Kase Scenarios just released another awesome OSINT scenario and I had the opportunity to beta test it. Orkla: Bounty Hunt is a cybersecurity OSINT scenario in the format of a chat dialog where you are tasked with investigating suspicious online services.
The first thing Orkla asks about is the IP address of a specific website.
The next question is about the number of subdomains of the domain mentioned in the first question that are protected by a valid certificate as of June 2024.
Next, Orkla asks what software is used to remotely connect to the server hosting a specified domain.
Then Orkla wants to know if there are any major, critical CVEs with a CVSS v3 score of 9.8 related to the version of OpenSSH used on that server that may allow remote code execution.
Next, I’m asked what email should be used to contact the owner of the specified website.
The next task is to find the legal company number for the registrar of the domain of the email address from the previous question.
After finding the legal company number, the next task is to find the owner of the company.
The next question is: “Someone mentioned that in January 2022 a user published a fairly comprehensive list of registrars’ response rates to complaints. I’d be interested in seeing that post and primarily what the username is of the poster. What’s his username?”
The next task concerns the owner of the company, who was denied accreditation to resell certain domain names and raised a complaint about it. “Can you find the complaint number under which his claim was registered?”
The next task is to find what the IP address of a specific website was on September 7th, 2023.
After that, Orkla asks about a variation of another domain that was registered in Slovenia. “Apparently a variation of this domain was registered in Slovenia and my client needs to know the contact email used to register that domain. According to them they made some sort of OPSEC mistake that should allow you to retrieve the email.”
Next, Orkla wants to know about a different company. “I got the feeling that they might just be a sister company or a new company set up to host certain parts of this ecosystem. Can you see if the owner(s) of <aforementioned company> is involved in another company operating in the same space?”
Then I need to find the owner of the sister company found in the previous task. “Can you figure out who the primary owner is of that company?”
Now I’m tasked with finding the personal Gmail account of the company owner from the previous question.
The next task from Orkla: “Great, good job! I knew you could find that Gmail. The reason I figured we’d look for it is to see if he has any other domain registered to him. Can you find any other domains registered using that Gmail?”
Orkla: Oh btw, I forgot to ask earlier if you could find out who owns <sister company from prior question>, assuming they have an international parent company. I have a gut feeling they are just a front for something bigger.
Orkla: hmm…and who owns <international parent company>?
Orkla: I remember hearing about this guy losing some sort of legal trial back in 2023…I’d love to read up on that case again, could you dig up the case number?
Orkla: You know what, I don’t really need to read the whole case file do I? I have you, hah! I was curious to see how much money the plaintiff asked for punitive damage. Can you figure that out?
Now I need to look into who owns a nameserver hosted in Luxembourg.
Orkla: I knew you could do this! I’m a bit confused though – I visited their website and it says they are not offering any services through this brand. Underneath this message there seems to be another brand offering the same services. What is the name of the person who runs this company?
Orkla: According to a friend of mine <owner of the company> is using some sort of weird law to protect himself against the police. Can you figure out what that law is called?
Orkla: We’ve looked a lot at domains and related services. What about the IP that is tied to <domain>, who owns that?
Orkla: I really appreciate all the help so far. We are closing in on the end, stick with me now. Who owns <company from the previous question>, at least on paper?
And that’s it!