OhSINT Writeup [thm]
Before doing this, consider completing Introductory Researching and Google Dorking first. It's not mandatory, but it will help if you are a complete beginner at open source intelligence gathering.
OhSINT Are you able to use open source intelligence to solve this challenge? What information can you possibly get with just one photo?
Quite a lot it turns out.
ExifTool is your friend
We start out with a single image WindowsXP.jpg. Download the image and let's analyze its metadata using ExifTool:
ExifTool Version Number : 12.22
File Name : WindowsXP.jpg
Directory : .
File Size : 229 KiB
File Modification Date/Time : 2021:03:26 22:36:37+01:00
File Access Date/Time : 2021:03:26 22:38:28+01:00
File Inode Change Date/Time : 2021:03:26 22:38:11+01:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
XMP Toolkit : Image::ExifTool 11.27
GPS Latitude : 54 deg 17' 41.27" N
GPS Longitude : 2 deg 15' 1.33" W
Copyright : OWoodflint
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1920x1080
Megapixels : 2.1
GPS Latitude Ref : North
GPS Longitude Ref : West
GPS Position : 54 deg 17' 41.27"N,2 deg 15' 1.33"W
A Google search on this mysterious OWoodflint found in the Copyright field immediately returns a Twitter profile with a very distinctive avatar.
Location, Location, Location
Where is this person located?
Looking through his tweets, we find something particularly interesting:
0x00000000000000000000 @OWoodflint Mar 3, 2019 From my house I can get free wifi ;D Bssid: B4:5D:50:AA:86:41 - Go nuts!
So we have the basic service set identifier (BSSID) of the WiFi he is using (stealing). If we are lucky, it can be found on WiGLE.
Scroll out to maximum and insert the BSSID 'B4:5D:50:AA:86:41'. We got a hit! Scroll in to see the location.
Finding the SSID of the wireless access point
If we keep on scrolling in on the map the service set identifier (SSID) will be revealed.
What's his email address?
"The Buddha struggled with sending emails. He was always leaving his attachments behind."
Looking more thoroughly at the Google results, we find a WordPress page with no useful data, but we also find one of his GitHub repositories, people_finder, that contains the data we're looking for.
Hi all, I am from London, I like taking photos and open source projects. Follow me on twitter: @OWoodflint This project is a new social network for taking photos in your home town. Project starting soon! Email me if you want to help out: [REDACTED]@gmail.com
Note that if we had checked out his repo first, we would have gotten some intel for free.
A recent holiday?
Maybe the WordPress site wasn't useless after all. It mentions taking photos in a certain big city.
Finding his password
This was the hardest part of the challenge for me.
I first tried looking into his commit history on GitHub in case he was sloppy in the past and included a password in an old commit. No luck there.
Has he been pwned? Nope.
He only has two tweets under his belt and none of them are helpful here. Nothing interesting in his Twitter bio and the WordPress site is sparse on intel.
Googling his email address mostly results in writeups of this room, but I didn't cheat.
I solved it by pure chance by going to the WordPress site with the command line web browser w3m. There might be something hidden in plain sight there.
Conclusion
OhSINT is a fun and easy little challenge. I think the last part of the challenge, finding the password, was a bit stupid and felt out of the OSINT spirit. On the other hand, stuff like this keeps you on your toes: expect the unexpected.