From Open Sources to Answers 🔗︎
On May 9, we hosted our third Maltego Community OSINT CTF, and it delivered exactly the kind of intensity and unpredictability that makes competitive investigations so engaging. Some teams stayed near the top of the scoreboard for most of the event, but a few unexpected teams quickly moved up the rankings later on. The fight for third place was very close until the last minutes, with teams solving challenges and positions changing constantly throughout the event.
After an intense competition filled with investigative ups and downs, breakthrough discoveries, and constant scoreboard changes, the teams Lv1x, RinggitPower, and WillHackForBeer secured the top three spots.
The competition may have ended, but the discussion certainly did not. Following the CTF, our Discord community remained highly active as participants continued analyzing investigative approaches, discussing dead ends, comparing methodologies, and breaking down the tools and workflows used during each challenge. These post-CTF discussions are often where some of the most valuable learning takes place.
Capture the Flag (CTF) remains one of the most effective ways to develop investigative thinking, technical creativity, and problem-solving skills under pressure. In this walkthrough, we will break down all 26 challenges step by step, from the initial reconnaissance phase to the final flag submission, while exploring the investigative mindset, tools, and methodologies used throughout each stage.
Whether you completed the challenge successfully or found yourself stuck midway through, the purpose of this write-up is not simply to provide the answer, but to demonstrate the investigative process itself. The real value of OSINT CTFs lies in learning how to approach unfamiliar problems, adapt investigative methodologies, and build repeatable workflows that can also be applied in real-world investigations beyond the competition environment. Follow along!
Name: Account Attribution – 1 | Category: SOMINT | 11 pts 🔗︎
Challenge: We were able to intercept an email address: davidjs1@deliveryotter.com, but we do not know which social media account belongs to the suspect. Identify the associated social media profile and retrieve the flag string hidden in the account bio. Flag format: Th1s_i5_fl4g
The investigation starts with the intercepted email address: davidjs1@deliveryotter.com, from which the username ‘davidjs1’ is extracted and used for username enumeration through OSINT tools or manual dorking across platforms. This leads to a matching profile on Bluesky at https://bsky.app/profile/davidjs1.bsky.social, where the bio contains the string synt{L0h_t0g_z3}. Recognizing that synt is indicative of ROT13 encoding (which decodes flag), the entire string is decoded using ROT13 to reveal the actual flag: Y0u_g0t_m3.
Flag: Y0u_g0t_m3
Name: Account Attribution – 2 | Category: SOMINT | 5 pts 🔗︎
Challenge: Analyze the tweet thread posted by the suspect. Identify the image within the thread and determine the name of the hotel where the meeting took place (i.e., the location from which the image was captured). Flag Format: Hotel NameOfHotel
After identifying the suspect’s Bluesky profile, the next step is to analyze their activity. Within a thread discussing a meeting, a reply contains a shortened link: https://shorturl.at/b6Lpf, which redirects to an image hosting site (https://imgshare.cc/fedswxfu), containing the challenge image.
The objective is to determine the hotel name from where the image was taken. One effective approach is to perform a reverse image search, which reveals a recognizable landmark — the Hungarian Parliament Building in Budapest. Using this clue, participants can switch to map services and street view to analyze the viewing angle and approximate location from which the photo was captured, eventually narrowing it down to nearby hotels with a similar perspective.
An alternative and more OSINT-focused method involve enumerating publicly accessible webcams in the identified area. By searching platforms like EarthCam or similar webcam aggregators, participants can locate feeds matching the same view of the parliament. This leads to a specific camera hosted at Hotel Victoria, where the visual perspective aligns with the challenge image. The same webcam is also referenced on the hotel’s official website, confirming the location. Thus, the correct flag is: Hotel Victoria.
Flag: Hotel Victoria
Name: Account Attribution – 3 | Category: SOMINT | 20 pts 🔗︎
Challenge: Based on the image from the previous challenge, determine the time range during which the picture was taken. Please select the corresponding choice. A. 6:00 AM – 8:00 AM B. 8:00 AM – 10:00 AM C. 1:00 PM – 3:00 PM D. 6:00 PM – 8:00 PM Flag Format: Hotel NameOfHotel
After identifying the location in the previous step, the next objective is to determine when the image was taken. From the suspect’s Bluesky post, investigators can extract the date of the meeting, which serves as a key input for further analysis.
