Hacktoria | The Mona Lisa Heist CTF – Write-Up

The Mona Lisa Heist CTF created by Hacktoria is OSINT themed and can be played here: https://hacktoria.com/operations/operation-the-mona-lisa-heist/

The CTF was active in July of 2022.

Mission Briefing

from: dimitri-zechev@tiberianserpent.com
to: agent-k@tiberianserpent.com
date: July 01, 2022, 21:00 EET
subject: Briefing “The Mona Lisa Heist”

Well good evening,

As you’ve probably heard in the news recently, the Mona Lisa was stolen from the Louvre Museum in Paris. Together with a variety of other high profile heists, INTERPOL believes these are all linked to the same organization. As of now we do not know which that would be. The most prominent paintings recently stolen, which are believed to be taken by the same organization:

Watercolors – Marc Chagall
An Allegory – Sandro Botticelli
La Bella Principessa – Leonardo da Vinci
Portrait of Alexander Mornauer – Hans Holbein
The passion – Hans Holbein
Lady with an ermine – Leonardo da Vinci
The Annunciation – Sandro Botticelli
America Windows – Marc Chagall
The School of Athens – Raffaello Sanzio da Urbino
The Starry Night – Vincent van Gogh
American Gothic – Grant Wood
The Persistence of Memory – Salvador Dali
Mona Lisa – Leonardo da Vinci

The operations undertaken to heist these paintings have a lot of similarities. Camera footage is missing or replaced with seemingly still footage. Guards did not find anything, the alarms are disabled and no forced entries from the outside. CCTV footage is still being examined to find people who entered but haven’t left. So far it is believed the criminals wear disguises, even if we find unaccounted people, it might lead nowhere.

Given the camera’s malfunction, guards incompetence and alarms not going off, we suspect inside jobs. Or at least partially. This means interrogations are ongoing with all security personnel from the involved venues. We believe the only place these painting will show up are the underground markets, either online or offline. Regular buyers will stay away from these stolen goods. This leads INTERPOL to believe they are stolen out of personal interest, or to be sold to other criminals.

For months the case has gone without any leads. However, just this week, we were able to compromise an email account. The account contained one email. Forensics into this email did not lead my team anywhere. Which is why our hope of finding anything now rests with your team. We need your OSINT magic to figure out where the next heist will take place, so we can lay a trap for the thieves. Given their global profile, it is impossible to predict where they would strike next.

Here you find the contents of the email, please let us know what you find.

Alright, one of the paintings we’re going to hit has its description hidden in the riddle that follows from the resolution below:

0-4 PqBnrdaO75Y
0-2 CdZDXKVuMlE
0-2 D7vCxL45Jn8
2-5 1GEFhh1kxuY
0 Yykfw9eNA5s
1-4 v72zb9_dxnA
2-3 Eo4s1o-u1wU
2-5 XAH4Ovuyjxg
0 l0WKYlaqKq4
1-3 9T6HGC-m8zU
1 ipf7ifVSeDU
1 1EpuHGMn7B0
0-2 dS71chsx104

Other heist is included in the plans with images of how we’re doing that one. You will receive the details on the exact locations in another way.

/;;7:_TT)0;S3@TXt;U.\w

Best Regards,

Dimitri Zechev
Head of Red Team Operations
Tiberian Serpent HQ


Overview

I immediately noticed three potentially interesting parts in the mission briefing:

  • The list of stolen paintings
  • The riddle retrieved from a thief’s email
  • The string of special characters at the end

Since the list of paintings didn’t seem to include any obvious sort of riddle (i.e. incorrectly spelled names or other oddities), I started by doing a quick analysis of the obvious riddle.


Riddle Text

What is the riddle text? Use only the words without any commas, separated by spaces, lower case letters only.

For the write-up of the riddle, I would like to quote Sherlock Holmes first: “It was easier to know it than to explain why I know it.” (A Study in Scarlet)

So most of my thought processes were not really conscious but went kind of like this:

The riddle is presented in a list with two columns and 13 entries. The list of stolen paintings also has 13 entries. The left column contains one to two digits separated by a dash if it’s two digits. The second digit is always greater than the first digit. No digit is negative, and no digit is greater than 5. These digits could represent ranges of some sort where the length of a range can be just one, too. There are no ranges of no length because a range of no length – if it would make sense at all – would most likely be represented with a 0, but since some entries have two digits with a leading 0 (e.g., 0-2), I assume 0 is the starting index of any range (like in most programming languages) and there are no ranges of no length.

The ranges most likely correspond with the right column, so for example we could take a range of characters from each entry and then put those parts together into a new string of characters. But I obviously also counted the number of characters of each entry, which is 11, and I noticed the range of possible characters of an entry (i.e. the alphabet of the code): they consist of letters (lowercase and uppercase), digits, and the two special characters dash (-) and underscore (_), i.e. the URL-safe base64 alphabet. With a sample size of 13 entries, I assumed this could be exhaustive, and there would be no other possible special characters in this alphabet. At the same time, I remembered a video by Tom Scott: https://www.youtube.com/watch?v=gocwRvLhDf8 So I did a quick check for the first entry: https://www.youtube.com/watch?v=PqBnrdaO75Y Indeed, this is a valid YouTube id (Edit: or it was a valid YouTube id back when I solved this riddle; the new id is “maUjVifKaNU”). Could this be a coincidence? Yes, in theory, it could, but if you watched Tom Scott’s video, you know it’s possible but improbable. By checking the other entries, too, I realized they are, in fact, all valid YouTube ids. That surely couldn’t be a coincidence. If those codes had not looked so much like YouTube ids, I would have assumed the riddle list and the list of stolen paintings were related, but thankfully, they were not.

I won’t go into detail about all the videos, but some thoughts: they seemed pretty random. Various channels, upload dates from way back in 2011 up until just some weeks ago, various genres (although mostly music), and also different languages/cultures. The videos could have been red herrings and the digit ranges would have to be used with the character strings themselves, but I didn’t see how the corresponding parts of the string (i.e. “PqBnr” for the first line) would result in anything more useful than the strings as they are. Also, since I assumed I was just looking for something that presents itself in a range that can be retrieved from the videos, my first idea was to just copy the words from the titles of the videos, which didn’t seem to be too much of an investment even if it was not correct. So for example, the first video (PqBnrdaO75Y) is titled “I am the god of war”. With a range of 0-4, that would result in “I am the god of”. I made sure my YouTube language was set to English so no titles would be translated to German, and then went through all titles one by one, slowly uncovering a little description of someone or something. It was actually pretty fun when it reached “accompanied by my son, whom I” – me in my head: “whom I what? What’s the next word going to be?” – “DESPISE”. Welp, poor son.

Range | Video id    | Title words selected
0-4   | PqBnrdaO75Y | I am the god of
0-2   | CdZDXKVuMlE | What is relative
0-2   | D7vCxL45Jn8 | moving in circles
2-5   | 1GEFhh1kxuY | Through the Solar System
0     | Yykfw9eNA5s | Captured
1-4   | v72zb9_dxnA | at an Obscure Time
2-3   | Eo4s1o-u1wU | accompanied by
2-5   | XAH4Ovuyjxg | MY SON, WHOM I
0     | l0WKYlaqKq4 | DESPISE
1-3   | 9T6HGC-m8zU | Stored in a
1     | ipf7ifVSeDU | meadow
1     | 1EpuHGMn7B0 | of
0-2   | dS71chsx104 | A King’s Land

The text made sense syntactically and semantically (well, to a certain degree) and the range was never greater than the length of a title would have allowed. So yeah, this seemed to be correct.

Answer: i am the god of what is relative moving in circles through the solar system captured at an obscure time accompanied by my son whom i despise stored in a meadow of a kings land
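The two checks described above (are the 11-character strings YouTube ids, and do the inclusive word ranges assemble into the riddle) as an added Python example, not code from the write-up. The riddle lines and the first title come from the page; the remaining titles are only known here by the fragments the ranges select, so those fragments are embedded as constructed input for the final normalisation step.

```python
import re

# The "<range> <video id>" lines, copied from the briefing e-mail.
RIDDLE_LINES = """0-4 PqBnrdaO75Y
0-2 CdZDXKVuMlE
0-2 D7vCxL45Jn8
2-5 1GEFhh1kxuY
0 Yykfw9eNA5s
1-4 v72zb9_dxnA
2-3 Eo4s1o-u1wU
2-5 XAH4Ovuyjxg
0 l0WKYlaqKq4
1-3 9T6HGC-m8zU
1 ipf7ifVSeDU
1 1EpuHGMn7B0
0-2 dS71chsx104""".splitlines()

# Title fragments the ranges select, as listed in the write-up (constructed input).
FRAGMENTS = [
    "I am the god of", "What is relative", "moving in circles",
    "Through the Solar System", "Captured", "at an Obscure Time",
    "accompanied by", "MY SON, WHOM I", "DESPISE", "Stored in a",
    "meadow", "of", "A King\u2019s Land",
]

# A YouTube video id is 11 URL-safe base64 characters. Because the id packs
# 64 bits into 66 bits of base64, the last character's 6-bit value must have
# its two low bits clear, which leaves only these 16 symbols (the point made
# in Tom Scott's video). That is a stronger test than alphabet membership.
YT_ID = re.compile(r"[A-Za-z0-9_-]{10}[AEIMQUYcgkosw048]")


def parse_line(line):
    """'2-5 abc' -> (2, 5, 'abc'); a bare '0 abc' -> (0, 0, 'abc'). Inclusive, 0-based."""
    rng, vid = line.split()
    parts = rng.split("-")
    start, end = int(parts[0]), int(parts[-1])
    if start < 0 or start > end:
        raise ValueError(f"bad range {rng!r}")
    return start, end, vid


def looks_like_youtube_id(vid):
    return YT_ID.fullmatch(vid) is not None


def slice_title(title, start, end):
    """Take words start..end (inclusive) of a video title."""
    words = title.split()
    if end >= len(words):
        raise ValueError("range exceeds title length")
    return " ".join(words[start:end + 1])


def normalise(fragments):
    """Answer format: lower case, letters and spaces only, single-spaced."""
    text = " ".join(fragments).lower()
    return " ".join(re.sub(r"[^a-z ]", "", text).split())


if __name__ == "__main__":
    for line in RIDDLE_LINES:
        start, end, vid = parse_line(line)
        print(start, end, vid, looks_like_youtube_id(vid))
    print(slice_title("I am the god of war", 0, 4))
    print(normalise(FRAGMENTS))
```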


Name of the Painting

What is the name of the painting described in the riddle? Either in English or original language.

Since the riddle is pretty wordy, I thought about it in chunks:

“i am the god of what is relative moving in circles through the solar system” -> Something that is moving through the solar system could be a planet, especially since the planets of our solar system are named after Roman gods, i.e. connecting “gods” and “solar system”: https://en.wikipedia.org/wiki/Planets_in_astrology#Planetary_symbolism

“what is relative” could then be time, i.e. Cronus, i.e. Saturn: https://en.wikipedia.org/wiki/Cronus

I know it’s kind of a stretch because Cronus and Chronos are not the same entity (https://en.wikipedia.org/wiki/Chronos), but they are similar enough that I got them confused at first and just went with it, because “what is relative” immediately made me think of time and apparently, Saturn means “Father Time”.

“accompanied by my son whom I despise” made me do a quick search on Cronus to see if he had any sons and if he despised at least one of them. He did have sons, and as usual with these gods and whatnot, their family dynamic is complicated. So instead of manually deciding the correct son, I simply googled “painting saturn cronus son” hoping there wouldn’t be too many paintings matching that description. The first result was this link: https://en.wikipedia.org/wiki/Saturn_Devouring_His_Son

Even though I didn’t specifically search for “despise”, I think devouring someone would require at least a bit of despise towards them. The article describes the following: “It depicts the Greek myth of the Titan Cronus (known as Saturn in Roman mythology)”. So if my assumption of “relative –> time –> Cronus” was correct, then there was a valid link to Saturn and a despised son.

For confirmation: “captured at an obscure time” could reference the dark theme, the dark background, or just the fact that there is no exact date and time for the creation of the painting. It was painted c. 1819–1823. However, there is another painting with the same name, so this might not be the intended interpretation of the hint. The same is true for “stored in a meadow of a king’s land”, which could reference where the painting was created, depending on which painting is meant.

To be fair, I didn’t really know what to do with some bits of the riddle but was pretty sure I got the correct painting name since there aren’t that many paintings of “planets” showing their despise towards their sons. I did check it, though, by googling “painting mars son” and “painting jupiter son”, and those actually only really showed me the painting of Saturn devouring his son, too.

Answer: Saturn Devouring His Son


Code

What is the link leading to the floor plans of the next heist?

At the end of the mission briefing, we got this string of characters: /;;7:_TT)0;S3@TXt;U.\w

Obviously, I immediately assumed it would be a code, but at the same time, I was a bit worried about the length. With such a short code, it can be very difficult to even know the kind of cipher, let alone the correct key.

From just looking at the code, I assumed it would be no simple ROT cipher because of the special characters. I also want to point out that I try to solve these CTFs without looking at the questions first, so I didn’t know I was looking for a link/URL.

Anyway, as I often do, I used CyberChef’s Magic function to try to get something, which didn’t result in anything, and then tried a cipher identifier: https://www.dcode.fr/cipher-identifier

It was pretty certain this could be an ASCII Shift Cipher.

Following this lead with a basic brute force attempt didn’t really show any clear results:

I did, however, notice the “HTTPS” part for the +103 shift. The corresponding decoded text was not a valid URL though, and it ended with an unknown character. But at least I was now pretty confident this could really be a shift cipher, since it would be a huge coincidence having exactly those 5 letters at the beginning of a string all being uppercase followed by something that is not an uppercase letter. So I used CyberChef’s ROT47 function to easily rotate through and see if I could find a correct alignment: for a rotation key of 25, I got “HTTPSxmmBITlLYmq/TnGu2”, same as with dcode.fr. However, ROT47 differentiates lowercase and uppercase, so I tried a few more keys until I reached 57 with a decoded text of “https://bit.ly/3Ot0g7R”. Following that link confirmed its correctness.

Answer: https://bit.ly/3Ot0g7R
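The ROT47 rotation described above, as an added Python example rather than the write-up’s CyberChef steps: it tries all 94 shifts over the printable ASCII range and keeps the ones that read as a link. The ciphertext is the one from the briefing; keys 25 and 57 are 32 apart, which is exactly the ASCII case bit, so the same letters appear once in upper and once in lower case.

```python
# Ciphertext from the briefing e-mail (the backslash is escaped for Python).
CIPHERTEXT = "/;;7:_TT)0;S3@TXt;U.\\w"


def rot47(text, key):
    """Shift every printable ASCII character (codes 33..126, 94 symbols) by key,
    wrapping around; anything outside that range is left untouched.
    Classic ROT47 is key=47, which is its own inverse."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + key) % 94))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(text):
    """All 94 possible rotations, keyed by the shift amount."""
    return {k: rot47(text, k) for k in range(94)}


def url_candidates(text):
    """Rotations whose plaintext starts with 'http' in any letter case.
    Keys 32 apart differ only by the ASCII case bit, which is why 'HTTPS...'
    shows up at key 25 and 'https://' at key 57."""
    return [(k, p) for k, p in brute_force(text).items()
            if p.lower().startswith("http")]


def find_url(text):
    """First rotation that yields a well-formed http(s):// link, or None."""
    for k, p in brute_force(text).items():
        if p.startswith("https://") or p.startswith("http://"):
            return k, p
    return None


if __name__ == "__main__":
    for k, p in url_candidates(CIPHERTEXT):
        print(f"key {k:2d}: {p}")
    print(find_url(CIPHERTEXT))
```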


Heist Plans

What is the name of the museum from the heist plans/floor plans? Use the native language of the museum for the name.

Upon opening the link, I was led to a Dropbox folder with 12 images:

Naturally, I downloaded all of them. Not knowing what to do from here on out, this was the first time I looked at the actual questions of the CTF.

So to find the name of the museum, I reverse searched the escape-route.jpg image. It was a bit of a hassle because of the angle and the text box overlay, but using some different croppings, I found something.

According to that site (https://www.alamy.com/wien-luftbild-naturhistorisches-museum), this is the “Naturhistorisches Museum” in Vienna. However, thinking about it for a second, I noticed it should be an art museum instead of a museum for natural history. I assumed the website was referring to the building on the top left corner of the image, while the escape route clearly marks the building on the lower right. Doing a quick check on Google Maps I got the correct building.

I did a quick confirmation by googling the floor plans, too, but more on that for the next question.

Answer: Kunsthistorisches Museum Wien


Floor Plans

What is the name of the painting being stolen from the next heist? As directed in the floor plans.

Googling for “Kunsthistorisches Museum wien floor plans” leads to this page: https://www.khm.at/nocache/en/objectdb/saalplan/

Those are the same plans as seen in the images from the Dropbox folder. Following the notes in the images, one of the thieves should enter on level 0.5, go up the stairs to level 1, then take the second right, and enter the third room. There should be a painting showing “all the fat babies”.

The floor plans on the website are interactive and by clicking on a room, you can see all the paintings in that room. However, due to some coincidence, exactly room XIII was closed when I first wanted to look into it.

Luckily, it was only closed until the 4th of July and I had access on the 5th of July.

A total of 19 paintings are included in Saal XIII. Several of these have what could be considered “fat babies” in them.

The Feast of Venus:

The Infant Christ with John the Baptist and Two Angels:

Since the first of the two is also the first painting in the room out of all the paintings and since it has more babies in it than the second painting with babies, I assumed “The Feast of Venus” to be correct.

Answer: The Feast of Venus


Real or Fake

Is painting 1 real or fake?

There are 8 images of paintings in the Dropbox folder. For each of them, we are tasked to say whether it is real or fake. Now, you could just take a guess and basically get the answer via email, but I obviously also wanted to know why the paintings are fake or not.

To put them into perspective: According to the mission briefing, 13 paintings have been stolen. Or rather: Out of all the paintings that have been stolen, 13 of the most prominent ones that have been reported recently seem to be connected to this group of thieves, with the latest painting being the Mona Lisa.

Now, I immediately saw that the Mona Lisa was not among the paintings in the Dropbox folder. I have to admit, I don’t know many paintings and had to reverse search all of them to know what they are called. For most of them, that was pretty straightforward, as all of them are pretty famous. So using Google Lens and Yandex did the trick.

However, some paintings are quite mysterious in themselves. For example, sometimes it’s not clear who the painter was or when the painting was created. But here is what I found, basically:

  • Painting1 = Marc Chagall – America Windows
  • Painting2 = Sandro Botticelli – The Annunciation
  • Painting3 = Leonardo da Vinci – Lady with an Ermine
  • Painting4 = Hans Holbein the Younger – The Passion (of Christ)
  • Painting5 = David Stein – Tribute to Marc Chagall
  • Painting6 = Leonardo da Vinci – La Bella Principessa
  • Painting7 = Sandro Botticelli – An Allegory
  • Painting8 = Master of the Mornauer Portrait – Portrait of Alexander Mornauer

Comparing that with the list of stolen paintings:

  • Watercolors – Marc Chagall
  • An Allegory – Sandro Botticelli
  • La Bella Principessa – Leonardo da Vinci
  • Portrait of Alexander Mornauer – Hans Holbein
  • The passion – Hans Holbein
  • Lady with an ermine – Leonardo da Vinci
  • The Annunciation – Sandro Botticelli
  • America Windows – Marc Chagall
  • The School of Athens – Raffaello Sanzio da Urbino
  • The Starry Night – Vincent van Gogh
  • American Gothic – Grant Wood
  • The Persistence of Memory – Salvador Dali
  • Mona Lisa – Leonardo da Vinci

There are matches. Actually, only the Tribute to Marc Chagall by David Stein seems to be missing from the list of stolen paintings. But before thinking about that too much, I also looked at file sizes and EXIF data of all 8 images. Those did spark my interest at some points, but ultimately didn’t result in anything and didn’t help me in deciding which were fakes. I assumed that the EXIF data would contain names of painters that would either be matching the real ones or not or something like that, but that wasn’t the case.

So I thought about other ways to determine if the paintings would be fakes. I quickly dismissed the idea of manually checking for real-world indicators of fakes, like wrong colors or something like that, since I was dealing with digital copies of the actual paintings which alter the paintings through compression and that kind of stuff anyway. Also, there are different digital versions of the same painting oftentimes:

So if the images were altered to make them identifiable as fakes, it would have been something very obvious like a hidden word somewhere on the image, but I didn’t find anything like that either while looking at some of the images in detail for a couple of minutes.

Another idea was that only those paintings that were not reported as stolen would be fakes, because if the real painting is not stolen, then the thieves are in possession of a fake. But: the one painting that was not on the list could simply not have been reported, or maybe it was reported but the police didn’t see the connection to this group of thieves. Or maybe the thieves were selling fakes of the stolen paintings, too, and maybe all of them were fakes. In short: that didn’t lead anywhere.

I mentioned that one of the paintings was not included in the list of stolen paintings. That painting was created by David Stein and I think it is called “Tribute to Marc Chagall”. David Stein was an art forger who copied the style of Marc Chagall. So in a way, this painting is fake by definition. Not just the image that was included in the Dropbox folder, but the real painting itself.

By thoroughly investigating the other paintings, similar stories are true for some of them. “La Bella Principessa” was thought to be created by an unknown German artist of the 19th century until a fingerprint was found on it. Then experts agreed it was actually created by Leonardo da Vinci. However, that attribution is now disputed. Some people also say it is a forgery to look like a da Vinci. “An Allegory” was believed to be by Sandro Botticelli, but has been revealed as a fake by now: https://www.theguardian.com/artanddesign/gallery/2010/apr/15/fakes-exhibition-national-gallery. And the “Portrait of Alexander Mornauer” was painted to look like it was created by Hans Holbein while that can’t actually be true.

Googling for any painting’s name and “fake” shows all that information about those four paintings, but no such story for the other four. Well, except for “Lady with an Ermine”, because that one seems to be a painting in an Animal Crossing game and can be a fake in that game. But the real painting doesn’t seem to be fake in any way.

Honestly, I’m still not entirely convinced this is the correct way to solve the questions, but the answers are correct and it’s the only way I found to correctly categorize those 8 paintings into reals and fakes. If this was not the intended way of solving it, I’m still glad I did it this way, as I learned a fair bit about art.

Answers:

  • Painting 1: Real
  • Painting 2: Real
  • Painting 3: Real
  • Painting 4: Real
  • Painting 5: Fake
  • Painting 6: Fake
  • Painting 7: Fake
  • Painting 8: Fake

I hope the police can make use of my information and prevent the next heist and maybe even catch the thieves in the process.

I like how real-world paintings and places are used in this CTF as I could learn a bit about art and art forgery while solving the challenges.

Looking forward to next month’s CTF!

If you want to read other people’s write-ups, check them out here: https://hacktoria.com/write-ups/