STACK the Flags CTF Write-up — Hunt him down!

Introduction

STACK the Flags was a CTF organised by GovTech’s Cyber Security Group (CSG) over the weekend from 4th — 6th of December. I took part in this CTF in hope to hone my skills in various aspects of cyber security and the challenges in this CTF were certainly insightful. My team and I have definitely learnt a lot from this CTF. Here is the write-up for the OSINT challenge to give you some insights and hopefully allow you to take away some knowledge regarding OSINT. Let’s get started!

Challenge Name: Hunt Him down!

Challenge Description: After solving the past two incidents, COViD sent a death threat via email today. Can you help us investigate the origins of the email and identify the suspect that is working for COViD? We will need as much information as possible so that we can perform our arrest!

Challenge Category: Open Source Intelligence (OSINT)

In this OSINT challenge, we were required to find the full name, phone number and residential postal code of the culprit. We were given an email containing the death threat:

Email containing death threat by the culprit

From the email given above, I noticed that the email was sent from the domain c0v1d.cf. Hence, I decided to conduct a DNS lookup on this domain and see if I was able to find any useful information related to this domain that helps us identify the culprit. I used an online DNS lookup tool and the following result is obtained:

DNS records for c0v1d.cf

From the output, the name servers suggest that the culprit was using a service provided by Freenom for his/her domain. Hence, there will not be any useful information listed if I were to conduct a whois lookup on the name servers.

A further look at the output, the user and contact details under the TXT record caught my eyes. It seems like the culprit might be associated with the username, lionelcxy, who has an email of lionelcheng@protonmail.com.

With that piece of information, I decide to look up the email associated with the culprit on Google to see if I am able to obtain any further information.

True enough, I found a Linkedin account associated with this email. In addition, the name used in the Linkedin profile is Cheng Xiang Yi which matches the abbreviation of cxy in the user field found in the DNS record. The Linkedin profile is as shown:

Culprit’s Linkedin Profile associated with the same email found in the DNS record

Combining the name here with Lionel found in DNS record, I gathered that the full name of the culprit is Lionel Cheng Xiang Yi.

After noting that down, there isn’t much more information associated with this email address. Hence, the next step to do would be to find any account associated with the username, lionelcxy. I decide to do so as I assumed that the culprit would use the same username on other platforms, such as Instagram, Twitter etc.

My assumption was proven right when a Google search on this username revealed the Twitter and Instagram accounts:

Instagram account associated with the Instagram handle @lionelcxy
Twitter account with the Twitter handle @lionelcxy

One thing caught my attention immediately. From his only tweet in the twitter account, it shows a Carousell link. It seems to contain his phone number as well. I decided to click on the link in the tweet to confirm if that is his profile.

Carousell listing by a user with the username lionelcxy

I was excited to see that the username is indeed lionelcxy as well! This means that the mobile number 963672918 belongs to that of the culprit. Now, there are two additional details that could confirm this as well.

First of all, the challenge hinted that the mobile number contains 9 digits, which fits the mobile number shown in the Carousell post. In addition, a quick look at the user profile shows that the user has the exact same profile picture on both the Carousell and Linkedin accounts.

Carousell profile of lionelcxy with the same profile picture as the Linkedin account above

With both his full name and mobile number obtained, what is left to be uncovered is his residential postal code. After looking through his Carousell post, it does not seem to contain any information about his residential address.

Hence, I decided to take a look at his Instagram account instead and see if there are any clues regarding his residential location.

Latest post about food at Lau Pa Sat

In his latest post, we see that the culprit mentioned food is available just minutes away. Presumably, this would refer to his residential place being minutes away since the image seems to be taken late at night. Keeping this assumption in mind, let’s take a look at his second post on Instagram.

A post related to a ride completed by the culprit

It was not clear if the starting point or destination from this post is his residential location. Hence, I decided to check out his Strava profile as linked in his Instagram post:

Culprit Strava’s profile before logging into Strava

Interestingly, without an account on Strava, there are no activities listed on his profile. This was not what I was expecting since he definitely had at least one activity, which was posted on his Instagram. Besides, the distance listed on his profile was shown to be 3.7mi while that in his Instagram post is only 1.5mi.

At this point, I suspected that there might be another activity posted on his account which may point us to the right direction for his residential address. Hence, I decided to create an account on Strava to take a look at his profile. Sure enough, there were two rides shown on Lionel’s profile.

Two rides posted by Lionel on Strava

Matching the distance covered and map, we can see that what was shared in his Instagram post is titled as “My recreational trip! Part 1! Hehe”.

