Writeups

Party Time! Level 2 - SwampCTF 2025

CTF: SwampCTF
Challenge Type: OSINT
Challenge Name: Party Time! Level 2
Author: snth

This is a continuation of the challenge called “Party Time!”. The party house was located at 29°39'10"N 82°19'59"W | https://maps.app.goo.gl/8jBBXp2jQffKt6LJ7

Using the ‘nearby’ search feature, I used ‘restaurants’ as the search term.

Looked at the closest restaurant first, which was Grill Express, and sorted its reviews by newest first. Nothing of note there.

Then looked at ‘Checkers’, again sorting its reviews by newest first.


On Thin Ice Writeup - SwampCTF 2025

CTF: SwampCTF
Challenge Type: OSINT
Challenge Name: On Thin Ice
Author: snth

The image is very dark, with nothing visually identifiable.

First thing to check is whether there is anything in the EXIF data that may provide information or clues.

Using exiftool to extract the EXIF data:

ExifTool Version Number         : 13.10
File Name                       : blank.jpg
Directory                       : .
File Size                       : 3.1 kB
File Modification Date/Time     : 2025:03:29 08:13:54+11:00
File Access Date/Time           : 2025:03:29 08:14:21+11:00
File Inode Change Date/Time     : 2025:03:29 08:14:15+11:00
File Permissions                : -rwxrwx---
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Title                           : D3 A6 D0 BA D0 BC D1 8B D1 81 D3 A7 D0 B4 20 D0 B2 D0 BE D1 81 D1 8C D0 BA D0 BE D0 B2 2E 20 D0 9C D0 B5 D0 B7 D0 B4 D0 BB D1 83 D0 BD 2E
Description                     : D3 A6 D0 BA D0 BC D1 8B D1 81 D3 A7 D0 B4 20 D0 B2 D0 BE D1 81 D1 8C D0 BA D0 BE D0 B2 2E 20 D0 9C D0 B5 D0 B7 D0 B4 D0 BB D1 83 D0 BD 2E
Image Width                     : 356
Image Height                    : 200
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Colour Components                : 1
Image Size                      : 356x200
Megapixels                      : 0.071

The Title and Description tags contain identical hex values.
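To check what those hex values encode, here is a small parser for exiftool's `Tag : Value` output that finds hex-encoded fields and decodes them as UTF-8 (an added example, not part of the original writeup; the sample input is a constructed excerpt of the output above, and the UTF-8-then-latin-1 fallback order is an assumption).

```python
import re

# Constructed excerpt of the exiftool output shown above (most header lines trimmed)
EXIFTOOL_OUTPUT = """\
File Name                       : blank.jpg
File Modification Date/Time     : 2025:03:29 08:13:54+11:00
Title                           : D3 A6 D0 BA D0 BC D1 8B D1 81 D3 A7 D0 B4 20 D0 B2 D0 BE D1 81 D1 8C D0 BA D0 BE D0 B2 2E 20 D0 9C D0 B5 D0 B7 D0 B4 D0 BB D1 83 D0 BD 2E
Description                     : D3 A6 D0 BA D0 BC D1 8B D1 81 D3 A7 D0 B4 20 D0 B2 D0 BE D1 81 D1 8C D0 BA D0 BE D0 B2 2E 20 D0 9C D0 B5 D0 B7 D0 B4 D0 BB D1 83 D0 BD 2E
Image Width                     : 356
Bits Per Sample                 : 8
"""

# A value made only of two-digit hex pairs separated by optional whitespace
HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")
MIN_BYTES = 4  # ignore short numeric values such as "1234" that merely look like hex

def parse_exiftool(text):
    """Parse exiftool's `Tag : Value` lines into a dict of strings.
    Split on the first colon only, because timestamps contain colons too."""
    tags = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            tags[key.strip()] = value.strip()
    return tags

def decode_hex_field(value):
    """Return the text encoded by a hex-pair value, or None if it is not one.
    Try UTF-8 first (two-byte sequences such as D0 BA are Cyrillic letters);
    fall back to latin-1 so undecodable bytes are still shown rather than dropped."""
    if not HEX_RUN.match(value):
        return None
    raw = bytes.fromhex(value)  # fromhex skips the whitespace between pairs
    if len(raw) < MIN_BYTES:
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def find_encoded_fields(text):
    """Map every hex-encoded metadata tag to its decoded text."""
    found = {}
    for tag, value in parse_exiftool(text).items():
        decoded = decode_hex_field(value)
        if decoded is not None:
            found[tag] = decoded
    return found
```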


MuddyWater Writeup - SwampCTF 2025

Challenge

Challenge description:

We caught a threat actor, called MuddyWater, bruteforcing a login for our Domain Controller. We have a packet capture of the intrusion. Can you figure out which account they logged in to and what the password is?

Flag format is swampCTF{<username>:<password>}

Writeup also available on my blog

Filtering

We are given a .pcap file, which we can open in Wireshark or other similar software.
There are 97k packets in this file, so we need to filter them to find the data that’s useful to us.
When we open the file and scroll, we can see lots of SMB2 packets with “Error: STATUS_LOGON_FAILURE” and “Error: STATUS_MORE_PROCESSING_REQUIRED”:
A packet capture within WireShark
How can we filter these out?
If we click on one of them we can look at the SMB2 details:
Packet details
We can see that the field related to this error is NT Status; to copy the value in brackets, right-click this field and choose Copy -> Value.
After this we can filter it out with the display filter smb2.nt_status != 0xc000006d, but this still leaves all the STATUS_MORE_PROCESSING_REQUIRED errors.
To filter both out we can use the display filter smb2.nt_status != 0xc000006d and smb2.nt_status != 0xc0000016, which leaves us with ~9000 packets displayed out of the 97k total:
Filtered packet list
There are still lots of Negotiate Protocol Response packets in the list, so let’s filter those too by appending and smb2.cmd != 0, which leaves us with just 3 packets:
Display filter showing 3 packets in Wireshark
Now we can right-click packet number 72074 and choose Follow -> TCP Stream to narrow the view to just this conversation; we can close the window that comes up.
This updates the display filter to tcp.stream eq 6670, where we can see an encrypted SMB3 conversation and the username DESKTOP-0TNOE4V\hackbackzip:
Encrypted SMB3 conversation in Wireshark
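The same filtering logic, written out as code from a defender's side: it applies the display filter above to SMB2 responses and then reports which sources racked up logon failures and whether any of them later got a successful Session Setup. This is an added example, not part of the original writeup; the records are a constructed sample in the shape of a `tshark -T fields` export, not the challenge pcap, and the per-line pairing of status with account name is an assumption made for brevity.

```python
from collections import Counter

# NT status and SMB2 command values behind the writeup's display filters
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016
STATUS_LOGON_FAILURE = 0xC000006D
SMB2_NEGOTIATE = 0        # smb2.cmd == 0
SMB2_SESSION_SETUP = 1    # smb2.cmd == 1

# Constructed sample (not from the challenge pcap), shaped like the output of
#   tshark -r capture.pcap -Y smb2 -T fields -e tcp.stream -e ip.src \
#          -e smb2.cmd -e smb2.nt_status -e smb2.acct
# One line per SMB2 response; acct is the account of the Session Setup it answers.
SAMPLE = """\
1\t10.0.0.5\t0\t0x00000000\t
1\t10.0.0.5\t1\t0xc0000016\tWS\\alice
1\t10.0.0.5\t1\t0xc000006d\tWS\\alice
2\t10.0.0.5\t1\t0xc000006d\tWS\\alice
3\t10.0.0.5\t0\t0x00000000\t
3\t10.0.0.5\t1\t0xc0000016\tWS\\bob
3\t10.0.0.5\t1\t0x00000000\tWS\\bob
4\t10.0.0.9\t1\t0xc000006d\tWS\\carol
"""

def parse_records(text):
    """Tab-separated tshark field lines -> list of dicts with typed values."""
    records = []
    for line in text.splitlines():
        if line.strip():
            stream, src, cmd, status, acct = line.split("\t")
            records.append({"stream": int(stream), "src": src, "cmd": int(cmd),
                            "status": int(status, 16), "acct": acct})
    return records

def apply_writeup_filter(records):
    """Same logic as the display filter
    smb2.nt_status != 0xc000006d and smb2.nt_status != 0xc0000016 and smb2.cmd != 0"""
    drop = (STATUS_LOGON_FAILURE, STATUS_MORE_PROCESSING_REQUIRED)
    return [r for r in records if r["status"] not in drop and r["cmd"] != SMB2_NEGOTIATE]

def brute_force_report(records, threshold=2):
    """Defender's view: sources with >= threshold logon failures, plus any successful
    Session Setup from such a source (the account to treat as compromised)."""
    failures = Counter(r["src"] for r in records if r["status"] == STATUS_LOGON_FAILURE)
    suspects = {src for src, n in failures.items() if n >= threshold}
    successes = [(r["stream"], r["src"], r["acct"]) for r in records
                 if r["src"] in suspects and r["cmd"] == SMB2_SESSION_SETUP
                 and r["status"] == STATUS_SUCCESS]
    return {"failures": dict(failures), "suspects": suspects, "successes": successes}
```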


Three Words 1 Writeup

This writeup is also available on Medium.com

In OSINT (Open Source Intelligence) Capture The Flag (CTF) challenges, even the smallest details — such as identifying the type of tree in an image — can provide crucial insights.

In one particular challenge, we were given an image featuring an oak tree next to a sign displaying the name “Hackerman,” with the letters “HB” above it. My initial search yielded no results, but a teammate successfully identified the location: the Norman Hackerman Building at the University of Texas at Austin.


Nobita’s Network Nightmare - ApoorvCTF 2025 Writeup

Challenge Summary

Nobita was given a simple task: update the company’s internal network drive. It stored important files that everyone needed. He didn’t understand much about networks, but he wanted to prove he could handle it.

Without checking the instructions, he pressed a few buttons and messed the network up. The shared ftp drive disappeared. Within minutes, employees started complaining.

Gian and Suneo, who relied on the files, stormed into the IT room. “What did you do?” they demanded. Nobita panicked and called Dekisugi.

Help Dekisugi fix the network!

Challenge by hampter & NotAProton.
This challenge was part of ApoorvCTF 2025 (ApoorvCTF 3.0).
This writeup is also available on blog.grace.sh.




Writeups by the Rocket Rooks team