A room named Sakura Room at TryHackMe to learn and play with Open Source Intelligence techniques.
Task 1: INTRODUCTION
Q: Are you ready?
A: Let’s Go!
Task 2: TIP-OFF
After the introduction you are told that the OSINT Dojo recently fell victim to a cyber attack that left very few indicators of compromise on the system, and they want you to look at what they have to see if you can determine who the attackers were.
An image file left behind by the attacker has been provided to you and is available here.
Q: What username does the attacker go by?
A: Provided by the EXIF data of the image (steps provided below).
wget https://raw.githubusercontent.com/OsintDojo/OsintDojo.github.io/d846483eb41dd4fdb6d00ac84ecdb4a66be6a191/TryHackMe/Sakura/sakurapwnedletter.svg
exiftool sakurapwnedletter.svg
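The step above hands the SVG to exiftool. Because an SVG is plain XML, the same identifying fields can be pulled out directly, which also makes a handy pre-publication check for your own exports. The following is an added example for this writeup, not code from the room or from OSINTDojo; SAMPLE_SVG, the author name and the export path inside it are placeholders I constructed.

```python
# Added example (not the room's or OSINTDojo's code): report the SVG metadata
# that can identify an author, namely the dc:creator element, the editor
# version, and Inkscape's export-filename attribute, which stores the absolute
# path the file was exported from (and so the home directory / account name).
# SAMPLE_SVG is constructed with placeholder values.
import xml.etree.ElementTree as ET

SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     inkscape:version="0.92.0 (placeholder)"
     inkscape:export-filename="/home/example-user/Desktop/letter.png"
     width="100" height="100">
  <metadata>
    <rdf:RDF>
      <cc:Work>
        <dc:creator><cc:Agent><dc:title>Example Author</dc:title></cc:Agent></dc:creator>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <text x="10" y="50">placeholder letter text</text>
</svg>
"""


def local_name(qualified):
    """'{namespace}name' -> 'name' (ElementTree's qualified-name form)."""
    return qualified.rsplit("}", 1)[-1]


def home_user_from_path(path):
    """Account name embedded in a /home/<user>/... or C:\\Users\\<user>\\... path."""
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    for marker in ("home", "Users"):
        if marker in parts:
            idx = parts.index(marker)
            if idx + 1 < len(parts):
                return parts[idx + 1]
    return None


def extract_svg_metadata(svg_text):
    """Return the identity-revealing fields found in the SVG, keyed by name."""
    root = ET.fromstring(svg_text.encode("utf-8"))
    found = {}
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name == "export-filename":
                found["export_filename"] = value
                user = home_user_from_path(value)
                if user:
                    found["export_user"] = user
            elif name == "version" and "{" in attr:
                # namespaced (editor-specific) version, not the SVG spec version
                found["editor_version"] = value
        if local_name(elem.tag) == "creator":
            titles = [t.text for t in elem.iter()
                      if local_name(t.tag) == "title" and t.text]
            if titles:
                found["creator"] = titles[0]
    return found


if __name__ == "__main__":
    for key, value in extract_svg_metadata(SAMPLE_SVG).items():
        print(f"{key}: {value}")
```

Run it on a real file with `extract_svg_metadata(open("file.svg").read())`. On the defensive side, the export path is the field most people forget: Inkscape's Plain SVG export drops the inkscape-namespaced attributes, and a quick grep for `export-filename` before publishing catches the rest.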
Task 3: RECONNAISSANCE
Q: What is the full email address used by the attacker?
A: Searching for the username and finding a PGP public key provided the email (steps provided below).
A search engine gave a quick hit on a business-oriented social media site, but it did not show a usable email address.
Using the username identified in the previous question, I started looking on a few sites to see where that username was being used. A quick search on namechk showed multiple sites where the username was in use.
The username is also in use on GitHub, which is the most likely place to find an email in a config file or other user-generated content.
The PGP public key would contain the attacker's email address.
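A PGP public key carries its owner's name and email in User ID packets, which is why finding one settles this question. Normally you would run `gpg --show-keys key.asc`; the following added example (mine, not the room's or OSINTDojo's code) walks the OpenPGP packet structure itself so it needs no gpg install, and it shows where the address actually lives. SAMPLE_KEY is constructed here from a dummy public-key packet and placeholder User IDs; it is not a usable key.

```python
# Added example (not the room's or OSINTDojo's code): extract User IDs and
# email addresses from an ASCII-armored OpenPGP public key by parsing the
# packet headers (RFC 4880). SAMPLE_KEY is a constructed, non-functional key.
import base64
import re

USER_ID_TAG = 13


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data, kind="PUBLIC KEY BLOCK"):
    """Wrap raw packet bytes in ASCII armor with a CRC24 trailer."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed sample",
                      "", *lines, "=" + crc, f"-----END PGP {kind}-----"])


def dearmor(text):
    """Strip armor lines, decode base64 and verify the CRC24 trailer."""
    b64, crc_line, inside = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif not inside or not line or ":" in line:
            continue  # "Comment:"/"Version:" armor headers are skipped
        elif line.startswith("="):
            crc_line = line[1:]
        else:
            b64.append(line)
    data = base64.b64decode("".join(b64))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch: key block is corrupt")
    return data


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet tag" % (i - 1))
        if ctb & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: tag in bits 2-5, length-size code in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def extract_user_ids(armored_key):
    return [body.decode("utf-8", "replace")
            for tag, body in parse_packets(dearmor(armored_key)) if tag == USER_ID_TAG]


def extract_emails(armored_key):
    """Pull the address out of each 'Name (comment) <email>' User ID."""
    emails = []
    for uid in extract_user_ids(armored_key):
        match = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
        if match:
            emails.append(match.group(1))
    return emails


def build_sample_key():
    # tag 6 (public key) with a dummy body; old-format header, 1-byte length
    dummy_body = bytes([4]) + b"\x00" * 4 + bytes([1]) + b"\x00" * 16
    pubkey = bytes([0x80 | (6 << 2)]) + bytes([len(dummy_body)]) + dummy_body
    uid1 = b"Example User <example@example.invalid>"
    uid2 = b"Example User (work) <alt@example.invalid>"
    packets = pubkey + bytes([0xC0 | USER_ID_TAG, len(uid1)]) + uid1   # new-format header
    packets += bytes([0x80 | (USER_ID_TAG << 2), len(uid2)]) + uid2     # old-format header
    return armor(packets)


SAMPLE_KEY = build_sample_key()
```

Calling `extract_emails(SAMPLE_KEY)` returns both placeholder addresses. A key found in the wild may carry several User IDs, and older ones are often left in place when an address changes, so report all of them rather than the first.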
Q: What is the attacker's full real name?
A: The user's full name was found in the first search, in the result from the business-oriented social media site (steps provided below).
Task 4: UNVEIL
We are now informed that the attackers are on to us and are editing and deleting information to cover their tracks online.
Q: What cryptocurrency does the attacker own a cryptocurrency wallet for?
A: This answer was found by browsing all of his repositories.
Ultimately it was a guess based on the names of the crypto repositories.
Q: What is the attacker's cryptocurrency wallet address?
A: Solution provided in the steps below.
By clicking on “2 commits” you can view the individual edits to the files.
Clicking on the lower of the two, you can see the contents of the original file.
Q: What mining pool did the attacker receive payments from on January 23, 2021 UTC?
A: Ethermine
With the wallet address you can go to etherscan.io and look up all the transactions for the wallet.
Q: What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?
A: Following the transactions in the wallet on Etherscan, you will find the answer at the bottom of the page.
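Both of the last two questions come down to reading the wallet's transaction list: who paid in on a specific UTC day, and which addresses the wallet exchanged with. The question says "UTC" for a reason; Etherscan shows block times in the browser's local zone, and a payment made late on the 22nd UTC is already the 23rd in Japan. The following is an added example for this writeup, not code from the room or from OSINTDojo; SAMPLE_TXS is a constructed list in the shape of Etherscan's transaction records, with placeholder addresses and no real transactions.

```python
# Added example (not the room's or OSINTDojo's code): filter a wallet's
# transaction list by UTC date and list its counterparties. SAMPLE_TXS mimics
# the fields of Etherscan's txlist output (timeStamp in Unix seconds, value in
# wei); all addresses and hashes are constructed placeholders.
from datetime import datetime, timezone, timedelta
from decimal import Decimal

WALLET = "0xwallet0000000000000000000000000000000000"
POOL = "0xpool000000000000000000000000000000000000"
OTHER = "0xother00000000000000000000000000000000000"
EXCHANGE = "0xexchange000000000000000000000000000000000"


def unix(y, m, d, hh, mm):
    """Unix timestamp (as a string, like the API returns) for a UTC wall-clock time."""
    return str(int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp()))


SAMPLE_TXS = [
    {"hash": "0xtx1", "timeStamp": unix(2021, 1, 23, 10, 0), "from": POOL, "to": WALLET, "value": "1500000000000000000"},
    # 23:30 UTC on the 22nd: already 08:30 on the 23rd in Japan (UTC+9)
    {"hash": "0xtx2", "timeStamp": unix(2021, 1, 22, 23, 30), "from": POOL, "to": WALLET, "value": "250000000000000000"},
    {"hash": "0xtx3", "timeStamp": unix(2021, 1, 23, 23, 50), "from": OTHER, "to": WALLET, "value": "10000000000000000"},
    {"hash": "0xtx4", "timeStamp": unix(2021, 1, 25, 8, 0), "from": WALLET, "to": EXCHANGE, "value": "1700000000000000000"},
]


def date_in_zone(ts, offset_hours=0):
    """Calendar date (ISO string) of a Unix timestamp at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(int(ts), tz=tz).date().isoformat()


def incoming_senders_on(txs, wallet, iso_day):
    """Distinct senders of transfers received by wallet on the given UTC date."""
    senders = []
    for tx in txs:
        if tx["to"].lower() != wallet.lower():
            continue
        if date_in_zone(tx["timeStamp"]) == iso_day and tx["from"] not in senders:
            senders.append(tx["from"])
    return senders


def counterparties(txs, wallet):
    """Every address the wallet sent to or received from."""
    others = set()
    for tx in txs:
        for side in ("from", "to"):
            if tx[side].lower() != wallet.lower():
                others.add(tx[side])
    return others


def wei_to_eth(wei):
    """Values are in wei; Decimal keeps the 10**18 scaling exact."""
    return Decimal(wei) / Decimal(10 ** 18)


def received_total_on(txs, wallet, iso_day):
    """Total ether received by wallet on the given UTC date."""
    return sum((wei_to_eth(tx["value"]) for tx in txs
                if tx["to"].lower() == wallet.lower()
                and date_in_zone(tx["timeStamp"]) == iso_day), Decimal(0))


if __name__ == "__main__":
    print("paid in on 2021-01-23 UTC:", incoming_senders_on(SAMPLE_TXS, WALLET, "2021-01-23"))
    print("tx2 date in UTC / JST:", date_in_zone(SAMPLE_TXS[1]["timeStamp"]),
          date_in_zone(SAMPLE_TXS[1]["timeStamp"], 9))
    print("counterparties:", counterparties(SAMPLE_TXS, WALLET))
```

With a real export, feed the list straight in; the second sample transaction is the one to watch, since it is attributed to the 22nd in UTC but to the 23rd when viewed from UTC+9.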
Task 5: TAUNT
We find out that the attacker is aware we are tracking them down, and they post the taunting Twitter message below.
Q: What is the attacker's current Twitter handle?
A: @SakuraLoverAiko
Q: What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?
A: The Dark Web site for this answer may go up and down for hours at a time. If the website has been down for multiple days, or if you do not feel comfortable searching the Dark Web, you can view this screenshot to help complete the tasks in this section: https://ibb.co/1rHfgVb ← this helped a great deal.
Task 6: HOMEBOUND
Q: What airport is closest to the location the attacker shared a photo from prior to getting on their flight?
A: DCA (see below for the walkthrough)
After some initial struggles and some deep breathing exercises, I looked closer at the images, saw something familiar to search for, and realized the picture was taken in Washington, D.C.
Q: What airport did the attacker have their last layover in?
A: HND
The image from the Twitter account showed the JAL Sakura Lounge on Skytrax.
A quick internet search for JAL Sakura Lounge returned results with an airport name.
With the Haneda airport name you can obtain the airport code from Wikipedia.
Q: What lake can be seen in the map shared by the attacker as they were on their final flight home?
A: Lake Inawashiro
Q: What city does the attacker likely consider “home”?
A: Hirosaki
Looking back at the WiFi information we obtained earlier, we know the geographic location.
Cross-referencing it with an online map, we can see the city is Hirosaki.
Thank you to OSINTDojo for such a great room! I learned a lot and had a lot of fun researching and learning new OSINT techniques. #greatjob
[OSINTDojo on TryHackMe]