Writeup author : Hicham Terkiba (@IOBreaker)

I have been provided with a picture named windowsXP.jpg

I started by looking at its EXIF information:

π ~/Downloads ❯ exiftool WindowsXP.jpg 
ExifTool Version Number         : 12.16
File Name                       : WindowsXP.jpg
Directory                       : .
File Size                       : 229 KiB
File Modification Date/Time     : 2021:02:28 15:31:11+01:00
File Access Date/Time           : 2021:02:28 16:33:05+01:00
File Inode Change Date/Time     : 2021:02:28 16:33:05+01:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W

From the EXIF information I got two pieces of information:

  • Copyright : OWoodflint
  • GPS Position : 54 deg 17′ 41.27″ N, 2 deg 15′ 1.33″ W
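
A pre-publication check for the kind of metadata leak shown above, as an added example that is not part of the original writeup: it parses exiftool's text output, flags identifying tags, and converts the GPS position to decimal degrees. The sample input is constructed from the output above, and the list of sensitive tag prefixes is an assumption.

```python
import re

# Constructed sample: a subset of the exiftool output shown above.
SAMPLE = """\
File Name                       : WindowsXP.jpg
MIME Type                       : image/jpeg
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Size                      : 1920x1080
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
"""

# Assumption: tag-name prefixes treated as identifying; extend for your own policy.
SENSITIVE_PREFIXES = ("GPS", "Copyright", "Artist", "Creator", "Owner", "Serial")
DMS = re.compile(r"(\d+) deg (\d+)' ([\d.]+)\" ([NSEW])")


def parse_exiftool(text):
    """Turn 'Tag : value' lines into a dict (split on the first ' : ')."""
    tags = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def dms_to_decimal(value):
    """Convert exiftool's DMS string to signed decimal degrees (S/W negative)."""
    m = DMS.search(value)
    if not m:
        return None
    deg, minutes, seconds, ref = m.groups()
    dec = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return round(-dec if ref in "SW" else dec, 6)


def audit(text):
    """Return (sensitive tags, decimal (lat, lon) or None if no GPS fix)."""
    tags = parse_exiftool(text)
    flagged = {k: v for k, v in tags.items() if k.startswith(SENSITIVE_PREFIXES)}
    lat = dms_to_decimal(tags.get("GPS Latitude", ""))
    lon = dms_to_decimal(tags.get("GPS Longitude", ""))
    return flagged, (lat, lon) if lat is not None and lon is not None else None


if __name__ == "__main__":
    flagged, coords = audit(SAMPLE)
    for name, value in flagged.items():
        print(f"[!] {name}: {value}")
    print("decimal:", coords)
```

Any flagged tag means the file should have its metadata stripped before it is published.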

After some Google searching, I found 3 interesting sites:

  • WordPress site
  • Github project
  • Twitter account

The first site was a WordPress blog.

From the blog we have

  • Nickname : owoodflint
  • Name : Oliver Woodflint
  • Actual position : New York

The actual position is confirmed by the GPS coordinates from exiftool

Using the actual position I was able to answer the question

Where has he gone on holiday?

The second site was a GitHub repository.

Now we have more information about Oliver

  • Nickname : owoodflint
  • Name : Oliver Woodflint
  • Actual position : New York
  • Email : OWoodflint@gail.com
  • Twitter Account : @OWoodflint
  • From location : London

From there I was able to answer the following questions:

  • What city is this person in?
  • What is his personal email address?
  • What site did you find his email address on?

I checked the commits but found nothing interesting.

The last site was the Twitter account.

Immediately I was able to respond to the first question of the challenge 😉

What is this users avatar of?

One of the tweets shows a BSSID (the MAC address of a wireless access point):

  • B4:5D:50:AA:86:41

I started looking for information that I could gather using the BSSID I got.

I used Wigle because it allows recon using the BSSID as a filter.

From wigle.net I was able to identify the SSID of the Wifi network:

  • Wifi SSID : UnileverWIFI

So I was able to answer the question

Whats the SSID of the WAP he connected to?

The last question was

What is this persons password?

For this part I focused on the one site I had not yet examined (the blog).

As usual, I start by looking into the source code; many leaks can sometimes be found there.

After searching, I found white text hidden inside the index page.

Bingo, it was the answer to the last question.

Enjoy 😉