To estimate the time, a chronolocation approach is used, analyzing the position of the sun and resulting shadows in the image. Since the image clearly shows the Hungarian Parliament Building in Budapest, it can serve as a reference point. By inputting the location (either coordinates or place name) and the known date into tools like SunCalc, participants can simulate the sun’s position throughout the day.
To refine the estimate, the shadow length and direction visible in the image are compared against the simulated outputs. The approximate height of the Parliament building (around 95–100 meters, easily obtainable via a quick search) helps in judging how shadows would fall at different times. By adjusting the sun position in the tool and matching the observed shadow angle and length, the most accurate time window can be determined.
Through this analysis, the image aligns with a morning timeframe, specifically between 8:00 AM and 10:00 AM.
Flag: B. 8:00 AM – 10:00 AM
Name: From the archives | Category: Cyber Threat Intel | 10 pts 🔗︎
Challenge: A suspicious outbound connection was detected during malware traffic analysis. Network telemetry revealed repeated communication with the following IP address: 47.96.17[.]237. Your task is to identify the ZIP archive associated with network activity involving the IP. Flag Format: filename.zip
The investigation begins with the provided IP address 47.96.17[.]237. The first step is to search the IP within VirusTotal to gather intelligence related to its infrastructure, communications, and associated artifacts. Once the IP intelligence page is opened, navigate to the Relations tab, which contains linked indicators such as communicating files, contacted URLs, domains, and behavioral associations.
Within the Relations section, review the list of files that have historically communicated with or been associated with the IP address. Among the listed artifacts, you will find a ZIP archive named Microsoft.AppRuntime.5017.214.zip. This file appears as a communicating artifact tied directly to the IP infrastructure, making it the required answer for the challenge.
Since the objective is to identify the ZIP file communicating with the provided IP, the discovered archive name becomes the final flag.
Flag: Microsoft.AppRuntime.5017.214.zip
Want to join our next OSINT challenge? Our Discord community is where the real action happens: challenge announcements, CTF prep, team discussions, memes, post-CTF analysis, and hands-on learning sessions. It’s also a space to exchange OSINT techniques, investigative workflows, and learn from other investigators. \[Join the community now!
Name: Whose Signature Is This? | Category: Cyber Threat Intel | 20 pts 🔗︎
The investigation begins with the provided domain reverse.wcsset[.]com, which is suspected to host a reverse proxy tool. The first step is to analyze the domain using threat intelligence platforms, malware reports, or Indicator of Compromise (IoC) analysis sources to gather contextual information about the hosted infrastructure. By searching for the IoC across public intelligence repositories and security reports, you can uncover references tied to the domain and the services operating behind it.
During the analysis, reports linked to the domain reveal that the hosted tool is identified as SOC.MOD, a suspicious reverse proxy utility commonly discussed in threat research. Reviewing the associated report in detail provides additional attribution data related to the binary or hosted component. Within the report, it is specifically mentioned that the suspicious tool was digitally signed by the Qisheng Information Technology Service Department. Since the challenge throws light on the company that signed the certificate associated with the reverse proxy tool, the identified organization becomes the final answer.
Flag: Qisheng Information Technology Service Department
Name: Domain Pivot | Category: Cyber Threat Intel | 15 pts 🔗︎
Challenge: Threat analysts recovered the following file hash during an investigation into an active malware campaign: 40df05b4f04ad093b31c9ca07a559be56a700e49f6051b5cb7462db5f85be8c3. Intelligence reports indicate that one of the most recent domains linked to the malware also hosted a malicious ZIP archive associated with the same campaign. Determine the name of the malicious zip. Flag Format: Samplefile.zip
The investigation begins with the provided file hash: 40df05b4f04ad093b31c9ca07a559be56a700e49f6051b5cb7462db5f85be8c3. The first step is to analyze the hash using VirusTotal. Search for the hash to access the malware intelligence page containing behavioral indicators, communication infrastructure, and associated relationships.
