Sakura Room | OSINT

2024-02-29

TIP-OFF

  • The username was pretty easy to find: viewing the inside of the image provided in a text editor shows something similar to Fig.1.

Image showing the username in the svg file

Fig.1
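
The same check can be run on your own images before publishing them. This is an added example, not part of the original write-up: it lists every attribute or text node in an SVG that holds a home-directory path, together with the account name inside it. The sample file, the function names and the idea that the leak takes the form of a filesystem path are assumptions made for illustration; the write-up does not say which field held the username.

```python
import re
import xml.etree.ElementTree as ET

# Home-directory prefixes on Linux, macOS and Windows; group 1 is the account name.
HOME_PATH = re.compile(r"(?:/home/|/Users/|[A-Za-z]:\\Users\\)([^/\\]+)[/\\]")

# Constructed sample (not the room's file): fields of the kind a vector
# editor can write when saving or exporting a drawing.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     sodipodi:docname="drawing.svg"
     inkscape:export-filename="/home/exampleuser/Desktop/drawing.png">
  <title>C:\Users\Example User\Pictures\drawing.svg</title>
  <rect width="10" height="10"/>
</svg>"""


def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def find_path_leaks(svg_text):
    """Return (element, field, account) for every home-directory path found.

    field is the attribute's local name, or '#text' for element text
    such as the content of <title>.
    """
    leaks = []
    root = ET.fromstring(svg_text)  # for files you did not create, parse with defusedxml
    for el in root.iter():
        fields = [(local(k), v) for k, v in el.attrib.items()]
        fields.append(("#text", el.text or ""))
        for field, value in fields:
            for match in HOME_PATH.finditer(value):
                leaks.append((local(el.tag), field, match.group(1)))
    return leaks


if __name__ == "__main__":
    for element, field, account in find_path_leaks(SAMPLE_SVG):
        print(f"<{element}> {field}: account name '{account}'")
```

Any field it reports can be deleted from the file before it is shared; the drawing itself does not depend on it.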

RECONNAISSANCE

Image showing the email in the pgp key

Fig.2
  • I found Aiko's full name on LinkedIn, which I came across whilst looking at various results in Google.

UNVEIL

  • Most of the questions in UNVEIL are about cryptocurrency. Aiko has 6 repositories in her GitHub for crypto-related things and in one of the repositories we find this commit...

Image showing the crypto deets in the eth repo

Fig.3 Aiko's Crypto Info
  • Let's recap all the information we just acquired!
    • She owns an Ethereum Wallet with the crypto address of 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
    • Her mining pool is Ethermine
    • And from etherscan.io, we know she also exchanged Tether.

TAUNT

  • Searching further with the username we received in TIP-OFF reveals this Twitter account, which has a similar but slightly different username: @sakuraloveraiko.

What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

  • One of the Tweets Aiko made has the words DEEP and PASTE capitalized. Could this be that Tor site I've heard of?

Image showing how I found the website link

Fig.4
  • That was easy, or was it... Even though I found many links to DeepPaste V3, none worked. Until a Reddit post saved the day!

Image showing the dark website

Fig.5
  • All we have to do is enter the MD5 hash from Twitter and we get Aiko's WiFi information.

What is the BSSID for the attacker's Home WiFi?

We need to search for the BSSID and wigle.net is the only site that can help us here. But wigle.net is a site that I could rant endlessly about how shitty (pardon my language) it is. I like how there is a database for BSSIDs but it is very poorly built, and without the help of @ElizabethNoir on Discord, I couldn't have answered it.

HOMEBOUND

What airport did the attacker have their last layover in?

  • Performing a Google Image search on one of the Tweeted images tells me Haneda Airport (HND).

What lake can be seen in the map shared by the attacker as they were on their final flight home?

  • I solved this question with a completely unintended method. Simply looking for lakes in Japan that have the same number of characters as the answer box shows only one lake as an answer (Lake Inawashiro).

What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

  • In one of the Tweets prior to getting on their flight, the Washington Monument is clear as day. The airport closest to Washington was DCA.

What city does the attacker likely consider "home"?

  • Utilizing wigle.net (bad), we can find her home city through her BSSID (Hirosaki).

PERSON OSINT'ED 😎

vipin.b [0x9][Omni]
