Miscellaneous sure is one way to describe it.
We are evil. Not just evil: we are a gigantic corporation that controls superheroes and hopefully one day, the world. Our current mission? Hunt down a skinny white kid. Armed with nothing but his GitHub username, we must figure out how to bring this dangerous vigilante to justice. Even if he is only 5’7” and 130 pounds soaking wet.
Alright then, let’s check out his profile. It has one just one repository.
And just two commits.
Whelp. There’s step one, I guess. And when we go to the link, we get a WAV file that supposedly contains a secret message. Nice job sk1nnywh1t3k1d. Didn’t anyone ever tell you not to commit private information?
Well, let’s go ahead and toss that in a spectrum analyzer.
There’s definitely a message here, but it’s also backwards. We could reverse the audio file, but I’d much rather practice my backwards reading skills. After utilizing our massive brainpower to read the text, we’re greeted with another link that leads us to this image:
Ok well, let’s unscramble it. Once again, we could be smart and write a program to unscramble the image… or we could just manually cut out that parts with text and rearrange them in a photo editor. This gives us our final clue: an email address.
Wait, an email address? What do we do with that? Well, I can’t spoil anything, but I can give you a list of things that we do NOT do with that.
- Send an email asking for the flag
- Use the address as the flag
- Go back and spend hours looking for more information in the WAV and PNG files (only to find nothing and become very frustrated)
- Open a ticket and ask what to do with the email
- Realize that this email address was the one associated with the GitHub account in the first place, and there wasn’t much point to all of this song and dance
You might be thinking to yourself, “Wow Sam, those sound like wonderful ideas, how in the world did they not work?” Well, dear reader, you make a mighty fine point, and I would have agreed with you. Except you see, we both missed the very obvious solution: go to this guy’s Google Calendar, where the flag was hiding.
- Go to the given GitHub account.
- Go to the Google Calendar of the person who owns the GitHub account.