Martin Rozariyo

L3m0nCTF2025-Writeups

Challenge Overview: Hotel Bagavathi

Category: OSINT
Event: L3m0nCTF 2025
Role: Challenge Author

Authors: R0z4riy0 & akvnn

🛠️ Author Note
This challenge was authored by us for L3m0nCTF 2025.
The following explanation describes the intended OSINT investigation path.

Intended Analysis Path

The challenge was designed to test:

  • cross-platform OSINT correlation
  • recognition of indirect social media breadcrumbs
  • interpretation of entertainment media as contextual clues
  • extraction of technical metadata from public reviews
  • assembling unrelated information into a coherent narrative

Brute-force searching or single-platform investigation was intentionally insufficient.

Problem

Target: larry lmn

The target is sloppy. They posted a link to their new project on one of their social media accounts. Locate the account, find the project source code, and recover the hidden location metadata. And not only that, there is more to find out.

We need two things:

The BSSID of the WiFi network.

The Total Bill amount found in the evidence.

Flag Format: L3m0nCTF{BSSID_TOTALBILL}

Authors : R0z4riy0 & akvnn


Analysis Phase 1 — Identifying the Initial Online Presence

The investigation begins by surveying commonly used social media platforms to identify the subject’s public online presence.

The profile can be found on VK, a popular Russian social media platform.

He had uploaded a post containing a GitHub link; opening it takes you to the GitHub page.

Analysis Phase 2 — Source Code Artifact Discovery

Clone the repository and search it for keywords.

The search turns up a Base64-encoded string:

aHR0cHM6Ly9vcGVuLnNwb3RpZnkuY29tL3V2ZXIVMzF4NnB1M3hoY2YyNm1sMzRtdWNqZDdzcWgodT9zaT12ZGZnQWVfbVIxbUp4SkZSdXVEWDh3

On decoding that in CyberChef, I got a Spotify link.
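
As an added example (not part of the original writeup or the challenge repository), the search-and-decode step of this phase can be automated: the Python below walks a cloned tree, decodes every Base64-looking run, and reports the ones that decode to a URL. The 24-character minimum, the function names and the sample repository are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Runs of base64 alphabet long enough to hold a URL; shorter runs are mostly noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_candidate(token):
    """Return the decoded text if token is base64 for printable ASCII, else None."""
    body = token.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_tree(root):
    """List (file, line number, URL) for every base64 run that decodes to a URL."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        lines = path.read_text(errors="ignore").splitlines()
        for lineno, line in enumerate(lines, 1):
            for token in B64_RUN.findall(line):
                text = decode_candidate(token)
                if text and text.startswith(("http://", "https://")):
                    hits.append((path.relative_to(root).as_posix(), lineno, text))
    return hits

def demo():
    """Scan a constructed two-file repository (sample data, not the challenge repo)."""
    hidden = base64.b64encode(b"https://example.com/playlist/constructed").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "README.md").write_text("# demo project\nNothing to see here.\n")
        (root / "src" / "config.js").write_text(
            "const retries = 3;\n"
            f"const ref = '{hidden}'; // looks like an opaque id\n"
            "const id = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ012345'; // decoy, not text\n"
        )
        return scan_tree(root)

if __name__ == "__main__":
    for rel, lineno, url in demo():
        print(f"{rel}:{lineno}: {url}")
```

The same scan is useful on your own repositories before publishing them, since Base64 only hides a link or token from a casual read.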

Analysis Phase 3 — Indirect Identity Expansion

If you search through the profile, you can find a playlist with a few songs.

In this playlist, taking the first letter of every song title reveals a hidden clue: INSTAARIVUDAS

The name suggests that the profile may exist on Instagram, and searching for it there confirms that the account exists.

There are three reels here. Going through them one by one, one specific reel (the recent reel) contains two screenshots, each shown for 0.01 seconds; you need to look through it to proceed to the next clue.

I have added those screenshots below,

[Two screenshots from the reel]

In the screenshots we can see a conversation between the user instaantonydas and instaarivudas, in which he mentions that, because of the poor WiFi signal and also the coffee, he gave the shop a one-star review.

First, we need to find where the shop is.

The profile picture is a still from a scene in the movie LEO where he is in the cafe; if you have watched the movie, you could easily have guessed that it is Sifar Cafe.

The reference can also be verified using reverse image search to identify the filming location.

Analysis Phase 4 — Location & Network Metadata Correlation

He mentioned in the image that he had given the shop a one-star review, so now we need to search the cafe review websites.

One of the well-known review websites is Tripadvisor.

Searching for the cafe there and checking the reviews, you can find one specific review which is kinda sus.

That review gives the BSSID of the WiFi, which is a part of the flag.

Analysis Phase 5 — Secondary Evidence Correlation

The reviewer's profile is also kinda sus: it is given as a string of alphanumeric characters that carries no meaning. Searching for it shows that it is a Pastebin URL:

https://pastebin.com/88fFyTM1

The paste itself contains another URL.

Following this URL, we find that it is a website full of racing blogs from Vetrivel.

As our scenario is set in Jammu and Kashmir, let's look for Srinagar to see whether any events occurred there; doing so, we find a blog post on the Srinagar F4 Street Demo.

Reading it, the post mentions the amount he paid that day, which was 494.72.

Combining these details gives the flag.

Flag

L3m0nCTF{00:1A:2B:3E:4D:5A_494.72}