The CaseVegas CTF created by Andrew fordred at cyberdefenders.org is OSINT themed and can be played here: https://cyberdefenders.org/blueteam-ctf-challenges/70 (Update 2024: https://web.archive.org/web/20230519170552/https://cyberdefenders.org/blueteam-ctf-challenges/70#nav-questions)
The CTF is built around a video with a file size of 1 GB that can be downloaded from the CTF page. Alongside it, a couple of images are provided.
Challenge Details
You are a detective, and you have been instructed to find a suspect who was employed in a major hotel chain and was responsible for the theft of US$ 3.5 million from his employers.
When you were given the instruction, you were busy with another investigation and immediately abandoned that to start this new investigation. You were also meant to be home hours ago to take your loved one to a nice restaurant for a well-deserved dinner and relaxation time.
During the investigation, your attempt to find the suspect was recorded in the included video. Analyze the video and other files and try to extract answers for some of the case questions.
Question #1
File->Vehicle-number.png:
At which minute of the video was the vehicle observed?
The first task is pretty straightforward: I just skipped through the video in VLC ([SHIFT + Arrow Keys] for small jumps), until I found the car with the license plate.
The plate is unreadable before minute 36, but the car is seen in minute 35 already.
Answer: 35
Question #2
File->Vehicle-number.png:
What is the zip code of the place where the vehicle was observed in the video.?
I tried checking the license plate by googling “license plate 266-LYK“, which led me to this page: https://findbyplate.com/US/NV/266LYK/ However, that only confirmed that the car is registered in Nevada in the United States, which is already evident from the signs seen in the video.
So I looked through the video for signs that seemed unique or rare, like “Elvis slept here” or this one:
So this video was clearly taken in Las Vegas, but since Las Vegas has multiple zip codes, I wanted to know where exactly the car was observed, so I looked for the nearest street sign.
Then I googled “las vegas e stewart ave 500“, which revealed the place to be at “Las Vegas, NV 89101, USA”.
Answer: 89101
Question #3
File->Chapel:
This chapel has a live webcam. What is the name of the chapel?
From the image I could read something that looked like “Elvis” and “wedding”, so I just googled for “Elvis wedding chapel“, and indeed, a chapel with that name exists in the area called either “Las Vegas Elvis Wedding Chapel” or “The Little Vegas Chapel”. I think there are two chapels in the same building or very close by…
But since the flag had the format of “E**** W****** Chapel”, only one of them is correct.
Answer: Elvis Wedding Chapel
Question #4
File->Chapel:
What strip hotel does the chapel have a view of?
Using Google Street View, a building called “STRAT” can be seen.
Googling “las vegas strat” told me this was the “Las Vegas Stratosphere”, a hotel and casino, which calls itself “The STRAT”.
Answer: The STRAT
Question #5
What date did the Mandalay Bay shooting take place?
This question seemed a bit odd to me because it was not about finding something from the video. However, googling the exact question reminded me that this was the 2017 shooting in Las Vegas. It took place on October 1, 2017 and was committed by Stephen Paddock, a 64-year-old man.
Answer: 01/10/2017
Question #6
On 30/09/2017 at 14:47, Stephen Paddock was seen on CCTV footage. Where was he?
I googled “Stephen Paddock CCTV“, which showed several videos of him walking through the hotel, but none I found showed the exact time and date. The closest I found was this video, where he enters an elevator at 14:48, one minute late: https://youtu.be/WpiDHq5atpg?t=3561 That means, at 14:47 he was either still in the hall, in his room, or maybe in another elevator. Judging from the flag format (“e*******”), he was probably in an elevator, so I just tried that.
Answer: elevator
Question #7
File->Vehicle.png:
This vehicle may be related to our investigation. What place did it go to?
The vehicle enters the scene at 29:55 in the video. At 30:56 it turns right.
Answer: Tux & Gown
Question #8
Find MGM financial report in the form of a PDF document (not website) which contains the words:
‘Consolidated net revenues increased 13% compared to the prior-year quarter to $3.2 billion’
Submit the URL as an answer.
Just googling “Consolidated net revenues increased 13% compared to the prior-year quarter to $3.2 billion” even without specifying the file type already presented a PDF as the top result.
Answer: http://q4live.s22.clientfiles.s3-website-us-east-1.amazonaws.com/513010314/files/doc_financials/quarterly/2019/q2/Q2-2019-ER-FINAL-(006).pdf
Question #9
File->Number:
What is the complete number?
The sign can be seen at 33:36, but still only “702 735” can be read.
But we can also see the street name and number: Bridger 500.
Googling “bridger e 500 las vegas” leads to the “500 E Bridger Ave”. Going to this exact location in Google Street View and switching to Apr. 2019 shows the complete sign. Link.
Answer: 702-735-5700
Question #10
File->Number:
Who is the number’s owner?
Googling “702-735-5700” leads to this website: https://www.chamberofcommerce.com/united-states/nevada/las-vegas/real-estate-agency/2003535578-colliers There it basically says the owner is “Colliers International”.
Answer: Colliers International
Question #11
What is New York-New York?
Since everything so far was centered around Las Vegas, I just assumed this was something in Las Vegas, too, and googled “new york-new york las vegas” which showed the “New York-New York Hotel & Casino”.
Answer: Hotel & Casino
Question #12
In 2018, a famous hacking conference was held in Las Vegas. Who was the keynote speaker?
Even without knowing about the DEFCON, just googling “2018 Las Vegas keynote speaker” shows just that and also shows the speaker.
Answer: Parisa Tabriz
Question #13
File->Devil.png:
What does this belong to? The Devil is in the detail. Provide the tower name.
Those blue lights can be seen at 34:34.
Some seconds later, a sign can be seen on the building.
Going to ogdenlv.com reveals this building is called “The Ogden”.
Answer: The Ogden
Question #14
At which minute of the video was The Deuce (Las vegas bus) observed?
The first thing I did was to google “The Deuce (Las vegas bus)” to see what it looks like.
I think the bus was seen earlier in the video already, but it can definitely be seen at 34:45.
Answer: 34
Question #15
File->Location:
What does this belong to?
This looked tough at first, but it seemed familiar. Scrolling up a bit, you can see we already saw this building. The flag format also gave it away a bit: “T** S**** H****, C****** & S*****”
Answer: The STRAT Hotel, Casino & SkyPod
Question #16
The sign at 36.131749, -115.164647 is advertising what show?
Naturally, the first thing I did was to enter the coordinates in Google Maps and going into Street View. However, even after looking around quite a bit in space and time, I couldn’t find a sign that matched the flag format: “T** A********* B** G*** S***”
So instead, I just looked through the video once more and searched for a sign that matched the flag format. At 21:34 I found a promising advertisement.
Answer: The Australian Bee Gees Show
Question #17
Files->Person-2:
At which minute of the video did you see this person?
This was pretty straightforward again: I just looked through the video until I saw the person. They can be seen at 11:03 on the right.
Answer: 11
Question #18
Facebook ID 250240925003365 is linked to a criminal group. What are they called?
Going to https://www.facebook.com/250240925003365/ redirects to https://www.facebook.com/themobmuseum/.
Answer: The Mob Museum
That concludes this CTF. I liked the idea of focusing an investigation around one video. However, most of the questions didn’t really seem to be connected to each other and the difficulty was pretty low.