picoCTF 2023 – who is it

28 March 2023 – Written by Valentin Huber – in ctf, email, forensics, and whois


Challenge

Someone just sent you an email claiming to be Google’s co-founder Larry Page but you suspect a scam. Can you help us identify whose mail server the email actually originated from? Download the email file here. Flag: picoCTF{FirstnameLastname}

Solution

The challenge title indicated a potential whois lookup, so I checked the email for an IP address and found 173.249.33.206.

The lookup yielded Wilhelm Zwalina as the first and last name, so the flag is picoCTF{WilhelmZwalina}.
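The IP-extraction step above can be scripted. The following is an added example, not part of the original write-up: the message is a constructed sample (not the challenge file), the hostnames are placeholders, and `sender_ips` is a hypothetical helper name.

```python
import email
import ipaddress
import re

# Constructed sample message (NOT the challenge file); hostnames are placeholders.
SAMPLE_EML = """\
Received: by 10.0.0.5 with SMTP id abc123;
 Thu, 7 Jul 2022 23:19:48 -0700 (PDT)
Received: from mail.sender.example (mail.sender.example. [173.249.33.206])
 by mx.receiver.example with ESMTPS id xyz789
 for <victim@receiver.example>; Thu, 7 Jul 2022 23:19:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by mail.sender.example with ESMTP id 42; Fri, 8 Jul 2022 06:19:45 +0000
From: Larry Page <lpage@sender.example>
To: victim@receiver.example
Subject: Hello

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sender_ips(raw):
    """Public IPs named in the 'from' clause of each Received header.

    Headers are read top-down, so the hop recorded by the recipient's own
    server comes first; private and loopback addresses are dropped.
    """
    msg = email.message_from_string(raw)
    found = []
    for hop in msg.get_all("Received", []):
        # Keep only the part before "by": that is the connecting client.
        from_clause = re.split(r"(?:^|\s)by\s", hop, maxsplit=1)[0]
        for candidate in IPV4.findall(from_clause):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            if ip.is_global and candidate not in found:
                found.append(candidate)
    return found

if __name__ == "__main__":
    for ip in sender_ips(SAMPLE_EML):
        print(f"whois {ip}")  # run this lookup to get the registrant
```

Only the `Received` line added by the recipient's own mail server is trustworthy; lines further down are written by the sending side and can be forged.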