
Write Up for Sakura Room (CTF)

6 min read · Dec 27, 2024


Sakura Room

Task 1: Introduction
There is nothing to solve here: type "Let's Go!" into the answer box and the task is cleared.

Task 2: TIP-OFF

The task states that the cybercriminals left an image behind. From that image we have to recover the username the attacker goes by.

Question 1: What username does the attacker go by?

We will use exiftool on Linux to read the image's metadata.

First, download the image (sakurapwnedletter.svg) from the GitHub link given in the task.

Then run exiftool against the downloaded file.

The metadata shows that sakurapwnedletter.svg was exported from a file on the attacker's own machine; the Export Filename field records the full path:

Path: /home/SakuraSnowAngelAiko/Desktop/pwnedletter.png

The home-directory component of that path (the part right after /home/) is the attacker's username.

The answer would be: SakuraSnowAngelAiko
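The same extraction can be scripted, which helps when there are many files to triage. The example below is added here and is not part of the write-up; it parses an SVG's attributes for anything that looks like an absolute path and pulls the account name out of Linux, macOS and Windows home-directory layouts. The SVG and the username in it are constructed for the demo, modelled on the kind of Inkscape export attribute that leaked in this task.

```python
"""Find file-system paths left in an SVG's metadata and recover the home-directory
username from each. Added example (not from the write-up); the SVG below is a
constructed stand-in for the leaked file, with a made-up path and username."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an Inkscape-style SVG whose export attribute still carries
# an absolute path from the author's machine. The username is invented.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     width="100" height="100"
     inkscape:export-filename="/home/exampleuser/Desktop/letter.png"
     sodipodi:docname="letter.svg">
  <rect width="10" height="10"/>
</svg>
"""

# Absolute Unix/macOS paths (optionally as file:// URLs) and Windows drive paths.
PATH_RE = re.compile(r"^(?:file://)?(/(?:[^/\s]+/)+[^/\s]*|[A-Za-z]:[\\/].*)$")

# Home-directory layouts that embed an account name in the path.
HOME_RES = [
    re.compile(r"^/home/([^/]+)/"),                          # Linux
    re.compile(r"^/Users/([^/]+)/"),                         # macOS
    re.compile(r"^[A-Za-z]:[\\/]Users[\\/]([^\\/]+)[\\/]"),  # Windows
]


def metadata_paths(svg_text):
    """Every attribute or text value in the SVG that looks like an absolute path."""
    root = ET.fromstring(svg_text)
    paths = []
    for el in root.iter():
        candidates = list(el.attrib.values())
        if el.text:
            candidates.append(el.text.strip())
        for value in candidates:
            m = PATH_RE.match(value)
            if m:
                paths.append(m.group(1))
    return paths


def username_from_path(path):
    """Account name embedded in a home-directory path, or None if there is none."""
    for rx in HOME_RES:
        m = rx.match(path)
        if m:
            return m.group(1)
    return None


def leaked_usernames(svg_text):
    """Distinct usernames recoverable from paths in the SVG's metadata."""
    return sorted({u for u in map(username_from_path, metadata_paths(svg_text)) if u})


if __name__ == "__main__":
    for p in metadata_paths(SAMPLE_SVG):
        print(p, "->", username_from_path(p))
```

Run it on the real file with `metadata_paths(open("sakurapwnedletter.svg").read())`; exiftool shows the same field, but the script also catches paths hidden in other attributes or in text nodes that a quick read of the exiftool output can miss.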

Task 3: RECONNAISSANCE

Question 1: Get the user's email address.

First, search the web for profiles registered under that username (GitHub, Twitter and other sources).

After about half an hour of searching I learned that if we can find the user's PGP (Pretty Good Privacy) public key, the email address is easy to extract: an OpenPGP key carries its owner's user ID (name and email) in cleartext, and GnuPG (gpg) will display it. Nothing has to be decrypted.

I found the PGP key in the user's GitHub repository.

I downloaded the raw key file and inspected it with gpg.

gpg prints the user ID, including the email address, which answers the first question. Keep in mind that the user ID in a key is whatever its creator typed in when generating it; it is self-asserted, not verified, so treat it as a lead to confirm rather than as proof.
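To show what gpg is actually reading, here is an added example (not the write-up's own workflow, and not a real key) that dearmors an OpenPGP public key block, verifies the armor CRC24, walks the packet headers and returns the User ID packets. The key block is constructed in the code from hand-built packets around dummy key material, so everything runs offline.

```python
"""Read the User ID packets (name and email) out of an ASCII-armored OpenPGP
public key without GnuPG. Added example, not the write-up's own workflow; the
key block is constructed below from hand-built packets and is not a real key."""
import base64
import re


def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip the armor, decode the base64 body and verify the CRC24 line."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an armored OpenPGP block")
    body, checksum = [], None
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("-----END PGP "):
            break
        if line.startswith("="):            # "=XXXX": base64 of the CRC24
            checksum = line[1:]
        elif line and ":" not in line:      # skip armor headers ("Version:", "Comment:")
            body.append(line)
    raw = base64.b64decode("".join(body))
    if checksum is not None and crc24(raw) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor checksum mismatch: block was altered or truncated")
    return raw


def packets(raw):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, raw[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                            # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not supported here")
            width = 1 << length_type                     # 1, 2 or 4 length octets
            length, i = int.from_bytes(raw[i:i + width], "big"), i + width
        yield tag, raw[i:i + length]
        i += length


def user_ids(raw):
    """User ID packets (tag 13) hold the name and email in cleartext."""
    return [body.decode("utf-8", "replace") for tag, body in packets(raw) if tag == 13]


def emails_from_armored(text):
    """Email addresses from the key's user IDs (the part in angle brackets)."""
    return [m.group(1) for uid in user_ids(dearmor(text))
            if (m := re.search(r"<([^<>\s]+@[^<>\s]+)>", uid))]


def checks_out(text):
    """True if the block dearmors cleanly (well-formed, checksum intact)."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


# --- constructed sample: hand-built packets around dummy key material ---
def old_packet(tag, body):    # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def new_packet(tag, body):    # new-format header, one-octet length (body < 192)
    return bytes([0xC0 | tag, len(body)]) + body

def armor(raw, crc=None):
    """Armor `raw`; `crc` overrides the checksum (only useful to fake a bad one)."""
    crc = crc24(raw) if crc is None else crc
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + base64.b64encode(crc.to_bytes(3, "big")).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

DUMMY_PUBKEY = b"\x04" + bytes(4) + b"\x01\x00\x10\xc0\x01"   # v4 header, fake RSA MPI
SAMPLE_KEY = armor(old_packet(6, DUMMY_PUBKEY)
                   + old_packet(13, b"Example Person <example@example.org>")
                   + new_packet(13, b"Example Person <alt@example.net>"))

if __name__ == "__main__":
    print(user_ids(dearmor(SAMPLE_KEY)), emails_from_armored(SAMPLE_KEY))
```

On a real key downloaded from a repository, `emails_from_armored(open("key.asc").read())` gives the same addresses that `gpg --show-keys key.asc` prints; the checksum check matters because a key pasted into a README is often truncated or reflowed, and a silent decode of a damaged block would hide that.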

Question 2: Real Name

For the second question I searched the internet and found the user's Twitter account, where she mentioned her name in a post.

Her name is Aiko Abe.

Task 4: UNVEIL

Question 1: What cryptocurrency does the attacker own a cryptocurrency wallet for?

This one was easy: the attacker's GitHub account has a repository named ETH, which points to Ethereum, and that answer was accepted.

Question 2: What is the attacker’s cryptocurrency wallet address?

The current contents of the ETH repository showed no wallet address, and neither did the other repositories. The commit history of the ETH repository was more useful: a later commit had updated the content, and the diff showed that the attacker had replaced the wallet address. The address from the earlier commit is the answer. Overwriting data in a public repository does not remove it from the history.
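Reading the history by hand works for one small repository; across many repositories it is worth scripting. The example below is added here and is not part of the write-up: it builds a throwaway repository with a constructed miner config and two commits (the second one replacing the wallet), then walks `git log -p` to list every Ethereum-style address that was ever added and flags the ones no longer present in HEAD. The addresses are made up and it assumes the git binary is on PATH.

```python
"""Walk a git repository's history for values that were later "rotated" out,
here Ethereum-style addresses in a config file. Added example, not the
write-up's own steps; it builds a throwaway repo with a constructed file and two
commits, then reports addresses that appear in history but not in HEAD.
Assumes the git binary is on PATH."""
import os
import re
import shutil
import subprocess
import tempfile

HAVE_GIT = shutil.which("git") is not None
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
OLD_ADDR = "0x" + "11" * 20      # constructed, not a real wallet
NEW_ADDR = "0x" + "22" * 20      # constructed, not a real wallet


def git(repo, *args):
    """Run git in `repo` with a fixed identity and signing disabled; return stdout."""
    cmd = ["git", "-C", repo, "-c", "user.name=osint", "-c", "user.email=osint@example.invalid",
           "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def build_demo_repo(repo):
    """Two commits: the first adds a wallet, the second silently replaces it."""
    git(repo, "init", "-q")
    conf = os.path.join(repo, "miner.conf")
    with open(conf, "w") as fh:
        fh.write(f"pool=stratum+tcp://pool.example.invalid:4444\nwallet={OLD_ADDR}\n")
    git(repo, "add", "miner.conf")
    git(repo, "commit", "-q", "-m", "add miner config")
    with open(conf, "w") as fh:
        fh.write(f"pool=stratum+tcp://pool.example.invalid:4444\nwallet={NEW_ADDR}\n")
    git(repo, "commit", "-q", "-a", "-m", "update config")


def addresses_in_history(repo):
    """Map each address ever added to the abbreviated commit that introduced it."""
    log = git(repo, "log", "--all", "--reverse", "-p", "--format=commit %h")
    found, commit = {}, None
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):   # added lines only
            for addr in ETH_ADDR.findall(line):
                found.setdefault(addr.lower(), commit)
    return found


def addresses_in_head(repo):
    """Addresses in the current tree, i.e. what a casual look at the repo shows."""
    live = set()
    for path in git(repo, "ls-tree", "-r", "--name-only", "HEAD").split("\n"):
        if path:
            live.update(a.lower() for a in ETH_ADDR.findall(git(repo, "show", f"HEAD:{path}")))
    return live


def rotated_addresses(repo):
    """Addresses that survive only in history: the ones to check on a block explorer."""
    live = addresses_in_head(repo)
    return {a: c for a, c in addresses_in_history(repo).items() if a not in live}


def demo():
    """Build the constructed repo in a temp dir and return its rotated addresses."""
    with tempfile.TemporaryDirectory() as repo:
        build_demo_repo(repo)
        return rotated_addresses(repo)


if __name__ == "__main__":
    for addr, commit in demo().items():
        print(f"{addr} first added in {commit}, no longer in HEAD")
```

Against a cloned target, call `rotated_addresses("/path/to/clone")` directly; `--all` makes the scan cover every branch, not only the one checked out, and only `+` lines are inspected so the map records where a value first entered the history rather than where it was removed.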

Question 3: What mining pool did the attacker receive payments from on January 23, 2021?

Searching for "Ethereum wallet finder" led me to https://etherscan.io/, a block explorer.
Entering the attacker's wallet address there lists every transaction involving it.
Filtering the list to 23 January 2021 shows the payment from the mining pool; Etherscan labels the paying address with the pool's name. Etherscan shows block timestamps in UTC, so check the date in UTC rather than in local time.

Question 4: What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

The same transaction history also shows a token transfer in Tether (USDT), which is the answer to this question.
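The two lookups above (who paid the wallet on a given day, and which tokens moved through it) are the kind of thing to script when a wallet has thousands of transactions. The example below is added here and is not part of the write-up. Its records are constructed, modelled on the field names Etherscan's account API returns for normal (`txlist`) and ERC-20 (`tokentx`) transactions; the addresses and amounts are made up, and the pool's name is not in the data because labels come from Etherscan's address tags, not from the API records. The day filter is done in UTC on purpose: a payment at 23:30 UTC on the 23rd is already the 24th in Japan, and a local-time filter would miss it.

```python
"""Filter a wallet's transaction history to one UTC calendar day and report who
paid it and which tokens moved. Added example, not the write-up's own steps.
Records are constructed in the shape of Etherscan's `txlist` / `tokentx` API
output; addresses and amounts are made up."""
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

WALLET = "0x" + "cd" * 20        # constructed: the attacker's wallet
POOL = "0x" + "ab" * 20          # constructed: the paying mining pool
EXCHANGE = "0x" + "ef" * 20      # constructed: a swap/exchange contract

# Constructed normal-transaction records. `value` is in wei, `timeStamp` is Unix UTC.
SAMPLE_TXS = [
    {"timeStamp": "1611360000", "from": POOL, "to": WALLET, "value": "100000000000000000"},    # 2021-01-23 00:00 UTC
    {"timeStamp": "1611400000", "from": WALLET, "to": EXCHANGE, "value": "10000000000000000"},  # outgoing, ignored
    {"timeStamp": "1611444600", "from": POOL, "to": WALLET, "value": "50000000000000000"},     # 2021-01-23 23:30 UTC
    {"timeStamp": "1611446400", "from": POOL, "to": WALLET, "value": "200000000000000000"},    # 2021-01-24 00:00 UTC
]
# Constructed ERC-20 transfer records; `value` is in the token's smallest unit.
SAMPLE_TOKEN_TXS = [
    {"timeStamp": "1611400000", "from": EXCHANGE, "to": WALLET, "value": "25000000",
     "tokenSymbol": "USDT", "tokenDecimal": "6"},
]


def utc_date(ts):
    """Unix timestamp (int or string) -> ISO date in UTC, matching Etherscan's display."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()


def incoming_by_sender(txs, wallet, iso_day):
    """Total ETH received per sender on one UTC day (summed in wei, converted once)."""
    wei = defaultdict(int)
    for tx in txs:
        if tx["to"].lower() == wallet.lower() and utc_date(tx["timeStamp"]) == iso_day:
            wei[tx["from"].lower()] += int(tx["value"])
    return {sender: Decimal(total) / Decimal(10 ** 18) for sender, total in wei.items()}


def token_flows(token_txs, wallet):
    """Per token symbol, net amount moved into (+) or out of (-) the wallet."""
    net = defaultdict(Decimal)
    for tx in token_txs:
        amount = Decimal(tx["value"]) / Decimal(10 ** int(tx["tokenDecimal"]))
        if tx["to"].lower() == wallet.lower():
            net[tx["tokenSymbol"]] += amount
        elif tx["from"].lower() == wallet.lower():
            net[tx["tokenSymbol"]] -= amount
    return dict(net)


if __name__ == "__main__":
    print(incoming_by_sender(SAMPLE_TXS, WALLET, "2021-01-23"))
    print(token_flows(SAMPLE_TOKEN_TXS, WALLET))
```

With live data, feed the `result` list from the Etherscan API response into the same two functions; amounts are kept as integers and `Decimal` rather than floats so that wei values are not rounded.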

Task 5: TAUNT

Question 1: What is the attacker’s current Twitter handle?

From Task 3 we have the attacker's real name. Searching Twitter for that name turned up the attacker's current account.

Question 2: What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

The hint points to an image the attacker shared, and that image shows the dark web URL of the site where the attacker keeps all her Wi-Fi SSIDs and passwords.

Question 3: What is the BSSID for the attacker’s home WiFi?

To solve this I first looked for tools or websites that can resolve a Wi-Fi SSID to its BSSID.

That led me to WiGLE, whose advanced search can be filtered by SSID and returns the matching BSSID. Searching WiGLE requires a (free) account, and a common SSID can match many access points worldwide, so narrow the search by region when the name is not unique.

Task 6: HOMEBOUND

Question 1: What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

The attacker posted this photo before the flight, so the departure airport should be close to the location in the photo.

First I put the image through Google Lens reverse image search, but it did not identify the place. Then I gave the photo to Gemini, which identified the location as Washington, DC. So the attacker departed from a Washington, DC airport; the one closest to the city is Ronald Reagan Washington National Airport, code "DCA".

Question 2: What airport did the attacker have their last layover in?

This photo shows a sign for the JAL First Class Lounge (Sakura Lounge).
Searching for it, I found that this lounge is at Tokyo International Airport, better known as Haneda Airport, airport code "HND".

Question 3: What lake can be seen in the map shared by the attacker as they were on their final flight home?

The attacker posted this photo on her Twitter. The lake seen from above is Lake Inawashiro, which anyone can confirm by comparing the photo with a map.

Question 4: What city does the attacker likely consider “home”?

From the previous task we have the image of the site where the attacker keeps her Wi-Fi SSIDs and passwords. One of the entries is the city's free Wi-Fi, named "Hirosaki", so the city she considers home is Hirosaki.


Written by Emrul Hossain

"Tech enthusiast passionate about cybersecurity, exploring secure systems, innovative technologies, and the future of digital protection."
