TryHackMe — Sakura Room

Use a variety of OSINT techniques to solve this room created by the OSINT Dojo.

Link to room HERE.

“The OSINT Dojo recently found themselves the victim of a cyber attack. It seems that there is no major damage, and there does not appear to be any other significant indicators of compromise on any of our systems. However during forensic analysis our admins found an image left behind by the cybercriminals. Perhaps it contains some clues that could allow us to determine who the attackers were?

We’ve copied the image left by the attacker, you can view it in your browser here.”

Oh no! lol.

OK, so I see a bunch of binary in the background; maybe that can be translated to something. I'll start by checking out the metadata, though.

Question 1: What username does the attacker go by?

If you view the page source, you can see some info about the file:

The file path shows a user named “SakuraSnowAngelAiko”.

Question 2: What is the full email address used by the attacker?

After searching for that username with Google, I found a couple hits:

For the LinkedIn profile, we can see “Aiko Abe” has this username:

I don’t see her email here under the contact info, though. I searched a couple of other places for her username. I did find a GitHub page with a bitcoin miner and a few other things:

So finding the email was actually pretty tough, and it took me a while to figure out. I ended up going on a bunch of wild goose chases in random directions, but then ended up back where I started because I didn’t look closely enough to begin with.

You can see from her GitHub page that she has her PGP public key posted.

You can find a website that will decode the packets inside that key, like this one HERE. Paste the whole armored key block in, and in the User ID Packet section you will find her email, since the User ID packet is where an OpenPGP key carries the owner's name and email address:
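The web decoder is doing the same thing as the following added example, which is not code from the write-up or the room: it strips the ASCII armor, verifies the CRC-24, walks the RFC 4880 packet headers (both old- and new-format encodings) and returns the User ID packets (tag 13), then pulls the email address out of each one. The key it parses is a dummy the script builds itself and is labelled as constructed; the public-key packet body is a placeholder, not real key material, so nothing here is the attacker's key.

```python
import base64
import re

PUBLIC_KEY, USER_ID = 6, 13   # RFC 4880 packet tags used below


def crc24(data: bytes) -> int:
    """CRC-24 that closes an OpenPGP armor block (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header: 10 tttt ll, then a 1-, 2- or 4-byte length."""
    n = len(body)
    ltype, size = (0, 1) if n < 0x100 else (1, 2) if n < 0x10000 else (2, 4)
    return bytes([0x80 | (tag << 2) | ltype]) + n.to_bytes(size, "big") + body


def new_packet(tag: int, body: bytes) -> bytes:
    """New-format header: 11 tttttt, then a 1- or 5-byte length (2-byte form omitted)."""
    n = len(body)
    length = bytes([n]) if n < 192 else b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """ASCII-armor raw packets, including the trailing =CRC24 line."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----",
                      "Comment: constructed sample, not a real key", "",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "=" + crc, f"-----END PGP {kind}-----"])


def dearmor(armored: str) -> bytes:
    """Strip the armor, verify the CRC-24 and return the raw packet bytes."""
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if checksum is not None and crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor CRC-24 mismatch: the pasted key is corrupted")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte {ctb:#x} at offset {i}")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate: runs to end of data
                length, hdr = len(data) - i - 1, 1
            else:
                size = (1, 2, 4)[ltype]
                length, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def user_ids(armored: str) -> list:
    """Every User ID string (tag 13 packet) in an armored key."""
    return [body.decode("utf-8") for tag, body in iter_packets(dearmor(armored)) if tag == USER_ID]


def emails(armored: str) -> list:
    """The <address> part of each User ID, in key order."""
    found = (re.search(r"<([^<>\s]+@[^<>\s]+)>", uid) for uid in user_ids(armored))
    return [m.group(1) for m in found if m]


# Constructed sample: an opaque dummy public-key packet (not real key material)
# followed by two User IDs, one with an old-format and one with a new-format header.
SAMPLE_KEY = armor(
    old_packet(PUBLIC_KEY, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00" * 2)
    + old_packet(USER_ID, "Example User (constructed) <user@example.invalid>".encode())
    + new_packet(USER_ID, "Example User <alt@example.invalid>".encode())
)

if __name__ == "__main__":
    print("User IDs:", user_ids(SAMPLE_KEY), "\ne-mails:", emails(SAMPLE_KEY))
```

Real keys also carry self-signature and subkey packets between the User IDs; the parser skips them by tag, so the same `user_ids()` call works on a key copied from a GitHub profile. A CRC mismatch usually means the paste lost or mangled a line, so check that before trusting anything the decoder prints.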

Question 3: What is the attacker's full real name?

Looks like we already found that earlier!

Question 4: What cryptocurrency does the attacker own a cryptocurrency wallet for?

She has a bunch of cryptocurrency stuff on her GitHub page. In her “ETH” repository, you can see this:

So the answer is Ethereum.

Question 5: What is the attacker’s cryptocurrency wallet address?

On that same page, in the upper right-hand corner, you can see a small History link. Click it and you will see the file's commit history:

If you click on either entry, you can see that the file was edited to remove the personal information we are looking for; the removed lines are still visible in the commit diff:

The address we need is:

“0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef”

Question 6: What mining pool did the attacker receive payments from on January 23, 2021 UTC?

From here I looked up her wallet HERE and started looking through the transactions. If you sort the transactions by date, you can see that on January 23rd (UTC) she received payments from Ethermine:

Question 7: What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

If you look at the bottom of the main transactions page again, you will see some outgoing transactions:

Looks like she was exchanging Tether:
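Both of the last two questions, the mining-pool payouts on a given UTC date and the tokens the wallet exchanged, come down to filtering a transaction listing by date and counterparty. The script below does that offline as an added example; it is not from the write-up or the room. The records are constructed, and the field names (`timeStamp`, `from`, `to`, `value`, `isError`, `tokenSymbol`, `tokenDecimal`) are assumed to match a block explorer's per-address transaction and ERC-20 transfer exports. It converts every timestamp to a UTC date explicitly (a payout at 23:30 on the 22nd UTC shows as the 23rd in any zone east of UTC, so the date boundary matters), compares addresses case-insensitively, drops failed transactions and sums token flows per symbol. Because the pool, exchange and token data are made up, it does not identify Ethermine; it shows the checks to apply to the real explorer output.

```python
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

WALLET = "0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef"   # address quoted in the write-up

# Constructed counterparties and records (not the real wallet's history).
# Field names mirror a block explorer's "normal transactions" and "ERC-20
# transfers" listings; timeStamp is Unix seconds, value is in base units.
POOL_A = "0x000000000000000000000000000000000000aaaa"   # constructed mining-pool address
POOL_B = "0x000000000000000000000000000000000000bbbb"   # constructed second pool
DEX = "0x000000000000000000000000000000000000dddd"      # constructed exchange contract

NORMAL_TXS = [
    # 2021-01-22 23:30 UTC: shows as the 23rd in any zone east of UTC, but not in UTC
    {"hash": "0x01", "timeStamp": "1611358200", "from": POOL_B, "to": WALLET, "value": "40000000000000000", "isError": "0"},
    # 2021-01-23 00:00 and 14:00 UTC: two payouts from pool A
    {"hash": "0x02", "timeStamp": "1611360000", "from": POOL_A, "to": WALLET, "value": "50000000000000000", "isError": "0"},
    {"hash": "0x03", "timeStamp": "1611410400", "from": POOL_A, "to": WALLET, "value": "60000000000000000", "isError": "0"},
    # 2021-01-24 02:00 UTC: still the 23rd in US time zones, but not in UTC
    {"hash": "0x04", "timeStamp": "1611453600", "from": POOL_B, "to": WALLET, "value": "70000000000000000", "isError": "0"},
    # outgoing ETH to the exchange contract, and a failed tx that must not count
    {"hash": "0x05", "timeStamp": "1611500000", "from": WALLET, "to": DEX, "value": "100000000000000000", "isError": "0"},
    {"hash": "0x06", "timeStamp": "1611400000", "from": POOL_A, "to": WALLET, "value": "99000000000000000", "isError": "1"},
]
TOKEN_TXS = [
    {"hash": "0x05", "timeStamp": "1611500000", "from": DEX, "to": WALLET, "tokenSymbol": "USDT", "value": "150000000", "tokenDecimal": "6"},
    {"hash": "0x07", "timeStamp": "1611600000", "from": WALLET, "to": DEX, "tokenSymbol": "USDT", "value": "50000000", "tokenDecimal": "6"},
    {"hash": "0x08", "timeStamp": "1611700000", "from": DEX, "to": WALLET, "tokenSymbol": "DAI", "value": "25000000000000000000", "tokenDecimal": "18"},
]


def utc_date(ts: str) -> str:
    """Unix seconds -> YYYY-MM-DD in UTC, so the date matches the question's wording."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d")


def same_address(a: str, b: str) -> bool:
    """Hex addresses are case-insensitive (mixed case is only a checksum), so compare lowered."""
    return a.lower() == b.lower()


def format_units(base_units: int, decimals: int) -> str:
    """Exact conversion from base units (wei, or 10^-decimals token units) to a decimal string."""
    return str(Decimal(base_units) / Decimal(10 ** decimals))


def incoming_by_sender(txs: list, wallet: str, date: str) -> dict:
    """Wei received per sender on one UTC date; failed and outgoing txs are skipped."""
    totals = defaultdict(int)
    for tx in txs:
        if tx.get("isError", "0") != "0" or not same_address(tx["to"], wallet):
            continue
        if utc_date(tx["timeStamp"]) == date:
            totals[tx["from"].lower()] += int(tx["value"])
    return dict(totals)


def token_flows(token_txs: list, wallet: str) -> dict:
    """Per token symbol, how much was received and sent, as exact decimal strings."""
    flows, decimals = defaultdict(lambda: {"in": 0, "out": 0}), {}
    for tx in token_txs:
        sym = tx["tokenSymbol"]
        decimals[sym] = int(tx["tokenDecimal"])
        if same_address(tx["to"], wallet):
            flows[sym]["in"] += int(tx["value"])
        elif same_address(tx["from"], wallet):
            flows[sym]["out"] += int(tx["value"])
    return {sym: {k: format_units(v, decimals[sym]) for k, v in f.items()} for sym, f in flows.items()}


if __name__ == "__main__":
    for sender, wei in incoming_by_sender(NORMAL_TXS, WALLET, "2021-01-23").items():
        print(f"2021-01-23 UTC: {format_units(wei, 18)} ETH from {sender}")
    print("token flows:", token_flows(TOKEN_TXS, WALLET))
```

Run against the sample, only pool A is credited on 2021-01-23 UTC; pool B's two payouts fall on the 22nd and the 24th once the timestamps are read in UTC, which is exactly the mistake an explorer rendering local time invites. The token summary lists every symbol that ever moved through the wallet, so on real data it answers the "what else was exchanged" question in one pass.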

Question 8: What is the attacker’s current Twitter handle?

We are given an image of the attacker taunting OSINT Dojo on their Twitter account:

You can see the Twitter handle, “AikoAbe3”, in the top-right corner. You can search Twitter to pull up her profile:

...which will show you that she has changed it to “SakuraLoverAiko”

Question 9: What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

Using the two different usernames found on the Twitter account, I found an empty TikTok profile:

Then I found a profile on Hackernoon, which redirected to nowhere. She may have had a profile here in the past.

There are various photos of cherry blossom stuff on the rest of her page, but then at the bottom she mentions this:

Looks like we are taking a journey to the dark web…

OK, so I’m not actually familiar with much Dark Web stuff, but I am slowly learning. Apparently there is a pastebin-type service you can find on there that lets you anonymously store stuff, called DeepPaste, seen here:

That code she posted is actually an MD5 hash. You can find the paste by navigating here:

Question 10: What is the BSSID for the attacker's Home WiFi?

If you look a little closer, you can see specifics about her home WiFi:

On her Twitter, she posts a picture of this during her travels:

This is Japan:

In her other WiFi details there is a mention of Hirosaki, which is a city in Japan.

My tactic here will be to use that city as a guide and then use Wigle to search for her specific home WiFi.

I picked a Basic Search:

Then I input her home WiFi SSID and searched:

Here are the results that show her BSSID:

Here is her home:

It is somewhere on this street:

Question 11: What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

Here is the photo:

If you look closely, you can see the Washington Monument in the background. This makes sense because Washington, DC hosts the National Cherry Blossom Festival every spring.

There are a couple of airports around DC, but the one closest to the Washington Monument is Ronald Reagan Washington National Airport, or DCA.

Question 12: What airport did the attacker have their last layover in?

Here is the photo:

After searching for “first class lounge sakura lounge JAL”, I figured out this was a First Class lounge for Japan Airlines, and that there are many of them around the world.

The one at Tokyo Haneda looked like it matched the picture:

Also, here is another picture showing that same little sign:

The code for Haneda airport is HND.

Question 13: What lake can be seen in the map shared by the attacker as they were on their final flight home?

Looking again at that same map picture from earlier, you can see a lake in the middle:

Heading back to Google Maps, we can see that it is called Lake Inawashiro.

Question 14: What city does the attacker likely consider "home"?

We actually answered this earlier with the BSSID question. Her home is likely in Hirosaki.

A fun room! I liked the cryptocurrency stuff because I am not very well-versed in how all that works. Finding the initial email was actually the toughest part for me. I really did not expect to find it nestled in one of her GitHub repos, so I spent a lot of time using more traditional methods and getting frustrated.

You might be noticing I’m doing way more OSINT stuff lately. That’s just kind of where my interests are heading. But I plan to do some more traditional rooms soon. I might try the Year of the Rabbit box on TryHackMe. I’m also planning to participate in Cyber Apocalypse 2021 with HacktheBox, which is an alien-themed CTF!

Happy Hacking ❤
