The Puppet Master
https://app.hackthebox.com/challenges/The%2520Puppet%2520Master
Challenge Scenario
An anonymous source has shared a photograph of an unidentified military armored vehicle during field operations. Your mission is to conduct a comprehensive OSINT analysis to identify this vehicle and its specifications.
Summary
An OSINT investigation was conducted into a photographic artifact of a military vehicle. By leveraging cryptographic metadata, visual intelligence (VISINT), and domestic transport registries, the asset was identified as a Bushmaster Protected Mobility Vehicle (NZ variant). The unit was successfully traced to the New Zealand Defence Force (NZDF) "Network Enabled Army" (NEA) program, with specific unit identification (VIN/Plate) confirmed via the NZTA database.
Artifacts Provided
Evidence Collection & Metadata
#confidence/high
Technical Verification & Integrity Check
Objective: Establish a cryptographic baseline for the primary evidence to ensure data integrity throughout the lifecycle of the investigation and to facilitate pivot-based searches using file hashes.
The investigation started with the generation of MD5, SHA1, and SHA256 checksums. Establishing these unique identifiers is a standard procedural step to ensure the image remains untampered and to allow for cross-referencing against known military media repositories or threat intelligence databases.
Metadata Extraction
Objective: Analyze the file's internal structure and metadata for origin indicators, geographic markers, or timestamps.
Analysis & Workflow: The investigation commenced with the generation of SHA-256, SHA-1, and MD5 checksums to ensure data integrity. The exiftool output confirms that the image was processed via the gd-jpeg library, a common indicator that the file was retrieved from a web-based Content Management System (CMS) or automated image resizer rather than directly from a camera's local storage. This suggests the image is likely hosted on an official military or news website.
The most significant intelligence gathered during this phase is the filename itself: 20230525_NZDF_P1061532_025. The string "NZDF" is a known acronym for the New Zealand Defence Force. Furthermore, the prefix "20230525" indicates a chronological marker of May 25, 2023.
Intelligence Extracted:
Artifact Hash (SHA-256):
a1fc740ff08157bbee15798a02de9af61f7709f9b97ef15498d5a7518f71523aSource Organization: New Zealand Defence Force (NZDF) #ioc/org
Temporal Marker: May 25, 2023
Processing Hint: Image likely originated from a public-facing NZDF web portal (due to
gd-jpegprocessing).Initial Pivot: Search queries will now focus on NZDF vehicle procurement and 2023 field exercises.
Visual Intelligence (VISINT)
#attack/T1593_002 #attack/T1594 #confidence/high
Visual Identification & Pattern Matching
Objective: Identify the specific vehicle make and model through reverse image search and visual anatomical matching.
Analysis & Workflow: A reverse image search was performed via Google Lens. To increase result fidelity, the search was constrained using the "NZDF" anchor discovered in the file metadata. This pivot successfully filtered out generic armored personnel carriers (APCs) and isolated results relevant to the New Zealand Army's recent procurement programs.
Intel: Bushmaster PMV (NZ Variant)
Motive: Personnel Transport & Protected Mobility
Targeting: High-threat environments (IED/Ballistic)
Infrastructure: Integrated into the "Network Enabled Army" (NEA) digital backbone.
Associated Systems: High-tech digital comms and secure mapping.
Intelligence Extracted: The search results, corroborated by Google AI Overview, positively identified the vehicle as the Bushmaster Protected Mobility Vehicle (PMV).
Origin: Australian-designed and manufactured (Thales Australia).
Acquisition Context: The New Zealand Defence Force (NZDF) officially took delivery of the first 18 units in May 2023, matching the "20230525" date found in the original filename.
Tactical Role: Replacing the aging Pinzgauer Light Operational Vehicles to provide enhanced IED and ballistic protection.
Documentary Evidence Discovery
Objective: Validate visual findings through official government records and extract technical specifications.
Analysis & Workflow: To confirm the specific configuration and operational role of the identified Bushmaster, a targeted search for official procurement and communication documents was conducted. This led to the discovery of an official New Zealand Ministry of Defence publication.
A search for "NZDF Bushmaster technical specifications" returned a redacted Cabinet paper titled Redacted-Bushmaster-Comms.pdf. Analysis of this document confirms the integration of these vehicles into New Zealand's strategic military framework.
Intelligence Extracted: The document details the Bushmaster Communications Project, providing critical insights into the vehicle's internal capabilities:
Network Integration: The vehicles are part of the "Network Enabled Army" (NEA) program, designed for real-time data sharing with coalition allies.
Capability: Installation of advanced digital radios and cryptographic mapping systems for secure combat and disaster relief operations.
Procurement Status: Confirmation of 43 total units ordered, with funding released from the 2023 Budget.
Although the document was released under the Official Information Act (OIA), the non-redacted technical sections reveal the exact digital architecture and communication protocols intended for these mobile platforms.
A visual comparison between the source photograph and Page 8 of the Ministry of Defence document confirms an identical match in vehicle profile and turret configuration.
The vehicle is confirmed as the Bushmaster Protected Mobility Vehicle, specifically the New Zealand variant introduced into service in May 2023.
Manufacturer and Operational Lifecycle
#attack/T1596 #ioc/location #confidence/high
Industrial Attribution & Origin Analysis
Objective: Determine the industrial origin, manufacturer, and operational lifecycle of the identified asset to satisfy vehicle specification requirements.
Analysis & Workflow: Following the identification of the vehicle as a Bushmaster PMV, the investigation pivoted to industrial defense repositories and official media releases to identify the specific design and manufacturing entities.
