OSINT Dojo: Sakura

By Hacktivities, published in InfoSec Write-ups, Apr 5, 2022 (8 min read)

In this article, I use Open Source Intelligence (OSINT) techniques to recover a chain of identifiers (username, email, real name, wallet address, social media handles and locations) in order to track down a hypothetical cybercriminal. The challenge is available on the TryHackMe platform as the “Sakura Room”, created by the user “OSINTDojo”.

Task 1: Tip Off

Challenge Description

The OSINT Dojo recently found themselves the victim of a cyber attack. It seems that there is no major damage, and there do not appear to be any other significant indicators of compromise on any of our systems. However, during forensic analysis our admins found an image left behind by the cybercriminals. Perhaps it contains some clues that could allow us to determine who the attackers were?

We’ve copied the image left by the attacker, you can view it in your browser here.

Challenge Questions & Answers

1. What username does the attacker go by?

I can use exiftool to inspect the image’s metadata. The file is an SVG, which is plain XML, so its “metadata” is just a set of attributes written by the editor that saved it; exiftool reports the Inkscape export path as an Export-filename tag, and the home-directory component of that path reveals the username of the attacker.

$ exiftool sakurapwnedletter.svg
Attacker Username.
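The check below is an added example (not part of the original write-up) that shows what exiftool is reading when it reports an Export-filename tag: it parses an SVG as XML, collects every attribute in the Inkscape and sodipodi namespaces plus any Dublin Core text in the RDF metadata block, and pulls candidate account names out of path-shaped values. The sample SVG and the path /home/exampleuser/Desktop/letter.png are constructed for the demo and are not the challenge file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an Inkscape-saved SVG. The export path
# and author name are made up for this example; the real challenge file is
# not reproduced here.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     width="100" height="100"
     inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
     inkscape:export-filename="/home/exampleuser/Desktop/letter.png"
     sodipodi:docname="letter.svg">
  <metadata>
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:dc="http://purl.org/dc/elements/1.1/"
             xmlns:cc="http://creativecommons.org/ns#">
      <cc:Work rdf:about="">
        <dc:creator><cc:Agent><dc:title>Example Author</dc:title></cc:Agent></dc:creator>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <rect width="100" height="100" fill="pink"/>
</svg>
"""

# Namespaces that editors use for their own bookkeeping attributes.
EDITOR_NAMESPACES = {
    "http://www.inkscape.org/namespaces/inkscape",
    "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd",
}
DC_NAMESPACE = "http://purl.org/dc/elements/1.1/"

# A path component right after /home/ or \Users\ is almost always an
# account name on Linux/macOS and Windows respectively.
HOME_DIR = re.compile(r"(?:^|[\\/])(?:home|Users)[\\/]([^\\/]+)")


def editor_metadata(svg_text):
    """Return {name: value} for every editor-namespace attribute on any
    element, plus the text of any Dublin Core element (keyed "dc:<name>").
    These are the values exiftool prints as tags for an SVG."""
    root = ET.fromstring(svg_text)
    found = {}
    for elem in root.iter():
        # ElementTree spells namespaced names as "{namespace}local".
        for qname, value in elem.attrib.items():
            if qname.startswith("{"):
                ns, local = qname[1:].split("}", 1)
                if ns in EDITOR_NAMESPACES:
                    found[local] = value
        if elem.tag.startswith("{" + DC_NAMESPACE + "}"):
            text = (elem.text or "").strip()
            if text:
                found["dc:" + elem.tag.split("}", 1)[1]] = text
    return found


def usernames_from_paths(metadata):
    """Extract account names from every metadata value that looks like a
    home-directory path (Linux/macOS and Windows forms)."""
    names = set()
    for value in metadata.values():
        for match in HOME_DIR.finditer(value):
            names.add(match.group(1))
    return sorted(names)


if __name__ == "__main__":
    meta = editor_metadata(SAMPLE_SVG)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("candidate usernames:", usernames_from_paths(meta))
```

Because an SVG is text, the same inspection also catches metadata that exiftool does not tag, such as XML comments or a base64-embedded raster image that carries its own EXIF block.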

Task 2: Reconnaissance

Challenge Description

It appears that our attacker made a fatal mistake in their operational security. They seem to have reused their username across other social media platforms as well. This should make it far easier for us to gather additional information on them by locating their other social media accounts.

Challenge Questions & Answers

1. What is the full email address used by the attacker?

I started by performing a search for the attacker’s username “SakuraSnowAngelAiko”. I found the attacker’s GitHub account and their LinkedIn account. Looking through the GitHub account, I saw a repository that contained a PGP public key.

A PGP key is really a keypair: the private half stays with the owner and is used to sign and decrypt, while the public half is published so others can verify signatures and encrypt to the owner. The public half is what gets shared, and it carries one or more user ID packets containing the owner’s name and email address, which is exactly why finding a published key is useful for attribution.

PGP Public Key.

I can use the gpg tool on my Linux machine to import the public key file into my keyring and list it, which displays the user ID and therefore the attacker’s email address.

Attackers Email.
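As an added example (not from the original write-up), the parser below does by hand what gpg does when it displays a key’s user ID: it strips the ASCII armor, verifies the armor’s CRC-24 checksum, walks the OpenPGP packet stream, and returns the contents of every User ID packet (tag 13). The key it runs on is constructed inline from a placeholder key-material packet plus a User ID packet, so the name and address in it are made up; on a real key file the equivalent command is gpg --show-keys key.asc.

```python
import base64
import re

EMAIL = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored):
    """Return the binary packet stream inside an ASCII-armored block,
    raising ValueError if the trailing CRC-24 line does not match."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    i = 1
    while i < len(lines) and lines[i].strip():   # skip armor headers
        i += 1
    body, crc_line = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):                  # "=XXXX" checksum line
            crc_line = line[1:]
            continue
        body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC mismatch (corrupted or edited key)")
    return data


def packets(data):
    """Split an OpenPGP packet stream into (tag, body) pairs. Handles old-
    and new-format headers with definite lengths (RFC 4880 section 4.2)."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                            # new format
            tag = hdr & 0x3F
            b0 = data[i]
            i += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[i] + 192
                i += 1
            elif b0 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old format
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def user_ids(armored):
    """All User ID packets (tag 13) in a key block, as strings."""
    return [body.decode("utf-8", "replace") for tag, body in packets(dearmor(armored)) if tag == 13]


def emails(armored):
    return sorted({m.group(1) for uid in user_ids(armored) for m in EMAIL.finditer(uid)})


# --- constructed sample key (placeholder key material, not a real key) ---
def old_packet(tag, body):
    """Old-format header with a one-octet length (body under 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def armor(data, kind="PUBLIC KEY BLOCK"):
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    rows = [b64[j:j + 64] for j in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *rows, "=" + crc, f"-----END PGP {kind}-----"]) + "\n"


# Tag 6 = public-key packet (dummy bytes here), tag 13 = user ID packet.
SAMPLE_KEY = armor(old_packet(6, b"\x04" + b"\x00" * 40)
                   + old_packet(13, b"Example Person <example@example.invalid>"))

if __name__ == "__main__":
    print(user_ids(SAMPLE_KEY), emails(SAMPLE_KEY))
```

The CRC check matters in practice: if the key text was copied out of a web page or screenshot and a character was altered, gpg refuses it with a CRC error, and this parser does the same rather than reporting a user ID from corrupted data.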

2. What is the attacker’s full real name?

Looking at the attacker’s LinkedIn account, I can see that their full name is Aiko Abe, which also matches the name shown on the GitHub account identified earlier.

LinkedIn Account Attacker’s Full Real Name.

Task 3: Unveil

Challenge Description

It seems the cybercriminal is aware that we are on to them. As we were investigating their Github account we observed indicators that the account owner had already begun editing and deleting information in order to throw us off their trail. It is likely that they were removing this information because it contained some sort of data that would add to our investigation. Perhaps there is a way to retrieve the original information that they provided?

Challenge Questions & Answers

1. What cryptocurrency does the attacker own a cryptocurrency wallet for?

Looking at the attacker’s GitHub account, I can see multiple repositories related to cryptocurrencies. Inside the repository called “ETH”, I can see a file called “miningscript” containing a single line in which the attacker’s Ethereum wallet address has been replaced with a placeholder.

Ethereum Repository.

2. What is the attacker’s cryptocurrency wallet address?

If I select “History”, I can see that there were two commits on the 23rd of January 2021. Git keeps every committed version of a file, so editing the placeholder into the current version does nothing to the earlier commit.

Github Repository Commit History.

Selecting the first commit, titled “Create miningscript”, shows the original line and with it the attacker’s cryptocurrency wallet address.

Attacker’s cryptocurrency wallet address.
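The same recovery can be scripted against a local clone. This is an added example, not part of the original write-up: it builds a throwaway repository whose history mirrors the scenario above (a file committed with a wallet address, then a second commit that swaps the address for a placeholder), then runs git log -p over the file and reports every removed line that matches an Ethereum-address pattern along with the commit that removed it. The repository contents, the address 0xa1b2c3d4… and the pool hostname are constructed for the demo; the script assumes git is on PATH.

```python
import pathlib
import re
import subprocess
import tempfile

# 0x followed by 40 hex digits; this matches Ethereum-style addresses but
# does not validate the EIP-55 checksum (that needs keccak-256, which is
# not in the standard library).
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def git(repo, *args):
    """Run a git command inside repo and return its stdout."""
    return subprocess.run(["git", "-C", str(repo), *args],
                          check=True, capture_output=True, text=True).stdout


def build_demo_repo():
    """Create a constructed two-commit history: address committed, then
    replaced by a placeholder in the working copy, as in the challenge."""
    repo = pathlib.Path(tempfile.mkdtemp(prefix="osint-git-demo-"))
    git(repo, "init", "-q")
    git(repo, "config", "user.name", "demo")
    git(repo, "config", "user.email", "demo@example.invalid")
    script = repo / "miningscript"
    script.write_text("ethminer -P stratum://0x" + "a1b2c3d4" * 5 + "@pool.example.invalid:4444\n")
    git(repo, "add", "miningscript")
    git(repo, "commit", "-q", "-m", "Create miningscript")
    script.write_text("ethminer -P stratum://<WALLET>@pool.example.invalid:4444\n")
    git(repo, "commit", "-q", "-a", "-m", "Update miningscript")
    return repo


def removed_secrets(repo, path, pattern=ETH_ADDR):
    """Return [(commit_line, match)] for every pattern hit on a line that
    some commit removed from path. commit_line is '<hash> <subject>'."""
    log = git(repo, "log", "-p", "--format=commit %H %s", "--", path)
    hits, commit = [], None
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line[len("commit "):]
        # Removed lines start with a single '-'. Skipping '---' drops the
        # '--- a/path' file header; a removed line whose own text begins
        # with '--' would be skipped too, which is acceptable for a triage
        # script (a full diff parser would track hunk state instead).
        elif line.startswith("-") and not line.startswith("---"):
            for match in pattern.finditer(line):
                hits.append((commit, match.group(0)))
    return hits


if __name__ == "__main__":
    demo = build_demo_repo()
    for commit, addr in removed_secrets(demo, "miningscript"):
        print(f"{addr} removed in {commit}")
```

On a real repository, git log -p --all widens the search to every branch and tag, which matters because the edit that “cleans up” a file is often pushed to one branch while the original still sits on another.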

3. What mining pool did the attacker receive payments from on January 23, 2021 UTC?

Searching for “ethereum mining pools”, I found the website ethermine.org. I searched for the attacker’s wallet address and found a history of payouts. I can see that the attacker received payments from Ethermine on January 23, 2021 UTC.

Mining Pool.

4. What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

Using the website etherscan.io, I was able to identify Tether as the other cryptocurrency the attacker exchanged with using their cryptocurrency wallet.

Tether Cryptocurrency.

Task 4: Taunt

Challenge Description

Just as we thought, the cybercriminal is fully aware that we are gathering information about them after their attack. They were even so brazen as to message the OSINT Dojo on Twitter and taunt us for our efforts. The Twitter account which they used appears to use a different username than what we were previously tracking, maybe there is some additional information we can locate to get an idea of where they are heading to next?

We’ve taken a screenshot of the message sent to us by the attacker, you can view it in your browser here.

Challenge 4 Image.

Challenge Questions & Answers

1. What is the attacker’s current Twitter handle?

Looking at the provided image, I can see the attacker’s old Twitter handle is “@AikoAbe3”. Performing a search on Twitter for this handle, I can see the attacker’s current Twitter handle is “@SakuraLoverAiko”. I can confirm this because the profile picture matches the one seen in the challenge file above.

Attacker’s Current Twitter Handle.

2. What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

If I look through the tweet history of the attacker’s account, I can see a post about saving their WiFi SSIDs and passwords on the dark web.

Dark Web Tweet.

For this challenge, I decided to use the image provided in the hint, since the dark web site behind this answer may be up or down for hours at a time.

Dark Web Site.

I can see the full URL for the dark web site, with the MD5 hash portion obscured. We can simply append the MD5 hash seen on the website to the URL to obtain the answer.

3. What is the BSSID for the attacker’s Home WiFi?

I can see that the SSID of the attacker’s Home WiFi is “DK1F-G”. I can use the website Wigle.net and perform an advanced search for that SSID to retrieve the BSSID for the attacker’s Home WiFi. Wigle’s data is crowd-sourced from wardriving observations, so a common SSID can match several networks in different places; an unusual SSID like this one is what makes the lookup reliable.

BSSID for the attacker’s Home WiFi.

Task 5: Homebound

Challenge Description

Based on their tweets, it appears our cybercriminal is indeed heading home as they claimed. Their Twitter account seems to have plenty of photos which should allow us to piece together their route back home. If we follow the trail of breadcrumbs they left behind, we should be able to track their movements from one location to the next back all the way to their final destination. Once we can identify their final stops, we can identify which law enforcement organization we should forward our findings to.

Challenge Questions & Answers

1. What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

Looking through the attacker’s Tweet history, I saw a picture they posted of some cherry blossom trees before they boarded their flight home. In the photo, I can see a large white obelisk in the distance that appears to be the Washington Monument.

Twitter Post with Washington Monument.

The closest airport to the Washington Monument is Ronald Reagan Washington National Airport, also known as DCA.

2. What airport did the attacker have their last layover in?

The next tweet from the attacker shows the name of a first class lounge they visited for their final layover.

I can see that the lounge belongs to Japan Airlines (JAL), and a quick Google search for the Sakura Lounge shows that it is located in Tokyo International Airport, Haneda (HND).

3. What lake can be seen in the map shared by the attacker as they were on their final flight home?

The attacker tweeted a satellite image of their home country, which includes a lake.

Satellite Image.

Based on previous tweets, I know the attacker was in Tokyo International Airport, Haneda, before boarding their final flight. Pulling up Google maps for Japan, I searched for similar landmarks and found the same island and lake as seen above in the tweet.

Japan Google Maps.

Zooming in on the lake, I can see its name.

Lake Name.

4. What city does the attacker likely consider “home”?

Using the information I have collected so far throughout the investigation, I know that the attacker is Japanese and lives somewhere in northern Japan. Looking at the list of WiFi SSIDs from earlier, I can see that there is an SSID called “HIROSAKI_Free_Wi-Fi”.

List of SSIDs.

Hirosaki is the name of a city in northern Japan and is the answer for this challenge.

Hirosaki, Japan.

Final Thoughts

I really enjoyed working through this room and getting the opportunity to learn more about OSINT techniques. The challenge had a nice progression and I learned a lot about gathering information by analyzing photos and social media accounts. Thank you for reading till the end and keep hacking 😄!
