We covered an open-source intelligence (OSINT) case study that starts from a Reddit username and works all the way to a geographic location, as part of TryHackMe Advent of Cyber 2, Day 14: Where’s Rudolph?
Starting Point and Reddit Analysis
My investigation began with a Reddit account username. By carefully examining the comments on this Reddit account, I was able to find two crucial pieces of information: the user’s birth city (Chicago) and the first name of Rudolph’s creator (Robert).
Google Search and Discovering Other Social Media
With “Robert” and “Rudolph creator” in hand, a Google search quickly revealed the creator’s full name: Robert L. May.
While analyzing the Reddit comments further, I noticed a mention of Twitter, indicating the user likely had an account there. The video demonstrated using a tool called “Namecheckup” to find social media accounts associated with a username, though a direct search on Twitter with the Reddit username also worked to find the Twitter account.
Twitter Analysis and Image Forensics
Reviewing the Twitter posts, I successfully identified Rudolph’s favorite TV show: “The Bachelorette.” I also downloaded photos from the Twitter posts for further analysis.
For the image analysis, I employed two techniques:
- Reverse Image Search: Using Google Reverse Image Search on the downloaded photos, I identified the location of a parade Rudolph participated in as Chicago.
- EXIF Data Analysis: I used an EXIF data tool (both a command-line tool and an online tool called “Jeffrey’s Image Metadata Viewer”) on one of the photos to extract GPS coordinates.
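EXIF tools read the GPS position from a small TIFF structure inside the image, where latitude and longitude are stored as degree/minute/second rationals plus an N/S/E/W reference. The following is an added example, not code from the room or the video: it decodes that structure with Python's standard library so you can check whether a photo still carries a location before it is published. The function names are illustrative, and the sample bytes are constructed to encode the coordinates from this write-up.

```python
import struct

def read_ifd(buf, off, bo):
    """Map tag -> raw 4-byte value field for one TIFF image file directory."""
    (count,) = struct.unpack_from(bo + "H", buf, off)
    return {struct.unpack_from(bo + "H", buf, off + 2 + 12 * i)[0]:
            buf[off + 10 + 12 * i: off + 14 + 12 * i] for i in range(count)}

def dms_to_decimal(buf, field, ref, bo):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref -> signed degrees."""
    (ptr,) = struct.unpack(bo + "I", field)
    n = struct.unpack_from(bo + "6I", buf, ptr)
    deg, minutes, sec = (n[i] / n[i + 1] for i in (0, 2, 4))
    value = deg + minutes / 60 + sec / 3600
    return round(-value if ref in (b"S", b"W") else value, 6)

def gps_from_tiff(buf):
    """Return (lat, lon) from an EXIF/TIFF blob, or None when no GPS tags exist."""
    bo = {b"II": "<", b"MM": ">"}.get(buf[:2])
    if bo is None or struct.unpack_from(bo + "H", buf, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF header")
    root = read_ifd(buf, struct.unpack_from(bo + "I", buf, 4)[0], bo)
    if 0x8825 not in root:               # GPSInfo pointer tag in IFD0
        return None
    gps = read_ifd(buf, struct.unpack(bo + "I", root[0x8825])[0], bo)
    if not gps.keys() >= {1, 2, 3, 4}:   # LatRef, Lat, LonRef, Lon
        return None
    return (dms_to_decimal(buf, gps[2], gps[1][:1], bo),
            dms_to_decimal(buf, gps[4], gps[3][:1], bo))

def build_sample(with_gps=True):
    """Constructed EXIF/TIFF bytes (not a real photo) for the demo."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    ptr = lambda n: struct.pack("<I", n)
    head = b"II" + struct.pack("<HI", 42, 8)
    if not with_gps:                     # what a metadata-stripped image looks like
        return head + struct.pack("<H", 0) + ptr(0)
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, ptr(26)) + ptr(0)
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0") + ent(2, 5, 3, ptr(80))
           + ent(3, 2, 2, b"W\0") + ent(4, 5, 3, ptr(104)) + ptr(0))
    lat = struct.pack("<6I", 41, 1, 53, 1, 30534, 1000)     # 41 deg 53' 30.534"
    lon = struct.pack("<6I", 87, 1, 37, 1, 273972, 10000)   # 87 deg 37' 27.3972"
    return head + ifd0 + gps + lat + lon

if __name__ == "__main__":
    print(gps_from_tiff(build_sample()))
    print(gps_from_tiff(build_sample(with_gps=False)))
```

A result of `None` means the GPS block is absent, which is the state an image should be in before it is shared publicly.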
Checking for Data Breaches and Geolocation 📍
I then attempted to check if the user’s email (which was provided as a hint in the challenge) had been involved in any data breaches using tools like “Have I Been Pwned” and “DeHashed.” The video also mentioned a tool called “Skylab” that would typically show breached passwords but was under maintenance at the time.
Finally, I took the extracted GPS coordinates and plugged them into Google Maps. By zooming in on the location and looking for hotels in the “Magnificent Mile” area (as hinted in the challenge), I was able to identify a likely hotel. From there, I found the specific street number of the hotel.
This entire process successfully demonstrated how to systematically gather various pieces of personal information by meticulously analyzing publicly available data from different online sources, showcasing the power of OSINT.
Room Answers
What URL will take me directly to Rudolph’s Reddit comment history?
https://www.reddit.com/user/IGuidetheClaus2020/comments
According to Rudolph, where was he born?
Chicago
Rudolph mentions Robert. Can you use Google to tell me Robert’s last name?
May
On what other social media platform might Rudolph have an account?
What is Rudolph’s username on that platform?
IGuideClaus2020
What appears to be Rudolph’s favorite TV show right now?
Bachelorette
Based on Rudolph’s post history, he took part in a parade. Where did the parade take place?
Chicago
Okay, you found the city, but where specifically was one of the photos taken?
41.891815, -87.624277
Did you find a flag too?
{FLAG}ALWAYSCHECKTHEEXIFD4T4
Has Rudolph been pwned? What password of his appeared in a breach?
spygame
Based on all the information gathered, it’s likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile. What are the street numbers of the hotel address?
540