Pizza Steve is warming the oven before the next post hits the table.
Two OSINT solves built from breadcrumbs, false leads, and careful validation.

Hey everyone, I am Ahmed (aka Pizza Steve), and this is my write-up for both the Delicious Meeting and Dune OSINT challenges.
Firstly, I want to thank the incredible team for the amazing effort put into creating these challenges and for being available to support us whenever needed.
Description:
Willow1124 is planning to meet Ken to enjoy their favorite food. The uploaded files include a picture of Willow1124's hometown. Use Google Maps at all times.
Your task is to figure out the email address of the place where they met.
Flag Format: 0xL4ugh{0xL4ugh@gmail.com}
Author: Zwique
and we were given the following image:

I initially started by examining the EXIF data of the image; however, it had been stripped. Then I ran a reverse image search and identified the country as Sweden and the city as Stockholm, all thanks to that parking sign. But how?

However, this alone would get us nowhere, as we had no information pointing to the restaurant where they would meet.
After re-reading the challenge description carefully, I noticed that Willow1124 looks like a username that may hide something behind it. So I ran Sherlock on it, and it returned a valuable result: a blog!
```
# sherlock Willow1124
Update available! 0.15.0 --> 0.16.0
https://github.com/sherlock-project/sherlock/releases/tag/v0.16.0
[*] Checking username Willow1124 on:
[+] 1337x: https://www.1337x.to/user/Willow1124/
[+] Archive.org: https://archive.org/details/@Willow1124
[+] ArtStation: https://www.artstation.com/Willow1124
[+] Blogger: https://Willow1124.blogspot.com
```

Reading through the blog, it revealed all the clues needed to solve the challenge:
I was meeting Ken to eat sushi.
I'd gotten off one stop too early.
The name of the place we're meeting up at consists of four parts.
The image in the blog shows the arrival station; a reverse image search identifies it as Stockholm Central Station. However, as the post says, he got off one stop early, so the meeting place must be around the stop before it.

Within this area, we can search Google Maps for nearby sushi restaurants whose name has four parts, as the blog said. Doing so, we find a match: Soyokaze Sushi and Ramen. Visiting their website, we find the email address in the Contact Us section.

**Flag:** 0xL4ugh{kafe@soyokaze.se}
Description:
In the world of Dune everything has two faces depending on who you are. A Fremen can be a trusted ally to House Atreides... or a nightmare to House Harkonnen.
In the last cycles, our largest automation colony, Arrakis-colony, was hit by a so-called Sand Worm. The harvesters stalled, telemetry went wild and, worst of all, Secrets were stolen.
Your mission is to help us understand what really happened - and recover what was taken.
Find our official Presence on the Open Web.
From there, track down where we keep our harvesters' Source Code. Somewhere in those spice Packages you will see what the sand beast did to us.
Rumours say that someone has already seen a piece of our secrets and left traces of it behind. We need you to confirm or deny this, and follow the trail as it moves across dunes.
Be aware of the Many Fakes, If you read the signs correctly and follow every breadcrumb, you'll uncover all stolen fragments.
Flag format: 0xL4ugh{part1_part2_part3} (no spaces).
Author: 0xOsama
This is the challenge I enjoyed the most, especially as a big Dune fan, but be warned: it is full of fake flags!
At the start, we need to find the official presence on the open web. Searching for Arrakis-colony lands us on a pages.dev website.

Scrolling down the page, we find some interesting links, and the footer reading "Crafted by 0xOsama for the sake of 0xL4ugh secrets" confirms we are on the right path.

Since Part 1 talks about source code, the first link we should check is GitHub.

Looking through the repositories, we find nothing interesting except arrakis-spice-connector. One of its files includes this juicy information:
```javascript
const { execSync } = require("child_process");
function log(msg) {
console.log("[Spice-Telemetry] " + msg);
}
function main() {
log("Initializing background spice telemetry module...");
log("Sampling CI environment dunes for melange traces...");
log("Preparing shipment to the deep desert sietch archive.");
log("Archive route: github.com/arrakis-flows/sietch-secrets-archive");
log("Echo hint: second dream of Arrakis.");
}
main();
```
When we visit the archive route from the log message, the repository no longer exists, which hints at using the Wayback Machine to see what was there before.
Unfortunately, I found no snapshot of this repository on the Wayback Machine, so I tried alternatives such as archive.today.

An initial search for the exact repository URL returned nothing useful. Prefixing the URL with * to turn it into a wildcard search, however, surfaced more results.

There, we find a Base64-encoded string labelled "potential high-value secret". Decoding it with CyberChef gives us the first part of the flag.


**FLAG PART 1:** SHA1_HULUD
Now let's check the second link we found earlier. It leads to a LinkedIn profile with an interesting post. Reading through it, the following information stood out:
we've posted a short comment on our regular forum [you know it, right? "the Reddit of the dark web"] under the "Hello everyone and welcome to /Malware again!" thread, meet us there.

I googled "the Reddit of the dark web", which turned out to be the Dread forum. I used this HTB blog to learn more about it.
Since Dread is a Tor hidden service, we need the Tor Browser to reach it.
After some searching, we find the post mentioned above. At its end there is an interesting ciphertext. It turns out to be Base64 encoded twice with ROT13 underneath, so decoding it means two rounds of Base64 decoding followed by ROT13.

Reversing that chain gives us the second part of the flag.

**FLAG PART 2:** _w4s_4n_1mp0st3r
The Dread forum post we found earlier also includes another interesting hash labeled Part3, hinting at the final piece.
I searched for the hash on MalwareBazaar. The sample was reported by 0xOsama, the challenge author, confirming that we are on the right path.

In the sample's behavioural analysis report, I noticed this registry entry. After the key is created, the value
VTFsT1ZDMHRRMDVGUnkwek9pQmZhakZuZFY5ek5IZ3pYM28wZVdvMFpUTmZaekF3
is written under the name \Part-3\Value, suggesting that this is what we are looking for.


Decoding it with the same chain as part 2 (two rounds of Base64, then ROT13) gives us the final part of the flag.
**FLAG PART 3:** _w1th_f4k3_m4lw4r3_t00
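As an added example (my own code, not part of the original write-up or anything the challenge author shipped), here is a small Python decoder for the chain used in parts 2 and 3: it peels Base64 layers strictly, for as long as the output is still printable text, then applies ROT13, and finally pulls out the fragment after the FLAG marker. It runs on the registry value quoted above. The function names, the layer-peeling heuristic and the FLAG-marker check are my assumptions, not rules from the challenge.

```python
import base64
import binascii
import codecs
import string
from typing import Optional, Tuple

# Registry value quoted from the MalwareBazaar behavioural report above (taken from the page).
PART3_VALUE = "VTFsT1ZDMHRRMDVGUnkwek9pQmZhakZuZFY5ek5IZ3pYM28wZVdvMFpUTmZaekF3"


def b64_decode_strict(text: str) -> Optional[bytes]:
    """Strict Base64 decode: return None instead of raising on anything that is not
    canonical Base64. validate=True rejects stray characters (such as the '-', ':' and
    '_' in the ROT13 text) rather than silently discarding them."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(text: str, max_layers: int = 8) -> Tuple[str, int]:
    """Keep decoding while each layer is valid Base64 whose output is still printable
    ASCII. Stops at the first layer that is not Base64 (the ROT13 text here) or that
    decodes to binary. Returns the innermost text and the number of layers removed."""
    current = text.strip()
    layers = 0
    while layers < max_layers:
        raw = b64_decode_strict(current)
        if raw is None:
            break
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not all(ch in string.printable for ch in decoded):
            break
        current = decoded
        layers += 1
    return current, layers


def decode_chain(text: str) -> Tuple[str, int]:
    """Decoding order used in the write-up: Base64 (every round present), then ROT13."""
    inner, layers = peel_base64(text)
    return codecs.decode(inner, "rot_13"), layers


def extract_fragment(decoded: str) -> Optional[str]:
    """Heuristic (my assumption, not the challenge's rule): a genuine fragment is
    prefixed by a FLAG marker followed by ': '. Anything else is treated as a decoy."""
    if not decoded.startswith("FLAG") or ": " not in decoded:
        return None
    return decoded.split(": ", 1)[1].strip()


if __name__ == "__main__":
    plain, layers = decode_chain(PART3_VALUE)
    print(f"{layers} Base64 layer(s) removed, then ROT13 -> {plain!r}")
    print("fragment:", extract_fragment(plain))
```

Strict validation is the point of the helper: a lenient decoder would happily "decode" the ROT13 text into garbage and report one layer too many, whereas `validate=True` stops exactly where the Base64 ends. The printable-ASCII check is what keeps the loop from chewing through a decoded layer that happens to look like Base64 but is really binary.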
So, the final flag becomes:
0xL4ugh{SHA1_HULUD_w4s_4n_1mp0st3r_w1th_f4k3_m4lw4r3_t00}