OSINTDojo Sakura - TryHackMe Room

I decided for my samurai badge to write about sakura and the steps that i have took to resolve the challenge from OSINT Dojo.


Are you ready to begin?

anwser: Let's Go!

Task 2 - TIP-OFF

What username does the attacker go by?

In this task i open the following url https://raw.githubusercontent.com/OsintDojo/OsintDojo.github.io/d846483eb41dd4fdb6d00ac84ecdb4a66be6a191/TryHackMe/Sakura/sakurapwnedletter.svg

and observe that source code view-source:https://raw.githubusercontent.com/OsintDojo/OsintDojo.github.io/d846483eb41dd4fdb6d00ac84ecdb4a66be6a191/TryHackMe/Sakura/sakurapwnedletter.svg and i have found the following path containing the username of hacker "inkscape:export-filename="/home/SakuraSnowAngelAiko/Desktop/pwnedletter.png"

anwser: SakuraSnowAngelAiko


What is the full email address used by the attacker?

Using the username found previusly SakuraSnowAngelAiko i run a username correlation using https://whatsmyname.app/ and i found the hacker github profile.

Then i open the following github https://github.com/SakuraSnowAngelAiko and open the repository of PGP https://github.com/sakurasnowangelaiko/PGP

Then i imported the PGP key into mail velop and has able to see the hacker's email.

answer: SakuraSnowAngel83@protonmail.com

What is the attacker's full real name?

Also using the username found priviusly i was able to locate from google a linkedin profile of the hacker https://www.linkedin.com/in/sakurasnowangelaiko/?originalSubdomain=jp and has able to have is full name.

answer: Aiko Abe

Task 4 - UNVEIL

What cryptocurrency does the attacker own a cryptocurrency wallet for?

I look into the github that we have found privisly and i found a repository named ETH that means Ethereum

answer: Ethereum

What is the attacker's cryptocurrency wallet address?

In the same github that we have found previusly in the same repository ETH i have saw the history of the files and i notice the wallet address:


answer: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

What mining pool did the attacker receive payments from on January 23, 2021 UTC?

Using the same url above mentioned https://github.com/sakurasnowangelaiko/ETH/commit/5d83f7bb37c2048bb5b9eb29bb95ec1603c40135#diff-ed62f5e8bb5f88d470bd6a8aa3cf3c18ad1be17b29153b4896f45e7e57cfb5da

we can see the minning pool that the hacker used.

answer: Ethermine

What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

In this section i purely guess it since im not really experience in crypto OSINT and i ended up searching some crypto in google and i have found the currency.

answer: Tether

Task 5 - TAUNT

What is the attacker's current Twitter handle?

In this section we are given an image containing a username @AikoAbe3 so decided to search in twitter for that username and i came across her profile https://twitter.com/SakuraLoverAiko

answer: SakuraLoverAiko

What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

In this section i use the hint tab because i didnt want it to go to dark net so i open the url that has on the int https://ibb.co/1rHfgVb i saw another url for an .onion website.

The location of the saved Wifi SSIDs and pasword is http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 based on the image and also the md5 result that is mentioned on the website.

answer: http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74

What is the BSSID for the attacker's Home WiFi?

From the information collected in the question above http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 we can see an SSID named DK1F-G that is the hacker home Wifi.

I took that information DK1F-G and use wigle to find their mac address.

answer: 84:af:ec:34:fc:f8


What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

From the twitter that i have found i found this picture https://twitter.com/SakuraLoverAiko/status/1353471045148110848 and i reverse image search the buildings around and look for the nearest airport .

answer: DCA

What airport did the attacker have their last layover in?

From the twitter the attacker said that this picture has her last layover https://twitter.com/SakuraLoverAiko/status/1353717763097899010/photo/1 so i decided to rum a reverse image search and look for the aiport.

answer: HND

What lake can be seen in the map shared by the attacker as they were on their final flight home?

From the twitter we have a picture of a lake in this post https://twitter.com/SakuraLoverAiko/status/1353733617487241217/photo/1 and i reverse image search a look into google for a lake near this location and i have found it.

answer: Lake Inawashiro

What city does the attacker likely consider "home"?

This has funny i found this anwser in the url from the attackers SSIDs and passwords here it says City Free Wifi.

answer: Hirosaki