Skip to content

Diver CTF 2025

  • Date: 2025-06-07 - 2023-06-08
  • CTF Format: OSINT, Jeopady
  • Ranking: 155/668

Introduction

bx

Give the coordinates of the "BX" signboard visible in this picture.

alt text

Did a reverse image search on the part of the image containing the sign and the buildings around.

Found a Flickr album: https://www.flickr.com/photos/126086948@N06/albums/72157666817741301/

According to the album, the church is called Ueno Catholic Church of St. Bernadette, which is located near the Tokyo National Museum:

alt text

Confirmed the location with Street View:

docs/writeups/ctf/2025/diverctf/Screenshot 2025-06-07 091655.png

The coordinates are: 35.71830808253218, 139.78103243345

finding_my_way

Answer the Way number in OpenStreetMap of the building located at 34.735639, 138.994950.

Located the building on OpenStreetMap:

alt text

Right-clicking and selecting Query Features lists the building number as #568613762.

hidden_service

See the attached file and capture the flag!

The attached file is a .onion address:

alt text

Found the flag by navigating to the address in a Tor browser session:

alt text

ship

This is a vessel operated by a some organisation. Answer the number that would remain the same if this vessel were to be sold to a foreign country in the future.

alt text

According to the writing on the side of the ship, it belongs to the Tokyo University of Marine Science and Technology. By searching for ships operated by the university, the following can be found:

alt text (https://upload.wikimedia.org/wikipedia/commons/f/f1/Side_view_of_Shinyo-Maru_IV_the_training_vessel_of_Tokyo_University_of_Marine_Science_and_Technology.jpg)

The ship's name is Shinyo Maru.

Found the following page with more details about the vessel, including its IMO number: https://www.wikidata.org/wiki/Q28691249

The IMO number is 9767675. Combined with the Japanese name for the ship, gives the flag Diver25{神鷹丸_9767675}.

flight_from

Answer with the ICAO code (4 letter code) of the airfield from which this helicopter departed.

alt text

At first glance it appears the flight departed from OKO/RJTY, but this doesn't match with the flight path on the image. Looking closer at the origin of the flight path, it appears it originated from Tachikawa Airfield.

Flag: Diver25{RJTC}

document

The US Navy Commander Fleet Activities Yokosuka (CFAY) operates a shuttle bus service between Haneda airport/Narita airport and the base for US military personnel. Answer the name of the person who created the document about the boarding location of the bus in 2023.

Searched for shuttle bus service between Haneda airport/Narita airport and the base for US military personnel and found the following page: https://cnrj.cnic.navy.mil/Installations/CFA-Yokosuka/About/Installation-Guide/Airport-Shuttles/

One of the documents (CFAY Bus Schedule) lists the name of the PDF author in the document properties:

alt text

Author name redacted for privacy.

louvre

Answer the vendor of one of the Louvre's public Wi-Fi access points that meets the following criteria.

  • Information was collected on 28 February 2025. This can be accessed via online.
  • Determine the vendor according to the BSSID.

A quick search on Google reveals that the public WiFi SSID in the Louvre is called Louvre_Wifi_Gratuit.

The BSSID of one of the APs hosting that network can be found using an online database of WiFi hotspots such as Wigle. Searching for the SSID and the date of interest returns a sigle MAC address: 50:60:28:4E:17:E0.

Using a MAC address lookup service, the manufacturer was found to be Xirrus Inc..

Flag: Diver25{Xirrus Inc.}

Recon

00_engineer

An software engineer's nameplate was picked up near Tokyo Station. This should be a lost item. Answer the URL of the website (index page) of the company where this engineer works.

alt text

A search for the username kodai_sn on IDCrawl produced a possible match for a GitHub page: https://kodai-sn.github.io/

alt text

The skills listed on the page are a good match with what's listed on the name badge. According to the GitHub page, they are currently working at Magneight.

Flag: Diver25{https://magneight.com}

01_recon

Answer the asset number of the smartphone owned by the CEO of the company found in the "00_engineer" challenge.

The CEO's name (Mizuki Sekozaki) is listed on the About page on the Magneight website. Searching for the name on IDCrawl reveals an Instagram profile under the username mizuki1206edelweiss. In one of the photos, a phone with an asset tag can be seen:

alt text

Flag: Diver25{MN24-P113}.

Transportation

36_years_ago

Answer the transponder Mode S code assigned to the aircraft shown in this news video as of August 1989 in hexadecimal notation. https://www.youtube.com/watch?v=OvR2O_Vpwc0

The news report is from an accident at Semine Airfield on October 27th 2024. There is a short clip in the report showing the aircraft landing just before the accident. In it, the tail number JA4098 can be clearly seen.

There is an article on the accident on the Aviation Safety Network website.

The task is to find what the aircraft transponder ID was in August 1989, which suggests that it was re-registered at some point. Searching for JA4098 cessna 172 brought up the following page: https://airport-data.com/aircraft/JA4098.html:

alt text

The aircraft was originally registered as N9768L. The link on the page points to the original registration in which the transponder ID is listed:

alt text

Flag: Diver25{AD9D6A}.

Geo

Where were the photographs in this article taken?

The photo in question:

alt text

While the photo can be found in numerous news articles, none of them mention exactly where the photo was taken. One article featuring a photo at the same location mentions that it's taken in St. Petersburg.

Going off the signs in the photo, it looks like there is a Burger King around 150 m further up the street as well as a local restaurant chain called Tokyo City.

By looking for locations in St. Petersburg where the two restaurants are near each other, it looks like the photo was taken near the Vasileostrovskaya metro station in St. Petersburg:

alt text

The exact location is on the far side of the metro station.

Hole

Where was this hole located?

alt text

A reverse image search on the photo reveals that it originates from an ad for BYD Yangwang U9. The video starts with an overview shot of an air field:

alt text

The title card says Datong, Shanxi. While there is a domestic airport in Datong, it doesn't look like the one in the video.

Looking over the Datong region on Google Maps, several unmarked airfields can be found. One airfield in particular (Lingqiu Airfield) in the south of the region stands out as remarkably similar to the one in the video. The exact placement of the hole can be found by comparing the layout of the airfield with what's shown in the video:

alt text