
As well as Capture the Flag rooms, TryHackMe also has some OSINT rooms, where you can practice information gathering and analysis.

OSINT, or Open-source Intelligence, is the process of researching and analysing information about a target based on what they post on social media and the wider internet.  It's surprising how much useful information can be found by looking on Instagram, Facebook, Twitter, Reddit and LinkedIn.  

For example, you might find someone on LinkedIn listed as a Sys Admin for your target company.  From their name, you manage to find their Reddit username.  Their comments on a tech-related subreddit may reveal which version of a particular program their employer is running, or if they're looking for help solving a specific problem they're having.  

All this information can be useful to an attacker.

To gain some experience in gathering this type of information, I started by attempting to solve the TryHackMe OhSint room.

Objectives

To complete the room, I had to find out the following information, based only on a simple JPEG image.

The image below is the only starting point I had.  I started off by running it through a steganography program to see if there was any data hidden inside the image.  There wasn't.  The second thing I did was run an EXIF tool to read the EXIF information about the image.

WindowsXP.jpg
Some interesting information in here...

So from this, I find out that the photograph is copyrighted to someone called Owoodflint.  This looks like it could be a username of some kind.  I also have some GPS coordinates showing where the picture was taken.
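The same check can be run against your own photos before publishing them, to see whether they carry a Copyright string or GPS block like the ones found here. This is an added example, not part of the original write-up: the function names `exif_tiff`, `leaky_tags` and `sample_jpeg` are hypothetical, and the sample image bytes are constructed in the code so it runs offline.

```python
import struct

COPYRIGHT, GPS_IFD = 0x8298, 0x8825  # standard EXIF/TIFF tag IDs

def exif_tiff(jpeg: bytes) -> bytes:
    """Return the TIFF payload of the first Exif APP1 segment, or b''."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (size,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker == 0xDA:  # start of scan: metadata segments are over
            break
        pos += 2 + size
    return b""

def leaky_tags(jpeg: bytes) -> dict:
    """Report the Copyright string and any GPS IFD pointer found in IFD0."""
    tiff = exif_tiff(jpeg)
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return {}
    end = "<" if tiff[:2] == b"II" else ">"  # byte order of the TIFF block
    (ifd,) = struct.unpack(end + "I", tiff[4:8])
    (count,) = struct.unpack(end + "H", tiff[ifd:ifd + 2])
    found = {}
    for off in range(ifd + 2, ifd + 2 + 12 * count, 12):
        tag, typ, n, val = struct.unpack(end + "HHII", tiff[off:off + 12])
        if tag == COPYRIGHT and typ == 2:  # type 2 = ASCII
            raw = tiff[off + 8:off + 8 + n] if n <= 4 else tiff[val:val + n]
            found["copyright"] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif tag == GPS_IFD:
            found["gps_ifd_offset"] = val
    return found

def sample_jpeg() -> bytes:
    """Constructed sample: SOI + Exif APP1 (Copyright, GPS pointer) + EOI."""
    text = b"OWoodflint\x00\x00"  # value mirrors the write-up; image is constructed
    ifd = struct.pack("<H", 2)  # IFD0 at offset 8 holds 2 entries, data at 38
    ifd += struct.pack("<HHII", COPYRIGHT, 2, len(text), 38)
    ifd += struct.pack("<HHII", GPS_IFD, 4, 1, 38 + len(text))
    ifd += struct.pack("<I", 0)  # no further IFDs
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + text + bytes(6)  # empty GPS IFD
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A non-empty result from `leaky_tags` on a real file means the image should have its metadata stripped before it is shared.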

A quick Google search for the username Owoodflint revealed a Twitter user.

From the profile picture I can see that the avatar for the user and the answer to the first question is a:  Cat.

The second result when googling Owoodflint is a link to a repository on GitHub called people_finder.  In the README.md file, there is the following text, which gave me the answer to the second question:  London, and also the fourth and fifth questions, the email address: OWoodflint@gmail.com and the place it was discovered: GitHub.

people_finder

Hi all, I am from London, I like taking photos and open source projects.

Follow me on twitter: @OWoodflint

This project is a new social network for taking photos in your home town.

Project starting soon! Email me if you want to help out: OWoodflint@gmail.com

Finding the SSID of the WAP

On Twitter there was a tweet from this account which talked about a BSSID, which is the MAC address of the radio interface of a wireless access point.  This seems like a good starting point for the third question.

I wonder what the first reply is all about...

I did some googling around this but came up short, so I decided to try to decode the first reply message.  I ran it through base64decode.org and it gave me the following piece of advice, "Give wigle.net a try".

I went to wigle.net and signed up with a user account, which allowed me to do a basic search for wireless access points, by BSSID.

There's a WiFi in London matching the BSSID

This gave me the answer to the third question, which was:  UnileverWiFi.

Further OSINT

Now I only had the final 2 questions left.  Where did this person go on holiday and what is their password?  I went back to Google and searched again for Owoodflint to see if any more sites came up that seemed like they might belong to this same person.

Interesting top 3 links...

The third link in the search results takes us to a WordPress page, with 1 blog entry. The blog entry says that this person is in New York right now.  So that was the answer to the sixth question:  New York.

Security through obscurity..

The final answer to the question, the password, was found simply by selecting all the text on the page.  I like to do this first as a quick way of checking to see if there's anything hidden, before opening the dev tools to investigate deeper.  So as we can see, the final answer, the password was: pennYDropper.!.

Review

This was an interesting introduction to OSINT.  It introduced me to a new resource, wigle.net, and showed how easy it is to research and gather information about someone, starting only with the tiniest amount of information about them.  In real life, I expect most people aren't posting their BSSIDs on Twitter, or including their passwords in WordPress, so I don't know how accurate this is as training for a real-world situation.  However, the tools and techniques learned are certainly something that can be carried forward and used in a more realistic scenario in future.