[1.1: TryHackMe Geolocating Images Writeup]

finx
7 min read · May 30, 2021


Here is the link to the challenge if you want to try em’ out:

So, let us jump into the writeup/walkthrough (I will kinda flip-flop between the terms here since I don’t know what’s proper in this case).

Task 1: Getting Started

Main point: use Yandex, Bing, then Google for reverse image searching.

As an extra note, there are browser extensions that you can install to speed up your reverse image searching:

  1. Fake news debunker by InVID & WeVerify (available on Chrome and Firefox only)
  2. RevEye Reverse Image Search extension (available on Chrome, Firefox and Microsoft Edge)

I will link these 2 articles so you can get a feel for how to use em’:

  1. https://datasociety.net/wp-content/uploads/2020/03/How-To-Verify-Online-Census-Media-final.pdf
  2. https://citizenevidence.org/2019/12/11/how-to-use-invid-the-swiss-army-knife-of-digital-verification/

Task 2: Getting our feet wet — where is this?

The Question: Where in the world is image 1? The answer is the country name.

The task asks which country Image 1 is located in (you are supposed to download a file from the previous task; just open the “thm” file and find 1.jpeg).

this is the 1.jpeg

In this task, we need to use Yandex, Google, Bing and TinEye to figure out the image’s location (if you upload this picture somewhere online, you can use the RevEye extension, but in this case I just uploaded the image to all 4 of the search engines).

(Result 1: Google) Pretty damn bad in my opinion, because it just returns a shape instead of a monument.
(Result 2: Yandex) Finally we have a monument. The one that I highlighted here is the answer to this task, which is China.
(Result 3: Bing) It falls under the monument category, but there are 2 major locations here: Chicago Bean, IL, US and Xinjiang, China. Better than Google in this case, but not good enough.
(Result 4: TinEye) Well, there’s none.

Based on our results here, only Yandex found that the monument is located in China, because it is based in Russia, compared to Google and Bing (US).

It is kinda well known that Google’s services are blocked in China. Here is the link that lists all of the domains blocked by China for reference:

So, Google won’t be your best bet when searching for anything China related.

Bing, on the other hand, is not blocked there.

The table that’s available on the Wiki article above. As you can see, it is unblocked.

So, Bing to some extent has the info on the monument, though not as directly as Yandex. To be fair, the monument in 1.jpeg looks really similar to the Chicago Bean monument.

Conclusion that can be drawn here: Yandex is your best bet for searching stuff that is China related (make sure you have some sort of translator on standby, since Yandex results are mainly in Cyrillic because it is a Russian search engine).

The Answer: China

Task 3: Geolocating Images 101

Just a walkthrough on how to geolocate a webcam image (if you use reverse image search on this type of image, you won’t get anything).

General flowchart to geolocate an image from this task:

1) Look for small identifiers on the webcam image (anything really, like badges, road signs or anything that can identify the location of the image)

2) See if there’s any IP address or URL linked to the webcam image

- If there’s an IP address, use Shodan to find the ASN

- If there’s a URL, just open the URL

- If there is no IP/URL, just link the identifiers together and try googling em’

3) Open google maps and try to locate the image

4) You’re done

Task 4: Now your turn

The Question: Where was image 2 taken?

This is the 2.png.

Let us run through the general flow above to locate this image:

1) Look for small identifiers on the webcam image
  • Green road sign with N and W together (according to GeoTips.net, this is the US)
In https://geotips.net/north-america/, go to the US section and you’ll find this
  • A blue sign with “sports corner”
  • Not in the UK, because the license plate does not have the blue bar on it
The UK license plate (EU plates generally have the blue bar on the left; plus, in this case, only the UK has English as the official language)

2) See if there’s any ip address or url linked to the webcam image

So, in this picture there is no IP address or URL linked to it.

We need to link the identifiers together and google around.

From 1), we are basically at a Sports Corner in the US that is located around Sheffield/Addison.

From Googling, Addison is in Illinois (Sheffield returns a similarly named town in Alabama).

Literally the first link when searching Addison USA

Now, Googling “Sports Corner il usa”, you get a lot of places to choose from.

Zooming the map on the 2nd location in the search, we get roughly the same location as the webcam.

So, as you can see here, we have Addison and Sheffield together with the Sports Corner. The answer here is Wrigleyville Sports.

3) Open google maps and try to locate the image

It is really low res but you can roughly see the location of the shot.

The Answer: Wrigleyville Sports

Task 4: Helpful tips for geolocating

Tips given:
1) Look for small indicators while geolocating

- Religious buildings like a mosque, temple or Catholic church, to guess the main religion of the location

- Language used on shops and vehicles (use Google Translate)

- Side of the road the cars drive on

- The license plate (accidentally used em’ above)

- The markings on the road (every country has different markings)

- The style of traffic lights

- Clothing of the people walking around

2) Check whether there is any EXIF data

3) Check whether there is any location tagged to the image
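
Tips 2) and 3) as an added example (not part of the original writeup or the TryHackMe room): a standard-library Python parser that walks a JPEG's EXIF block and returns the GPS tag as decimal degrees, or None when the metadata is absent. The build_sample helper, SAMPLE, STRIPPED and their coordinates are constructed test input, not values from the room's images.

```python
import struct

def exif_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees from a JPEG's EXIF GPS tags, or None."""
    i = 2                                         # skip the SOI marker (FF D8)
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker, size = jpeg[i + 1], struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        seg = jpeg[i + 4:i + 2 + size]
        if marker == 0xE1 and seg[:6] == b"Exif\x00\x00":
            return _gps_from_tiff(seg[6:])        # APP1 carries a TIFF structure
        i += 2 + size
    return None

def _gps_from_tiff(t: bytes):
    e = "<" if t[:2] == b"II" else ">"            # TIFF byte order: II little, MM big
    def entries(off):                             # 12-byte IFD entries -> {tag: value field}
        (n,) = struct.unpack_from(e + "H", t, off)
        return dict(struct.unpack_from(e + "H6x4s", t, off + 2 + 12 * k) for k in range(n))
    def degrees(field):                           # offset to 3 RATIONALs: deg, min, sec
        (off,) = struct.unpack(e + "I", field)
        d = struct.unpack_from(e + "6I", t, off)
        return d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    ifd0 = entries(struct.unpack_from(e + "I", t, 4)[0])
    if 0x8825 not in ifd0:                        # 0x8825 = pointer to the GPS IFD
        return None
    gps = entries(struct.unpack(e + "I", ifd0[0x8825])[0])
    if not {1, 2, 3, 4} <= gps.keys():            # LatRef, Lat, LonRef, Lon
        return None
    lat = degrees(gps[2]) * (-1 if gps[1][:1] == b"S" else 1)
    lon = degrees(gps[4]) * (-1 if gps[3][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def build_sample(lat_ref, lat_dms, lon_ref, lon_dms):
    """Constructed input: a minimal JPEG holding only an EXIF GPS block."""
    rat = lambda dms: b"".join(struct.pack("<II", int(v * 100), 100) for v in dms)
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)   # one entry -> GPS IFD at 26
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 1, 2, 2, lat_ref + b"\0\0\0") + struct.pack("<HHII", 2, 5, 3, 80)
    gps += struct.pack("<HHI4s", 3, 2, 2, lon_ref + b"\0\0\0") + struct.pack("<HHII", 4, 5, 3, 104)
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + bytes(4) + rat(lat_dms) + rat(lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample(b"N", (10, 30, 36), b"W", (20, 15, 18))   # constructed coordinates
STRIPPED = b"\xff\xd8\xff\xe0\x00\x04\x00\x00\xff\xd9"         # constructed: no EXIF segment

if __name__ == "__main__":
    print(exif_gps(SAMPLE), exif_gps(STRIPPED))
```

A None result is common for images pulled from social media, since many platforms strip metadata on upload; in that case, fall back to the visual indicators from tip 1).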

Task 5: Your turn, again!

The Question: Where was image 3 taken?

This is the 3.png that we will geolocate in this task

Let us use the general flow in Task 3 to solve this problem:

1) Look for small identifiers on the webcam image
  • The hint on this task’s question indicates that the tower in sight is indeed the Eiffel Tower (which narrows down the location to Paris, France)
The hint given
  • The building is a white coloured observatory (the roof style shows that it is an observatory)
This is what a typical observatory looks like
  • The observatory is located on a hill a bit far away from the city

2) See if there’s any ip address or url linked to the webcam image

  • No (for both of em’)
  • So, we need to link all of the identifiers that we’ve got and Google em’, which in this case gives us “Paris observatory” (if I add “white”, Google shows tourist attractions in Paris, which is not what I want)
So, as you can see, there are 2 observatories in Paris. The second one is much more likely to be the location, because if it were the first one, the Eiffel Tower would look bigger in the image, since the first one is much closer to the city center.

To confirm it, we need to open the maps and see the vegetation around the observatory.

3) Open google maps and try to locate the image

As you can see, the observatory that is closer to the city center does not tally with the image given.
So, this is the location of the shot; as you can see, the vegetation looks really similar to the image.

Opening the details for the observatory that is outside the city, you get Meudon Observatory (in Google, both of them are named Paris Observatory, but the outer one is located at Meudon).

the google maps detail of the outer city observatory

The Answer: Meudon Observatory

Task 7: Your turn, what can you see?

The Question: Where is image 4 taken?

the 4.png that we will use here
1) Look for small identifiers on the webcam image
  • The car license plate is from the UK
The UK license plate (I used this one before to show you that the location is not in Europe, but in this case the identifier is not there. Looking at this picture again, we can see that the identifier is optional, so the license plate style is similar to the plate in the picture)
  • A yellow streetlight on both ends
  • A pretty popular zebra crossing in the UK, because there are webcams of this specific crossing
  • A white pillar holding a black fence
  • Flowers at one end of the crossing

2) See if there’s any ip address or url linked to the webcam image

So, in this picture there is no IP address or URL linked to it.

We need to link the identifiers together and google around.

From 1), we can just google “Popular uk zebra crossing”

As you can see here, Abbey Road is specifically mentioned. So, let us open the Abbey Road part.
As you can see from the stock image of Abbey Road, it ticks all of the boxes of the identifiers that we gathered before.

3) Open google maps and try to locate the image

To be honest, this is a bit overkill for this question, but I am quite confused as to why there is no visible zebra crossing in Google Maps.

This is what I got from Google Maps. I am confused here, but never mind.

The Answer: Abbey road

This is quite a long walkthrough for this room. So, if there’s any error in my content here just message me on twitter (@thisisfinx)

Thank you for taking your time reading this writeup/walkthrough :)


Written by finx

A Malaysian cybersec lifelong student who uses this blog to document anything infosec related (mainly OSINT)
