Briefing
Greetings, Special Agent.
It has come to our attention that one of our subsidiaries, crucial for reconnaissance operations, has fallen victim to a ransomware attack. This incident has disrupted our ongoing mission in the Riviera region. Although the impact on our overall operations is minimal, we require your expertise to investigate this breach and ensure the security of our digital infrastructure. Your mission, should you choose to accept it, is to conduct a thorough investigation into the ransomware attack.
You will need to identify the threat actor behind this attack, assess the extent of the damage, and determine how much sensitive data has been compromised. It is imperative that you trace the origin of the attack but also maintain Operational Security as you may become a target yourself. To aid in your investigation, you will be provided with minimal details regarding the cyber attack. Our Hacker Dimitri will be available to assist you as needed. Once you have gathered sufficient information and have a clear understanding of the situation, you are to provide a detailed report of your findings back to the Tiberian Order.
Time is of the essence in this matter, as we cannot afford any further disruptions to our operations. We have complete faith in your abilities to handle this situation with the utmost professionalism and discretion.
As always, Special Agent. The Contract is yours, if you choose to accept.
Materials
The words below are clues to the answer; all information is available in the public domain.
Monaco 2023
Ransomware
Answer Instruction
Answer format: company-name-threat-actor-data-amount-exfiltrated
GB at the end of the amount-exfiltrated not required
Flagfile
Be advised, the flagfile is an encrypted ZIP. Make sure your OS supports the ZIP format. Ensure the password contains no hidden characters or formatting; if the password doesn’t seem to work, paste it into Notepad first.
PS: Don’t forget to claim your Coins and XP by posting your card in the #card-brag channel in Discord.
Official Write-up
Provided here is the official write-up; it does contain the answer. Use this if you’re stuck, or want to verify if you got the answer correct.
⚠️ SPOILER: Official Write-up
Caged Princess
In this challenge, codenamed “Caged Princess,” you must investigate a ransomware attack on a subsidiary company involved in reconnaissance operations in the Riviera region. The mission requires identifying the threat actor, determining the extent of compromised data, and reporting findings back to SERPENT HQ.
Available Materials
- Location context (Riviera region, Monaco)
- Time period (2023)
- Reference to ransomware attack
- Connection to “Monaco Technologies”
Solution Path
Step 1: Investigation Parameters
Key elements to investigate:
- Monaco Technologies as the target
- 2023 timeframe
- Ransomware incidents in the region
- Public breach notifications
Step 2: Required Information
You need to identify:
- Company name: Monaco Technologies
- Threat actor: LockBit 3.0
- Data amount: 23.7 TB
Step 3: Answer Format
The answer must be formatted as:
company-name-threat-actor-data-amount-exfiltrated
Correct format:
monaco-technologies-lockbit3.0-23.7
Formatting Requirements
- All lowercase
- Hyphens between elements
- No spaces
- Exact spelling of “lockbit3.0”
- Precise data amount (23.7)
Research Approach
- Search cyber security incident databases
- Monitor ransomware tracking sites
- Review 2023 Monaco cyber incidents
- Cross-reference LockBit 3.0 activities
- Verify data exfiltration claims
Common Pitfalls to Avoid
- Wrong case (must be lowercase)
- Missing or extra hyphens
- Incorrect company name format
- Wrong spacing
- Misspelling “lockbit3.0”
- Wrong data amount format
OPSEC Guidelines
As mentioned in the briefing:
- Maintain operational security
- Use secure research methods
- Avoid direct threat actor contact
- Practice safe dark web access
- Keep research activities anonymous
Verification Steps
Confirm:
- Correct company name
- Proper threat actor identification
- Accurate data amount
- Proper formatting
- All hyphens in place
The “Caged Princess” name likely refers to the captured/encrypted state of the company’s data, emphasizing the importance of your investigation into this security breach.
Creator: Vance Poitier