TryHackMe | OhSint

As well as Capture the Flag rooms, TryHackMe also has some OSINT rooms, where you can practice information gathering and analysis. OSINT, or Open-source Intelligence, is the process of researching and analysing information about a target based on what they post on social media...

TryHackMe | OhSint

As well as Capture the Flag rooms, TryHackMe also has some OSINT rooms, where you can practice information gathering and analysis.

OSINT, or Open-source Intelligence, is the process of researching and analysing information about a target based on what they post on social media and the wider internet.  It's surprising how much useful information can be found by looking on Instagram, Facebook, Twitter, Reddit and LinkedIn.  

For example, you might find someone on LinkedIn listed as a Sys Admin for your target company.  From their name, you manage to find their Reddit username.  Their comments on a tech-related subreddit may reveal which version of a particular program their employer is running, or if they're looking for help solving a specific problem they're having.  

All this information can be useful to an attacker.

To gain some experience in gathering this type of information, I started by attempting to solve the TryHackMe OhSint room.

Objectives

To complete the room, I had to find out various pieces of personal information, based only on a simple jpeg image.

The old Windows XP Background

The image above is the only starting point I had.  I started off by running it through a steganography program to see if there was any data hidden inside the image.  There wasn't.  The second thing I did was run an EXIF tool to read the EXIF information about the image.

gareth@enso:~/Desktop/Files/OhSINT$ exiftool WindowsXP.jpg 
ExifTool Version Number         : 11.88
File Name                       : WindowsXP.jpg
Directory                       : .
File Size                       : 229 kB
File Modification Date/Time     : 2021:11:07 00:48:36+01:00
File Access Date/Time           : 2021:11:07 00:48:36+01:00
File Inode Change Date/Time     : 2021:11:07 00:48:52+01:00
File Permissions                : rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W

So from this, I find out that the photograph is copyrighted to someone called Owoodflint.  This looks like it could be a username of some kind.  I also have some GPS co-ordinates about where the picture was taken.

Some interesting information here..

A quick google search for the username Owoodflint revealed a Twitter user.

From the profile picture I can see that the avatar for the user and the answer to the first question is a:  Cat.

The second result, when googling Owoodflint is a link to a repository on GitHub called people_finder.  In the README.md file, there is the following text, which gave me the answer to the second question:  London

and also the fourth and fifth questions, the email address: OWoodflint@gmail.com and the place it was discovered: GitHub.

people_finder

Hi all, I am from London, I like taking photos and open source projects.

Follow me on twitter: @OWoodflint

This project is a new social network for taking photos in your home town.

Project starting soon! Email me if you want to help out: OWoodflint@gmail.com

Finding the SSID of the WAP

On Twitter there was a tweet from this account which talked about a BSSID, which is the MAC address of the radio interface of a wireless access point.  This seems like a good starting point for the third question.

I did some googling around this but came up short, so decided to try and decode a message someone had commented on the tweet.  

Thanks @PTestical

I ran it through base64decode.org and it gave me the following piece of advice, "Give wigle.net a try".

I went to wigle.net and signed up with a user account, which allowed me to do a search for wireless access points, by BSSID.

This gave me the answer to the third question, which was:  UnileverWiFi.

Further OSINT

Now I only had the final 2 questions left.  Where did this person go on holiday and what is their password?  I went back to Google and searched again for Owoodflint to see if any more sites came up that seemed like they might belong to this same person.

The third link in the search results takes us to a WordPress page, with 1 blog entry. The blog entry says that this person is in New York right now.  So that was the answer to the sixth question:  New York.

The final answer to the question, the password, was found simply by selecting all the text on the page.  I like to do this first as a quick way of checking to see if there's anything hidden, before opening the dev tools to investigate deeper.  So as we can see, the final answer, the password was: pennYDropper.!.

Review

This was an interesting introduction to OSINT.  It introduced me to a new resource, wigle.net and showed how easy it is to research and gather information about someone, starting only with the tiniest amount of information about them.  In real life, I expect most people aren't posting their BSSIDs on Twitter, or including their passwords in WordPress, so I don't know how accurate this is as training for a real-world situation, however, the tools and techniques learned are certainly something that can be carried forward and used in a more realistic scenario in future.