Tree Man

OSINT[300Pts] Given Information: I’m so glad we’ve got you on the team; I don’t think we’d have manged to get that last one if it weren’t for you. We’ve been watching the account, and the target just posted another image. This guy really doesn’t learn. We don’t think he’s left Spain yet, but we really need this one pinpointed exactly. Can you work where he took this?

The map here should be accurate to 50 meters.


First thing is to Reverse Image search for any clues. Key search words are Spain Tree Man.

Copyright: (c) Blitzy |

Found an exact copy of the “Tree Man.” Note the tags are: Park Portaventura and Entrance. So we now have an exact location.

We can now see where the entrance is from this map given by the Port Aventura website.

Matching it to Google Maps, then using the link to locate the exact location to the challenge.

Correct Flag

Dead Man

OSINT[350Pts] Given Information: Aargh! They gave us the slip again. We got another image from their Twitter, but it doesn’t look like they’re in the same country anymore. Are you able to track them down again for us and tell us the town they’re in? You’re our best man at this point, so we’re expecting great things.

Our map here should be accurate to 500 meters.

Right way the language was a dead give away at Thai or some Southeast Asian Language.

Educated Guess it was Thai
Christian Cemetery

Christianity is not very big in Southeast Asia. Searching for a Christianity Cemeteries yielded:

One of the more interesting results were the Kanchanaburi War Cemetery

Kanchanaburi War Cemetery, Thailand

The three noticeable features are the same cross, cemetery pattern, and with similar buildings in the background.

Submitted Flag Location(Correct)

Suspended Belief

OSINT[350Pts] Given Information: Amazing work with that last image! We dispatched a team right away, but it seems our target was one step ahead of us. We’re not sure what they’re planning, but we managed to download one final image off the Instagram account until they locked it down.

Can you work out where this picture was taken? One of the guys thought it might have been Queensferry crossing, but that doesn’t look right. You’ll have to be accurate to within 2 kilometres.

Doing a basic Google search of the username yielding someone from of Chinese origin.

Could just be a coincidence, but checking for suspended bridges in the Chinese area. I found one in Hong Kong called “Tsing Ma Bridge”

Tsing Ma Bridge from Google Search

Tried the location of the Tsing Ma Bridge

Flag was found when submitting the location.


[OSINT?? 200 pts]

This 200 point “OSINT” problem kind of strange. I would classify this as more of a Forensics problem, since I generally think that they way you solve this one is forensics based… right?

Part of the description reads: ‘Agent. We found a target posting strange images of boarding passes to his Instagram. None of the guys at base can figure it out, but we think he’s been using the images to exfiltrate data.’

An interesting title for an OSINT problem, but whatever.

Everything looks normal, except instead of a map locator like the 5 others, this one had the standard text Flag format

So right away we know we are looking for an actual flag.
Lets take a look at the attached image.

Immediately I began searching for the details on the flier, but found nothing. RAirway does not seem to be any reference to anything, and the flight numbers and details don’t reveal anything. I spent about 15 minutes searching for a way ti solve this using typical OSINT techniques.

I kept on looking at the Enigma code book under the flier, and the numbers and the barcode and the letters, and my mind kept thinking of forensics and cryptography techniques I might be able to use to extract data from the image – but I kept reminding myself, “No no no, this is a OSINT problem – I’m not gonna be able to extract any data that’s hidden under layers of the image.” So I just left it at that.

After thinking for a while, I thought, ‘hmm I might as well check out that barcode anyway’. and so I did. I opened it in Gimp and turned it into a computer-readable barcode.

rotating the image
cropping the image

Now I went to an online reader, selected the type of barcode this is (it appears to match the PDF417 type), uploaded the image, and let it process it.

However, it detected no barcode. Strange, I thought – until I realized that the colors of the barcode may be different.

Comparing this stock PDF417 barcode to ours, it looks like the the color scheme is inverted.

This image has an empty alt attribute; its file name is image-36.png

White-on-Black background ^ instead of Black-on-White background.

This was easily fixable with Gimp’s color-invert function:

After uploading that to the online barcode-reading site, we get the flag.

…Yep, I solved the OSINT problem using standard Forensic tactics…
(In not sure how Open Source Intelligence was supposed to be used to solve this problem, because I sure didn’t use any)

Flag: ractf{B0ard1ngP4ssD4t4}

Remote Retreat

OSINT [250 pts]

This is the first OSINT (Open Source INTelligence) challenge I have done in a while. While I sometimes find these extremely frustrating, I also find them pretty worthwhile to do anyway.

The problem opens up telling us we are to find the location this photo was taken.

To solve the flag is pretty easy – you just have to click somewhere on the map and if its within 500 meters of the correct location, its correct.

Okay, lets get hunting. Right away we can see that there is a sign:

To me that looks like “tbe HAKA ba*” (the last letter was cut off) with the words “créperie snack” in caps below it.

First, I googled “créperie snack” and found some links to tripadvisor, but they pointed to france by the seaside. I entered in that as the flag but it was wrong, as I had figured.

I then started to google tbe HAKA ba, but to no avail. I then googled “HAKA créperie snack” and some somthing promising.

The TripAdvisor link led me to a collection of photos of a snack shop in France.

Taking a look through them, one photo caught my eye.

The HAKA Bar. That may be what I am looking for. His head covers the word, but I believe it also says CREPES, or something along those lines. The rest of the photos look similar too, the area and landscape look very similar to what we saw in the initial ctf image.

So now we just have to figure out where this shop is. Since these photos were taken in Morzine, France, I added that into the search terms.

This could be it, let me open it in google maps.

WIth this, I simply copied the link, and entered it into the location tool in the CTF page. I clicked in the general location of the bar, hit sumbit flag, and it worked.

Brick by Brick

OSINT [ 400 pts]

The ‘toughest’ OSINT problem at 400pts, didn’t turn out to be too tough.

It appears the story continues, and the man is still on the run. After intercepting an email, we get another photo.

It asks to find the town this is located at. Sounds fair enough, lets get searching.

First off, the red sign on the gate has some text.

I had a lot of guesses as to what it said, but my first original guess was that it said “Portal del Possi” Perhaps “Polsi”. However, this and variants of it resulted in nothing in my google searches.

Taking another look at the photograph, I noticed some flags. This may bring me a clue.

I did not recognize the flag immediately, but after a search I found out it was the flag of “Estelada”

I ended up not clicking the Wikipedia link and simply googled the flag name again, and resulted in this:

My eyes glanced at this particular word, “Països”

Perhaps that is the unidentifiable word on the sign? I thought I would give it a try.

This image has an empty alt attribute; its file name is image-27.png

However, this turned out to be a dead end.

I searched once more for a more detailed description of the image we got, and I included the word “bridge” alongside the search term.

scrolling down, my eyes stumbled across one particular image…

This image is 100% the exact same image and bridge just at a different angle!

Luckily, Wikipedia always has good sources for their images.

After a google maps search, I found the location of this bridge

and put the link into the RACTF maps locator. It was correct.