I’m excited to take you through a detailed walk-through of how I solved the “Last Flight” CTF challenge from Hacktoria. This challenge was a thrilling test of my skills, involving the identification of a passenger airplane using various OSINT tools and techniques. From takeoff to landing, I’ll break down each step of my investigation process.

Prologue, Briefing, Images, Materials, and Zip File are found on Hacktoria’s Discord Server.

Prologue

Wanda had been tasked with an urgent and critical mission. An old top-secret electronic device had been planted on a passenger plane in April 1993. This device offered ECCM capabilities to the plane in order to avoid missile and rocket targeting during the Cold War. Unfortunately, all information about this device has been destroyed due to economic restrictions on storage in the year 2000.

Wanda had to locate the plane and retrieve the device quickly. This device could explode at any moment due to battery instability.

Wanda was a seasoned spy with years of experience in tracking down targets and gathering intelligence. But this mission was unlike any she had undertaken before. She had to locate a plane in the vast expanse of the world, and she had very little information to go on.

The Special Device Service Archive gave Wanda just a photo of the plane, but without any exploitable metadata.

Wanda quickly realized that she needed to gather more information about the plane’s whereabouts. She began to dig deeper, looking for any clues that might help her locate the plane. She spoke to airline officials, retired air traffic controllers, and even ground staff at various airports. But no one had any information on the whereabouts of the plane.

With time running out, Wanda decided to take a straightforward approach. She began to search for the plane herself. She spent countless hours scouring satellite images and flight tracking data, looking for any sign of the missing plane.

Briefing

Greetings, Special Agent K.

Wanda has called for help, and you have been assigned the task of supporting her investigation. You must find the last known location of the plane. Wanda is waiting for your signal to proceed with the UXO team. Additionally, we need to determine the country where the plane was during the device deployment to retrieve intelligence for defusing the device.

As always, Special Agent K. The Contract is yours, if you choose to accept.

Materials Provided

Image

Answer Instruction

Answer Format:

country_of_deployement-icao_code_of_airport-country_of_airport

Answer Sample :

belgium-lfou-france

After reading the prologue and reviewing the image, I wrote down what I thought I needed to research:

  • Special Device Service Archive
  • Passenger Plane April 1993
  • ECCM capabilities to the plane
  • UXO Team
  • Icao code
  • Countries involved in Cold War

I also jotted down what I noticed about the plane in the photo:

  • white plane body
  • no logos, brands, or carrier names
  • dark blue underbelly
  • plane has an upper-deck; I counted 9 windows
  • three symbols/characters on nose, second one looks like an X
  • one of the engines on right wing looks part dark blue and part sand-colored paint, like it had been camouflaged
  • The photo does not include the tail. I guessed it was prob because it is painted or it has writing on it and would give away a clue to the solution
  • three different varieties of trees on the right near the nose
  • looks like pebbles or gravel in foreground
  • is that snow, not sure
  • looks like red brick barracks in background building on horizon in lower left below the plane

My Tasks:

  1. find the last known location of the plane
  2. determine the country where the plane was during the device deployment to retrieve intelligence for defusing the device

My Methodology:

  • To start, run the airplane photo through Google Images for a direct hit.
  • Rinse & repeat.

After being unable to find a match, I googled “comparison of airplanes” and found these Pinterest links:

  1. https://www.pinterest.com/pin/147844800241936527/
  2. https://www.pinterest.com/pin/46584177391004727/

The 747 plane in the Boeing Pinterest photos has a hump on the upper forward fuselage. Also, the plane looks to be a 747 200 or a 747 SP. I was then pretty sure that the airplane I am chasing is, at minimum, a Boeing 747.

After googling 747 upper decks, I learned that the 747’s upper deck never extended the length of the airplane, unlike the Airbus model with an upper deck that does extend all the way.

I then googled “unmarked double-deck B747 1993 flight data” and learned that unmarked planes could be converted into cargo planes. I also learned that when a plane is marked it is called “livery”.  When it is unmarked, it is referred to as “no livery”.  So maybe the passenger plane was converted from a commercial plane to a cargo plane after it had been sold or leased or whatever to another operator.

I found this post on Reddit about cargo planes:

https://www.reddit.com/r/aviation/comments/1656kz5/a_white_747_parked_at_mia_international_airport/

After poring over dozens of 747 images, articles on missing planes and conspiracy theories on forums and such, I found some random links I bookmarked that I felt may be important as well as a reminder to research some more on ELINT 1993 (Electrical Intelligence):

https://www.airliners.net/photo/Universitades-Amoiensis/Boeing-747-236BM/632595

https://www.nytimes.com/1993/04/11/travel/travel-advisory-electronics-use-aboard-planes-debated-in-us.html

https://www.electrospaces.net/2017/05/the-equipment-aboard-ep-3e-electronic.html ELINT 1993

Then I googled “AI Image tools” and learned about geospy.

There are two versions of geospy: geospy.net and geospy.web.app.  Both of these tools are created and managed by Graylark Entities.

Geospy.net produced the following results when I uploaded the plane photo.  I use Obsidian for taking OSINT notes and for linking screenshots so the image below of geospy’s results, which was inside one of my Obsidian notes, had to be reduced by 50% so that all results would fit onto one Obsidian page.

 

The image from GeoSpy.net reads as follows:

This is the back end of a Boeing 747 airplane.

Country: United States
State: Washington
City: Everett
Explanation: This is the Future of Flight Aviation Center & Boeing Tour in Everett, Washington

Country: United States
State: Washington
City: Seattle
Explanation: This is the Museum of Flight in Seattle, Washington.

Country: United States
State: Missouri
City: Kansas City
Explanation: This is the Kansas City Museum in Kansas City, Missouri.

Country: United States
State: Kansas
City: Wichita
Explanation: This is the Kansas Aviation Museum in Wichita, Kansas.

Country: United States
State: Ohio
City: Dayton
Explanation: This is the National Museum of the United States Air Force in Dayton, Ohio.

I was pleased to see that Geospy confirmed that the plane was the backend of a Boeing 747. Now it was time to visit the google map for each location above. Because of the red brick buildings I had noticed in the original photo, which look like barracks to me, I decided to visit the National Museum of the United States Air Force in Dayton, Ohio first, which is the 5th response from Geospy.net on the above list.

Time to move on to Geospy.web.app:

I uploaded the airplane photo and got this result:

This is the Jumbo Stay Hotel, a Boeing 747-200 located at Arlanda Airport (ARN) in Stockholm, Sweden.

I thought it was not the correct airplane because the plane in the GeospyAI photo of the hotel linked to a photo that shows a blue nose on its fuselage and the photo I am investigating shows a white nose.  Plus there are no symbols on the nose fuselage either.

I guess it could have been painted over but I think an exact match is required.

Here is a screenshot of the https://geospy.web.app/ reply:

Yet, when I clicked on Open in Maps and Open in Street View, I could not find this Jumbo Stay Hostel on their maps but it did link to this Wikipedia link from China.

https://zh.wikipedia.org/zh-cn/File:Jumbohostel.JPG


I tried a different tactic:

I google imaged the nose of the plane which had the three symbols on the nose with the middle one looking like it was an X. Didn’t find anything meaningful.

I couldn’t find a match and I was running out of patience with myself.

I also googled: “white 747 with dark blue belly and blue and sand colored engines.”

Nothing meaningful.

I was getting weary and decided to call it a night.

The next day, I went over my notes and googled the same exact keywords I had previously.

Then I found this planespotters.net link:

https://www.planespotters.net/photo/170125/n981jm-jumbo-hostel-boeing-747-212b

While looking at the screenshot, the angle of the plane looked familiar to me but this photo showed an airplane with a blue tail and the double-deck has 10 windows, not 9. The original image I have shows an airplane with only 9 windows in the upper deck, but if you look closer below, the 10th window is there, it’s just blotted out (from L to R).

I still was not confident that this is the right plane but then I noticed something in the photo on the bottom left. I added the red arrow to the photo to highlight what I was looking at.

Also the name on this photo seemed like it could be relevant: # N981JM Jumbo Hostel Boeing 747-212B

Because I was stubborn, I kept googling tools and fortuitously learned about Picarta.ai.

After uploading the original photo to Picarta, I got these results:

Location #3 stood out.

  1. Modderfontein, South GPS location around: -26.122700, 28.237867 Confidence: 94.42%
  2. Highland, United GPS location around: 34.096310, -117.235620 Confidence: 94.36%
  3. Rosersberg, Sweden. GPS location around: 59.639690, 17.937380 Confidence: 94.28%
  4. Germiston, South GPS location around: -26.241673, 28.160007 Confidence: 94.12%
  5. Merritt Island, United GPS location around: 28.599716, -80.679470 Confidence: 94.10%
  6. Elsloo, Netherlands. GPS location around: 50.921660, 5.775847 Confidence: 02%
  7. Hallbergmoos, GPS location around: 48.347107, 11.779101 Confidence: 93.85%
  8. Palmdale, United GPS location around: 34.603096, -118.087280 Confidence: 93.80%
  9. Palmdale, United GPS location around: 34.603275, -118.089455 Confidence: 93.80%
  10. Aalsmeer, GPS location around: 52.299393, 4.748866 Confidence: 93.78%

Where else did I read about Sweden before? Oh yes, from geospy.web.app.
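The cross-check described here can be scripted. The following is an added example, not part of the original write-up: it parses the Picarta list exactly as quoted above and keeps only candidates that fall near the place named by the second, independent tool (Arlanda Airport). The Arlanda reference coordinates and the 10 km radius are assumptions chosen for illustration.

```python
import math
import re

# Picarta output as quoted in the write-up; truncated country names and the
# garbled confidence on candidate 6 are kept exactly as they appear.
PICARTA = """\
1. Modderfontein, South GPS location around: -26.122700, 28.237867 Confidence: 94.42%
2. Highland, United GPS location around: 34.096310, -117.235620 Confidence: 94.36%
3. Rosersberg, Sweden. GPS location around: 59.639690, 17.937380 Confidence: 94.28%
4. Germiston, South GPS location around: -26.241673, 28.160007 Confidence: 94.12%
5. Merritt Island, United GPS location around: 28.599716, -80.679470 Confidence: 94.10%
6. Elsloo, Netherlands. GPS location around: 50.921660, 5.775847 Confidence: 02%
7. Hallbergmoos, GPS location around: 48.347107, 11.779101 Confidence: 93.85%
8. Palmdale, United GPS location around: 34.603096, -118.087280 Confidence: 93.80%
9. Palmdale, United GPS location around: 34.603275, -118.089455 Confidence: 93.80%
10. Aalsmeer, GPS location around: 52.299393, 4.748866 Confidence: 93.78%
"""

# Assumption: approximate reference point for Arlanda Airport (not from the page).
ARLANDA = (59.6519, 17.9186)

LINE = re.compile(
    r"^\s*(\d+)\.\s*(.+?)\s+GPS location around:\s*"
    r"(-?\d+\.\d+),\s*(-?\d+\.\d+)\s+Confidence:\s*([\d.]+)%")

def parse(text):
    """Turn each result line into a dict; lines that do not match are skipped."""
    out = []
    for m in map(LINE.match, text.splitlines()):
        if m:
            rank, place, lat, lon, conf = m.groups()
            out.append({"rank": int(rank), "place": place.rstrip(",. "),
                        "lat": float(lat), "lon": float(lon), "conf": float(conf)})
    return out

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def corroborated(cands, hint, radius_km=10.0):
    """Keep candidates within radius_km of the independent hint, nearest first."""
    hits = [dict(c, km=round(haversine_km((c["lat"], c["lon"]), hint), 1)) for c in cands]
    return sorted((c for c in hits if c["km"] <= radius_km), key=lambda c: c["km"])

CANDIDATES = parse(PICARTA)
MATCHES = corroborated(CANDIDATES, ARLANDA)
print(MATCHES)
```

The confidence values sit within about one point of each other, so they do not separate the candidates; agreement between two independent tools does.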

I then clicked on Picarta’s “maps” and all 10 GPS locations lit up on a single map.

I clicked on the Sweden location first.

It took me to the GPS location via Google Maps.

I found it!

The half-painted engines, the blue and sand-colored paint, the X in the middle of the symbols on the nose and the building structure on the horizon are IDENTICAL to the original airplane photo I had to identify.

Picarta.ai for the win!

The plane tail is painted Jumbo Stay. The photo from planespotters is named Jumbo Hostel.

Below is the original photo with annotation.  Again, please note the same tree near nose of plane, same gravel road, same building in far left background.  See the red arrow on the left.

Below is the same building in far left background photo on picarta, enlarged.  I added a red arrow to help point it out:

So I found the plane and yes, it’s in Sweden but I have not yet answered the questions to win the badge.

I still need to find out what # N981JM Jumbo Hostel Boeing 747-212B means.

What is N981JM?  Google replied with a lot of links.

The first one was airhistory.net and it even offered the ICAO code which I circled below:

https://www.airhistory.net/photo/236451/N981JM

To confirm the ICAO code, I googled “ICAO ESSA”.

Google replied:

Stockholm Arlanda Airport (IATA: ARN, ICAO: ESSA) is the main international airport serving Stockholm, the capital of Sweden.

I also found another planespotters.net link which lists all the operators of the plane since it was born in 1976.

https://www.planespotters.net/airframe/boeing-747-200-n981jm-jet-midwest/e0wd63?refresh=1

I looked for the date of April 1993 that was mentioned above in the prologue.

In April 1993 it was operated by NationAir of Canada and leased.

I clicked on the NationAir link:  https://www.planespotters.net/airline/Nationair

Here we go! I found all three elements of the password to unlock the zip file.

To review they were:

country_of_deployement-icao_code_of_airport-country_of_airport

And so, my fellow OSINTers, the correct answer is:

canada-essa-sweden

HACKTORIA BADGE EARNED #7.

 
