HACKTORIA’S CTF GALAXIOS Walkthrough

This article is my walkthrough of the completed Capture The Flag from Hacktoria’s Operation Galaxios. Many thanks to the organizers for their incredible job in running these Capture The Flag contests, totally for free: a very rare pearl of beauty and an opportunity to learn something while having fun, especially in the field of GEOSINT, the acronym for geospatial intelligence, which relates to information derived from the analysis of images and data associated with a particular location, but this time also on how to decrypt audio files. Their Capture The Flags are strongly suggested not only to those who want to test their cyber investigation skills, but also to those who want to try their analytical skills, because they require a lot of the soft skill called “thinking outside the box”.

Introduction

The mission briefing is fully provided in the above link. To sum up, it concerns the search for an alien who is a good friend of mankind, having established a long and trusted friendship and cooperation. His name is Klumgongyn, and while he was searching for some soil samples his ship impacted Earth. Hopefully Klumgongyn is still alive, but he needs our help to be located before the villains, the Order of Hades, capture him for their evil purposes.

The rules of the challenge were indicated as follows:

  • A new step for this CTF will be announced on Twitter every three days on the Hacktoria Twitter account, using the hashtag #klumgongyn2022 . There will be a total of 7 steps.
  • The description of the steps will be added to this page.
  • Answer sheet for the 7 answers will be posted on this page, on the day of the last step being released.
  • Players have a total of 3 attempts at submitting their answers.

Step 1

“We received additional communication in the form of scanned writings. Unfortunately there is no way to ask for a translation because outside the alien’s mother ship is out of the communication range”. This was the image of the scanned writing:

Step 1 – Scanned writings from Klumgongyn

I was not able to find anything of interest in the image. Analyzing the EXIF data with the Exiftool command line, the following details emerged:

EXIF metadata from the downloaded picture

So nothing special. Even a reverse image search and Google dorking focused on alien-related topics like “alien writing” OR “alien blog” did not give me any clue.
I tried writing down each word of the message, using paper and pen. Reading the message many times, it seemed to me that some letters could be the “upside down” of the original letters, as follows:

First letter of the scanned writing

This one I guessed could be an ‘H’. We have two letters of this type.

Another letter of the scanned writing

This clearly seemed to me the reverse of an E. We have 4 letters of this type.

This is a rotation of the ‘L’. We have 2 letters of this type.

This is a kind of rotation of the ‘A’, which lost some piece in some way… We have three letters of this type.

This is a rotation of the italic ‘S’. We have two letters of this type.

This is a rotation of the ‘U’. We have two letters of this type.

This was hard to figure out, but it is a rotation of the ‘M’. I reached this solution thanks to the fact that at this point the message started to be readable.

This is a rotation of the P. We have three letters of this type.

Basically I moved the process forward by continuing to rotate some other letters, and when this was not possible I figured out the translation thanks to the fact that at a certain moment the message became pretty clear:

Final translation of the scanned writing

Kudos to the organizers for their imagination, which led me to relive some sort of Star Trek adventure, feeling like a Klingon lost on another planet:

?!?!?

Answer Step 1: “Humans help me escape your planet“.

Step 2

After three days the next step was released: “Great, now we know that Klumgongyn is alive, we were able to intercept another message. Our comms technician has written it down. We believe it will give information about where Klumgongyn might be. See if you can again translate the message and locate Klumgongyn.”, with the following new scanned writing:

Step 2 – Scanned writing

Again no EXIF data at all. To figure it out I continued the process of translation, relying on the approach established in the previous step, working out the new letters while remembering the others I got from the first translation. Apart from some of them, the process of translation was definitely easy:

Full translation of the scanned writing

So I have to find the location of our friend Klumgongyn. How to do it? In the second part of the translation there are some hints:

  • stuck in a cave with paintings of my ancestors;
  • in the vast land;
  • all the creatures try to kill me.

So I have to find a place where there is a cave with paintings of figures which experts have assessed as strange, weird or maybe alien creatures. This cave is located in a vast land, so this has to be a very wide place, probably a continent. The biggest continent in the world is Asia, but re-reading the plot, it indicated that Klumgongyn was looking for “soil samples and gathering some local wildlife as snacks”. This indicated that he was possibly doing some sort of safari, and I started thinking of the African continent. Furthermore, watching the video of the Galaxios CTF, at one point there is a frame of the Egyptian Pyramids.
I started digging on different web search engines using a combination of dorks, like “CAVE WITH PAINTINGS” AND “ALIEN” AND “AFRICA”. With the use of the DuckDuckGo browser I found a very interesting piece of information at this link. The article states: “Tassili n’Ajjer (Arabic: plateau of the rivers) seems like an endless stretch of unforgiving desert to the modern traveler. It’s a dry and visually harsh looking area, located in south-east Algeria at the borders of Libya, Niger and Mali. However, that initial analysis is somewhat deceiving. Covering more than 28,000 square miles of the Sahara desert and mainly composed of sandstone, Tassili n’Ajjer holds many secrets which have enamored both the scientific community and alien enthusiasts alike. For hidden in the many caves and crevices in the crumbling rock, is a treasure trove of ancient cave paintings and rock art”, and there is also an image of what has to be assessed as an alien figure:

Tassili n’Ajjer strange cave paintings

The image triggered me for two distinct reasons:

  • in the nice video shared by the organizers, Klumgongyn is a bipedal creature with a human form (two legs, two arms and so on: a humanoid);
  • in the lower part there is an animal, probably a gazelle (antelope), very tiny with respect to the alien, just as if it were being used as a snack.

The article continues with the following phrase in the paragraph named “The Big Picture Analysis”: “Ancient cave drawings give modern humans a peek into how our ancestors lived”, and there is another very important picture of one of the paintings:

Details of the cave’s paintings

I looked thoroughly at this picture, and the left part of it drew most of my attention. I tried to zoom in and then found something incredibly juicy for determining the location of Klumgongyn:

Other details

These strange effects on the cave paintings, with these black spots and what I would assess as a consequence of the erosion of the cave’s wall, looked to me incredibly similar to the background of the images on which the scanned messages received from Klumgongyn were written.

Furthermore the article (and, not being an expert in archaeology, I didn’t know if I could assess it as reliable) describes the nature of the relationship with the ancient inhabitants of Tassili as friendly, adding that extraterrestrial beings had regular contact with them.
Another interesting element I found regarding the hints from Klumgongyn is that the national park encompasses an area of 28,000 square miles (72,519 sq km), so it definitely has to be considered a vast land.

At the time of writing this article, I could say that hopefully I was not totally convinced or biased by myself, and I still continued to search for something different from the location described. Indeed I found other caves with paintings in:

  • Val Camonica, Italy;
  • Sego Canyon, Utah, United States;
  • Itolo, Tanzania (the third most interesting, and Tanzania is also the country of Serengeti Park, a place which has to be full of wildlife);
  • Cave of Pech Merle, France;
  • The Kimberly’s, North West Australia (the second most interesting, due to the fact that Australia is famous for being the country where there is some of the most dangerous wildlife in the world, like heavily poisonous snakes, and also the paintings, even though not giving me the same feelings as Tassili n’Ajjer, were pretty interesting, also depicting a certain friendship and cooperation between ancient alien species and human ancestors);
  • Chhattisgarh, India (the fourth most interesting besides Tassili).

First Answer:
National Park of Tassili n’Ajjer Sahara Desert – Algeria. (Lat 25°48’26.31″N, Lon 8°11’19.88″E). But I later discovered that it was wrong, owing to my biased analysis, although I thought that the hints were pretty vague for having the entire vision of what was going on. So I moved to Australia, which looked like a place with more wildlife, so it could be more realistic that “all the creatures will try to kill me”.

Second Answer: The Kimberly’s, North West Australia – Correct!

Step 3

Again after three days a new step was released: “Great work on finding Klumgongyn! We sent in the BTRU (Borderless Tactical Response Unit) to rescue our alien friend. Unfortunately the Order of Hades beat us to the location and has taken Klumgongyn. During a further sweep of the area, we received a transmission. Using an alien version of a smartwatch, our friend managed to draw their current surroundings. The geolocation functionality of this watch is not usable on our planet, luckily Klumgongyn is an amazing artist. This image should help to locate the group”:

Amazing drawing made by Klumgongyn

First of all, a big shout-out to Hacktoria’s staff for these amazing drawings.

Let’s start to analyze the image. It is a group of drawn figures, 5 to be precise:

  • Three different types of trees or just one;
  • a possible bush or something else;
  • a lake or the entrance of another cave.

Let’s start by figuring out the trees: I searched for the most iconic trees online with a simple Google search and found this link. Looking at picture no. 10, I found that it was incredibly similar to the drawing. The picture is of a Dragon blood tree (Dracaena cinnabari):

Dragon Blood tree

Dracaena cinnabari is a dragon tree native to the Soqotra archipelago in the Indian Ocean. It is fairly widespread, but has a fragmented distribution with different sub-populations showing varying degrees of vigor. Common and often abundant on the granite of the Haggeher mountains and adjacent limestone plateaus (for instance at Diksam, Reyged, Rewgid and Firmihin). There are also important outliers at Homhil and Hamaderoh and Igliso in the east. Over much of the eastern and southern limestone plateaus it is less common occurring as small relict populations or as isolated trees. It is completely absent from the western end of the island and sparsely distributed or even absent from large areas of the eastern Haggeher. It is likely that D. cinnabari was, in the past, widely distributed over large parts of Soqotra.
So highly likely Klumgongyn was taken to the island of Soqotra, in Yemen.
After understanding that the first drawings are just other representations of the Dragon Blood Tree from different perspectives, only the following picture remained to get the precise location of Klumgongyn on the isle of Soqotra:

Strange drawing

At first glance it is an irregular image which looks like the entrance of a place. I very soon started thinking that it could be another cave, and I became more suspicious because of the upper part of the drawing, which probably represents a formation of stalactites.
So I started searching for caves in Soqotra and found that this particular isle has many caves, indeed more than 50 (Samha, Qa’ra, Motol Gharba, Asra Election, De hasie, De Gizaigiz, Saba’ Jamjahm, Gailah, Dagub…), but one of the biggest and most famous is Hoq cave.
On this link Hoq cave is described as being characterized by an overwhelming beauty and variety of crystal decorations, like the huge hundreds of thousand year old speleothems (stalagmites, stalactites, calcite floors, etc…). To conserve the cave for future generations a pathway has been constructed that leads to a nice water basin.
So I got two very interesting pieces of information to get the precise location of Klumgongyn:

  • the presence of stalagmites, and this is a picture to compare with the drawing:
Hoq’s cave stalagmites
  • the presence of a nice water basin. I was thinking that the irregular lines were a representation of water in some shape, to better describe the place to find Klumgongyn.

Thanks to this I became pretty confident that the location of step 3 is Hoq Cave, Socotra, Yemen.

Answer: Hoq Cave, Socotra, Yemen ( 12°35’36.97″N, 54°22’13.94″E) – Correct!

Step 4

“The BTRU is finally on their way to the island, though given the size of the place, finding Klumgongyn might be difficult. While waiting for their arrival, we’ve received another message from our Klumgongyn. Find out what it means, it seems like our friend needs help. If my memory serves me well, Klumgongyn started a blog last time when visiting earth, maybe that has something to do with this”:

Step 4 – message from Klumgongyn

The translation of the message after the other steps was quite easy:

I ESCAPED I AM INJURED NEED SOME TO HEAL FIND RECIPE OF HUMAN INTERNET VERIFICATION CODE KLUMO

The message indicates that our friend has escaped from the Order of Hades, but he is injured and needs something to heal.
He asks for a recipe of human internet, followed by another message about a verification code. Really tricky and vague, this part, I thought at the very beginning. Another hint was released later on, indicating that Klumgongyn started a blog the last time he visited Earth and that maybe the message has something to do with it.

I will be honest. I spent hours digging and surfing back and forth on the internet, exploiting all of my resources and tools, especially the blog section of the OSINT Framework, without finding anything of interest. Finally I got the answer by trying not the verification code itself as the name of the blog, but simply the name Klumgongyn before wordpress.com, probably the most famous platform to set up your personal blog:

Klumgongyn’s blog

When I reached the solution I could have slapped myself for having wasted so much time overthinking. Hopefully, reading the comments on Hacktoria’s Discord server, I realized I was in good company…

Answer: https://klumgongyn.wordpress.com/ – Correct!

Step 5

“Great, it seems Klumgongyn is still alive! The island was far too big to find any trace of our guest, luckily Klumgongyn is hyper intelligent and was able to sneak us another message. Our communication specialist wrote it down again. Find out where they’re taking Klumgongyn again, we have to catch up to these people soon! The Alien ship is also nearing comms range, I’m sure they will be very displeased with the Order of Hades, maybe this can work in our favor if we bring back Klumgongyn alive and well.”

Step 5 – Klumgongyn’s message

Let’s translate this new message from our friend:

THEY TOOK ME ON A BOAT THEN A CAR TO AN AIRPLANE BUILD(i)NG HAD FLAGS IN BLUE WHITE AND GREEN AND RED STAR TAKING ME TO PLACE WHERE I MAKE PARTICLES GO FASTER IN THE SKY WILL PRETEND TO POOP AND TELEPORT OUT OF HERE IN THE TOILET STALL

I realized very soon the meaning of the message: Klumgongyn was taken to Djibouti, a country which has a flag in green, blue and white with a red star:

Djibouti’s flag

From Google Earth (pictures uploaded by users) I found that in the airport of Djibouti there is also an airplane building:

Djibouti city airport

The message from Klumgongyn describes that he took a boat and then a car to arrive at an airplane building. About the “particles go faster” reference I thought of the Large Hadron Collider in Geneva:

Details from the LHC functioning

a place where scientists a few years ago discovered the existence of the Higgs Boson, the most elementary particle in the Standard Model:

Theoretical representation of Higgs Boson

Yes, I know I am pretty much a nerd, but I also love The Big Bang Theory series, so I love Sheldon’s character when he talks about physics.

Given that after step 5 he was located at Hoq Cave on the isle of Socotra, he was moved from Socotra Port to Djibouti Port and then driven to Djibouti Airport, not so far from there (a bit more than 10 km by car). Normally ships from Socotra depart only for Mukalla’s port in Yemen. The only way for the public to get from Socotra to Djibouti is by flight. I guessed that the Order of Hades has some military ship available to move Klumgongyn. There is also to consider that, according to information from the ports, the journey takes 2–3 days and the service is used mostly for cargo.

I made up my mind, having worked out at this point the starting city and the ending city.

Answer: Socotra Port – Djibouti Airport – Not correct!

I then reconsidered my starting city. Socotra was probably related just to step 4 and nothing more. I was totally confident in my finding of Djibouti. But I thought about where I was wrong and went back to reading the message from Klumgongyn.
I thought again about the reference in the message to “I MAKE PARTICLES GO FASTER IN THE SKY”, and then I supposed that this was probably not merely a joke or something else, as I had supposed at the beginning, but a hint for the real location. The same thing I was thinking at the beginning….

Second Answer:
Djibouty Aiport – Genevra (Switzerland) – Large Hadron Collider. Correct!

Step 6

“We have new communication from Klumgongyn, this time already translated. The mothership is within our comms range, but not close enough to locate Klumgongyn. It seems that when teleporting out of the airplane, our guest managed to teleport to a wrong location. Find out where Klumgongyn is and where the Obelisk is that our alien friend needs to go. This Obelisk has an emergency beacon built in, once activated Klumgongyn will be able to extract.”

  • Located in the Al-Matarriyah district of Cairo, Egypt
  • Largest surviving monument from Heliopolis
  • Oldest obelisk in existence
  • Was part of a temple of Re-Atum constructed by Pharaoh Senusret 1
  • Stands at 69 feet high and weight 120 tons
  • There is an eagle glyph at the top of the obelisk

Current Location:

Step 6: current location

Question: What location did Klumgongyn end up in? And what is the location of the Obelisk?

In this step I had many hints available:

  • Al-Matarriyah district of Cairo, Egypt:
Google Maps: Al Matarriyyah

Just looking on Google Maps I got the location of the obelisk, which is in the El Masalla district, which contains the ancient Masalla Obelisk or Misalla, one of the Pharaonic-era obelisks that still remain in Egypt. The obelisk is a 68 ft (20.73 m) tall red granite obelisk that weighs 120 tons, 240,000 pounds (110,000 kg).

Regarding Klumgongyn’s location, at the very beginning I thought the strange figures had to be removed before running a reverse image search. To do this I used the tool MagicEraser, but the clean-up was not useful for retrieving an interesting location. Later on I ran an image search on the original image with the weird creatures included, and I found that they are the “mascot fennec foxes”, a caricature of a real species mostly located in southern Tunisia. The mascot took the name of Labib, and they were erected in each town of Tunisia, especially on streets named ‘Boulevard of the Environment’. It was also used in several awareness campaigns in schools, on television and on the radio. They are no longer present in Tunisia due to the fact that in 2012 the Government decided to remove them.
I then tried again with the Dessant tool using the TinEye option and I got the image I was looking for:

TinEye results

To get the location I tried to open the two links but they were no longer available:

Error 404 page not available
Error 403: access forbidden

At this point I decided to use the Wayback Machine to travel back in time with the two links.
For the Panoramio link (a service no longer available but very useful for GEOSINT a few years ago, and still listed on the osintframework), I had to remove the ‘static’ sub-domain from the URL, and then the Wayback Machine redirected me to another link:

Wayback machine results

It was a capture from October 2016, the same image but still without the associated location.
I tried to use the Wayback Machine again, but this time with the other link. I noticed at first glance that there was no capture for the entire URL, so I removed the admin folder path and tried to search for the fully qualified domain adding ‘tn’, which I guessed was for Tunisia. I got many snapshots and I opened the one from 03.11.2016.
At this point I began digging for many hours through all the landmarks present in the snapshot of the page:

Wayback machine results

So I spent many hours hovering over the links to get the answer, and I admit it was very tiring and left me incredibly exhausted. My idea was that the administrators of the Worldmapz site took the Panoramio picture to represent their Tunisie location. I continued digging again and again and noticed that the picture was not present anywhere. I then tried to look also at the link which was not loading the image, and suddenly I found what I was looking for:

Wayback machine. HTML page analysis

Analyzing the HTML page with the Inspector function, I noticed that the link La Marsa Soukra was the same one I was looking for, obtained from the TinEye reverse image search.

I tried to verify the location with Google Earth, but it was complicated due to the fact that the Fennec Fox Labib is probably no longer there, but at this point I was confident in my findings.

Answers: Masalla Obelisk or Misalla – La Marsa Soukra (Tunisie)

Step 7

And finally the last step: “Excellent work! Klumgongyn is almost ready for extraction. Our guest is currently disguised as a human and loitering around the Obelisk. To safely extract, Klumgongyn needs to activate an ancient form of MFA. On the Obelisk, there is code that needs to be tapped on one of the stones. This will verify it’s the right person being extracted. Klumgongyn forgot the MFA codes, so the alien ship has sent us a recovery code via audio message“. The organizers provide a file to download:

Filename: step-07.wav;
Size: 7.094.326 byte
Filetype: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, 3 channels 44100 Hz
Hash: 5ab1a5feb35f64588242cbde6716844c

To get the recovery code, the audio file being a strange stream of indecipherable and background sounds, I opened it with a hex viewer and, scrolling to the trailer of the file (the final part), I got what at the beginning I supposed to be the answer:

Hex view for the step7.wav file

The recovery code I supposed to be: SPACE009950TXXX.

The answer turned out to be wrong. I could not understand why, because I was pretty sure that this was the recovery code. I moved on to other data offsets, still not finding anything of interest.
I then downloaded a utility for Linux, qmmp v. 1.5.1, and opened the file. I switched the stereo mode and then got another message, again related to the metadata of the file:

Track’s name

I started to think that the file was not just a matter of playing around with hex digging but something more advanced, maybe using some sort of steganography, which is the practice of concealing a file, message, image, or video within another file, message, image, or video. So, in order, I tried:

  • Exiftool to look better on the metadata file:

No particular findings.

  • LinuxFu with strings + awk to get interesting string patterns:
strings combined with awk

Again nothing special.

  • binwalk to decode hidden text or message within the file:
Binwalk search

I then started realizing that maybe it had something to do with the audio itself. I am not an expert on audio files, but I knew that it is possible, just like with images, to embed text or even images within an audio file.
With Audacity I tried to use the Spectrogram tool to dig deeper into the tracks and maybe reveal a hidden message within them:

Spectrogram results with Audacity

The spectrogram function did not help me, but instead gave me the possibility to look for something suspicious within the tracks. There was a strange third track, and muting the others it was just like hearing a repetition of ‘beeps’ of different lengths. Maybe Morse code? Basically Morse code is a repetition of electronic pulses of two types, short and longer, represented by dots and dashes.

Let’s try it!
-... . .- -- -- . ..- .--. ... -.-. --- - - -.--

The above representation is the result of listening to the different dots and dashes. At this point I used CyberChef to decode it and:

Cyberchef results

At the beginning, because I was too concentrated on the Morse code decoding, I did not understand the clear reference. But later on I got the famous catchphrase of Star Trek’s Captain Kirk: Beam me up, Scotty

New answer: BEAM ME UP SCOTTY
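
Added example, not part of the original walkthrough or the organizers' material: the third-track check done above by ear (Audacity, then CyberChef), scripted as isolating one channel of a multi-channel 16-bit PCM WAV and decoding its on/off beeps as Morse. It runs on a constructed 3-channel sample rather than step-07.wav; the 8000 Hz rate, 600 Hz tone, 50 ms dot and all function names are assumptions made for the illustration.

```python
import io, math, random, struct, wave

# International Morse code, letters only (enough for this recovery phrase).
MORSE = dict(zip(
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
    "--.- .-. ... - ..- ...- .-- -..- -.-- --..".split(),
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))

def make_sample_wav(message, rate=8000, dot=0.05):
    """Constructed input: 3-channel 16-bit PCM, noise on channels 1-2,
    a keyed 600 Hz tone (Morse) on channel 3 only."""
    enc = {letter: code for code, letter in MORSE.items()}
    n = int(rate * dot)                      # samples per dot
    key = [0] * (2 * n)                      # leading silence
    for word in message.split():
        for ch in word:
            for el in enc[ch]:
                key += [1] * (n if el == "." else 3 * n) + [0] * n
            key += [0] * (2 * n)             # letter gap: 3 dots in total
        key += [0] * (4 * n)                 # word gap: 7 dots in total
    rng = random.Random(0)
    frames = b"".join(
        struct.pack("<3h", rng.randint(-8000, 8000), rng.randint(-8000, 8000),
                    int(12000 * k * math.sin(2 * math.pi * 600 * i / rate)))
        for i, k in enumerate(key))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(3); w.setsampwidth(2); w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()

def channel_samples(wav_bytes, channel):
    """De-interleave one channel (0-based) from 16-bit PCM WAV data."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        nch, rate = w.getnchannels(), w.getframerate()
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return samples[channel::nch], rate

def keyed_runs(samples, rate, window=0.01, threshold=0.2):
    """Collapse the channel into [tone_on, seconds] runs using the peak
    amplitude of each short window compared with the channel's peak."""
    step = max(1, int(rate * window))
    peak = max(abs(s) for s in samples) or 1
    runs = []
    for i in range(0, len(samples), step):
        on = max(abs(s) for s in samples[i:i + step]) > threshold * peak
        if runs and runs[-1][0] == on:
            runs[-1][1] += window
        else:
            runs.append([on, window])
    return runs

def decode_morse(runs):
    """Dot length = shortest tone; dash ~3 dots, letter gap ~3, word gap ~7."""
    tones = [d for on, d in runs if on]
    if not tones:
        return ""
    dot, out, sym = min(tones), [], ""
    for on, d in runs:
        if on:
            sym += "." if d < 2 * dot else "-"
            continue
        if d >= 2 * dot and sym:             # silence long enough to end a letter
            out.append(MORSE.get(sym, "?"))
            sym = ""
        if d >= 5 * dot and out and out[-1] != " ":
            out.append(" ")                  # silence long enough to end a word
    if sym:
        out.append(MORSE.get(sym, "?"))
    return "".join(out).strip()

def decode_channel(wav_bytes, channel):
    samples, rate = channel_samples(wav_bytes, channel)
    return decode_morse(keyed_runs(samples, rate))

if __name__ == "__main__":
    wav = make_sample_wav("BEAM ME UP SCOTTY")
    for ch in range(3):
        print("channel", ch + 1, "->", repr(decode_channel(wav, ch)))
```

On a real recording the beeps are not aligned to the analysis window, so the `window` and `threshold` values may need tuning against the waveform view.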

Final Consideration

The CTF took me the whole month, also due to the fact that I stopped at Easter and had many backlogs at work. The challenge was very fun but also fascinating for the steps themselves, which required me to leverage my analytical skills and not rely only on the technical ones.

I was biased at some point and I badly underestimated Step 7, sending a futile answer. Also at Step 5 I did not follow what I had probably figured out at the beginning about the Large Hadron Collider, probably too focused on misunderstanding distances between locations and not catching up on the juicier hints released by the authors and also by Hacktoria’s community.

I would also like to say thank you to the members of Hacktoria’s community for the fair and honest discussions when I was stuck at some point, and also to the members of the channel groups, who triggered my analytical skills with new and interesting hints I had not caught at first glance.

Kudos to CyberVikingUK for the winning!

Finally, I really improved my OSINT and analytical skills and I cannot wait for the next challenges, in which I strongly suggest participating.

Awarding

I hope that you found this article insightful and thank you for reading.

~Renato

