BSides Canberra 2018 CTF Write-Up: Maze — Two Bird

This is a write-up of the Maze — Two Bird challenge from the BSides Canberra 2018 CTF. This challenge was worth 350 points.

So you know my first name. What else do you know about me? Or, what do you want to know?

I’ll give you a hint, have a look at my profile picture attached. If you can find any of the medium’s I’m on, you’ll be rewarded.


For this challenge we are given the description above as well as a file called image.jpg

This is the image provided in the challenge

There did not appear to be any data hidden through steganographic means, so we instead turned our attention to the metadata of the image.

To gather this metadata we used a free online tool such as .

From this metadata we noticed that artist was “h. hashimoto”. Given that the CTF was called “The Return of Hahn” we make the assumption that his first name is Hahn. Full name, Hahn Hashimoto.

Using this information, we look at the information provided in the description — which mentioned a PGP signature. With a bit of research we find out that PGP is a method of sending encrypted messages. PGP uses public keys whcih are often listed on public databases.

So, we searched the MIT PGP key database at for “Hahn Hashimoto”.

This returned a result for a ProtonMail email address — which we promptly emailed but did not receive a reply 🙁 We figured that the reply would be instant, so we stared looking elsewhere.

Since this is a challenge of logic, we needed to turn to our riddle solving skills. The challenge description mentions birds, so what mediums this person is on? What social media platforms have a bird as a prominent mascot? Twitter!

There is a method to find Twitter accounts from an email address, but you need to install the Twitter app and then sync your contacts. So, we created a new Twitter account, a blank address book on our computer, added to the address book, and then synced the contacts to the Twitter account. This then allowed us to use the “Find Friends” feature on Twitter and search for Hahn Hashimoto.

This yielded a Twitter account for Hahn Hashimoto and the biography seemed to match. The profile picture was a QR code…

…which when scanned, showed the flag.

This was a really cool puzzle in logic, so thanks to Elttam for this super fun challenge!