
"Hit! You've Sunk My T-90M!" - How I Solved this Week's OSINT Challenge

A communication from the boss owl man tells us to follow the clues to the final answer, but an enigmatic IP address is all we get to start off this week's challenge: 70.34.254.130

 

Part One - IPs for PIs


An Internet Protocol (IP) address identifies a network interface and tells routers where to deliver packets for it; which system holds a given address can change over time. See: https://en.wikipedia.org/wiki/IP_address.


What can we do with an IP address? It turns out a lot, so the path forward from just having an IP address isn't completely clear, and many people tried approaching this part of the challenge in many different ways.

Perhaps the most immediate path forward is to see what name the IP maps back to. A reverse DNS lookup asks your resolver for the PTR record under in-addr.arpa (it does not tell you whether the host is reachable; that comes later). You can do this with the 'nslookup' command:


nslookup 70.34.254.130
130.254.34.70.in-addr.arpa      name = shorturl.atFOWARDSLASHtCMS2.

If you're wondering what some other people were talking about with regard to The Constant Company (constant.com), that's the organization that operates the autonomous system (AS) announcing the prefix which contains the IP address: https://en.wikipedia.org/wiki/Autonomous_system_(Internet).


This IP, 70.34.254.130, is announced by AS20473 (prefix 70.34.240.0/20), which is described as AS-CHOOPA - The Constant Company, LLC, US. You can see this in the asn object returned by a service like https://ipinfo.io. That site includes a lot of other useful information, such as rough geolocation for where that particular IP is hosted, and whether it is a known VPN, proxy, Tor relay, or hosting provider.


In this case, it is a hosting provider, which means the company that owns the address space rents servers (and the addresses attached to them) to other parties. Whoever is behind this IP is therefore most likely a customer of The Constant Company, not the company itself, so the ASN alone doesn't attribute anything.


There is also a domain, golink.gq, whose A record currently points at this IP address as well.


$ dig golink.gq

; <<>> DiG 9.16.15-Debian <<>> golink.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22670
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;golink.gq.                     IN      A

;; ANSWER SECTION:
golink.gq.              300     IN      A       70.34.254.130

The domain doesn't seem to have any interesting DNS records. Many online whois services don't cover it, since .gq is the country-code top-level domain (ccTLD) for Equatorial Guinea, so you have to query the registry's own whois server, whois.dominio.gq, to get more information. All of the information is generic for a registration administered by Getesa, a small network services company in Equatorial Guinea, and managed by Equatorial Guinea Domains BV. Since there's no particularly unusual registration information or special DNS record associated with that domain, let's move on.


Performing DNS queries and querying a search engine is known as 'passive reconnaissance': nothing is sent directly to the target's systems, so the target generally cannot detect it. One caveat: a DNS query for a domain can reach that domain's authoritative nameservers, so if the target runs its own DNS it may see your resolver's address in its logs. Resolving the name through a third-party resolver or a passive DNS database keeps this step fully passive.


Another common thing to do is a quick port scan to see what services, if any, are listening. This is where we transition to 'active reconnaissance', since now we are directly interacting with the remote systems. Some care should be taken at this stage to ensure that you don't inadvertently expose your own information to the target (e.g. your source IP address) or otherwise tip your hand (e.g. search queries on the target's own site), and of course, don't engage in anything illegal:


Nmap scan report for shorturl.atFOWARDSLASHtCMS2 (70.34.254.130)
Host is up (0.10s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

Well, we can see the server isn't listening on any of the well-known web ports (keep in mind that a default nmap scan only covers the 1,000 most common TCP ports, so a service on an unusual port, or on UDP, could still be missed), so we don't have a fun website to explore, but it is running an SSH server. Let's leave that alone for now unless we are given a username to connect with later in the challenge.


At a glance, the most interesting thing we've found so far is the hostname the IP's reverse record points to - shorturl.atFORWARDSLASHtCMS2. Treating the text 'FORWARDSLASH' as a literal forward slash, we get shorturl.at/tCMS2 - and the next step of the puzzle.

 

Part Two - The Dead Drop[box]


Using checkshorturl.com (expanding the link through a third-party service rather than following it yourself keeps this step passive), we see the shortened URL expands to: https://www.dropbox.com/scl/fo/37862vryeiop8f3rmwflc/h?dl=0&rlkey=fmixypqy0bycr6kr6zzix7igd


The page title is particularly interesting, it says: Dropbox - VigSays


Connecting to Dropbox and downloading the file gives us: PmlkpDvee_QimvsakxcGmrrGmyvbsrydiq.mp4


At this point, curiosity got the better of me, and I immediately watched the video. My pulse quickens as the music starts playing. Tanks rolling near a field, a countdown from 3, smoke, and at least two people running from the burning tank to what appears to be another vehicle. Some Cyrillic text, and a Cyrillic watermark near the end. Awesome music. Riveting.


There are a few things that you can do with MP4 files. The first that comes to mind is examining the metadata. A utility like ExifTool is good for this. Keep in mind that these fields are written by whatever tool last encoded or muxed the file, so they date the edit rather than the original footage, and they can be set to anything. Here's a short snippet of the kind of information you'll see:


Track Modify Date               : 2023:01:18 18:44:57
Track ID                        : 2
Track Duration                  : 0:00:42
Track Layer                     : 0
Track Volume                    : 100.00%
Matrix Structure                : 1 0 0 0 1 0 0 0 1
Media Header Version            : 0
Media Create Date               : 2023:01:18 18:44:57
Media Modify Date               : 2023:01:18 18:44:57
Media Time Scale                : 48000
Media Duration                  : 0:00:42
Media Language Code             : und
Handler Type                    : Audio Track
Handler Description             : SoundHandler
Balance                         : 0
Audio Format                    : mp4a
Audio Channels                  : 2
Audio Bits Per Sample           : 16
Audio Sample Rate               : 48000
Handler Type                    : Metadata
Date Acquired                   : 2023:01:18 18:43:30
Image Size                      : 1920x1080
Megapixels                      : 2.1
Avg Bitrate                     : 7.25 Mbps

It appears that the file was created just a few days ago, which is a strong hint that this is a recent event. Perhaps we can even find a source video. A few Google searches later, and sure enough, we find reports that an expensive Russian T-90M was destroyed by a comparatively cheap AT4 anti-tank weapon, and there's a [longer] YouTube video with the same date: https://www.youtube.com/watch?v=z87FBjbPGy4


The Cyrillic watermark near the end shows up in both videos, so it isn't likely related to the challenge, but I didn't see the Cyrillic text with the arrow in the YouTube video. That could be relevant, as it could indicate that the text and/or image was inserted as part of the challenge. With my attention now focused on the Cyrillic, I eventually notice that @yvmqznrm posted "WE DON'T ABANDON OUR OWN" in the Discord chat. He verifies that the Cyrillic in the video looks like СВОИХ НЕ БРОСАЕМ, which has that translation. Unfortunately, that's a relatively common saying and is far too generic to do anything with at this point with respect to the challenge. It appears that the text was probably just an artifact from wherever the original video was copied from.


Interestingly, it sounds like the edit was part of Russian propaganda, since the text is overlaid on the soldiers running away from the destroyed tank. My suspicions that the channel administrators are secretly Russian agents are heightened. Nevertheless, my mind quickly races back to the challenge.


Changing the colors and brightness in the video and watching at reduced speed don't reveal any hidden text or images. There could also be data hidden in the MP4 container itself. The bitrate is consistent with the file size, but note that ExifTool's Avg Bitrate is a composite value it computes from the file size and duration, so the two agreeing is expected and proves little. A better check is to walk the MP4 box structure and confirm that the boxes account for the whole file, with no trailing or unreferenced data.
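To show where ExifTool's dates come from (the metadata discussion above) and how to check the container for trailing data (the "hidden data" question just raised), here is an added example that is not part of the original write-up: a minimal ISO BMFF (MP4) box walker. It builds a small sample MP4 in memory (constructed here, not the challenge video) whose mvhd carries the 2023:01:18 18:44:57 timestamp from the ExifTool output, then parses it back out and reports how many bytes sit after the last well-formed top-level box.

```python
"""Minimal ISO BMFF (MP4) box walker: recovers the creation/modification
timestamps that ExifTool reports and checks that the box structure accounts
for the whole file.  Added example, not from the original write-up; the sample
file below is constructed in-memory and is not the challenge video."""
import struct
from datetime import datetime, timedelta, timezone

# MP4 timestamps count seconds from 1904-01-01 00:00:00 UTC, not the Unix epoch.
MP4_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
# Boxes whose payload is just more boxes.
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"udta"}


def mp4_time(seconds):
    return MP4_EPOCH + timedelta(seconds=seconds)


def walk_boxes(data, start=0, end=None, depth=0):
    """Yield (depth, type, payload_start, payload_end) for each box, handling
    32-bit sizes, 64-bit 'largesize' (size == 1) and size == 0 (runs to end).
    A size that does not fit inside the parent raises ValueError."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > end:
                raise ValueError("truncated largesize header at %d" % pos)
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("bad box size %d for %r at %d" % (size, btype, pos))
        yield depth, btype, pos + header, pos + size
        if btype in CONTAINER_BOXES:
            yield from walk_boxes(data, pos + header, pos + size, depth + 1)
        pos += size


def parse_timed_header(payload):
    """Parse the shared prefix of mvhd/mdhd: version, creation time,
    modification time, timescale, duration.  Version 1 uses 64-bit fields."""
    version = payload[0]
    if version == 1:
        ctime, mtime, timescale, duration = struct.unpack(">QQIQ", payload[4:32])
    else:
        ctime, mtime, timescale, duration = struct.unpack(">IIII", payload[4:20])
    return {"created": mp4_time(ctime), "modified": mp4_time(mtime),
            "duration_s": duration / timescale if timescale else None}


def inspect_mp4(data):
    """Return movie/media header timestamps plus a container integrity summary."""
    info = {"movie": None, "media": [], "top_level": []}
    covered = 0  # end offset of the last well-formed top-level box
    try:
        for depth, btype, p_start, p_end in walk_boxes(data):
            if depth == 0:
                info["top_level"].append(btype.decode("latin-1"))
                covered = p_end
            if btype == b"mvhd":
                info["movie"] = parse_timed_header(data[p_start:p_end])
            elif btype == b"mdhd":
                info["media"].append(parse_timed_header(data[p_start:p_end]))
    except ValueError as exc:
        info["parse_error"] = str(exc)
    # Bytes after the last valid top-level box are not referenced by the
    # container at all: a classic place for an appended payload.
    info["trailing_bytes"] = len(data) - covered
    return info


def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def build_sample(created, trailing=b""):
    """Constructed sample: ftyp + moov(mvhd) + mdat, optionally followed by
    extra bytes after the last box.  Not a real recording."""
    secs = int((created - MP4_EPOCH).total_seconds())
    mvhd = struct.pack(">B3x", 0)                                   # version 0, flags
    mvhd += struct.pack(">IIII", secs, secs, 48000, 42 * 48000)     # times, timescale, 42 s
    mvhd += struct.pack(">IH2x8x", 0x00010000, 0x0100)              # rate 1.0, volume 1.0
    mvhd += struct.pack(">9I", 0x10000, 0, 0, 0, 0x10000, 0, 0, 0, 0x40000000)  # unity matrix
    mvhd += struct.pack(">6I", 0, 0, 0, 0, 0, 0)                    # pre_defined
    mvhd += struct.pack(">I", 2)                                    # next_track_ID
    ftyp = box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom")
    moov = box(b"moov", box(b"mvhd", mvhd))
    mdat = box(b"mdat", b"\x00" * 64)  # stand-in for the encoded samples
    return ftyp + moov + mdat + trailing


def demo(trailing=b""):
    """Build the sample with the date ExifTool showed and inspect it."""
    created = datetime(2023, 1, 18, 18, 44, 57, tzinfo=timezone.utc)
    return inspect_mp4(build_sample(created, trailing))


if __name__ == "__main__":
    print(demo())
    print(demo(b"hidden payload"))
```

Run against a real file with inspect_mp4(open(path, "rb").read()). A non-zero trailing_bytes (or a parse_error partway through) is what actually points at appended data; a bitrate that matches the file size does not.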


The only really suspicious thing that I've noticed is the file name itself, PmlkpDvee_QimvsakxcGmrrGmyvbsrydiq.


Taken along with the Dropbox page title, VigSays, I make a connection to the Vigenère cipher: 'Vig' is sometimes used in classical cipher circles as shorthand for Vigenère. But first, just because it's faster, I check the common Caesar shifts with https://www.dcode.fr/caesar-cipher and look for any simple substitution with quipqiup: http://quipqiup.com/. Those are useful tools to keep handy when working on CTFs in general.


None of the sections look like well-known IDs for social media sites, with the exception of the ending Gmyvbsrydiq, which at 11 characters is the same length as a YouTube video ID. However, it contains no digits, which is unusual for a YouTube ID. I try it anyway just to rule it out. No luck. Nothing obvious jumps out, so it's on to Vigenère, in line with the hint.


Using the key 'Says' or 'VigSays' produces incomprehensible text. Another cipher? Again no apparent luck with caesar shifts or simple substitutions. As anyone who's worked with ciphers knows, sometimes you just have to spend some time banging your head against a wall before a solution reveals itself.


In this case, the text we have is relatively short, only 33 letters (not counting the underscore). Generally, the American Cryptogram Association (ACA) recommends that a Vigenère puzzle's text be 10-15 times the key length, to help ensure it can be unambiguously decrypted with pen-and-paper cryptanalysis. With 33 letters, that means the key would have to be pretty short (two or three letters) to have any luck decrypting it reliably. (In real life, using puzzle-setting guidelines to rule out longer keys wouldn't make much sense, but it turns out to be pretty useful for CTFs.) Let's look for a key of length 3, so write out the ciphertext in sets of 3:


PML
KPD
VEE
QIM
VSA
KXC
GMR
RGM
YVB
SRY
DIQ

Not many repeats: only 'V' appears twice in the first position. Assuming it stands for the most common English letter, E (about 12% of English text), we can use a site like https://gchq.github.io/CyberChef/ to quickly test different keys. If the plaintext is E, then decrypting that V with key letter E gives the key letter for that position, since the key letter is ciphertext minus plaintext. In this case, that gives an 'R'. Trying 'R' as the key in the first position, the message would start with a 'Y'. More interestingly, the third letter with the same key letter would be a 'U'. Could it be 'YOU'? The key would then have to be 'RYR', which doesn't look like a word, and trying it gives nonsense after 'YOU', so no luck. Worse, I notice that 'R' in the first position produces a 'Z' in the fourth set... that pretty much rules it out.


Hopefully, this illustrates some of the trial and error involved, especially if you're not using an automated solver, so that you get an idea about what to look for and what might make good heuristics. Eventually, after some trial and error, I guess the key. To my astonishment, it is simpler than I was making it out to be - the key is simply 'key'.


This gives FinalFlag_GeolocateWithCoordinates.
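The column-by-column guessing above can be automated: for an assumed key length, split the letters into columns, score all 26 shifts of each column by how English-like the resulting letters are, and take the best shift per column as that key letter. This added example (not the write-up's own code) does exactly that, plus a plain Vigenère decrypt that treats the underscore the way the puzzle does (passed through, not consuming a key position). The frequency table is the standard English letter-frequency list; everything else is derived from the file name on the page.

```python
"""Vigenere helpers for the file-name puzzle: decrypt with a known key, and
recover a key of an assumed length by per-column English letter-frequency
scoring (an automated version of the 'write it out in sets of 3' trial).
Added example; not the write-up's own code."""
import math
import string

ALPHABET = string.ascii_uppercase
# Relative frequency (%) of letters in English text, A..Z (standard table).
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]
LOG_FREQ = [math.log(f) for f in ENGLISH_FREQ]

# The Dropbox file name from the challenge, minus its .mp4 extension.
CIPHERTEXT = "PmlkpDvee_QimvsakxcGmrrGmyvbsrydiq"


def vigenere(text, key, decrypt=True):
    """Shift each letter by the matching key letter.  Non-letters pass
    through unchanged and do not consume a key position (this is how the
    underscore in the file name behaves); case is preserved."""
    key = [k for k in key.upper() if k.isalpha()]
    out, ki = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHABET.index(key[ki % len(key)])
        base = ord("A") if ch.isupper() else ord("a")
        n = ord(ch) - base
        n = (n - shift) % 26 if decrypt else (n + shift) % 26
        out.append(chr(base + n))
        ki += 1
    return "".join(out)


def letters_only(text):
    return [c for c in text.upper() if c.isalpha()]


def columns(letters, key_len):
    """Split the letter stream into key_len columns (the 'sets of 3' above:
    column i holds every letter encrypted with key letter i)."""
    return [letters[i::key_len] for i in range(key_len)]


def best_shift(column):
    """Try all 26 Caesar shifts of one column and score each by the
    log-likelihood of the decrypted letters under English frequencies.
    Returns (shift, score); the shift is the key letter's index."""
    best = None
    for shift in range(26):
        score = sum(LOG_FREQ[(ALPHABET.index(c) - shift) % 26] for c in column)
        if best is None or score > best[1]:
            best = (shift, score)
    return best


def recover_key(ciphertext, key_len):
    """Guess a key of the given length, one column at a time."""
    cols = columns(letters_only(ciphertext), key_len)
    return "".join(ALPHABET[best_shift(col)[0]] for col in cols)


if __name__ == "__main__":
    # Key length is an input, as on the page; with only 33 letters the usual
    # length estimators are unreliable, so just try the short ones and look.
    for n in range(1, 6):
        key = recover_key(CIPHERTEXT, n)
        print(n, key, vigenere(CIPHERTEXT, key))
```

For key length 3 the per-column scores pick K, E and Y, and vigenere(CIPHERTEXT, "key") returns FinalFlag_GeolocateWithCoordinates. With text this short the per-column margins are small (the first column's runner-up is only about one log unit behind), so treat the recovered key as a candidate to read, not a proof.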

 

Part Three - No Steeples in Sight


I look in the video for anything that might be able to be used to help geolocate the area. Unfortunately, there are no unique buildings with strange steeples this time around. Perhaps this wasn't intended, but armed with the knowledge of this being a recent event and some useful context about what happened from the previous stages - a Russian T-90M tank being destroyed by an AT4 in Ukraine - I begin to search for clues to geolocate the event depicted.


Limiting search results to the last month is helpful in this part of the hunt, since there are several posts about other tanks being destroyed, and a lot of chatter about Luhansk Oblast in particular. (Allegedly, multiple people recently posted that the building in Rubizhne at these coordinates is storing some Russian tanks; while I cannot confirm it, it was interesting enough to share: 48°59'06.5"N 38°25'10.2"E.)


After ruling out a couple of locations that seemed to talk about the incident but didn't seem likely, eventually I come across this video which identifies the incident as being near Novoselivske: https://www.youtube.com/watch?v=CudsIRtt4bk.


Novoselivske is a very small town, and the surroundings look very similar. I quickly send Overt Operator the coordinates of Novoselivske, after sanitizing them to be relatively generic, but he says I have to be more specific.


Dang, he's on to me.


After searching maps of Novoselivske for a few minutes, I find a field that seems very likely and send more specific coordinates - 49°31'34.0"N 37°57'56.8"E. I imagine the response as I receive the confirmation:


"Hit! You've just sunk my T-90M!".

 

Epilogue: I realize now that, had I watched the second YouTube video to the end, it shows the location pinpointed as well. Just a friendly reminder for my future self to fully explore any relevant material.
