[1.4: TryHackMe KaffeeSec — SoMeSINT Writeup]

The header of this room

This is the finale of this series for now (in retrospect, we cover a lot more in depth on image intelligence than any other type of intelligence in this series so in the future if I can found a different type of intel room, I will post em’ as bonus article in this series)

Here is the link to the challenge if you want to try em’ out:

TryHackMe | KaffeeSec - SoMeSINT

SoMeSINT is Social Media Intelligence/Investigation which basically advanced search for social media platforms (and tools used to do that)

So, let us jump to the writeup

Task 1: Overview

this part just give general overview of the room, some prerequisite before you do this room and the flag format for this room.

Prerequisites:

• Critical Thinking.
• A love of going deep into rabbit-holes.
• Basic understanding of Google.(I think for this one, you need to finish the Google Dorking room first. Here’s the link for the room: https://tryhackme.com/room/googledorking)
• Python 3.7+(for this part, there are 2 option. Either you download the package here https://www.python.org/downloads/release/python-370/if you’re using a windows machine or if you’re using linux distro, use this guide instead: https://docs.python-guide.org/starting/install3/linux/)

Flag Format: ks{flag}. Just copy paste the flag into the curly brackets.

Oh and also the creator of this room links TryHackMe and Kaffeesec discord server for any help on this room:

Join the TryHackMe Discord Server!

Join the KaffeeSec Discord Server!

Task 2: Story

the scenario given in this room

Q1: Who hired you?

A1: ks{H}

Q2: Who are you investigating? (ks{firstname lastname})

A2: ks{Thomas Straussman}

Task 3: Let’s get started!!

Prerequisites:

• Patience, curiosity, and a passion for digging into rabbit holes.
• Firefox, Chrome, or another chromium-based browser (I recommend Brave).

The creator also highlights this specific alert on this room:

“ Before starting, I will preface this by saying the only places these accounts are found on are Twitter and Reddit. Please do not try to investigate further out-of-scope, as you will both meet a dead end and be snooping on accounts not involved with this CTF at all. I am not responsible for any actions/interactions made with an account outside of the sockpuppets created for this CTF. As a general rule, we’re collecting PASSIVE information — there’s no interacting directly with these accounts.”

So, no hacking. Just collect info.

As usual, we will start first with googling the targets name and see what shows up:

We can see that only Twitter account is here but not reddit account. Now, let us search “Thomas Straussman Reddit”. Maybe, this one will yield the reddit account.

Nope, it dosen’t yield the result that we want which is the reddit account however I can see that we can search the accounts using keyword tstraussman. Let us try that.

Finally we got both of the account :)

The accounts header

Q1:What is Thomas' favorite holiday?

You can see directly on the bio here :

A1: ks{Christmas}

Q2: What is Thomas’ birth date?

You can’t see this detail here on Twitter.. Let us go to reddit instead

As you can see, he is 30 years old at 20 December 2020 so his birthday is 20 December 1990

Here’s the hint for this task. Month comes first which is why 12–20–1990 not 20–12–1990

A2: 12–20–1990

Q3: What is Thomas' fiancee's Twitter handle?

This is Francesca’s Twitter (you can see em’ because this account recommended to you when you open Thomas Twitter)

A3: ks{@FHodgelink}

Q4: What is Thomas' background picture of?

A4: ks{Buddha} You can clearly see the background pic in the header above.

Task 4: Spider…what?

Requirements:

• Spiderfoot (this is the guide to download spiderfoot if you use linux https://www.spiderfoot.net/documentation/#installing)
• Python 3 (I’ve given the guide to download this one on the intro)

Basically you need to follow the instruction on this task(to grossly simplify, after install python + spiderfoot you run spiderfoot on the terminal and also your browser.Then, you just scan em’ with the keyword given in the task)

Q1: What was the source module used to find these accounts?

This is the hint given for this question

According to the hint, this is our answer

A1: ks{sfp_accounts}

Q2: Check the shadowban API. What is the value of "search"?

This is the hint given for this question. I have no idea what this mean being honest.

So, we need to use help of previous writeup on this room:

Here is the writeup that I reference (https://www.secjuice.com/try-hack-me-kaffeesec-somesint/). This writeup is a lot better than mine so it’s better if you switch.

Ok, so I need to open this link: https://shadowban.eu/.api/tstraussman on the same browser I open the spiderfoot. I have no idea how to look for this link…

So, here’s what I’ve got.

A2: ks{1346173539712380929}

Task 5: Connections, connections..

Now in this task, we will do reverse search images.

