Skip to main content
A blog about stuff I do
  1. Posts/

THCon 2025 CTF - Gunnar s Vacation, geoINT Writeup

·834 words·4 mins
Lacroix Raphaël (Chepycou)
Author
Lacroix Raphaël (Chepycou)
I’m Raphaël LACROIX, a French computer scientist developping various applications in my free time ranging from definitely useless to somewhat usefull. I also do quite a lot of Capture the flag and cybersecurity challenges.
Table of Contents

What’s that about ?
#

The THCon (Toulouse Hacking convention), is a French cybersecurity conference that brings together hobbyists, professionals and researchers every year at Toulouse in April.

This edition (2024), I was one of the challenge creators and created a 6-part geoINT challenge, a few steganography challenges, as well as making all challenges lore-accurate.

Note : in the case the CTFd is not up anymore, if you did not participate, or you don’t remember the challenges you can take a look at https://ctftime.org/event/2660/tasks/ although not all of them may be listed sadly :/

Let’s get to the writeups
#

alt text

Easy
#

These first challenges were meant to be very accessible.

Search for a hotel
#

The first chall involved you getting the name of the Hôtel in which Gunnar had been staying. No real issue there, the shape of the road enables you to get the exact location.

Reverse search an island
#

The second chall needed you to do a basic reverse search to get the name of the place (Capo Testa in Sardinia). From there looking at the place the picture was taken from you can see the photograph was on a rocky promontory. From there you either think smart and pick the place marked on Open Street Maps as a viewpoint Or you just try the few big rocks in the vicinity (and get roasted by gl4d0s a few times in the process).

Medium
#

These challenges were meant to be very doable with basic OSINT tools.

Over the misty mountains
#

The third challenge. We see that we are on the coast, probably the coast of France or Italy since Gunnar’s vacations seem to be revolving around the mediterranean sea. We are near a harbor but reverse searches are not that great with this one. After some search we find that the particularly shaped hills behind the bay can be reserse searched. After that, all we need to do is to get a reference of the shape of the houses to perfectly allign.

Follow the tramway engine
#

The fourth challenge was a two-step one. You see there is a nexity (a French real estate agency) but you don’t know where it is (and there are a lot of them in France !). The way to go was first to pinpoint which city you were in by reverse searching the tramway engine. Its shape tells you we are in Marseille, in which there are only 3 nexity :)

Hard
#

These ones are the real interesting challenges (except for the group that randomly clicked on the map and “Oh that’s it”).

Overpass this !
#

The fifth challenge was a picture of a city on the coast with a Spar near the seaside. The quality being quite low it was hard (though not impossible) to get a reverse search.

One way to solve this one was to look for spars near a beach with overpass turbo. There is a lot of them, but the very jagged coastline can help us filter out a lot of them since we know the shape of the creek we are looking for.

Here is a request that a participant did to narrow it even further :

[out:json][timeout:800];

// Define France area
area["name"="France"][admin_level=2]->.fr;

// Find roundabouts in France
(
  node["junction"="roundabout"](area.fr);
  way["junction"="roundabout"](area.fr);
)->.roundabouts;

// Find beaches in France
(
  way["natural"="beach"](area.fr);
  relation["natural"="beach"](area.fr);
)->.beaches;

// Find Spar supermarkets
(
  node["shop"="supermarket"]["brand"="Spar"](area.fr);
  way["shop"="supermarket"]["brand"="Spar"](area.fr);
)->.spar;

// Filter Spar shops near roundabouts (300m)
(
  node.spar(around.roundabouts:300);
  way.spar(around.roundabouts:300);
)->.spar_near_roundabout;

// Filter Spar shops near beaches (100m)
(
  node.spar_near_roundabout(around.beaches:100);
  way.spar_near_roundabout(around.beaches:100);
);

// Output result
out center;

Here is the output : https://overpass-turbo.eu/s/22lE

Isoplethes 4 the win
#

The sixth challenge involved triangulation, but due to the fact that some roads are nation roads, and others are very rural roads, a crow-distance would not help that much (the point that matches the distance is in the middle of the sea).

One should take the isoplethes of distance (also called isodistances) : I used the tool https://www.smappen.com/app/ which his free online, but you could also script that using OSM data.

alt text

There are very few points where these cross, and we can check that using street view (or panoramax which yields the exact picture)

A brief word on the platform we developed.
#

Together with Baptiste Rébillard (another member of my CTF team) we made the following interface :

alt text
Here is a scaled-down version of the interface with only one map and a hard-coded answer (of course in the real CTF the coordinates were in the back-end and not available on the front-end). I also reduced the number of passive-aggressive gl4d0s lines. Please note that in the real CTF you had to be within 20m to have the flag. In the scaled-down version if you click 100m away it will still count as good due to me being lazy (I just took a rounding of the lat/long values instead of comuputing the distance) but at least you can get roasted by Gl4d0s and that’s already something :)