ch1se
  • Home
  • CERTIFICATES AND PARTICIPATIONS
    • HackTheBox - Cyber Apocalypse CTF 2025: Tales from Eldoria
    • The SecOps Group
  • bitsctf-2025-writeups
    • HotPause
  • BRONCOCTF-2025-WRITEUPS
    • theflagishere!
  • ACECTF-2025-WRITEUPS
    • The Mysterious Building
    • Social Circles
    • Broken Secrets
    • Cryptic Pixels
    • Tabs&Spaces
  • PEARLCTF-2025-WRITEUPS
    • Hidden Marker
    • SentMail
    • Van Gogh's GARBAGE hunt
  • 1753CTF-2025-WRITEUPS
    • Dude where is my car
    • Happy New Year!
    • Somewhere in Space
  • CITCTF-2025-WRITEUPS
    • Timesink
    • Throwback to the Future
    • No Country for Old Keys
  • BYUCTF-2025
    • Universal-ty
  • OSINT-WRITEUPS
    • gralhix
Powered by GitBook
On this page
  • Introduction
  • Step by Step Solution
  • Step 1: Inspecting the Given File
  • Step 2: Decoding the Hidden String
  • Step 3: Investigating the Username
  • Step 4: Checking the X account
  • Step 5: Searching for the BSSID
  • Step 6: Reverse Image Search
  • Step 7: Identifying the Shop
  • FLAG
  1. PEARLCTF-2025-WRITEUPS

Van Gogh's GARBAGE hunt

OSINT

PreviousSentMailNextDude where is my car

Last updated 2 months ago

Introduction

Helga, a maid working at Mr. X’s mansion, made a huge mistake—she unknowingly gave away his gold jewelry along with some old clothes. Now, she has no idea which textile collection point she left them at.

Our job? Track down the exact shop where the jewelry ended up and retrieve the flag.

Step by Step Solution

Step 1: Inspecting the Given File

The challenge provided a file: vangogh.zip. Unzipping it gave me a single image file:

I started by checking the metadata using exiftool.

exiftool chall.jpeg

The comment field contained something that looked like Base64-encoded text.

Step 2: Decoding the Hidden String

The extracted Base64 string was:

SnVzdGFub3JtYTgxODYx

I decoded it using:

echo "SnVzdGFub3JtYTgxODYx" | base64 -d

Which gave me:

Justanorma81861

Looks like a username.

Step 3: Investigating the Username

I used sherlock to find where this username exists online.

sherlock Justanorma81861
https://freelance.habr.com/freelancers/Justanorma81861
https://gitlab.gnome.org/Justanorma81861
https://nationstates.net/nation=Justanorma81861
https://nationstates.net/region=Justanorma81861
https://torrentgalaxy.to/profile/Justanorma81861
https://x.com/Justanorma81861
Total Websites Username Detected On : 7

The X (Twitter) account stood out, so I checked it.

Step 4: Checking the X account

The profile had only two tweets. One contained another Base64-encoded string:

QjQ6NUQ6NTA6QUE6ODY6NDE=

I decoded it:

echo "QjQ6NUQ6NTA6QUE6ODY6NDE=" | base64 -d

Result:

B4:5D:50:AA:86:41

This looked like a BSSID (Wi-Fi MAC address).

Step 5: Searching for the BSSID

I searched for the BSSID on wigle.net to get its location.

It pointed to His Majesty’s Theatre, so I checked Google Maps.

The location didn’t seem right. I decided to try reverse image searching the original chall.jpeg.

Step 6: Reverse Image Search

I uploaded chall.jpeg to Google Lens and found a match.

Clicking the third link gave me this address:

Buiten Oranjestraat 14-A

I looked it up on Google Maps.

Step 7: Identifying the Shop

From the challenge description:

Helga, a maid at Mr. X’s mansion, mistakenly gave away his gold jewelry to some textile collection point along with a pile of old clothes thinking they were GARBAGE.

The clue pointed to a textile collection point.

There was a store nearby called "The Swapshop", which fit perfectly.

FLAG

pearl{the_swapshop}