We covered an open-source intelligence (OSINT) case study that starts from a Reddit username and ends at a geographic location, as part of TryHackMe Advent of Cyber 2 / Day 14: Where’s Rudolph?

Starting Point and Reddit Analysis

My investigation began with a Reddit account username. By carefully examining the comments on this Reddit account, I was able to find two crucial pieces of information: the user’s birth city (Chicago) and the first name of Rudolph’s creator (Robert).

Google Search and Discovering Other Social Media

With “Robert” and “Rudolph creator” in hand, a Google search quickly revealed the creator’s full name: Robert L. May.

While analyzing the Reddit comments further, I noticed a mention of Twitter, indicating the user likely had an account there. The video demonstrated using a tool called “Namecheckup” to find social media accounts associated with a username, though a direct search on Twitter with the Reddit username also worked to find the Twitter account.

Twitter Analysis and Image Forensics

Reviewing the Twitter posts, I successfully identified Rudolph’s favorite TV show: “The Bachelorette.” I also downloaded photos from the Twitter posts for further analysis.

For the image analysis, I employed two techniques:

  • Reverse Image Search: Using Google Reverse Image Search on the downloaded photos, I identified the location of a parade Rudolph participated in as Chicago.
  • EXIF Data Analysis: I used an EXIF data tool (both a command-line tool and an online tool called “Jeffrey’s Image Metadata Viewer”) on one of the photos to extract GPS coordinates.
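
To show what an EXIF tool reads in the second step, and what to check for before publishing your own photos, here is an added example (not code from the original write-up or the room). It walks the TIFF structure inside a JPEG's Exif segment, follows the GPS IFD pointer (tag 0x8825) and converts the degree/minute/second rationals to decimal degrees. The function names and the sample blob are constructed for illustration; the blob encodes the coordinates listed in the room answers.

```python
import struct

def _entries(tiff, off, e):
    """Yield (tag, type, count, raw 4-byte value field) for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", tiff, base)
        yield tag, typ, cnt, tiff[base + 8: base + 12]

def _dms(tiff, raw, e):
    """Read three RATIONALs (deg, min, sec) and return decimal degrees."""
    (ptr,) = struct.unpack(e + "I", raw)
    v = struct.unpack_from(e + "6I", tiff, ptr)
    d, m, s = (v[i] / v[i + 1] for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def gps_from_exif(tiff):
    """Return (lat, lon) in decimal degrees, or None if no GPS data exists."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte-order mark
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF body")
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    gps = next((r for t, _, _, r in _entries(tiff, ifd0, e) if t == 0x8825), None)
    if gps is None:
        return None  # metadata was stripped or never recorded
    tags = {t: r for t, _, _, r in _entries(tiff, struct.unpack(e + "I", gps)[0], e)}
    if not {1, 2, 3, 4} <= tags.keys():
        return None
    lat = _dms(tiff, tags[2], e) * (-1 if tags[1][:1] == b"S" else 1)
    lon = _dms(tiff, tags[4], e) * (-1 if tags[3][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def sample_tiff():
    """Constructed sample: minimal little-endian EXIF body with a GPS IFD."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    u32 = lambda n: struct.pack("<I", n)
    head = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<H", 1) + ent(0x8825, 4, 1, u32(26)) + u32(0)
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(80))
           + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(104)) + u32(0))
    lat = struct.pack("<6I", 41, 1, 53, 1, 30534, 1000)     # 41° 53' 30.534"
    lon = struct.pack("<6I", 87, 1, 37, 1, 273972, 10000)   # 87° 37' 27.3972"
    return head + ifd0 + gps + lat + lon

if __name__ == "__main__":
    print(gps_from_exif(sample_tiff()))
```

In a real JPEG, the bytes passed to `gps_from_exif` are the APP1 segment payload after the `Exif\0\0` marker. A `None` result means the image carries no GPS tags.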

Checking for Data Breaches and Geolocation 📍

I then attempted to check if the user’s email (which was provided as a hint in the challenge) had been involved in any data breaches using tools like “Have I Been Pwned” and “DeHashed.” The video also mentioned a tool called “Skylab” that would typically show breached passwords but was under maintenance at the time.

Finally, I took the extracted GPS coordinates and plugged them into Google Maps. By zooming in on the location and looking for hotels in the “Magnificent Mile” area (as hinted in the challenge), I was able to identify a likely hotel. From there, I found the specific street number of the hotel.

This entire process successfully demonstrated how to systematically gather various pieces of personal information by meticulously analyzing publicly available data from different online sources, showcasing the power of OSINT.

Room Answers

What URL will take me directly to Rudolph’s Reddit comment history?

https://www.reddit.com/user/IGuidetheClaus2020/comments

According to Rudolph, where was he born?

Chicago

Rudolph mentions Robert.  Can you use Google to tell me Robert’s last name?

May

On what other social media platform might Rudolph have an account?

Twitter

What is Rudolph’s username on that platform?

IGuideClaus2020

What appears to be Rudolph’s favorite TV show right now?

Bachelorette

Based on Rudolph’s post history, he took part in a parade.  Where did the parade take place?

Chicago

Okay, you found the city, but where specifically was one of the photos taken?

41.891815, -87.624277

Did you find a flag too?

{FLAG}ALWAYSCHECKTHEEXIFD4T4

Has Rudolph been pwned? What password of his appeared in a breach?

spygame

Based on all the information gathered.  It’s likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile.  What are the street numbers of the hotel address?

540

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
