INTRODUCTION
The room begins with a quick plot to get us into this investigation world..
->1 Let’s Go!
TIP-OFF
We open the image left by the attacker and using the element Inspect of our browsers we can see on the image path a Username, here:
That would give us or Answer: SakuraSnowAngelAiko
RECONNAISSANCE
Here I decided to start googling the Username to see what can we find:
The first 2 things we see here is a Github account and in second place, a possible Linkdin account related to this name.
Here I began checking the repository that contains the public key and tried to find a site to crack/recover anything from it. After some failed attempts, I found this site:
Answer: SakuraSnowAngel83@protonmail.com
Now digging a little bit found other interesting stuff on GitHub, but didn’t lead me to her name, so I decided to check the name from the Linkedin account:
Tested and It worked! our Answer for the second question is: Aiko Abe
UNVEIL
Remember that interesting thing I said before about Github? well, this is it. If you go to:
Check the “History” and select the oldest, you should see the following:
Here’s what it seems to be a cryptowallet. I checked this with a couple sites that gave me some info, but finally the most useful was:
The first answer as soon as you check this address anywhere is: Ethereum
The second answer is the one we already found at GitHub: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
Now on the Etherchain site, after you search for the wallet and see the transactions, you should see the answers to questions 3 and 4 almost at the same place:
Answer 3, for the mining pool of this transaction: Ethermine
And then Answer 4, the other cryptocurrency that the attacker exchanged: Tether
TAUNT
Here, not much of an effort:
Answer: SakuraLoverAiko
Now, this one got me for a while thinking:
Googling a little bit the Keywords DEEP, PASTE and Pasted I got a DarkWeb site called “Deep Paste” or “depasted“. You will need to access using a TOR browser to:
http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 (Which is our Answer 2)
Here you need to search the MD5 of the previous picture and you will get different Wi-Fi information, the one that we need is Home.
Using the WI-FI name obtained on the well known site Wigle, on Advanced Search (Requires from you to sign in) we get:
Our Answer 3 is listed right there: 84:af:ec:34:fc:f8
HOMEBOUND
The last task…here we go!
Lets check the photos shared on twitter:
looking for the closest airport in google gave me:
And it’s also our first Answer: DCA
Looking at the other tweets, we saw this one:
Once again, googling this:
Actually here I tested both, and it was Haneda. Our Answer is the short version: HND
For the last two I decided to jump first to the last question, using the BSSID obtained from the previous section, we can see on the same Wigle site that the location is Hirosaki
So checking Japan’s map, going from Haneda to Hirosaki you can easily find the lake of the picture:
The Answer 3 is: Lake Inawashiro
And as we already found out a minute ago, the Answer 4 (and last one) is: Hirosaki
I hope you have enjoyed this room as much as I did. Thank you for reading my walkthrough!
C:\Users\Escafl0wn3 