2020 OSINT Quiz Writeup 1/6 - Social Media & Forums
A short writeup of the 2020 OSINT Quiz, as I play it.
It’s been a while since I wrote anything on this blog, which I think would be much to my surprise given that I was ready and raring to complete more projects after my last post. Unfortunately, right after that post I got incredibly burnt out on a couple of projects and ended up not really doing anything more. Luckily, I have now found a new sense of executive function, and have set myself a goal to write a post for this blog at least every month in 2020. I’m hoping to do more, of course, but there’s no point setting the goal too high.
Anyway, given that I’ve taken part in Open Source Intelligence challenges before and really enjoyed them, I thought a great way to start would be to complete an OSINT challenge. Recently, I saw a post for a challenge called the 2020 OSINT Quiz on Twitter, which actively encouraged writeups. This quiz, taken via email, poses a series of OSINT questions from six different categories designed to test your OSINT abilities. As each category contains 3 questions (except for the first), it makes sense to me for these writeups to be spread over six posts. I’m not sure that each post will only contain questions for one category, but given the number of questions, I need to split it up somehow. Also, it’s a public challenge, so if you see this writeup and think it looks like fun, please, use the instructions in the tweet below (make sure to stop reading so you don’t spoil it for yourself) and have a go! The quiz is designed for a wide range of skill levels, so it’s worth trying even if you don’t have prior OSINT experience.
It is time to release the 2020 OSINT Quiz!
This time there won't be anything way too difficult. So if you are just starting out in this field of expertise, or you have colleagues that could use some practice, make sure to send them this info pic.twitter.com/UZexQZK4rO
— (@Sector035) December 30, 2020
SPOILER WARNING - this article will go over everything, so if you're
currently playing the quiz or interested in doing so I would advise that
you don't continue reading. Sorry, but knowing the answers spoils all
The first question asks us to find a specific tweet, and find the name of the account that was quote tweeted. So, if we’re going to find something, it’s good to start with what we know:
- The tweet we are looking for is a quote tweet
- The tweet will come from the account @sector035
- The tweet is about a geolocation challenge, so may contain words relating to those subjects
- The tweet was made on 28/03/2018
We can then use what we know about the tweet to search for it. Luckily, Twitter has a very good advanced search function which we can enter this information into. I’ve put into the advanced search function that the account was sector035, and that the tweet was sent between March 28 2018 and March 28 2018. I also asked it to look for the words “geolocation”, “challenge” or “challenges” in the tweet, as there is a strong chance that will allow us to find it faster, but this is a guess, so if the query is unsuccessful this is probably the reason why. There might be a way to filter for quote tweets, but I can’t see anything obvious so I’ll check later.
As you can see above, this query returned nothing, which means I’ve made a mistake in my query. I don’t know that the tweet would contain words relating to geolocation or challenges, but I included those words, as I thought it would be likely, and might help filter out all the other tweets made that day. However, this does not appear to be the case, which isn’t surprising, so I’ve done the search again, but this time I've removed the requirement for those words.
This is quite surprising, as I expected this query to work. This means that there is a mistake either in the way that I have specified the dates or the username. I would guess that the mistake was in the way I had specified the dates, so I’ve removed the filter for the dates, and it’s now showing me a whole host of tweets from the correct user, all very recently. As far as I know the only other way that would make sense would be to have the until date be the day after, so I’ve changed the until date to the 29th and voila:
A whole bunch of tweets from the 28th, including a quote tweet that meets all of the criteria for the tweet we are looking for. As this is the only tweet that meets our criteria, this must be the one. So now, we have the account name that we’re looking for, Rickey Gevers. I’ve formatted the name per the instructions in the email, put the resulting string into an MD5 hash generator, put it in the email, and I was done! The bot replied, and gave me the next question!
The email containing the next question raises an interesting point, as it suggests that you filter by latest tweets. Personally, I’ve had issues before where tweets don’t show in a search if it’s sorted by Top instead of Latest. It’s also just good practice – if you’re sorting by Latest, you don’t need to deal with Twitter deciding to randomly order the tweets, and if a new tweet does occur that meets your search criteria you’ll know about it.
I did go back and check, and there is an additional filtering method that you can use if you’re looking for a quote tweet specifically. Because Twitter sees quote tweets as tweets with a link to another tweet, if you filter to only show tweets with links, this includes quote tweets, as you can see below.
As you might have noticed, this doesn’t only show quote tweets, as it will also show any tweet containing a link. Still, it’ll drastically reduce the number of tweets you have to search through to find the right tweet.
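The date pitfall from the first search and the link filter described above can be captured in a small query builder. This is an added example, not part of the original writeup or the quiz: the function names are hypothetical, the operators (`from:`, `since:`, `until:`, `filter:links`) are Twitter's standard search operators, and the `f=live` URL parameter for the Latest tab is an assumption based on the web client's behaviour.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode


def parse_quiz_date(text):
    """Parse a dd/mm/yyyy date as written in this writeup (e.g. 28/03/2018)."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def build_query(account, first_day, last_day=None, any_words=(), links_only=False):
    """Build a search query covering first_day..last_day inclusive.

    since: includes its day but until: excludes it, so until: must be the
    day AFTER the last day wanted; since == until matches nothing at all.
    """
    last_day = last_day or first_day
    if last_day < first_day:
        raise ValueError("last_day is before first_day")
    parts = ["from:" + account.lstrip("@")]
    if len(any_words) == 1:
        parts.append(any_words[0])
    elif any_words:
        parts.append("(" + " OR ".join(any_words) + ")")
    parts.append("since:" + first_day.isoformat())
    parts.append("until:" + (last_day + timedelta(days=1)).isoformat())
    if links_only:
        # Quote tweets carry a link to the quoted tweet, so they survive this
        # filter, along with every other tweet that contains a link.
        parts.append("filter:links")
    return " ".join(parts)


def search_url(query, latest=True):
    """Return a search URL; f=live (assumed) selects Latest instead of Top."""
    params = {"q": query}
    if latest:
        params["f"] = "live"
    return "https://twitter.com/search?" + urlencode(params)


if __name__ == "__main__":
    day = parse_quiz_date("28/03/2018")
    print(search_url(build_query("@sector035", day, links_only=True)))
```
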
Onto the first real question, and we now need to find the last text that someone tweeted in 2017. To figure out how we will find this tweet, let’s figure out what we know about it:
- The tweet will be from the account @bayer_julia
- The tweet occurred before the 1st of January 2018
- The tweet uses the hashtag #MondayQuiz
- The tweet is the most recent tweet that meets all of these criteria
So, fairly simple, we do a search for all tweets from bayer_julia, until Jan 1st 2018, with the hashtag #MondayQuiz.
And tah-dah, plenty of options. Great! However, here I was really worried about the exact definition of text. Do I need to copy just the main bit? Does the hashtag count as text? What counts as text? God, is an emoji text? So, in typical cybersecurity fashion, I decided to try all of the possible combinations until I found the right one. Luckily, I tried ‘Merry Christmas’ first, and that worked. This is good to keep in mind for future challenges, but I would have preferred this to be clearer. Anyway, onto the second question!
Question 2 makes an interesting change, switching Twitter for Instagram. I haven’t used Instagram for any OSINT activities before, or used any advanced search functions on Instagram, so this was all going to be entirely new to me. To start off with, I read over Part 1 and Part 2 of OsintCurious’s searching Instagram articles, as mentioned in the email, to try and get acquainted with the search functions. The immediate impression I got was that Instagram is quite a difficult platform to use for OSINT. The built-in search features really don’t seem to be up to snuff, and there are quite a lot of useful features that require the mobile version of the app, or Chrome extensions. I didn’t quite take it all in, but I had an idea of what I needed to do, and had it on hand for reference, so I began looking at the question itself.
Yet again, we need to find a post from the details we’ve been given. So, yet again, let’s list all we know about the post:
- The post is from @twone2
- The post was made on 24/11/2018
- The post contains an image (not a video)
One of the big issues we have at the moment is that we don’t actually have @twone2’s Instagram account, just their Twitter account. The first thing I tried was to find the Instagram user with the handle @twone2, but that leads to an account that doesn’t have any posts, so it can’t be the right person. I remembered seeing something in the two OsintCurious articles about finding an Instagram account from Twitter posts, so I thought given that we have a Twitter account that might be relevant. I almost did this, which would have involved searching Twitter for the start of a URL, but then I noticed that he had a link to his Instagram in his bio. Whoops!
So, now we know what account the photo would have been posted from, we just need to filter down by date to find the correct post! Unfortunately, I tried to figure out how to do this, and didn’t have much luck. There seem to be a fair few third party Android apps that would help, but I’d decided logging in to Instagram was far enough already. I’m pretty sure that there’s no good way of doing this using a filter or search, so I’m just going to sift through his Instagram posts manually. My plan is to go down his timeline, and check if the date on a given post is earlier or later than 24/11/2018. You could almost describe it as a manual binary search.
I’ve done a minute or so of searching and found this photo, the only one from the specified date. I must say, I’m glad that I didn’t need to sort through too many photos! Given that the datestamp is in the site, it might also be possible to use a Google dork to find this image. We’ll need to see what the answer tells us about how we should have done it. From there, I found out how to find the ID (I used a feature that gives you a JSON output for any given page) and I was done!
The follow-up email didn’t give any more information on how I was supposed to find the correct post, which makes me think a manual search may have been the correct way to go about this, but I couldn’t say for certain.
The next question is on Google dorks, basically using advanced queries to perform more specific searches than you would do otherwise. If you’ve been looking at the search bar in the Twitter challenges, you may have been able to see a set of small queries when we’re doing an advanced search. It’s just like that, but you’ve got to type the words yourself instead of putting them in nice boxes (mostly). So we know we’re going to need to use Google and Google dorks. But what do we know about what we’re looking for?
- The post is from September 2019
- It was posted in an aviation forum
- It explained how someone called Christiaan Triebert used shadows as sun dials
I’ve decided to search for “aviation forum Christiaan Triebert” (no quotes) as a starting point.
This somehow worked, and the post in question was actually the first result. Which was easier than I expected. I’d assume I was meant to do some impressive Google-fu, but I’ll hopefully find out once I’m done with the question.
This post, which started the topic, meets all of the requirements, so I tried the username, and success! The challenge was supposed to be slightly more complicated than I found it, as I was supposed to use quotes and date filters, but otherwise I was actually decently close to completing this the intended way. It’s possible that other people searching for this post for the same quiz may have resulted in Google making this a lot more relevant than the quiz author intended.
Overall, these challenges have been pretty fun so far. I haven’t struggled with them too much, but I’ve learned, and people who are entirely new to OSINT do need a learning curve, otherwise they’ll bounce straight off. It feels like they maybe could have done more with the social media angle, which is why it’s a shame that there’s only 4 challenges. It’s possible that social media related challenges pop up in other categories however, and the fact that I want more social media challenges says a lot about how much I enjoyed these few. I’m definitely looking forwards to the next category!
The person who created the OSINT quiz, Sector035, sent me a Twitter DM with some information relevant to the quiz. This was very lovely and a nice surprise, but also contains some great information I think is definitely worth making sure other people are aware of!
Firstly, he sent me a great video on getting Instagram photos from a certain date. This is relevant to the 2nd question, and using this technique would have allowed me to find the correct photo. If there were a larger number of photos to sort through, this might be the only way to find photos from a specific date, so it’s a really useful technique to remember.
They also said that the Google search challenge (Question 3) was intended to require more Google dorking, and it did require this when the quiz first released. At release it required some filters to ensure that it’d appear at least reasonably clearly, but it seems that the number of people visiting this page has made Google see it as more relevant and therefore require less effort to show it. It’s a shame, but it’s kind of inherent to these kinds of challenges and there’s not much that could be done. It was still by all means a very interesting challenge though, and hopefully the impact on these kinds of challenges isn’t as bad because Google dorking challenges are a lot of fun. Thanks to Sector for the pointers, they were absolutely lovely!