DEV Community

Cover image for CTF Writeup: 1337UP CTF 2022

Posted on

CTF Writeup: 1337UP CTF 2022

This weekend I participated in Intigriti 1337UP CTF 2022 between 3/12(Sat) 00:00 ~ 3/13(Sun) 00:00 GMT+9, and it was awesome! Here, I will be doing a writeup for Blink's Secret under the OSINT category.

The challenge is the following,
Figure 1

Two files are given in this challenge, which are note.txt and meme.jpeg.

note.txt shows the following text:

a big fire accident in mr.Blinking man’s house, we managed to collect a note with a meme with his own image on it. The note says as follows:

missed a secret which was posted on his social media. I want to find that secret but I don't know where it is. I have some hints regarding where the secret is..

The user name is 15 letters long

user name comprises of my name and zip code of my current residence


the name is thomas mueller then write the name as ThomasMueller
Enter fullscreen mode Exit fullscreen mode

And meme.jpeg shows the following image:

Figure 2

From note.txt, we can see that the man in meme.jpeg is the missing person as it mentions a meme with his own image on it.

By doing a Google Reverse Image search of meme.jpeg, the name of the meme comes up, which is "First Guy To meme". Results from Know Your Meme shows us the name of the man in the meme, which is Drew Scanlon. Therefore, the missing man's name is Drew Scanlon.

Figure 3

Also from note.txt, we know that the username is 15 letters long and has the form Name_zipcode, so we know the username would look something like DrewScanlon_XXX.

We now have his name, so we can try to find his area of residence on Google. I searched up drew scanlon area of residence and this website came up.

Figure 4

From this, we can see that Drew Scanlon lives in San Francisco.

I wasn't too familiar with the zip code system in the US, and doing a quick Google search revealed that it had a 5-digit convention. However, the username can only be 15 letters long, and DrewScanlon already occupies 12 letters, so this meant that the zip code can only be 3 digits long.

By looking up the zip code of San Francisco, we can see that they are all 5 digits long.

Figure 5

However, all these zip codes had 941 in common, so I assumed this first 3 digits of the zip code will be used in the username. Therefore, I guessed the username would be DrewScanlon_941. Searching up this name on Twitter will reveal this account,

Figure 6

Drew Scanlon has posted "Wait What happened to my previous tweets??", which hints to a deleted tweet.

To see deleted tweets, Internet Archive Wayback Machine could be used. So I inputted Drew Scanlon's twitter link on the Wayback Machine, which revealed that there was a capture on Feburary 5, 2022 and showed the following tweet:

Figure 8

The deleted tweet was

Wow!! What a wonderful day !!! І wish I could eхtend this day as
much as possible...
Enter fullscreen mode Exit fullscreen mode

This mixture of full width and half width characters looked pretty suspicious and assumed this was some kind of steganography. However, I wasn't too sure what steganography it was using, so I decided to investigate the Unicode types first using Babel Stone

Figure 9

I tried looking up half width and full width characters steganography but nothing useful came up. So I searched twitter steganography and this website came up.

Figure 10

I inputted the deleted tweet to the Twitter Secret Messages decoder, and got the flag, which was flcgy0u_f0und_7p3_q:u
Figure 11

My original writeup and the corresponding files can be found on my Github.

Discussion (0)