OSINT

OSINT: TryHackMe Sakura Room

INTRODUCTION

The room begins with a quick plot to get us into this investigation world..

->1 Let’s Go!

TIP-OFF

We open the image left by the attacker and using the element Inspect of our browsers we can see on the image path a Username, here:

That would give us or Answer: SakuraSnowAngelAiko

RECONNAISSANCE

Here I decided to start googling the Username to see what can we find:

The first 2 things we see here is a Github account and in second place, a possible Linkdin account related to this name.

Here I began checking the repository that contains the public key and tried to find a site to crack/recover anything from it. After some failed attempts, I found this site:

Answer: SakuraSnowAngel83@protonmail.com

Now digging a little bit found other interesting stuff on GitHub, but didn’t lead me to her name, so I decided to check the name from the Linkedin account:

Tested and It worked! our Answer for the second question is: Aiko Abe

UNVEIL

Remember that interesting thing I said before about Github? well, this is it. If you go to:

Check the “History” and select the oldest, you should see the following:

Here’s what it seems to be a cryptowallet. I checked this with a couple sites that gave me some info, but finally the most useful was:

https://etherchain.org/

The first answer as soon as you check this address anywhere is: Ethereum

The second answer is the one we already found at GitHub: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

Now on the Etherchain site, after you search for the wallet and see the transactions, you should see the answers to questions 3 and 4 almost at the same place:

Answer 3, for the mining pool of this transaction: Ethermine

And then Answer 4, the other cryptocurrency that the attacker exchanged: Tether

TAUNT

Here, not much of an effort:

Answer: SakuraLoverAiko

Now, this one got me for a while thinking:

Googling a little bit the Keywords DEEP, PASTE and Pasted I got a DarkWeb site called “Deep Paste” or “depasted“. You will need to access using a TOR browser to:

http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 (Which is our Answer 2)

Here you need to search the MD5 of the previous picture and you will get different Wi-Fi information, the one that we need is Home.

Using the WI-FI name obtained on the well known site Wigle, on Advanced Search (Requires from you to sign in) we get:

Our Answer 3 is listed right there: 84:af:ec:34:fc:f8

HOMEBOUND

The last task…here we go!

Lets check the photos shared on twitter:

looking for the closest airport in google gave me:

And it’s also our first Answer: DCA

Looking at the other tweets, we saw this one:

Once again, googling this:

Actually here I tested both, and it was Haneda. Our Answer is the short version: HND

For the last two I decided to jump first to the last question, using the BSSID obtained from the previous section, we can see on the same Wigle site that the location is Hirosaki

So checking Japan’s map, going from Haneda to Hirosaki you can easily find the lake of the picture:

The Answer 3 is: Lake Inawashiro

And as we already found out a minute ago, the Answer 4 (and last one) is: Hirosaki

I hope you have enjoyed this room as much as I did. Thank you for reading my walkthrough!

Standard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s