Let’s go for another TryHackMe room, this time we’re tackling OhSINT, which begs the question “are you able to use open-source intelligence to solve this challenge?”
This was a fun, different room for me, I love the idea of OSINT and using the web to solve challenges. Despite having a few initial issues along the way, it was fun to answer “what information can you possible get with just one photo?”
Disclaimer, there are spoilers for this room below, please use the hints if you do not want any steps spoiled.
[sub] OhSINT walkthrough // TryHackMe Writeup // THM Guide – powered by Happy Scribe
Welcome back to the channel.
This is going to be a walkthroughof OhSINT, an easy beginner challenge CTF
in Google Dorking and gonna use someopen source intelligence to solve this.
So the only thing we have which is a bitstrange for me anyway is just an image.
So we’re starting withan image and that’s it.
So there’s no box to virtual machineto start up or anything like that.
It’s all just the flaming thing.
So I’ve already downloaded it.
Not to ruin the surprise, but I haveactually gone through this box.
I know what’s up and I will explaina few things along the way.
So we’ll go ahead and download
that and we’ll give it a bit of an insect,a bit of a hover there.
What do we got?Windows XP, JPEG.
So by the untrained eye, we don’t haveanything here, no hidden imagery.
It looks just like a pretty basic image.
So we need to use somethingto assess this little closer.
So if we look at our hint here sowe’ve got our list of questions.
So a few questions.
What is the user’s avatar of?
What is this user’s avatar of?
So it makes zero sense.
So my first intuition was like,let’s just go find it first.
So it’s just on the desktop.
So is there anything unusual about it if
we just look at it and we can run fileagainst it and it is indeed a JPEG.
So the hint here is EXIF tool.
So when we look up EXIFtool we can find that.
This is a pretty popular command lineapplication, pearl library for metadata.
So I’m not an expert in this,
but I know when we take photosthat there is more data behind the photo
than just the photo itself,the pixels and whatnot.
So we can go ahead and sudo apt install
EXIF tool like so I’vealready got installed.
So once it’s installed we can just go
ahead and look at the manpage for that EXIF tool.
We can see here itread and write meta information in files.
So not just JPEGs but all files.
So yeah, there’s a lot that this thing cando, but we can go ahead and just run it
by default against our image thereand we get some information here.
So going through this, it’s reallya case of what sticks out at us.
Okay, so this is where wesort of take our time.
So version number of the tool,the file directory, things that we already
know, the permissions we could alreadysee that nothing really unique here.
Copyright.
Now, I must admit, when I first saw that,I did sort of skip over it.
And this is sort of what’s hard aboutgoing through this stuff is it’s not like
a video game where there will be a lightshining towards
somewhere that as the player weknow that we need to go that way.
We have to use somecritical thinking here.
I honestly skipped over this.
I just went, okay,I don’t know what that is.
It’s probably not too important.Kept looking.
I was like, okay, well,maybe we’ve got some GPS coordination.
Maybe we do something with that.
And maybe this coding baseline,maybe that’s something.
But then I thought back to copyright.
I’m like, you can just sortof whatever in a copyright.
I mean, you can manipulate allthis metadata input or whatever.
But I’m like, I don’t know,I think that this is the thing.
So let’s go ahead and justdo some Google dorking.
So you can see here I’ve alreadygone to these links and this is it.
This is open source intelligence.
And it took me a little bit to get my head
around to be honest, because Ithought we were going to stay here.
And this is what I’m used to,I’m used to cybersecurity.
I’m used to learning hackingin the terminal.
Like this is where we do stuff.
But open source intelligenceis using the Internet.
So this is kind of wildfor my little brain.
The next thing I made a mistake in when
going through this is Ionly looked at Twitter.
I just saw Twitter and I just assumedthat the rest were challenges.
I didn’t even look at these other two.
So learn from me and what my future self
will be better at is actually takingthe time to look at the search results.
So we can see here we have a Twitter
profile, then we have a WordPress.comblog and then we have a GitHub repo.
And then the giveaway is these are all
anything that says tryhack me or write up.
We can confidently say that these are
people have been looking up the Gmailand some spy talks, whatever that is.
Those are just write ups.
But our focus is on these three.And this is really cool.
