2024 CISA ICS CTF - Mission Inconceivable

Onto the next challenge category in the CISA ICS CTF - Virbank City. This time we’re going to be taking a look at the Mission Inconceivable challenge set. There was a ton to learn from this one, so I’m excited to take a shot at this one next.

This CTF has some infrastructure setup for the players to use; Malcolm, Arkime, NetBox and CyberChef. Some of these services we’ll be using in this challenge, some won’t. I’ll probably put this brief little introduction in each post so we’re all on the same page. Anyways, onto the challenges!

Mission: Inconceivable 1

Virbank Medical was hit in a ransomware attack - or that’s how it seems. The hackers were demanding something interesting not money, no. Something else… Tacos! The task here is to identify the name of the city/town that the hackers are in.

Right off the bat, I noticed something peculiar about this picture. There’s a pen from a California based hotel and spa. Now, truth be told, I didn’t read the question as well as I should have… There was a bold disclaimer stating Note: It has nothing to do with the pen found in this image :,) oh.

Well, that’s neat. What else can we gather. Better Homes and Gardens in the background, Charles Schwab, barcodes, sunglasses, and mail. Well, mail is always an interesting one. I’m sure you’ve probably noticed this marking before on some mail you’ve received.

Well, as it turns out, this can be used to trace the originating location of the mail. This is a barcode called the “Intelligent Mail Barcode”. I tried to look up an OCR tool to expedite the process, but ultimately, I couldn’t find one. This is honestly probably just a skill issue, but I knew what I had to do once I saw it. Armed with this online utility from USPS, I was on a quest. Each bar represents a “key”. This key is used to translate into a code, which they then parse into a location. Magic.

So, let’s practice, the first set is. DAFFFDDFTTF. One descending, one ascending, three full bars, two descending, one full, two tracks and one full. Eventually, the whole thing will be decoded and we’ll be left with the following answer: 82336. This is a ZIP code that belongs to Wamsutter, Wyoming. Definitely the middle of nowhere.

Mission: Inconceivable 2

Next, we need to narrow the location down even more. Using classic OSINT tactics, we need to use WiGLE (as directed) to identify any suspicious location where the attacker may be hiding out. The initial reaction is maybe their SSID has something to do with Tacos?

Surprise… That’s exactly it :D The BSSID is 8A:9C:67:46:08:B1

Mission: Inconceivable 3

Now, through the power of magic, we’ve identified a list of shared coordinates in Google Maps that are numbered 1-9. Looking at the locations themselves, there’s nothing that really stands out about them - they’re all located in Australia, but there’s nothing that spells out any sort of flag. Maybe the name of the locations? Ehh. Nothing really lines up well.

But you know what does? Switching to Satellite view. Doing so gives us a different perspective.

noburrito! Now that sounds like a flag to me!

Mission: Inconceivable 4

Now, the last question wasn’t as fun - they kinda threw it in there as a curve ball. The question is essentially “What is the property value of this location in 2022?”. This location is One Apple Park Way, Cupertino, California.

You can solve this one pretty easily by searching for property tax records and going back to 2022 where the appraised value of the land is listed for some obnoxious amount of money.

About $354,182,317 was the right answer, I believe. Like I said, some obnoxious amount of money. I just kinda rolled my eyes on this one.

Closing Thoughts

This was a fun one because it taught me something new about Intelligent Mail Barcodes - not something you get to do, or even think about every day. It’s pretty cool that USPS has this on their site. Chal 4 felt super out of place and kind of unnecessary, but none the less, I enjoyed the rest of them.