Sakura Room OSINT CTF Writeup

Chad Warner
3 min read, May 31, 2022


Here’s my writeup of the Sakura Room OSINT CTF by OSINT Dojo on TryHackMe, including solutions (spoiler alert!).

If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!

What username does the attacker go by?

I opened the provided SVG with Atom, a text editor, and saw the file path /home/SakuraSnowAngelAiko/Desktop/pwnedletter.png, which reveals the username SakuraSnowAngelAiko.

What is the full email address used by the attacker?

I searched “SakuraSnowAngelAiko” and found https://github.com/sakurasnowangelaiko and https://jp.linkedin.com/in/sakurasnowangelaiko, but didn’t find an email address. I read the official walkthrough and saw that you’re supposed to extract the email address from the PGP key in GitHub. I found this writeup which explains how to use https://cyberchef.org/ with a From Base64 recipe to reveal the email address as SakuraSnowAngel83@protonmail.com.
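As an added example (not part of the original writeup), the Python below shows why a "From Base64" decode exposes the address: an ASCII-armored OpenPGP public key is base64 over a sequence of RFC 4880 packets, and the User ID packet (tag 13) carries "Name <email>" as plain UTF-8. The key it parses is a constructed stand-in with placeholder key material, not the key from the CTF.

```python
import base64
import re

def armor_to_bytes(armored: str) -> bytes:
    """Drop the BEGIN/END lines, armor headers and '=' CRC24 line; base64-decode the rest."""
    lines = armored.strip().splitlines()[1:-1]
    body, in_data = [], False
    for line in lines:
        if not in_data:
            in_data = line.strip() == ""   # blank line ends the armor headers
            continue
        if line.startswith("="):           # CRC24 checksum line
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))

def iter_packets(data: bytes):
    """Yield (tag, body) per RFC 4880 packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if size is None:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length

def user_ids(armored: str) -> list[str]:
    """User ID packets (tag 13) hold 'Name (comment) <email>' as UTF-8."""
    return [b.decode("utf-8") for t, b in iter_packets(armor_to_bytes(armored)) if t == 13]

def emails(armored: str) -> list[str]:
    return [m for uid in user_ids(armored) for m in re.findall(r"<([^>]+)>", uid)]

def build_sample_key() -> str:
    """Constructed stand-in (placeholder key bytes, not the CTF key); old-format headers as GnuPG emits."""
    pubkey = b"\x99" + (32).to_bytes(2, "big") + bytes(32)   # tag 6, 2-octet length
    uid = b"Example User <example.user@example.invalid>"
    uid_pkt = b"\xb4" + bytes([len(uid)]) + uid              # tag 13, 1-octet length
    b64 = base64.b64encode(pubkey + uid_pkt).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + b64 + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    print(emails(build_sample_key()))   # ['example.user@example.invalid']
```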

What is the attacker’s full real name?

The LinkedIn profile I found has the name Aiko Abe.

What cryptocurrency does the attacker own a cryptocurrency wallet for?

In the GitHub profile I found https://github.com/sakurasnowangelaiko/ETH/blob/main/miningscript which mentions “ethwallet.” ETH is the ticker symbol for Ethereum.

What is the attacker’s cryptocurrency wallet address?

GitHub shows that the miningscript formerly contained stratum://0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef.Aiko:pswd@eu1.ethermine.org:4444. The address is 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef.

What mining pool did the attacker receive payments from on January 23, 2021 UTC?

I searched “look up ethereum activity” and found https://www.blockchain.com/explorer, which I used to find the transaction, but didn’t see the mining pool. I went back to the search results and tried https://www.etherchain.org/, which showed the From address as Ethermine.

What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?

I looked at the To addresses in https://www.etherchain.org/account/a102397dbeeBeFD8cD2F73A89122fCdB53abB6ef#txs and saw a few Tether transactions.

What is the attacker’s current Twitter handle?

In the provided screenshot, the Twitter handle is @AikoAbe3. I searched for that on Twitter and found this tweet from @SakuraLoverAiko stating “I’m @AikoAbe3!”

What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

I looked at the other tweets and saw this one about Wi-Fi. I searched the hash (0a5c6e136a98a60b8a21643ce8c15a74) and only saw writeups for this CTF. I saw this tweet which says, “Anyone who wants them will have to do a real DEEP search to find where I PASTEd them.” Based on the capitalization, I searched “deep paste” and found https://deepweblinks.net/pastebin/. I tried to open http://depastedihrn3jtw.onion/ in the Tor browser, but the address is invalid. I found another link on another site, but it didn’t work either. I viewed the hint in the CTF, which gave a screenshot of the DeepPaste page, showing the URL as http://depasteon6cqgrykzrgya52xglohg5ovyuyhte3ll7hzix7h5ldfqsyd.onion/show.php. I opened that and entered the MD5 hash to get to http://depasteon6cqgrykzrgya52xglohg5ovyuyhte3ll7hzix7h5ldfqsyd.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74.

What is the BSSID for the attacker’s Home WiFi?

DeepPaste shows “Home WiFi: DK1F-G Fsdf324T@@”. I went to https://wigle.net and did a Basic Search for SSID “DK1F-G” in Japan (I chose Japan based on other tweets that indicated that location). It showed the BSSID as 84:AF:EC:34:FC:F8.

What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

In this tweet, Aiko said, “Checking out some last minute cherry blossoms before heading home!” In the photo, the Washington Memorial appears in the distance. I used a map to look for airports near the Washington Memorial, and found Ronald Reagan Washington National Airport, which has airport code DCA.

What airport did the attacker have their last layover in?

In this tweet, Aiko said, “Sooo close to home!” with a map showing the Japanese island Sado. I used a map to look for nearby international airports, but there were several. In this tweet, Aiko said, “My final layover” and included a photo of a room with a sign “JAL First Class Lounge Sakura Lounge.” I searched for that and found this list of Sakura Lounges. I couldn’t tell whether Narita or Tokyo was right, so I tried both, and Tokyo was accepted. I looked up the airport codes on Wikipedia.

After finishing this CTF, I looked at the official walkthrough, and it shows finding the location by doing a reverse image search of the lounge photo.

What lake can be seen in the map shared by the attacker as they were on their final flight home?

I was already looking at this area of Japan on a map, and found the lake labeled there as Lake Inawashiro.

What city does the attacker likely consider “home”?

https://wigle.net shows the Wi-Fi in Hirosaki.
