jrb

Thursday, 10 March 2022

OSINT quiz 2020 - Sector035

I have been exploring the OSINT community for a few years. I (re)discovered @Sector035's quizzes this year and decided to complete the 2020 edition. See this tweet for context.

I had already started the previous edition ([email protected]). I remember the questions being particularly hard. This new 2020 edition is much simpler and gives an overview of several of the basic tools used in OSINT research.

Spoiler alert! I give practically all the answers to the 2020 quiz below! If you want to take part, I advise you not to read too closely ;)

What is it?

A bit like an escape game, OSINT quizzes ask you to find the solution to a question in order to move on to the next level. You proceed by collecting clues and digging around the web. The questions concern information that is publicly accessible on the Internet, but they also require some thought and analysis.

How to take part?

The procedure to take part is very simple:

How to start the 2020 OSINT Quiz?
Just write an email to: [email protected]

  • The subject should say "start" and nothing else
  • Be patient, the instructions should come in within a minute
  • Read the email and make sure you understand how to send in the answer

You then receive the quiz instructions and questions by e-mail. To move on to the next level, you send the answer as an MD5 hash in the subject of a new e-mail.

If the MD5 hash you send matches the correct answer, you automatically receive the instructions for the next level.
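Each level asks for the answer in a slightly different normalised form before hashing (lowercase, no spaces, letters only, yyyymmddhhmmss, or a Reddit-style timestamp). The helper below is an added example, not code from this post or from the quiz; it collects those rules so a wrong hash can be traced to a formatting slip rather than a wrong answer. All sample values are constructed, not quiz answers.

```python
import hashlib
from datetime import datetime, timezone


def md5_hex(text: str) -> str:
    """MD5 hex digest of a UTF-8 string: the form the quiz expects in the mail subject."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def letters_only_lower(name: str) -> str:
    """Lowercase and drop anything that is not a letter (dashes, spaces, digits).
    Assumption: accented letters such as 'ü' count as letters."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def no_spaces_lower(name: str) -> str:
    """Lowercase and strip spaces only (the first-name + last-name rule)."""
    return name.lower().replace(" ", "")


def compact_timestamp(iso_text: str) -> str:
    """ISO-8601 date/time -> yyyymmddhhmmss (YouTube / robots.txt questions).
    A trailing 'Z' is mapped to +00:00 so older Python versions parse it too."""
    dt = datetime.fromisoformat(iso_text.replace("Z", "+00:00"))
    return dt.strftime("%Y%m%d%H%M%S")


def reddit_iso_from_unix(created_utc: float) -> str:
    """Format a Reddit created_utc value the way the logged-in page shows it:
    yyyy-mm-ddThh:mm:ss+00:00 (seconds precision, UTC)."""
    return datetime.fromtimestamp(int(created_utc), tz=timezone.utc).isoformat()


if __name__ == "__main__":
    # Constructed sample name; the subject line would carry the hash, not the text.
    print(md5_hex(no_spaces_lower("Jane Doe")))
```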

start

On March 28, 2018 I (sector035) sent out a tweet, quoting a geolocation challenge by someone else. But what is the display name of the Twitter account that sent out this quiz?

A Google search (March 28, 2018 sector035) quickly finds the tweet in question. The display name of the account that posted the challenge is Rickey Gevers.

01

Julia Bayer started the whole Quiztime geolocation movement back in 2017. She started out with the hashtag #MondayQuiz. But can you tell me what the last text was that she tweeted in 2017, while using the hashtag #MondayQuiz? Only take the text. No unicode characters, emoticons, hashtags or anything else.

A Twitter search finds the last tweet of 2017: from:bayer_julia #MondayQuiz until:2017-12-31

02

Quiztime crew member @twone2 posted an image on Instagram on November 24, 2018. In the URL you see the unique identifier of the post (called a 'shortcode' by Instagram), which consists of a bunch of lowercase and uppercase letters and numbers. But there is also an 'id', which can be found in the source or JSON output. This one only contains numbers. Can you find this number?

The post in question: https://www.instagram.com/p/Bqj00zHAsgK/

With the following URL, you can retrieve the post's information: https://api.instagram.com/oembed/?url=http://www.instagram.com/p/Bqj00zHAsgK/

The answer is not the full media_id, but only its first part (before the _).

03

In September 2019 someone posted in an aviation forum a quote that explained how Christiaan Triebert has used shadows, that were cast by towers around a launch pad, as sun dials. What is the username of the account that posted this? When you found the name, make sure it's all in lower case, calculate the MD5 hash and send it in.

A Google search finds the answer easily: aviation forum "Christiaan Triebert" sept 2019 sun dials

04

A little Dutch touch in this question. There's a weird artwork in Indianapolis that has its own Wikipedia entry here: https://en.wikipedia.org/wiki/Funky_Bones
The photo on the Wikipedia page can be found all over the internet, but one of the oldest uploads out there is a stock photo site. Are you able to find this stock photo? Then grab the original filename and calculate the MD5 hash. No need to convert anything to lower case, just calculate the MD5 hash of this exact filename that you found on the stock photo website.

This challenge took me a bit more time (the question seemed oddly worded to me). A reverse image search on Yandex let me find the upload on Getty Images.

I then had to work out which metadata field corresponded to the "original filename", with or without the file extension. I got there in the end ;)

05

For this question I'm going to feature the awesome Dutch OSINT Guy Nico. And we'll be looking at YouTube videos, and some online tools that are designed for them. Using a tool that can investigate YouTube content, can you tell me what the exact timestamp of the following video is?
Link to the video: https://www.youtube.com/watch?v=kUVFeXSdkO8
Extract the exact date and time from the timestamp of the video, and convert it as follows: yyyymmddhhmmss
Then calculate the MD5 hash and send it in.

Very easy with this tool: https://mattw.io/youtube-metadata/

06

Time to have a crack at the following image: https://drive.google.com/file/d/1ZhwLFYh2bYD4EhrB5_Lzj1WToovC_psB/view
Provide the name of the person who initially uploaded it to a 'wiki' platform. I want the full name, so the first and last name, all in lowercase and no spaces. Then calculate the MD5 hash and send in your answer.

A Yandex search quickly brings up the result on the wiki2.org domain.

07

It's been some time since that https://osintcurio.us was launched, and somewhere in December 2018 someone posted the link to this website for the first time on a Reddit subforum. Find the forum, find the post, and then extract the timestamp of this post. If you're logged in at Reddit, you can find it in the following format: yyyy-mm-ddThh:mm:ss+00:00
Don't change anything! This time you don't convert to lower case or anything, just grab that timestamp and calculate the MD5 hash!
But whether you are logged in or not, somewhere in the page the date and time of the post is also visible as a Unix timestamp. Never heard of that? Read about it over here. Just dive into the page, find the timestamp, convert it to MD5 and send in your answer!

A Google search finds the Reddit post from 2018: osintcurio.us reddit 2018.

Adding about.json to the end of the URL returns the data associated with the post as JSON. The answer is the Unix timestamp.

08

For this question, we'll be looking at a scan of the website https://osintcurio.us that was performed by urlscan.io in early 2019. Open the following link and click around to have a look at all the information that is stored. But the question can only be answered by opening up the JSON output and have a good look at how much more information is in there, compared to the web interface: https://urlscan.io/result/2d8a4cdb-6c43-4925-a9f9-d99750cf3f8b/
When this scan was made, the webserver sent out slightly different headers than it does nowadays. Please provide the exact text that was sent in the "X-Hacker" header.

Visiting the URL and going to the API section gives the answer.

09

For this question, we'll be looking at some more JSON output, just to give you some extra practice. You'll only need your browser and the developer tools again, like last time. Open the following site, and answer the question: http://www.virtualradar.nl/virtualradar/desktop.html
By looking at the traffic between your browser and the website, and looking at the JSON, can you deduce the name of the variable that shows the total amount of airplanes currently tracked within the view you've selected?

By analysing the requests, you can see in AircraftList.json that the variable totalAc appears to hold the total number of aircraft.

10

Fiete Stegers tweeted a photo from his new workplace some time ago, as a Quiztime geolocation challenge. Nowadays a lot of social media remove most metadata of images or videos, but especially when you download something from a website, it sometimes pays off to check the metadata or EXIF information in a file. With the photo given here, it should be possible to find out exactly where this building is. The photo was placed inside a ZIP file, since Google Drive actually strips certain EXIF information, which would break this quiz: https://drive.google.com/file/d/1bbic7xP7nM0drsICb7e4bm1zkDTbSAF4/view
To answer the question: Don't bother geolocating the building itself, that would be too easy. Simply find the GPS coordinates, and calculate the MD5 hash, after you wrote the coordinates in the following format: latitude,longitude

After downloading the file, the metadata can be extracted with exiftool:

exiftool hamburg.jpg
...
GPS Latitude : 53 deg 33' 23.91"
GPS Longitude : 10 deg 1' 19.48"

To convert to decimal degrees: https://www.latlong.net/degrees-minutes-seconds-to-decimal-degrees

53.5566,10.0220
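The conversion step can be done offline as well. The following is an added example, not code from this post: it parses exiftool's degrees/minutes/seconds lines, converts them to decimal degrees, and truncates to four decimals, which reproduces the pair above; the number of decimals changes the hash, so that choice matters. The sample lines are constructed from the output quoted above, and the optional hemisphere letter (N/S/E/W) that exiftool normally prints is assumed.

```python
import hashlib
import math
import re

# Constructed sample modelled on the exiftool lines above (no hemisphere letter).
EXIFTOOL_OUTPUT = """\
GPS Latitude                    : 53 deg 33' 23.91"
GPS Longitude                   : 10 deg 1' 19.48"
"""

# Matches: GPS Latitude : 53 deg 33' 23.91" N   (hemisphere letter optional)
DMS_RE = re.compile(
    r'^GPS (Latitude|Longitude)\s*:\s*(\d+) deg (\d+)\' ([\d.]+)"\s*([NSEW])?',
    re.MULTILINE,
)


def dms_to_decimal(deg: int, minutes: int, seconds: float, hemi: str = "") -> float:
    """Degrees/minutes/seconds -> decimal degrees; S and W become negative."""
    value = deg + minutes / 60 + seconds / 3600
    return -value if hemi in ("S", "W") else value


def parse_gps(exif_text: str) -> tuple[float, float]:
    """Pull (latitude, longitude) in decimal degrees out of exiftool text output."""
    coords = {}
    for field, d, m, s, hemi in DMS_RE.findall(exif_text):
        coords[field] = dms_to_decimal(int(d), int(m), float(s), hemi)
    return coords["Latitude"], coords["Longitude"]


def truncate(value: float, places: int = 4) -> float:
    """Truncate toward zero (not round) to the given number of decimals."""
    factor = 10 ** places
    return math.trunc(value * factor) / factor


def answer_string(lat: float, lon: float, places: int = 4) -> str:
    """Format as 'latitude,longitude' with a fixed number of decimals."""
    return f"{truncate(lat, places):.{places}f},{truncate(lon, places):.{places}f}"


def gps_answer_hash(exif_text: str) -> str:
    """Full pipeline: exiftool text -> 'lat,lon' string -> MD5 hex for the subject line."""
    lat, lon = parse_gps(exif_text)
    return hashlib.md5(answer_string(lat, lon).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(answer_string(*parse_gps(EXIFTOOL_OUTPUT)), gps_answer_hash(EXIFTOOL_OUTPUT))
```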

11

One of the Quiztime crew members is Philipp Dudek, and he works for HHLab. It's time to look at his profile photo on the website. But... Are you able to find out who the person is that probably edited his photo?
Calculate the name after you converted it to lowercase!

I download the photo and analyse the metadata:

exiftool Philipp.png

In the History field, we can see that a certain Marc worked on the file:
C:\Users\Marc\AppData\Roaming\Adobe\Adobe Photoshop CC

12

Time to dive one more time into the EXIF data with an easy question... Open the following site and extract the EXIF information from the image of the typewriter. You might not be able to download this image right away, so you could use the developer tools to find the direct URL to download it. Go have a look at the abundance of information inside the EXIF data: https://www.behance.net/gallery/11820853/Type-Investigation

The answer is the "Legacy IPTC Digest". And even though it's a hash, just convert the value you've found to an MD5 hash, that's your answer.

The image can be downloaded by going into the developer tools, Network tab, and filtering by images to retrieve the original file.

As in the two previous levels, exiftool extracts the answer and reveals the Legacy IPTC Digest.

13

The website of the OSINT Curious Project (link http://osintcurio.us/) was launched end of 2018. Back in the early days, inside the "robots.txt" that you can find in the root (or top folder) of most webservers, there was a date mentioned. Time for you to dive into history and find this exact date! Grab the date and time mentioned in that file, and create the MD5 hash of the following format: yyyymmddhhmmss

With the Wayback Machine, the original robots.txt file can be found: https://web.archive.org/web/20181214143755/http://osintcurio.us/robots.txt

14

Marco Bereth is one of the people that sends out quizzes for the Quiztime Twitter account. Back in 2013 his Twitter bio was quite different than today. But what was the very first word in his profile back in July 2013?
Grab that word, convert it to lower case, and calculate the MD5 hash!

With https://archive.is or https://web.archive.org, the account's bio from 2013 can be found.

15

Using the website Elephind, you'll be searching for articles that are mentioning the term "OSINT" or "open source intelligence" in any of the indexed newspapers.
Using Elephind, try to find a newspaper from October 29, 2007. The term is mentioned in a calendar of some kind, on page 2 of that particular newspaper. Find that calendar item and find the name of the person that is mentioned. Strip the spaces in that name, convert it to lower case, and calculate the MD5 hash.

A search on Elephind finds the newspaper edition in question. The answer is on page 2, in the calendar section.

16

This statue can be found somewhere in the world, and even has his own 'square'. Are you able to find out where this statue is, and find the name of the 'square' it can be found?
https://drive.google.com/file/d/1W8jhuubkP2-E2Ike2MsedPQfxdNYxpgg/view

Grab the name of the 'square' (in its original language), convert it to lower case and remove anything that isn't a letter. No dashes, spaces, or such. Calculate the MD5 and send in the answer.

This last question gave me a hard time. The photo contains two interesting clues that I tried to explore to find the solution:

  1. The vehicle in the photo is a fire engine (not an ambulance, as I first thought). The word Feuerwehr, German for fire brigade, confirms it.
  2. The square where the statue stands is lined with stairs or pedestrian walkways (behind the fire engine).

It was actually a reverse image search on Yandex that let me make progress. I spotted a photo of the same statue - the back of the head and the pedestrian walkway in front are recognisable (here on Flickr). The photo's description contains the name of the square in Düsseldorf.