Hacktoria CTF: The Midnight Slayer

💡 Find the original challenge created by the folks at Hacktoria here

Challenge

“Greetings, special agent…”

Our task is to find the identity and address of a murdered dubbed “The Midnight Slayer” on the loose in Baltimore. The killer leaves bodies disfigured and operates predominantly at night. Check out the full description and story on Hacktoria if you’d like to play on your own before reading on first!

Ultimately the final answer we’re looking for will be a what3words location of the killer’s address. This will decrypt a ZIP file with our “answer code”.

First Look

We’re given:

• an encrypted riddle ZIP file
• a missing persons report
• a list of Baltimore murders from 2024
• four images of likely murder locations sent by the killer
• a screenshot of a what3words location
• a message from the killer

This being my first Hacktoria CTF I was a little overwhelmed and unsure where to start.

Ideas

Some investigative angles that I thought of trying out were:

• clustering the murders by time of day to try and work out which ones were definitely the work of the midnight slayer
  • find similarities in victimology
• look for the same similarities in the missing persons list
• finding a password to the ZIP file …somewhere… (?)
• and of course geolocating the four supposed murder locations

Since I had no idea where to really start, I tried to brute-force the ZIP archive. It’s a cyber challenge, so a commonly-used, weak password could be a feasible, right?

Let It Rip(per) 🔪

Before I disappear into the rabbit hole of geolocating the four images, let’s quickly try and crack open that ZIP file. The archive contains two files, riddle.txt and last-hint-location.png, so maybe those are additional clues that are supposed to guide my investigation…

We use the johntheripper password cracking utility for this. First we need to convert our ZIP file into something that john understands:

zip2john riddle-midnight-slayer.zip > zip.hash

Then we use the infamous rockyou.txt wordlist for a very fast check if cracking this is feasible in our situation. The rockyou wordlist is a compilation of around 14 million common passwords. This is still small enough that a modern computer can run through this in a practical amount of time. If we’re supposed to crack this, I don’t think Hacktoria would choose a password that isn’t included in this wordlist.

john-the-ripper --wordlist=rockyou.txt zip.hash

The above finishes in just a few minutes without any results.

The last thing we can try, is checking the hash extracted with john2zip against online hash databases. Those databases are repositories of previously cracked hashes, basically a big rainbow table. Unfortunately though, neither hashes.com nor CrackStation lead us to the password.

Back to square one.

Reconnaissance

I still wasn’t quite ready to jump the gun and start geolocating. With the amount of material presented, I was sure that I was missing a hint that would tell me where to start my search.

So to make digesting the missing persons report and list of Baltimore murders a little easier, I plotted all those locations (murders, missing persons address, missing persons last known location) on a map. A really nice tool I discovered through this process is batchgeo. It takes data in a tabular format and returns a custom Google Map with those locations. It also lets you export that data to Google Earth, which is exactly where I amalgamated all of my data points.

As you can see, you can’t see much. Nothing so apparent that it hits us in the face. I also split out the murders by time of day to reveal any potential patterns for murders only committed at night (Midnight Slayer!!), but nothing again.

I guess there’s not much left to do than starting to grind away at geolocating…

Baltimore, o Baltimore

Not gonna lie, this took a while and more grey hair than I’m ready to admit. I’ve never been to Baltimore before, but by now you could drop me in any suburb and I’d find my way back to the harbor blindfolded. But we did it, we found all the images, and here’s how.

Before starting, I made sure to download the highest resolution image I could get. By default, Hacktoria’s website will serve a scaled down .webp version of the images, I removed the trailing ?resize=1024%2C742&ssl=1 from their URL and downloaded the images in the original format. Interestingly, right clicking and choosing “Save Image as” will still prompt a download for the webp image. The way I got around this was using wget from the command line.

To download all four images with one command through the magic of bash comprehension:

wget https://i0.wp.com/hacktoria.com/wp-content/uploads/2024/04/location-body-{1..4}.png

Image 1

The sharp turn in the road is something that would stand out on a map considering how uniform blocks in the United States are usually built.

We start with reverse image searching this (what else), and Google Lens brings up a lot of listings for similar looking houses in Baltimore. We simply work our way through them and check their addresses on Google Maps for any sharp turns like the one in our image.

Eventually one of the search results brings us super close to our location: 39.23097615352122, -76.60305663576236

Image 2

This one I was able to directly find with Google Lens. Now that I’m writing this walkthrough, I had an easier time to locate this image again using Yandex’ reverse search, and adding the search term “Baltimore” to the reverse search. This leads us to a Wikipedia page with an image of the house that includes the address.

39.292059725437014, -76.65029990741299

Image 3

This is where things are starting to get messy. Everyone’s got a plan until Google Lens fails.

Eventually I just dropped into different neighborhoods’ StreetView that looked like they could have some greenery. I was looking out for the type of street lamp in our image. Once I found a promising candidate, I systematically crawled through streets until I found the right spot.

It helps to know that this house needs to be on a road (not only an alley) because we can see the curb, and will probably be at a corner, because we can’t see any other houses. I’m not sure if I just got lucky, but this entire process took only about an hour.

39.29522031248207, -76.67769128548588

Image 4

You thought image 3 was hard? Then get ready to suffer.

Recycling, Scrap, and Trailers

I spent a while trying to find the place by focusing on the truck in the back. “Graebel Van Lines” was an American moving company that was liquidated in 2017. I was able to find some listings for trucks like the one in the picture, but obviously the company didn’t only have one truck, so that didn’t lead anywhere productive.

I quickly focused my search efforts on any sort of recycling, scrap yard, used truck sale facilities in Baltimore. The problem was that Google Maps didn’t give me an exhaustive list of all of those facilities. So I kept searching similar sites without success. I also tried paying attention to any facilities that were next to big concrete buildings like the one in the back, but how the hell do you search for this?

