Shaking the Cobwebs CTF Part Three – Death Dates, Geolocation and an Article of Interest…

By Dr Tristan Jenkinson

The CSI Linux CTF – Shake the Cobwebs

As discussed in Part One, I took part in the CSI Linux CTF event over Christmas. The CTF required writing up a report of findings, and I thought that it might be helpful to share the content of my report.

Part One covered the introduction and the first puzzle which related to the analysis of an audio file… as part of that analysis, some data apparently in Morse code was found.

Part Two dealt with the Morse code found in part one, and some related further investigation work from the CTF, including information from Die Hard (unquestionably a Christmas movie!).

In this section, I’ll cover death dates, geolocation, and the identification and investigation of an online article about RisePro malware.

The final part (Part Four) will follow soon.

Enjoy!

Death Date and Geolocation (Q4, Q5, Q6)

Q4: Death Date

Recall that at the end of part two, we were looking at the “once real-life wife” of John McClane (to which the answer was Demi Moore).

Upon submission of my answer for Q3, I received the below request for further information:

It is helpful to note that as of the time of writing, Demi Moore is still alive, so there is more to this question than first appears.

It is also helpful to refer back to the information in the hidden message recovered from Pastebin, repeated below.

Your death date info is inscribed on Rap God’s grave! But they are not whom you seek. Rather, once you have arrived, the date you seek is for the once real-life wife of John McClane.

There is a reference here to Rap God. By running a Google search for “Rap God”, you can find that this is a song by Eminem. One of the articles returned (https://www.theguardian.com/music/2014/sep/08/eminem-rap-god-new-world-record-most-words-in-a-song) reports that the track set a new world record for the most words in a song, and that the track contains an average of more than 4 words a second.

Google will supply the lyrics for the track with the search results. These include, in the chorus, the line “I’m beginnin’ to feel like a rap god”. Eminem may be the “Rap God” that is being referenced in the hidden message from Pastebin.

Separately, I ran a Google search for death date. The top result, as shown in the image below, is for the Death Date site at deathdate.info. This appears to directly match the information in the hidden message – which starts “Your death date info…” so this certainly fits.

Visiting the deathdate.info site, there are several different tabs that you can visit – including a “Celebrities” tab. Based on the information above, I was looking for the death date of Demi Moore.

Clicking on the Celebrities tab opens https://deathdate.info/s/celebrities/. The page includes links to the “death dates” of many celebrities, including Eminem (potentially the Rap God referred to), and Demi Moore.

Clicking on the link for Demi Moore takes you to https://deathdate.info/d/6f8879a683dca/RGVtaSBNb29yZQ==. The reported death date of Demi Moore is listed as 24 September 2024, as shown in the below screenshot:

The answer to Q4 therefore appears to be 24 september 2024.

Q5: First John McClane Movie

Upon submitting my solution, I received the following request:

Having seen the original film in the Die Hard series, I am aware that the first in the series was just called “Die Hard”. However, there could be other movies with a character called John McClane that predate the Die Hard films. It is therefore possible that the question refers to a film for an alternative John McClane.

Searching in IMDb.com (a well known source for movie information) I was able to find a John McClane who worked in Location Management on a short film called Unicorn Bloodbath #47 (https://www.imdb.com/name/nm11548484/), though this is after the Die Hard films, dated in 2018.

Using various searches, I was not able to find any other references to a John McClane in films outside of the Die Hard films.

I ran a Google search for all john mcclane movies release date, which resulted in a breakdown of the release dates of the various films, as shown below:

The earliest release date is 3 February 1989. Clicking on this entry, the browser displays the details for the film “Die Hard”, the first of the Die Hard films, as shown below:

The remaining release dates (in order) relate to Die Hard 2 (1990), Die Hard with a Vengeance (1995), Live Free or Die Hard (2007) and A Good Day to Die Hard (2013).

The title of the first John McClane movie is therefore die hard.

Q6: Geolocation

Upon submitting the above response, I received the below request:

Recall the original information provided prior to Q1 in part one, which stated in particular that “… their Audio Engineer is on vacation somewhere in the Mediterranean Sea, on a sailboat, near 34.6129, 32.9742.”

Entering these coordinates into https://www.google.com/maps takes you to https://www.google.com/maps/place/34%C2%B036’46.4%22N+32%C2%B058’27.1%22E/@34.601921,32.9836332.

As you can see from the screenshot below, the lake pointed to by the supplied coordinates is Limassol Salt Lake:

The answer to the question is therefore limassol salt lake.
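
A check on the pin, as an added example that is not part of the original report: it parses the Google Maps URL above, converts the degrees-minutes-seconds in the /place/ segment back to decimal degrees and compares them with the briefing coordinates. The trailing @ value is the map view centre rather than the pin, which is why it differs; the function names and the 0.0001 degree tolerance are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# URL exactly as printed in the write-up; the blog has turned ' into ’.
MAPS_URL = ("https://www.google.com/maps/place/"
            "34%C2%B036’46.4%22N+32%C2%B058’27.1%22E/@34.601921,32.9836332")
BRIEFING = (34.6129, 32.9742)  # decimal degrees quoted in the CTF briefing

# degrees ° minutes ' seconds " hemisphere, tolerating typographic quotes
DMS = re.compile(r"(\d+)°(\d+)['’′](\d+(?:\.\d+)?)[\"”″]([NSEW])")


def dms_to_decimal(deg, minutes, seconds, hemi):
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def parse_maps_url(url):
    """Return (pin, viewport), each a (lat, lon) tuple in decimal degrees."""
    parts = urlsplit(url).path.split("/")
    place = unquote_plus(parts[parts.index("place") + 1])
    found = DMS.findall(place)
    if len(found) != 2:
        raise ValueError(f"expected latitude and longitude, got {place!r}")
    pin = tuple(dms_to_decimal(*m) for m in found)
    view = next(p for p in parts if p.startswith("@"))
    viewport = tuple(float(x) for x in view[1:].split(",")[:2])
    return pin, viewport


def decimal_to_dms(value, positive, negative):
    """Format decimal degrees as DMS to 0.1 second, the precision in the URL."""
    hemi = positive if value >= 0 else negative
    tenths = round(abs(value) * 36000)  # integer tenths of a second
    deg, rem = divmod(tenths, 36000)
    minutes, tenths = divmod(rem, 600)
    return f"{deg}°{minutes:02d}'{tenths / 10:04.1f}\"{hemi}"


def matches(a, b, tolerance=1e-4):
    """True when both coordinates agree within tolerance (about 11 m of latitude)."""
    return all(abs(x - y) <= tolerance for x, y in zip(a, b))


if __name__ == "__main__":
    pin, viewport = parse_maps_url(MAPS_URL)
    print("pin     ", pin, "matches briefing:", matches(pin, BRIEFING))
    print("viewport", viewport, "matches briefing:", matches(viewport, BRIEFING))
    print(decimal_to_dms(BRIEFING[0], "N", "S"), decimal_to_dms(BRIEFING[1], "E", "W"))
```
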

The Alb310 Article (Q7, Q8, Q9)

Searching for the Alb310 article

Upon submitting the above, I was supplied with the below information:

I therefore started by looking for the author of the article.

A Google search for alb310 identifies a GitHub page:

Visiting the GitHub page, you can see in the profile that this links to a website at https://projetfox.com, as shown below:

Visiting the Projet Fox website, it appears to be a site relating to OSINT and related disciplines. The content appears to be in French:

I was using the Firefox browser. To translate the page, I went to the “hamburger” in the top right and clicked on it to get the menu shown below:

I then clicked on Translate Page.

Firefox autopopulates what it believes to be the best option for translation, as shown below:

Note – Google Chrome has a similar function for translation. To access it, right click on the page and, in the menu that appears, click on Translate to English. There are variations between the translations provided by the two browsers, so it appears that they are not using the same system (or at least the same settings) for their translation features. This means that each can be used to provide some level of verification of the other’s translation; alternatively, if a translation is not clear, the other tool can be used to obtain an alternative. Ideally, for sensitive matters an expert translator should be used.

From the translated capture shown above of the FOX Projet header, there is a section for articles. As I was searching for an article, this was a good place to start.

Clicking on the articles heading takes us to https://projetfox.com/articles/. As this is a new page, the translation is not applied, and the language returns to French. However, it is still clear that the first article listed was written by Alb310 on 29 November 2023:

After translating the page to English, I clicked on the article title, translated to “Tracking of the cyber-criminal infrastructure of the RisePro infostealer”. This opens the article, at page https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/. I then translated the page containing the article.

As I had now located the article described, I selected Found the article and ready to report.

Upon confirming I had found the article, I received the below response:

The answer to this is within the title of the article. As noted above, this is “Tracking of the cyber-criminal infrastructure of the RisePro infostealer”. The infostealer discussed in the article is RisePro, so the response is risepro.

Upon submitting, I received the below response:

The response is therefore crowdstrike.

Upon submission, I received the below response:

As noted above, in the Firefox translation, the relevant section of text identified also includes the name of the operator that Crowdstrike were following, and it states that they named the operator ‘HermIT SPIDER’. The response is therefore hermit spider. This also fits with the image included with the query.
