The HEXA OSINT CTF v3 is the final episode of this series of CTFs.
Link to the CTFd platform: https://hexaosint.ctfd.io/
With my team (Incompetent Detectives: kortez, bouddah, Dr.Nova and KrowZ (myself)), we managed to finish in 6th position. It was very fun and a bit stressful but we learned a lot of new techniques.
Throughout the writeup I always write "I", but everyone in our CTF team took part in solving the challenges.
A tremendous thanks to the creators of this CTF and well played to all teams.
New case
Rules
Attachment: contestant_guide.pdf
This first challenge is there to give us rules and tips about the CTF:
- Participants must be of legal age.
- Communicate with the staff using our dedicated Discord team channel.
- No flag share, no hint share with other teams.
- Do not interfere with the CTF (creating similar accounts, hacking attempts, etc.)
- Challenges are limited to a number of attempts (generally three). We can ask for a reset but points for this challenge will be lost.
- Social engineering actions are needed when we see this emoji: 👁
Flag: I accept the rules of HEXA OSINT CTF V3.
Ah shit, here we go again !
Attachment: context.pdf
This challenge tells us a lot about the story related to the CTF and the previous editions.
This document mentions that resources used in previous CTFs will not be used in this edition.
It is important to know the context if we want to understand what we’ll do and why in this CTF. It could also help us when writing the report at the end, if all challenges are solved.
Flag: Let's go
Crime Scene
Attachment: Preliminary_report.pdf
The first real challenge in which we’ll need to investigate to find the flag.
What do we learn from the preliminary report?
- Lucilhe Dumarquais (31) died on April 10, 2024 around 14:30.
- She was detained in Women’s Detention Facility, France.
- Presence of an unidentified substance in the victim’s bloodstream
We have this molecule representation:
We must determine what molecule this is.
Search Google for a tool that could allow us to build this kind of representation:
Thanks to this website, we’re able to reconstruct this molecule:
As we can see, the right panel shows the exact same 3D representation.
We assume the CTF creators used this exact same website to create this challenge.
From the website, there’s a tool to get information about a specific molecule:
We confirm this could be used as a poison.
Flag: Ricinine
Business card
Print it
We must find the company’s creation date from this photo of a business card.
After searching on different websites such as LinkedIn, Twitter, Instagram, we eventually found something on Facebook:
https://www.facebook.com/profile.php?id=61557320215105
The page is the one we’re looking for:
We even have an email address which could be useful later.
If we scroll down the Facebook page, we find this comment:
It was posted on March 15, 2024. So two years ago was in 2022.
Flag: 2022-03-15
Name it
We must find who’s behind this company.
Remember, from the Facebook page we gathered a protonmail email address: azlamp19@proton.me
Using Epieos doesn’t show much valuable data.
But the first part of the email could be a username:
There is a Threads profile with this username. Let’s investigate further:
The person is named Alíz Lamp, seems to be Hungarian and is a "Sewing enthusiast", like the Facebook page.
We also identified an Instagram account but this is for another challenge.
Flag: Alíz Lamp
Around it
In the previous challenge, we found a Threads profile and identified another profile on Instagram:
The profile picture and the name are the same, so this is likely the same person.
There’re two highlights on this Instagram page. The first one can be omitted but the second highlight is very important.
I used this website to download the highlight on my local computer because it is easier to analyse video.
We don’t need to be connected to any Instagram account to download videos by using this website.
Here is what we can see from the video:
We identify the end of a URL and at the bottom something starting with Framas…
Let’s search on Google about that:
I registered an account and created a new calendar. Then I tried to generate a link to invite friends and it looked like that:
https://framagenda.org/apps/calendar/p/<ID>/dayGridMonth/now
This is the same structure as we can see in the Instagram highlight.
So I recreated the link and found Aliz’ calendar: https://framagenda.org/apps/calendar/p/diP45FriJ3LNeq5q/dayGridMonth/now
There’s a lot of information given with this calendar. For now, we’ll concentrate on the flag.
We must find where she was supposed to be during the period of the incident.
The period was given in the challenge Crime Scene inside the PDF document: April 10, 2024.
That day, Aliz was on a trip as described in her calendar:
A strange string is mentioned. It looks like a flight number:
But the date is the current day so let’s see if there’s a history:
https://www.flightaware.com/live/flight/AFR328/history/20240404/1125Z/LFPG/CYOW
We are sure she was in Ottawa that day (or at least she was supposed to be there).
Flag: Ottawa
Milk it
On April 6th, Aliz went to this place (according to her calendar):
On Google, we see this is a stadium in Kanata named Canadian Tire Centre.
To determine the event organizer we must look at the events that day:
This is a match between the Ottawa Senators and the New Jersey Devils.
These teams are both part of the National Hockey League (NHL).
So the organizer is the NHL.
The description from the calendar is the following:
Suite next to ledge, west side
We need to find a plan of the stadium:
https://www.canadiantirecentre.com/wp-content/uploads/2023/09/2023-Bowl-Map.png
The ledge is on the left but there is no "suite" around it.
If we go back to the Ticketmaster website and find an event which has not already ended:
https://www.ticketmaster.ca/ottawa-senators-vs-montreal-canadiens-ottawa-ontario-04-13-2024/event/31005EF385491062?did=milkzone
Flag: NHL 450B
Move it
Now, we must locate where she went on April 8th and find the phone number related to this location.
There’s a string code and a Framagenda share link starting with an "s".
This is strange because all links related to calendars start with a "p".
So it should be something else.
In fact, Framagenda offers other services than only a calendar:
And the service starting with an "s" is the file storage.
Modify the URL to be able to access Aliz’ shared storage:
https://framagenda.org/s/YdjE5jpFn4kwSn8
Two files are accessible.
The first photo is a note with instructions written on it.
The second one is an invitation to a "Sewing Meetup".
The invitation is useless for now so we’ll set it aside for this challenge.
The note is interesting but we don’t have any starting point so far.
The weird code GC6V+39P is a Google Plus Code. It is often used to specify a location without having to give an address.
The problem is that it does not always point to the same location. It depends on our previous search.
If I search "Paris" in Google Maps and then GC6V+39P, it will point to this location:
Now the same but with "Marseille" first and then GC6V+39P:
Looking at her calendar, she has an appointment at a restaurant named "La Banquise":
So our research must start in Montreal, Canada and then go to GC6V+39P.
Why? Because if she’s moving from 08:00 to 11:00 and then has an appointment at 12:00 she must be in the same city.
We can also specify the city following the code: GC6V+39P montreal
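The reference-dependence described above, as an added example that is not part of the original writeup: a short Plus Code drops its leading area digits, and the decoder restores them from a nearby reference point. The function names and the approximate city-centre coordinates are assumptions supplied for the illustration; the decoding steps follow the public Open Location Code specification.

```python
"""Resolve the short Plus Code GC6V+39P against different reference cities."""

ALPHABET = "23456789CFGHJMPQRVWX"   # base-20 digit set of Open Location Code
SEPARATOR_POS = 8                    # '+' follows 8 digits in a full code

# Approximate city-centre coordinates (assumed values, used as references).
REFERENCES = {
    "Paris": (48.8566, 2.3522),
    "Marseille": (43.2965, 5.3698),
    "Montreal": (45.5019, -73.5674),
}


def area_prefix(lat, lng, digits):
    """First `digits` characters of the full code that contains lat/lng."""
    lat_i = int((lat + 90.0) * 8000)    # integer units of 1/8000 degree
    lng_i = int((lng + 180.0) * 8000)
    prefix, place = "", 160000          # 160000 units = 20 degrees
    for _ in range(digits // 2):
        prefix += ALPHABET[lat_i // place % 20] + ALPHABET[lng_i // place % 20]
        place //= 20
    return prefix


def decode_center(full_code):
    """Centre (lat, lng) of the cell named by a full code like 87Q8GC6V+39P."""
    digits = full_code.upper().replace("+", "")
    lat, lng, res = -90.0, -180.0, 20.0
    lat_cell = lng_cell = res
    for i in range(0, min(len(digits), 10), 2):   # up to five lat/lng pairs
        lat += ALPHABET.index(digits[i]) * res
        lng += ALPHABET.index(digits[i + 1]) * res
        lat_cell = lng_cell = res
        res /= 20.0
    for ch in digits[10:]:                        # 11th digit on: 4x5 grid
        lat_cell /= 5.0
        lng_cell /= 4.0
        value = ALPHABET.index(ch)
        lat += (value // 4) * lat_cell            # row refines latitude
        lng += (value % 4) * lng_cell             # column refines longitude
    return lat + lat_cell / 2.0, lng + lng_cell / 2.0


def recover_nearest(short_code, ref_lat, ref_lng):
    """Location a short code refers to when read near the given reference."""
    removed = SEPARATOR_POS - short_code.index("+")
    if removed not in (2, 4, 6):
        raise ValueError("not a short Plus Code: %r" % short_code)
    resolution = 20.0 ** (2 - removed // 2)   # degrees covered by dropped digits
    half = resolution / 2.0
    full = area_prefix(ref_lat, ref_lng, removed) + short_code.upper()
    lat, lng = decode_center(full)
    # If a neighbouring area holds a closer match, shift by one area.
    if ref_lat + half < lat and lat - resolution >= -90.0:
        lat -= resolution
    elif ref_lat - half > lat and lat + resolution <= 90.0:
        lat += resolution
    if ref_lng + half < lng:
        lng -= resolution
    elif ref_lng - half > lng:
        lng += resolution
    return lat, lng


def resolve_everywhere(short_code):
    """Map each reference city to the point the short code resolves to."""
    return {city: recover_nearest(short_code, *ref)
            for city, ref in REFERENCES.items()}


if __name__ == "__main__":
    for city, (lat, lng) in resolve_everywhere("GC6V+39P").items():
        print("%-10s -> %.6f, %.6f" % (city, lat, lng))
```

The same eight characters land in three different places, which is why the search has to start from Montreal before the code is entered.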
Now, let’s follow what the note says:
And follow the instructions on the map:
Flag: +15148494526
Jump it
We must identify someone who was with Aliz at the same time as the tragic event in France where Lucilhe died.
If we go back to the Framagenda, on the storage, there was another file:
We should try to find this "Tafy".
With the help of https://whatsmyname.app/ we’re able to identify a Twitter account:
If we look at her posts:
https://twitter.com/tafycouture/status/1778121670818926957
"Le Houblon d’Or" is the name of the bar where Aliz and Tafy were meeting and it was also mentioned on the invitation card.
We know Tafy is the person we are looking for. Her birth date is specified in her Twitter bio:
Flag: 1986-08-05
Shake it
Tafy is a pseudonym. To identify the real person behind it, we must take a closer look at her Twitter account:
"Soon for sale on my profile" but what profile?
Kijiji is an online website to sell your clothes like Vinted but in Canada:
https://www.kijiji.ca
We search for her "ugly" crimson scarf and eventually find it:
On the scarf’s page, her name is given:
https://www.kijiji.ca/v-femme-vetements-autres/shawinigan/crimson-scarf/1690018710
Flag: Gaelle Tremblay
Drop it
The "suspect" in this challenge is Aliz. She ordered goods as seen in her Threads account:
She posted the mail but we can identify the Container ID which is TCNU 657202.
Search on Google about this number:
TCNU means Triton Container.
We are on their website to search for the tracking number:
Finally:
https://tools.tritoncontainer.com/tritoncontainer/unitStatus/show/TCNU6572020?
The container was last seen in Jakarta.
Flag: Jakarta
Technologic
This challenge is a quick recap of what we did to verify Aliz’ alibi and that she cannot be the murderer of Lucilhe.
Flag: Roger that
Lunch time
Duck sauce
Attachment: portrait.jpg
In this challenge, we are given this drawing and our goal is to investigate the artist who drew it and find out since when she has been drawing.
We are also given a name: Barbara Allandes.
Go on Google and simply search for that name:
There’s only one link that redirects to a Flickr account:
We can confirm this is the same person because of the profile picture which is the same as the signature on the drawing.
Flag: 2020
Pray for me
We must identify the lake on the photo:
It can be easily done by using Google Lens to perform a reverse image search on it:
Verify with Google Street View to be sure and compare to the original:
Flag: Lac Guery
Bolt to be alive
Same as the previous challenge but now this is a bridge with a city behind:
Link to Flickr image
We are able to identify multiple elements to help us find the location of this photo:
- French license plate (red).
- Buildings (green).
- Water (seems to be the sea or the ocean) (blue).
- Vegetation (pink).
- Bridge (yellow).
Another important element: the point of view is higher than the buildings, meaning the city is hilly.
If we download the image and focus on the license plate:
It looks like it ends with a 3.
And the first digit looks like a 0 or an 8.
The department 03 is "Allier" but it is clearly not what we’re looking for:
There’s also a comment on the Flickr post: Souvenir of the largest nearby city.
The other candidate, department 83, is the Var. From the Var’s Wikipedia page:
The biggest city is Toulon. Let’s check if it is a possible solution.
On Google we search for "toulon" and find photos like this one:
All elements we identified earlier are there.
Now we must find the exact location.
We’ll use an Overpass Turbo request to find all bridges in Toulon and focus on the ones located near a hill (since we know we are at a higher altitude than the city):
Thanks to the map, we can change the layer and choose "Terrain":
Basically, there are two locations to focus on (red and blue).
The red parts are too far to the left to be possible.
So we are likely in the blue area.
Let’s switch again on the Overpass result:
Only four points are still in the city, next to a hill and have bridges:
Got it!
Google Street view: link
Flag: Av Val Fleuri
Eye of the tiger
We are given this image from the Flickr account:
This one can be easily solved by performing a reverse image search with Yandex on the stone:
The Instagram account says "Ben Ledi" but is now private so we can’t get more information from there.
Let’s verify on Google images:
The crack on the stone is the same and the ground around it too.
Flag: Ben Ledi
When I see you again
The photo we need to locate is this one (still from the Flickr account):
We can’t see anything there. So we must download the file and zoom in on the road sign:
Just with that, we’re able to solve this challenge.
Here are the main elements:
- Québec city at 100km (red).
- Road number 175 (blue).
- Road direction (yellow), so if the road goes south, Québec is towards the south, and then we are north of Québec.
- Alma city at 28 (pink) (you’ll see later that this is not 28 :D).
From Google Maps, compute the 100km from Québec:
This is not absolutely accurate but we have a starting point.
The only place around the 100km is "L’Étape":
Let’s verify by using Google Street View:
We found the exact location!
PS: Alma was at 128km not 28. There was a street sign in front of it hiding the "1".
Flag: L'Etape Canada
Drop it like it’s hot
In this challenge, we must identify the location of this photo:
First I tried to identify the plant in the foreground using this website.
It is a Dasylirion serratifolium and is mainly present in southern France:
Run a reverse image search in parallel:
All the images correspond to the same location:
This matches with what we found from the plant identification website.
We are able to find the same point of view from which the same plant appears:
Flag: Jardin Exotique Eze
Welcome to the jungle
We are given a photo of a kangaroo:
We don’t have a lot of information from this photo.
Run a reverse image search on it using Google Lens:
We identify the same fence as in the original photo.
This links to a Facebook account named "Pizza à bord":
We are then redirected to another Instagram account:
Fortunately for us, someone did our job by asking where this park was:
To be sure, verify the photos posted by people on Google Maps:
Flag: Le Jardin Des Kangourous La Possonnière
Santiano
This is the last challenge of this category.
We must find the location described in this poem:
Here is the text version:
Paris Sleeping
Great southern network
I was there to work
My map is in my hand
Headlamp through unknown land
chilling sanctuary
sprawling ossuary
Noon you go
Well you know
South is the way
Irons on the way
Left when its due
Danger left no clue
We know this is in Paris because of the title and usually Paris is the city you go to when you want to find a job.
"Headlamp through unknown land": When you need a headlamp, you are basically reaching difficult spots where you cannot afford to hold a torch.
But the main element in this poem is "sprawling ossuary":
This gives us the indication of the Paris catacombs.
On Reddit, someone shared this very detailed map:
"Ossuary" once again. Let’s find it on the map:
If we zoom in, we can confirm the location. Now we need to follow the instructions given in the poem.
We’ll see together each element:
- "Noon you go": In French, noon is midi, so we follow the "Diagonale du midi"
- "Well you know": Here it is a reference to the thing containing water. There is a well at the end of the "diagonale du midi".
- "South is the way": Go south.
- "Irons on the way": There are iron bars so we continue.
- "Left when its due": When we are able to turn on the left, go for it.
- "Danger left no clue": We encounter collapses which are dangerous so we go left and find a maintenance well (according to the legend) from where we can get out of the catacombs.
The closest bus stop is Denfert-Rochereau – Froidevaux
Flag: Denfert-Rochereau - Froidevaux
Little party never kill nobody
Thanks to our investigation, we found out that Barbara Allandes is an ideal suspect.
But we need to dig deeper.
Flag: Roger that
Phone
Supply…
Attachment: message1.png
The following screenshot is provided with the challenge:
We need to search for a company that invented something (so maybe there’s a patent related to it) before 2013 in the department of Loire-Atlantique, France about honeycomb.
As it is in French, we must translate "honeycomb":
In France the organisation responsible for patents is the "Institut national de la propriété industrielle" (INPI):
We can perform an advanced search as we already have a lot of information from the screenshot:
- "Mots-clés" (keywords): abeille
- "Pays" (country): France
- "Departement": 44 - Loire-Atlantique
- "Date de publication" (publishing date, until): Jusqu'au 01/01/2013
Here is the query result:
Among all the results, SYNGAS is the only company with a SIRET number:
Flag: 45366810500027
…her
Attachment: message2.png
Once again, we are provided a screenshot of a text message with a patent number. We must find the name of the patent filer:
On Google look for a patent database:
Then type the patent number and run the query:
Select the patent and search it, select "Original Document" and the patent filer name is shown.
Flag: BERNARD RICHARD PALUCH
Paint her
Attachment: Capture.PNG
A basic reverse image search is enough to give us the image we want:
The image comes from this website:
We also found another name with an "s" at the end of "Cuesta".
Flag: Jesus con la Cruz a Cuesta
Connect her
The notes of this challenge send us to this address: 263 Rue de Châteaugiron, 35000 Rennes, France
This is a datacenter and we must find the OSM node of the fiber concentration point.
We can either run an Overpass Turbo query or find an open database with this information in it.
First, let’s try with Overpass Turbo.
Here is the code and the link to the request:
[out:json][timeout:25];
nwr["telecom:medium"="fibre"]({{bbox}});
out geom;
There’s only one fiber concentration point near this address.
Otherwise, with this Google request, we can find an OpenStreetMap dataset containing the information we want:
Go on it: https://magosm.magellium.com/portail/#/carte
And look at the corresponding address:
This is the same point. It validates our assumption.
Flag: 6376633470
Propel her
We only have a description of the plane:
- Military aircraft
- Dual propellers
- Three landing gears (one beneath the nose)
- Wings affixed midpoint
- Horizontal stabilizer attached to rear fuselage
- Unique vertical stabilizer
- Over 30 meters in length
To solve this challenge, we used an incredibly useful tool to specify elements of an airplane:
So we specified all the elements we know from the description:
Only 8 aircraft are shown:
- Breguet Br1150 Atlantic (link)
- Douglas A-20 Havoc
- Grumman AO-1/OV-1 Mohawk
- Grumman F7F Tigercat
- Lockheed P2V/P-2 Neptune
- North American B-25/F-10/PBJ/AT-24 Mitchell
- Piaggio P166 (link)
- Ted Smith/Piper Aerostar (link)
Among all of them, only the first one is at least 30 meters long:
Flag: Breguet Br 1150 Atlantic
Drive her
Attachment: car_trip.mp4
This is the first challenge of this CTF in which we must analyze video data.
During the whole video, the only remarkable element is the road sign on the right with a number and a distance:
Looking for this highway on Google:
It is 428km long and we are at 357 in the video. But where does it start? Is it numbered 0 at the top or at the bottom?
From the A20 Wikipedia page, we see that the counting starts at the north:
So we’re closer to the south part of the highway.
After some time moving along the highway, we eventually find the location:
During the video a Japanese man is saying something. We used this website to translate it:
Even if the translation isn’t perfect, we understand that he wants to stop at the next rest area because he’s hungry.
To be sure of the direction in which the car is going, we can use Google Street View to check the compass:
Let’s see what are the restaurants along the A20: https://ulys.vinci-autoroutes.com/autoroute/a20/?prestations=restaurant&services=
We know we go north so it could only be the next rest area:
And the phone number associated with it:
Flag: +33565300222
Sum her
Attachment: picture.png
The text is written in Spanish so I tried to search in Spain, on the east coast:
If we translate the Spanish text to English we find this:
between the sea at 150m
and death at 60m
wait for the target at the post office box 10 meters away
What’s the "death"?
We tried to find any place containing that name with Overpass Turbo but nothing came out.
So, we tried to look at all the cemeteries near the sea by using this request:
[out:json];
way["natural"="coastline"](around:300,{{bbox}});
(._;>;);
way["landuse"="cemetery"](around:300);
(._;>;);
out meta;
There’s only one cemetery around the sea (300 meters max):
Calculating the distances between the hotel, the cemetery and the sea, we get the same data as given in the image:
Look around the hotel to find the post box:
Street View link
Flag: Hotel RH Corona del Mar
Lead her
Flag: Roger that
The entity
Kermit
There’s a lot of text but the first two paragraphs are only lore.
What’s important here to solve this challenge is between the double quotes.
Basically, we have two pieces of information:
- GPS coordinates: 50.095239, 6.7509299
- Football association based at this location.
We’ll see later that the football thing is a bait and we don’t even need that but for now, let’s see what we can gather about this organization.
We convert the coordinates to an address by using Google Maps:
This is located in a small village in Germany: Auf’m Stamp 9, 54531 Meerfeld, Germany
Ok and now what? Some football organization was mentioned in the briefing so let’s find more about them:
There are traces of the FC Meerfeld, the local football team. On one of those websites, we find their official website: https://www.fcmeerfeld.de/
But no mention of the address.
On this website (found with Google after the few links shown in a previous screenshot) we have a name: Adolf Schmitz
Unfortunately this was a dead end and we didn’t find anything very useful related to this individual.
As we only have coordinates, we tried to check if there was something on Wigle.net. Wigle is a website with billions of Wi-Fi and Bluetooth devices mapped around the world. Anyone can contribute and add the SSIDs and data they find during their journey.
Here is what we can see when we look at the given coordinates:
Only one WiFi access point is found around that location. Looking at the data on the map:
This is exactly where the house is.
It looks like the name given to the SSID is a company denomination: Bioregened Europe
But the flag is the concatenation of the company’s name and its legal status. We only have one of the two required pieces of information.
Nothing on social media, company registers…
We tried to "guess" their website with "bioregened.de", "bioregened.com" and eventually found "bioregened.eu"
At the bottom of the main page, there’s a copyright with the legal status and the name of the company:
Flag: Bioregened e.V.
This is where the fun begins
On the website we found in the previous challenge, there’s a blog page with five articles about different subjects. Our goal is to read them and find out whether there’s an anomaly or fake information in them.
If the article is correct, we put the letter A (accurate), else F (fake).
- First article (oldest):
There’s no mistake in this article (A). The few affirmations are correct:
Thus, “ecology” literally translates to “the study of home”
- Second article:
Since its inception in 1971, the 3.2 million volunteers of Greenpeace has been at the forefront of the fight for environmental justice
This is false (F). There are only 34.000 volunteers.
- Third article:
But with an total emission of 240 639kt just in agriculture (according to IEA)
Once again, the number is incorrect (F). They mention IEA, so let’s verify what they say. The article was posted in December 2023:
The report says that "only" 142 Mt of methane relates to agriculture.
- Fourth article:
This article is correct (A). Seabird species are threatened with extinction and a lot of other articles are available on the Internet:
Unfortunately, we weren’t able to find the exact article or file with the information about the 7 species threatened in Shark Bay (hence our 2/2 attempts 👀). If you find it, please let us know!
- Last article (newest):
According to the Global Carbon Budget, China’s year-on-year change in CO₂ emissions is 7,53%, a figure that continues to climb unabated.
According to the Global Carbon Budget, China’s year-on-year change in CO₂ emissions is NOT (F) 7.53% but "only" 4.0% as seen in the following screenshot:
Flag: AFFAF
No. I’m your father
We must identify another individual under a different pseudonym. The briefing says (stay passive) so maybe there is something to find on the same website as we found earlier: https://bioregened.eu
We tried to look at the calls made by the website to a specific resource but nothing.
In the source code there’s no subdomain or whatever.
But in the source code there’s still something valuable. Only one JavaScript file is loaded: https://bioregened.eu/wp-content/uploads/custom-css-js/104.js?v=9057
And it contains the following code:
We check whether this subdomain works, and it does!
https://combo.bioregened.eu/
Searching around this website, we find another page with crucial information: https://combo.bioregened.eu/bioregened.html
We identified the person responsible: Azure Scout
Flag: Azure Scout
Comlink
In this challenge our goal is to find an email address.
On the main page of the WordPress website, there’s a button to become a member of the organization but registrations are closed and it redirects us to the same website:
Nothing on Wayback Machine but… there are other archiving websites than the wayback machine. Archive Today is one of them: https://archive.ph/pIlsr
The capture was made on April 9, 2024 and at that time, the memberships were open:
The button shows an email address to contact the website owner (or at least the recruiter).
There’s an eye emoji next to the email address so we’ll have to perform social engineering in order to retrieve the information we want.
(This specific rule with the eye was explained before the CTF by the admins).
Flag: join892849@bioregened.eu
Fulcrum
We can now try to contact the organization with their email address.
If we only send a message to become a member we get a response saying the membership is closed and won’t open until 2025.
The only condition to receive the correct email is to say that you are a friend or you know Azure Scout.
We obtain a wallet address, the flag and the pseudonym of the sender:
Flag: Coal factory sabotage
At least we will have revenge
What’s the first thing you do with a wallet address?
Searching on Google 😀
It seems that the wallet is linked to the AVAX (Avalanche) blockchain. Let’s investigate further with Snowtrace:
The person behind this wallet bought an NFT on OpenSea.
This is the path to follow: https://opensea.io/0x6f1Ad25C8cde35b647446b4D776adb735C75BD37
A profile exists with this address.
The profile picture shows the letters G and F (maybe part of the pseudonym).
We learn that he/she is a spatial room creator and a recruiter.
But what does being a "spatial room creator" consist of?
Welcome to the metaverse 😮
Spatial.io is a website on which you can create rooms on a blockchain and interact with other users.
What is the other information we got from the email?
A pseudonym: combo, which is also the subdomain name (combo.bioregened.eu).
We search a room with that name and find this one:
The first "O" of "combo" is the same symbol as on the website and the creator name is Grey_Forager which matches the "GF" letters on the opensea profile picture.
Flag: Grey_Forager
I am the senate
Let’s discover this awesome (or not) world of the metaverse by exploring the room.
There’s a lot of different pictures all around the room. We can interact with these paintings and for each of them, there is a weird code associated.
The room’s description gives us the key:
t.me is the domain for Telegram.
Basically, two keywords catch the eye:
- hive
- science
All the paintings can be grouped in different themes: destruction, death, forest, hive, science…
When we land in the room, in front of us, there’s a red arrow to indicate the direction in which we must start:
Starting from this arrow, if we follow the path and check for every picture related to a hive or science, we identify these four images:
If we concatenate all the strings we find this code: +rNb7gqtPXwNiZDI0
Insert the domain for Telegram before and we obtain this URL: https://t.me/+rNb7gqtPXwNiZDI0
Access it in the browser, it asks us to open the link in the Telegram Desktop application:
Once we have joined the channel, we identify multiple pseudonyms and among them: Indigo Queen
Given its name and by reading all the messages we understand that this person is the head of this organization.
Flag: Indigo Queen
Look sir, droids!
At the end of the discussion, "Scarlet Scout" talks about a "more secure channel" so it must be another application, but which one?
We tried some of them and finally found something interesting on Keybase.
"Scarlet Scout" is the pseudonym we can find on Keybase:
https://keybase.io/scarletscout
She mentions the "hive" so we know this is an account linked to our investigation and the logo is the same as for combo. She’s part of a group named "meetwithmarine"
This is an open team so we can join it. We found the "more secure channel".
Flag: https://keybase.io/team/meetwithmarine
I’m just a simple man trying to make my way in the universe
Once inside the group, we’re able to read the discussion between Marine and Scarlet:
They should meet at an unknown location. All we know so far is that Scarlet leaves Paris and that the train's emission is 1.327kg of CO2.
On Google we can easily find this information:
https://www.data.gouv.fr/en/datasets/emissions-de-co2e-sur-les-liaisons-tgv/
Download the CSV file and look into it. We find only one destination from Paris with this CO2 emission:
In the next message, Scarlet says to "exit the national road at Castorama", "find a parking spot" and then "catch the bus. You’ll get off 11 stops later".
This is enough for us to get the correct location.
Identify Castorama in Vannes:
There are only two bus stops close by:
In her first message, Marine writes about Sunday 15:00.
If we look at the bus lines in Vannes, only three of them run on Sundays:
https://www.kiceo.fr/lignes-urbaines-kiceo/
And only one bus line passes through this bus stop: D2
https://storage.googleapis.com/is-wp-26-prod/uploads-prod/2024/01/D2.pdf
Flag: Le Port
I’m no hero
In this final challenge we must identify people who meet somewhere near the "Le Port" bus stop, which is also located on the port of Vannes.
Fortunately, there’s a webcam running 24/24 and showing images of the port:
With the messages from the Keybase team group, we know the appointment is set to be at noon.
The live cam is running on Youtube, so we’re able to rewind the player and go to 12:00.
We see a man sitting down on a bench, waiting a few minutes and then another man coming and meeting him:
The second man has a yellow scarf. They exchange the briefcase and go away:
Shout out to "Les mercenaires d’Oz" for kindly allowing me to use their screenshot (the last one) for this final challenge (when I wrote this writeup, the livestream wasn’t available anymore).
Flag: yellow scarf
Do or do not. There is no try
Once all the challenges were solved, we could have sent our report to the CTF admin team to gain more points.
Flag: Report sent