Open in app

Sign in

Write

Sign in

Writeup_TryhackMe_Webosint

Debojyoti
6 min readMay 9, 2021
TryHackMe- WebOSINT

The below is my write-up about the strategy that I followed to retrieve the flags for this room.

Url: https://tryhackme.com/room/webosint

Target url name: RepublicofKoffee.com

Task#2 : Whois Registration

Lets go to : https://lookup.icann.org/ and put in the domain name RepublicofKoffee.com

  • What is the name of the company the domain was registered with?

Answer: NAMECHEAP INC

  • What phone number is listed for the registration company?

Answer : 6613102107

  • What is the first nameserver listed for the site?

Answer: DNS1.REGISTRAR-SERVERS.COM

  • What is listed for the name of the registrant?

Answer: redacted for privacy

  • What country is listed for the registrant?

Using ICANN Lookup, we only get ICELAND as the country, which is not the correct Answer.

Then, I tried another tool https://whois-history.whoisxmlapi.com/api

Using this tool, we get Panama as the registrant city which is the required flag here.

Answer: Panama

Task#3 Ghosts of Websites Past

  • What is the first name of the blog’s author?

Go to url RepublicOfKoffee.com and it opens the following link.

I have the Chrome extension for added for Wayback machine. “Right click” and then select “All Versions”

The following page will load. So select a date in the past.

I selected the year 2015 and the snapshot as below

Click on any Blog on this page and the authors name is mentioned

Answer : Steve

  • What city and country was the author writing from?

The second blog tells about the author’s location which is Gwangju

Doing a google search reveals that the location is in South Korea.

Answer : Gwangju, South Korea

  • [Research] What is the name (in English) of the temple inside the National Park the author frequently visits?

Did a google search of “Temple”+ “Mudeungsan national park”

The first result gave the name of the temple.

Answer: Jeungsimsa temple

Task#4 Digging into DNS

  • What was RepublicOfKoffee.com’s IP address as of October 2016?

Go to https://viewdns.info/

Use the option “ IP History”

Answer: 173.248.188.152

  • Based on the other domains hosted on the same IP address, what kind of hosting service can we safely assume our target uses?

Doing a reverse ip lookup for 173.248.188.152

We can see the following

Multiple, domains are using the same ip address (173.248.188.152) . Hence they are sharing the hosting resource.

Answer: Sharing

  • How many times has the IP address changed in the history of the domain?

Doing a reverse IP history search we can see the following

Answer : 4

Task#5 Taking Off The Training Wheels

  • What is the second nameserver listed for the domain?

Website name is heat.net

Went to https://whois-history.whoisxmlapi.com/ and did a lookup

Answer : NS2.HEAT.NET

  • What IP address was the domain listed on as of December 2011?

For viewing the historic records lets go to https://viewdns.info/ and select IP history

Answer : 72.52.192.240

  • Based on domains that share the same IP, what kind of hosting service is the domain owner using?

Doing a reverse IP search , we can see multiple sites using the same ip.

Answer: shared

  • On what date did was the site first captured by the internet archive? (MM/DD/YY format)

Went to url heat.net and then clicked on the add-on for wayback-machine.

Going all the back in 1997, we can see the date which is 1st Jun 1997

Answer: 06/01/97

  • What is the first sentence of the first body paragraph from the final capture of 2001?

Let’s navigate to 2001. The final capture is on 6th July.

Answer: After years of great online gaming, it’s time to say good-bye.

  • Using your search engine skills, what was the name of the company that was responsible for the original version of the site?

Answer: Segasoft

  • What does the first header on the site on the last capture of 2010 say?

Lets navigate to 30th Dec 2010

Answer: Heat.net — Heating and Cooling

Task#6 Taking A Peek Under The Hood Of A Website

Go to url heat.net/36/need-to-hire-a-commercial-heating-contractor/

  • How many internal links are in the text of the article?

Clicked on webpage > right click> view source code

Answer : 5

  • How many external links are in the text of the article?

Answer :1

  • Website in the article’s only external link ( that isn’t an ad)

Answer: Purchase.org

  • Try to find the Google Analytics code linked to the site

Searching using keyboard “analytics” we can find the below

Answer: UA-251372–24

  • Is the Google Analytics code in use on another website? Yay or nay

Checked the code <UA-251372–24> in Nerdydata.com.

Result comes as 1.

Answer: nay

  • Does the link to this website have any obvious affiliate codes embedded with it? Yay or Nay

Searched using keyword “affiliate” and also href and it comes as negative.

Answer: nay

Task#7 Final Exam: Connect the Dots

  • Use the tools in Task 4 to confirm the link between the two sites. Try hard to figure it out without the hint.

Upon checking the ip history for purchase.org we see that the owner is Liquid Web, L.L.C

Answer : Liquid Web, L.L.C

Osint
Osint Investigation
Tryhackme
Tryhackme Walkthrough
Tryhackme Writeup

--

--

Debojyoti

Written by Debojyoti

22 Followers

Love everything OSINT

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams