# Identity Fraud (OSINT - 500 points)


-----

# Solution:

You have a twitter account in the description, open it and you will see tweet replies that are related to what is explained in the challenge description.



```
General obvious note:

Some of the players told me that there is a technical problem and they can’t see all the tweet replies, but I mentioned that (Eword) has replied to the fake account, so you need to check Eword twitter account too to see all the replies. (You’ll find Eword account in the replies of the fake account, also in the following list of the fake account)
```


```
The fake twitter account that I’ve mentioned in the description:
https://twitter.com/1337bloggs

Eword Team twitter account:
https://twitter.com/EwordTeam
```

-----

**So, here is the tweet and the replies to it:**


-----

According to the description and the replies, there is a task that needs to be solved…



In one of the replies, Eword says that something will be in their CTFtime team page and will be deleted when Fred (the fake account) takes a screenshot of the CTFtime team page.

**Note:**
You can find Eword CTFtime page link in their twitter account.






```
https://ctftime.org/team/131587
```

When you open Eword CTFtime team page link, you won’t find anything interesting.



<kbd>
</kbd>

**That’s because Eword said in the reply that they will delete that thing from their CTFtime page.**

**So, you need to find that thing before it was deleted.**

...

One of the ways to find something deleted from a webpage is to check previous versions of that page…



**And simple “googling” will give you the method:**


So, using The Wayback Machine on the CTFtime page link will give you what are you looking for:

1. Go to https://archive.org/web/
2. Type the link of Eword CTFtime team page and click (browse history):




You’ll find previous versions of Eword CTFtime webpage:

That one looks interesting, it has a Pastebin link.

Open it and you will find the task:
https://pastebin.com/8bk9qLX1


So, you need to find the leader of Eword team, and when you open the hint, you will find a base64 encoded image.
https://pastebin.com/PZvaSjA0


You can use CyberChef to know what that base64 encoded text will give you:
https://gchq.github.io/CyberChef/



```
Note:
You can use different sites/methods to get the image.
I just explained one of the methods above.
```

This is the image that you will get:




-----

**I put small clues in that image:**







The words “Hotel” and “Advisor” aims to “Trip Advisor” site:


**The intended way to continue solving this challenge:**



**Locate that hotel from the image that you got, then search for it in Trip Advisor site and look in the reviews of that hotel.**

```
Note:
I know that there is a shorter way to reach the review, but it’s unintended and it’s guessy, so I won’t mention it.
```

To locate the hotel, you need to do reverse image searching.

```
- Note: You shouldn’t search manually for all Hilton hotels, because there are too many Hilton hotels around the world! And that’s why I’ve chosen a Hilton hotel (because I don’t want you to guess anything).
```

One of the best sites to do reverse image searching is **Yandex** (https://yandex.com/images/)




You’ll find that the hotel is in Montenegro.




...

Go to TripAdvisor and search for that hotel:




https://www.tripadvisor.com/Hotel_Review-g304088-d600703-Reviews-Hilton_Podgorica_Crna_Gora-Podgorica_Podgorica_Municipality.html

Go to the reviews and you will find this one:


As you see, Eword is mentioned in the review, so this is the person who are you looking for!

-----

Now you need to find a flag in one of his social media accounts
**(That was mentioned in the Pastebin link that you found before)**






...



I don’t want you to guess anything. So, I changed the TripAdvisor username of Eword leader to: (check_my_instagram)


So, you need to find his Instagram account, and you can do that in 2 ways:

1. Search for his name in Instagram.

**or**

2. You’ll find his username in his TripAdvisor bio too:




https://www.instagram.com/wokaihwokomaskustermann/

-----

Check the story highlights in his Instagram account, you will find 2 stories:







The second highlighted story is a hint about the flag location.

**So, check his Instagram full sized profile picture and you will get the flag.**

```
There are a lot of sites/ methods to do that,
Example:
https://www.instadp.com/
```


-----

# Fun facts:

- The pictures of Fred and Wokaihwokomas are for people who don't exist!
```
For more details, read more about (thispersondoesnotexist.com)
```







- **"Fred Bloggs"** is a placeholder name!
```
Placeholder names are words that can refer to objects or people whose names do not exist, are temporarily forgotten, irrelevant, or unknown in the context in which they are being discussed.
```




- **"Wokaihwokomas Kustermann"** is generated using a fake name generator!

Original writeup (https://github.com/Cyb3rDoctor/FwordCTF2020/blob/master/Identity_Fraud.md).