I have seen this in other CTFs-
from watching John Hammond videosand other YouTubers and that
this is a part of the challenge wherewe’ll have fake
Twitter accounts or Facebook accountsthat we can go and try and hack.
Let’s look at these three in order.
And if we go back to whatis the user’s avatar of?
Pretty confident out of all of our three
accounts that we can focus on that theavatar is indeed of a C.A.T. Nice.
What city is this person in now?
Again, I made the mistake of not looking
at the other options that I justwas here and I was like, what?
Oh man.
I was looking at comments and there wassome like base 64 encoded comments.
I’m like, is this a part of it?
Don’t waste your time.
This is an easy challenge after all.
So I go to deep too fast.
It’s another thing.
So let’s just flick through.
So we’ve got on this one.
I’m in New York right now,
so I will update the siteright away with new photos.
Okay, so we’ve gotHello Worlds from my house.
I can get free WiFi, and we have some sort
of MAC address lookingthing back on Twitter.
So this isn’t helping.
We can see here that they are in New York,
but our question is,what city is the person in?
It could be New York.I’m just playing.
I know it’s not.
So let’s go ahead and look over hereat the GitHub repo.
And we can see that this is the only
repo that I have, is this people finder,which I think is in spirits.
Hi, I’m from London.
That is what we’re after now,
this next one, and I got a story,BSSID plus wiggle.
Net.So this was totally new to me.
Let’s just go check out Wiggle.Net.
If we look here, we do havesome more information.
This is linking to our Twitter,talking about photos.
And here, email me if you want.
Before we go down that rabbit hole,
let’s just go over Ispelled it wrong, didn’t I?
Let’s just look up wiggle.There we go.
What’s the SSID of the WAPhe connected to.
So we need to use this website.
Okay, you will need to make an accountin order to Wiggle work,
and you do not need to use youractual personal information.
You can just go aheadand use whatever you want.
So the idea here is we have this hint,
this BSSID, which I did look up whatit stood for and I can’t remember.
But we can use this MAC addresslooking thing, put it in here.
As you can see, my other attempts paste
that in and we can querythe database to find where he’s at.
This is where I had the issue.
So if we sort of look around
the map didn’t really takeme anywhere straight away.
I can’t actually see anything on the map.
There is something in London.
And I must admit, this didnot work out well for me.
When I first did this, I punchedit in and I didn’t see anything.
And I didn’t take my timelooking around the map.
And I must admit,
it stands out now because Iknow what I’m looking for.
But if you tried this like me,
don’t feel silly that you didn’tsee it or it didn’t work.
So we can see here that this MAC address
actually does come up on theirdatabase, which is just nuts.
I was reading an article about thiswebsite, and it’s kind of crazy.
Okay, so this is actually new territory.
I don’t know how to what is the SSIDof the WAP he connected to?
So can I interact with this?
There is a name.
There is a name.
It’s very small.
I definitely didn’t copy this the first
time of the wireless accesspoint that he connected to.
So what’s his personal address?
So, we can find that out ifwe go back to his GitHub.
Interestingly enough,
if we actually go to his pull requests,there’s pull request here of that README
file where he’s added,messaged me on Twitter for my email.
Probably not a good ideato give out publicly.
We can see.
I’m a little confusedbecause it’s got it here.
So the pull request was made meaning,
but he committed it, but he didn’t,like, push it to the master branch.
So that’s why we don’t see thisgreen message instead, we still see.
I think that’s how GitHub works.
Bit of an interesting thing,just I found from poking around.
So what site did you findhis email address on?
So we found it on GitHub.
Where has he gone on holiday?
So if we go back here I’min New York right now.
New York.Oops.
You can paste it in there.
It’s all pretty straightforward.
And what is this person’s password?
Okay.
I had some issues with this room.
Like, this didn’t work for methe first time because I was silly.
It annoyed me a little bit,if I’m being really honest.
I only found this from lookingat another write up.
So if we use our inspect and we can hover
over, we can see that there is a blankarea here and indeed,
there is just a like,if we just change this to #000000
we can see here that the textis actually on the website.
It was just hidden.
So in one way, that’s cool.
Like a little thing like,
make sure you look around and inspectpeople’s websites,
you might find something like this,but at the same time, who does this?
I think that’s what sortof annoyed me about this.
