
KaffeeSec – SoMeSINT

April 19, 2023 - CTF

Hello again!

After having such a great time on Kase Scenarios’ Dark Waters, I’m going to move over to Try Hack Me and attempt some of their OSINT-specific challenges – https://tryhackme.com/room/somesint

It’s worth noting that this challenge is a number of years old now, and as we know in OSINT, lots of things can change in a short amount of time. If you read the following Try Hack Me blog https://tryhackme.com, the following problems are listed and good to know. I crossed out two, as they are both 100% findable using the Wayback Machine. Good luck.

KaffeeSec – SoMeSINT offers an intro to SOCMINT (Social Media Intelligence/Investigation) techniques and tooling. We’re going to use our OSINT skills to perform an online investigation of a mysterious husband!

Let’s get into it.

 

Task 1

Overview

 

We’re told that in this room, we’ll be learning about social media analysis and forensics. We’ll learn about google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. We don’t need any previous knowledge of OSINT for this room.

When we complete this room, we should be comfortable applying tools and methodologies to gather information through social media, and answer context-based questions concerning social media. The goal of this room is to prepare us for CTF challenges in this category, as well as real-world research.

Let’s get busy!

All you have to do to complete this task is sign up. So with that done, let’s move on to the next task.

 

Task 2

Story

 

Background Information:

You are Aleks Juulut, a private eye based out of Greenland. You don’t usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker “H” to investigate a suspected cheater, named Thomas Straussman.

After a brief phone-call with his wife, Francesca Hodgerint, you’ve learned that he’s been acting suspicious lately, but she isn’t sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you’re out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you’re going to have to do all of it digitally. Good luck!

 

[Question?] Who hired you?

This one’s pretty simple. Reading the background information above it clearly states who we were hired by.

Who hired you?
“You were recently hired by a mysterious person under the moniker “H” to investigate a suspected cheater, named Thomas Straussman”

 

[Question?] Who are you investigating?

Again, this one’s pretty simple. Reading the background information above it states who we are to investigate.

“You were recently hired by a mysterious person under the moniker “H” to investigate a suspected cheater, named Thomas Straussman”

 

Task 3

Let’s get started!!

 

How exciting! Through talking to people who know Thomas, you’ve found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts, and start off this room.

Before we start answering any of the following questions, we first need to identify who Thomas actually is. For the scope of this investigation, we’ve been told that any accounts of interest will only be found on Twitter and Reddit.

Using the information we currently have, which is his known alias and full name, we can perform a basic Google search consisting of tstraussman “Thomas Straussman”. The first hit we get is for a @TStraussman on Twitter, who happens to be located in Greenland, which is where we are normally located and where our services were engaged.

Alongside this, I have performed another Google search, this time limiting the results to URLs containing reddit.com. The syntax is inurl:reddit.com tstraussman

This gives us a match to the Reddit user https://www.reddit.com/user/Tstraussman, which we can correlate back to the Twitter account when we look at the Reddit profile.

With these two accounts, we can start to try and identify useful information as part of our investigation.

 

[Question] What is Thomas’ favourite holiday?

So this one was a slight guess, as I didn’t see anything that specifically referred to a favourite holiday. However, if we take into account his birthday and look closely at his Twitter profile, we do get some clues.


Given the time of year that Thomas has his birthday and a comment on his twitter profile implying peace comes from x-mas for him, I felt he had a strong connection to Christmas – which is the correct answer.

 

[Question] What is Thomas’ birth date?

This time we’re going to focus on Thomas’s Reddit posts. Within these you’ll see comments celebrating a birthday milestone. It’s from this we can try to work out his birth date.


Looking at Thomas’ Reddit posts, we can see he made a comment on the 20th of December 2020 about making it to 30 years old.

The post itself only says “submitted 2 years ago”, so we don’t see an exact date. However, there are two ways we can reveal this.

The first and easiest is to hover your mouse over the text showing 2 years ago. When you do this, a little box will show the exact date that the post was made. This clearly shows Sun Dec 20 20:32:57 2020 UTC.

 

The second is to inspect the page code. By drilling down to the area of interest, we’ll see the element for the post, which clearly has a time/date stamp of Sun Dec 20 20:32:57 2020 UTC.

I had to try a few different formats to get the answer to work, but using the hint will tell you straight away that the format is MM-DD-YYYY, so taking the above date of Thomas’ post and subtracting 30 years, the answer will be 12-20-1990

 

[Question] What is Thomas’ fiancee’s Twitter handle?

This one should be quite straightforward. What we do know is her name, Francesca Hodgerint. (Note: she’s referred to as his wife in the background information, but the question and the socials say fiancee.)

From here we can try to identify any interactions or relationships with other social media accounts that meet our requirements.


Looking again at Thomas’ Twitter account, we can look at his replies and also who he follows to quickly identify Francesca’s Twitter handle.

So the answer to this question is @fhodgelink

 

[Question?] What is Thomas’ background picture of?

For this we need to go back to our earlier investigation and observations when reviewing Thomas’ Twitter account.

We can clearly see the background picture contains a statue of Buddha

 

Task 4

Spider… what?

 

This section seems to be all about using Spiderfoot – https://github.com/smicallef/spiderfoot

SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.

SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line.

The task has instructions on installing Spiderfoot, which once finished you’ll be able to access a user friendly web interface at http://localhost:5001/

In my case I specified tstraussman as the target and set the use case as ‘All’, which will enable all modules. Now press Run Scan Now to start your scan. Note my mistake below – when setting a username as a target it must be enclosed in quotes.

Running it correctly returns the following (as of April 2023).

 

[Question?] What was the source module used to find these accounts?

If we look at the Source Module column, this is where the module will be listed.

So the answer to this question is sfp_accounts

 

[Question?] Check the shadowban API. What is the value of “search”?

Unfortunately, at the time of attempting this challenge, Shadowban is no longer in existence and no longer part of Spiderfoot. This answer will have to be obtained from a historical write-up to continue with the challenge.

I’ve had to obtain this answer from the write-up at https://thisisfinx.medium.com

Back when the Shadowban service was running, it would have shown the following

That would make the answer to this question (in the correct flag format) ks{1346173539712380929}

 

Task 5

Connections, connections..

 

Now that you have Thomas’ Reddit and Twitter accounts, you can do some cool stuff!

At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously. Chrome / Firefox

There are a few key types of information that we want to find from socials:

Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).
Clear images of the subject’s face (For reverse image searches and possibly finding more accounts/sources of info).
Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).
Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc..).
Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)

Since you have gotten most useful information from Thomas’ Twitter, it’s time to “pivot” to his fiancee’s account.

What personal information can you find?

 

[Question?] Where did Thomas and his fiancee vacation to?

Okay, at first glance when we look through Francesca’s Twitter account we can obviously see that she vacationed to Germany, but the question needs a more specific answer than that. We need to know where in Germany they were.

To answer this question, we can perform a reverse image search to try and identify the location.

Using the RevEye extension, you can right click on the image and perform a reverse Image Search.

Using either Google or Bing will be fine, and while you may get different results, they’ll mostly be similar given this is a popular destination.

Google Image search identifies the specific monument as Deutsches Eck in Germany.

If we further search on Deutsches Eck in Germany the top result presented is a Wiki page dedicated to this monument.

And it is here we can identify the location, and answer to this question as Koblenz, Germany

 

[Question?] When is Francesca’s Mother’s birthday? (without the year)

Okay, staying with Francesca’s Twitter account, this is simply a review of previous posts to obtain the information. While in the real world you would definitely try to cross-reference this information with another source, for this challenge we can make an assumption.

So looking at a previous tweet we can see the following.

Now, while the post is made on the 26th, it also states “merry Xmas”, so my assumption here (and this is always good to keep in mind) is that my timezone is ahead of Francesca’s, so if she were to post on the 25th, it would actually show in my feed as the 26th.

With that said, Francesca’s mum’s birthday and the answer to this question is December 25th

[Question?] What is the name of their cat?

This should be another easy one. I really hope Francesca doesn’t use her cat’s name in any of her passwords.

This is easily found by reviewing Francesca’s previous tweets.

Here we have it.

The name of the cat is Gotank

[Question?] What show does Francesca like to watch?

This one was a little obscure to me as I’m not familiar with the show, so it didn’t catch my eye. Reading through Francesca’s replies highlights an interest in this show.

We can see two replies from Francesca which both reference a particular television show.

Whatever floats your boat, I guess. So Francesca likes to watch 90 Day Fiance

 

Task 6

Turn back the clock!!

 

Now that we’ve gathered intel from Thomas and Francesca’s Twitters, let’s move to another platform – Reddit.

For the sake of this investigation, we’re going to be using Reddit in two different ways:

Use the old version (http://old.reddit.com/) for wayback machine purposes
Use the new version (https://www.reddit.com/) for other purposes (later on)

First, you’re going to want to install the WayBackMachine extension for your browser (you don’t need it, but it’ll make your life much easier).

Using Reddit’s old site, navigate to Thomas’ profile. Right click anywhere on the page and click on Wayback machine –> All Versions. You will see a calendar that shows all of the saved versions of the site, click through and take a look at each saved version (in this case there should be none).

So it hasn’t been saved yet… Nothing out of the ordinary, right?

Next, go to Thomas’ birthday post. Repeat the steps to find the first version of the site and….. Voila!

We’ve discovered a coworker, which is another source of intel for us! But the question is… how much intel?

 

[Question?] What is the name of Thomas’ coworker?

Okay, this is a tricky one. Remember at the start of this write-up I mentioned some things had changed over the years. It has been communicated that Hans’ comment is no longer viewable in the Wayback Machine, but let’s see how we go.

Running the Wayback machine on the reddit post of Thomas’ birthday and requesting all versions we can see the following https://web.archive.org/web/20230000000000*/https://www.reddit.com/user/Tstraussman/comments/kh1pzg/big_thank_you/

If we select the oldest archive, back in 2020, and select the entry on the calendar, we can now view the post, which includes the comment “Hey, It’s Hans from work. Congrats!!”

Now, I’m not sure about you, but on mine the author isn’t showing at all. Completely gone. So let’s inspect the page and see if we can dig anything up in there. Searching for the word ‘Author’ in the code gives me 9 results. Most are obviously not what I’m looking for. But this one catches my eye.

Here we can see the author listed as minikhans which we can then view directly via https://www.reddit.com/user/minikhans

So far so good.. But we only have part of his name.. or do we?

Based on the information we have so far, I tried Minik Hans and yes, that is the name of Thomas’ coworker.
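
The two "inspect the page" steps in this write-up (the exact timestamp behind "2 years ago" and the author name that no longer renders in the archived copy) can be done with a small parser, shown here as an added example that is not part of the original room or post. The HTML is a constructed snippet modelled on old-Reddit markup, the attribute names `data-author` and `datetime` are assumed to be present in the saved page, and the function names are hypothetical.

```python
from datetime import datetime
from html.parser import HTMLParser

# Constructed snippet (assumption: old-Reddit style markup). The first timestamp
# is the one quoted in the write-up; the comment's timestamp is made up.
SAMPLE_HTML = """
<div class="thing link" data-author="Tstraussman">
  <time title="Sun Dec 20 20:32:57 2020 UTC"
        datetime="2020-12-20T20:32:57+00:00">2 years ago</time>
</div>
<div class="thing comment" data-author="minikhans">
  <time title="Mon Dec 21 09:15:00 2020 UTC"
        datetime="2020-12-21T09:15:00+00:00">2 years ago</time>
  <p>Hey, It's Hans from work. Congrats!!</p>
</div>
"""

class HiddenMetadata(HTMLParser):
    """Collect attribute values that the rendered page does not display."""
    def __init__(self):
        super().__init__()
        self.authors, self.timestamps = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("data-author"):
            self.authors.append(attrs["data-author"])
        if tag == "time" and attrs.get("datetime"):
            self.timestamps.append(datetime.fromisoformat(attrs["datetime"]))

def extract_metadata(html):
    """Return (authors, timestamps) in document order."""
    parser = HiddenMetadata()
    parser.feed(html)
    return parser.authors, parser.timestamps

def birth_date(posted, age):
    """Date `age` years before `posted`, in the room's MM-DD-YYYY format.
    Assumes, as the write-up does, that the post was made on the birthday."""
    try:
        born = posted.replace(year=posted.year - age)
    except ValueError:  # posted on 29 February and the target year is not a leap year
        born = posted.replace(year=posted.year - age, day=28)
    return born.strftime("%m-%d-%Y")

if __name__ == "__main__":
    authors, stamps = extract_metadata(SAMPLE_HTML)
    print(authors, birth_date(stamps[0], 30))
```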

[Question?] Where does his coworker live?

I’m not sure if I should have done a bit more digging on this one. But as he’s a co-worker of Thomas’, I made an assumption that they both live in the same city.

So to find out which city that is, we can jump back over to Thomas’ twitter account and we find the answer there

So it looks like Minik Hans lives in the city of Nuuk, Greenland

 

[Question?] What is the paste ID for the link we found?

I wasn’t quite sure what this was about. I looked at IDs in the page code for the various posts with no luck. However, I was still focusing my search on a small window, which was December 2020.

If we start scrolling through the wayback machine captures for this user account we can see any other changes that may have occurred.

As we do this, we come across something interesting..

On the 23rd of May 2021 we see a post which is subsequently removed in the next archive. Disappointed 2 Electric Boogaloo

Clicking on this link takes us to the following Ghostbin post.

The full URL to the post is https://ghostbin.com/paste/ww4ju which means the Paste ID and answer to this question is ks{ww4ju}
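
Instead of clicking through the calendar one capture at a time, the Wayback Machine's CDX server can list every capture of a URL along with a content digest, so only the captures where the page actually changed need to be opened. The following is an added example, not part of the original post: the response is a constructed sample (timestamps and digests are made up) so it runs offline, and the function names are hypothetical.

```python
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
PROFILE = "https://www.reddit.com/user/Tstraussman"  # profile URL from the write-up

def cdx_query_url(target, start=None, end=None):
    """URL that asks the CDX server for every capture of `target` as JSON."""
    params = {"url": target, "output": "json",
              "fl": "timestamp,original,statuscode,digest"}
    if start:
        params["from"] = start  # lower bound, e.g. "2020" or "20201201"
    if end:
        params["to"] = end
    return CDX_ENDPOINT + "?" + urlencode(params)

# Constructed response. The JSON output is a list of rows and the first row
# holds the field names.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode", "digest"],
    ["20201222101500", PROFILE, "200", "DIGEST-A"],
    ["20210301080000", PROFILE, "200", "DIGEST-A"],  # same body as before
    ["20210523120000", PROFILE, "200", "DIGEST-B"],  # body changed
    ["20210524090000", PROFILE, "301", "DIGEST-R"],  # redirect, no page body
    ["20210601070000", PROFILE, "200", "DIGEST-A"],  # changed again
])

def changed_captures(cdx_json):
    """Replay URLs of captures whose body differs from the previous good capture."""
    rows = json.loads(cdx_json)
    if len(rows) < 2:  # empty result or header only: nothing archived
        return []
    header, records = rows[0], rows[1:]
    urls, previous = [], None
    for record in records:
        row = dict(zip(header, record))
        if row["statuscode"] != "200" or row["digest"] == previous:
            continue
        previous = row["digest"]
        urls.append(f"https://web.archive.org/web/{row['timestamp']}/{row['original']}")
    return urls

if __name__ == "__main__":
    print(cdx_query_url(PROFILE, "2020", "2021"))
    for url in changed_captures(SAMPLE_CDX):
        print(url)
```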

 

[Question?] Password for the next link?

If you got this far, you’ll just need to review the Ghostbin post which contains the link and password.

As per the ghostbin post, we see the following at the end of the message.

So the password for the next link, and answer to this question will be ks{1qaz2wsx}

 

[Question?] What is the name of Thomas’ mistress?

Only one way to find out. Let’s delve further into Thomas’ little secret and see where that takes us.

Unfortunately Ghostbin is no longer available, but we can access this post through the Wayback Machine at https://web.archive.org/web/20210407192118/https://ghostbin.com/paste/JENxv/1qaz2wsx

Notice that encrypted pastes have this format: ghostbin.com/<pasteId>/<password>

And there we have it. Thomas’ mistress is Emilia Moller

 

[Question?] What is Thomas’ Email address?

This is also an easy one. It’s found in both of the previous two Ghostbin posts.

 


So the answer to this question will be straussmanthom@mail.com

 

 

So there you have it. And what did we learn? We learnt that true love never involves a Nigerian prince. Never. Ever.

Time for a slice of accomplishment. Until next time.