For the last 3 rooms, I’ve focused on IMINT. And I think I would like to relink the Searchlight IMINT room writeup (if you want a complete dive into image intelligence):

[1.3: TryHackMe Searchlight-IMINT Writeup]

But for this part, I will copy paste the software recommendation that I’ve done in the writeup:

There are 2 extension that I think will smoothen your process doing reverse image search

1) Fake news debunker by InVID & WeVerify (available on chrome and firefox only)

2) RevEye Reverse Image search extension (available on chrome, firefox and microsoft edge)

I think I will link these 2 articles to get the feel on how to use em:

1) https://datasociety.net/wp-content/uploads/2020/03/How-To-Verify-Online-Census-Media-final.pdf

2) https://citizenevidence.org/2019/12/11/how-to-use-invid-the-swiss-army-knife-of-digital-verification/

Simply after you download the extension, right click and choose what you want.

This is for RevEye.

This is for the Fake news Debunker one. As you can see, there are 2 more search vector added compared to the RevEye one which is Baidu and Reddit

Here are things you need to focus on while doing this reverse image search:

• Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).
• Clear images of the subject’s face (For reverse image searches and possibly finding more accounts/sources of info).
• Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).
• Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc..).
• Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)

p/s: I am sorry for the long start for this task but these details are necessary for this task

Q1: Where did Thomas and his fiancee vacation to?

the picture of the vacation in the fiance’s tweet. Now, let us reverse search the image using RevEye.

[Result 1: Google] Damn, they are good suprisingly. We got our answer already which is Koblenz, Germany. How about the rest?

[Result 2:Bing] This result is quite disappointing. The search engine outputs river cruises.

[Result 3: Yandex] We got our answer in Russian. I can’t read cryllic let alone understand em’ so we will use the translate option to translate the one in the box

As you can see, it shows Belgrade Port. Belgrade is not in Germany, it is in Serbia.

[Result 4: TinEye] Most of the result shows that this picture is a stock image. Not helpful at all.

Suprisingly, Google wins this one.

A1: ks{Koblenz, Germany}

Q2:When is Francesca's Mother's birthday? (without the year)

The related link for her mother. It suggested here that her mother’s brithday in Xmas which 25 December

A2:ks{December 25th} following the format in the hint:

Q3: What is the name of their cat?

This is the tweet related to this question. So, the name is Gotank. Quite cute there

A3: ks{Gotank}

Q4: What show does Francesca like to watch?

As you can see clearly here, Francesca really like 90 Day Fiance to the point that she tweeted about em’

A4: ks{90 Day Fiance}

Task 6: Turn back the clock!!

For this one we need to use 2 stuff:

1. Reddit in both style (old: http://old.reddit.com/ for wayback machine stuff and the regular reddit)
2. WayBackMachine (this extension have on Firefox and Chrome)

After that, you right click the page, click Wayback Machine > All version

This is what you will be greeted with, let us try clicking the December 21, 2020 part.

Hello, what do we got here…. A coworker’s account. Let us open that account.

We got this. Save em’ for later.

Q1: What is the name of Thomas' coworker?

This is the avatar details of the coworkers profile (just open one of the post and you will see em’). So, Hans is the firstname then.

The hint given in this question

A1: ks{Hans Minik}

Q2: Where does his coworker live?

Again there are 2 things that can show his location. One, he said Nuuk is the best. Might not be enough. Two, he is coworker of Thomas who lives in Nuuk, Greenland. You can’t get coworker if you don’t reside at the same city generally right?

A2: ks{Nuuk, Greenland}

Q3: What is the paste ID for the link we found?

This is the hint given for this question.

So, we need to open the very first saved version of Han’s profile

Meh, still the same. How about if we jump to the second capture?

Nah, we still didn’t get the Electric one. Let us jump to one more capture

Finally we got em’. It is the 3rd capture. Let us open the electric one

This is the answer for this question

A3: ks{ww4ju}

Q4: Password for the next link? (flag format)

You can see a pastebin link and a password to open the pastebin(that is our answer)

A4: ks{1qaz2wsx}

Q5: What is the name of Thomas’ mistress?

For this one, we need to open the pastebin.

As you can see the name of the girl is Emilia Moller.

A5: ks{Emilia Moller}

Q6:What is Thomas' Email address?

Based on the two pastebin given above, we can conclude that the email is straussmanthom@mail.com

A6:ks{straussmanthom@mail.com}

Task 7: Resources

the room creator also links room and other CTF for y’all to try:

TryHackMe | WebOSINT

TryHackMe | Searchlight - IMINT

for Searchligh IMINT, I have done the writeup on that room here:

[1.3: TryHackMe Searchlight-IMINT Writeup]

TryHackMe | Google Dorking

CyberSoc | Cyber Detective CTF

Sourcing.Games is under construction

Well, this is it. The finale of the TryHackMe series for now.

These 4 room I extensively focus on IMINT part of OSINT(even this room also need to use reverse image search, I can’t escape it)

I think that all for now. Reach me on twitter (@thisisfinx) if there’s error in this article or things that I miss.