TryHackMe - Sakura Room

Task 1  INTRODUCTION

• Background:
• Designed to test various OSINT techniques.
• Beginner-friendly challenges.
• Involves a sample OSINT investigation.
• Goal is to identify information to catch a cybercriminal.
• Each section provides pretext and questions.
• Flags are staged, based on real-world OSINT knowledge.
• Answers via passive OSINT only.
• No active techniques allowed (e.g., reaching out to account owners).
• Contact: Reach out with questions via Twitter @OSINTDojo.
• Instructions:
• Type "Let's Go!" in the answer box to begin.

Answer the questions below

• Are you ready to begin? Let's Go!

Task 2  TIP-OFF

• Background:
• OSINT Dojo recently experienced a cyber attack.
• No major damage reported; no significant compromise indicators on systems.
• During forensic analysis, an image left by the cybercriminals was discovered.
• The image may contain clues to identify the attackers.
• The image is accessible for viewing in the browser.
• https://raw.githubusercontent.com/OsintDojo/public/3f178408909bc1aae7ea2f51126984a8813b0901/sakurapwnedletter.svg
• Instructions:
• Images can reveal valuable information, including creation date, software used, author details, copyright info, and embedded metadata.
• Thoroughly analyze the image left by the cybercriminals.
• The goal is to obtain basic information about the attacker.
• Use the provided image link in your browser to perform the analysis.

Answer the questions below

1. What username does the attacker go by?
1. let’s open the image

2. let’s check the source code of the image to see any related information because the same image doesn’t give us any related information just that I had been hacked

1. as we can see there is the image path with the name of the use under the /home directory
2. answer → SakuraSnowAngelAiko

Task 3  RECONNAISSANCE

• Background:
• The attacker made a significant operational security mistake by reusing their username across multiple social media platforms.
• This presents an opportunity to gather additional information on the attacker by locating their other social media accounts.
• Reusing the username may facilitate the identification process.
• Emphasis on finding other accounts owned by the attacker.
• Instructions:
• Many digital platforms have a username field, and users often reuse their usernames across different platforms.
• Unique usernames can lead to the discovery of additional accounts owned by the same person.
• Particularly effective on platforms where users provide real information, such as job hunting sites.
• Conduct a quick search on reputable search engines or use specialized tools to find matching usernames on other platforms.
• Be cautious of false negatives; sometimes platforms may not appear in search results or specialized searches.
• Manually check platforms for confirmation if needed.
• Use the attacker's username from Task 2 to expand the OSINT investigation onto other platforms.
• Gather additional identifying information on the attacker, but be wary of false positives.

Answer the questions below

1. What is the full email address used by the attacker?
1. let’s search for SakuraSnowAngelAiko using some google dorks → "SakuraSnowAngelAiko" email

1. going to GitHub → https://github.com/sakurasnowangelaiko
2. using the keyword email in github

1. no result
3. going back to the main page and checking interesting pages → the PGP page

1. Let’s try to decode this PGP key
4. going to this website → https://cirw.in/gpg-decoder/


1. answer → SakuraSnowAngel83@protonmail.com
2. What is the attacker's full real name?
1. going back to his GitHub

1. so now his first name is Aiko
2. using Aiko with his name we have → sakurasnowangelaiko "Aiko”

1. as we see we have a twitter - GitHub - LinkedIn account that are related to the same name
3. going to the twitter account

4. using waybackmachine to check if he changed his username

1. no result

d. going to the LinkedIn URL we found → https://www.linkedin.com/pub/dir/Aiko/Abe

• note i didn't found his LinkedIn profile so I’ll just try Aiko Abe as we have results name from the upper URL
• answer → Aiko Abe

Task 4  UNVEIL

• Background:
• The cybercriminal is aware of the investigation, evidenced by edits and deletions on their Github account.
• Indicators suggest the account owner is attempting to obstruct the investigation by altering or removing information.
• The motive for these actions is likely to eliminate data that could contribute to the investigation.
• The goal is to retrieve the original information that the attacker provided on Github.
• Instructions:
• Edited or removed content on some platforms may be unrecoverable unless cached or archived elsewhere.
• Some platforms offer audit history functionality, allowing investigators to view edits, deletions, or insertions.
• Audit history can reveal information initially included by mistake or oversight and later removed by the user.
• This recovered content is valuable in the investigation.
• Perform a deeper dive into the attacker's Github account to identify any altered or removed information.
• Use this information to trace the attacker's cryptocurrency transactions.

