How did you fare in our recent meme-themed Capture-the-Flag challenge? In this blog, we’ll walk through some of the approaches you might take to find those flags – as always, there are usually several different ways to solve each challenge, so if you’ve done things differently, we’d love to hear about it on our socials (LinkedIn, X, Bluesky)!

Challenge One – Cave Dweller

Who is the outlier who should not have been counted?

Flag is two words, lowercase. Watch your spelling!

The key to this one is the wording of the question. We don’t have much information to go on, but the phrasing of this question is a little unusual – worth a Google, perhaps? Either an exact phrase or broad keyword search should retrieve the answer: Spiders Georg.

Challenge Two – Early Bird Gets the Spider

When was the original Spiders Georg meme first posted? To make sure we’re all on the same page, convert to Epoch time (assume the post was made at 00 seconds).

Flag is a ten-digit Epoch timestamp.

This is a follow-on from our first challenge, ‘Cave Dweller’. First, we need to find the original ‘Spiders Georg’ post. This isn’t too difficult, although using the site: operator to target Tumblr will help weed out irrelevant results.

If we click through, we can see the original post, made by user ‘reallyreallyreallytrying’ back in 2013. Tumblr shows post timestamps when you select the three dots on the top right. All we need to do is convert this into Epoch time, right? Well, not quite.

For OSINT practitioners collecting from social media, timestamps can be a valuable indicator of location and pattern of life, as well as revealing potentially inauthentic activity. However, we need to understand whether the timestamps we can see in our browsers reflect our local time, or a consistent time (i.e. UTC). An easy way to check this is to update your device’s system time (has the timestamp changed?). You can also jump into the page’s source code to see if a time zone is listed.

Tumblr timestamps are based on the user’s system time, so we need to be a little careful when converting to Epoch. There are a range of online time converters available, but Epoch Converter is probably the simplest choice. We just need to make sure we select ‘local time’ when converting our Tumblr timestamp, as per the screenshot below. Our flag is: 1357677960
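Why the local-versus-UTC question matters for this conversion, as an added example that is not part of the original walkthrough: it renders the flag value under three constructed viewer offsets and shows the error introduced when a local reading is converted as if it were UTC. The display format and the offsets are assumptions.

```python
from datetime import datetime, timedelta, timezone

FLAG_EPOCH = 1357677960  # the flag value given on this page
FMT = "%Y-%m-%d %H:%M"   # assumed display format, seconds taken as :00


def epoch_from_display(shown, utc_offset_hours):
    """Epoch seconds for a wall-clock string displayed at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime.strptime(shown, FMT).replace(tzinfo=tz).timestamp())


def display_from_epoch(epoch, utc_offset_hours):
    """Wall-clock string a browser at the given UTC offset would render."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime(FMT)


def ambiguity_window(shown):
    """(earliest, latest) epoch a display string can mean if the offset is unknown.

    Real-world offsets run from UTC-12 to UTC+14, so the spread is 26 hours.
    """
    return epoch_from_display(shown, 14), epoch_from_display(shown, -12)


if __name__ == "__main__":
    # One instant, three analysts: each browser shows a different wall clock.
    for offset in (0, 11, -5):  # constructed viewer offsets
        print(f"UTC{offset:+d}: {display_from_epoch(FLAG_EPOCH, offset)}")

    # Converting one analyst's local reading as if it were UTC gives a wrong epoch.
    local_reading = display_from_epoch(FLAG_EPOCH, 11)
    print("treated as UTC   :", epoch_from_display(local_reading, 0))
    print("treated as UTC+11:", epoch_from_display(local_reading, 11))

    low, high = ambiguity_window(local_reading)
    print("uncertainty without a recorded offset:", (high - low) // 3600, "hours")
```

When collecting a timestamp from a page that renders in local time, record the offset of the collecting machine alongside it so the reading can be normalised later.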

Challenge Three – Internet Legend

What is the name of this man’s cat?

Flag is one word, lowercase.

Not sure who you’re looking at? A quick reverse image search should reveal the ‘name’ of the meme character (‘Hide the Pain Harold’). Harold’s Wikipedia article has a section on the subject’s personal life and includes the name of his cat: Grecko. 

Challenge Four – Who Let the Doge Out?

Memes have spawned multiple cryptocurrencies – Dogecoin is, perhaps, the most well-known. But it’s had a tumultuous ride in the markets. Can you tell me whether the value of Dogecoin went up or down on 10 July 2024?

Careful, you only get one chance with this one.

Flag is one word (‘up’ or ‘down’), lowercase, no punctuation.

So, did Dogecoin go up or down on 10 July 2024? To make sure you’ve got the correct answer for this one (and you only had one chance), you need to find a tool (preferably multiple tools, for validation purposes) that shows historic cryptocurrency market value. Coin Market Cap shows past market value, but the interface is a bit annoying to use. 

Searching a phrase like ‘Dogecoin market value history’ should retrieve a collection of useful sites that you can use to compare and confirm. A particularly handy one is Investing.com, which has excellent filters for retrieving historical data. If we select the correct date, we find our flag – on 10th July 2024, Dogecoin market value went up.

Challenge Five – Sniffer Doge

Speaking of Dogecoin, investigate the following transaction:

7868e2d0873058d1e6d8498c4086f78f0e4752fdfc9c9a3961f79fd1a8d8d61e

Which Reddit user publicly claimed ownership of one of the output addresses associated with this transaction?

Flag is a Reddit username, lowercase, e.g. reddituser19

To solve this challenge, we need to conduct a lookup of the given Dogecoin transaction. There are a range of cryptocurrency tools out there, so you might have used something different, but Blockchair is a solid choice for searching across multiple currencies. If we look up the transaction hash in Blockchair, we can see two output addresses:

Searching directly for these output addresses in Reddit may not have yielded any results – this is often the case when posts have been deleted. But a general Google search (currently, Google is the only search engine which reliably indexes Reddit content) reveals two results:

Clicking through, we can see a comment made nine years ago, in response to the user ‘dogetipbot’, containing the second output address from the transaction. The address is associated with Reddit account: rageak49

Challenge Six – Ye Olde May-May

Sometimes touted as the ‘oldest’ meme because of its resemblance to modern internet memes, this cartoon appeared in a magazine in 1921. A copy of the issue can be viewed online. What is the University Library barcode number?

Flag is a 14-digit number, no spaces.

There are plenty of news articles online about this meme – whether it’s really the ‘oldest’ meme is probably up for debate, but it certainly bears a resemblance to modern memes.

Google should lead you to various online mentions of this meme – it has been shared across social media pages as well as news sites. A BBC article (along with others) includes a direct link to the magazine in which the cartoon first appeared:

This leads us to a digitised copy of the magazine. Scroll up, and we’ll find the University of Iowa library code. Our flag is: 31858046260596

Challenge Seven – Just Deserts

What email address was associated with this website registration in 2016?

Flag is an email address, lowercase, e.g. [email protected]

The first step is to parse the QR code – you could use your phone’s camera, or one of many QR code readers available online (QR Scanner or Cyberchef, for example) to read the address. The less cautious amongst you might have found yourself Rickrolled – it’s the meme that keeps on giving! The domain we’re investigating is, of course, rickrolled.com.

WHOIS registrations (sometimes) provide information about the organisation or individual responsible for registering a domain name. Though availability of data has been impacted by privacy services and regulations in recent years, historical WHOIS information can reveal past owners and associations. You’ll find a list of WHOIS look-up tools in our OSINT Bookmark Stack, though most of these don’t retrieve historical data. The hero of the hour, though, is Whoxy – this is probably the best free, no registration required tool available for retrieving old WHOIS data. When you conduct a lookup of a domain, you should see the WHOIS History link on the right-hand side of the page.

Click into the records to scan the registration details. The record from 2016 shows the registrant’s email address: [email protected]

Challenge Eight – Call Me Sometime

The email address [email protected] registered six domains, one of which provided anonymous calling services. It also provided a special number for pranking purposes… What was the number?

Flag is an 11-digit number, no spaces or punctuation.

Whoxy shows six other domains linked to the Yahoo address from the previous challenge. Reviewing them for a connection to anonymous calling services, one stands out as a likely candidate – callvibe.com.

While this site is technically still available (though not secure), it looks to have changed hands over the years, so the current version won’t reveal what we’re after.

This is where the Internet Archive’s Wayback Machine is valuable. It allows us to view older versions of websites and recover content that has since changed or disappeared. A search for archived captures of callvibe.com reveals multiple snapshots, with most of them from 2008.

If we navigate into the early captures, we can see some of the services on offer, including free voice mail and conference calling (they were simpler times!). There’s also a ‘directory’ link in most captures – clicking on this will reveal a dedicated Rickrolling number: 19856552550

Challenge Nine – Church Bells

The building in this image is across the road from a classic meme location. What is the character in this meme commonly referred to as?

Flag is two words, lowercase.

To solve this challenge, we need to identify the location shown in the image. Key clues include the brick church building, street signage (including language), tree lined streets, and vehicles. Using these features in a reverse image search or geolocation workflow (we’ve covered this in other blogs, including A Geolocation Walkthrough) should lead to the town of Mebane, North Carolina.

Once the location is uncovered, search for terms such as ‘Mebane meme’ or ‘famous meme Mebane NC’. This quickly leads to the classic ‘Disaster Girl’ meme, which was photographed directly across the road from the church shown in the challenge image.

Challenge Ten – Happy Snap

What kind of camera was used to take the ‘Disaster Girl’ picture?

Flag is a camera model, lowercase, e.g. canon eos r100

This follow-on challenge from ‘Church Bells’ requires a bit more digging. Searches relating to ‘Disaster Girl’ will reveal that the image was taken by the subject’s father, who maintained a family blog called ‘Traveling Roths’ at travelingroths.com. We couldn’t get the existing site to load, so this is another challenge for the Wayback Machine. Luckily, there are plenty of captures, going back to 2007.

Browsing archived versions of the blog reveals a tag – ‘firestarter’ – which was used for posts about the famous photograph. In one of these posts (from 2008), the photographer tells the story of how the image came to be taken and mentions the camera model – a Minolta Dimage 7Hi.

Challenge Eleven – Intrepid Explorer

Memes on the high seas? It’s more likely than you’d think! I have a vessel number, but it’s missing a digit at the end – can you find out the vessel name? 23545678

Flag is the name of the vessel, two words, lowercase, e.g. sea shanty

Google searching probably won’t yield the correct result (although cycling through all possible numbers can get you there eventually). This is where topic-specific vessel searching websites come in handy – you’ll find a selection of them in our OSINT Bookmark Stack. Marine Traffic is the standout option, as it allows partial MMSI searches. Searching for the given number should retrieve one result – the legendary research vessel Boaty McBoatface.

Challenge Twelve – Cinematic

A lot of the most recognisable memes originate from films. The attached screenshot is from a film that gave rise to a well-known reaction gif. What is the name of the film?

Flag is the film’s name, two words, lowercase.

There are probably lots of different methods out there for solving this challenge, but let’s take the image provided as our key clue. A snowy landscape with a lone buck doesn’t give us much to go on, but reverse image searching might help. Google’s AI overview was patchy on this one – initially, it didn’t provide much information, beyond a description of the image. After our CTF went public, though, it quickly cottoned on to the film name (making this challenge a bit easier!). However, AI wasn’t the only option here. A visual match from reverse image search sends us to a clip hosting website.

At the top of the clip, we can see the name of the film, Jeremiah Johnson.

If you managed that one, then you deserve this gif:

Challenge Thirteen – A Bit Forgetful

The TikTok account @oldmemes appears to have forgotten to post any memes… That’s a shame. While we wait, though, what is the account’s user ID?

Flag is a 19-digit TikTok user ID.

Collecting unique identifiers associated with social media accounts is a key skill when it comes to social media investigations. If a user changes their account name, or a URL is updated, we can (often) find our way back using their unique identifier. TikTok, like Facebook, can retrieve profiles based on a user ID. But how do we find it?

The process has changed a few times over the years, and it’s likely to change again – that’s why building familiarity with a page’s source code and browser developer tools is a key skill for OSINT practitioners. The current process is:

  1. Browse to user profile
  2. Right-click and select ‘Inspect’ to open developer tools
  3. Navigate to the ‘Network’ tab and refresh the page
  4. Select the username result (right up the top!) and open ‘Response’
  5. Ctrl + F for ‘userinfo’
  6. Retrieve user ID, larger profile image, and account statistics

The identifier is: 7325777265152345121
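One way to script steps 4 to 6 once the response body has been saved, as an added example rather than anything from the original post: it searches every JSON script block for a ‘userInfo’ object at any depth, so it keeps working when the surrounding layout moves. The sample response, its script id, nesting and field names are constructed assumptions, not a capture of the live page.

```python
import json
import re

# Constructed profile-page response. The script id, the nesting and the field
# names are assumptions for illustration; the live layout changes over time.
SAMPLE_RESPONSE = """<html><head><title>@oldmemes</title></head><body>
<script type="application/json" id="page-data">
{"scope": {"user-detail": {"userInfo": {
  "user": {"id": "7325777265152345121", "uniqueId": "oldmemes",
           "avatarLarger": "https://example.invalid/avatar_1080.jpg"},
  "stats": {"followerCount": 12, "videoCount": 0}}}}}
</script></body></html>"""

JSON_SCRIPT = re.compile(
    r'<script[^>]*type="application/json"[^>]*>(.*?)</script>', re.S | re.I)


def find_key(node, wanted):
    """Yield every value stored under `wanted` (case-insensitive), at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == wanted.lower():
                yield value
            yield from find_key(value, wanted)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, wanted)


def extract_profile(response_body):
    """Return ID, handle, avatar and statistics from the first userInfo object."""
    for block in JSON_SCRIPT.findall(response_body):
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            continue  # not every JSON-typed script parses; keep looking
        for info in find_key(data, "userinfo"):
            if not isinstance(info, dict):
                continue
            user = info.get("user", {})
            uid = user.get("id")
            return {
                # Keep the ID as text: 19-digit values exceed 2**53 and get
                # rounded by tools that read JSON numbers as floats.
                "user_id": None if uid is None else str(uid),
                "handle": user.get("uniqueId"),
                "avatar": user.get("avatarLarger"),
                "stats": info.get("stats", {}),
            }
    return None


if __name__ == "__main__":
    print(extract_profile(SAMPLE_RESPONSE))
```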

Challenge Fourteen – Life’s a Game

The ‘Dancing Baby’ was one of the first viral videos, becoming an internet phenomenon back in 1996. In which Melbourne video game arcade could you win a vintage ‘Dancing Baby’ doll? It’s displayed on the prize wall…

Flag is the second word of the arcade name, five letters, lowercase.

Keyword searching for relevant terms retrieves a list of possible arcades in Melbourne with vintage prizes. Our answer is on the first page of Google’s results, so it’s entirely possible to find the flag without any other techniques.

However, to speed things up a little (and to save ourselves browsing through several different arcade websites searching for clues), we could check our image for any location data. EXIF data can sometimes reveal coordinates. One of our favourite online EXIF viewers is Jimpl as it provides easy-to-copy coordinates and a Google maps preview.

Note: It’s important to verify coordinates when relying on EXIF data in investigations, as location data can be inaccurate or spoofed.

In this case, the EXIF data doesn’t show us the exact location – instead, it suggests that the photograph was taken in a pancake restaurant – but it narrows down our area of interest to a shopping centre, Melbourne Central.

Sure enough, there is a gaming arcade located in the centre – B. Lucky & Sons. Our flag for this challenge is the second word of the arcade name: lucky
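The verification step the note above calls for, as an added example that is not from the original post: it converts EXIF GPS tags to decimal degrees, rejects damaged or empty values, and measures how far the point sits from a candidate venue. The GPS values and the venue coordinates are constructed for illustration.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed GPS block in the shape EXIF stores it: a hemisphere letter plus
# (numerator, denominator) rationals for degrees, minutes and seconds.
SAMPLE_GPS = {
    "GPSLatitudeRef": "S", "GPSLatitude": ((37, 1), (48, 1), (3720, 100)),
    "GPSLongitudeRef": "E", "GPSLongitude": ((144, 1), (57, 1), (4680, 100)),
}
CANDIDATE_VENUE = (-37.8110, 144.9625)  # constructed point for the suspected venue


def to_degrees(rationals, ref, refs, limit):
    """Convert three EXIF rationals to signed decimal degrees, or None if invalid."""
    try:
        deg, minute, sec = (num / den for num, den in rationals)
    except (ZeroDivisionError, TypeError, ValueError):
        return None  # zero denominators and short tuples appear in damaged tags
    value = deg + minute / 60 + sec / 3600
    if ref not in refs or value > limit:
        return None
    return -value if ref == refs[1] else value  # refs[1] is the negative hemisphere


def exif_coordinates(gps):
    """Return (lat, lon) from an EXIF GPS dict, or None when the tags are unusable."""
    lat = to_degrees(gps.get("GPSLatitude", ()), gps.get("GPSLatitudeRef"), ("N", "S"), 90)
    lon = to_degrees(gps.get("GPSLongitude", ()), gps.get("GPSLongitudeRef"), ("E", "W"), 180)
    if lat is None or lon is None or (lat == 0 and lon == 0):
        return None  # 0,0 is often written when the device had no fix
    return lat, lon


def distance_km(a, b):
    """Great-circle (haversine) distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


if __name__ == "__main__":
    point = exif_coordinates(SAMPLE_GPS)
    print("EXIF point:", point)
    print("distance to candidate venue: %.0f m" % (distance_km(point, CANDIDATE_VENUE) * 1000))
```

A point tens of metres from the candidate supports the lead but does not confirm it; the coordinates still need corroborating against imagery or other sources.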

Challenge Fifteen – Wall Buddies

You can win all sorts of unique prizes at B. Lucky & Sons. What kind of stuffed animal once held pride of place just to the right of the ‘Dancing Baby’?

Flag is one word, the name of the animal, e.g. ferret.

This challenge requires us to source some interior imagery of B. Lucky & Sons. Finding photographs of interiors can be a challenge for OSINT investigators – we can’t rely on satellite imagery or street view, so we need to look for other options. These often include:

  • Real estate and property websites
  • User reviews on Google, Yelp, Tripadvisor etc.
  • Social media accounts mentioning a location or business
  • Personal blogs
  • Archives (particularly for historic buildings)
  • Commercial websites

In this case, B. Lucky & Sons’ website is a little clunky, but it does include a 360 virtual tour of the arcade.

With a bit of trial and error, we can locate the wall of prizes featuring the Dancing Baby. And just to the right of it? A rabbit.

Challenge Sixteen – Meme Wars

A group called ‘Explosive Media’ made headlines earlier this year with its pro-Iran Lego-style animations. While some of this group’s accounts have been suspended from mainstream platforms, others are still up and running.

What is Explosive Media’s Solana wallet address?

Flag is a cryptocurrency wallet address, exactly as it appears online.

The wording of the challenge suggests that we’ll find Explosive Media’s Solana wallet address on a social media page, so a sensible first step is to craft a search string to locate these pages. Remember, we can use our ‘OR’ operator to target multiple platforms at once. This should reveal the common spelling of Explosive Media’s handle – there’s an extra ‘a’ at the end.

From here, we can either:

  • Navigate to each profile and search for references to cryptocurrency wallets.
  • Refine our search further.

Adding ‘Solana’ as an exact phrase to our search retrieves a post containing the flag from X (Twitter).

You might have found the address on other platforms such as Telegram as well. The wallet address is: AdHe8x4nmNYFwv1yaT53byxw7zfpgNrTou3QJsnTCyKH

Challenge Seventeen – Threadshare

Which Threads user shared a link to Explosive Media’s Telegram page in early April?

Flag is a Threads username, no punctuation, e.g. username21.

A follow-on from the previous flag, this challenge asks us to find a social media post sharing a link to Explosive Media’s Telegram page on Threads. We can target Explosive Media’s Telegram URL (you might have already found it for ‘Meme Wars’) as an exact phrase, and restrict our search to Threads using the site: operator.

This should reveal the post in question, made by user dinndan713.

Challenge Eighteen – Jurassic

Another classic meme! But there’s more than meets the eye. Can you find the secret message?

Flag is a three-word phrase, lowercase, no punctuation.

We haven’t included a steganography challenge before, although they’re a staple in many Capture the Flags. This one could be solved using browser-based tools, although it may have required a little research to find one that worked. One of the options was Steganography Online – uploading the image and selecting ‘decode’ revealed the secret message: not a stegosaurus

How did you fare? We had six players who achieved top scores (3800 points in total), and user doxtrine was first past the post. Congratulations!

Want to take your OSINT skills to the next level? Check out our training opportunities here https://www.osintcombine.com/training or get in touch with us at [email protected].