Kase Scenarios Orkla: Bounty Hunt Walkthrough

Kase Scenarios just released another awesome OSINT scenario and I had the opportunity to beta test it. Orkla: Bounty Hunt is a cybersecurity OSINT scenario presented as a chat dialog in which you are tasked with investigating suspicious online services.


The first thing Orkla asks about is the IP address of a specific website.

I went to https://research.domaintools.com/ and entered the domain name Orkla asked about.


The next question asks how many subdomains of the domain from the first question were protected by a valid certificate as of June 2024.

I went to https://crt.sh/ and entered the domain name. The “Common Name” column lists the domain and its subdomains, and the “Not After” column lists each certificate’s expiry date; I looked for dates in June 2024.

Most names appear more than once (renewals and precertificate/certificate pairs each get their own row), so count each distinct subdomain only once, and do not count the apex domain itself. Strictly, a certificate is valid on a given date only when Not Before ≤ date ≤ Not After, so check the “Not Before” column as well for any borderline entry.

The “Not After” column is highlighted in yellow in the screenshot.

There are 7 subdomains protected by a valid certificate as of June 2024.
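As an added example (not part of the original walkthrough), the same count done against crt.sh's JSON output instead of by eye. The field names (common_name, name_value, not_before, not_after) are the ones crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json; the records below are constructed for the example, not real crt.sh data, and example.com stands in for the domain Orkla asked about. Unlike the manual method it checks the whole validity window (Not Before ≤ date ≤ Not After) and de-duplicates repeated rows.

```python
import json
from datetime import date, datetime

# Constructed records in the shape of crt.sh's JSON output: one object per
# logged certificate or precertificate. Not real crt.sh data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
    {"id": 2, "common_name": "www.example.com", "name_value": "www.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T23:59:59"},
    # precertificate of the same leaf: crt.sh lists both, so it must not count twice
    {"id": 3, "common_name": "www.example.com", "name_value": "www.example.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T23:59:59"},
    {"id": 4, "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 5, "common_name": "api.example.com",
     "name_value": "api.example.com\n*.example.com",
     "not_before": "2024-06-10T00:00:00", "not_after": "2024-09-08T23:59:59"},
    {"id": 6, "common_name": "dev.example.com", "name_value": "dev.example.com",
     "not_before": "2024-07-01T00:00:00", "not_after": "2024-09-29T23:59:59"},
])


def subdomains_valid_on(records_json, apex, on_iso_date):
    """Return the set of distinct subdomains of `apex` that had at least one
    certificate whose validity window covers the date `on_iso_date` (YYYY-MM-DD).

    The apex itself and wildcard entries are excluded: the question asks for
    subdomains, and a wildcard is not a specific host.
    """
    apex = apex.lower()
    on = date.fromisoformat(on_iso_date)
    found = set()
    for rec in json.loads(records_json):
        not_before = datetime.fromisoformat(rec["not_before"]).date()
        not_after = datetime.fromisoformat(rec["not_after"]).date()
        if not (not_before <= on <= not_after):
            continue  # expired, or not yet valid, on that date
        # the SAN list in name_value is newline separated; merge it with the CN
        names = {rec["common_name"]} | set(rec["name_value"].split("\n"))
        for name in names:
            name = name.strip().lower()
            if name == apex or name.startswith("*."):
                continue
            if name.endswith("." + apex):
                found.add(name)
    return found


def count_subdomains_valid_on(records_json, apex, on_iso_date):
    """Number of distinct subdomains with a certificate valid on the given date."""
    return len(subdomains_valid_on(records_json, apex, on_iso_date))


if __name__ == "__main__":
    names = subdomains_valid_on(SAMPLE_CRTSH_JSON, "example.com", "2024-06-15")
    print(f"{len(names)} subdomains valid on 2024-06-15: {sorted(names)}")
```

To run it against real data, replace SAMPLE_CRTSH_JSON with the body fetched from the crt.sh URL above. Note that a row whose Not After date falls in June 2024 is only valid for part of that month, which is why the function takes a specific day rather than a month.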


Next, Orkla asks what software is used to remotely connect to the server hosting a specified domain.

I went to https://www.shodan.io/dashboard and ran a search using the following format:

ip:127.0.0.1

Replace the IP above with the IP of the domain Orkla asked about (the answer to the first question).

SSH is the service used to remotely connect to servers. The Shodan result for port 22 shows the server’s banner, which names the software.


OpenSSH


Then Orkla wants to know if there are any major, critical CVEs with a CVSS v3 score of 9.8 related to the version of OpenSSH used on that server that may allow remote code execution.

The Shodan search from the previous question shows OpenSSH version 8.9p1 in the SSH banner.

A Google search led me to Repology’s CVE list for OpenSSH; CVEs affecting that specific version are shown in red: https://repology.org/project/openssh/cves?version=8.9.p1

CVE-2023-38408 shows a Base Score of 9.8. Two caveats worth knowing outside the scenario: this CVE is in ssh-agent’s PKCS#11 support and is reached through agent forwarding to a hostile server rather than through the sshd listener itself, and a banner version alone does not prove a host is exploitable, because distributions commonly backport the fix without changing the upstream version string.
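As an added example (not the page's or Shodan's code), the version check done from the SSH banner string Shodan displays instead of by reading a CVE table. It assumes the banner has the standard form SSH-2.0-OpenSSH_<major>.<minor>p<n>, optionally followed by a vendor suffix, and takes the fixed-in version 9.3p2 from the upstream OpenSSH release notes for CVE-2023-38408, which the page does not state. The sample banners are constructed.

```python
import re

# CVE-2023-38408 (ssh-agent PKCS#11) was fixed upstream in OpenSSH 9.3p2;
# this comes from the upstream release notes, not from the walkthrough.
FIXED_IN = (9, 3, 2)

# SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6  ->  8, 9, 1, "Ubuntu-3ubuntu0.6"
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$")


def parse_openssh_banner(banner):
    """Return ((major, minor, portable_patch), vendor_suffix) or None if the
    banner is not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def cve_2023_38408_status(banner):
    """Classify a banner against the CVE-2023-38408 affected range.

    'affected-version'               upstream build below 9.3p2
    'affected-version-vendor-build'  below 9.3p2 but carries a distro suffix,
                                     so the fix may have been backported
    'fixed-upstream'                 9.3p2 or later
    'not-openssh'                    some other SSH implementation
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, suffix = parsed
    if version >= FIXED_IN:
        return "fixed-upstream"
    if suffix:
        return "affected-version-vendor-build"
    return "affected-version"


if __name__ == "__main__":
    # Constructed banners, not captured from any real host.
    for b in ("SSH-2.0-OpenSSH_8.9p1",
              "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
              "SSH-2.0-OpenSSH_9.6",
              "SSH-2.0-dropbear_2020.81"):
        print(f"{b:45} {cve_2023_38408_status(b)}")
```

The vendor-build case is the one that matters in practice: a banner such as OpenSSH_8.9p1 with an Ubuntu suffix identifies the distribution package, and the package changelog, not the upstream version, tells you whether the CVE is patched.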


Next, I’m asked what email should be used to contact the owner of the specified website.

I went to the website and found a link to the Terms & Conditions page at the very bottom of the page. The email address is listed at the end of the Terms & Conditions.


The next task is to find the legal company number for the registrar of the domain of the email address from the previous question.

I used the WHOIS History Lookup from BigDomainData to find the name of the registrar.

Then I went to OpenCorporates and entered the name of the registrar in the Companies search bar. The Company Number is displayed after clicking on the company name in the search results.


After finding the legal company number, the next task is to find the owner of the company.

A Google search for: owner of <name of company>

The owner’s name was highlighted in the search result screenshot.

The next question is: “Someone mentioned that in January 2022 a user published a fairly comprehensive list of registrars’ response rates to complaints. I’d be interested in seeing that post and primarily what the username is of the poster. What’s his username?”

I did a Google search for: list of registrar response to complaints “<name of company from the previous question>”

I also clicked on “Tools” in Google and set the date range to January 1st – January 31st, 2022.

This is the link to the post in question: https://scammer.info/t/shutting-down-scam-websites/88306

The username is shown on the post.

For the next task, the owner of the company was denied accreditation to resell certain domain names and raised a complaint about it. “Can you find the complaint number under which his claim was registered?”

A Google search led to results saying ICANN denied the accreditation.

Further searching led to ICANN’s complaint report list. Searching that page for the owner’s name or the company name gives the complaint number.


The next task is to find what the IP address of a specific website was on September 7th, 2023.

I entered the domain into this website: https://viewdns.info/iphistory/

The IP is listed in the row that shows 2023-09-07 under “Last seen on this IP”.


After that, Orkla asks about a variation of another domain that was registered in Slovenia. “Apparently a variation of this domain was registered in Slovenia and my client needs to know the contact email used to register that domain. According to them they made some sort of OPSEC mistake that should allow you to retrieve the email.”

I Google searched for domain registrars in Slovenia and found this site: https://www.register.si/en/

The country code top-level domain (ccTLD) for Slovenia is “.si” so I entered the variation of the domain as <domain>.si in the website listed above (https://www.register.si/en/).

After clicking on “Check domain data” and accepting the terms of use, the email address of the Domain holder is displayed.


Next, Orkla wants to know about a different company. “I got the feeling that they might just be a sister company or a new company set up to host certain parts of this ecosystem. Can you see if the owner(s) of <aforementioned company> is involved in another company operating in the same space?”

I did a Google search for: <aforementioned company> sister company and the answer came right up.


Then I need to find the owner of the sister company found in the previous task. “Can you figure out who the primary owner is of that company?”

I searched for the name of the company in OpenCorporates. I didn’t see an owner listed there, so I clicked on the source.

After changing the language to English, I clicked on “Information about business”, then “Search for businesses”. After entering the company name in the search form, I clicked on the result.

Clicking on “Roles” lists the name of the Chairman of the board. This is the owner of the company.


Now I’m tasked with finding the personal gmail account of the company owner from the previous question.

I did a Google search for: <“Name of company owner”> AND gmail

There was one result. The company owner had posted their Gmail address as a comment on a Facebook post.

The next task from Orkla: “Great, good job! I knew you could find that Gmail. The reason I figured we’d look for it is to see if he has any other domain registered to him. Can you find any other domains registered using that Gmail?”

I entered the gmail address into this website: https://www.reversewhois.io/


Orkla: Oh btw, I forgot to ask earlier if you could find out who owns <sister company from prior question>, assuming they have an international parent company. I have a gut feeling they are just a front for something bigger.

A Google search for: <company name> owner returned several results. The two-word name of the company owner is the correct answer.


Orkla: hmm…and who owns <international parent company>?

I went to OpenCorporates and looked up the company name (there is an “INC.” at the end). The owner is listed under Agent Name as well as under Directors / Officers.


Orkla: I remember hearing about this guy losing some sort of legal trial back in 2023…I’d love to read up on that case again, could you dig up the case number?

I’m not going to lie, this one took me a while. There was a case in 2023 that made up most of the search results but that’s not the case Orkla was asking about.

I finally found this: https://trellis.law/doc/158867191/pos040-lee-1

The case number is in the preview.


Orkla: You know what, I don’t really need to read the whole case file do I? I have you, hah! I was curious to see how much money the plaintiff asked for punitive damage. Can you figure that out?

A Google search for: <“case number”> AND “punitive damages”

led to this result: https://domainnamewire.com/wp-content/19-CIV-07263-Declaration-in-Support-ROBERT-M-LEE.pdf

The amount of punitive damages is listed on page 7.


Now I need to look into who owns a nameserver hosted in Luxembourg.

I went to DomainTools and entered the nameserver’s IP address. The owner is listed after “OrgName”.


Orkla: I knew you could do this! I’m a bit confused though – I visited their website and it says they are not offering any services through this brand. Underneath this message there seems to be another brand offering the same services. What is the name of the person who runs this company?


Orkla: According to a friend of mine <owner of the company> is using some sort of weird law to protect himself against the police. Can you figure out what that law is called?

I went to the website (the website of the other brand offering services from a prior task) and clicked on “Terms of Service” at the bottom of the page. The law in question is mentioned a couple of times.


Orkla: We’ve looked a lot at domains and related services. What about the IP that is tied to <domain>, who owns that?

That IP was already found in the very first question, so I went to DomainTools and entered it. The owner is listed after “org-name” (the field name used in RIPE records; ARIN records label the same field “OrgName”, which is why the label differs from the nameserver lookup above).


Orkla: I really appreciate all the help so far. We are closing in on the end, stick with me now. Who owns <company from the previous question>, at least on paper?

I went to OpenCorporates and entered the company name. The name of the owner is listed after “Ultimate Beneficial Owners” and “Directors / Officers”. I left the “Miss” honorific out of the answer.


And that’s it!
