Room Banner

KaffeeSec - SoMeSINT

An intro to SOCMINT (Social Media Intelligence/Investigation) techniques and tooling. Use your awesome OSINT skills to perform an online investigation of a mysterious husband!

medium

75 min

Room progress ( 0% )

To access material, start machines and answer questions login.

Task 1Overview

In this room, you will be learning social media analysis and forensics. You will learn about google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. You don't need any previous knowledge of OSINT to do well in this room, but it definitely helps. I have included some resources in the " Resources " task at the bottom of the room that I encourage you to check out after completing this room!

Prerequisites

  • Critical Thinking.
  • A love of going deep into rabbit-holes.
  • Basic understanding of Google.
  • Python 3.7+

When you have completed this room, you should be comfortable applying tools and methodologies to gather information through social media, and answer context-based questions concerning social media. The goal of this room is to prepare you for CTF challenges in this category, as well as real-world research. All tools in this room are optional, as you could technically get all of the information you need through a web browser and methodologies; however, the tools mentioned will make this room much more beginner-friendly.

Sometimes, you will come across a question that requires a flag format.

The format for this room's flags is ks{flag} . Flags are not case-sensitive but must be spelt right (copy/paste).

At any point along the way, you can ask for help in the TryHackMe Discord (in the #room-help channel).

Any and all feedback is also welcome in the KaffeeSec discord server.

Answer the questions below

I fully read and understand the overview, and understand flag format

Background Information:

You are Aleks Juulut, a private eye based out of Greenland. You don't usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker "H" to investigate a suspected cheater, named Thomas Straussman.

After a brief phone-call with his wife, Francesca Hodgerint, you've learned that he's been acting suspicious lately, but she isn't sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you're out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you're going to have to do all of it digitally. Good luck!

Answer the questions below
Who hired you?

Who are you investigating? (ks{firstname lastname})

Prerequisites:

  • Patience, curiosity, and a passion for digging into rabbit holes.
  • Firefox, Chrome, or another chromium-based browser (I recommend Brave).

How exciting! Through talking to people who know Thomas, you've found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts, and start off this room.

The overall process for finding information from social media accounts starts with finding the social media accounts themselves. Finding social media accounts from names or emails can be automated through a process called enumeration. This is usually done with CLI tools or scripts, but you can get similar effects with Google dorking. Here is a room on Google dorking; it's great reading material before you attempt this task and also includes a cheat sheet that comes in handy.

Disclaimer: Before starting, I will preface this by saying the only places these accounts are found on are Twitter and Reddit. Please do not try to investigate further out-of-scope, as you will both meet a dead end and be snooping on accounts not involved with this CTF at all. I am not responsible for any actions/interactions made with an account outside of the sockpuppets created for this CTF. As a general rule, we're collecting PASSIVE information - there's no interacting directly with these accounts.

Answer the questions below
What is Thomas' favorite holiday?

What is Thomas' birth date?

What is Thomas' fiancee's Twitter handle?

What is Thomas' background picture of?

Requirements:

First things first, make sure that you've downloaded the latest version of Python 3 . Then follow this guide to install the latest version of Spiderfoot (currently v3.3).

Once it's installed correctly, run it by typing python3 sf.py -l 127.0.0.1:5001.

You can access the web interface by navigating to localhost:5001 in your browser.

Click on "New Scan". In the "Scan Target" field, type in "Thomas Straussman" or "tstraussman"; then, under By Use Case, ensure that you checked the All option. Finally, press run.

Looking at the results, you can figure out which are false positives by filtering out anything that isn't related to Reddit or Twitter.

If you find a Twitter account that leads to shadowban.eu, click on the link.

If you can't find anything related to Twitter, go to Settings --> Account Finder and set the highlighted option to False.

After checking to see if the account exists, you can search their username on twitter (or go to twitter.com/[username]).

Answer the questions below
What was the source module used to find these accounts?
Check the shadowban API. What is the value of "search"?

Now that you have Thomas' Reddit and Twitter accounts, you can do some cool stuff!

At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously.

Chrome / Firefox

There are a few key types of information that we want to find from socials:

  • Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).
  • Clear images of the subject's face (For reverse image searches and possibly finding more accounts/sources of info).
  • Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).
  • Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc..).
  • Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)

Since you have gotten most useful information from Thomas' Twitter, it's time to "pivot" to his fiancee's account.

What personal information can you find?

NOTE: If you get stuck on the first flag, consider two things:

  • You can reverse image search landscapes / locations and most likely get a result.
  • You can look at the source of the website (ctrl + shift + c, then click on the image) and try to find some metadata from the image.
Answer the questions below
Where did Thomas and his fiancee vacation to?

When is Francesca's Mother's birthday? (without the year)

What is the name of their cat?

What show does Francesca like to watch?

Now that we've gathered intel from Thomas and Francesca's Twitters, lets move to another platform - Reddit.

For the sake of this investigation, we're going to be using Reddit in two different ways:

  • Use the old version (http://old.reddit.com/) for wayback machine purposes
  • Use the new version (https://www.reddit.com/) for other purposes (later on)

First, you're going to want to install the WayBackMachine extension for your browser (you don't need it, but it'll make your life much easier).

Using Reddit's old site, navigate to Thomas' profile. Right click anywhere on the page and click on Wayback machine --> All Versions. You will see a calendar that shows all of the saved versions of the site, click through and take a look at each saved version (in this case there should be none).

So it hasn't been saved yet... Nothing out of the ordinary, right?

Next, go to Thomas' birthday post. Repeat the steps to find the first version of the site and..... Voila!

We've discovered a coworker, which is another source of intel for us! But the question is... how much intel?

Answer the questions below
What is the name of Thomas' coworker?

Where does his coworker live?

What is the paste ID for the link we found? (flag format)

Password for the next link? (flag format)

What is the name of Thomas' mistress?

What is Thomas' Email address?

Congrats on making it here! Below are a few resources that I encourage you to try after completing this room:

Other TryHackMe Rooms:

Fancy some more challenges? Check out these CTFs:

Answer the questions below
I'll check these out!
Hi Jayy#6024

Created by

User avatar
oxitocin
User avatar
str3g4tt4

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

9,808

Created

1600 days ago

Ready to learn Cyber Security? Create your free account today!

TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.

Already have an account? Log in

We use cookies to ensure you get the best user experience. For more information contact us.

Read more