Sakura Room Walkthrough [THM]

You can find all the tools used in this room and much more here.


TIP-OFF

What username does the attacker go by?

As we start the room, we are told the story of the unfortunate hack OSINT Dojo suffered, for which the only evidence left is a note created by the attacker. We can take a look at the image right here. As we’re told, all files hide precious information called metadata, and images are no exception. Therefore, we should start by taking a look at the bowels of this one.

The first step to analyze the image is to download it, which can easily be done using wget:

wget <link>

Once we have our file we can analyze it using Exiftool or an online tool like Metadata2Go. The command looks like this:

exiftool <file>

Usually, we find the username in a Copyright tag, but in this case, there's none. Taking a closer look at the Export-filename tag, we see it holds a path in which the username can be found.
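Why a path in a tag like Export-filename gives away the account name, as an added example that is not part of the original walkthrough: it scans exiftool-style "Tag : Value" output for home-directory paths and returns the account name in each. The sample output, the path and the name `exampleuser` are constructed placeholders, not the values from the room's image.

```python
import re

# Constructed sample of exiftool-style output; path and account name are
# placeholders, not taken from the room's image.
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name                       : note.svg
File Type                       : SVG
Image Width                     : 116.29175mm
Export-filename                 : /home/exampleuser/Desktop/note.png
"""

# Home-directory layouts on Linux, macOS and Windows. The path segment right
# after the prefix is the local account name.
HOME_PATH = re.compile(
    r"(?:/home/|/Users/|[A-Za-z]:\\Users\\|[A-Za-z]:\\Documents and Settings\\)"
    r"([^/\\]+)"
)

def parse_tags(text):
    """Split 'Tag : Value' lines into (tag, value) pairs."""
    pairs = []
    for line in text.splitlines():
        tag, sep, value = line.partition(" : ")
        if sep:
            pairs.append((tag.strip(), value.strip()))
    return pairs

def leaked_usernames(text):
    """Return {tag: account name} for every tag whose value holds a home path."""
    found = {}
    for tag, value in parse_tags(text):
        match = HOME_PATH.search(value)
        if match:
            found[tag] = match.group(1)
    return found

if __name__ == "__main__":
    for tag, user in leaked_usernames(SAMPLE_EXIFTOOL_OUTPUT).items():
        print(f"{tag}: account name '{user}'")
```

The same check is useful in the other direction: run it over your own files before publishing them to see which tags carry a local path.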

RECONNAISSANCE

What is the full email address used by the attacker?

Whenever I'm prompted with social media tasks, I like to start by using the following tools. I’ve come to realize that these are better when used in combination, so don’t see them as a substitute for each other.

GitHub account found using the attacker's username

For the time being, we’ll focus on analyzing the attacker’s Github account. After looking around, the thing that looks the most useful for this task is the PGP key. If you are not familiar with this term, this is a good article. Basically, we can extract the email from the key, using PGP and Kleopatra. Once the file has been downloaded it can easily be examined, and you should see the answer right away.
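What Kleopatra reads when it shows the email, as an added example that is not part of the original walkthrough: an armored public key is base64-encoded OpenPGP packets, and the identity sits in plain text in a User ID packet (tag 13). The key built in `constructed_key` and the address `user@example.com` are placeholders constructed for the example; the parser skips CRC checking and signature verification.

```python
import base64
import re

def constructed_key():
    """Constructed armored block, not a usable key: dummy tag 6 + User ID."""
    uid = b"Example User <user@example.com>"       # placeholder identity
    raw = bytes([0x98, 4]) + b"\x04\x00\x00\x00"   # old-format header, tag 6
    raw += bytes([0xB4, len(uid)]) + uid           # old-format header, tag 13
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(armored):
    """Strip the armor lines, headers and CRC line, then base64-decode."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:]             # blank line ends the headers
    keep = [l for l in body if l and not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(keep))

def packets(data):
    """Yield (tag, body) for each packet, old and new header formats."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                             # new format: 6-bit tag
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                      # old format: 4-bit tag
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length

def user_id_emails(armored):
    """Return the e-mail addresses found in User ID packets (tag 13)."""
    uids = [b.decode("utf-8", "replace") for t, b in packets(dearmor(armored)) if t == 13]
    return [m for u in uids for m in re.findall(r"<([^<>\s]+@[^<>\s]+)>", u)]
```

Anyone who publishes a public key publishes every User ID on it, so the address chosen at key creation is visible to whoever downloads the key.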

Importing the key

What is the attacker’s full real name?

For this one, we could easily Google the username found in the previous task, and find an account on a site where people usually use their real names.

UNVEIL

What cryptocurrency does the attacker own a cryptocurrency wallet for?

By taking a glimpse at the GitHub repositories we find that most of them have to do with crypto mining. Some of these repos are forks, so we can assume they won’t be the most useful ones.

Forked repositories

We’ll come back to these if we do not find anything useful on the ones created by the attacker. There are multiple ways to find what we are looking for, so it’s safe to say that after a few moments of browsing the site you’ll end up finding this:

What is the attacker’s cryptocurrency wallet address?

This is a template for a file that contains a wallet and a mining pool, but as stated in the room, it was edited to stop us. The good news is that GitHub, being a version control platform, allows us to see all the changes made to the files it hosts. If we scroll to the bottom of the page in the user’s profile, we find this:

If you're not familiar with Git, a commit is a recorded modification to the repository. By clicking on "2 commits", you’ll be able to see the changes that have been made to the file.

What mining pool did the attacker receive payments from on January 23, 2021 UTC?

For finding this we can use different sites, but I’ll be showcasing this one. We only need to paste the wallet we found et voilà, now we see all the transactions.

What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

The answer can be found on one of these tabs.

TAUNT

What is the attacker’s current Twitter handle?

Just look up the given account on Twitter.

What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

From the attacker's account, we find this tweet. By reading it we know we’re looking for a service like Pastebin but for the Deepweb. With a quick search using all the info given in the tweet, we know the site we want is called DeepPaste. Sadly, I haven't been able to find the site up, therefore I had to use the hint. Just extract the URL and add the given query.

What is the BSSID for the attacker’s Home WiFi?

Whenever you’re doing WiFi geolocation, WiGLE is your friend. Just create an account and use the WiFi’s SSID to perform a basic search.

HOMEBOUND

What airport is closest to the location the attacker shared a photo from prior to getting on their flight? (Use the 3-digit Airport Code)

Following the attacker’s Twitter activity we find a post made before boarding the plane back home. Social media sites usually erase metadata, so that's not an option. Take a good look at the picture: can you find any recognizable landmarks? Does the architecture look familiar? If you haven't found it yet, look at the background. There we can see the Washington Monument. Now you only need to look for the closest airport.

What city does the attacker likely consider “home”?

I know this is the last question, but since we already found this on task 5, we can use it to pivot. If you don't know what I'm talking about, just go back to the WiFi question, and remember most cities offer public WiFi.

What lake can be seen in the map shared by the attacker as they were on their final flight home?

The first thing you should do is look at the city found, using Google Maps.

If we zoom out, do you find any familiar landmarks that are also visible from the plane photo?

What airport did the attacker have their last layover in? (Use the 3-digit Airport Code)

This was my favorite question, because I didn't find the answer through the image given, but through all the other info we had. If we do a search we’ll find Sakura Lounges in different airports, but none of them are the one we’re looking for. Using the lake photograph as a reference, and knowing where the attacker is heading, we can infer that the flight is coming from the South. On top of that, after researching the city, we find out it isn’t a major one, therefore it wouldn’t be the most common thing for it to receive many international flights. In order to verify, we can look for direct flights to it.

Most of the flights are coming from inside the country

Now the only thing left is to analyze which of those flights could go past the lake, and verify if the airport has a Sakura Lounge.

Conclusion

This was such a fun room! Getting a backstory truly made every achieved task so gratifying. The gamification behind it was great and it encompassed a variety of OSINT skills. The pivoting process was also well established. Therefore I want to thank OSINT Dojo for this amazing challenge!

InfoSec student, OSINT practitioner