Within the analysis results, review the network communication details and related indicators. Among the communicating infrastructure, the top associated domain identified is: 7051.gsm.360safe.company.
The next step is to pivot into the discovered domain by searching 7051.gsm.360safe.company inside VirusTotal. Once the domain page loads, navigate to the Relations tab to inspect linked artifacts and communicating files. In this section, you can identify a ZIP archive named IPanyVPNsetup.zip, which appears as a communicating file associated with the domain.
We don’t stop here. To further validate the finding, you can cross-reference threat intelligence reporting related to the PlushDaemon campaign. Reports discussing the campaign mention the same ZIP archive in connection with the identified domain, confirming the infrastructure relationship. Since the challenge asks for the malicious communicating ZIP file linked to the campaign, the identified archive becomes the final answer.
Flag: IPanyVPNsetup.zip
Name: Sail Away | Category: Geolocation | 15 pts 🔗︎
Image Link: https://imgshare.cc/q3gfepxc.
Flag Format: Port of ABC
The goal of this challenge is to identify the port from which the image was taken using visual OSINT techniques. At first glance, the image appears to show a harbor area with a vessel docked near a waterfront. A close inspection of the image reveals an important clue: the name ‘FRAM’ is visible on the ship.
The term ‘FRAM’ is a strong starting point for investigation. Searching for the vessel name leads to the ferry and tourism operations connected to western Norway, particularly routes operating around the Fjord regions. This significantly narrows the geographic search area. After identifying the likely operating region, the next step is to examine port cities where these vessels commonly appear. Since multiple ports exist in the region, additional visual clues became important.
Looking closely at the right side of the image reveals a bakery (“bakeri”) shop sign along with a recognizable storefront logo. Scandinavian architecture, waterfront layout, and bridge positioning provides additional geolocation indicators. Therefore, the correct flag is: Port of Ålesund (Port of Aalesund).
Flag: Port of Ålesund
Name: Showboarting – 1 | Category: Maritime | 10 pts 🔗︎
Challenge: As part of the investigation, the agency has provided an image of the yacht. Your task is to determine who captured the photograph. Only use their first name. Image Link: https://imgshare.cc/uekuibfl.
Flag Format: John
A reverse image search of the provided yacht image reveals that the vessel is called the Dilbar. Once the yacht’s name has been identified, the next step is to investigate maritime records to obtain the associated International Maritime Organization (IMO) number. This identifier becomes useful for pivoting into ship photography databases and historical vessel records.
Using the IMO number, searching on Shipspotting.com helps locate matching images of the yacht. By reviewing the indexed results and comparing the exact image, you can find the original upload page containing additional metadata such as photographer credits, upload details, and vessel information.
Another approach is to search directly using keywords related to the yacht and image source, such as ‘Dilbar Shipspotting’ or by combining reverse image search results with maritime photography websites. This leads to the exact image record, where the photographer attribution identifies the person who captured the photo. The final answer is Daniel F., which can also be accepted as Daniel.
Flag: Daniel
Name: Showboarting – 2 | Category: Maritime | 10 pts 🔗︎
Once the yacht’s IMO number has been identified through the image investigation, the next step is to determine the Maritime Mobile Service Identity (MMSI) associated with the vessel. This can be done by checking AIS-based maritime databases, where vessel identifiers such as the IMO and MMSI, along with historical ship records, are commonly linked.
To find the historical MMSI specifically for the 2015–2016 period, one effective approach is to use Global Fishing Watch. Search for the yacht using its IMO number, which will display historical vessel information along with associated MMSI numbers and name records over time.
By reviewing the timeline and matching the correct date range, you can identify the MMSI linked to the vessel during 2015–2016. The historical record shows that the correct MMSI for that period is 211708190.
