
OSINT

Did not manage to hold top 10. Only top 10 for 2 days..huhuh

Farewell

Confession Letter

For this challenge, we got a farewell letter for Nur Syahirah. In that letter we see there is a number from her secret admirer. Let's stalk the number.

getcontact logo

To stalk the number, we first download the Getcontact app from the Play Store or App Store. After that, we enter the number we want to search. In this case we enter the secret admirer's number, which is "+601136740073".

Name saved under the number.

After searching for that number, we found that it is saved under the name 'Hamizan Azmi'.

Then we tap the tag area, scroll down a little bit, and find the flag.

EG{g3t_3xpOs3d}

Broken Man

BrokenFlag

The next challenge is Broken Man. The hint given in this challenge is "@theniceguy4485 1 year ago". We need to go to YouTube and find the video with the exact duration, which is 3:29.

For those who don't know who he is, you can do a reverse image search with Google Images. It will show the result "peaky blinders zaten kirik". After that, all we need to do is search for it on YouTube.

looks same

This video's duration looks the same as in the challenge image.

looks familiar

After scrolling down a little bit in the comment section, we found the username "the nice guy", 1 year ago. It looks the same as the hint given by the challenge. Let's take a look at the replies under this username's comment.

Base64 encoded.

After scrolling through the replies, we found a Base64-encoded string which could be our flag. Let's decode it using an online tool. Just search Google for "base64 decoder".

Flagssssss

After decoding it with an online tool, we got the flag.

EG{K33P_GR1ND1NG}

Octopus

code.jpg

The next challenge is Octopus. We have been given an image named "code.jpg". First, let's try a reverse search using Google Images.

result doing reverse search

After doing the reverse search, we found that this image is related to GitHub. So maybe we need to find a GitHub account. But how are we going to find it? Let's check the hex of this image; maybe we will find something.

Blesss.

To check the hex of an image, you can use software like a hex editor for Windows. In this case I'm using bless, which is one of the hex editors for Kali Linux. To run bless, simply type "bless <image name file>".

base64 code

From here, we will inspect the header and footer of the image, because hidden messages or code are usually hidden in those sections. After scrolling down to the footer of the image, I found a Base64-encoded string. At first, I thought it was a flag, but it's not.

0hanif0/EGCTF2023

After decoding the Base64, it gives this. For a while I was like 'huh??', but after remembering the first piece of information we got, which is a GitHub account, this may be the GitHub account we need to find.
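The footer check described above can be scripted. This is an added example, not part of the original write-up: it walks the JPEG segments to the real end-of-image marker, returns whatever is appended after it, and decodes any Base64 found there. The sample bytes are constructed for the demonstration (not the challenge's code.jpg), with the string from this write-up as the appended payload.

```python
import base64
import re

def jpeg_trailer(data):
    """Return the bytes that follow the JPEG end-of-image (EOI) marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected a marker at offset {pos}")
            pos += 1                      # ordinary entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI: everything after it is extra
            return data[pos + 2:]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
        elif marker == 0x00 or 0xD0 <= marker <= 0xD7:
            pos += 2                      # stuffed 0xFF byte or restart marker
        else:                             # length-prefixed segment (APPn, DQT, SOS, ...)
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length
            in_scan = marker == 0xDA      # scan data follows an SOS header
    raise ValueError("no EOI marker found")

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def decode_base64_runs(blob):
    """Decode Base64-looking runs in blob that yield printable UTF-8 text."""
    found = []
    for run in B64_RUN.findall(blob):
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:                # bad padding/alphabet, or not UTF-8
            continue
        if text.isprintable():
            found.append(text)
    return found

def segment(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the sample only)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: the APP1 payload carries its own FF D9 (as an embedded
# thumbnail would), so searching for the first FF D9 would stop too early.
PAYLOAD = base64.b64encode(b"0hanif0/EGCTF2023")
SAMPLE = (b"\xff\xd8" + segment(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9")
          + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
          + b"\xff\xd9" + PAYLOAD)
```

Calling `decode_base64_runs(jpeg_trailer(SAMPLE))` returns the decoded trailer text; an image with nothing appended gives an empty trailer.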

0hanif0.github

After randomly searching for '0hanif0', I found a link called raw.githubusercontent.com. This link lists a lot of GitHub user accounts. Then I searched for the account 0hanif0 and found the account link. Let's go through that account.

same information after decode base64

After stalking this GitHub account a little bit, I found a repo, "0hanif0/EGCTF2023". It matches the decoded Base64. Let's take a look at this repo.

flaggggg

After clicking that repo, I found a new folder, then I clicked the new folder and yet another new folder came up. Hahaha... you need to keep clicking the new folder until you find the upside-down flag. This challenge really tested my patience.

EG{G1THUB_15_FUN}

Oldest Historical Tree

memories.jpg

The next challenge is Oldest Historical Tree. This challenge gives you an image named memories.jpg. Let's try a reverse search.

Dataran KTM Ipoh

Reverse search didn't turn up anything, so let's search manually. https://www.caridestinasi.com/tempat-menarik-ipoh/. With the link given by the challenge, I googled the places one by one until I reached this one place, which is KTM Ipoh. After searching for it in Google Maps, I found a nearby place named Dataran KTM Ipoh. The map pattern looks similar to the Pokémon Go map.

After clicking on the pinpoint and looking at the map images in the latest section, I found this. The creator of this challenge is Xion; nice challenge, by the way. There is a Facebook link in the image. Let's go to the Facebook page.

That Facebook link redirects us to the eliteghost Facebook page. After looking at a comment on a recent post, you find a Pikachu Facebook account.

old trees

After stalking the Pikachu account, we found this in a Pikachu post. You can find this comment on one of the Pikachu posts. After inspecting the photo a little bit, you can find a sentence at the left corner of the tree image.

Old Krytan

This could be our flag. The sentence is written in Old Krytan, so let's translate it. Let's decode it by searching for Old Krytan. By using that image, I managed to extract the flag.

EG{L0T5_0F_M3M0R135}

Thirsty

Files

In this challenge we are given 3 files, which are Menu.zip, Place.zip and Pokémon.jpg. From the info we get from the challenge:

  • Pikachu is at Ipoh

  • Saw a Starbucks store

  • Pikachu loves Frappuccinos.

starbuck store near ipoh

From that info, I searched for Starbucks near Ipoh in Google Maps. Let's take a look at them one by one and compare the map pattern with the Pokémon Go pattern.

Map Pattern

After a few searches, I found that the Starbucks Medan Gopeng map pattern is quite similar to the Pokémon Go pattern. I took a look at the review section and the images; nothing found. Stuck for a while.

file content in places.zip

After that, I tried unlocking the zip file Places with Starbuck Medan Gopeng, and it worked. Then we stalk the IG account by searching for it in the likes on an eliteghostm post.

password for menu.zip

After that, I found an account with the same profile picture, then found this. This could be the password for the other file. Let's try it.

after unzip
book cipher
lyric
flagss
line number

Yes, it works. After unzipping menu.zip, it gives us this file. It was a book cipher. To get the message out of the book cipher, let's use this tool: https://www.boxentriq.com/code-breaking/book-cipher. We just need to copy the lyric into the Book text section, then fill in the codes section. After that, you need to set the line number, word number and character number. After that, we get the flag.
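How the line number, word number and character number settings interact is easier to see in code. This is an added example, not part of the original write-up and not the Boxentriq tool's code: it assumes codes written as `line.word.char` with 1-based numbering, and the lyric and codes are constructed rather than taken from the challenge.

```python
import re

def book_decode(book, codes, skip_blank_lines=True):
    """Decode 'line.word.char' codes (all 1-based) against a book text."""
    lines = book.splitlines()
    if skip_blank_lines:                  # numbering that ignores verse breaks
        lines = [ln for ln in lines if ln.strip()]
    out = []
    for code in codes.split():
        parts = code.split(".")
        if len(parts) != 3 or not all(p.isdecimal() and int(p) > 0 for p in parts):
            raise ValueError(f"malformed code: {code!r}")
        line_no, word_no, char_no = (int(p) for p in parts)
        try:
            # Words are runs of letters, digits and apostrophes; punctuation is dropped.
            words = re.findall(r"[A-Za-z0-9']+", lines[line_no - 1])
            out.append(words[word_no - 1][char_no - 1])
        except IndexError:
            raise ValueError(f"code {code} points outside the book text") from None
    return "".join(out).upper()

# Constructed lyric and codes (assumption: not the ones from the challenge).
BOOK = """Rain keeps falling on the cold street
Every stranger offers me a smile

Faded coffee fills the empty cup"""
CODES = "3.2.1 3.2.2 3.2.3 1.3.1 2.1.1 1.2.2"

if __name__ == "__main__":
    print(book_decode(BOOK, CODES))
```

With `skip_blank_lines=False` the blank line counts as line 3, so the same codes no longer resolve; a mismatch like this in the line-counting setting is a common reason a book cipher decodes to garbage.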

EG{REST_WITH_COFFEE}

SixSenses

flag.png

The next challenge is SixSenses. In this challenge, we are given a PNG file. The PNG file shows hand sign language. We can decode it using this link, https://www.dcode.fr/american-sign-language. After decoding it, it gives us a link, which is https://eliteghost.tech/lalala.mp3. After listening to that song, I heard it say something like this: "Ai_man...EG.....follower". After that, I tried to find the username aiman in the eliteghost Malaysia IG.

aimantinoo22

After stalking the eliteghost followers, I found this account that is related to aiman: aimantinoo22.

first post.

After looking at the first post's image and caption, I found "R4" in the picture and a "+++" language. After a little research, it turned out to be the brainfuck language. Let's decode it using dcode.fr. After decoding it, it shows this: ...it could be a part of the flag. Let's take a look at the second post.

R4R3}
second post

Nothing special in the second post, but the caption looks like half of the flag. Next, let's take a look at the highlights.

_S3NS3
hint to the flag.

In this highlight story I found this; it may lead to the flag. After going around the aimantinoo22 account, I realized I forgot to stalk his followers.

izzkhamalia ig

After stalking the aimantinoo22 followers, I found this account. Look at the highlight story.

sweet sour salty bitter

Found a tongue picture that has symbols on it. We need to decrypt it again.

ancient egypt hieroglyphs

After a little research, it turned out to be Ancient Egyptian hieroglyphs. So we need to decode it symbol by symbol. After we decrypt it, it comes out to this:

IS_SO

After combining the parts according to the highlight story on the aimantinoo22 IG, we get the flag.

EG{S1X_S3NS3_IS_SO_R4R3}
