TryHackMe — Sakura Walkthrough

v1ntage
7 min read · Dec 31, 2021

Sakura is an OSINT-focused room created by The OSINT Dojo. The room is designed to test a variety of OSINT techniques, such as social media analysis, blockchain analysis, and geospatial intelligence.

Task 2

Question 2: What username does the attacker go by?

By clicking on the image provided, we can check the page source to see if there are any details that we are interested in. Right-click the image and click "View page source". We can see a lot of metadata, such as the software used to create the image, as well as the file path it was saved to, which contains a username of our target.

SakuraSnowAiko
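As an added example (not part of the original walkthrough or the room's files), the script below does the same check programmatically: it walks the JPEG marker segments, pulls out the embedded XMP packet, and reports the creator tool plus any filesystem paths and home-directory usernames it finds. The sample image and its XMP packet are constructed inline; "exampleuser" and the path are placeholders, not values from the room.

```python
import re
import struct
import xml.etree.ElementTree as ET
from typing import Optional

XMP_NS = "http://ns.adobe.com/xap/1.0/"
XMP_APP1_SIGNATURE = XMP_NS.encode() + b"\x00"   # prefix of an APP1 segment that carries XMP

# Constructed sample XMP packet, shaped like what an image editor writes on save.
# The username and path are placeholders, not taken from any real image.
SAMPLE_XMP = """<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
    xmp:CreatorTool="GIMP 2.10">
   <xmpMM:History>
    <rdf:Seq>
     <rdf:li stEvt:action="saved" stEvt:softwareAgent="GIMP 2.10 (Linux)"
             stEvt:changed="/home/exampleuser/Desktop/key.png"/>
    </rdf:Seq>
   </xmpMM:History>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""


def build_sample_jpeg(xmp_xml: bytes) -> bytes:
    """Constructed sample: a minimal JPEG skeleton (SOI, one APP1 segment with XMP, EOI).
    It carries no picture data; it only exercises the segment walker below."""
    payload = XMP_APP1_SIGNATURE + xmp_xml
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # length includes itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each segment before the scan data.
    APPn metadata always precedes SOS, so we stop at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no more metadata segments
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_xmp(data: bytes) -> Optional[str]:
    """Return the XMP packet text from the first APP1/XMP segment, or None."""
    for marker, payload in iter_jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_APP1_SIGNATURE):
            return payload[len(XMP_APP1_SIGNATURE):].decode("utf-8")
    return None


# Linux, macOS and Windows home-directory paths; group 1 of USER_RE is the account name.
PATH_RE = re.compile(r"(?:/home/|/Users/|[A-Za-z]:\\Users\\)[^\s\"'<>]+")
USER_RE = re.compile(r"(?:/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\\s\"'<>]+)")


def find_leaks(xmp: str) -> dict:
    """Scan every attribute and text node in the XMP tree, since editors differ in
    which field ends up holding the saved-to path."""
    root = ET.fromstring(xmp)
    creator = None
    paths, users = [], []
    for el in root.iter():
        creator = creator or el.attrib.get(f"{{{XMP_NS}}}CreatorTool")
        values = list(el.attrib.values())
        if el.text and el.text.strip():
            values.append(el.text.strip())
        for value in values:
            paths.extend(PATH_RE.findall(value))
            for user in USER_RE.findall(value):
                if user not in users:
                    users.append(user)
    return {"creator_tool": creator, "paths": paths, "usernames": users}


def audit_image(data: bytes) -> dict:
    """Convenience wrapper: metadata leaks for a JPEG byte string (empty result if no XMP)."""
    xmp = extract_xmp(data)
    if xmp is None:
        return {"creator_tool": None, "paths": [], "usernames": []}
    return find_leaks(xmp)


if __name__ == "__main__":
    print(audit_image(build_sample_jpeg(SAMPLE_XMP.encode("utf-8"))))
```

The same walker works on a real file (`audit_image(open("photo.jpg", "rb").read())`), which makes it a quick pre-publication check: if `usernames` or `paths` come back non-empty, the image is leaking the same kind of detail this task relies on.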

Task 3

Question 3: What is the full email address used by the attacker?

There are many ways to find matching usernames on other platforms, such as using a search engine or specialized tools. For this task, we will be using SpiderFoot. Just type the username in the Seed Target field and let it run.

After a few minutes, we get one result for a GitHub account belonging to our target. Navigating to that account, we can see some repositories.

The one that we are interested in is the PGP repo, as we are looking for an email address.

We then copy the entire public key block to our local machine and save it as a .asc file. We can extract the target’s email address by using PGP software such as Kleopatra or the gpg command on Linux.

SakuraSnowAngel83@protonmail[.]com
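For readers who want to see what gpg or Kleopatra is actually reading out of that .asc file, here is an added example (my own illustration, not code from the room or from any PGP tool): it strips the ASCII armor, verifies the CRC24 checksum, walks the OpenPGP packets, and pulls the User ID packets, which is where the name and email live. The key it parses is constructed inline from placeholder packets (the public-key material is dummy bytes), so the address "exampleuser@example.com" is not a real one.

```python
import base64
import re
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ALGORITHMS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880 / RFC 6637 ids


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a one-byte body length (body must be < 256 bytes)."""
    assert 0 < len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


def armor(raw: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw packets in ASCII armor with a checksum line, as gpg --export --armor does."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed sample", ""]
                     + lines + ["=" + crc, f"-----END PGP {kind}-----"])


def dearmor(text: str) -> bytes:
    """Reverse of armor(): skip armor headers, base64-decode, and check the CRC24 line."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored PGP block")
    body = lines[1:-1]
    i = 0
    while i < len(body) and body[i].strip():   # "Key: Value" headers end at the blank line
        i += 1
    data_lines, crc_line = [], None
    for line in body[i + 1:]:
        line = line.strip()
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            data_lines.append(line)
    raw = base64.b64decode("".join(data_lines))
    if crc_line is not None and crc24(raw) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC24 mismatch: block was altered or truncated")
    return raw


def iter_packets(raw: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(raw):
        ctb = raw[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos}")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, raw[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + raw[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(raw[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported in this example")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            n = 1 << ltype                               # 1-, 2- or 4-byte length
            length, hdr = int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, raw[pos + hdr:pos + hdr + length]
        pos += hdr + length


def user_ids(raw: bytes):
    """User ID packets (tag 13) hold the 'Name <email>' strings shown by gpg --show-keys."""
    return [body.decode("utf-8") for tag, body in iter_packets(raw) if tag == 13]


def key_emails(armored: str):
    return [m.group(1) for uid in user_ids(dearmor(armored))
            for m in [re.search(r"<([^<>@\s]+@[^<>@\s]+)>", uid)] if m]


def public_key_info(raw: bytes) -> dict:
    """Version, creation time and algorithm from the public-key packet (tag 6)."""
    for tag, body in iter_packets(raw):
        if tag == 6:
            return {"version": body[0], "created": struct.unpack(">I", body[1:5])[0],
                    "algorithm": ALGORITHMS.get(body[5], f"unknown({body[5]})")}
    raise ValueError("no public-key packet found")


# Constructed sample key: v4 RSA public-key packet with dummy key material,
# one User ID packet, and a placeholder signature packet (tag 2).
SAMPLE_PACKETS = (
    old_packet(6, b"\x04" + struct.pack(">I", 1609459200) + b"\x01" + b"\x00" * 8)
    + old_packet(13, b"Example User <exampleuser@example.com>")
    + old_packet(2, b"\x04\x13" + b"\x00" * 6)
)
SAMPLE_KEY = armor(SAMPLE_PACKETS)

if __name__ == "__main__":
    print(public_key_info(dearmor(SAMPLE_KEY)), key_emails(SAMPLE_KEY))
```

Two things worth noticing: the email is stored in plain text in the User ID packet, so anyone who obtains the public key gets it, and the CRC line only detects accidental corruption, not tampering, which is why key fingerprints, not checksums, are what you verify out of band.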

Question 4: What is the attacker’s full real name?

Searching the target’s username on Google will give us a result for a LinkedIn profile, complete with the target’s full name.

Aiko Abe

Task 4

Question 5: What cryptocurrency does the attacker own a cryptocurrency wallet for?

Question 6: What is the attacker’s cryptocurrency wallet address?

There are a few repos related to cryptocurrency, but the one that we are after is the ETH repo. Looking at the repo, there is a file called miningscript which contains only one line.

There are two commits on this file, indicating that it has been edited. Clicking on the first commit, we can see the wallet address.

Ethereum

0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

Question 7: What mining pool did the attacker receive payments from on January 23, 2021 UTC?

We can use a blockchain explorer to view the public transactions of this wallet. For this, we will be using Etherscan, as the wallet is an Ethereum wallet. Just type in the address and we can see the transaction history.

Looking at the history, we can find one transaction that happened on January 23, 2021. In the From field, we can see where the funds came from.

Ethermine

Question 8: What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

The flag for this question can also be found by looking at the transaction history.

Tether

Task 5

Question 9: What is the attacker’s current Twitter handle?

We have the old Twitter handle of our target, @AikoAbe3, which we got from the image. By searching for it on Google, we can get the new handle. We can also confirm this by looking at the target's tweets.

@SakuraLoverAiko

Question 10: What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

Using the image provided, we can see an MD5 hash and a list of APs with SSIDs and passwords.

http[:]//depasteon6cqgrykzrgya52xglohg5ovyuyhte3ll7hzix7h5ldfqsyd.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74

Question 11: What is the BSSID for the attacker’s Home WiFi?

Using only the provided SSID for the Home WiFi, we can get further information from WiGLE. Just enter the SSID in the search bar.

84:af:ec:34:fc:f8

Task 6

Question 12: What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

There are some clues left for us on our target’s Twitter account about the route they took before going home. The first one is an image of cherry blossoms.

There is a distinctive large white obelisk at the center of the image. We can crop it out and run a reverse image search; we then know that the obelisk is the Washington Monument, located on the National Mall in Washington, DC, United States.

There are three major airports serving Washington, DC: Ronald Reagan Washington National Airport, Washington Dulles International Airport, and Baltimore/Washington International Thurgood Marshall Airport. The one closest to the National Mall is Ronald Reagan Washington National Airport.

DCA

Question 13: What airport did the attacker have their last layover in?

The next image in their Twitter posts is taken in a lounge, probably an airport lounge.

We can run the image through a reverse image search, and we will get a few different websites. The first website is in Japanese and contains an image matching our target’s. Translate the page to English and we get the name of the airport. Then we look up the three-letter airport code for this airport.

HND

Question 14: What lake can be seen in the map shared by the attacker as they were on their final flight home?

The target also tweeted an image of what appears to be a satellite view of the flight path, showing part of the Japanese peninsula. Using Google Maps, we can get the name of the lake.

Lake Inawashiro

Question 15: What city does the attacker likely consider “home”?

Based on Questions 13 and 14, we know that the target is flying north. That gives us the direction, but not the exact city. However, in Question 10, a few other SSIDs were given, including “Home Wifi”. We can check this SSID with WiGLE to find the location. The other SSIDs also happen to be in the same city, which lies in the expected direction.

Hirosaki

Bonus

In Question 3, there is another way to get the email address from GitHub, but it doesn’t always work. First, we need to locate a non-forked repo. For this example, we will choose the IO repo. Next, we need to click on the commit ID, as shown by the red box in the image below.

Then, we need to add .patch to the end of the URL, to load the patch view, like this:

https://github.com/sakurasnowangelaiko/IO/commit/d4778c338b0cbe98da7da6c6fad6d03aad6cff54.patch

The email address that we get is in the form username@users.noreply.github.com. This means that our target has enabled the privacy option that masks the email address, so we can’t see their real email address. Unlucky.

But, if the user didn’t enable this privacy option, we can get the email address. This one is from my repo, for demonstration purposes.
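To turn that .patch trick into a repeatable check on your own repositories, here is an added example (my own, not code from the room or from GitHub): it splits a saved patch series into individual commits, parses each one's mbox-style headers with Python's email module, and flags whether the author address is a real one or GitHub's masked users.noreply.github.com form. The two-commit patch series is constructed inline; the commit ids, names and addresses are placeholders.

```python
import email
import email.policy
import re
from email.utils import parseaddr

GITHUB_NOREPLY = "users.noreply.github.com"

# Constructed sample: two commits in the git format-patch / GitHub ".patch" layout.
# Commit ids, author names and addresses are placeholders, not from any real repository.
SAMPLE_PATCH_SERIES = """\
From 0000000000000000000000000000000000000001 Mon Sep 17 00:00:00 2001
From: Example Dev <12345678+exampledev@users.noreply.github.com>
Date: Fri, 31 Dec 2021 10:00:00 +0000
Subject: [PATCH 1/2] Initial commit

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# hello
--
2.34.1

From 0000000000000000000000000000000000000002 Mon Sep 17 00:00:00 2001
From: Example Dev <exampledev@example.com>
Date: Fri, 31 Dec 2021 11:00:00 +0000
Subject: [PATCH 2/2] Add note

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index e69de29..1111111 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # hello
+A note
--
2.34.1
"""


def split_patches(series: str):
    """Each commit starts with an mbox 'From <sha> <date>' envelope line; split there."""
    parts = re.split(r"(?m)^(?=From [0-9a-f]{40} )", series)
    return [part for part in parts if part.strip()]


def classify_author(patch_text: str) -> dict:
    """Parse the RFC 822-style headers of one patch and classify the From: address."""
    msg = email.message_from_string(patch_text, policy=email.policy.default)
    name, addr = parseaddr(str(msg["From"]))
    local, _, domain = addr.rpartition("@")
    masked = domain.lower() == GITHUB_NOREPLY
    login = None
    if masked:
        # GitHub's masked form is "<id>+<login>@users.noreply.github.com";
        # older accounts may have just "<login>@users.noreply.github.com".
        login = local.split("+", 1)[1] if "+" in local else local
    return {
        "name": name,
        "email": addr,
        "masked": masked,
        "github_login": login,
        "subject": str(msg["Subject"]),
    }


def audit_patch_authors(series: str):
    return [classify_author(patch) for patch in split_patches(series)]


def exposed_addresses(series: str):
    """Real (unmasked) author addresses present in the history, deduplicated."""
    return sorted({a["email"] for a in audit_patch_authors(series) if not a["masked"]})


if __name__ == "__main__":
    for author in audit_patch_authors(SAMPLE_PATCH_SERIES):
        print(author)
    print("exposed:", exposed_addresses(SAMPLE_PATCH_SERIES))
```

Feed it the output of `git format-patch --stdout <range>` (or a downloaded .patch) and `exposed_addresses` lists what anyone can read out of the public history. Note that the masked form still reveals the account login, and that enabling the privacy setting only affects commits made after it is turned on; earlier commits keep whatever address was configured at the time.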
