HACK'OSINT CTF 2025

Date: 2025-05-23 - 2023-05-25
CTF Format: OSINT, Jeopady
Ranking: 65/186

Welcome Back !

Interview

The previous document suggests that the interview given by Charlotte is a good starting point.

Can you find out when this interview was conducted?

The mission document mentions Charlotte's X handle (@CN_CumSpe). Her profile is available at https://x.com/CN_CumSpe.

There is a post from February 2nd 2025 where she mentions an interview:

alt text

The interview was conducted on 02/02/2025.

Qui es-tu ?

In this interview, Charlotte mentions the name of a person who behaved suspiciously towards her.

Would you be able to identify this person for us?

There is another post on Charlotte's X aaccount regarding the interview in which she mentions who conducted the interview:

alt text

Mr. Steiner is only mentioned by his last name and there is no link to the actual interview.

In another post on X, Charlotte mentions problems with her Medium account:

alt text

The URL to her Medium page is truncated, but there is enough of the URL remaining to guess that the page is at https://medium.com/@charlotte.nectoux.

There are no posts on the Medium page, but she is following 24 people, one of which is Marc Steiner (https://medium.com/@marcsteinerdailynews) who describes himself as "PDG du journal numérique Daily News".

On April 30th, Steiner made a post on his Medium page with the interview with Charlotte: https://medium.com/@marcsteinerdailynews/cybers%C3%A9curit%C3%A9-le-pi%C3%A8ge-du-phishing-et-la-chute-du-groupe-509-60db7eab364e. In the interview, Charlotte mentions a Nicolas de Richelieu, who contacted her a few days before the attack.

Pseudonyme

This Nicolas seems very active on social media. Can you find out what username he goes by ?

There doesn't seem to be any direct connection between Charlotte and Nicolas. The task mentions that he is very active on social media, and searching for the name Nicolas de Richelieu on Facebook turns up the following profile:

alt text

As the last post mentions, Nicolas seems to have deleted all his posts, except a small album named Gamer.

In one of the photos in the Gamer album, there is a t-shirt with the text Xnicolasht, which looks suspiciously like a username or nickname:

alt text

Nicolas de Richelieu goes by the username xnicolasht.

Première approche

While investigating this pseudonym, you uncover a place filled with secrets that was meant to remain confidential.

Can you determine exactly when Nicolas began communicating (a former member of APT-509 arrested in 2024) ?

There is a Bluesky account registered under the username xnicolasht (https://bsky.app/profile/xnicolasht.bsky.social) where Nicolas appears to be posting regularly. The posts are mostly cryptic and of little interest, except for the following:

alt text

The image above includes a part of an URL to a cloud storage service. The service in question and remainder of the URL can be found by looking through the list of accounts that Nicolas is following:

alt text

Cryptpad is a service that provides online storage, and is the only service with a .fr TLD. By transcribing the URL from the photo, the cloud drive can be accessed at: https://cryptpad.fr/drive/#/2/drive/view/f3YGBpPsdLVDxwpvH+PfWsHBS2nNHpOgLwGr-VP9cHI.

Folder of interest containing screenshots: Drive/Perso/509/F-memory-2023-2024

Found the screenshot with the earlies conversation date with hugolecomte377:

alt text

Date: 07/09/2023.

Hotel

Vacances entre amis

While analyzing the conversation between X and Foxtrot (Hugo Lecomte), one exchange catches your attention.

Can you find out where Foxtrot went on vacation last year, as well as the number of his outbound flight?

Screenshot with a photo of a restaurant interior:

alt text