Skip to main content

OSINT: Learning by Doing. A walkthrough of The Seint's OSINT Puzzles - PART 3

Greyscale image of Japanese pagoda, courtesy of Pexels

This is a walkthrough of an OSINT CTF set by The Seint in a GitHub repo you can find here. So far, each subsequent step is nested inside a zip archive that is unlocked by solving the previous step. Each layer is password protected, the password being an MD5 hash of the previous stage's answer. You can see how we solved steps 1 to 3 in these earlier posts: Part 1, Part 2.

WARNING  Obviously there are spoilers in this series; they are a walkthrough after all!


STEP 4 - A Visit to Japan

Opening step4.zip, we find two text files and the .zip for the next stage:
- step4.txt
- step4 - hint.txt
- step5.zip

As before, we'll try getting through this without a hint. Opening step4.txt, we find our clue:
---
There is a housing estate somewhere in Japan with the same name as the first five letters of the resort in Hawaii from the previous task. Next to it, there is a dental clinic. The working hours have changed over the past years. What were the clinic’s afternoon working hours in the end of year 2009?
Write the answer in this format: X:XX-X:XX and then make an MD5 hash of it. This will be the password to the next step.
---

The resort referred to in the previous step was called "Hualalai", so I try a search of the first five letters of that in Google Maps. Unfortunately, the nearest Google can get to that is Rock-A-Hula Vintage Clothing in Nagaoka. Eventually though, I found an alternative result on my phone version of the Google Maps app, which I could reproduce on my PC by searching for "huala apartment complex, japan", which takes us to Tokyo:

Google Maps search result showing HUALA apartment complex in Tokyo, Japan

Using the 'Nearby' option, I was then able to search for 'dental practice', only to find that the nearest is some distance away. Zooming in on the map, however, I found Takahashi Dental Practice right next door to Huala apartment complex; I'm not sure why it doesn't show up in the 'Nearby' results.

Google will display opening hours if it can, and we're shown the current afternoon hours as 2:30-6:30pm. 

Google Maps search result showing Takahashi Dental Clinic in Tokyo, Japan

Unfortunately, The Seint wants to know what the opening hours were in 2009. Luckily we have a time machine!

First, open the location in Street View, and you will see Google's timeline feature at the bottom of the small menu at the top:

Google Street View showing Timeline function

From here we can step back in time to December 2009, when there was less scaffolding:

Google Street View of Takahashi Dental Clinic in Tokyo, Japan, in 2009

What this tells us is that Takahashi Dental Clinic is very consistent with its opening hours over the years -- it's still 2:30-6:30, and hashing this gives us the password to Step 5.


STEP 5 - MAC Attack!

In step5.zip we find the usual, but it must be a difficult puzzle as we've got two hints! Let's try without though. Opening step5.txt, we find our next clue:

---
If you found the dental clinic, you also probably found its telephone number. Somewhere near, there is a place with a phone number that differs by 34790. If you find that place, you can notice that some time ago, a Wi-Fi device manufactured by “I-O Data Device” company was spotted there. Are you able to locate where the device was seen? The answer to this step is the second half of the MAC address of that Wi-Fi device (6 characters, in XX:XX:XX format).
Write the answer in this format: XX:XX:XX using only numbers and small letters, and then make an MD5 hash of it. This will be the password to the next step.
---

Going back to Takahashi Dental Clinic, the phone number we're interested in is +81337661218. We're not told whether to add or subtract 34790, so let's do both:
+ 34790 = +81337696008
- 34790 = +81337626428

Searching both phone numbers in Google Maps itself gives a result on the second number, which points to Iriarai 1st Elementary School, less than 150m away at 35.5842418, 139.7251867.

As you probably know, it's possible to search for routers on Wigle.net. We can search locations and SSIDs, but we can also search for specific makes of router. Each router has a MAC address which is six octets of hexadecimal numbers in this format: 00:00:00:00:00:00. Every manufacturer has one or more specific sets of MAC prefixes, i.e. the first three octets. We can look these up on various websites, such as MAC Address Lookup and for “I-O Data Device” we get three:
  00:A0:B0 - Registered 1998-04-22
  34:76:C5 - Registered 2012-04-08
  50:41:B9 - Registered 2019-01-29

The clue says 'some time ago', so let's start with the oldest one. We can do this search from the front screen in Wigle. First, start typing 'Iriarai'  in the place search at the top left of the map. You will be offered a number of schools; all you need to know here is that ichi is the Japanese for one (i.e. first). The map will show a very zoomed out view, but you can click on 'Zoom to' to bring you closer to the school. You can now type the manufacturer MAC prefix in the BSSID field and click Filter. This very quickly leaves you with two candidates (nicely circled by Wigle):

Screenshot showing map search on Wigle.net
Zooming in shows the full MAC address of these two routers, and hashing the second half of one of them (I have to leave a little for you to do) gives us the key to unlock Step 6!

Want to read the whole series? Start with Part 1 here. Otherwise, go on to Part 4!


Pagoda image courtesy Pixabay at Pexels

Labels: