Conducting basic open source intelligence research on a website.

Link to Room: WebOSINT

This is an OSINT challenge that starts off by focusing on a domain called “RepublicofKoffee.com”.

It should be noted that when this challenge was created, the website related to that domain did not exist.

“…the website doesn’t exist, and if it does by the time you read this, the website in its current form is not our target.”

But even if there is no actual website, there might still be information we can find…

The first task has you look up the domain using Google search:

This mainly pulls up other walkthroughs for the room, both of them fairly recent. I suspect the SANS OSINT conference a couple of weeks earlier inspired a wave of OSINT activity around the web.

Moving on to Task 2, we use a whois lookup to gather more information about the target, which may provide pivot points. This can be done at lookup.icann.org, which queries the registrar over RDAP (the JSON successor to the WHOIS protocol) and shows the raw response alongside the formatted view.

Question #1 What is the name of the company the domain was registered with?

First, look up that domain name using the website in the link above:

After that, we can see that the domain was registered through a registrar called NAMECHEAP INC.

All of this can also be done from the command line with the whois tool if you prefer:

Question #2 What phone number is listed for the registration company? (do not include country code or special characters/spaces)

This answer can be found in the ‘Raw Registrar RDAP Response’ drop down menu of the search results:

Or here:

Question #3 What is the first nameserver listed for the site?

Use those same search results to get this answer:

Question #4 What is listed for the name of the registrant?

Again, using those search results, you can see that the name has actually been “redacted for privacy”.

If you are using the command line, you will see this:

This shows the registrant is using WhoisGuard, the privacy proxy Namecheap bundles with its domains, so the contact fields show the proxy's details rather than the real owner's.

Question #5 What country is listed for the registrant?
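Whether you read the RDAP response in the browser or the whois output in a terminal, the same five fields answer Task 2. Here is an added Python example (mine, not part of the room or the original writeup) that parses a constructed whois-style record and pulls them out, including the "strip the country code and punctuation" step the phone question asks for. The registrar name and the redacted registrant fields mirror what the room shows; the phone number, nameservers and country code are placeholders, not the real record.

```python
import re

# Constructed sample in the shape of what `whois republicofkoffee.com` prints
# for a Namecheap-registered domain behind WhoisGuard. The registrar name and
# the "Redacted for Privacy" fields follow what the room shows; the phone
# number, nameservers and the ZZ country code are placeholders.
SAMPLE_WHOIS = """\
   Domain Name: REPUBLICOFKOFFEE.COM
   Registrar: NAMECHEAP INC
   Registrar Abuse Contact Email: abuse@registrar.example
   Registrar Abuse Contact Phone: +1.5551234567
   Name Server: DNS1.REGISTRAR-SERVERS.EXAMPLE
   Name Server: DNS2.REGISTRAR-SERVERS.EXAMPLE
   Registrant Name: Redacted for Privacy
   Registrant Organization: Privacy service provided by WhoisGuard, Inc.
   Registrant Country: ZZ
>>> Last update of WHOIS database: 2021-01-01T00:00:00Z <<<
"""


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists.

    Lists because keys repeat (several 'Name Server' lines); order is kept so
    the first nameserver is the first one the registry listed. Comment lines
    (%, #, >>>) that registries add are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def local_phone_digits(phone):
    """Answer-format helper: drop the '+<cc>.' prefix WHOIS records use and
    every non-digit, e.g. '+1.5551234567' -> '5551234567'."""
    m = re.fullmatch(r"\+\d{1,3}\.(.+)", phone.strip())
    national = m.group(1) if m else phone
    return re.sub(r"\D", "", national)


def summarize(fields):
    """Pull out the five things Task 2 asks for."""
    def first(key):
        return fields.get(key, [""])[0]

    registrant = first("registrant name")
    return {
        "registrar": first("registrar"),
        "registrar_phone": local_phone_digits(first("registrar abuse contact phone")),
        "first_nameserver": first("name server").lower(),
        "registrant_name": registrant,
        # A privacy proxy such as WhoisGuard replaces the real name with a
        # placeholder; flag it so nobody records "Redacted for Privacy" as a person.
        "registrant_redacted": any(w in registrant.lower() for w in ("redacted", "privacy", "proxy")),
        "registrant_country": first("registrant country"),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{k:20} {v}")
```

Save real output with `whois republicofkoffee.com > koffee.txt` and feed that file to parse_whois; the registry (Verisign for .com) and the registrar both answer, so expect some keys twice and prefer the registrar's copy for contact details.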

Task 3 involves using the Wayback Machine to look into the past. If you use it to search ‘RepublicofKoffee.com’, it shows that there have been 25 captures since 2015.

Question #1 What is the first name of the blog's author?

I started with the oldest snapshot, from December 31st, 2015:

Scroll down and you will see a bunch of blog posts:

We can see that the blog’s author is “Steve”:

Question #2 What city and country was the author writing from?

From the random blog post I picked above, you can see that Steve mentions the city of Gwangju, which is in South Korea:

Question #3 [Research] What is the name (in English) of the temple inside the National Park the author frequently visits?

This question involved reading through Steve’s blog posts, until I found this passage:

Using Google to search ‘Mudeungsan National Park temple’, you should find these results:

You will notice there is a Starbucks quite close to it, so this all checks out.

Here is a picture of the Temple if you’re interested:

Task 4 has us ‘Digging into DNS’ to get some more technical info from the old website, using https://viewdns.info/

Question #1 What was RepublicOfKoffee.com's IP address as of October 2016?

Use the IP History tool for this one:

Question #2 Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?

I used the Reverse IP Lookup tool for this one. It pulled up 97 different domains for this particular IP:

If you check out the hint for the question, it says, “What kind of hosting plan is usually used by websites on a tight budget that don’t have a lot of visitors?”

The answer to that is SHARED web hosting. Click HERE to learn about some other different types.

Question #3 How many times has the IP address changed in the history of the domain?

For this, you can refer back to Question #1:

Count the transitions between different addresses in that table rather than the number of rows: it looks to have changed four times.

In Task 5 we start over with an entirely new domain name.

“Congratulations on making it this far. You’ll need all of the skills you’ve learned so far for this task. All I have for you, is a domain: heat[dot]net”

Question #1 What is the second nameserver listed for the domain?

So these next questions will use all the techniques we have already covered. Let’s start off with the ‘whois’ command:

You can see the second name server down near the bottom.

Question #2 What IP address was the domain listed on as of December 2011?

For this one I used the IP History tool once again:

Question #3 Based on domains that share the same IP, what kind of hosting service is the domain owner using?

Using the current IP, I used the Reverse IP Lookup tool and found that this was also likely SHARED.

Question #4 On what date was the site first captured by the internet archive? (MM/DD/YY format)

Using the Wayback Machine, you can see that this domain was captured over 600 times, starting on June 1st, 1997!

Here is a look back at that day…

Ah yes, wrath, fury, vengeance, madness, and a hunger for glory! Sounds like someone I know…

Question #5 What is the first sentence of the first body paragraph from the final capture of 2001?

Here is the last capture of 2001:

And here is that snapshot:

Question #6 Using your search engine skills, what was the name of the company that was responsible for the original version of the site?

I just searched for the company’s slogan and came up with these results:

Looks like it’s SegaSoft.

Question #7 What does the first header on the site on the last capture of 2010 say?

Here is the last capture of 2010:

Looks like now it’s an HVAC company. You can see the first header here:
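The Wayback Machine questions in Task 3 and Task 5 all reduce to "earliest capture" and "last capture in a given year". The archive exposes its capture index through the CDX API, and the added Python example below (mine, not the room's or the original post's) answers both questions over constructed CDX rows; only the first timestamp matches the date found above, and everything else, digests included, is invented. It also handles the case the calendar view hides: the last capture of a year can be a redirect with no page content.

```python
from datetime import datetime

# Constructed lines in the Wayback Machine CDX API's default text format
# (urlkey timestamp original mimetype statuscode digest length), the kind of
# output https://web.archive.org/cdx/search/cdx?url=heat.net returns. Only the
# earliest timestamp matches the room's "first captured" date; the rest,
# including the digests, are invented.
SAMPLE_CDX = """\
net,heat)/ 19970601000000 http://heat.net:80/ text/html 200 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 4123
net,heat)/ 19980715121500 http://www.heat.net:80/ text/html 200 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 5120
net,heat)/ 20010302090000 http://www.heat.net:80/ text/html 200 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 6001
net,heat)/ 20011126183000 http://www.heat.net:80/ text/html 200 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 6100
net,heat)/ 20020110000000 http://www.heat.net:80/ text/html 200 EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 6200
net,heat)/ 20100105000000 http://www.heat.net:80/ text/html 200 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 9000
net,heat)/ 20101224101010 http://www.heat.net:80/ text/html 200 GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG 9100
net,heat)/ 20101230235959 http://www.heat.net:80/ text/html 302 HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH 0
"""


def parse_cdx(text):
    """One dict per capture; the 14-digit timestamp is YYYYMMDDhhmmss in UTC."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        urlkey, ts, original, mimetype, status, digest, length = line.split()
        rows.append({
            "ts": ts,
            "when": datetime.strptime(ts, "%Y%m%d%H%M%S"),
            "original": original,
            "status": status,
            "mimetype": mimetype,
        })
    return rows


def first_capture(rows):
    return min(rows, key=lambda r: r["when"])


def last_capture_in_year(rows, year, ok_only=False):
    """Newest capture in a calendar year, or None if there were none.

    ok_only=True skips non-200 captures: the Wayback calendar lists redirects
    and errors too, so the "last capture" of a year can be a 302 that shows
    no page content at all.
    """
    hits = [r for r in rows
            if r["when"].year == year and (not ok_only or r["status"] == "200")]
    return max(hits, key=lambda r: r["when"]) if hits else None


def mmddyy(row):
    """The room's answer format for dates."""
    return row["when"].strftime("%m/%d/%y")


def snapshot_url(row):
    """Direct link to the archived page for a CDX row."""
    return f"https://web.archive.org/web/{row['ts']}/{row['original']}"


if __name__ == "__main__":
    rows = parse_cdx(SAMPLE_CDX)
    print("captures:", len(rows))
    print("first:", mmddyy(first_capture(rows)), snapshot_url(first_capture(rows)))
    for year in (2001, 2010):
        print(f"last of {year}:", snapshot_url(last_capture_in_year(rows, year)))
    print("last 200 of 2010:", snapshot_url(last_capture_in_year(rows, 2010, ok_only=True)))
```

For a live run, fetch the CDX URL in the comment (add `&filter=statuscode:200` server-side if you only want real pages) and pass the body to parse_cdx; over 600 rows for heat.net is small enough to process in one go.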

For this next section we will be checking out the website to look for further clues.

Question #1 How many internal links are in the text of the article?

The archived 2010 capture won't do for this; if you're still in it, navigate to the live website in your browser, http://www.heat.net/

Look down on the right side of the home page and there should be some links. Click on “Need to Hire a Commercial Contractor?”

All of the questions in Task 6 will refer to this page.

This one is pretty easy: just look through the text and count the links. You can tell the internal ones by hovering over a link and checking where it leads. If it takes you to another heat.net page (including a relative path such as /something/ or the www.heat.net form of the name), it's internal.

Question #2 How many external links are in the text of the article?

Same idea here, except when you hover over the link, it will show an external location.

Question #3 Website in the article's only external link (that isn't an ad)

When you hovered over the link for the last question, where did it lead you?

Question #4 Try to find the Google Analytics code linked to the site

For this question, right-click anywhere on the page and choose to view the source code.

You want to use Ctrl+F to search for ‘UA-’

This will lead you to the Google Analytics tracking ID. Universal Analytics IDs take the form UA-XXXXXXXX-N; don't confuse them with Google AdSense publisher IDs, which start with ca-pub-.

Question #5 Is the Google Analytics code in use on another website? Yay or nay

You can use https://www.nerdydata.com/ to search the web's page sources for that Google Analytics ID. A tracking ID shared across sites is a classic pivot, since it means one account is collecting both sites' traffic.

Here we can see that only one website is using it:

Question #6 Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay

I assumed this meant the link from heat.net to purchase.org.

You can tell whether a link carries an affiliate code by looking at the URL it leads to. If hovering over it shows a bare ‘www.purchase.org’ with no query string, then no, there are no affiliate codes attached to it.

But if the URL carries extra parameters (a ?ref=, ?tag= or ?aff= style token) or bounces through a tracking domain before landing on the destination, it could be an affiliate link.

I got that graphic from THIS website, which explains affiliate links a bit further if you would like to read more.
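Hovering over links works for one article; for anything bigger you want the same classification in code. The added Python example below (not the room's or the original post's code) runs the Task 6 checks over a constructed page fragment: counting internal versus external links in the article body, separating sponsored links, extracting Google Analytics IDs from the source, and flagging affiliate-style query parameters. heat.net and purchase.org are the hosts the room names; the paths, tracking ID, ad URL and parameter list are invented, and using rel="sponsored" as the ad marker is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed page fragment with the shape of the article the room points at.
# heat.net and purchase.org are the hosts the room names; every path, the
# tracking ID, the ad network and the query parameters are invented.
PAGE_URL = "http://www.heat.net/commercial-contractor/"
SAMPLE_HTML = """
<html><head><title>Need to Hire a Commercial Contractor?</title>
<script>
  ga('create', 'UA-00000000-1', 'auto');
</script>
</head><body>
<nav><a href="/">Home</a></nav>
<article>
<h1>Need to Hire a Commercial Contractor?</h1>
<p>Start with a <a href="/commercial-hvac/">commercial HVAC contractor</a>
who knows the <a href="https://www.heat.net/articles/permits">permit rules</a>
and our <a href="https://heat.net/contact">contact page</a>.
Many buyers compare quotes on <a href="http://www.purchase.org">purchase.org</a>.</p>
<p><a href="https://ads.example/click?aff=1234&amp;utm_source=heat" rel="sponsored">Sponsored</a></p>
</article>
</body></html>
"""


class ArticleLinks(HTMLParser):
    """Collect <a href> inside <article>, the room's 'text of the article'.
    The nav link outside it is deliberately ignored."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "article":
            self.depth += 1
        elif tag == "a" and self.depth and a.get("href"):
            self.links.append((a["href"], a.get("rel") or ""))

    def handle_endtag(self, tag):
        if tag == "article":
            self.depth -= 1


def site_key(host):
    """Crude registrable-domain key so www.heat.net and heat.net both count as
    internal. Last two labels only: fine for .net/.org, wrong for co.uk-style
    suffixes, where a public-suffix list is needed."""
    return ".".join((host or "").lower().split(".")[-2:])


def classify_links(html, page_url):
    base = site_key(urlparse(page_url).hostname)
    parser = ArticleLinks()
    parser.feed(html)
    result = {"internal": [], "external": [], "ads": []}
    for href, rel in parser.links:
        absolute = urljoin(page_url, href)      # resolves relative hrefs like /foo/
        host = urlparse(absolute).hostname
        if site_key(host) == base:
            result["internal"].append(absolute)
        elif "sponsored" in rel.split():        # assumed ad marker; real pages vary
            result["ads"].append(absolute)
        else:
            result["external"].append(absolute)
    return result


# Query parameter names that commonly carry affiliate or tracking tokens.
# This list is an assumption; extend it for the networks you actually meet.
AFFILIATE_PARAMS = {"aff", "affiliate", "affid", "ref", "tag", "partner", "clickid",
                    "utm_source", "utm_medium", "utm_campaign"}


def affiliate_params(url):
    """Affiliate-style parameters on a link; an empty list means a plain pointer."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k.lower() in AFFILIATE_PARAMS)


def analytics_ids(html):
    """Google Analytics property IDs: UA-<account>-<property> (Universal
    Analytics) or G-<measurement id> (GA4). AdSense publisher IDs look like
    ca-pub-<digits> and are deliberately not matched here."""
    return sorted(set(re.findall(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b", html)))


if __name__ == "__main__":
    links = classify_links(SAMPLE_HTML, PAGE_URL)
    for kind, urls in links.items():
        print(kind, len(urls), urls)
    for url in links["external"] + links["ads"]:
        print(url, "affiliate params:", affiliate_params(url))
    print("analytics IDs:", analytics_ids(SAMPLE_HTML))
```

On a real page, fetch the HTML once and run all three functions over it; the same analytics_ids output is what you then feed to nerdydata or a similar source-code search to find other sites sharing the account.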

That concludes Task 6, moving on!

The final challenge…

“Experienced OSINT researchers will tell you that chasing rabbit holes all day and night without being able to make some solid connections is not OSINT.

OSINT refers to the patterns that start to emerge as we connect the dots in the analysis of the data.

Congrats! you found that our target, heat[.]net, links to an interesting external site. A question remains though: Why???

There is no affiliate code in the link, so there is no obvious financial connection between the two. Maybe there’s another kind of connection.

This is your final exam, and there is exactly one question.

Get busy!”

Question #1 Use the tools in Task 4 to confirm the link between the two sites. Try hard to figure it out without the hint.

If you recall back to Task 5 when we used the IP History tool for ‘heat.net’, the owner column shows that its IP address belongs to Liquid Web, L.L.C (a hosting provider; this is who owns the address space, not who owns the domain).

Running the same tool for ‘purchase.org’ reveals that both sites sit on IP space owned by the same company:
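The IP History tool does the heavy lifting in Task 4 and again here in Task 7, so here is an added Python example (mine, not from the room or the original post) of that reasoning applied to constructed records shaped like viewdns.info's output: counting real address changes rather than rows, picking the address in effect on a date, calling a reverse-IP result shared hosting, and comparing two domains' current records. The rows, addresses and every owner name other than Liquid Web are invented, and the shared-hosting threshold is an assumption.

```python
from datetime import date

# Constructed rows in the shape of viewdns.info's IP History table:
# (IP address, location, owner, last seen). Addresses are from the RFC 5737
# documentation ranges and the dates are invented; only the owner name on the
# heat.net and purchase.org rows follows what the room's lookups showed.
KOFFEE_HISTORY = [
    ("203.0.113.5",   "United States", "Hosting Co A",      date(2015, 6, 30)),
    ("203.0.113.9",   "United States", "Hosting Co A",      date(2016, 3, 15)),
    ("203.0.113.40",  "United States", "Hosting Co B",      date(2016, 12, 20)),
    ("203.0.113.40",  "United States", "Hosting Co B",      date(2017, 1, 10)),
    ("203.0.113.9",   "United States", "Hosting Co A",      date(2018, 2, 2)),
    ("198.51.100.77", "Germany",       "Hosting Co C",      date(2020, 9, 9)),
]
HEAT_HISTORY = [
    ("198.51.100.20", "United States", "Some Earlier Host", date(2011, 12, 30)),
    ("192.0.2.14",    "United States", "Liquid Web, L.L.C", date(2021, 4, 4)),
]
PURCHASE_HISTORY = [
    ("192.0.2.99",    "United States", "Liquid Web, L.L.C", date(2021, 4, 4)),
]


def by_date(history):
    return sorted(history, key=lambda row: row[3])


def count_ip_changes(history):
    """How many times the address actually changed, oldest to newest.

    A row that repeats the previous IP is a re-observation, not a change, so
    the answer is not simply len(rows) - 1.
    """
    ips = [row[0] for row in by_date(history)]
    return sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)


def ip_as_of(history, when):
    """Address in effect on a date (date or 'YYYY-MM-DD' string): the oldest
    row whose 'last seen' is on or after it, since that IP was still live
    then. Dates past the newest row get the newest address."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    rows = by_date(history)
    for row in rows:
        if row[3] >= when:
            return row[0]
    return rows[-1][0]


def hosting_kind(domains_on_ip, shared_threshold=20):
    """Reverse-IP heuristic for Task 4 Q2. Dozens of unrelated domains on one
    address is the signature of a shared hosting plan; only the target (or a
    couple of its own names) suggests a VPS or dedicated box. The threshold is
    an assumption, and a CDN or reverse proxy in front of the site breaks it."""
    distinct = {d.lower() for d in domains_on_ip}
    return "shared" if len(distinct) >= shared_threshold else "vps or dedicated"


def relationship(history_a, history_b):
    """Task 7: compare the most recent records of two domains.

    Same IP is the strongest link (same server, often same operator). Same
    owner only says both rent from the same provider, which for a large host
    is weak on its own and needs other signals (links, analytics IDs, timing)."""
    ip_a, _, owner_a, _ = by_date(history_a)[-1]
    ip_b, _, owner_b, _ = by_date(history_b)[-1]
    if ip_a == ip_b:
        return "same IP"
    if owner_a == owner_b:
        return "same provider"
    return "no overlap"


if __name__ == "__main__":
    print("koffee IP changes:", count_ip_changes(KOFFEE_HISTORY))
    print("koffee IP as of Oct 2016:", ip_as_of(KOFFEE_HISTORY, "2016-10-01"))
    print("heat.net IP as of Dec 2011:", ip_as_of(HEAT_HISTORY, "2011-12-01"))
    print("hosting:", hosting_kind([f"site{i}.example" for i in range(97)]))
    print("heat.net vs purchase.org:", relationship(HEAT_HISTORY, PURCHASE_HISTORY))
```

Note what relationship() does and does not prove: two domains on the same big hosting provider is circumstantial, and the room's conclusion rests on combining it with the one-way link and the absence of any affiliate code, not on the hosting record alone.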

After reading the debriefing, we find out that heat.net is not actually a legit website.

“…it’s a good bet that the creators of these two sites make most of their money by functioning as what’s called a private blog network (PBN). PBNs exist for one purpose: to convince the search engine algorithms that another site should rank higher in the search engine results.

…heat[.]net, in its current form is probably not designed for human eyes at all. It is designed primarily to trick the search engines into placing purchase[.]org higher in the search results than it would have otherwise.”

Scandalous.

Happy Hacking!

CTF Writeups to facilitate cyber education.