Flag: 211708190
Name: Gone fishing – 1 | Category: Maritime | 20 pts 🔗︎
Challenge: Intelligence reports suggest that the vessel, ‘Jing Yuan 626’, is involved in suspicious activity, and you have been tasked with investigating the movements. According to available reports, the vessel displayed unusual movement patterns during a specific time period. Your objective is to determine the port where the vessel was located between 07/18/2024 and 07/19/2024(MM/DD/YYYY). Challenge Format: Port of ABC
Once the name of the vessel, Jing Yuan 626, is identified, the first step is to gather its maritime identifiers, specifically the IMO and MMSI numbers. These identifiers are essential for tracking historical vessel activity across multiple maritime intelligence platforms. Searching public ship registries or AIS-linked databases helps establish the vessel’s identity before pivoting into timeline analysis.
To investigate activity during a specific period, historical AIS data is required. Many public tracking platforms, such as MarineTraffic or VesselFinder, provide only limited historical access under free accounts, making deeper timeline analysis difficult. A more effective approach is to use Global Fishing Watch, which maintains long-term historical movement data and event-based reporting.
After searching the vessel using its IMO number on Global Fishing Watch, open the vessel activity timeline and review the reported events. Under the Activity by Type section, navigate to Port Visits and match the timeframe provided in the challenge. By correlating the reported dates with the vessel’s movement history, the port associated with that timeline can be identified as the Port of Busan.
Flag: Port of Busan
Name: Gone fishing – 2 | Category: Maritime | 18 pts 🔗︎
To investigate the encounter event, the first step is to open Global Fishing Watch and review the Encountered Events section for the vessel. Since the challenge provides a specific timeline—12/17/2025—you can filter or navigate directly to that date within the activity timeline to locate the relevant encounter.
Once the event is identified, the encounter record reveals the second vessel involved. In this case, the ship encountered by Jing Yuan 626 is Lurongyuanyuyun177. Initial event details may only display limited information, such as the MMSI number, requiring an additional pivot to gather full vessel intelligence.
The next step is to search the vessel name or MMSI across maritime databases and AIS-linked sources to obtain its registry information. By correlating the vessel identity with public ship records, the associated IMO number can be identified. The investigation confirms that the IMO number for Lurongyuanyuyun177 is 9860130.
Flag: 9860130
Name: Gone fishing – 3 | Category: Maritime | 15 pts 🔗︎
Challenge: As part of the continued investigation into the activities of Jing Yuan 626, analysts reported a loitering event on 15 June 2025, lasting approximately 4 hours. Following this event, the vessel resumed movement. Your task is to determine the next port visited by the vessel after the reported loitering activity. Flag Format: Port of ABC
To investigate the reported loitering activity, the first step is to use Global Fishing Watch, which provides historical event-based vessel tracking data. Within the vessel’s activity timeline, navigate to the Loitering Events section to review all recorded instances of suspicious stationary or slow-moving behavior.
The challenge specifies a date of 15 June 2025, which helps narrow the search to events occurring on that day. Multiple loitering events may appear in the timeline, so the second clue for a 4-hour duration becomes important for identifying the correct record. By filtering or reviewing the listed events for matching timestamps and duration, the exact loitering activity can be isolated.
Once the correct event is identified, the associated metadata reveals the nearby port or location connected to the vessel’s movement after the event. The matching record indicates that the vessel was linked to the port of Iquique. Therefore, the correct answer is Iquique (Chile) or Iquique. So the flag is the Port of Iquique.
Flag: Port of Iquique
Name: Crude Oil – Port of Inspection | Category: Maritime | 20 pts 🔗︎
Challenge: MMSI number is 273257030. Your task is to analyze the vessel’s historical activity and determine the port of inspection associated with the vessel on 24/11/2015. Flag Format: Port of ABC
Once the MMSI number of the vessel is provided, the first step is to identify the ship’s name and IMO number. Using public maritime databases or a simple search query, the MMSI can be linked to the vessel KRASNOYARSK, with IMO number 9312896. These identifiers are important because most inspection and registry databases are indexed by IMO rather than MMSI.
After obtaining the IMO number, the next step is to investigate inspection records. One of the most useful resources for this is Equasis. Access to the platform requires a free account, after which you can search directly using the vessel’s IMO number.
