OSINTDojo Sakura - TryHackMe Room
For my Samurai badge I decided to write about Sakura and the steps I took to solve the OSINT Dojo challenge.
Are you ready to begin?
answer: Let's Go!
What username does the attacker go by?
In this task I opened the following URL: https://raw.githubusercontent.com/OsintDojo/OsintDojo.github.io/d846483eb41dd4fdb6d00ac84ecdb4a66be6a191/TryHackMe/Sakura/sakurapwnedletter.svg
and looked at its source (view-source:https://raw.githubusercontent.com/OsintDojo/OsintDojo.github.io/d846483eb41dd4fdb6d00ac84ecdb4a66be6a191/TryHackMe/Sakura/sakurapwnedletter.svg). An SVG is plain XML, and Inkscape stores the last export path inside the document, so I found the following attribute containing the hacker's local account name: inkscape:export-filename="/home/SakuraSnowAngelAiko/Desktop/pwnedletter.png"
anwser: SakuraSnowAngelAiko
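To make this step repeatable on any SVG, here is an added Python example (it is not part of the original writeup or of the room): it parses the XML, collects every attribute that lives in an editor namespace (Inkscape and sodipodi), and extracts account names from any home-directory paths it finds. The SVG it runs on is a constructed sample with a made-up user name, not the room's letter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample SVG (not the room's real letter): Inkscape writes the last
# export path into the document as an attribute, and that path carries the
# local account name.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     width="200" height="100"
     inkscape:version="1.0"
     inkscape:export-filename="/home/exampleuser/Desktop/letter.png"
     sodipodi:docname="letter.svg">
  <text x="10" y="50">hello</text>
</svg>
"""

# Namespaces that graphics editors use for their own bookkeeping attributes.
EDITOR_NAMESPACES = {
    "http://www.inkscape.org/namespaces/inkscape": "inkscape",
    "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd": "sodipodi",
}

# Home-directory layouts whose second path component is the account name.
UNIX_HOME_RE = re.compile(r"^/(?:home|Users)/([^/]+)/")
WINDOWS_HOME_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")


def editor_metadata(svg_text):
    """Collect every attribute in an editor namespace, anywhere in the tree.

    Returns {"inkscape:export-filename": "/home/...", ...}; plain SVG
    attributes (width, x, ...) are ignored because they carry no author data.
    """
    data = svg_text.encode("utf-8") if isinstance(svg_text, str) else svg_text
    root = ET.fromstring(data)
    found = {}
    for elem in root.iter():
        for qname, value in elem.attrib.items():
            if not qname.startswith("{"):
                continue  # un-namespaced attribute, e.g. width
            namespace, local = qname[1:].split("}", 1)
            prefix = EDITOR_NAMESPACES.get(namespace)
            if prefix:
                found[f"{prefix}:{local}"] = value
    return found


def usernames_from_paths(metadata):
    """Pull account names out of any file-system paths found in the metadata."""
    users = set()
    for value in metadata.values():
        for pattern in (UNIX_HOME_RE, WINDOWS_HOME_RE):
            match = pattern.match(value)
            if match:
                users.add(match.group(1))
    return sorted(users)


if __name__ == "__main__":
    meta = editor_metadata(SAMPLE_SVG)
    for key, value in meta.items():
        print(f"{key} = {value}")
    print("candidate usernames:", usernames_from_paths(meta))
```

Run it against a downloaded SVG by reading the file and passing its contents to editor_metadata(); the same walk also surfaces sodipodi:docname and inkscape:version, which are useful for fingerprinting the author's tooling.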
What is the full email address used by the attacker?
Using the username found previously (SakuraSnowAngelAiko) I ran a username correlation with https://whatsmyname.app/ and found the hacker's GitHub profile.
I then opened https://github.com/SakuraSnowAngelAiko and the PGP repository https://github.com/sakurasnowangelaiko/PGP.
I imported the PGP key into Mailvelope and was able to see the hacker's email: the User ID packet of a PGP public key carries the name and email address the key was generated with.
answer: SakuraSnowAngel83@protonmail.com
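Mailvelope shows the User ID, but the same information can be pulled from the key without importing it into anything. The following is an added Python example (not part of the original writeup and not the room's key): it strips the ASCII armor, walks the OpenPGP packets (old- and new-format headers, RFC 4880), and returns the User ID strings and the email addresses inside them. The key it runs on is a constructed sample with a dummy key packet and a made-up address.

```python
import base64
import re

USER_ID_TAG = 13  # OpenPGP packet tag for a User ID ("Name <email>")
EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets):
    """Wrap raw packets in a PGP PUBLIC KEY BLOCK; used here only to build the sample."""
    raw = b"".join(packets)
    body = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([
        "-----BEGIN PGP PUBLIC KEY BLOCK-----",
        "Comment: constructed sample, not a real key",
        "",
        *[body[i:i + 64] for i in range(0, len(body), 64)],
        "=" + crc,
        "-----END PGP PUBLIC KEY BLOCK-----",
    ])


def dearmor(armored):
    """Return the packet bytes inside an ASCII-armored block.

    Armor headers contain ':' and the checksum line starts with '=', neither of
    which can occur at those positions in base64 data, so both are skipped.
    """
    in_block, chunks = False, []
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif line.startswith("-----END PGP"):
            break
        elif in_block and line and ":" not in line and not line.startswith("="):
            chunks.append(line)
    if not chunks:
        raise ValueError("no armored PGP data found")
    return base64.b64decode("".join(chunks))


def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, definite lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-field size in low 2 bits
            tag = (ctb >> 2) & 0x0F
            size = ctb & 0x03
            if size == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << size
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def user_ids(armored):
    """All User ID strings in the key, in the order they appear."""
    return [body.decode("utf-8", "replace")
            for tag, body in iter_packets(dearmor(armored)) if tag == USER_ID_TAG]


def emails(armored):
    """Just the email addresses, taken from the <...> part of each User ID."""
    return [m.group(1) for uid in user_ids(armored) for m in [EMAIL_RE.search(uid)] if m]


# Constructed sample: a dummy public-key packet (old-format header, tag 6) whose
# body is not a real key, followed by one User ID packet (new-format header, tag 13).
_DUMMY_KEY_BODY = b"\x04\x00\x00\x00\x00\x01"
_UID = b"Example Person <example@example.invalid>"
SAMPLE_ARMORED = armor([
    bytes([0x80 | (6 << 2), len(_DUMMY_KEY_BODY)]) + _DUMMY_KEY_BODY,
    bytes([0xC0 | USER_ID_TAG, len(_UID)]) + _UID,
])

if __name__ == "__main__":
    print(user_ids(SAMPLE_ARMORED))
    print(emails(SAMPLE_ARMORED))
```

For a real key, read the .asc file and pass its text to emails(); keys with several User IDs (common when someone has rotated addresses) come back in order, and the older addresses are often the more interesting pivot.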
What is the attacker's full real name?
Also using the username found previously, I was able to locate via Google a LinkedIn profile of the hacker, https://www.linkedin.com/in/sakurasnowangelaiko/?originalSubdomain=jp, and obtain her full name.
answer: Aiko Abe
What cryptocurrency does the attacker own a cryptocurrency wallet for?
I looked into the GitHub account found previously and found a repository named ETH, which stands for Ethereum.
answer: Ethereum
What is the attacker's cryptocurrency wallet address?
In the same GitHub account, in the same ETH repository, I looked at the file history and noticed the wallet address in this commit:
https://github.com/sakurasnowangelaiko/ETH/commit/5d83f7bb37c2048bb5b9eb29bb95ec1603c40135#diff-ed62f5e8bb5f88d470bd6a8aa3cf3c18ad1be17b29153b4896f45e7e57cfb5da
answer: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
What mining pool did the attacker receive payments from on January 23, 2021 UTC?
Using the same commit URL mentioned above, https://github.com/sakurasnowangelaiko/ETH/commit/5d83f7bb37c2048bb5b9eb29bb95ec1603c40135#diff-ed62f5e8bb5f88d470bd6a8aa3cf3c18ad1be17b29153b4896f45e7e57cfb5da
we can see the mining pool the hacker used.
answer: Ethermine
What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?
In this section I purely guessed, since I am not really experienced in crypto OSINT; I ended up searching for some cryptocurrencies on Google and found the currency.
answer: Tether
What is the attacker's current Twitter handle?
In this section we are given an image containing the username @AikoAbe3, so I decided to search Twitter for that username and came across her profile: https://twitter.com/SakuraLoverAiko
answer: SakuraLoverAiko
What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?
In this section I used the hint tab because I didn't want to go onto the dark net. Opening the URL from the hint, https://ibb.co/1rHfgVb, I saw another URL for a .onion website.
The location of the saved WiFi SSIDs and passwords is http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74, based on the image and on the md5 value mentioned on the website.
answer: http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74
What is the BSSID for the attacker's Home WiFi?
From the information collected in the question above (http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74) we can see an SSID named DK1F-G, which is the hacker's home WiFi.
I took that SSID, DK1F-G, and used WiGLE to find the MAC address (BSSID) of the access point.
answer: 84:af:ec:34:fc:f8
What airport is closest to the location the attacker shared a photo from prior to getting on their flight?
From the Twitter account I found, I located this picture, https://twitter.com/SakuraLoverAiko/status/1353471045148110848, reverse image searched the buildings around it, and looked for the nearest airport.
answer: DCA
What airport did the attacker have their last layover in?
On Twitter the attacker said this picture was from her last layover, https://twitter.com/SakuraLoverAiko/status/1353717763097899010/photo/1, so I decided to run a reverse image search and look for the airport.
answer: HND
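Reverse image search gives you a place; turning that place into "the closest airport" for both of the airport questions above is a distance calculation. The following is an added Python example (not part of the original writeup): it ranks airports by great-circle distance from a geolocated point using the haversine formula. The airport table is a constructed subset with public coordinates, and the photo locations used to demonstrate it are assumed points in central Washington, DC and central Tokyo, not coordinates taken from the room.

```python
import math

# Constructed reference table of airports with their public coordinates
# (decimal degrees). A real run would load a full airport dataset instead.
AIRPORTS = {
    "DCA": (38.8521, -77.0377),
    "IAD": (38.9531, -77.4565),
    "BWI": (39.1754, -76.6683),
    "HND": (35.5494, 139.7798),
    "NRT": (35.7720, 140.3929),
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def nearest_airports(point, table=AIRPORTS, n=3):
    """Rank airports by distance from the geolocated point; returns [(code, km), ...]."""
    ranked = sorted((haversine_km(point, coord), code) for code, coord in table.items())
    return [(code, round(km, 1)) for km, code in ranked[:n]]


if __name__ == "__main__":
    # Assumed photo locations for illustration only: central Washington, DC
    # and central Tokyo.
    for label, point in (("DC", (38.8895, -77.0353)), ("Tokyo", (35.6812, 139.7671))):
        print(label, nearest_airports(point))
```

Keep the runner-up distances in view: when the top two airports are within a few kilometres of each other the photo alone does not settle the question, and you need another clue (airline, terminal signage, flight time) from the same post.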
What lake can be seen in the map shared by the attacker as they were on their final flight home?
On Twitter we have a picture of a lake in this post, https://twitter.com/SakuraLoverAiko/status/1353733617487241217/photo/1; I reverse image searched it, looked on Google for a lake near this location, and found it.
answer: Lake Inawashiro
What city does the attacker likely consider "home"?
This was funny: I found this answer in the URL with the attacker's SSIDs and passwords, where one of the entries says City Free Wifi.
answer: Hirosaki