IrisCTF 2025

where's bobby

OSINT | Medium

I took this picture while I was on a road trip. I distinctively remember that there was a body of water along this route, and there weren't many populated areas. Find the route number of the road I was on.
The flag is the route number and the 2-character abbreviation of the country it is in, seperated by an underscore (_). For example, if the route was route 23 in British Columbia, Canada, the flag would be irisctf{23_CA}.

The given image shown above featured a signboard with the text: “西沙屯桥至楼自庄桥行驶畅通”, indicating that it was taken near Beijing. The backdrop also suggested a mountainous area.

Admittedly, I wasn’t keen on manually scouring maps to pinpoint the place. Instead, I took a shortcut to search the signboard text on Douyin and found several driving blogs from the Beijing area. Among them, one video caught my attention as it showcased the same route and the caption was "Yanqing to Beijing.", shown in the screenshot below

With this new clue, I turned to Google Maps and searched for routes between Yanqing and Beijing. The search revealed two primary routes: S3801 and G6. Testing both routes, S3801 was the one featured in the image and it matches the challenge's description with a water body nearby and less populated as compared to the other routes.

└─$ irisctf{S3801_CN}

deldeldel

Forensics | Easy

I managed to log more than just keys... perhaps it was too much data to capture?

The given file is a PCAPNG file containing URB (USB Request Block) packets, primarily consisting of:

URB INTERREUPT IN
URB BULK OUT

Upon analysis, multiple conversations were identified as shown below.

Extract the USB capture data using the following command:

tshark -r x.pcapng -T fields -e usb.capdata | grep -E "." > cap.txt

Then, map the keystrokes using this mapper and do some cleaning:

└─$ irisctf{this_keylogger_is_too_hard_to_use}

PreviousCyberleague 2025

Last updated 1 month ago