Within the vessel profile, navigate to the Inspection section and review the historical inspection timeline. Matching the provided date, 24 November 2015, reveals the corresponding inspection location. The inspection record shows that the vessel was inspected at Whitegate, located in Ireland. Therefore, the correct answer is Whitegate, Ireland. So the flag would be Port of Whitegate.
Flag: Port of Whtiegate
Name: Crude Oil – Managing Logistics | Category: Maritime | 22 pts 🔗︎
Challenge: MMSI number is 273257030. Analysts require additional historical context regarding operational activity. Your task is to identify the company responsible for managing the logistics for the vessel on 20 April 2024. Flag Format: Do not add the type of company. For example, if the answer is ‘Maltego Technologies GmbH,’ put ‘Maltego Technologies.’
To identify the company responsible for managing logistics, the investigation again pivots to Equasis using the vessel’s IMO number. After searching for the vessel profile, navigate to the Ship History section, which contains historical ownership, management, and company association records.
Within the Ship History tab, review the Company section and focus on the specific date provided in the challenge. Historical records often show changes in management, operators, and logistics responsibilities over time, so matching the exact date is important.
By locating the entry corresponding to 20 April 2024, the listed role under Ship Manager / Commercial Manager identifies the company responsible during that period. The historical record shows that the company responsible was Sun Ship Management.
Flag: Sun Ship Management
Name: Crude Oil – Inmarsat | Category: Maritime | 20 pts 🔗︎
Challenge: MMSI number is 273257030. You are to determine the Inmarsat satellite number associated with the vessel. Flag Format: 123456789
This challenge requires pivoting from the vessel identifiers already gathered during earlier steps. Once the vessel name, IMO number, and MMSI are known, the next step is to investigate its communication and radio registration records. These details are often stored in international maritime communication databases rather than standard AIS platforms.
A useful source for this is the International Telecommunication Union maritime ship station database. By searching the vessel’s details through the ITU Ship Station search portal, you can retrieve communication-related information tied to the vessel’s registration. After querying the database using the vessel identifiers, the results page displays satellite communication records, including the associated Inmarsat satellite numbers. In this case, the entry appears as 427315325-26, indicating a range. This means the vessel is associated with two satellite numbers: 427315325 and 427315326.
Flag: 427315325 and 427315326
Name: Crude Oil – EPIRB Hex ID | Category: Maritime | 20 pts 🔗︎
Challenge: MMSI number is 273257030. Your objective is to identify the EPIRB Hex ID associated with the vessel. Flag Format: 12345A67BCDEFGH (15-character long string).
Subsequently, within the vessel’s registration details, additional identifiers related to onboard safety equipment are displayed. One of these fields includes the Emergency Position Indicating Radio Beacon (EPIRB) Hex ID, which is used for distress signaling and emergency identification. By examining the ITU ship station record, the associated EPIRB Hex IDs for the vessel can be identified as 22247D80DEFFBFF and A229905C35034D1.
Flag: 22247D80DEFFBFF and A229905C35034D1
Subsequently, within the vessel’s registration details, additional identifiers related to onboard safety equipment are displayed. One of these fields includes the Emergency Position Indicating Radio Beacon (EPIRB) Hex ID, which is used for distress signaling and emergency identification. By examining the ITU ship station record, the associated EPIRB Hex IDs for the vessel can be identified as 22247D80DEFFBFF and A229905C35034D1.
Name: Unknown Flight – 1 | Category: Aviation | 20 pts 🔗︎
Challenge: We intercepted this audio. Your task is to analyze and decode the audio and identify the flight number. The flag is the flight number. The link to the audio file: https://drive.google.com/file/d/1Nh1DosJfKGDj1DsMRvNehr89Jpw78of_/view?usp=sharing Flag Format: 6-alphanumerical characters
Once the WAV file is downloaded, listening to the audio reveals that it contains Morse code. You can then use a Morse code decoder to extract the hidden data from the audio. After uploading the audio file, you can obtain the following string: 8DAA8499213B7DF74C182003F0F9. As described in the challenge, we need to investigate aviation-related data. The extracted string is an ADS-B frame with CRC coding. We can decode it using an ADS-B decoder to retrieve the embedded aircraft information, including the registration number. After decoding the packet, the identification field reveals: N777SA.
