OSINT: Catch me if you can (500pts)

Challenge Description

By the time the team got there, they had already vanished. A new photo they have sent to taunt us has led us to believe they are now inside the room with us. Find them.

Actor’s Message

From: JR <j.riscman@proton.me>
To: RISC Threat Intelligence <intel@ctf.urisc.club>
Subject: Catch me if you can
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0


Find me if you can.

Sincerely,
J.R.

Photo

Approach

Analysing the photo provided with exiftool reveals the following:

$ exiftool ./IMG_3860.jpg
... omitted
Focus Range:                Auto
Canon Exposure Mode:    	Manual
Lens Type:              	Canon RF 50mm F1.2L USM or other Canon RF Lens
Max Focal Length:       	70 mm
Min Focal Length:       	24 mm
... omitted
Camera Type:	            EOS High-end
Auto Rotate:	            None
ND Filter:	                Off
Canon Image Type:	        Canon EOS RP
Canon Firmware Version: 	Firmware Version 1.6.1
Canon Model ID:         	EOS RP
... omitted

Cleary, the photo was taken on some type of Canon camera, and by looking at the picture provided it’s clear the photo was taken in the room during the event.

Looking around the room, there is one, and only one person holding a Canon camera - our photographer!

The solution here was to go up to our wonderful photographer and ask something along the lines of:

• Are you the threat actor?
• Are you John Riscman?
• I know you’re John Riscman, give me the flag.
• etc.

So, the flag is:

RISC{GOOD_JOB}

Solved!