Manufacturer Verification: Cross-referencing the New Zealand Defence Force (NZDF) media center with industrial data (via Wikipedia and Thales Group) confirmed that the vehicle was designed and produced by Thales Australia (formerly Australian Defence Industries - ADI).
Operational History: Historical records indicate the Bushmaster first entered operational service in 1997. While newly introduced to the NZDF in 2023, the platform has a 26-year service history with the Australian Defence Force (ADF) and other global partners.
Geographical Verification: A Reddit-based lead from
r/The_NZDFindicated that the initial delivery ceremony for the first 18 units occurred at Trentham Military Camp.
Search & Query Logic:
Intel: Thales Australia (Manufacturer)
Motive: Defense Manufacturing / Military Logistics
Targeting: Global Defense Forces (primarily Australia, New Zealand, Netherlands, UK)
Infrastructure: Production facilities in Bendigo, Victoria (Australia)
Associated Assets: Hawkei PMV-L, Bushmaster PMV (Multi-role variants)
Geospatial Correlation
Objective: Confirm the likely location of the original photograph based on technical metadata and corroborating media.
Analysis & Workflow: By analyzing the "Trentham" string found in the delivery announcements and comparing it to the terrain in the source image, the investigation identified a geographical match.
The terrain in the source image—characterized by flat, open fields and proximity to a military installation—is consistent with the Trentham Military Camp in Upper Hutt, New Zealand. Google Maps imagery of the camp's transit and training areas shows architectural and topographical similarities to the background of the primary evidence.
Official NZDF documentation confirms that the Bushmaster Protected Components Modernisation Project (PCMP) acceptance ceremony and initial training phase were centralized at the Trentham Military Camp.
Intelligence Extracted:
Manufacturer: Thales Australia (formerly ADI) #ioc/org
Country of Origin: Australia
Initial Service Date: 1997
Primary Deployment (NZ): Trentham Military Camp
Specifications & Capacity Verification
#attack/T1594 #confidence/high
Operational Specifications Analysis
Objective: Validate the physical and operational parameters of the identified asset through authoritative military documentation and open-source intelligence.
Analysis & Workflow: The investigation cross-referenced the New Zealand Defence Force (NZDF) equipment portal with specialized defense databases to establish a technical profile for the Bushmaster PMV.
Analysis of the NZDF's official "Armoured Bushmaster Vehicle" specification sheet revealed the following tactical parameters:
Weight
11 tonnes (unladen), 5 tonne payload
Gross Vehicle Mass (GVM)
15,400 kg - 17,000 kg (Variant dependent)
Dimensions
7,180mm (L) x 2,480mm (W) x 2,650mm (H)
Powerplant
7,200cc Diesel Engine
Performance
100 km/h Max Speed; 319L Fuel Capacity
Configuration
4x4 Power Assisted
Regarding internal capacity, there is a minor variance between sources (NZDF lists "10 personnel" total, while technical manuals distinguish between roles). Analysis of the seating configuration confirms the vehicle accommodates one driver and nine passengers (infantry section), for a total of ten.
Vehicle Registration Intelligence (Pivoting)
#ioc/plate #ioc/vin #confidence/high #attack/T1591
Registry Enrichment & Lifecycle Verification
Objective: Utilize unique identifiers (License Plates) captured from secondary media to confirm the vehicle's provenance and registration status within New Zealand.
Analysis & Workflow: As an "Extra Mile" investigative pivot, the analyst identified a high-resolution frame from an NZDF official YouTube demonstration showing the license plate QCW341. This identifier was then queried against CarJam, the New Zealand national vehicle registry, to verify the asset's technical registration.
Source Identification: Analysis of NZDF video media (Timestamp 00:38) provided a clear view of the vehicle's rear registration plate.
Registry Lookup: The plate
QCW341was queried via the New Zealand Transport Agency (NZTA) database mirror.Data Correlation: The registry confirmed the asset as a "2023 FACTORY BUILT BUSHMASTER," matching the temporal markers found in the initial file metadata.
Intel: NZDF Fleet Registry (Unit QCW341)
Motive: Domestic Defense Operations / Personnel Protection
Targeting: New Zealand Army (Royal New Zealand Armoured Corps)
Infrastructure: Trentham Military Camp (Hub for PCMP Project)
Associated Identifiers: VIN: 6E9BMAR44MBZX6014, Plate: QCW341
Registry Intelligence:
The identification of the VIN (6E9BMAR44MBZX6014) provides a persistent identifier that can be used to track this specific unit's maintenance history or international deployment if it is ever sold or transferred to a different operating force.
Intelligence Extracted:
VIN:
6E9BMAR44MBZX6014License Plate:
QCW341Registration Date: August 17, 2023
Verification: The registration data confirms the vehicle's origin (Australia) and its status as a brand-new asset within the NZDF fleet as of 2023.
Conclusion
Investigative Timeline
Metadata: Identified NZDF affiliation and 2023 temporal marker via filename analysis.
VISINT: Confirmed model as Bushmaster PMV via RIS and MoD document correlation.
Industrial: Traced manufacturing origin to Thales Australia and operational entry to 1997.
Registry Pivot: Leveraged public transport registries to extract VIN and engine specifications for unit QCW341.
Intelligence Table
Vehicle Model
Bushmaster PMV (NZ Variant)
#confidence/high
Manufacturer
Thales Australia (formerly ADI)
#confidence/high
Operator
New Zealand Defence Force (NZDF)
#confidence/high
Location
Trentham Military Camp, NZ (-41.1437, 175.0353)
#confidence/high
License Plate
QCW341
#confidence/high
VIN
6E9BMAR44MBZX6014
#confidence/high
In-Service Date
1997 (Global); May 2023 (New Zealand)
#confidence/high
References & Sources
Last updated