Flag: N777SA
Name: Unknown Flight – 2 | Category: Aviation | 10 pts 🔗︎
Once we identify the flight registration number as N777SA, we can begin investigating its flight history. Aviation tracking platforms maintain historical flight records, and one useful source is FlightAware. You can review the aircraft’s historical flight activity.
Search through the flight records for 15 April 2026. Locate the flight entry that traveled from Ted Stevens Anchorage International Airport to Cincinnati/Northern Kentucky International Airport. From the record, the origin airport is identified as: Anchorage Intl with the ICAO Code, PANC.
Flag: PANC
Name: Signal Decoding | Category: Aviation | 20 pts 🔗︎
Challenge: While intercepting a signal during an investigation, the following frame was captured: /QUKAXBA.ADS.G-VIIM07253457F7124540C8751F9C84. Analyze the frame and identify the Mode S hexadecimal code associated with it. Flag Format: 123456
The intercepted stream of data is an ACARS/VDL Mode 2 transmission. By analyzing the frame structure, we can identify the aircraft registration number embedded within the message. From the frame, the registration number is: G-VIIM.
Once we have the registration number, we can search aviation tracking platforms such as Flightradar24 or other ADS-B data sources to gather additional aircraft details. By reviewing the aircraft information, we can identify the associated Mode S hexadecimal code: 400685.
Flag: 400685
Name: Lemon | Category: Vehicle | 10 pts 🔗︎
Challenge: Analyze the image provided and identify the seller’s name associated with the listing. The flag is the seller’s name. Image link: https://imgshare.cc/4eb5gl6f Flag Format: Do not add the type of company. For example, if the answer is ‘Maltego Technologies GmbH,’ put ‘Maltego Technologies.’
For the provided image, perform a reverse image search to identify where the image appears online. The results lead to a salvage or vehicle auction listing containing the same image. The matching listing can be found here: https://bid.cars/en/lot/0-43894600/2022-Mercedes-Benz-GLE-350-4JGFB4JB0NA578981. On the listing page, the seller’s information is displayed. The seller’s name shown is: Progressive Casualty Insurance.
Flag: Progressive Casualty Insurance
Name: A Bird’s Eye View – 1 | Category: GEOINT | 20 pts 🔗︎
Challenge: You are an analyst, and intelligence in the form of satellite imagery has been provided to you. Your task is to determine the exact coordinates of the location shown in the imagery, accurate to one decimal place. The flag is the coordinate pair. Image link: https://imgshare.cc/44tkjqmk Flag format: 12.7, 24.1
For the provided image, the first step is to determine the source of the imagery. The red hotspot blocks concentrated in a specific area indicate that the image originates from NASA FIRMS thermal mapping data.
By closely analyzing the image and performing a reverse image search, we can narrow down the geography. The visible coastline and waterway patterns suggest the location is near the Strait of Hormuz, close to Oman.
Next, navigate to the NASA FIRMS global map and select the date March 18th, 2026. In the same geographic area, the thermal activity dots visible on the map match the hotspots shown in the challenge image. By hovering over the matching hotspot location, the coordinates can be identified as: 26.4, 56.4.
Flag: 26.4, 56.4.
Name: A Bird’s Eye View – 2 | Category: GEOINT | 15 pts 🔗︎
The key clue in this challenge is the reference to the ‘March 4th incident.’ This indicates that the investigation should focus on maritime incidents that occurred during the Iran–US/Israel conflict around that date.
