OHsint (TryHackMe) — OSINT Lab

how i solved ohsint (tryhackme) — a small osint lab about turning one photo into real-world context using only public breadcrumbs; process first, pii redacted.

2025-08-16 · 3 min read

disclaimer — this post uses only publicly available information from a training room. sensitive details are masked to avoid sharing personally identifiable information. methods shown are for educational purposes.

briefing

  • room: OHsint (TryHackMe)
  • goal: use public info to answer 7 questions about a subject.
  • artifact provided: WindowsXP.jpg

plan of attack

  1. metadata → exiftool WindowsXP.jpg to enumerate EXIF/IPTC/XMP fields.
  2. handle pivot → search the discovered handle across X (twitter), wordpress, github.
  3. network breadcrumbs → parse posts for BSSID; look up on WiGLE to infer city + SSID.
  4. identity → pull email from public repos or profile pages.
  5. content mining → review blog/posts for travel or other personal hints.
  6. source review → inspect page source for accidental secrets (inline JS, commented creds).

tools used

  • exiftool for metadata
  • web search (exact-handle queries)
  • WiGLE (BSSID → geolocation / SSID)
  • browser dev tools (“view source”)

step-by-step (sanitized)

1) extract metadata

exiftool WindowsXP.jpg | tee exif.txt

look for fields like Artist/Creator/Copyright that can disclose a unique handle.

hint: where the handle is

the handle appears in a copyright/creator-like field. use it as your primary pivot.
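
the same check from the publisher's side, as an added example (not part of the original write-up or the room): it parses plain exiftool output and flags tags that carry an identity or a location. the tag list, function names and sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# added example (not from the original post): pre-publication metadata audit.
# reads plain `exiftool <file>` output ("Tag Name   : value") on stdin and
# prints the tags that can identify the author or where the photo was taken.

audit_exif() {
  awk '
    {
      sep = index($0, ": ")            # first ": " ends the padded tag name
      if (sep == 0) next
      tag = substr($0, 1, sep - 1)
      sub(/[ \t]+$/, "", tag)          # drop the column padding
      val = substr($0, sep + 2)        # values may contain colons themselves
      key = tolower(tag)
      if (key ~ /^(artist|creator|author|by-line|owner name|xp author)$/ ||
          key ~ /^(copyright|copyright notice|rights)$/)
        printf "IDENTITY\t%s\t%s\n", tag, val
      else if (key ~ /^gps /)
        printf "LOCATION\t%s\t%s\n", tag, val
    }'
}

# constructed sample output; the handle and coordinates are made up
sample_exif() {
  cat <<'EOF'
ExifTool Version Number         : 12.40
File Name                       : sample.jpg
MIME Type                       : image/jpeg
Copyright                       : example_handle
GPS Latitude                    : 10 deg 0' 0.00" N
GPS Longitude                   : 20 deg 0' 0.00" E
Image Size                      : 1920x1080
EOF
}

# real use: exiftool photo.jpg | audit_exif
# if anything is flagged, `exiftool -all= photo.jpg` strips the metadata
sample_exif | audit_exif
```

an empty result means none of the listed tags are present; it does not cover identifying content in the image itself.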

2) pivot on the handle

  • search the handle on X (twitter), wordpress, github.
  • confirm the same person by cross-referencing avatar, bio, or linked sites.

answer: avatar

the X (twitter) avatar is a cat.

3) mine posts for network clues

on the X profile, note a posted BSSID (AP MAC). query it on WiGLE to resolve city and SSID.

wigle tips

  • use "search" → "basic" → BSSID (MAC)
  • a free account may be required to view results

answers: city + SSID (masked)

city: L****** (greater metro area)
SSID: U********WiFi

4) find a personal email

pivot to the subject’s github or personal site; look for an email in repo metadata, README, or commit history.

answers: email + where found (masked)

email: O*********@g****.com
found on: github

5) confirm travel / holiday

scan posts or blog entries for recent travel mentions.

answer: holiday location (masked)

location: N** Y***

6) inspect page source for leaks

open the personal site → view source and search for likely secret patterns (e.g., password-like strings).

answer: exposed password (masked)

p****YDr0****.!


command snippets

# 1) EXIF/metadata
exiftool WindowsXP.jpg | tee exif.txt

# 2) fast handle pivots (replace <handle>)
# X (twitter) profile
open "https://x.com/<handle>"
# GitHub search (all result types)
open "https://github.com/search?q=<handle>"
# WordPress author archive (if seen)
open "https://wordpress.com/search?q=<handle>"

# 3) WiGLE BSSID lookup (replace with observed BSSID)
open "https://wigle.net"

# 4) source-code scan on a personal site
# mac
open -a "Google Chrome" "view-source:https://<site>"
# linux
xdg-open "view-source:https://<site>"

ethics & ops (the short version)

  • public stuff only — no logins, no scraped dumps, no work data. if it isn’t already on the open internet, i don’t use it.
  • keep people out of the blast radius — blur emails, trim bssids/addresses, crop faces.
  • no naming-and-shaming — don’t name real folks/companies unless they’ve said it’s ok; call them “the subject.”
  • don’t hoard pii — grab what i need to learn, toss the rest.
  • this is training content, not targeting guidance.