UIUCTF 2025 - OSINT ┻┳|・ω・)
Mr. Blue Sky suite
Mr. Blue Sky
Mr. Blue Sky is your average go-lucky BlueSky user, but is there something more to his profile? See if you can find anything on his profile
Nothing special to note from the assignment so let's dive into this BlueSky account right away!
Do we have anything interesting ?
- Posts/Responses ❌
- Media/Videos ❌
- Starter kits ✔️ => My Favorite Places on BlueSky 🧐
- Lists ✔️ => Bird Enjoyers 🧐
If we look into the Bird Enjoyers list we don't find anything interesting... other than very cute birbs pics 🥺💖
But if we look into the Starter kit My Favorite Places on BlueSky we do find something interesting... 👀
Ok! Pretty easy challenge, let's keep on moving!
Bad Blood
Mr. Blue Sky is just trying his best to build a following, but he's been trying to hide interactions from a particular troll! See if you can find something on that user's profile.
Clues
Hmmm now we will need to find a profile interacting with our user Mr Blue Sky.
We can note:
- "hide interactions", maybe an answer was hidden ? Maybe deleted ?
- "user's profile", the flag will be on this bad guy's profile.
Finding the missing interactions
As we saw in the first challenge there is 1 post by Mr Blue Sky. Let's inspect that!
Look at that 🧐 5 reposts we can check but 6 total linked to that post 👀
So now we have two paths:
- Chad path: look at the BlueSky API and get all the information needed.
- Idiot Osinter path: use a BlueSky post analyzer like Romiojoseph's one, which also utilizes the API but all the work is already done for us
If we look at the 6 Replies/Quotes we find this Quote
And on this profile we have our flag!
BONUS: Bypass 2 challenges in 10 seconds
Ok you know in crypto we sometimes crack the challenge by using some known clear text? Usually the flag format. In our case it will be uiuctf{...} (maybe upper cased).
What happens if we look at what BlueSky knows about this flag format? 🙂
Well that was easy.
Why didn't the challmaker think about it? My theory is that they are too used to OSINT on Twitter.
Twitter wouldn't have found the accounts as the search feature is pretty limited (I believe on purpose) and you need some large analysis to do the same. But on BlueSky, the all mighty powerful API has a pretty broad search engine. Flags are nowhere safe 😈
Age of Aquarius
Now that we know about Mr. Blue Sky's troll, we can learn more about her. It looks like she's got a birthday party coming up, can you figure out in which country (and province or state, if relevant)?
Clues
We now need to find where 16degreesofscorpio (the profile previously found) was born. Easy right? 🙂
What we know:
- She is a woman
- There will be information about her birthday party
- We are looking for a place
Digging for the birthday party
On 16degreesofscorpio's Bluesky profile we find two links:
There are many posts, people followed/following. Take a quick look for yourself, it's a pretty good exercice to find meaningful information through the noise.
Due to the sheer amount of data I won't go into details and will only show some interesting posts I deemed important, like:
Oh! So we just need to find more information about where this birthday party will be held and we will have our flag! So easy! 🙂
July 22nd - 1 week - three days = math = July 12th
Ok! Good to know!
Oh... Oh... Oh no... 😧
The... The chart... Oooh noooooo 😭
Well this chart will be useful 🙂(🔫)
Ok now we have two choices:
- Bruteforce all the possible rotations to find the exact location degrees and birth time that generated that chart on astro-seek.com
- Dig for more information
What I did during the CTF: none, I went to bed.
But for this writeup we will try to do the intended way and find more information to able to read the chart ⛏️👷
If we look online we find the signs and their symbols:
- ♈ => aries
- ♉ => taurus
- ♊ => gemini
- ♋ => cancer
- ♌ => leo
- ♍ => virgo
- ♎ => libra
- ♏ => scorpius
- ♐ => sagittarius
- ♑ => capricorn
- ♒ => aquarius
- ♓ => pisces
And from the exact same site that made the chart, astro-seek.com, we find a reverse engineering of birth chart page!
It needs the following information to recover the birth date and place:
- Sun (☉)
- Moon (☾)
- Saturn (♄)
- ASC
- MC
Now let's try to read the chart and reverse it!
Where moon? Well no moon needed! If we input these degrees and signs in the reverse calculator, we get:
- birth date: July 12, 1992, 22:15:35
- birth place: 54°56’35’’N, 106°13’44’’W
And voilà! We get our flag and astrology trauma forever! 🥰💖♋
Geoguesser Suite
park
This picture was taken in a park. Find the name of the park.
We have this image given:
If we do the classic search on Google Lens (also called Google Images) we get links to "Tegnérlunden, Stockholm" which is our flag.
cherry_blossom
I love cherry blossoms! But why is this one growing indoors?
This picture was taken inside a building.
We have this image given:
Oh! An indoor fake cherry blossom. The closeup is pretty weird but with the structure, the railings and the car, Google Lens should do the trick!
Hmmmm, nothing.
Let's try adding keywords ✨
So. We can try many different keywords but for me it did not work.
Well, if we can't filter by keywords, let's filter on the image itself!
We can select the structure part to have Google Lens focus on that!
Look at that! It's our structure with the same trees and railings!
If we click on the article we find that it is about the "Big in Japan" exhibition at the Autoworld museum in Brussels, Belgium.
Note: If we still did not find anything. Another last resort trick would be using a VPN in the US (where challmakers are) to have the closest information from Google that the challmakers had when making and validating the challenge.
Recap
Overall really fun OSINT challenges. It was a fantastic introduction to BlueSky and a good Google Lens skill assessment. I recommend that you try yourself and tinker with the challenges, it's pretty fun and you can stiffen your OSINT foundations a lot.
See you next time! (˵ ͡~ ͜ʖ ͡°˵)ノ⌒♡*:・。.
hey
ily
shy