Commit c3f8666

enhance(post): finished diver25 posts
1 parent 04c8fae commit c3f8666

14 files changed, +141 -0 lines changed
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
---
2+
title: 00_engineer
3+
date: 2025-10-16
4+
categories:
5+
- Capture The Flags
6+
- Diver OSINT CTF 2025
7+
tags:
8+
- ctf
9+
- diver osint ctf 2025
10+
- osint
11+
- writeups
12+
description: Diver OSINT CTF 2025 00_engineer Challenge
13+
image:
14+
path: /assets/img/diver25/engineer/engineer.jpg
15+
alt: a picture of an access badge for a conference
16+
post: false
17+
---
18+
19+
20+
> Challenge description:
21+
>
22+
>An software engineer's nameplate was picked up near Tokyo Station. This should be a lost item.
23+
Answer the URL of the website (index page) of the company where this engineer works.
24+
Flag Format: Diver25{https://google.com}
25+
{: .prompt-info }
26+
27+
Okay, so lets take a look at the photo that's provided:
28+
29+
![a picture of an access badge for a conference](/assets/img/diver25/engineer/engineer.jpg)
30+
31+
Hmm, well this looks like a classic lanyard and badge for a conference. I bet the name on the badge is actually the person's username on sites like GitHub. Checking there does in fact reveal a GitHub account for one `kodai-sn`.
32+
33+
![the github acount](/assets/img/diver25/engineer/github.png)
34+
35+
Even better, it looks like there a repository named `kodai-sn.github.io`. That's a special repository on GitHub. If you create a website using GitHub pages, it shows up at `username.github.io/repository-name`. However, if the name of the repository is just `username.github.io`, it uses the base URL for the site, making it a good place for a personal website. This blog is served off of [`Slavetomints/slavetomints.github.io`](https://github.com/slavetomints/slavetomints.github.io), and simply uses a custom domain. If you went to [https://slavetomints.github.io](https://slavetomints.github.io) you would also appear here. Neat right?
36+
37+
Anyways, lets check out the website there.
38+
39+
![the personal website](/assets/img/diver25/engineer/personal-website.png)
40+
41+
The part I'm most interested in is the Career section, where they say they've been working for `Magneight Software`. This is probably the company who's website we have to find.
42+
43+
A quick lookup later reveals `magneight.com` to us, and with it the solution
44+
45+
![the company website](/assets/img/diver25/engineer/company-website.png)
46+
47+
FLAG: `Diver25{https://magneight.com/}`
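Review bot: The challenge blockquote at new lines 22-24 drops the `>` marker on its last two lines ("Answer the URL of the website..." and "Flag Format: ..."), so they stay in the quote only through lazy continuation and are merged into one paragraph with the description. The other two posts in this commit prefix every quoted line, so add `>` to these lines and separate them with `>` lines for consistency. The flag on line 47 ends in a trailing slash (`https://magneight.com/`) while the stated flag format (`Diver25{https://google.com}`) and the prose on line 43 (`magneight.com`) have none; say which form was accepted. Wording to fix in the same pass: "lets" on lines 27 and 37, "there a repository" on line 35, "who's website" (should be "whose") on line 41, the alt text "github acount" on line 33, and "An software engineer's" on line 22 unless that is quoted verbatim from the challenge.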
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
---
2+
title: document
3+
date: 2025-10-17
4+
categories: [Capture The Flags, Diver OSINT CTF 2025]
5+
tags: [ctf, diver osint ctf 2025, osint, writeups]
6+
description: Diver OSINT CTF 2025 document Challenge
7+
---
8+
9+
10+
> Challenge description:
11+
>
12+
>The US Navy Commander Fleet Activities Yokosuka (CFAY) operates a shuttle bus service between Haneda airport/Narita airport and the base for US military personnel. Answer the name of the person who created the document about the boarding location of the bus in 2023.
13+
>
14+
>Flag Format: Diver25{George Washington}
15+
>
16+
> https://cnrj.cnic.navy.mil/Portals/80/CFA_Yokosuka/FAQs.pdf?ver=9xaFCoTG0-tMupFtJFmcrQ%3d%3d
17+
{: .prompt-info }
18+
19+
Okay, quick and easy challenge, my favorite. One thing you might not know about the documents you create is that it generally saves metadata about the document, including the author.
20+
21+
A simple tool to check a file for metadata is `exiftool`. Let's use it here
22+
23+
```terminal
24+
❯ exiftool FAQs.pdf
25+
ExifTool Version Number : 13.36
26+
File Name : FAQs.pdf
27+
Directory : .
28+
File Size : 512 kB
29+
File Modification Date/Time : 2023:06:11 23:38:56-05:00
30+
File Access Date/Time : 2025:08:27 15:46:53-05:00
31+
File Inode Change Date/Time : 2025:06:12 21:04:03-05:00
32+
File Permissions : -rw-r--r--
33+
File Type : PDF
34+
File Type Extension : pdf
35+
MIME Type : application/pdf
36+
PDF Version : 1.7
37+
Linearized : No
38+
Author : Mitchell.Donovan
39+
Create Date : 2023:06:09 14:02:37+09:00
40+
Modify Date : 2023:06:09 14:02:37+09:00
41+
Producer : Microsoft: Print To PDF
42+
Title : Microsoft Word - FAQs
43+
Page Count : 1
44+
```
45+
46+
And look at that, right where we hoped for it to be, the author's name.
47+
48+
FLAG: `Diver25{Mitchell.Donovan}`
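Review bot: The exiftool output at new lines 25-43 mixes filesystem attributes of the local download (`File Modification Date/Time`, `File Access Date/Time`, `File Inode Change Date/Time`, `File Permissions`) with the metadata embedded in the PDF, and the `-05:00` offsets on those lines come from the machine the command ran on, not from the document. Trim the block to the embedded fields, for example with `exiftool -Author -CreateDate -ModifyDate -Producer FAQs.pdf`, so the evidence is clear and no local details are published. The closing text on line 46 should also point at `Create Date : 2023:06:09 14:02:37+09:00`, since the challenge asks for the document created in 2023 and that line is what ties the author to it. The flag uses the raw field value `Mitchell.Donovan` while the stated format is `Diver25{George Washington}` with a space; note which form was accepted. Line 19 has an agreement slip ("the documents you create is that it generally saves") and line 21 is missing its final punctuation.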
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
---
2+
title: louvre
3+
date: 2025-10-17
4+
categories: [Capture The Flags, Diver OSINT CTF 2025]
5+
tags: [ctf, diver osint ctf 2025, osint, writeups]
6+
description: Diver OSINT CTF 2025 louvre Challenge
7+
image:
8+
path: /assets/img/diver25/louvre/wigle.png
9+
alt: list of mac addresses for the SSID Louvre_Wifi_Gratuit
10+
post: false
11+
---
12+
13+
14+
> Challenge description:
15+
>
16+
>Answer the vendor of one of the Louvre's public Wi-Fi access points that meets the following criteria.
17+
>
18+
> - Information was collected on 28 February 2025. This can be accessed via online.
19+
> - Determine the vendor according to the BSSID.
20+
>
21+
> Flag format: Diver25{Company Name} (e.g. If the company is Apple Inc., the flag should be Diver25{Apple Inc.}.)
22+
{: .prompt-info }
23+
24+
Alrighty, first order of business is figuring out what the public Wi-Fi is for the Louvre. Thankfully, they make that easy for us on their website
25+
26+
>The ‘Louvre_Wifi_Gratuit’ network is available under the Pyramid and in the exhibition rooms. The free Wi-Fi connection last one hour and can be renewed as many times as needed.
27+
>
28+
>\- [Do you offer Wi-Fi? - Louvre Website](https://contact.louvre.fr/hc/en-gb/articles/12853523479453-Do-you-offer-WiFi)
29+
30+
Okay okay okay, noow with that out of the way, its time to figure out what the vendor is. The reason we figured out the SSID (name) for the Wi-Fi network is that there are public databases of Wireless Networks. We will be using a site called [wigle.net](https://wigle.net). In order to access the site you need to have an account, but let's see what our search reveals.
31+
32+
![search results](/assets/img/diver25/louvre/wigle.png)
33+
34+
Now, for those of you who don't know, the things on the left most column are whats called MAC addresses. Every single Network Interface Card (NIIC) has one. Every single one is unique, and it consists of two parts. The entire address is 6 pairs of Hexadecimal digits. The first three pairs identify the manufacturer of the device, and the last three pairs identify the unique device.
35+
36+
Thankfully, we can also look that up as well. However, we have two to search for, both `48:C0:93` and `50:60:28`. For this you can use any site of your liking, but I'll use [maclookup.app](https://maclookup.app) this time. Let's see the results for the first one now:
37+
38+
![first mac](/assets/img/diver25/louvre/1-mac.png)
39+
40+
And the second one:
41+
42+
![second mac](/assets/img/diver25/louvre/2-mac.png)
43+
44+
Well wouldya look at that, both MACs are the same vendor, so lets get that flag turned i n!
45+
46+
FLAG: `Diver25{Xirrus, Inc.}`
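Review bot: The write-up never addresses the first criterion from the challenge on line 18 ("Information was collected on 28 February 2025"): lines 36-44 look up both prefixes, `48:C0:93` and `50:60:28`, and the answer holds only because they resolve to the same vendor. Say which WiGLE row carries the 28 February 2025 date, or state explicitly that the date check was unnecessary because both prefixes map to Xirrus. The MAC explanation on line 34 overstates uniqueness: "Every single one is unique" does not hold for locally administered or randomized addresses, so describe the first three pairs as the vendor-assigned OUI and the rest as assigned by that vendor. The abbreviation "NIIC" on the same line should be "NIC". Typos to fix: "noow" and "its time" on line 30, "whats" on line 34, and "lets" and "i n" on line 44.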