After having such a great time on Kase Scenarios’ Dark Waters, I’m going to move over to TryHackMe and attempt some of their OSINT-specific challenges – https://tryhackme.com/room/somesint
It’s worth noting that this challenge is a number of years old now. And as we know in OSINT, lots of things can change in a short amount of time. If you read the following TryHackMe blog https://tryhackme.com, the following problems are listed and good to know. I crossed out two, as they are both 100% findable using the Wayback Machine. Good luck.
KaffeeSec – SoMeSINT offers an intro to SOCMINT (Social Media Intelligence/Investigation) techniques and tooling. We’re going to use our OSINT skills to perform an online investigation of a mysterious husband!
Let’s get into it.
We’re told that in this room, we’ll be learning about social media analysis and forensics. We’ll learn about Google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. We don’t need any previous knowledge of OSINT for this room.
When we complete this room, we should be comfortable applying tools and methodologies to gather information through social media, and answer context-based questions concerning social media. The goal of this room is to prepare us for CTF challenges in this category, as well as real-world research.
Let’s get busy!
All you have to do to complete this task is sign up. So with that done, let’s move on to the next task.
You are Aleks Juulut, a private eye based out of Greenland. You don’t usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker “H” to investigate a suspected cheater, named Thomas Straussman.
After a brief phone-call with his wife, Francesca Hodgerint, you’ve learned that he’s been acting suspicious lately, but she isn’t sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you’re out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you’re going to have to do all of it digitally. Good luck!
[Question?] Who hired you?
This one’s pretty simple. The background information above clearly states who we were hired by.
[Question?] Who are you investigating?
Again, this one’s pretty simple. The background information above states who we are to investigate.
How exciting! Through talking to people who know Thomas, you’ve found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts, and start off this room.
Before we start answering any of the following questions, we first need to identify who Thomas actually is. For the scope of this investigation, we’ve been told that any accounts of interest will only be found on Twitter and Reddit.
Using the information we currently have, which is his known alias and full name, we can perform a basic Google search consisting of tstraussman “Thomas Straussman”. The first hit we get is for a @TStraussman on Twitter, who happens to be located in Greenland, which is where we are normally located and where our services were engaged.
Alongside this, I have performed another Google search, this time limiting the results to URLs containing reddit.com. The syntax is inurl:reddit.com tstraussman
This gives us a match to the Reddit user https://www.reddit.com/user/Tstraussman, which we can correlate back to the Twitter account when we look at the Reddit profile.
With these two accounts, we can start to try and identify useful information as part of our investigation.
[Question] Who are you investigating?
So this one was a slight guess as I didn’t see anything that specifically referred to a favourite holiday. However, if we take into account his birthday and look closely at his Twitter profile, we do get some clues.
[Question] What is Thomas’ birth date?
This time we’re going to focus on Thomas’s Reddit posts. Within these you’ll see comments celebrating a birthday milestone. It’s from this we can try to work out his birth date.
[Question] What is Thomas’ fiancee’s Twitter handle?
This one should be quite straightforward. What we do know is her name, Francesca Hodgerint. (Note: she’s referred to as his wife in the background information, but the question and her socials say fiancee.)
From here we can try to identify any interactions or relationships with other social media accounts that meet our requirements.
[Question?] What is Thomas’ background picture of?
For this we need to go back to our earlier investigation and observations when reviewing Thomas’ Twitter account.
This section seems to be all about using Spiderfoot – https://github.com/smicallef/spiderfoot
SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.
SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line.
The task has instructions on installing SpiderFoot. Once finished, you’ll be able to access a user-friendly web interface at http://localhost:5001/
In my case I specified tstraussman as the target and set the use case as ‘All’ which will enable all modules. Now press Run Scan Now to start your scan. Note my mistake below – when setting a username as a target it must be enclosed in quotes.
Running it correctly returns the following (as of April 2023)
[Question?] What was the source module used to find these accounts?
If we look at the Source Module column, this is where the module will be listed.
[Question?] Check the shadowban API. What is the value of “search”?
Unfortunately, at the time of attempting this challenge, Shadowban is no longer in existence and no longer part of SpiderFoot. This answer will have to be obtained from a historical writeup to continue with the challenge.
Now that you have Thomas’ Reddit and Twitter accounts, you can do some cool stuff!
At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously. Chrome / Firefox
There are a few key types of information that we want to find from socials:
Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).
Clear images of the subject’s face (For reverse image searches and possibly finding more accounts/sources of info).
Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).
Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc.).
Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)
Since you have gotten most useful information from Thomas’ Twitter, it’s time to “pivot” to his fiancee’s account.
What personal information can you find?
[Question?] Where did Thomas and his fiancee vacation to?
Okay, at first glance when we look through Francesca’s Twitter account we can obviously see that she vacationed to Germany, but the question needs a more specific answer than that. We need to know where in Germany they were.
To answer this question, we can perform a reverse image search to try and identify the location.
[Question?] When is Francesca’s Mother’s birthday? (without the year)
Okay, staying with Francesca’s Twitter account, this is just simply a review of previous posts to obtain the information. While in the real world you would definitely try to cross-reference this information with another source, for this challenge we can make an assumption.
[Question?] What is the name of their cat?
This should be another easy one. I really hope Francesca doesn’t use her cat’s name in any of her passwords.
This is easily found by reviewing Francesca’s previous tweets.
[Question?] What show does Francesca like to watch?
This one was a little obscure to me as I’m not familiar with the show, so it didn’t catch my eye. Reading through Francesca’s replies highlights an interest in this show.
Now that we’ve gathered intel from Thomas and Francesca’s Twitters, let’s move to another platform – Reddit.
For the sake of this investigation, we’re going to be using Reddit in two different ways:
Use the old version (http://old.reddit.com/) for Wayback Machine purposes
Use the new version (https://www.reddit.com/) for other purposes (later on)
First, you’re going to want to install the WayBackMachine extension for your browser (you don’t need it, but it’ll make your life much easier).
Using Reddit’s old site, navigate to Thomas’ profile. Right-click anywhere on the page and click on Wayback Machine –> All Versions. You will see a calendar that shows all of the saved versions of the site; click through and take a look at each saved version (in this case there should be none).
So it hasn’t been saved yet… Nothing out of the ordinary, right?
Next, go to Thomas’ birthday post. Repeat the steps to find the first version of the site and….. Voila!
We’ve discovered a coworker, which is another source of intel for us! But the question is… how much intel?
[Question?] What is the name of Thomas’ coworker?
Okay, this is a tricky one. Remember at the start of this write-up I mentioned some things had changed over the years. It has been communicated that Hans’ comment is no longer viewable in the Wayback Machine, but let’s see how we go.
[Question?] Where does his coworker live?
I’m not sure if I should have done a bit more digging on this one. But as he’s a co-worker of Thomas’, I made an assumption that they both live in the same city.
[Question?] What is the paste ID for the link we found?
I wasn’t quite sure what this was about. I looked at IDs in the page code for the various posts with no luck. However, I was still focusing my search on a small window, which was December 2020.
If we start scrolling through the Wayback Machine captures for this user account, we can see any other changes that may have occurred.
As we do this, we come across something interesting...
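The Wayback Machine steps above (listing all saved versions of a page, finding the first one, and scrolling through captures to spot when a profile changed) can also be done against the Internet Archive's CDX API. This is an added example, not part of the original write-up or the room; the function names are hypothetical, and the sample response, URL and digests are constructed placeholders.

```python
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(page_url, year=None):
    """Build the CDX query that lists every capture of page_url."""
    params = {"url": page_url, "output": "json",
              "fl": "timestamp,original,statuscode,digest"}
    if year is not None:  # narrow the window, e.g. to one year
        params["from"], params["to"] = f"{year}0101", f"{year}1231"
    return f"{CDX_ENDPOINT}?{urlencode(params)}"

def parse_captures(cdx_json):
    """First row of CDX JSON is the header; a never-archived page gives []."""
    rows = json.loads(cdx_json)
    if not rows:
        return []
    header, *data = rows
    return [dict(zip(header, row)) for row in data]

def content_changes(captures):
    """Oldest-first successful captures whose digest differs from the previous one."""
    changes, last_digest = [], None
    for cap in sorted(captures, key=lambda c: c["timestamp"]):
        if cap["statuscode"] != "200":
            continue  # skip redirects and errors
        if cap["digest"] != last_digest:
            changes.append(cap)
            last_digest = cap["digest"]
    return changes

def snapshot_url(cap):
    """Link to the archived copy of one capture."""
    return f"https://web.archive.org/web/{cap['timestamp']}/{cap['original']}"

# Constructed sample response (placeholder URL and digests, not real data).
PAGE = "https://example.org/user/placeholder"
SAMPLE = json.dumps([
    ["timestamp", "original", "statuscode", "digest"],
    ["20201210101500", PAGE, "200", "DIGEST-A"],
    ["20201215120000", PAGE, "200", "DIGEST-A"],
    ["20201220090000", PAGE, "302", "DIGEST-B"],
    ["20201221180000", PAGE, "200", "DIGEST-C"],
])

if __name__ == "__main__":
    print(cdx_query_url(PAGE, year=2020))
    for cap in content_changes(parse_captures(SAMPLE)):
        print(snapshot_url(cap))
```

Only the captures where the digest changes need opening by hand, which shortens the click-through when a page has many saved versions.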
[Question?] Password for the next link?
If you got this far, you’ll just need to review the Ghostbin post which contains the link and password.
[Question?] What is the name of Thomas’ mistress?
Only one way to find out. Let’s delve further into Thomas’ little secret and see where that takes us.
[Question?] What is Thomas’ Email address?
This is also an easy one. Both are found in the previous two Ghostbin posts.
So there you have it. And what did we learn? We learnt that true love never involves a Nigerian prince. Never. Ever.
Time for a slice of accomplishment. Until next time.