For context if you’re coming to this late: I dabble in the Dark Arts of Open-Source Intelligence (OSINT). Kase Scenarios is a phenomenal company bringing affordable and realistic experiential training to the masses through scenario-based learning. Their most recent scenario, “Orkla – Bounty Hunt,” puts the “player” in the shoes of an OSINT analyst exploring various real-world people and corporate entities online.
Okay. After all of the drama from my last iteration, I was able to sit down and finish the remainder of the scenario. This time was way less dramatic, and I didn’t hit any additional snags. I think this took me under two hours to finish. So, without further ado, let’s finish this up and bid each other adieu.
Guess what? The other company isn’t really called Otherhost. But it is…something-host.
This only took a quick search on OpenCorporates, which linked to a Norwegian business registration site. Searching the business name on that site brings us straight to the CEO, whose name is distinctly and obviously Nordic.
This was a quick and easy Google dork query — “Obviously Nordic Name” AND “gmail.” The email address was in the top five search results.
Why yes, I can, in fact. There’s a really handy tool that handles this nicely. It’s like a whois lookup, but in reverse. A reverse whois, if you will. But I’m not telling you what it’s called.
Your gut is correct, Orkla; there’s definitely something bigger afoot. I didn’t see anything about this on OpenCorporates or the other site it linked to, but a quick search on https://www.proff.no/ made it happen.
Ok, this is nuanced. I see where we’re going, but this company technically has 38 owners. However, five of them are variations on the same name, and collectively “they” own 66.07% of the company. So for practical purposes, sure, we can say he’s the owner. That said, getting to the answer Orkla is looking for was a quick and easy search on OpenCorporates. Hint: there are a few different companies by this name. Not all of them are active. The person you’re looking for is listed under “agent name.”
Don’t go down the rabbit hole looking at their Articles of Incorporation and Annual Reports. Just don’t. It’s not worth it. Ask me how I know.
Google Dorking again. There’s probably a better way to go about it, but this worked; I searched “Person’s Name” AND “case,” and it was the first result in Google. There are at least two separate court cases that fit the description, so if the case number you get isn’t right, try to find the other one. I found it on Domain Name Wire.
I mean, I can, but…Orkla seems lazy.
I already had the document open. Ctrl-f, “punitive.” Easy peasy.
That sounds nice. I want to be hosted in Luxembourg.
Domain Tools to the rescue! I…honestly don’t even know what else to say about this.
If you find that company’s website, it links to another company. I poked around a bit on the second company’s site, and found the name I was looking for.
I Googled “company name” AND “Person name.” It took a couple of pivots, but I quickly found a New Yorker article about the gentleman in question. This took some ‘reading between the lines.’ The legal argument in question isn’t a “law,” per se, but the word “Law” is in its name. I know. It sounds weird. You’ll think so when you find it, too, but it makes sense in context.
Orkla: A fine collection of shady characters revolve around Cyberfile… We’ve looked a lot at domains and related services. What about the IP that is tied to cyberfile.me, who owns that?
Back to Domain Tools again! I still don’t know what else to say.
Back to OpenCorporates, which gives a link to the website for the British “Companies House.” Clicking on “People” takes us to — wait for it — the person we’re looking for.
Ok, but seriously; why aren’t you sharing the bounty with me?!
And that, my friends, is all she wrote. Or he. I don’t know — Orkla could be anyone, I guess.
Orkla told me how amazing I am, and proceeded to expound upon the virtues of OSINT as a discipline, before reminding me that there’s a bounty involved and I’m not getting a cut. But of course, I don’t do this for the money; I do it for…the love of the game? The challenge? The future career prospects? (Are there career prospects? Email me for my resume!)
Lessons Learned: What did I learn today? What did I do well, and what can I do better?
1) Don’t go down rabbit holes. When Orkla asked who “the owner” of a particular company is, the flag (the person I was looking for) was the registered agent on the OpenCorporates main page for that company. I didn’t need to go down the rabbit hole looking at all the articles of incorporation, annual reports, etc. That’s usually not necessary for a Capture the Flag-type scenario like this. Would I dive that deep on a real world investigation? It depends on the client and the level of detail they’re looking for. (As you may have noticed, this is something I often struggle with.)
2) Pivot faster. There were a couple of times that I found myself diving too deep into one site or tool, when what I should have done was grab the single key selector from there and plug it into a different tool. Sometimes it’s hard to tell when you need to go deep and when you just need to scrape the surface; again, with a CTF-style scenario like this, you probably don’t need to go deep.
Final Thoughts
This scenario, like Kase’s other offerings, is accessible and inclusive. It may not be easy for a complete beginner, but there are hints if needed, and anyone with just a little bit of Google-Fu should be able to stumble their way across the flags eventually. For the intermediate practitioner, I thought it was a good mix of difficulty; some flags jumped right to me, and others put me on an emotional roller coaster of failure. And that was fine — tenacity is a key trait of a successful OSINT practitioner.
Having made it through the scenario, there’s one obvious question: was it worth it?
At a price point of $49.99, it kept me busy for about 4 evenings, not counting writing time. I honed some existing skills, learned some new ones, and had loads of fun doing it. Your mileage may vary, but to me it was well worth the time and money.
What’s next?
I have a voucher for CompTIA Network+ that expires in January. I need to get hot on studying for that. I write to learn, so I imagine there will be some musings about that. I would apologize for boring you, but…nobody reads this anyway.
Stay hungry. Stay humble.
I did, in fact, read this. Thank you for your help.