Advent of Cyber 3 (2021): Day 16 Write-up

Farhad Anwari
Published in System Weakness, 6 min read, Aug 25, 2022

Welcome to Day 16 write-up, and I hope you find it helpful.

If you haven't solved Day 14, click here.

[Day 16] OSINT Ransomware Madness

In today's tasks, we will discuss OSINT and its importance in information gathering and reconnaissance for an attack.

Learning Objectives

  • Understanding what OSINT is and where it originates
  • Understand the implications of OSINT and how you can use it for surveillance and information gathering
  • Learn how to conduct an OSINT investigation to gather information on an individual

OSINT & The Digital Footprint

OSINT stands for Open Source Intelligence, information obtained from free and public sources. Offensive teams commonly use OSINT to perform surveillance on a target, an individual, or a corporation. Agencies and law enforcement can also leverage OSINT to gather information.

OSINT may seem scary at first; where do I find this information? Will I get in trouble? No need to worry; most OSINT operations are straightforward using tools you are already familiar with on the clearnet.

OSINT is a broad term that covers many intelligence disciplines; in this task we cover it as it is commonly understood. Information is at the core of OSINT, and that information is typically found in two places:

Clearnet: This refers to anything you can publicly access from your traditional web browser, including:

  • Facebook
  • Twitter
  • GitHub

Darknet: The darknet is accessed using special software and requires additional configuration; it is most commonly used by privacy-minded individuals, whistleblowers, censored people, criminals, journalists, and government law enforcement agencies. Below are a few examples of what the darknet has to offer:

  • Tor
  • Freenet
  • I2P
  • IPFS
  • Zeronet

In this task, we will focus on leveraging the clearnet to our advantage to gather information on a specified target. The clearnet is often used due to the vast amount of public data.

Information used in OSINT originates from your digital footprint. This may seem like a "buzz" word, but it is key to why OSINT can be rewarding. When conducting OSINT, we look at what data a target left behind to lead us to the information or objective we are seeking.

To learn more about OSINT, you can refer to the TryHackMe OhSINT and Google Dorking rooms, and Day 16 of AoC3.

Let's get started!

1. You are the responding intelligence officer on the hunt for more information about the infamous "Grinch Enterprises" ransomware gang. In response to the recent ransomware activity from Grinch Enterprises, your team has collected a sample ransomware note.

!!! IMPORTANT !!!

Your files have been encrypted by the Grinch. We use the most modern encryption technology.

To regain access to your files, contact a Grinch Enterprises operator.

Your personal identification ID: "b288b97e-665d-4105-a3b2-666da90db14b".

The operator assigned to your case can be contacted as "GrinchWho31" on all platforms.

!!! IMPORTANT !!!

For the first question, no answer is required; you only have to translate the note above, for example with https://translate.google.com.

Answer: No answer needed

2. What is the operator's username?

From the translated note, we learned that GrinchWho31 is the operator's username.

Translation of ransomware note
Answer: GrinchWho31

3. What social media platform is the username associated with?

You can start by searching the operator's username on Google.

Searching the username using Google

We've found one match that leads to our objective.

After opening https://keybase.io/grinchwho31/sigs/1GW8QR7CWW3cpvVPGMCF5tZz4j96ncEgrVaR, you can see that this account belongs to the operator.

Keybase page of grinchwho31

If we open the Twitter profile linked there, we can see that it belongs to the operator, with the username @GrinchWho31.

Operator's Twitter account
Answer: Twitter

4. What is the cryptographic identifier associated with the operator?

If we look at the Twitter account, we can see that in the top tweet the operator posted the cryptographic identifier along with the Keybase.io link.

Answer: 1GW8QR7CWW3cpvVPGMCF5tZz4j96ncEgrVaR

5. What platform is the cryptographic identifier associated with?

If you open the link given in that tweet, you can see that this cryptographic identifier is associated with https://keybase.io.

Answer: keybase.io

6. What is the bitcoin address of the operator?

On the keybase.io page, you can see the bitcoin address of the operator.

Answer: bc1q5q2w2x6yka5gchr89988p2c8w8nquem6tndw2f

7. What platform does the operator leak the bitcoin address on?

If we look into the christmashater31 GitHub account given on the Keybase page, we can see that the Christmas-Stealer repository contains ransomware code written in C++, which can be helpful.

Here we've found the ransom.cpp in the repository.

After opening the file, you can see that the operator leaked the bitcoin address here.

Note: the bitcoin address is also revealed on the Keybase website, but that is not the answer to this question.

ransom.cpp source code
Answer: GitHub

8. What is the operator's personal email?

Digging further into the GitHub account, we can see that the ChristBashTree repository has four commits, which may give us a clue, so open the commits.

ChristmasHater31 repository
Commits

You can see that tree.sh was updated in the last commit; if you open it, you can see that the operator deleted two lines from the script.

Answer: DonteHeath21@gmail.com

9. What is the operator's real name?

The operator's real name is also visible in the same commit history.

Answer: Donte Heath
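Questions 8 and 9 hinge on the same lesson: lines deleted from a file are still visible in the repository's history. The following added script (not part of the task or the author's write-up) shows the defensive counterpart, a pre-publication check that scans `git log -p` output for e-mail and Bitcoin addresses on removed lines, so an author can spot such leftovers before a repository goes public. The commit hash, author, and addresses in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `git log -p` output (hypothetical, not the task's repo):
# a commit removes two lines from tree.sh, but the text survives in the history.
SAMPLE_GIT_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Example Dev <dev@example.invalid>
Date:   Mon Dec 6 10:00:00 2021 +0000

    remove personal details from tree.sh

diff --git a/tree.sh b/tree.sh
--- a/tree.sh
+++ b/tree.sh
@@ -1,5 +1,3 @@
 #!/bin/bash
-# Author: Jane Example <jane.example@example.invalid>
-# Donations: bc1qexampleexampleexampleexampleexampleexamp
 echo "Merry Christmas"
 exit 0
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy (1.../3..., Base58) and bech32 (bc1..., no 1/b/i/o) Bitcoin address shapes.
BTC_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,62})\b")


def find_removed_indicators(git_log_text: str) -> Dict[str, List[str]]:
    """Return e-mail and Bitcoin addresses found on deleted ('-') diff lines,
    keyed by the hash of the commit that removed them."""
    findings: Dict[str, List[str]] = {}
    commit = None
    for line in git_log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        # Skip the '--- a/file' header; only real removed lines matter.
        elif line.startswith("-") and not line.startswith("---"):
            hits = EMAIL_RE.findall(line) + BTC_RE.findall(line)
            if hits and commit:
                findings.setdefault(commit, []).extend(hits)
    return findings


if __name__ == "__main__":
    # In practice: pipe `git log -p --all` into this function instead.
    for sha, hits in find_removed_indicators(SAMPLE_GIT_LOG).items():
        print(sha[:12], "still carries:", ", ".join(hits))
```

Run it over `git log -p --all` of the real repository; any hit means a rewrite of history (or a fresh repository) is needed, since deleting the line in a new commit does not remove it.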

Closure

Today's task taught us about OSINT, its importance in information gathering and surveillance, and how to find operators or any specific target.
This task also taught us how hackers could use OSINT to find essential information about organizations, their employees, or individual targets.

Hence it's better to be aware of what we are sharing online.

Yay!
You did it! Great job on completing Day 16!

I hope you found this write-up easy to follow.

For more write-ups, follow me, and stay tuned.

To check out Day 17 write-up, click here.

Thank you for reading.
