STACK the Flags CTF Write-up — Hunt him down!
Introduction
STACK the Flags was a CTF organised by GovTech’s Cyber Security Group (CSG) over the weekend from 4th — 6th of December. I took part in this CTF in the hope of honing my skills in various aspects of cyber security, and the challenges in this CTF were certainly insightful. My team and I have definitely learnt a lot from this CTF. Here is the write-up for the OSINT challenge, to give you some insights and hopefully let you take away some knowledge regarding OSINT. Let’s get started!
Challenge Name: Hunt Him down!
Challenge Description: After solving the past two incidents, COViD sent a death threat via email today. Can you help us investigate the origins of the email and identify the suspect that is working for COViD? We will need as much information as possible so that we can perform our arrest!
Challenge Category: Open Source Intelligence (OSINT)
In this OSINT challenge, we were required to find the full name, phone number and residential postal code of the culprit. We were given an email containing the death threat:
From the email given above, I noticed that the email was sent from the domain c0v1d.cf. Hence, I decided to conduct a DNS lookup on this domain to see whether it exposed any information that could help identify the culprit. I used an online DNS lookup tool and the following result was obtained:
From the output, the name servers suggest that the culprit was using a service provided by Freenom for his/her domain, so a whois lookup on the name servers would not have yielded anything useful.
Looking further at the output, the user and contact details in the TXT record caught my eye. It seems that the culprit might be associated with the username lionelcxy, who has the email address lionelcheng@protonmail.com.
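The TXT record was the pivot point of this whole challenge, and the same exposure cuts both ways: a zone you administer can leak a username or contact address just as easily. The script below is an added example (not from the original post or the challenge authors) that parses dig-style answer lines and flags TXT strings carrying identity fields or e-mail addresses; the sample records are constructed to resemble the lookup described above, since the real output only survives as a screenshot.

```python
import re
import shlex

# Constructed dig-style answers modelled on the write-up's lookup of c0v1d.cf;
# the exact record layout in the original post was only shown as an image.
SAMPLE_ANSWERS = """\
c0v1d.cf.       3600  IN  NS   ns01.freenom.com.
c0v1d.cf.       3600  IN  NS   ns02.freenom.com.
c0v1d.cf.       3600  IN  MX   10 mail.c0v1d.cf.
c0v1d.cf.       3600  IN  TXT  "v=spf1 -all"
c0v1d.cf.       3600  IN  TXT  "user=lionelcxy" "contact=lionelcheng@protonmail.com"
"""

# Key names that, in a key=value TXT string, usually name a person rather than a policy.
IDENTITY_KEYS = {"user", "contact", "owner", "email", "admin"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_txt_records(answers):
    """Return {owner: [txt_string, ...]} from dig-style answer lines.
    Each quoted chunk of a TXT RR is kept as its own string, as dig prints it."""
    records = {}
    for line in answers.splitlines():
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) < 5 or parts[3] != "TXT":
            continue
        owner, rdata = parts[0], parts[4]
        records.setdefault(owner, []).extend(shlex.split(rdata))
    return records


def find_contact_leaks(answers):
    """Flag TXT strings that expose an identity: an identity-style key=value
    field, or any embedded e-mail address. SPF/DKIM-style policy strings pass."""
    findings = []
    for owner, strings in parse_txt_records(answers).items():
        for s in strings:
            key, sep, _ = s.partition("=")
            field = key.strip().lower() if sep else None
            emails = EMAIL_RE.findall(s)
            if field in IDENTITY_KEYS or emails:
                findings.append({"owner": owner, "string": s,
                                 "field": field, "emails": emails})
    return findings


if __name__ == "__main__":
    for f in find_contact_leaks(SAMPLE_ANSWERS):
        print(f"{f['owner']} leaks {f['field'] or 'e-mail'}: {f['string']}")
```

Running the same check against a zone transfer or `dig TXT` output of your own domains gives a quick inventory of what an OSINT investigator would see first.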
With that piece of information, I decided to look up the email address associated with the culprit on Google to see whether I could obtain any further information.
True enough, I found a LinkedIn account associated with this email. In addition, the name used in the LinkedIn profile is Cheng Xiang Yi, which matches the initials cxy in the user field found in the DNS record. The LinkedIn profile is as shown:
Combining the name here with Lionel from the DNS record, I gathered that the full name of the culprit is Lionel Cheng Xiang Yi.
After noting that down, there wasn’t much more information associated with this email address. Hence, the next step was to find any accounts associated with the username lionelcxy. I did so on the assumption that the culprit would use the same username on other platforms, such as Instagram, Twitter etc.
My assumption was proven right when a Google search on this username revealed the Twitter and Instagram accounts:
One thing caught my attention immediately. His only tweet on the Twitter account contains a Carousell link, which seems to include his phone number as well. I clicked the link in the tweet to confirm whether that was his profile.
I was excited to see that the username there is indeed lionelcxy as well! This means that the mobile number 963672918 belongs to the culprit. Two further details support this.
First, the challenge hinted that the mobile number contains 9 digits, which fits the mobile number shown in the Carousell post. In addition, a quick look at the user profile shows that the user has the exact same profile picture on both the Carousell and LinkedIn accounts.
With both his full name and mobile number obtained, what is left to uncover is his residential postal code. His Carousell post does not seem to contain any information about his residential address.
Hence, I decided to take a look at his Instagram account instead and see if there are any clues regarding his residential location.
In his latest post, we see that the culprit mentioned food is available just minutes away. Presumably, this would refer to his residential place being minutes away since the image seems to be taken late at night. Keeping this assumption in mind, let’s take a look at his second post on Instagram.
It was not clear if the starting point or destination from this post is his residential location. Hence, I decided to check out his Strava profile as linked in his Instagram post:
Interestingly, without an account on Strava, there are no activities listed on his profile. This was not what I was expecting since he definitely had at least one activity, which was posted on his Instagram. Besides, the distance listed on his profile was shown to be 3.7mi while that in his Instagram post is only 1.5mi.
At this point, I suspected that there might be another activity posted on his account which may point us in the right direction for his residential address. Hence, I decided to create an account on Strava to take a look at his profile. Sure enough, there were two rides shown on Lionel’s profile.
Matching the distance covered and map, we can see that what was shared in his Instagram post is titled as “My recreational trip! Part 1! Hehe”.
The second post is also posted on the same day albeit at a later time. This is similar to his/her Instagram posts, where there is another post after the recreational trip post.
What caught my attention was the word home in his post. I decided to check out the exact route posted in that post to determine his residential postal code.
Here, we see a definite clue. The culprit posted that “Social Space closes so early. It was just at my block”. From here, it is clear that the culprit stays in the same block where Social Space operates. Hence, I decided to take a look at Social Space on Google Maps.
Now, it seems like there are two places with the name The Social Space, as shown below:
As a result, I was a bit stumped as to which Social Space outlet the culprit was referring to. Therefore, I decided to take a look at the Street View on Google Maps for both outlets and see if either cafe is located in a residential block.
By comparing both street views, it was clear that The Social Space cafe at Marina One was in a residential block. This can be seen from the cafe’s address as well:
5 Straits View, #01–03 (Garden Tower), Marina One Residences Opposite Marina Bay MRT, 018935
Now, for the outlet at Kreta Ayer Road, Block 333, where the cafe is situated, does not seem to be a residential block. Most spaces on the first and second floors seem to be shops instead of residential flats.
To confirm my assumption, I remembered that the Instagram post mentioned Lau Pa Sat being minutes away from presumably the culprit’s residential place.
From his Strava and Instagram posts, I figured out that perhaps the culprit had first completed a recreational ride. Following that, the culprit decided to go to Lau Pa Sat to satisfy his hunger while riding back home at the end of his/her recreational ride!
This can be confirmed by looking at the destination in the Strava post mentioning he/she could not stand his/her hunger:
From the above comparison, it is clear that the destination for the second Strava post was Lau Pa Sat.
As a result, I decided to map out the route from both cafe outlets to Lau Pa Sat, and I saw an interesting result:
First of all, the distance from the Marina One outlet is shorter than that from the Kreta Ayer outlet. Instinctively, I confirmed The Social Space at the Marina One outlet to be the residential address of the culprit. This was in addition to the earlier finding mentioned above, where the Marina One outlet is located in a residential block while the Kreta Ayer outlet may not be.
To confirm this intuitive guess, I compared the route taken in the Strava post with the route Google Maps suggests from The Social Space to Lau Pa Sat for both outlets.
This comparison makes it clear that the culprit stayed at Marina One, since the route from The Social Space’s Marina One outlet matches the one in the Strava post very closely! Hence, the residential postal code of the culprit would be that of The Social Space at Marina One, which is 018935.
Conclusion
After obtaining the full name, mobile number and residential postal code of the culprit, it is time to piece this information together to obtain the flag!
Full name: Lionel Cheng Xiang Yi
Mobile Number: 963672918
Residential Postal Code: 018935
Flag:
govtech-csg{LionelChengXiangYi_963672918_018935}
This challenge was very fun for me personally! Kudos to the challenge creators for putting up such a challenging and insightful OSINT challenge in this CTF! 😄