service concerning this accident was held at a US military base. At approximately 16:46:37, where was the ceremony taking place?
Answer with the OpenStreetMap Way number.
Flag example: Diver24{123456789}

(Hint) Not the entire air base. Please designate the specific area/point within the air base.

Following the previous challenge, this is a question about the memorial service for the Yakushima US military Osprey crash.
Searching for "osprey memorial service" turned up news reports of the ceremony.

‘Profound bond’: Hundreds gather at Tokyo air base to remember fallen Osprey aircrew | Stars and Stripes
https://www.stripes.com/branches/air_force/2024-02-15/osprey-crash-japan-yokota-service-13010379.html

Regarding the location of the ceremony, the article states "the athletic field outside Yokota’s Samurai Fitness Center," so looking up Samurai Fitness Center on Google Maps reveals an athletic field called Yokota Training Field on its north side.

https://maps.app.goo.gl/xHsoKhRxcyLs7r287

To obtain the Way number for the answer, I investigated features on OpenStreetMap and found Way #810021666 (ground) and #810021665 (running track) at that location.
After meow_noisy struggled because answering with the latter didn't work, kn1cht took over the challenge at this stage and correctly answered by reasoning that #810021666 was a better fit for "athletic field."

https://www.openstreetmap.org/way/810021666

Diver24{810021666}

osprey3 (medium) [kn1cht] - 479 point 24 Solves

The crashed aircraft was apparently parked at some airport on the night of 15 November 2018. Give the elevation (in feet and integer) of that point. You can consider there are no discrepancies in the times of the various data sources. Also you can refer to the latest information about the airport (no need to use data as of 2018).
Flag example: Diver24{250}

This "osprey3" is the last challenge about the Osprey crash in this CTF.

(Hint) Not an altitude of entire airport but an altitude of parking spot.

(Hint) No need to convert, round and so on. You will see an obvious number which matches the statement.
(5 attempts)

This challenge seemed to be difficult, as the number of hints increased during the CTF. To find where an aircraft was in the past, records from airplane spotters (people who take photos and track aircraft as a hobby) are very helpful. I searched for the registration number 12-0065 found in osprey1, and found a photo from 15 November 2018 on the photo-sharing site JetPhotos.

https://www.jetphotos.com/photo/9144357
(This photo was so cool that I was screaming during the CTF)

I found the location to be Kraków John Paul II Balice Int'l - EPKK, Poland. According to Wikipedia, the airport's elevation is 791 ft, but the hint suggested that the specific parking spot's elevation needed to be identified. Comparing the photo with satellite imagery, I could estimate the approximate shooting position from the positional relationship with the control tower and the warehouses in the background.

https://maps.app.goo.gl/iVrxjZkK5pmHvePMA

Searching for things like "EPKK airport charts" to check the airport charts (maps showing airport information for aviation personnel) revealed that this parking area is called "MIL APRON 3".

Since I couldn't find the elevation of MIL APRON 3 from the chart, I searched for EPKK "MIL APRON 3" and found a document about airport construction that listed the elevation of this location in feet.

Diver24{774}

satellite (hard) [kn1cht] - 489 point 18 Solves

In November 2023, North Korea launched a reconnaissance satellite. At 2024-06-07T05:01:07Z, which military airfield was closest to this satellite?
Also, what is the altitude (unit: kilometer) of this satellite at that time.
Flag format: Diver24{airbase name_altitude}

In answering the challenge, use the data which is issued at 2024-06-06T04:41:45.620Z.

The airbase name should be answered with the local language name which can be seen on Google Maps or Wikipedia. For altitude, answer the value rounded down to the nearest whole number.
For example, if the Incirlik Air Base in Turkey is the closest position and the altitude at that time is 613.65 km, the flag should be Diver24{İncirlik Hava Üssü_613}.

(Hint) Not a civil airport or airfield

The North Korean reconnaissance satellite launched in 2023 refers to MALLIGYONG-1.
https://ja.wikipedia.org/wiki/万里鏡1号

Artificial satellites have their orbits constantly monitored, and searching for the name or identification number usually reveals their approximate current position quickly.

https://www.n2yo.com/satellite/?s=58400

However, looking at the challenge description:

  • Need to answer the past position at 2024-06-07T05:01:07Z
  • Use data issued at 2024-06-06T04:41:45.620Z
  • Altitude also needs to be answered in km

These are quite specific instructions. I predicted this was a problem where I needed to calculate the position from the satellite's orbital data. Satellite orbits change constantly, and if the orbital data is old, the correct position cannot be calculated. In fact, according to Professor Sahara of Tokyo Metropolitan University, who posts information about North Korean satellites on X, MALLIGYONG-1 had just corrected its orbit a few days earlier, so old information would likely be useless.

Searching around led to information on programs that calculate position from satellite orbital data (Two-line element set; TLE). I installed the Python library Skyfield and executed the code while referring to the documentation.

https://rhodesmill.org/skyfield/earth-satellites.html

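from skyfield.api import load, wgs84, EarthSatellite

# TLE (two-line element set) for MALLIGYONG-1, NORAD catalog number 58400
tle = [
    '1 58400U 23179A   24159.97159215  .00006581  00000+0  30025-3 0  9991',
    '2 58400  97.4051  46.9797 0001572 158.6830 201.4471 15.20948569 30329'
]
ts = load.timescale()
satellite = EarthSatellite(*tle, 'MALLIGYONG-1', ts)
print(satellite)  # prints the name, catalog number and TLE epoch
# Propagate the orbit to the time given in the challenge (UTC)
geocentric = satellite.at(ts.utc(2024, 6, 7, 5, 1, 7))
# Convert the geocentric position to WGS84 latitude/longitude and height
lat, lon = wgs84.latlon_of(geocentric)
print('Latitude:', lat)
print('Longitude:', lon)
print('Altitude (km):', wgs84.height_of(geocentric).km)

Result: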
MALLIGYONG-1 catalog #58400 epoch 2024-06-07 23:19:06 UTC
Latitude: 31deg 51' 55.4"
Longitude: -100deg 31' 53.6"
Altitude (km): 506.16102972003506

Looking at the output, the TLE epoch is 2024-06-07 23:19:06 UTC, which seems to have been updated since 2024-06-06T04:41:45.620Z. I was concerned about this and tried to find the previous TLE (which miraculously remained in Google search results), but in the end, using a TLE from a few hours off did not affect the answer.

Finally, I just needed to look up the name of the airbase near 31° 51' 55.4" -100° 31' 53.6" (near the town of San Angelo, Texas, USA) and combine it with the altitude of 506 km.

Diver24{Goodfellow Air Force Base_506}
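The TLE-age concern raised above can be checked without any orbit library. The following is an added example, not part of the original writeup: it validates the checksums of the TLE quoted on the page, decodes its epoch, compares it with the two times from the challenge text, and estimates a mean altitude from the mean motion. The function names are illustrative, the two physical constants are standard values, and the altitude is a rough circular-orbit estimate, not an SGP4 result.

```python
from datetime import datetime, timedelta, timezone
import math

# The TLE quoted in the writeup (copied from the page).
LINE1 = '1 58400U 23179A   24159.97159215  .00006581  00000+0  30025-3 0  9991'
LINE2 = '2 58400  97.4051  46.9797 0001572 158.6830 201.4471 15.20948569 30329'
# Times from the challenge text.
ISSUED = datetime(2024, 6, 6, 4, 41, 45, 620000, tzinfo=timezone.utc)
TARGET = datetime(2024, 6, 7, 5, 1, 7, tzinfo=timezone.utc)
MU_KM3_S2 = 398600.4418   # Earth's gravitational parameter (standard value)
R_EQ_KM = 6378.137        # WGS84 equatorial radius (standard value)

def checksum_ok(line):
    """Mod-10 checksum: digits add their value, '-' adds 1, the rest add 0."""
    if len(line) != 69 or not line[68].isdigit():
        return False
    total = sum(int(c) if c.isdigit() else (c == '-') for c in line[:68])
    return total % 10 == int(line[68])

def tle_epoch(line1):
    """Epoch from columns 19-32: 2-digit year + fractional day of year."""
    yy = int(line1[18:20])
    year = 2000 + yy if yy < 57 else 1900 + yy   # TLE pivot year is 1957
    day_of_year = float(line1[20:32])
    return datetime(year, 1, 1, tzinfo=timezone.utc) + timedelta(days=day_of_year - 1)

def mean_altitude_km(line2):
    """Circular-orbit altitude estimate from mean motion (columns 53-63)."""
    n = float(line2[52:63]) * 2 * math.pi / 86400.0   # rev/day -> rad/s
    return (MU_KM3_S2 / n ** 2) ** (1 / 3) - R_EQ_KM

def assess(line1, line2, issued, target):
    if not (checksum_ok(line1) and checksum_ok(line2)):
        raise ValueError('TLE checksum mismatch: line was altered or mis-copied')
    epoch = tle_epoch(line1)
    return {
        'epoch': epoch,
        'newer_than_issued': epoch > issued,
        'propagation_hours': (target - epoch).total_seconds() / 3600,
        'mean_altitude_km': mean_altitude_km(line2),
    }

if __name__ == '__main__':
    for key, value in assess(LINE1, LINE2, ISSUED, TARGET).items():
        print(f'{key}: {value}')
```

A negative `propagation_hours` means the requested time lies before the TLE epoch, so the element set is being propagated backwards.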

investigation_request

Only this category consists of a series of challenges about a certain (fictional) person. However, the challenge named "mapper" turned out to be unexpectedly difficult, and only two teams progressed through this category during the event.

mapper (easy) [kn1cht] - 500 point 2 Solves

You have extremely high investigation skills. We are sorry that we cannot reveal our identities, but we would like to ask you for an investigation.
We are in pursuit of a man.
We were having trouble finding information, but we found a photograph he took and uploaded. We need you to identify when it was taken in local time.

Flag format: Diver24{yyyy-MM-dd HH:mm}
For example, if it is 3:14 pm on 5 June 2024, the flag should be Diver24{2024-06-05 15:14}.

If you answer this challenge correctly, two new challenges will be added.

A legendary challenge that became a hot topic because no one could solve it until near the end, despite being labeled "Easy."
A photo of a street corner is provided. From information such as signs, it is easy to determine that it is a main street in front of Gifu Station, but to find the time it was taken, it seems necessary to find information from when "he uploaded it."

In the metadata of this photo, there is a string FBMD0a000a7101000044a8000099ef01008ffd0100bc0f02002c080400a0c3060003e806000c0407003b250700bb9a0b00, which turns out to be metadata that Facebook adds to uploaded photos.

https://www.hackerfactor.com/blog/index.php?/archives/726-Facebook-Tracking.html

As a result, many teams, including ours, spent their time frantically scouring posts related to Gifu Station on SNS platforms like Facebook, Instagram, and Threads. However, this was a misunderstanding; you cannot reach the correct answer by searching SNS.
It seems the organizers didn't place much emphasis on this metadata, but it acted as an unexpected red herring.

Since the challenge title was "mapper" (a mapmaker) and the description stated that the target had uploaded the photo (if it were SNS, the term "posted" would likely be used), I came up with the possibility that the photo might be found on a map-related service rather than SNS.
Still, the photo didn't appear on major sites like Google Maps, OpenStreetMap, or Wikimedia Commons. Finally, while looking through search results for "map image upload" or "mapper image upload," I discovered a street-level imagery platform called Mapillary.

https://www.mapillary.com/app

Opening the web app and zooming in near Gifu Station, I found that the exact same photo had been uploaded near this location by an account named mori_mune24.

https://www.mapillary.com/app/user/mori_mune24?lat=35.412007&lng=136.75669800000003&z=17&pKey=438678415240541&x=0.5112438510127063&y=0.4499698406608722&zoom=0

The time it was likely taken is listed, so entering that down to the minute gives the Flag.

Diver24{2023-02-06 09:46}


The Discord server buzzed with excitement when mapper, which no one had solved even by nightfall, was finally cracked.

In my personal opinion, it might have been solved a bit more smoothly if the problem description had better conveyed that a map-related investigation would be fruitful, even without meta-reading the title.

venue (easy) [_roku_] - 500 point 2 Solves

It turns out that the person we are tracking seems to have organised an event in May 2024. We are thinking of querying their booking history.
Could you identify the venue for this event?
Flag format: Diver24{URL of the venue}

By performing a horizontal investigation of the Mapillary account name "mori_mune24," I was able to confirm an X (formerly Twitter) account with the same name.

https://x.com/mori_mune24

Checking the posted content, I found a post mentioning a planned event, which shared a link to a Google Doc related to that event.

Checking the contents confirmed that the event was planned for May. From the event name and the name "Morikawa," I felt a slight homage to a certain CTF in Japan where people give security talks while drinking alcohol.

I checked to see if I could get any information from the Google Form, but nothing was available. I also downloaded it and opened it in Word, but no useful information was found. While talking with my teammates, we discussed that there were comments in the document. Upon checking, I found comments like "deleted the link," but I didn't know the destination.

Suddenly, I noticed an expand button. When I opened it, a URL was listed.

The obtained URL was for a rental meeting room. Since it was likely that the event was held in this room, I entered this URL as the Flag.

Diver24{https://www.instabase.jp/space/8039340260}

Side note:
While solving the problem, I accidentally manipulated a comment. To be safe, I asked the management team if I had broken the challenge. At that point, Mune Mori-san himself appeared in the Google Doc.


The man himself appeared

uploader (medium) [meow_noisy] - 500 point 2 Solves

The person we are pursuing appears to have posted a video of a cat somewhere. Can you determine the upload time of that video?
Flag format: Diver24{upload time in unix time(UTC+0)}
For example, if the video was uploaded at 12:34:56(UTC+0) on 1st Jan 2000, the flag should be Diver24{946730096}.

The task was to find where the video was uploaded, but since mori_mune24's social media activity had a lot of noise, our team of five struggled despite our best efforts. For example, he had an Instagram account, a Gmail address could be extracted from a public Google Doc using xeuledoc, and there were hints of him having a LINE account.

It was past 2 AM JST, so we decided to pause the investigation and go to bed. Among us, only _roku_ seemed to be investigating while lying down. He installed TikTok on his smartphone and opened the following post by mori_mune24.

When he did, the following screen appeared. This popup does not appear when opening it in a PC browser.

This occurs because account information is included when generating a share link for a video—an unintended risk of sensitive information leakage when using TikTok.

https://marke-insight.com/tiktok-link-copy/#index_id10

Since we found that one video had been uploaded, we just needed to check the posting time.

Searching for "tiktok upload date" led to the following tool, which revealed the time.

https://bellingcat.github.io/tiktok-timestamp/

Execution result:
Uploaded on: Sat, 20 Apr 2024 04:59:58 GMT (UTC)

All that was left was to convert it to Unix time.

Flag:
Diver24{1713589198}

(Note from kn1cht)
An alternative method for the TikTok part found while retracing the solution:

view-source:https://www.tiktok.com/@mmrrkkww0615/video/7359809566856449281

Open the source code and search for createTime. You can get the Unix Time directly, which is a bit easier.

"createTime":"1713589240"
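The timestamp lookup and Unix-time conversion described in this section can be reproduced offline. The following is an added example, not part of the original writeup or of the Bellingcat tool's code: it reads the upper 32 bits of the 64-bit video ID as a Unix time, which reproduces the tool output quoted above, and reports the offset from the createTime value quoted in the note. The URL and createTime come from the page; the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Values copied from the writeup.
VIDEO_URL = 'https://www.tiktok.com/@mmrrkkww0615/video/7359809566856449281'
PAGE_CREATE_TIME = 1713589240   # "createTime" field quoted from the page source


def video_id_from_url(url):
    """Extract the numeric ID from a /video/<id> TikTok URL."""
    match = re.search(r'/video/(\d+)(?:[/?#]|$)', url)
    if not match:
        raise ValueError('no /video/<id> component in URL')
    video_id = int(match.group(1))
    if not 0 < video_id < 2 ** 64:
        raise ValueError('video ID does not fit in 64 bits')
    return video_id


def id_timestamp(video_id):
    """Upper 32 bits of the 64-bit ID, read as Unix time (seconds, UTC)."""
    return video_id >> 32


def http_date(unix_time):
    """Format a Unix time the way the tool output on the page is formatted."""
    dt = datetime.fromtimestamp(unix_time, tz=timezone.utc)
    return dt.strftime('%a, %d %b %Y %H:%M:%S GMT')


def compare(url, create_time):
    """Decode the ID-embedded time and compare it with a createTime value."""
    ts = id_timestamp(video_id_from_url(url))
    return {
        'id_time': ts,
        'id_time_utc': http_date(ts),
        'create_time_utc': http_date(create_time),
        'delta_seconds': create_time - ts,
    }


if __name__ == '__main__':
    for key, value in compare(VIDEO_URL, PAGE_CREATE_TIME).items():
        print(f'{key}: {value}')
```

For the values on this page, the ID-embedded time equals the submitted flag value and the createTime field is 42 seconds later.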

Final Words

kn1cht

It was a CTF with many difficult challenges, but I rarely felt completely stuck, and I felt that many were well-designed problems where I could feel my investigation progressing. In particular, satellite, container, and Akeome were my favorites because the investigation process itself was enjoyable.

roku

The word "Torikizoku" almost underwent semantic satiation (Gestalt collapse) due to the brute-forcing. Although the number of challenges I submitted was small, I was able to participate in and spend time thinking about each problem, which I thoroughly enjoyed (thank you to the organizers!!). The "container" challenge, which remained until the end, is a memorable one that we solved after much discussion among all teammates.

kuzushiki

I've been working on OSINT CTFs for several years now, but I still feel that my solving speed is slow. In this CTF, I tried to focus on speed, but that led to several silly mistakes. However, since the team won, all's well that ends well. It was encouraging to fight alongside members of 40548F, a top-tier domestic OSINT team.

blackwasan

Since ryo-a, who usually participates in OSINT as part of team 40548F, was on the organizing side this time, I was invited by meow_noisy to "join forces" and participate as team KAKITSUBATA.
I mainly focused on geo challenges, and I got the impression that many problems clearly reflected the organizers' intent on how they should be solved. I think it was a tournament that both beginners and regulars could enjoy with its wide range of difficulty levels.
I often find myself stuck after solving the problems I can usually handle, but this time many problems were being solved while I was napping or eating, so I really felt the tenacity of my teammates. The excitement when the door to "mapper" was opened after midnight and the exhilaration when our final answer, "container," was accepted are fond memories.
Thank you to the organizers for the fun challenges. Great job!

meow_noisy

First, I'd like to thank the members who readily accepted the invitation to the team. We were able to achieve a good result thanks to the cooperation of people with diverse backgrounds, advanced investigation skills, and above all, a love for solving OSINT problems. In the second half of the CTF, someone would pick up the progress of another's investigation and repeat the process, struggling together until everyone contributed to seizing the flag. This kind of teamwork, unique to team competitions, was truly enjoyable.

And I express my great respect to the management. I believe it must have taken an immense amount of time to create challenges of this caliber. I could vividly imagine the scene of creators using all their resources to put their hearts and souls into the problems, even having to tearfully scrap them when they were solved too quickly or when issues were discovered later, all in an effort to make even better challenges. I believe you have accomplished the very difficult and painful task of providing cross-verification to ensure that correct answers are definitively correct, making challenges solvable for players without specialized knowledge, and ensuring fairness for international players. As a result, I believe DIVER OSINT CTF has been recognized as a top-class OSINT CTF where international players can compete. It has also significantly impacted the awareness of OSINT CTF among those other than traditional players. I've never seen so many writeups written for an OSINT CTF before. I believe you have made a great contribution to revitalizing the community, which seems to be the underlying theme. I felt a deep passion for OSINT CTF throughout the event. Thank you again.

Finally, on behalf of all members of Team KAKITSUBATA, we would like to thank the DIVER OSINT CTF team. Thank you for hosting a wonderful OSINT CTF! 🤿

Footnotes
  1. Regarding the origin of the team name: Since it was a Japanese CTF, we wanted a name with a Japanese ring to it. As the CTF took place in midsummer, we chose Kakitsubata (Iris laevigata), which is a kigo (seasonal word) for midsummer and has the auspicious flower language of "happiness will surely come."
