Category: OSINT
Points: 250
Flag: DawgCTF{N609AS}
Description: You managed to snap this photo just after takeoff. The view looked familiar… but you didn’t think much of it at the time. Now you’re curious, what aircraft were you actually on? Find the registration number of this aircraft.
I started by figuring out where the photo was taken. The approach was dumb, but it worked: I opened Google Maps and manually checked coastal US cities that had airports near the water. Seattle matched. The key area was the pair of airports there, King County International Airport and Seattle-Tacoma International Airport. Switching Google Maps into 3D made the skyline and coastline line up with the photo, so that gave me Seattle.
After that, the only thing left to pull from the image was the timestamp.
exiftool "/home/rei/Downloads/planespotting3.jpg"Date/Time Original : 2023:07:18 06:54:49.512-07:00That gave a local time of 06:54:49 in UTC-7, which is 13:54 UTC. From there the problem turned into a historical flight lookup around Seattle at that exact minute.
ADS-B Exchange’s map help page documents that the replay view can be enabled with the replay parameter, so I used its historical replay around Seattle and compared aircraft visible at 13:54 UTC and 13:55 UTC. The first broad replay view at 13:54 UTC showed a mix of airline traffic and local aircraft. The rows that mattered most were the lower-altitude departures and approaches, especially these two: a1388c ... E75L ... 675 ... 126 and a7e8bf ... B737 ... 5425 ... 258. A separate row also showed a331f6 ... ASA108 ... B739 ... 10075 ... 287, but that aircraft was already much higher.
I initially checked the low E175 candidate and resolved its hex code with adsbdb, but that ended up being the wrong direction of travel. To tell whether the low aircraft was climbing out or coming in, I moved the replay forward by one minute and compared the same area again at 13:55 UTC. At that point a1388c had dropped from 675 feet to 100 feet, which meant it was descending toward the airport, not leaving it. In the same comparison, a7e8bf had climbed from 5425 feet at 13:54 UTC to 8000 feet at 13:55 UTC, which fit a departure.
After that, I resolved the climbing aircraft’s Mode S code with adsbdb.
curl -s https://api.adsbdb.com/v0/aircraft/a7e8bf{"response":{"aircraft":{"type":"737NG 790/W","icao_type":"B737","manufacturer":"Boeing","mode_s":"A7E8BF","registration":"N609AS","registered_owner_country_iso_name":"US","registered_owner_country_name":"United States","registered_owner_operator_flag_code":"ASA","registered_owner":"Alaska Airlines","url_photo":"https://airport-data.com/images/aircraft/001/650/001650478.jpg","url_photo_thumbnail":"https://airport-data.com/images/aircraft/thumbnails/001/650/001650478.jpg"}}}That identified the aircraft as Alaska Airlines registration N609AS.