WriteUp Introduction to OSINT Security Blue Team Challenge

This write-up covers the challenge from the Introduction to OSINT course by Security Blue Team. The challenge brief is given as follows:


Twitter handle used by actor: @sp1ritfyre
Requirements:
Known Info:
Twitter Handle: @sp1ritfyre

Required Info:
[1] First Name: 
[2] Last Name: 
[3] Age: 
[4] Country:
[5] Interests (5 minimum):
[6] Hacker's employer (company name): 
[7] Hacker's position within the company:

Online Presence:
[8] Self-Owned Website (Hacker owns the domain):
[9] Other Websites (Person does not own the domain, such as blogs):

Email Addresses Utilized:
[10] What email addresses have been used by the hacker?

Enumeration:

Taking a look at the target’s Twitter account, we notice that he has placed a link in his bio: cmVkaHVudC5uZXQK.xyz

The first part of the link looks like base64, so we decoded it with base64decode.org to see whether it held anything useful, and the result surprised us, as shown below.

It decodes to redhunt.net! We noted the domain down and ran a Google search for it, which turned up something interesting, as shown below.

What is eye-catching here is that the first Google result confirms the domain exists, but we would never have connected it to the target on our own: neither the website name nor its description has any obvious relationship to him.

The second result, a Blogger site, is more striking because it carries the same username as the target. A blog under the same handle is a promising source of personal information if it really is the target’s page, so we opened it and found the following:

Interesting! The blog image is the same one the target posted on his personal Twitter account, which confirms that this is his account. Two further things stand out here. The first is a “contact me” button; when we clicked it, it took us to the email address d1ved33p@gmail.com.

The second is the location field, which holds the hexadecimal value “68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d”. Converting it from hex gives the following link: sammiewoodsec.blogspot.com, as shown below.
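As an added example (not part of the original write-up), the two decoding steps above done in code: it decodes the base64 label of the bio link and the hex value from the blog's location field, tries hex before base64 because a hex string is also syntactically valid base64, and strips the trailing newline the base64 value carries. The function and regex names are my own.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Values quoted from the write-up: the base64 label forming the host of the
# Twitter bio link, and the hex string found in the blog's location field.
BIO_LINK = "cmVkaHVudC5uZXQK.xyz"
LOCATION_HEX = "68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Only accept decoded text that looks like a hostname or URL; this rejects the
# short printable junk that base64-decoding an ordinary label can produce.
LINK_RE = re.compile(r"^(?:[a-z]+://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/.*)?$")


def decode_candidate(token: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, text) if token is a hex- or base64-encoded link."""
    # Hex first: every hex string is also syntactically valid base64, so the
    # reverse order would turn LOCATION_HEX into garbage bytes.
    if HEX_RE.match(token) and len(token) % 2 == 0:
        text = bytes.fromhex(token).decode("ascii", errors="replace")
        if LINK_RE.match(text):
            return "hex", text
    if B64_RE.match(token) and len(token) % 4 == 0:
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # `echo redhunt.net | base64` appends a newline (the trailing "K"
        # in the bio label encodes it); strip it to get a usable hostname.
        text = text.rstrip("\r\n")
        if LINK_RE.match(text):
            return "base64", text
    return None


def hidden_links_in(link: str) -> List[Tuple[str, str]]:
    """Decode every encoded label in a link's host part."""
    host = re.sub(r"^[a-z]+://", "", link).split("/")[0]
    return [d for d in map(decode_candidate, host.split(".")) if d]


if __name__ == "__main__":
    print(hidden_links_in(BIO_LINK))        # [('base64', 'redhunt.net')]
    print(decode_candidate(LOCATION_HEX))   # ('hex', 'https://sammiewoodsec.blogspot.com')
```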

After opening that website and reading its blog page, it became clear that we had reached the target: the email address there matches the one we found on the previous blog, as shown below.

Clicking the personal information link on the right-hand side gave us all the required information, as shown below!

Now we can confidently answer all the required questions, which are as follows:

Known Info:
Twitter Handle: @sp1ritfyre

Required Info:
[1] First Name: Sam
[2] Last Name: Woods
[3] Age: 23
[4] Country: United Kingdom
[5] Interests (5 minimum): Security, Programming, Technology, Gaming, Photography, Camping
[6] Hacker's employer (company name): Philman Security Inc
[7] Hacker's position within the company: Junior Penetration tester

Online Presence:
[8] Self-Owned Website (Hacker owns the domain):
https://redhunt.net
[9] Other Websites (Person does not own the domain, such as blogs):
https://sammiewoodsec.blogspot.com/
https://sp1ritfyrehackerstories.blogspot.com/

Email Addresses Utilized:
[10] What email addresses have been used by the hacker? d1ved33p@gmail.com
