ASCWG CTF Qualification 2025 - Operation Spare Clue Challenge

Hello Everyone, I am Ahmed (aka Pizza Steve), and I will walk you through Operation Spare Clue OSINT challenge.

Before starting, I want to thank all authors especially Eng. Mohamed Gamal for the OSINT challenges and all organizing team for their great efforts throughout the past period.

Without further ado, let's begin!

Operation Spare Clue -Phase 1: Ground Recon

In the first phase, we are given a photo and asked to determine the exact location of the scene. First thing I try to do is reverse search the image as sometimes it reveals the location. However, this time it didn't. I took a closer look and found two important clues: two businesses, Berlin Parts and Beauty Studio. I first tried to search for the Berlin Parts store, but I got many results. So, I tried to narrow the scope by identifying the language used above the Beauty Studio store.

The language was Georgian, which indicated that the Berlin store is located in Georgia. Using this information, I found the store on Google Maps.

After finding the exact location, we were asked to get the phone number of a supermarket located across the street. Using Google Maps' Street view option, we identified two possible options.

I was initially stuck trying to determine which supermarket we were looking for as both were supermarkets, and their phone number are provided. However, the blue one was the answer, and its number is in the sale ad 597 57 49 57.

Back to the task image, we notice a QR code on a van, which after scanning leads us to a PGP key. We are required to unmask the true identity behind the key.

Pretty Good Privacy (PGP) is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. It's widely used for securing emails and files. Its structure refers to how PGP handles data encryption, key management, and digital signatures.

After saving the signature file, we can use GPG tool to analyze it and extract the Key Id.

$ gpg --list-packets sig.asc

# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid F40F570ADCE20B18
        version 4, created 1607893776, md5len 0, sigclass 0x01
        digest algo 8, begin of digest 3b df
        hashed subpkt 33 len 21 (issuer fpr v4 788D73CA29B56D65676D468FF40F570ADCE20B18)
        hashed subpkt 2 len 4 (sig created 2020-12-13)
        subpkt 16 len 8 (issuer key ID F40F570ADCE20B18)
        data: [4095bits]

Taking the keyid (F40F570ADCE20B18), we search it here to find the owner.

The search lefts us with a uid YosemiteGhostWrite.

Phase 2: Social Deep Dive

In phase 2 description, we are giving a hint that "the subject has left a trace on social media - a selfie taken in front of a mirror. Within this reflection lies the name of a shop".

Therefore, we use Sherlock tool to find all accounts associated with the uid YosemiteGhostWrite.

$ sherlock YosemiteGhostWrite
[*] Checking username YosemiteGhostWrite on:

[+] Freelance.habr: https://freelance.habr.com/freelancers/YosemiteGhostWrite
[+] GNOME VCS: https://gitlab.gnome.org/YosemiteGhostWrite
[+] HackenProof (Hackers): https://hackenproof.com/hackers/YosemiteGhostWrite
[+] kaskus: https://www.kaskus.co.id/@YosemiteGhostWrite
[+] LibraryThing: https://www.librarything.com/profile/YosemiteGhostWrite
[+] Mydramalist: https://www.mydramalist.com/profile/YosemiteGhostWrite
[+] NationStates Nation: https://nationstates.net/nation=YosemiteGhostWrite
[+] NationStates Region: https://nationstates.net/region=YosemiteGhostWrite
[+] Reddit: https://www.reddit.com/user/YosemiteGhostWrite
[+] Telegram: https://t.me/YosemiteGhostWrite
[+] Weblate: https://hosted.weblate.org/user/YosemiteGhostWrite/
[+] YandexMusic: https://music.yandex/users/YosemiteGhostWrite/playlists
[+] svidbook: https://www.svidbook.ru/user/YosemiteGhostWrite
[+] threads: https://www.threads.net/@YosemiteGhostWrite

[*] Search completed with 14 results

The description directed us to search for social media account, so we check the Telegram link, leading to this guy.

Looking through his photos, we found one that exactly matched the description we were given earlier.

Phase 3: Final Lock

Now, we are required to locate the physical location of this shop and obtain Facebook Page ID of the associated restaurant, so it's a restaurant :D. Honestly, I got stuck looking for the Hokkaido restaurant, especially not being sure of which supermarket was the correct one earlier in phase 1.

However, I had a game changing idea late at night:searching for the restaurant on social media and matching the interior found in the task picture. I also narrowed down the search area by assuming, based on his pictures, that he did not get out of Europe. Fortunately, I found the restaurant while going through the pictures on maps.

Visting the restaurant website, I found a link to its Facebook page. From there, I was able to retrieve the Facebook Page ID: 132037800183249.

ASCWG{597574957_132037800183249}