By searching news reports related to maritime attacks in the region during early March 2026, we can identify vessels involved in incidents near the Strait of Hormuz. Recent reports show that the container ship Safeen Prestige was struck on March 4th and later appeared to have been hit again around March 18th during the escalation of attacks in the region. (Source: SAFETY4SEA)
By correlating the timeline mentioned in the challenge with the incident reports and imagery, we can determine that the ship involved is Safeen Prestige
Flag: Safeen Prestige
Name: Warning States | Category: GEOINT | 15 pts 🔗︎
Image link: https://imgshare.cc/tybzfye8
Flag format: 12.345, 67.890
With the provided image, begin by performing a reverse image search to identify the location shown. The results indicate that the image is associated with the Natanz Nuclear Facility in Iran. Once the location is identified, use mapping platforms such as Google Maps or satellite imagery tools to inspect the facility in detail. The red box in the challenge image highlights one of the buildings within the complex that was reportedly damaged.
By placing a marker directly on the highlighted structure and reading the coordinates, the exact location can be determined as: 32.728, 51.723. These coordinates align with the broader location of the Natanz nuclear complex in Isfahan Province.
Flag: 32.728, 51.723
Name: Bad Manners – 1 | Category: Vehicle | 30 pts 🔗︎
Challenge: You have been provided with a new case to investigate. The only input available is the following: 4T1BF1FK1DU676960. Your task is to determine the type of violation that was charged on 23 March 2023. Flag format: Violation Type
In the first challenge, we are provided with the sequence: 4T1BF1FK1DU676960. This is a Vehicle Identification Number (VIN). Decoding the VIN alone will not directly reveal the violation information, since VIN records are not always publicly linked to traffic citations. The first step is to search the VIN online to identify additional vehicle details. By doing so, we can locate auction or public vehicle records that associate the VIN with a registration plate and state. One useful source is the auction listing document from the New York City Department of Finance.
After matching the VIN to its corresponding registration number and state, the next step is to search for public violation records, using the recovered registration number and state information. This returns a list of recorded violations associated with the vehicle. By filtering the records for the specified date, 23 March 2023, we can identify the matching violation entry. The violation type listed for that date is: Obstruction Driveway.
Flag: Obstruction Driveway
Name: Bad Manners – 2 | Category: Vehicle | 15 pts 🔗︎
Challenge: Using the previously identified violation record, determine the exact location where the incident occurred. The flag is the location of the violation. Flag format: street number, street name, city name.
Using the same violation record database from the previous challenge, continue reviewing the entry associated with the recovered registration number and the specified violation date. Within the violation details, the incident location is listed alongside the charge information. The location recorded for the violation is: 346, 39th Street, Brooklyn.
Flag: 346, 39th Street, Brooklyn
Name: Major Tom | Category: Aviation | 25 pts 🔗︎
Challenge: You have been selected for a special orbital mission. As part of the investigation, you are provided with a PDF file containing satellite data that is not immediately readable. Your task is to analyze the data and determine the maximum EPS sensor temperature recorded by the satellite on 21 April 2026. The flag is the EPS temperature value. Image link: https://drive.google.com/file/d/1OdyHfyGrCSTMP20eazMsa2bcjq6CRg98/view?usp=drive_link Flag Format: 12.3
In this challenge, you are provided with a PDF file containing unreadable data. Upon closer inspection, the embedded content is revealed to be Morse code. The first step is to decode the Morse code using an online translator such as a DNS Checker Morse Code Translator.
After decoding, the extracted content reveals TLE (Two-Line Element) satellite data. By carefully reviewing the TLE information, we can identify the NORAD catalog number associated with the satellite. The extracted NORAD ID is: 41789. Next, use the identifier to search the satellite database maintained by SatNOGS. satellite’s sensor, battery, and telemetry data. From the telemetry dashboard:
- Select the date range for 2026-04-21
- Review the EPS temperature data panel
- Locate the reading corresponding to the required timeframe
The maximum EPS temperature value shown for the selected period is: 26.7
Flag: 26.7
Conclusion 🔗︎
That wraps up this walkthrough. Hopefully this gave you not only the solution, but also insight into the thought process and investigative techniques used along the way.
If you approached the challenge differently, found alternative paths, or discovered additional artifacts, share them with our Discord community! Different perspectives are what make CTFs valuable learning experiences.
More challenges, tips & tricks, and weekly OSINT exercises are coming soon. If you have any questions, reach out to community@marketing.com. Until then, stay curious, document your findings, and trust your investigative process.
