LINK ROOM: https://tryhackme.com/room/sakura
TOOLS USED: Exiftool, Sherlock, Google, Yandex, Tor
Today's writeup is less technical: let's practice our investigation skills.
I have included a lot of detail so that you can follow my methodology.
Task 1: INTRODUCTION
The answer is straightforward.
Task 2: TIP-OFF
What username does the attacker go by?
First, let's download this image and look at its metadata. To extract the metadata, I will use ExifTool.
There is a lot of information here, but only one field interests me: Export-filename. It shows the path where the attacker saved the image before exporting it, and the home directory in that path gives away the username of his system account.
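To make the Export-filename leak concrete, here is an added Python example (my own code, not part of the room or of ExifTool) that does by hand what ExifTool reports for a PNG: it walks the chunk list, pulls out the tEXt/zTXt/iTXt text chunks (image editors store their XMP block in an iTXt chunk with the keyword XML:com.adobe.xmp), and then searches that text for home-directory paths and returns the account names they contain. It goes a little beyond the room by also matching Windows C:\Users\ paths. The PNG, the XMP fragment and the path /home/exampleuser/Desktop/profile.png are constructed for the example.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Paths that embed an account name: /home/<user>/..., /Users/<user>/..., C:\Users\<user>\...
PATH_RE = re.compile(rb"(?:/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\<>\"'\s]+)[^<>\"'\s]*")


def png_text_chunks(data: bytes):
    """Walk the PNG chunk list and return (keyword, text_bytes) for every
    tEXt, zTXt and iTXt chunk. Image data (IDAT) is skipped entirely."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG file")
    pos, found = len(PNG_MAGIC), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                      # 4 length + 4 type + body + 4 CRC
        if ctype == b"tEXt":                    # keyword\0 text
            key, _, text = body.partition(b"\x00")
            found.append((key.decode("latin-1"), text))
        elif ctype == b"zTXt":                  # keyword\0 method zlib(text)
            key, _, rest = body.partition(b"\x00")
            found.append((key.decode("latin-1"), zlib.decompress(rest[1:])))
        elif ctype == b"iTXt":                  # keyword\0 flag method lang\0 trans\0 text
            key, _, rest = body.partition(b"\x00")
            compressed, rest = rest[0], rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            found.append((key.decode("latin-1"), zlib.decompress(text) if compressed else text))
        elif ctype == b"IEND":
            break
    return found


def paths_in(text: bytes):
    """Return [(full_path, username), ...] for every account-bearing path in text."""
    return [(m.group(0).decode("utf-8", "replace"), m.group(1).decode("utf-8", "replace"))
            for m in PATH_RE.finditer(text)]


def leaked_paths(png: bytes):
    """(chunk keyword, path) for every path found in the PNG's text chunks."""
    return [(key, path) for key, text in png_text_chunks(png) for path, _ in paths_in(text)]


def leaked_usernames(png: bytes):
    """Sorted, de-duplicated account names recovered from the PNG's metadata."""
    return sorted({user for _, text in png_text_chunks(png) for _, user in paths_in(text)})


# --- constructed sample: a 1x1 PNG skeleton carrying an XMP export path -----------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

SAMPLE_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description>'
              b'<xmp:Export-filename>/home/exampleuser/Desktop/profile.png</xmp:Export-filename>'
              b'</rdf:Description></x:xmpmeta>')            # made-up path and username

SAMPLE_PNG = (PNG_MAGIC
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"iTXt", b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + SAMPLE_XMP)
              + _chunk(b"zTXt", b"Software\x00\x00" + zlib.compress(b"example image editor"))
              + _chunk(b"tEXt", b"Comment\x00exported from a home directory")
              + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for key, path in leaked_paths(SAMPLE_PNG):
        print(f"{key}: {path}")
    print("usernames:", leaked_usernames(SAMPLE_PNG))
```

Run it against a real file with `leaked_usernames(open("image.png", "rb").read())`. The point is that nothing in the image data itself is needed: the account name sits in plain text in a metadata chunk, which is why stripping metadata before publishing an image matters.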
Task 3: RECONNAISSANCE
What is the full email address used by the attacker?
Since we know his username, we can use another tool to check whether he uses the same username on other platforms. I will use Sherlock to look that up:
Thanks to Sherlock, we can see that he has a GitHub profile.
His GitHub profile contains a lot of information (small hint).
We can see that he pushed several things. Let's focus only on the repositories he created himself: PGP, IO and ETH.
If you use ProtonMail, you may be familiar with PGP encryption. In this repository you will find a PGP PUBLIC KEY block.
Maybe we can play around with it? The key is ASCII-armored, which is base64 with a checksum line, so we can decode it (not decrypt it: a public key is not secret, and the email lives in a plain-text User ID packet inside the key). Let's use CyberChef to decode it:
Biimm! There we can find his email.
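Here is an added Python example (my own code, not from the room or the writeup) that shows why CyberChef's base64 decode exposes the address: it strips the ASCII armor, checks the CRC-24 line, walks the OpenPGP packets and returns the User ID packets (tag 13), which hold the name and email as plain UTF-8. It handles both old- and new-format packet headers, so it works on keys from any common generator. The key itself is constructed for the example (a dummy v4 RSA public-key packet plus two made-up User IDs, example@example.com and alias@example.org); it is not a usable key.

```python
import base64
import re
import struct

EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def crc24(data: bytes) -> int:
    """CRC-24 used by the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Wrap binary packets in a PUBLIC KEY BLOCK (used here only to build the sample)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Drop the BEGIN/END lines and armor headers, base64-decode the body and
    verify the '=XXXX' checksum line when one is present."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored PGP block")
    body, crc_line, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line.strip() == ""     # the blank line ends the armor headers
            continue
        if line.startswith("="):
            crc_line = line[1:].strip()
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None and base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = {0: 1, 1: 2, 2: 4}[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def key_identities(armored: str):
    """Return (user_ids, emails) taken from the User ID packets of an armored key."""
    user_ids = [body.decode("utf-8", "replace")
                for tag, body in iter_packets(dearmor(armored)) if tag == 13]
    emails = [m.group(1) for uid in user_ids for m in EMAIL_RE.finditer(uid)]
    return user_ids, emails


# --- constructed sample key: dummy RSA public-key packet + two User IDs ----------
def _old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body       # one-byte length

def _new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body              # one-octet length (< 192)

_pubkey_body = (b"\x04" + struct.pack(">I", 1611360000) + b"\x01"   # v4, creation time, RSA
                + b"\x00\x80" + b"\xc1" + bytes(15)                  # dummy 128-bit MPI n
                + b"\x00\x11\x01\x00\x01")                           # MPI e = 65537
SAMPLE_KEY = armor(_old_packet(6, _pubkey_body)
                   + _old_packet(13, b"Example Person <example@example.com>")
                   + _new_packet(13, b"Example Person <alias@example.org>"))

if __name__ == "__main__":
    uids, emails = key_identities(SAMPLE_KEY)
    print("User IDs:", uids)
    print("Emails:", emails)
```

Paste a real key into `key_identities()` and you get every identity bound to it, including older addresses the owner may have forgotten about; this is exactly the information CyberChef shows as readable strings among the binary after "From Base64".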
What is the attacker’s full real name?
Sherlock is useful, but it sometimes misses social media sites. Let's google his username and see whether we find something.
Haaa!! He has a LinkedIn account, and we can see his real name.
Task 4: UNVEIL
What cryptocurrency does the attacker own a cryptocurrency wallet for?
Remember that I told you he put a lot of information in his GitHub?
Let's check the other repositories he created. This time, let's focus on ETH. (Another little hint: in the cryptocurrency world, ETH stands for Ethereum.)
What is the attacker’s cryptocurrency wallet address?
The purpose of GitHub is to store your code and track every change you make to it, right? So maybe we can find changes he made to his code?
Exactly! He first committed his wallet address in plain text and then removed it, but the earlier commit is still in the repository history.
What mining pool did the attacker receive payments from on January 23, 2021 UTC?
If you google “check cryptocurrency transactions”, you will find this website: https://www.blockchain.com/
There you can see the history of transactions involving his address.
FYI: in the transaction list, the first hash is the transaction hash and the second one is the address the payment came from, in this case the pool.
If you google this address, Google will give you this result:
If you look up the code of this pool, you will see that the pool is …
What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?
blockchain.com is a good website, but I couldn't find the other cryptocurrency there.
However, I found https://etherscan.io/, which gives extra information about the transactions.
You will see that most of the transactions are in Ether. However, some are in …
Task 5: TAUNT
What is the attacker’s current Twitter handle?
Apparently, the attacker made another big mistake: he sent a message from his personal Twitter account. He has since changed his username.
However, if you search Twitter for AikoAbe3, you will find a tweet.
Perfect, now we know his personal Twitter account.
What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?
If you investigate his personal account a bit, you will see this post:
This post contains a hint: he wrote two words in capital letters, DEEP and PASTE. If you google them, you will see that some people talked about it on Reddit:
I tried to access this website over Tor, but apparently it was down while I was solving this room. So I used the room's hint, in which you can see the rest of the link.
What is the BSSID for the attacker’s Home WiFi?
I got stuck here for a while. Then a friend told me that I could “wigle” an SSID, so I started to search for it.
I found the website wigle.net. It is a database with a lot of information about SSIDs and BSSIDs. There you can find a BSSID if you have the physical address of the target or an SSID. Since we have the SSID, we can search for the hacker's BSSID.
Task 6: HOMEBOUND
What airport is closest to the location the attacker shared a photo from prior to getting on their flight?
This question is a bit tricky, but let's find out how to answer it.
First, I uploaded this image to Yandex.com (for me, it is a good reverse image search site).
I tried to isolate the monument. Yandex showed some pictures of what looks like a Turkish monument. At the beginning, I thought he took the picture in Istanbul, but he didn't.
Then I googled “cherry blossoms turkey” and found this picture. It looks very similar to the picture he posted.
If you click on this picture, you will see a lot of information about the place. Basically, he was in Washington during the National Cherry Blossom Festival. Apparently, our hacker really loves cherry blossoms.
The airport closest to that part of Washington is Ronald Reagan Washington National Airport. From here, it is easy to find the airport code, right?
What airport did the attacker have their last layover in?
Let’s take a look at the other picture that he posted.
Here we have two pieces of information:
· JAL: First Class Lounge, Sakura Lounge
· SKYTRAX: 5 Star AIRLINE
If you google “Skytrax”, you will find their website: https://skytraxratings.com
There you can filter the airports: https://skytraxratings.com/airports?stars=5&regions=asia
You will see that there is a 5-star airport in Tokyo => https://skytraxratings.com/airports/tokyo-haneda-airport-rating. From there you can find the airport code.
What lake can be seen in the map shared by the attacker as they were on their final flight home?
That one is quite easy. By now you are fairly sure that he lives in Japan, right? If you compare his image with Google Maps, you can locate this lake easily.
What city does the attacker likely consider “home”?
That one is not so hard. In fact, we have already found the answer. Do you remember where? You are right: in the WiFi identifiers.
One of the WiFi networks is the city's free WiFi, and its SSID is xxxx_Free_Wi-Fi.
Well done if you arrived so far!
If you have an interest in OSINT, I advise you to check the OSINT Framework https://osintframework.com/. It will help you in your future investigations.
I hope that my writeup helped you to better understand all the aspects of this CTF. If you want to read more writeups like this one or have any questions, you can find me on Twitter @dropn0w
Stay safe and keep learning!