Hidden Marker

OSINT

Introduction

A whistleblower using the alias "spiriteawx" has revealed a large-scale art smuggling operation, leaking crucial financial documents and leaving behind cryptic hints. The goal of this challenge is to track down the smuggling location and identify the associated transaction.

---

Step by Step Solution

Step 1: Finding Social Media Accounts

Since we have a username, I used Sherlock to check for social media accounts.

Result of Sherlock:

https://allmylinks.com/spiriteawx
https://www.artstation.com/spiriteawx
https://cults3d.com/en/users/spiriteawx/creations
https://freelance.habr.com/freelancers/spiriteawx
https://gitlab.gnome.org/spiriteawx
https://nationstates.net/nation=spiriteawx
https://nationstates.net/region=spiriteawx
https://torrentgalaxy.to/profile/spiriteawx
https://x.com/spiriteawx
Total Websites Username Detected On : 9

Among these, we found an X account. Checking it revealed the following:

A tweet related to major art smuggling contained a link to Pastebin with financial records. The tweet also included an image, which supposedly shows where the smuggling took place.

Step 2: Identifying the Location

To determine the location, I first attempted reverse image searches but found no matches. Assuming the image was taken from Google Maps, I decided to use my favorite tool, Find Picture Location & Identify Photo Location Using AI.

This led me to a possible location: Prague, Czech Republic.

I then manually searched the map for about 30 minutes, but the area was too vast to check every street. Upon closer examination of the provided image, I noticed a vintage car, which stood out. This suggested it could be a known attraction. Searching for 'Prague Czech vintage cars location' on Google helped narrow it down.

The first result in Google Maps provided the answer.

FOUND IT! The street name is 'Celetna'. This gave me half of the flag.

Step 3: Finding the Transaction ID

Now, I needed to extract the transaction ID from the financial records. The logs contained over 1000 entries, and I had only 500 attempts to find the correct one.

After skimming through the data, I found suspicious entries such as:

"UserId","TransactionId","TransactionTime","ItemCode","NumberOfItemsPurchased","CostPerItem"

"309960","5988543","Wed May 02 10:36:00 IST 2023","469644","3067248","4.08"
"321426","6268163","Tue Dec 18 08:56:00 IST 2023","459921", BACK DOOR ,"72"
...
537. "-1","-1","[REDACTED BY ADMIN]","-1","-1", "-1"

After 12 failed attempts with different transaction IDs, I became suspicious of the redacted entry:

"-1","-1","[REDACTED BY ADMIN]","-1","-1", "-1"

I was initially confused as to why it was censored. Scrolling further, I found a comment in the Pastebin log:

It was there. I swear! - ArmoredVortex

This suggested that the log had been edited. If the original data had been altered, I needed to find an earlier version. Searching for "ArmoredVortex" and "spiriteawx" using Sherlock yielded nothing useful, so my last resort was the Wayback Machine.

Using the Wayback Machine:

Bingo! The redacted entry at line 537 was visible in an earlier version:

"845921","6382938","Sat Jan 07 00:00:00 IST 2024","372819","7", "3.21"

---

FLAG

pearl{celetna_6382938}