Prompt: What information can you possibly get with just one photo?
Using the photo provided in the task files, I began my investigation online about how to get information from a photo and how to hide information in a photo. The following results stuck out to me: image metadata and steganography.
Based on the question prompts from TryHackMe, I think I will first explore what image metadata I can pull from the image which may answer questions like what city the person was in. I’ll start off there.
I searched for online metadata extractors and selected Jimpl to analyze my photo. A couple of things pop out to me that I want to explore more closely:
- Copyright: I know that this copyright data comes from user input, the username, or some other identifier from the person who posts an image. In this case, the value of copyright is “OWoodflint.”
- GPS position: 54 deg 17' 41.27" N, 2 deg 15' 1.33" W. This could give me a hint as to where the photo was taken.
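Mapping tools generally expect signed decimal degrees rather than the degrees/minutes/seconds string the extractor prints. The following is an added example, not part of the original write-up, that parses the GPS position string shown above; the function names are hypothetical.

```python
import re

# One coordinate as printed by the metadata extractor, e.g. 54 deg 17' 41.27" N
_DMS = re.compile(
    r"""(\d+(?:\.\d+)?)\s*deg\s*(\d+(?:\.\d+)?)'\s*(\d+(?:\.\d+)?)"\s*([NSEW])"""
)


def dms_to_decimal(text, axis):
    """Convert one DMS coordinate to signed decimal degrees.

    axis is "NS" for latitude or "EW" for longitude; a hemisphere letter
    from the wrong axis is rejected so swapped fields are caught early.
    """
    m = _DMS.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a DMS coordinate: {text!r}")
    deg, minutes, seconds = (float(x) for x in m.group(1, 2, 3))
    ref = m.group(4)
    if ref not in axis:
        raise ValueError(f"hemisphere {ref} is not valid for axis {axis}")
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes/seconds out of range: {text!r}")
    value = deg + minutes / 60 + seconds / 3600
    if value > (90 if axis == "NS" else 180):
        raise ValueError(f"coordinate out of range: {text!r}")
    # South and West are negative in signed decimal notation.
    return -value if ref in "SW" else value


def parse_gps_position(text):
    """Parse a 'lat, lon' GPS position string into (lat, lon) decimals."""
    parts = text.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected 'lat, lon', got: {text!r}")
    lat = dms_to_decimal(parts[0], "NS")
    lon = dms_to_decimal(parts[1], "EW")
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    # The GPS position value reported for the task photo.
    print(parse_gps_position("54 deg 17' 41.27\" N, 2 deg 15' 1.33\" W"))
```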
Let’s start by simply googling “OWoodflint.” There appears to be a user account on X with the handle @OWoodflint…too good to be true? Let’s see…
Considering one of the questions in the THM room asks about an avatar, let’s try “cat”… that’s correct!
What else could this X account help us with? I see a post that lists out the BSSID he uses to get Wifi. The BSSID is a Wifi point’s physical MAC address. With this information, I can use a website called Wigle.net that I’ve learned can help me search BSSIDs across the world and retrieve their IDs.
Let’s search the BSSID “B4:5D:50:AA:86:41” on wigle.net. Using the View -> Basic Search tool on the top of the screen, I entered in the BSSID under the Wifi kit, then clicked Query.
After zooming out on the map, I found there was a hit on this BSSID in the UK, so I zoomed in and sure enough, I found the SSID associated with it: “UnileverWiFi”. That’s another flag!
I can also see that the location this BSSID is at is in London, so I would guess that OWoodflint must be in range of that WAP if he can use it from his house. Therefore, London must be where he is at. Another flag!
If OWoodflint is “smart” enough to post the BSSID of the Wifi he uses on the Internet, maybe he’ll post more information in the open. Let’s do a google search of “OWoodflint.” From this search, I can see a linked Github page with the email address “owoodflint@gmail.com”. I can’t be certain this is a hit, but let’s see what the contents of the link are.
Considering the content of what’s written on the readme of this repository, I think it is a pretty safe bet that “owoodflint@gmail.com” belongs to our target. Sure enough, that is the answer to what his personal email address is too!
Our target’s Github repository shows us his personal email address and a link to his WordPress blog
And of course, since that email is correct, we can try “Github” as the name of the website we found the email on, and sure enough that’s correct!
I also like this link to his WordPress site. I’m willing to guess that details of his vacation are going to be on there…let’s see.
What a nice name! Based on the wording of this blog post, I’m willing to bet that “New York” is the answer to the question regarding where he is on vacation. Let’s try that…success!
The last flag is asking about passwords. I’m going to assume that Woodflint at least knows that he shouldn’t post his password publicly online. But I do know that sometimes source code can reveal information not otherwise posted. So let’s take a look at the source code of this WordPress post and see what we can find.
After going through the source code several times (and missing the answer just as many times), I finally found some text that looks out of the ordinary based on the context of the code.
It appears that this text, “pennYDr0pper.!” may fit the hint provided by TryHackMe, so let’s see if it takes. It sure does! That’s the last flag.
Exercise complete!