CyberDefenders — Intel101 Blue Team Lab Walkthrough
OSINT investigation with WHOIS, Google, The Wayback Machine, & Wikipedia.
Introduction:
Welcome to my weekly walkthrough! Have you ever wondered about using passive Open-Source Intelligence (OSINT) to search the public internet for information? Well we’re about to do just that by tackling the Intel101 Blue Team Lab on CyberDefenders.
This is a threat intelligence challenge requiring us defenders to investigate a series of questions and collect information using passive open-source intelligence (OSINT) to find the answers — it’s like a digital scavenger hunt! We’ll accomplish this task using web-based tools like Google, The Wayback Machine, WhoIS, Wikipedia, and some visual image searching.
Now what is OSINT anyway? According to the SANS Institute:
Open-Source Intelligence (OSINT) is defined as intelligence produced by collecting, evaluating and analyzing publicly available information with the purpose of answering a specific intelligence question.
So, whether you’re here to learn more about OSINT, a new tool, or are just looking for a reference walkthrough for the CyberDefenders Intel101 Blue Team Lab, you’ve stumbled on the right spot. In the spirit of learning, I will not be revealing any answers in this post, but I encourage you to follow along during your own investigation and use this post as a reference if you get stuck. This challenge is a bit tricky: it was created three years before the time of this writing, so some of the data was more challenging to find.
Thanks for reading along, let’s have some fun!
Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/intel101/
Challenge Scenario:
Open-source intelligence (OSINT) exercise to practice mining and analyzing public data to produce meaningful intel when investigating external threats as a security blue team analyst.
Tools
Question 1: Who is the Registrar for jameskainth.com?
For the first question, we have a variety of tools that we can use to perform a domain lookup but to keep it simple, let’s just use the DomainTools Whois website to perform a simple lookup of the domain:
From the results, we’ll find the domain registrar clearly at the top of the profile!
Question 2: You get a phone call from this number: 855–707–7328, they were previously known by another name? (No spaces between words)
Now, let’s pivot and use a search engine to perform a cursory scan for this phone number. For this example, we’ll use Google. Let’s input the phone number and look at the results:
One of the search results is a familiar website, the Better Business Bureau. This is a consumer trust organization that is used to review the rating of businesses in North America.
This website’s reputation gives us a high degree of confidence that the listed business is indeed tied to this phone number. Now that we have the first part, we need to do some further digging into the history of this company. For this task, we’ll use Wikipedia.
The previous name of this company is conveniently listed in the right-hand column for us!
Question 3: What is the Zoom meeting id of the British Prime Ministers Cabinet Meeting?
Let’s do a quick Google search again. We’ll find several COVID-era articles about this event. Let’s click on the link for the article from the well-known security reporter, Graham Cluley. Cluley’s article contains the story and a screenshot of the accidental information disclosure very clearly for us!
Question 4: What Percentage of full-time degree-seeking freshmen from the fall of 2018 re-enrolled to Champlain in the fall of 2019?
Okay, now it’s time to do some deeper investigation!
We are looking for the student retention rate from Fall 2018 to Fall 2019 at this University. We’ll start out by performing some Google searches to see if we can discover this information.
We find that Champlain College presents this information as published through the National Center for Educational Statistics:
Once we navigate to the page though, we find only the most current data. We’ll need to figure out a way to view the historical data for previous years, right?
Since the data shown is two years behind (this blog was written in 2024), maybe we can use the Internet Archive’s Wayback Machine to view this same page as it existed in 2020?
Let’s go ahead and select the only 2020 snapshot and see what we can find:
This data gets us close to the answer, but for the challenge, we need a more precise percentage. So, let’s rewind and go back to Champlain’s Consumer Information and Disclosures page. What if we try that URL in the Wayback Machine instead?
Let’s try that URL and pick a date in 2020. Now, notice that the data was also published by a second website that is no longer present on the current page:
If we try this link and scroll down to Freshmen Returning for Sophomore Year, we get an exact percentage!
Question 5: In 1998 specifically on February 12th, Champlain was planning on adding an exciting new building to its campus. Back then, it was called “The Information Commons”. Can you find a picture of what the inside would look like? Upload the sha256 hash here.
Let’s continue using the Wayback Machine. We’ll search the website domain for Champlain College, champlain.edu, and select the snapshot from February 12th, 1998.
Notice the links at the bottom of the page? There’s one to the Information Commons Project mentioned in the question.
Once we click that, we are taken to a page that showcases a rendering of the inside and outside of the building:
Let’s download the inside view image. We can simply generate a SHA256 file hash to get the answer. I’m using a Linux environment for my analysis, but you can do the same in PowerShell if you are in a Windows environment by using the Get-FileHash cmdlet.
Question 6: One of Champlain College’s Cyber Security Faculty got a bachelor’s degree in arts from this Ohioan university. Who was the other faculty member who studied there? (FirstName LastName — two words)
Let’s get back to Google searching a bit for this information. If we simply search for the Champlain university faculty, we can find the full faculty directory, but this is too overwhelming for us to click into each person.
So, let’s refine our search a bit and narrow it down to some specifics:
We can simply go down the line and check the Education section for each of the staff within the department.
Eventually, we stumble upon this profile which meets the question criteria — Ohioan University and Bachelor of Arts! Now we have a university name that we can use to further refine our Google search. Maybe we can use the URL of that full faculty site that we found earlier to search the directory?
If we click the first link and check the Education section, we can confirm that we have found another faculty member who attended the same University — great find!
Question 7: In 2019 UVM’s Ichthyology Class Had to Name their fish for class. Can you find out what the last person on the public roster named their fish?
We’ll start this challenge the same way we did with the previous one, with Google!
Quickly we discover that this search is particularly tricky since the challenge was made three years ago from the time of this blog. It doesn’t seem like search engines today have indexed anything helpful other than some quick overview information of the Ichthyology class.
Let’s try to narrow the scope a bit by learning a little more about the University and specific school the Ichthyology program is part of:
We’ve discovered that the program is part of the Rubenstein School of Environmental and Natural Resources. That’s a start, now we can check out the University’s course catalog and hopefully locate the course number of the Ichthyology class to help refine our search:
We’ll navigate to: The Rubenstein School of Environment and Natural Resources > Wildlife and Fisheries Biology Program and we’ll find the course information in the catalog. Of course, the catalog represents the offerings at the time of this writing (2024) and NOT 2019.
So, let’s try to get to the same information from back in 2019 and check for any differences. If we check the course catalog site using the Wayback Machine, we’ll find that the course number was different in 2019:
What does this mean? It means we need to refine our search using the 2019 course number, WFB 232, to get closer to the information. Let’s check out the home page for the Rubenstein School of Environment and Natural Resources in the Wayback Machine.
This time, however, instead of viewing a site snapshot, let’s use the URLs button and see if we can locate further information about the WFB 232 program:
Okay, now we’re getting somewhere. Let’s try our luck and see if we can add some additional keywords to the filter and look for “names”…
Bingo! We found the document we are searching for. Since the archive has a snapshot of this file, we can access it and view the information we are looking for!
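The two Wayback Machine pivots used above (viewing a page as it existed in a given year in Question 4, and listing the archived URLs under a site and filtering them by a keyword in Question 7) can be reproduced against the Internet Archive’s public CDX index. This is an added example, not part of the original walkthrough or of CyberDefenders’ material; the host name, paths and response rows are constructed placeholders, and the live query is only built, not sent, so the block runs offline.

```python
"""Wayback Machine pivots via the Internet Archive's CDX index (the data
behind the calendar view and the "URLs" button)."""
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
# Column order the CDX API returns when output=json is requested.
CDX_FIELDS = ["urlkey", "timestamp", "original", "mimetype",
              "statuscode", "digest", "length"]

def cdx_query_url(url, year, prefix=False):
    """Query for captures of `url` during `year`; prefix=True lists every
    archived URL under that path, as the Wayback Machine's URLs view does."""
    params = {"url": url, "from": str(year), "to": str(year),
              "output": "json", "filter": "statuscode:200"}
    if prefix:
        params["matchType"] = "prefix"
    return f"{CDX_ENDPOINT}?{urlencode(params)}"

def parse_cdx(body, keyword=""):
    """Turn a CDX JSON body into dicts, keep captures whose original URL
    contains `keyword` (case-insensitive, like the URLs-view filter box),
    and attach the playback URL for each surviving capture."""
    rows = json.loads(body)
    if not rows:
        return []                      # no captures in that year
    header, *captures = rows
    hits = []
    for row in captures:
        rec = dict(zip(header, row))
        if keyword.lower() in rec["original"].lower():
            rec["archived"] = (f"https://web.archive.org/web/"
                               f"{rec['timestamp']}/{rec['original']}")
            hits.append(rec)
    return hits

# Constructed sample response (placeholder host and paths, not real archive
# data) laid out exactly as the CDX API returns it.
SAMPLE_CDX = json.dumps([
    CDX_FIELDS,
    ["edu,example)/wfb232/syllabus.pdf", "20190315120000",
     "https://example.edu/wfb232/syllabus.pdf", "application/pdf",
     "200", "PLACEHOLDERDIGEST1", "1024"],
    ["edu,example)/wfb232/fish_names.pdf", "20190501083000",
     "https://example.edu/wfb232/fish_names.pdf", "application/pdf",
     "200", "PLACEHOLDERDIGEST2", "2048"],
])
```

Fetching the URL that cdx_query_url builds (for example with urllib) returns a body in the SAMPLE_CDX layout, which parse_cdx then narrows to the captures worth opening.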
Question 8: Can You Figure Out Which State This Picture Has Been Taken From? See attached photo
Okay, last question! First, we’ll open the evidence file and focus on the included image, UNADJUSTEDNONRAW_thumb_4859.jpg.
Let’s try using an image or visual search to see if we can locate a match. Typically, it’s a good idea to try your search on several different services like Bing visual search, Google Lens, and Yandex to maximize the chances of locating a hit since each service approaches this process differently.
Unfortunately for me (and probably for you if you are reading this walkthrough) after trying this process with all three services and scrolling through hundreds upon hundreds of Dragon and Pteranodon images, it seems like there is no clear match…
I suspect what is happening here is that the image results have changed since the challenge was originally made three years ago, and the result isn’t quite as easy to locate as it was then (or no longer exists).
Stick with me though, as I remain undeterred! We need to narrow this search scope down somehow. Our only lead is that the challenge question mentions “State”; I am making the assumption that this means the United States, since the rest of the challenges have referred to American entities.
So, I will do what any normal analyst would do — search for “List of dinosaur parks” on Wikipedia and scroll to the United States section.
That is a lot of parks…
Now for some hindsight: Did I absolutely go through Google’s street view of each one of these parks in the vain hope of finding this Pterodactyl to complete this write-up? Yes, I did.
In my search, I eventually and mercifully stumbled upon this image:
Red building — check. Weird rocks — also check. Potential Pterodactyl sighting — Maybe?
So, I decided to go through every single one of the Google photos for this location using the handy “Dinosaur” tag filter.
Thanks to some user content, we can finally confirm that we found the same Pterodactyl! Since I went through the Wikipedia list, we know what state this park is in already!
Conclusion:
Whew! Excellent job with the investigation! We made it through the Intel101 Blue Team Lab and successfully uncovered the public data we were looking for.
To wrap this up, thank you to CyberDefenders for the challenging (and sometimes frustrating) lab and the opportunity to practice OSINT analysis. The research process using Google and The Wayback Machine was really engaging and kept me thinking creatively while exploring the breadth of exposure that a user might have online and how difficult it is for data to truly be removed.
Thank you so much for reading along, too! I hope that you had as much fun as I did and learned something new, too. Until next week — stay curious!
Tools & References:
CyberDefenders: https://cyberdefenders.org/
SANS: https://www.sans.org/blog/what-is-open-source-intelligence/
DomainTools Whois: https://whois.domaintools.com/
Google: https://www.google.com
Better Business Bureau: https://www.bbb.org/us/ga/dublin/profile/cable-tv/charter-spectrum-0743-45535
Wikipedia (Charter Communications): https://en.wikipedia.org/wiki/Charter_Communications
Graham Cluley: https://grahamcluley.com/uk-cabinet-zoom-meeting/
Champlain College: https://www.champlain.edu/about-champlain/consumer-information-and-disclosures
Internet Archive Wayback Machine: https://web.archive.org/
Bing: https://www.bing.com/
Google Lens: https://lens.google.com/
Yandex: https://yandex.com/images/
Wikipedia (Pteranodon): https://en.wikipedia.org/wiki/Pteranodon
Wikipedia (List of Dinosaur Parks): https://en.wikipedia.org/wiki/List_of_dinosaur_parks