One of my personal takeaways here is to spend some time and properly learn how to use Overpass Turbo. I tried Bellingcat’s wrapper OSM search which is really cool and generally pretty easy to use, but sadly didn’t have much luck with it either.

Thinking Ahead

What helped me in the end was thinking ahead. What could be the next step after geolocating all images? Something will need to be revealed, but how? I took a look at the message the killer sent the police:

I was pretty certain that the last sentence here unlocks the message and that we’re supposed to draw lines between the body locations to form a cross.

It’s the lines that mark where our lives were crossed.

The intersection would lead us to the what3words location displayed in the image next to the message, and the three words pinpointing this location could be the password to our riddle ZIP file?

If this assumption is correct then we can narrow down our search space tremendously.

Below is a rough approximation of the new search space if we assume Body 1 and Body 3 are going to form our first line. While Body 3 and Body 2 could theoretically also connect for the first line, the resulting cross would be very skewed and unlikely to have been created on purpose. We’re basically abusing the human tendency to make things “fit” here.

After a few more hours of skimming the Google Maps satellite view for scrap sites, we finally find what we were so desperately looking for. Our trailer in all its glory, peaking out from behind the fence.

39.256113208122194, -76.65578641367107

Crossing Lines

As expected we find the image next to the slayer’s message at the crossing of the lines connecting the locations.

It is located at 39.2744921435941, -76.65329400017988 or as its what3words address: ///belts.chips.mental

Wise Eyes of the Hunt

Using the what3words location without the three leading slashes as a password, we successfully decrypt our riddle file. It contains two files:

riddle.txt

Wise eyes of the hunt, keep watch. Rodents you are, your time will come.

To me the riddle shows that the killer sees themselves as a hunter. He is wise and superior, and hunts his victims (rodents), just like a bird of prey, or a lion, or something similar. We’ll get back to that.

last-hint-location.png

Another what3words location. This must be the password to the final answer file. Looks like a roof, but impossible to find without further clues.

By now I’m convinced that the Google Maps part of this CTF is over. We’ll soon come to learn this was a big mistake.

I’m now focused on finding something related to the riddle with a connection to Baltimore or the other provided materials, the murder and missing persons lists had to be there for a reason. The difficult part here is not knowing how complex a task is, or what is expected in the next step. Just to name a couple, here are some of my failed investigation angles:

Ravens

Baltimore is the city of ravens. Edgar Allen Poe lived and was buried in Baltimore and his poem “The Raven” famously gave Baltimore’s American Football team its name. Raven’s are kinda wise. They’re definitely mysterious. Maybe hunting rodents is a stretch, but I wouldn’t put it past them. I checked the Edgar Allen Poe house and his grave (both famous landmarks in Baltimore) on Google Maps, but didn’t really know what was expected, or what I was looking for. The what3words location was nowhere to be seen.

Eagles

Yeah eagles, they definitely match the definition of a hunter more than Ravens. Let’s see then, one of the missing persons has an eagle tattoo! She was last seen close to Federal Hill Park, and next to the park I find this:

Wise Eyes anyone?

The building is the American Visionary Art Museum. Digging a bit, we can find the late artist Brian Dowdall featured on the museum’s website who lived in Baltimore. One of his most famous paintings is this lion with a lot of wise eyes…

Of course none of that had anything to do with the CTF’s solution.

Another of the missing persons was last seen in the vicinity of Coppin State University. Checking the place out with satellite view, we spot a giant eagle on the football (soccer) field, the mascot of CSU! That is pretty cool, but unfortunately this is another dead end, at least I’m not seeing where this leads?

Yet another person went missing near the playground at Gwynns Falls/Leakin Park. Guess what street this playground is on? Eagle Drive! Flanked by two stone eagle statues! Come on, that must be it, right? Nope.

Phoenix

Eagles don’t cut it anymore. We’ve got to step it up a notch, we’re now investigating Phoenixes 🔥

One of the missing persons has a phoenix tattoo. Baltimore has a phoenix shot tower, and it’s very close to the suspected home address and the last known location of the missing person. Think I’m going crazy? I’ve got more.

Those were just the more promising leads I followed. I thought I could Google my way to the answer instead of map crawling yet again. In my mind I would find a mural or statue of a bird of prey, an owl, something. But as outlined beautifully above, there were just too many possibilities to find a definitive answer.

Legwork

Eventually, I bit the bullet and investigated every murder address, every missing person’s home address and last known location on Google Street View. This took about three repetitions and runs through all of those locations until I spotted this little bugger perched at one of the missing persons home addresses.

At this point I had tried enough fruitless alternatives to know I had struck gold. I checked the house in satellite view and indeed, it’s our last-hint-location.png: 39.30579926066516, -76.5514015236047. In what3words notation, the address is ///forum.report.rent.

Using this address as the password for the final answer file, we obtain the answer code and can finally sleep again. Thanks Hacktoria 🦉😴

Final Remarks

For real though, thanks for putting this together Hacktoria team. Even though (or maybe exactly because) I couldn’t think of anything else for three days straight, this was a lot of fun. My only constructive feedback would be to include more variety in future CTF design. I would have loved to find one of the missing persons’ Twitter profiles still active after their alleged disappearance or something else that isn’t Google Maps!

Maybe this was the design choice though and I just happened to join a geolocation-heavy edition of the CTF! In any case, I’ll be joining the next one!

Oh ands here’s my official CTF card 🔥

Tools used

• hashes.com
• CrackStation
• Google Lens
• Yandex Image Reverse
• Google Maps + Street View
• Bellingcat OSM Search