For full text search please use the '?' prefix. e.g. ? Onboarding

Spectrum

Scenario

Scotland yard have intercepted information about one of the biggest drug deals to go down in the city of London. Someone we believe is linked to the deal was arrested. The only item they had in their possession was a USB thumb drive. Unfortunately, one of our junior analysts was unable to find anything of interest. Before we let this suspect go, we would like one of our DF experts to see if they can find anything about the deal before it goes down. Can you find out where and when the deal is expected to go down?

Note: Once you have the coordinates, you can use https://www.gps-coordinates.net/ to view the location.

Solution

  1. What time is the meeting happening? (4 points)

    First I mount the image.dd file to the /mnt directory:

    sudo mount -o loop image.dd /mnt

    This gives us a photos folder and an archive named noise_samples.zip. Running exiftool on the photos gives us the following information of interest:

    $ exiftool photos/Millenium\ Bridge.jpg
Location : name of the challenge
$ exiftool photos/london_bridge.jpeg
Artist : steghide password: cheese on toast

    The password is cheese on toast. Running steghide to extract the hidden information didn't work with that password on any of the three images, nor did an empty password.

    Instead of focusing on the images, I decided to look into the audio files. The archive is password protected, but we are able to break the encryption using fcrackzip:

    sudo apt install fcrackzip
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt noise_samples.zip

    The found password is garfield. Trying on the various audio files landed a hit with white.wav, extracting data to a file named stardate.txt. The file contains what appears to be an encoded string: 56inrkS7AcAXatqrFM. Using CyberChef with various encodings yielded a time with Base58:

    15:01:00
emit

    This didn't work, and the "emit" portion was strange anyways. Adding a reverse transformation got us the true time of the meeting:

    time
00:10:51

  2. What are the supposed coordinates for the deal? (4 points)

    Decoding the Morse code in the location.wav file with morsecode.world gives us a dead end:

    N I C E T R Y N O T H I N G T O H E A R H E R E !

    We do have one clue, which is the name of the challenge from earlier. At first I thought Spectrum was a place, since that was the location, but then I realized that it was likely in reference to the spectrum of the audio files.

    Clicking the track name of the white.wav file then selecting "Spectogram" gives us some interesting results:

    Coordinates

    So we have the coordinates: 51.505278° N, 0.055278° W.

  3. Looking into these coordinates, what is the name of this location? (2 points)

    We can search the coordinates on the given site, and "London City Airport" is returned.

Tags

  1. stego (Private)
  2. 10 points (Private)
  3. easy (Private)