← Back to home

0xL4ugh CTF 2024 — Cheater

Our team received a request from a man who believes his wife may be cheating on him. He asked us to help by checking her accounts for any evidence. He provided his wife's name, "Hamdia Eldhkawy" and mentioned that a friend informed him she shared a picture with someone on social media. He couldn't find the image and wants us to discover the man's real name.

Flag Format: 0xL4ugh{First Name_Last Name}

This one's a real doozy.

At the start, we're given only the wife's name, but googling it doesn't turn up any relevant results:

image

Trying another search engine, we can find this instagram page: hamdia_elhob_kolo, with four 3-day-old posts.

image

Slightly suspiciously, the account is 3 years old with one username change, but there doesn't seem to be any more information obtainable from that. Further, she doesn't seem to have any accounts on other social media. Looking through the account's followers and likes and comments on the account's posts also doesn't yield any leads.

image

Instead, the hint here is that all four of her posts are of AI art. Searching for "hamdia_elhob_kolo" now (again, not on Google) reveals this OpenAI community post by an account of the same name:

image

In the comments on that post, a reply from one Hamada_Elbes features an Instagram post starring our culprit and another man — the "shared picture" mentioned in the challenge description!

image

image

Assumedly, the Instagram account tagged in this post belongs to the person we're looking for. Unfortunately, the tag is cropped off in this picture, and the post itself has since been deleted.

image https://www.instagram.com/p/C3AfgY7A7If/

Also of note is the bookmark in the top left corner of the screenshot, which leads to a pastebin:

https://pastes.io/xlal5phvda

Unfortunately, this is just a red herring (though interestingly, looking at this pastebin on the Wayback Machine reveals that until the day before the CTF, it housed a list of 1000+ CS:GO Steam reviews 🤔).

Code: 

10xL4ugh{Fake_Flag_Lol}

It would be ideal if this Instagram post was archived before it was deleted, but unfortunately looking it up on the Wayback Machine doesn't return any leads.

Here we have to realize two things:

  • The URL contains an uppercase I, not a lowercase l.
  • The URL was archived on another site, not the Wayback Machine.

Knowing this, we can look it up on archive.is to find:

image

Finally, we have the Instagram page of our target: spidersh4zly.

image

Again, the likes and follows don't tell us much, though, amusingly, the account's profile picture and sole post comes from a frame of a bizarre Arabic Spiderman TikTok.

"Spider Shazly"'s Instagram bio leads us to a Linktree containing a nonexistent Twitter and Facebook account, a link back to his Instagram, and a Gmail address:

image

(weirdly, the Twitter account kept showing up in searches for spidersh4zly, though there's no other evidence on the Wayback Machine or otherwise that it ever existed).

Finally, we have to look up his Gmail address spidersh4zly4love@gmail.com on a sketchy OSInt site to get his name and the flag:

image

Code: 

10xL4ugh{Abdelfatah_ElCanaway}