Sakura Room
Use a variety of OSINT techniques to solve this room created by the OSINT Dojo.
Background story
The OSINT Dojo recently found themselves the victim of a cyber attack. It seems that there is no major damage, and there does not appear to be any other significant indicators of compromise on any of our systems. However during forensic analysis our admins found an image left behind by the cybercriminals. Perhaps it contains some clues that could allow us to determine who the attackers were?
We’ve copied the image left by the attacker, you can view it in your browser here.
Instructions
Images can contain a treasure trove of information, both on the surface as well as embedded within the file itself. You might find information such as when a photo was created, what software was used, author and copyright information, as well as other metadata significant to an investigation. In order to answer the following question, you will need to thoroughly analyze the image found by the OSINT Dojo administrators in order to obtain basic information on the attacker.
Solution:
So let's visit the page.
So it contains a message, and the background has a message in binary. Really, it is useless, but I converted it and the message was a hint.
The binary message was
01000001 00100000 01110000 01101001 01100011 01110100 01110101 01110010 01100101 00100000 01101001 01110011 00100000 01110111 01101111 01110010 01110100 01101000 00100000 00110001 00110000 00110000 00110000 00100000 01110111 01101111 01110010 01100100 01110011 00100000 01100010 01110101 01110100 00100000 01101101 01100101 01110100 01100001 01100100 01100001 01110100 01100001 00100000 01101001 01110011 00100000 01110111 01101111 01110010 01110100 01101000 00100000 01100110 01100001 01110010 00100000 01101101 01101111 01110010 01100101
Which means
A picture is worth 1000 words but metadata is worth far more
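The conversion done by hand above, as an added example that is not part of the original write-up; BINARY_MESSAGE is the octet string from the image background, and the function also accepts an unbroken bit string, which is how such messages are sometimes pasted.

```python
# The space-separated octets as they appear in the image background.
BINARY_MESSAGE = (
    "01000001 00100000 01110000 01101001 01100011 01110100 01110101 01110010 "
    "01100101 00100000 01101001 01110011 00100000 01110111 01101111 01110010 "
    "01110100 01101000 00100000 00110001 00110000 00110000 00110000 00100000 "
    "01110111 01101111 01110010 01100100 01110011 00100000 01100010 01110101 "
    "01110100 00100000 01101101 01100101 01110100 01100001 01100100 01100001 "
    "01110100 01100001 00100000 01101001 01110011 00100000 01110111 01101111 "
    "01110010 01110100 01101000 00100000 01100110 01100001 01110010 00100000 "
    "01101101 01101111 01110010 01100101"
)


def decode_binary(text):
    """Turn a run of 8-bit binary groups into text.

    Works for octets separated by whitespace (as in the image) and for an
    unbroken bit string: every character that is not 0 or 1 is dropped first.
    """
    bits = "".join(ch for ch in text if ch in "01")
    if len(bits) % 8:
        raise ValueError("bit count %d is not a multiple of 8" % len(bits))
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


if __name__ == "__main__":
    print(decode_binary(BINARY_MESSAGE))
```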
So I ran exiftool on that file.
And we got it.
Background
It appears that our attacker made a fatal mistake in their operational security. They seem to have reused their username across other social media platforms as well. This should make it far easier for us to gather additional information on them by locating their other social media accounts.
Instructions
Most digital platforms have some sort of username field. Many people become attached to their usernames, and may therefore use it across a number of platforms, making it easy to find other accounts owned by the same person when the username is unique enough. This can be especially helpful on platforms such as on job hunting sites where a user is more likely to provide real information about themselves, such as their full name or location information.
A quick search on a reputable search engine can help find matching usernames on other platforms, and there are also a large number of specialty tools that exist for that very same purpose. Keep in mind that sometimes a platform will not show up in either the search engine results or in the specialized username searches due to false negatives. In some cases you need to manually check the site yourself to be 100% positive if the account exists or not. In order to answer the following questions, use the attacker’s username found in Task 2 to expand the OSINT investigation onto other platforms in order to gather additional identifying information on the attacker. Be wary of any false positives!
So the questions are
Solution
So now just search the username on Google.
So there are 2 accounts with the same username.
And we got the 2nd question's answer.
Now I was checking the accounts and I found this in his GitHub profile.
A PGP key. PGP is an encryption program, and PGP encryption is also used by ProtonMail.
So just copy the key, save it in a file with the .asc format, and run gpg --import with the file name.
We got the email.
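What gpg --import is reading out of that key is a User ID packet holding the name and email. As an added example that is not part of the original write-up, here is a small walker over the OpenPGP packets of an ASCII-armored public key that returns those User IDs without touching a keyring; it parses a constructed sample key (SAMPLE_UID and build_sample_armor are mine, with a placeholder CRC line), not the attacker's.

```python
import base64

SAMPLE_UID = b"Constructed Sample <sample@example.com>"  # constructed, not the attacker's


def old_format_packet(tag, body):
    """Old-format OpenPGP packet with a 1-octet length (RFC 4880, 4.2.1)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def build_sample_armor():
    """ASCII-armour a dummy public-key packet (tag 6) plus a User ID packet (tag 13)."""
    raw = old_format_packet(6, b"\x04" + b"\x00" * 5) + old_format_packet(13, SAMPLE_UID)
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n%s\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----" % base64.b64encode(raw).decode()


def dearmor(text):
    """Binary packets inside an armoured block; armor headers and the =CRC line are skipped."""
    body, in_block, past_headers = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif line.startswith("-----END PGP"):
            break
        elif in_block and not past_headers:
            past_headers = line == ""              # the blank line ends the armor headers
        elif in_block and not line.startswith("="):  # "=XXXX" is the 24-bit CRC line
            body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                             # new format: tag in the low 6 bits
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                      # old format: tag in bits 2-5, length type in bits 0-1
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length


def user_ids(armored):
    """Every User ID string (name <email>) carried by an armoured OpenPGP key."""
    return [b.decode("utf-8", "replace") for t, b in iter_packets(dearmor(armored)) if t == 13]
```

Feed user_ids() the text of a real .asc file to see the same name and address that gpg --import prints.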
Background
It seems the cybercriminal is aware that we are on to them. As we were investigating into their GitHub account we observed indicators that the account owner had already begun editing and deleting information in order to throw us off their trail. It is likely that they were removing this information because it contained some sort of data that would add to our investigation. Perhaps there is a way to retrieve the original information that they provided?
Instructions
On some platforms, the edited or removed content may be unrecoverable unless the page was cached or archived on another platform. However, other platforms may possess built-in functionality to view the history of edits, deletions, or insertions. When available this audit history allows investigators to locate information that was once included, possibly by mistake or oversight, and then removed by the user. Such content is often quite valuable in the course of an investigation. In order to answer the below questions, you will need to perform a deeper dive into the attacker’s GitHub account for any additional information that may have been altered or removed. You will then utilize this information to trace some of the attacker’s cryptocurrency transactions.
Solution
So while looking through the attacker's GitHub repositories I found this.
And after opening it I found
It has some ID, but it is not what we need, so I just looked at the history.
Boom!!! We got the cryptocurrency wallet address.
And it is the answer to the 2nd question.
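The "look at the history" step done offline, as an added example that is not part of the original write-up: given successive versions of one file, it diffs neighbouring versions and reports any Ethereum-style address that was deleted along the way. HISTORY is a constructed stand-in for the commit history GitHub shows, and the address in it is made up, not the attacker's.

```python
import difflib
import re

# Ethereum-style address: 0x followed by exactly 40 hex digits.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed file history, oldest first. The address is made up.
HISTORY = [
    "# mining setup\npool: ethermine\nwallet: 0x0123456789abcdef0123456789abcdef01234567\n",
    "# mining setup\npool: ethermine\nwallet: REDACTED\n",
    "# mining setup\npool: ethermine\n",
]


def removed_lines(versions):
    """Yield (version_index, line) for every line deleted between consecutive versions."""
    for idx in range(1, len(versions)):
        old = versions[idx - 1].splitlines()
        new = versions[idx].splitlines()
        for line in difflib.ndiff(old, new):
            if line.startswith("- "):       # ndiff marks deleted lines with "- "
                yield idx, line[2:]


def find_removed_addresses(versions):
    """Return every Ethereum-style address that appears only in a deleted line."""
    found = []
    for _, line in removed_lines(versions):
        for match in ETH_ADDRESS.finditer(line):
            if match.group(0) not in found:
                found.append(match.group(0))
    return found


if __name__ == "__main__":
    for idx, line in removed_lines(HISTORY):
        print("removed in version %d: %s" % (idx, line))
    print(find_removed_addresses(HISTORY))
```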
And this is an Ethermine account, which is an Ethereum mining pool, so the currency must be Ethereum.
We got it. Now I just went to a blockchain explorer site to see the wallet history.
And there is a history for that day, according to the question.
And we got the 3rd answer.
And for the 4th answer I was just looking through the history and I found it.
And that's what we need.
Background
Just as we thought, the cybercriminal is fully aware that we are gathering information about them after their attack. They were even so brazen as to message the OSINT Dojo on Twitter and taunt us for our efforts. The Twitter account which they used appears to use a different username than what we were previously tracking, maybe there is some additional information we can locate to get an idea of where they are heading to next?
We’ve taken a screenshot of the message sent to us by the attacker, you can view it in your browser here.
Instructions
Although many users share their username across different platforms, it isn’t uncommon for users to also have alternative accounts that they keep entirely separate, such as for investigations, trolling, or just as a way to separate their personal and public lives. These alternative accounts might contain information not seen in their other accounts, and should also be investigated thoroughly. In order to answer the following questions, you will need to view the screenshot of the message sent by the attacker to the OSINT Dojo on Twitter and use it to locate additional information on the attacker’s Twitter account. You will then need to follow the leads from the Twitter account to the Dark Web and other platforms in order to discover additional information.
Solution:
So this is the screenshot,
So it's a Twitter DM screen; let's visit her account.
But the account doesn't have anything except 2 following and 3 followers, so let's check them.
I think all the followers are CTF players lol!!
I didn't get anything from the following list, but at the same time I found this.
And after opening this account I got something.
So I am on the right track; let's see the questions.
And we got the 1st answer.
For the 2nd question we need to use the dark web.
Warning: I am doing everything in a protected way. If you don't feel comfortable using the dark web, please go with the hint.
So I will just show the way.
And there is an image.
So while doing a deep search we get an onion site, DeepPaste, and we have an MD5 ID in the image above.
So let's play with it.
I just uploaded a sample file and got this MD5, so just replace my MD5 with the attacker's MD5.
And we found it.
And boom.
And if you don't want to visit the dark web, use the hint; it has a screenshot of the page.
And the next question is a little harder. We need to find the BSSID, so let's start the game.
I have solved many CTFs, so I know that we can use wigle.net for this. 😁😁
So let's do it.
I used the advanced search feature to find it. You need an account for this; just search for one on BugMeNot.
And we got the answer to the 3rd question.
Background
Based on their tweets, it appears our cybercriminal is indeed heading home as they claimed. Their Twitter account seems to have plenty of photos which should allow us to piece together their route back home. If we follow the trail of breadcrumbs they left behind, we should be able to track their movements from one location to the next back all the way to their final destination. Once we can identify their final stops, we can identify which law enforcement organization we should forward our findings to.
Instructions
In OSINT, there is oftentimes no “smoking gun” that points to a clear and definitive answer. Instead, an OSINT analyst must learn to synthesize multiple pieces of intelligence in order to make a conclusion of what is likely, unlikely, or possible. By leveraging all available data, an analyst can make more informed decisions and perhaps even minimize the size of data gaps. In order to answer the following questions, use the information collected from the attacker’s Twitter account, as well as information obtained from previous parts of the investigation to track the attacker back to the place they call home.
Solution:
So it's IMINT (imagery intelligence). Let's play it.
So somewhere near "cherry blossoms". But meanwhile I found this.
So it might be a hint; let's check it.
I think we got it.
BOOM!! That's right.
Now for the 2nd question I found this image.
There is "JAL" and "First Class Lounge, Sakura Lounge" written, so let's search that:
JAL is Japan Airlines, and boom, we got the airport name.
And we got answer no. 2.
Now for the 3rd answer this tweet might help.
Just by Google searching the image, I found this.
So let's see this on the map, and I found this.
And we got the last answer.
Thanks.
Originally published at https://adarshkrdubay.github.io.