Answer the questions below

1. What cryptocurrency does the attacker own a cryptocurrency wallet for?
1. going to his GitHub repertories → https://github.com/sakurasnowangelaiko?tab=repositories



1. as we can see he have an eth-wallet → so ETH is Ethereum
2. answer → Ethereum
2. What is the attacker's cryptocurrency wallet address?
1. at the same page we are at let’s check the history


1. opening the update page

2. answer → 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
3. What mining pool did the attacker receive payments from on January 23, 2021 UTC?
1. search for 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

2. going to → https://etherscan.io/txs?a=0xa102397dbeebefd8cd2f73a89122fcdb53abb6ef


1. answer → Ethermine
4. What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?
1. going back to the main page

1. we have outgoing transactions let’s check it out
2. opening it

1. answer → Tether

Task 5  TAUNT

• Background:
• The cybercriminal is aware of the investigation and taunted the OSINT Dojo on Twitter.
• The Twitter account used for taunting has a different username than the one previously tracked.
• The goal is to locate additional information about the attacker's Twitter account.
• Instructions:
• Users may have alternative accounts separate from their main ones for various purposes.
• These alternative accounts could contain unique information not found in their primary accounts.
• Investigate thoroughly to uncover details from alternative accounts.
• View the screenshot of the message sent by the attacker to the OSINT Dojo on Twitter.
• Use the screenshot to locate additional information about the attacker's Twitter account.
• Follow leads from the Twitter account to explore connections on the Dark Web and other platforms.
• Discover additional information to enhance the understanding of the attacker's activities and intentions.

Answer the questions below

1. What is the attacker's current Twitter handle?
1. as the previous search we found his twitter account → https://twitter.com/sakuraloveraiko?lang=en

2. answer → SakuraLoverAiko
2. What is the URL for the location where the attacker saved their WiFi  SSIDs and passwords?
1. in his twitter account I found two important posts that are related to the WiFi

2. I’ll go to the dark web to DEEP PASTE ( these are the only CAPS letter he gave me ) → http://depastedihrn3jtw.onion → DeepPaste, a new extensive site. Paste, chat and links → but the website was down


3. opening Hint

4. opening → https://raw.githubusercontent.com/OsintDojo/public/main/deeppaste.png

1. answer → http://deepv2w7p33xa4pwxzwi2ps4j62gfxpyp44ezjbmpttxz3owlsp4ljid.onion/show.php
3. What is the BSSID for the attacker's Home WiFi?
1. going to https://www.wigle.net/
2. in the advanced search → DK1F-G

3. answer → 84:af:ec:34:fc:f8

Task 6  HOMEBOUND

• Background:
• Tweets from the cybercriminal suggest they are heading home as claimed.
• The Twitter account contains photos that can help piece together their route back home.
• The goal is to track the cybercriminal's movements from one location to the next, ultimately identifying their final destination.
• The intention is to forward findings to the appropriate law enforcement organization.
• Instructions:
• OSINT often involves synthesizing multiple pieces of intelligence for conclusions.
• There might not be a clear "smoking gun," but combining data helps form likely, unlikely, or possible conclusions.
• Leverage information from the attacker's Twitter account and data obtained in previous parts of the investigation.
• Track the cybercriminal's journey back home using the breadcrumbs left in the Twitter photos.
• Identify the final stops to determine the law enforcement organization to which findings should be forwarded.
• Utilize all available data to make informed decisions and minimize data gaps in the investigation.

Answer the questions below

1. What airport is closest to the location the attacker shared a photo from prior to getting on their flight?
1. going to his twitter account I find tweets that are related to each other, one about a city Bethesda so I’ll search for Bethesda airport codes and this tweet have cherry blossom keywords and the other have “Checking out some last minute cherry blossoms before heading home!” so I’ll assume they are related to each other


2. search for → Bethesda airport code

3. answer → DCA
2. What airport did the attacker have their last layover in?
1. going with this tweet with layover keyword

2. using image lens

1. the lounge belongs to Japan Airlines (JAL)
3. search for → japan airlines jal sakura lounge

4. search for → Tokyo International Airport Haneda code

1. answer → HND
3. What lake can be seen in the map shared by the attacker as they were on their final flight home?
1. going to the twitter account for a lake image

2. going to google map and searching for Tokyo


1. answer →Lake Inawashiro
4. What city does the attacker likely consider "home"?
1. going back to the dark web image

1. answer →hirosaki