I would have never, ever, ever found this.
I don’t think I would have ever found it.
Some part of me thinks I would have,
but another part of me is like,I wouldn’t have looked there because I
guess in my head,who puts a password on the front?
I don’t know.
I guess I’m probably just missedthe reason that it’s just a bit of fun.
It’s not supposed to be like,
super serious,but I guess that’s just my brain.
And I think it was really from when things
went wrong on the wiggle.net for me thatit sort of all started to spiral apart.
So I didn’t have the bestexperience with OhSINT.
I don’t think that’s at the faultof the TryHackMe or the creator.
I think it’s just more me.
But anyway, that was my experience.
It was fun to go through the first time,even though it was quite infuriating,
but I much prefer going through a secondtime and sharing it in this format.
This was much better.
It was nice when things actuallyworked out and getting to show you.
So I hope you enjoyed.
This has been OhSTIN from TryHackMe.
Go show some love to the creatorand the community.
I hope you enjoyed this video.
If you found it helpful,please let me know.
Leaving us comments.
It does help me.
It’s very motivating to see somepositive comments in the description.
If you have any feedback,like if I’ve done anything different
to you or anything like that, I’m alwayskeen to improve, so that would be great.
And the last thing for me is I havea monthly newsletter that I thought I
would let youknow about and let you in on.
If you want to, there’s a link below where
it’s just a littlefriendly monthly update.
And I still have to write last month’s.
But yeah, I’m usually on to it.
Anyway, that has been the video.Enjoy.
Hints
Here are some helpful hints if you need a bit of a nudge without any spoilers.
- What is this users avatar of? Check the metadata of the image, then use a search engine.
- What city is this person in? Use search results based on the metadata.
- Whats the SSID of the WAP he connected to? Zoom in on the city found.
- What is his personal email address? Check all profiles.
- What site did you find his email address on? Did you check?
- Where has he gone on holiday? Again, check each profile found.
- What is this persons password? Right-click, inspect.
Steps
- Enumerate image using
file.
- More enumeration using
exiftool WindowsXP.jpg
- Use a search engine to find information about each profile based on the metadata above. Note, something I even missed the second time around, see the metadata in the search results.
- Based on the information found on each profile/site, use wigle.net to search the BSSID. Take your time, unlike me who rushed and missed the purple circle on the city.
- Continue to search each site/profile for this user to answer the last challenges. Use the hints above or the notes below for more, if you’re really stuck, see the video walkthrough.
*Shamless self-promotion, I know.
Notes
Find metadata: exiftool WindowsXP.jpg
ExifTool Version Number : 12.42
File Name : WindowsXP.jpg
Directory : .
File Size : 234 kB
File Modification Date/Time : 2022:07:04 01:49:32-04:00
File Access Date/Time : 2022:07:04 01:49:34-04:00
File Inode Change Date/Time : 2022:07:04 01:49:33-04:00
File Permissions : -rwxrw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
XMP Toolkit : Image::ExifTool 11.27
GPS Latitude : 54 deg 17' 41.27" N
GPS Longitude : 2 deg 15' 1.33" W
Copyright : **************
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1920x1080
Megapixels : 2.1
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Position : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
Searched: ********* = Twitter, Github, WordPress.
Helpful link: OSINT: Tracking the Suspect’s Precise Location Using Wigle.net
Reflection
As I said in the video I made a few mistakes in this room the first time around the twist… and I even missed something the second time too. There’s a good lesson in there to slow down and observe more with OSINT. Sometimes clues are right in front of us and skimming doesn’t help, a bad habit I do a lot.
The last challenge was a bit annoying if I’m being honest. It’s not a big deal and even though it’s not realistic, there’s a good lesson in there… somewhere. I think as my first OSINT room, it was really good, I’m very keen to do more challenges like this.
I was expecting a lot more involvement with the initial image, in fact, I thought most of the room was going to revolve around it. It was good using search engines though, it can be an underlooked skill when starting off in Cyber Sec.
So there it is, OhSINT, I hope you enjoyed this write-up and feel free to check out the YouTube channel for more video walkthroughs. Have a great day! This is day 53 of #100DaysOfHacking on my Hackers Learning Path. Subscribe for CyberSec updates or read more, happy hacking, coding, and learning.