The second post is also posted on the same day albeit at a later time. This is similar to his/her Instagram posts, where there is another post after the recreational trip post.

What caught my attention was the word home in his post. I decide to check out the exact route posted in that post to determine his residential postal code.

Route that potentially contains the culprit’s residential address

Here, we see a definite clue. The culprit posted that “Social Space closes so early. It was just at my block”. From here, it is clear that the culprit stays at the same block where Social Space operates. Hence, I decided to take a look at Social Space on the Google Map.

Now, it seems like there are two places with the name The Social Place as shown below:

Two locations for The Social Space cafe

As a result, I was a bit stumped as to which Social Space outlet was the culprit referring to. Therefore, I decide to take a look at the Street View on Google Map for both outlets and see if either of the cafe is located in a residential block.

Street View of The Social Space cafe at Kreta Ayer Road
Street View of The Social Space cafe at Marina One

By comparing both street views, it was clear that The Social Space cafe at Marina One was in a Residential Block. This can be seen from the cafe’s address as well:

5 Straits View, #01–03 (Garden Tower), Marina One Residences Opposite Marina Bay MRT, 018935

Now, for the outlet at Kreta Ayer Road, Block 333 where the cafe is situated at does not seem to be a residential block. Most spaces on the first and second floors seems to be shops instead of residential flats.

To confirm my assumption, I remembered that the Instagram post mentioned Lau Pa Sat being minutes away from presumably the culprit’s residential place.

From his Strava’s post and his Instagram’s post, I figured out that perhaps the culprit had first completed a recreational ride. Following which, the culprit decided to go to Lau Pa Sat to fill his hunger while riding back home at the end of his/her recreational ride!

This can be confirmed by looking at the destination in the Strava’s post mentioning he/she could not stand his/her hunger:

Comparison of satellite view on Strava’s route and Lau Pa Sat on Google Map

From the above comparison, it is clear that the destination for the second Strava’s post was Lau Pa Sat.

As a result, I decided to map out the route from both cafe outlets to Lau Pa Sat and I see an interesting result:

Route the culprit has to take from The Social Space at Kreta Ayer outlet to Lau Pa Sat
Route the culprit has to take from The Social Space at Marina One outlet to Lau Pa Sat

First of all, the distance from the Marina One outlet is shorter than that of the Kreta Ayer outlet. Instinctively, I confirmed The Social Space at the Marina One outlet to be the residential address of the culprit. This was in addition to previous finding mentioned above where the Marina One outlet is located in a residential block while the Kreta Ayer outlet may not be.

To confirm this intuitive guess, I tried to compare the route taken in Strava’s post and the Google Map suggested route to go from The Social Place to Lau Pa Sat for both outlets.

It is clear from this comparison that definitely, the culprit stayed at Marina One since the route from The Social Place at Marina One outlet matches very closely to that in Strava’s post! Hence, the residential postal code of the culprit would be that of The Social Place at Marina One, which is 018935.

Conclusion

After obtaining the full name, mobile number and residential postal code of the culprit, it is time to piece these information together to obtain the flag!

Full name: Lionel Cheng Xiang Yi

Mobile Number: 963672918

Residential Postal Code: 018935

Flag:

govtech-csg{LionelChengXiangYi_963672918_018935}

This challenge was very fun for me personally! Kudos to the challenge creators for putting up such a challenging and insightful OSINT challenge in this CTF! 😄

--

--

--

Enjoys tinkering with new technologies, spends her free time taking part in CTFs and developing new applications

Love podcasts or audiobooks? Learn on the go with our new app.

ChangeNOW Solution For User’s Security

Quick Tips on Staying Safe in a Protest

Flash Stock Firmware on Samsung Galaxy S8+ SM-G955W

Flash Stock Rom on Samsung Galaxy

AXES METAVERSE: CHEST OPENING TEST

Conquering the Security+

COVID-19, Fake News and Cyber Threats: The Top Five Focuses You Need to Know for Cybersecurity and…

… and the necessary bit of seasoning that you might not have noticed on your most critical logic…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Toh Yu Ting

Toh Yu Ting

Enjoys tinkering with new technologies, spends her free time taking part in CTFs and developing new applications

More from Medium

Vulnhub BreakOut — A Detailed Walkthrough.

Hack the Box: Active Write-Up

can you recon??

CVE-2022–29333 Privilege Escalation Power Director 14 — Exploiting GUI Weakness