IrisCTF 2025

where's bobby

OSINT | Medium

I took this picture while I was on a road trip. I distinctively remember that there was a body of water along this route, and there weren't many populated areas. Find the route number of the road I was on.

The flag is the route number and the 2-character abbreviation of the country it is in, separated by an underscore (_). For example, if the route was route 23 in British Columbia, Canada, the flag would be irisctf{23_CA}.

wheres-bobby.jpg

The given image featured a signboard with the text “西沙屯桥至楼自庄桥行驶畅通” ("Traffic is flowing smoothly from Xishatun Bridge to Louzizhuang Bridge"), indicating that it was taken near Beijing. The backdrop also suggested a mountainous area.

Admittedly, I wasn’t keen on manually scouring maps to pinpoint the place. Instead, I took a shortcut and searched for the signboard text on Douyin, where I found several driving blogs from the Beijing area. Among them, one video caught my attention as it showcased the same route and its caption was "Yanqing to Beijing", as shown in the screenshot below.

screenshot from the driving blog

With this new clue, I turned to Google Maps and searched for routes between Yanqing and Beijing. The search revealed two primary routes: S3801 and G6. After testing both routes, I found that S3801 was the one featured in the image, and it matches the challenge's description, with a water body nearby and fewer populated areas compared to the other routes.

└─$ irisctf{S3801_CN}

where's bobby 2

OSINT | Medium

I took this picture while I was on a trip, somewhere, and I saw this beautiful wall art. However, in a shocking turn of events, I don't know where it was! Can you find it for me?

The flag is the coordinates of the building which contains this wall art, in decimal format and correct to 3 decimal places, and separated by an underscore (_).

For example, if the building was located at 50°59'52.934"N, 118°13'28.792"W the flag would be irisctf{50.998_-118.225}.

wheres-bobby-2.jpg

A quick search of the given image revealed that it is the 百子嬉戏图 ("Hundred Children Playing"), an artwork located at Baiziwan Station on Line 7 of the Beijing Subway in China. Then, I simply retrieved the coordinates (39°53′29″N 116°29′30″E) from Wikipedia and converted them into the required decimal format.

└─$ irisctf{39.891_116.492}

deldeldel

Forensics | Easy

I managed to log more than just keys... perhaps it was too much data to capture?

The given file is a PCAPNG file containing URB (USB Request Block) packets, primarily consisting of:

  • URB INTERRUPT IN

  • URB BULK OUT

Upon analysis, multiple conversations were identified as shown below.

conversations

Extract the USB capture data using the following command:

tshark -r x.pcapng -T fields -e usb.capdata | grep -E "." > cap.txt

Then, map the keystrokes using this mapper and do some cleaning:

└─$ irisctf{this_keylogger_is_too_hard_to_use}
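The mapper referenced above is not reproduced on this page. As an added example (not the author's script), here is one way to replay the `usb.capdata` lines in cap.txt as keystrokes, including the cleanup for Backspace and for non-keyboard reports. It assumes 8-byte HID boot-keyboard reports and a US layout; the function name and the sample data are constructed for illustration.

```python
# Added example: replay USB HID boot-keyboard reports from tshark's usb.capdata.
# Usage IDs follow the USB HID Usage Tables, Keyboard/Keypad page (US layout assumed).
PLAIN = {0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\",
         0x33: ";", 0x34: "'", 0x35: "`", 0x36: ",", 0x37: ".", 0x38: "/"}
SHIFT = {0x2C: " ", 0x2D: "_", 0x2E: "+", 0x2F: "{", 0x30: "}", 0x31: "|",
         0x33: ":", 0x34: '"', 0x35: "~", 0x36: "<", 0x37: ">", 0x38: "?"}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    PLAIN[0x04 + i], SHIFT[0x04 + i] = c, c.upper()
for i, (p, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    PLAIN[0x1E + i], SHIFT[0x1E + i] = p, s
BACKSPACE, ENTER = 0x2A, 0x28
SHIFT_BITS = 0x22  # left shift (0x02) | right shift (0x20) in the modifier byte

def decode_capdata(lines):
    """Replay keyboard reports and return the text as it stood after all edits."""
    out, prev = [], set()
    for line in lines:
        hexstr = line.strip().replace(":", "")   # older tshark prints aa:bb:cc
        if len(hexstr) != 16:                    # not an 8-byte keyboard report
            continue
        try:
            report = bytes.fromhex(hexstr)
        except ValueError:
            continue
        if report[1] != 0:                       # reserved byte is zero for keyboards
            continue
        keys = [k for k in report[2:] if k > 0x03]   # 0x00-0x03: no key / error codes
        table = SHIFT if report[0] & SHIFT_BITS else PLAIN
        for k in keys:
            if k in prev:                        # still held since the last report
                continue
            if k == BACKSPACE:
                del out[-1:]                     # drop the previous character, if any
            elif k == ENTER:
                out.append("\n")
            elif k in table:
                out.append(table[k])
        prev = set(keys)
    return "".join(out)

# Constructed sample (not from the challenge capture): a typo, a Backspace, mouse noise.
SAMPLE = [
    "0000060000000000", "0000000000000000", "0000170000000000", "0000000000000000",  # c, t
    "00001b0000000000", "0000000000000000", "00002a0000000000", "0000000000000000",  # x, Backspace
    "0000090000000000", "00fe0100", "02002f0000000000", "0200000000000000",  # f, noise, {
    "0000040000000000", "02002d0000000000", "0200300000000000", "0000000000000000",  # a, _, }
]
print(decode_capdata(SAMPLE))
```

To run it on the real capture, pass the lines of cap.txt, for example `decode_capdata(open("cap.txt"))`.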
