This weekend I participated in Intigriti 1337UP CTF 2022 between 3/12(Sat) 00:00 ～ 3/13(Sun) 00:00 GMT+9, and it was awesome! Here, I will be doing a writeup for Blink's Secret under the OSINT category.
note.txt shows the following text:
a big fire accident in mr.Blinking man's house, we managed to collect a note with a meme with his own image on it. The note says as follows:
missed a secret which was posted on his social media. I want to find that secret but I don't know where it is. I have some hints regarding where the secret is..
The user name is 15 letters long
user name comprises of my name and zip code of my current residence
the name is thomas mueller then write the name as ThomasMueller
And meme.jpeg shows the following image:
A Google reverse image search of meme.jpeg brings up the name of the meme, which is "First Guy To meme". Results from Know Your Meme show us the name of the man in the meme, which is Drew Scanlon. Therefore, the missing man's name is
Also from note.txt, we know that the username is 15 letters long and has the form Name_zipcode, so we know the username would look something like
We now have his name, so we can try to find his area of residence on Google. I searched for "drew scanlon area of residence" and this website came up.
From this, we can see that Drew Scanlon lives in San Francisco.
I wasn't too familiar with the zip code system in the US, and a quick Google search revealed that it uses a 5-digit convention. However, the username can only be 15 letters long, and DrewScanlon already occupies 12 letters, so this meant that the zip code can only be 3 digits long.
Looking up the zip codes of San Francisco, we can see that they are all 5 digits long.
However, all these zip codes had 941 in common, so I assumed these first 3 digits of the zip code would be used in the username. Therefore, I guessed the username would be DrewScanlon_941. Searching for this name on Twitter reveals this account.
Drew Scanlon has posted "Wait What happened to my previous tweets??", which hints at a deleted tweet.
To see deleted tweets, the Internet Archive Wayback Machine can be used. So I entered Drew Scanlon's Twitter link into the Wayback Machine, which revealed that there was a capture on February 5, 2022 and showed the following tweet:
The deleted tweet was
Woｗ！! What a ｗｏｎdeｒｆul ｄaｙ ！！! І ｗｉsｈ I cｏulｄ eхtenｄ thｉｓ dａｙ as
ｍｕｃh ａs pｏｓｓｉbｌe．..
This mixture of full-width and half-width characters looked pretty suspicious, and I assumed this was some kind of steganography. However, I wasn't too sure what kind of steganography it was using, so I decided to investigate the Unicode types first using Babel Stone.
I tried looking up "half width and full width characters steganography" but nothing useful came up. So I searched "twitter steganography" and this website came up.
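The Unicode inspection described above can also be done locally. The following is an added example, not part of the original writeup: it runs on a constructed sample string in the style of the tweet (not the tweet itself), and the function names are hypothetical.

```python
import unicodedata

# Constructed sample, not the real tweet: fullwidth o, Cyrillic I,
# Cyrillic ha, fullwidth d and a fullwidth exclamation mark mixed into ASCII.
SAMPLE = "W\uff4fw! \u0406 e\u0445ten\uff44 this\uff01"


def inspect(text):
    """Return (index, codepoint, name, kind) for every non-ASCII character."""
    records = []
    for i, ch in enumerate(text):
        if ord(ch) < 0x80:
            continue
        name = unicodedata.name(ch, "UNNAMED")
        if unicodedata.east_asian_width(ch) == "F":
            # Fullwidth forms: NFKC normalization folds these back to ASCII.
            kind = "fullwidth"
        elif (unicodedata.category(ch).startswith("L")
              and unicodedata.normalize("NFKC", ch) == ch):
            # Letters of another script (e.g. Cyrillic look-alikes):
            # NFKC leaves them untouched, so they survive normalization.
            kind = "other-script"
        else:
            kind = "other"
        records.append((i, f"U+{ord(ch):04X}", name, kind))
    return records


def residual_after_nfkc(text):
    """Code points that are still non-ASCII after NFKC normalization."""
    folded = unicodedata.normalize("NFKC", text)
    return [f"U+{ord(ch):04X}" for ch in folded if ord(ch) >= 0x80]


if __name__ == "__main__":
    for index, codepoint, name, kind in inspect(SAMPLE):
        print(f"{index:3d}  {codepoint}  {kind:12s}  {name}")
    print("left after NFKC:", residual_after_nfkc(SAMPLE))
```

The output shows two separate substitution classes: fullwidth forms, which normalization removes, and letters from another script, which it does not.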
My original writeup and the corresponding files can be found on my Github.