TryHackMe | Searchlight – IMINT | Write-Up

The Searchlight – IMINT room hosted by TryHackMe contains OSINT challenges in the imagery intelligence category. More details can be found here: https://tryhackme.com/r/room/searchlightosint


Task 1: Welcome to the Searchlight IMINT room!

Welcome to the Searchlight IMINT room! 

In this room we will be exploring the discipline of IMINT/GEOINT, which is short for Image intelligence and geospatial intelligence. This room is suited for those of you who are just beginning your OSINT journey or those brand new to the field of IMINT/GEOINT.

This room will introduce you to several topics within IMINT, among them: 

  1. Getting into the right mindset and how to be analytical 
  2. Visually extracting key data points from an image or video
  3. Applying different tools to assist you in geolocation and answering context questions

When you have completed this room you should be comfortable applying tools and methodologies to geolocate and answer context questions based on visual intelligence alone. This room will prepare you for harder CTF challenges in this category as well as real-world geolocation work. 

Any thoughts, feedback or issues can be forwarded to me directly on the THM or OSINT Curious Discord. You’ll find me there as zewen.

The flag format is: sl{flag} – this means that every answer needs to be submitted within the brackets, sl{your answer}. No capitalization is needed.

If you are stuck or you want someone to discuss these challenges with, head on over to the OSINT Curious Discord server. You can also find me on Twitter if you have any questions!

The answer to the question below is: ready

Did you understand the flag format?

Answer: sl{ready}


Task 2: Your first challenge!

Your first geolocation challenge!

Let’s introduce you to your first tool – your eyes! 

Before we can apply a tool or a methodology for finding the location of an image, we should use our eyes to scan the image for important information. Extracting key data points from the image will allow you to apply the right tool, craft a good Google search or identify which part of the world the image might have been taken in. 

There are 5 elements of IMINT that you should consider when looking at an image, according to Geoint expert Benjamin Strick:

– Context
– Foreground
– Background
– Map markings
– Trial and error


A geolocation challenge like this lacks one important factor, which is the context or the source of the image. In real-world cases, you usually have a context in which the image was produced or shared, usually called context clues. Most of these challenges will not have context clues but you may find clues in the titles and descriptions, or if you’re stuck you can use the hint function. 


Here are some questions you should ask yourself while looking at the upcoming challenges:

– Are there any obvious data in the image that reveals the location, like a street name or storefront signs?

– Can you determine the country or region of the image by, for instance, which side of the road they drive on, language or architectural characteristics that may reveal a country or continent/region?  

– Do you recognize road sign styles, nature and environmental characteristics, or popular motor vehicle brands or vehicle types? 

– What is the quality of any visible infrastructure like? Is the road paved or do you see gravel roads? 

– Do you see any unique landmarks, buildings, bridges, statues or mountains that can help you geolocate the image?


Download the attached image and answer the question below – good luck! 

Task file

task2_1602089234031.jpg

What is the name of the street where this image was taken?

I just read it from the image.

Answer: sl{carnaby street}


Task 3: Just Google it!

The last challenge wasn’t really a challenge, was it? 

Let me introduce you to your first tool, Google! If you see anything in the image that can be extracted into a keyword, phrase, a company name, telephone number or any other question you may have as a result of scanning the image up and down: GOOGLE IT!

Here is a short introduction to what we call ‘dorking’, the art of using Google search queries to have Google return specific types of data. The next challenges will require you to do some basic Googling in order to answer the questions. You can also practice dorking by joining the Google Dorking room.

When geolocating a picture finding the exact location is key, but we may need to answer other questions about the location or the image as well, usually referred to as context questions.

The next few challenges will ask multiple questions that you need to answer based on the information you extract from the image. 

Task file

task3_1602089306375.jpg

Which city is the tube station located in?

I’m a European and I’ve been to London before, but I’m pretty sure the London tube is famous everywhere.

Answer: sl{london}

Which tube station do these stairs lead to?

It can almost be read from the image itself. Something like xCxxLY CIRCUS STxxxx. I already knew the answer at this point, and it would be easy to google with london tube station circus or something like that, but I did a quick Google Image Reverse search to find a similar, confirming image:

https://upload.wikimedia.org/wikipedia/commons/1/19/Piccadilly_Circus_stn_north_entrance.JPG

Answer: sl{Piccadilly Circus}

Which year did this station open?

I googled the station name and expected to find a Wikipedia article with that information, which was true: https://en.wikipedia.org/wiki/Piccadilly_Circus_tube_station#:~:text=opened%20on%2015%20December%201906

Answer: sl{1906}

How many platforms are there in this station?

That information is included in the article, too: https://en.wikipedia.org/wiki/Piccadilly_Circus_tube_station#:~:text=London%20Underground-,Number%20of%20platforms,-4

Answer: sl{4}


Task 4: Keep at it!

Good job solving the last challenge! You were able to find the location of the image and by doing that, you could answer contextual questions about the location. This challenge will also require you to do some ‘Google dorking’ to answer the questions below. 

Scan the image for data and remember the questions from the introduction – Do you see anything in the image that can be used in a search query or help you narrow down the potential location?

Task file

task4_1603353588780.jpg

Which building is this photo taken in?

On first glance, it looks like some kind of restaurant, maybe in a mall. I did a reverse search but didn’t find an answer immediately, so I also googled for YVR connects, which led me to the Vancouver International Airport.

I didn’t find the exact photo immediately, but the Airport fit the flag format and the images that I did find looked similar enough to the task file.

Answer: sl{Vancouver International Airport}

Which country is this building located in?

Again, a Wikipedia article contains this kind of basic information: https://en.wikipedia.org/wiki/Vancouver_International_Airport

Answer: sl{Canada}

Which city is this building located in?

See above.

Answer: sl{Richmond}


Task 5: Coffee and a light lunch


Now that you’ve started to learn some techniques I figured we could try and do some good while we hone our skills.

A friend of mine contacted me asking if I could help them locate a coffee shop that is supposed to serve the best lunch there is. They told me the coffee shop is somewhere in Scotland, and he sent me these two pictures. Do you think you could locate it and answer the questions below for me?

Task file

task5_1602347907147.jpg

Which city is this coffee shop located in?

I googled the text as I could read it on the image because I imagined that a reverse search might only show me a bunch of coffee shops that looked too similar to confirm the correct one. Googling The Edinburgh Woollen Mil led me to this article: https://www.textilwirtschaft.de/business/news/investoren-konsortium-uebernimmt-edinburgh-woollen-mill-aus-der-insolvenz-verkauft-228927

It doesn’t necessarily look like the same building, but the font and colors made it look like the correct brand. So I went to Google Maps and searched for stores of that brand in Scotland as suggested by the challenge text. I started around Edinburgh and just clicked on each Google Maps entry briefly and hoped for a convincing first image. It didn’t take long until I found one.

From there, I went into Google Street View and looked for coffee shops nearby.

Google Street View

Only after confirming the correct coffee shop could I confidently answer the question about the city, too. This coffee shop is located at 1 Allan St, Blairgowrie PH10 6AB, United Kingdom.

Google Maps: https://www.google.de/maps/place/The+Wee+Coffee+Shop/@56.5921119,-3.3379018,20z/data=!4m6!3m5!1s0x4886146c29d4b7d5:0xf5daf15f6bf75e75!8m2!3d56.5921119!4d-3.3376388!16s%2Fg%2F1hc2pcd67?entry=ttu

Some of the questions could be answered from the Google Maps entry, but they are more easily available on their Facebook page, which is linked in the Google Maps entry: https://www.facebook.com/weecoffeeshop

Answer: sl{Blairgowrie}

Which street is this coffee shop located in?

Answer: sl{Allan Street}

What is their phone number?

Answer: sl{+44 7878 839128}

What is their email address?

Answer: sl{theweecoffeeshop@aol.com}

What is the surname of the owners?

For this, I had to google some more. I googled The Wee Coffee Shop owners and found some websites.

I just compared the address and phone number on that first entry for confirmation.

Answer: sl{Cochrane}


Task 6: Reverse your thinking

One of the methods for geolocating an image is to do an image reverse search. This means that we are searching for the image itself online, and if the image has been indexed by search engines we may find the exact image or we can do a visual search or crop search to help us find similar images. 

Aric Toler from Bellingcat has written a fantastic guide on reversing images, please read it here. OSINT Curious also has a write-up on the topic that you should look through before attempting this challenge.

I recommend adding this extension to ease the workflow for when you find images online that you want to do an image reverse on:

Addon description: “Perform a search by image. Choose between the image search engines Google, Bing, Yandex, TinEye and Baidu.”

Chrome: RevEye Reverse Image Search

Firefox: RevEye Reverse Image Search

Remember that changing the crop and the keywords for searching an image may yield completely different results. 

Task file

task6_1602348602115.jpg

I didn’t mention this problem until now: Reverse searching these images obviously also leads to other write-ups of this room, which is unfortunate but can’t be helped. For other searches I could simply include -tryhackme -writeup, but that’s not possible with image searches.

Luckily, for this challenge where reverse searching is supposed to solve the challenge, this was not an issue, as you can see with the below search result.

Which restaurant was this picture taken at?

The above search led me to this Tripadvisor entry: https://www.tripadvisor.ch/LocationPhotoDirectLink-g60763-d425787-i90689515-Katz_s_Deli-New_York_City_New_York.html for a restaurant called Katz’s Deli.

Answer: sl{katz's deli}

What is the name of the Bon Appétit editor that worked 24 hours at this restaurant?

I googled Katz's Deli Bon Appétit editor that worked 24 hours and found it straight away.

Answer: sl{Andrew Knowlton}


Task 7: Locate this sculpture

This challenge will require you to apply some of the techniques I have touched on so far: Scanning the image for visual clues, reverse image searching and Google dorking. Tools should not be your primary focus – don’t underestimate how far you can get with dorking and scrolling search results.

Task file

https://cloud.michweb.de/s/SoqLA34sRN2MgtE

task7_1602636111226.png

I don’t know why they decided to upload an image that has a size of 6 MB, but since I can’t embed such a big image, I uploaded it to my cloud instead.

What is the name of this statue?

Reverse searching it with Google Lens did the trick once again.

I confirmed the correct name of it by also googling Rudolph the chrome nosed reindeer which led to some more official postings of the sculpture like this one: https://www.artatsite.com/Europa/details/Apparatjik-Rudolph-the-Chrome-Nosed-Reindeer-Tjuvholmen-allee-Oslo-ArtAtSite.html

Answer: sl{Rudolph the chrome nosed reindeer}

Who took this image?

This one was a bit tough because finding the exact image was not easy, especially with other write-ups including it as well and many very similar photographs floating around. I also tried Yandex but didn’t find the exact image easily.

Searching for it using TinEye gave me these results: https://tineye.com/search/a1bb204d6acf16ae9e30236bcb89d47c51d8908e?sort=score&order=desc&page=1 (only write-ups of the challenge)

After some minutes I went back to searching for the name itself like I did when confirming the correct name of the sculpture. The first entry when googling Rudolph the chrome nosed reindeer is https://www.visitoslo.com/en/articles/outdoor-sculptures-in-oslo/, however, I didn’t find the sculpture there immediately and assumed it was just some Google cache issue. When I read the hint for this challenge – “If you know the location of the statue you may want to visitoslo” – I went back to the website and took a few more seconds to investigate it and quickly realized there was a map on the website to click through various sculptures in Oslo.

Exactly the image used on that website is the one of the challenge.

Answer: sl{Kjersti Stensrud}


Task 8: …and justice for all

This challenge is a step up in difficulty from the previous challenges and you shouldn’t expect to solve this quickly, especially if you are new to IMINT. While you can certainly apply the techniques and tools you’ve used so far, this challenge may force you to revise your thinking and your approach while you’re working on solving this challenge.

I highly recommend watching this Ted talk by Amy Herman on visual intelligence – “A lesson on looking” if you want a unique view on how you perceive visual data.

Task file

task8_1603365958159.png

What is the name of the character that the statue depicts?

A female person with a blindfold and scales wearing a toga? Pretty sure it’s Lady Justice, even though I usually see her with a sword and a set of scales in one hand (I mean, having scales in two hands like this variation of the statue kind of defeats the purpose of a scale, unless you want to say that Lady Justice’s own interpretation influences the weights or that she really takes both sides into consideration or something like that). For confirmation, I did a Google reverse image search once again.

Most of these didn’t name the statue but just used it for the symbolism.

Answer: sl{Lady Justice}

where is this statue located?

After clicking through some of the above suggestions, I found this one: https://www.gettyimages.de/detail/foto/blind-justice-statue-outside-albert-v-bryan-u-s-lizenzfreies-bild/528113264

There you can read “YAN UNITED STATES CO”. I guessed the “CO” would stand for “COURT” and judging by the URL (blind-justice-statue-outside-albert-v-bryan-u-s), I googled albert v bryan united states court and found what I was looking for.

The question isn’t very precise as it doesn’t ask for a city or coordinates or the name of the building but simply for where it is located. The flag format is as follows, though: **{**********, ********}

According to the Wikipedia article of the Albert V. Bryan United States Courthouse it is located at 401 Courthouse Square, Alexandria, Virginia 22314, U.S., so I assumed the flag would be the city and state.

Answer: sl{Alexandria, Virginia}

What is the name of the building opposite from this statue?

First I searched for the courthouse on Google Maps, then I went into Street View to see what side of the building the statue was, and then I checked on Google Maps what building was next to there.

Answer: sl{The Westin Alexandria Old Town}


Task 9: The view from my hotel room

Geolocating videos isn’t much different from geolocating images. A video is just a string of images, usually played at 24 frames (or images) per second. In other words, a video will hold a whole lot more images that can be analyzed, reversed and scrutinized by you.

Here’s a good writeup by Nixintel on a tool called FFmpeg, which will help you extract the key images from the video that you may need to solve this challenge. Download the attached video and follow Nixintel’s guide!

You may have to apply other tools to solve this challenge as well! 
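As an added example (not taken from the room, from Nixintel's guide or from this write-up), these shell helpers wrap three common FFmpeg invocations for turning a clip such as the task file into stills you can reverse search. The function names, output paths and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pull still images out of a video for geolocation work.
# DRY_RUN=1 prints the ffmpeg command instead of executing it (hypothetical switch).

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Keyframes only: the decoder skips everything that is not a keyframe,
# so a short clip yields a handful of stills instead of 24 per second.
# Newer FFmpeg builds spell "-vsync vfr" as "-fps_mode vfr".
extract_keyframes() {
    video=$1; outdir=$2
    [ -n "${DRY_RUN:-}" ] || mkdir -p "$outdir"
    run ffmpeg -hide_banner -skip_frame nokey -i "$video" \
        -vsync vfr -q:v 2 "$outdir/key-%03d.jpg"
}

# One still every N seconds, for clips whose keyframes miss a pan or zoom.
extract_every() {
    video=$1; seconds=$2; outdir=$3
    [ -n "${DRY_RUN:-}" ] || mkdir -p "$outdir"
    run ffmpeg -hide_banner -i "$video" -vf "fps=1/$seconds" \
        -q:v 2 "$outdir/step-%03d.jpg"
}

# A single high-quality still at a known timestamp (seconds or HH:MM:SS),
# e.g. the moment a named building or sign is in view.
extract_frame_at() {
    video=$1; ts=$2; out=$3
    run ffmpeg -hide_banner -ss "$ts" -i "$video" -frames:v 1 -q:v 2 "$out"
}

# Usage: ./frames.sh task9_1602643917499.mp4 [outdir]
if [ "$#" -ge 1 ]; then
    extract_keyframes "$1" "${2:-frames}"
fi
```

Run the keyframe pass first, then use `extract_frame_at` on the timestamps where a sign or landmark is sharpest before cropping and reverse searching.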

Task file

https://cloud.michweb.de/s/jYD7qrHLWZKTy9C

task9_1602643917499.mp4

Since the video is too big to be uploaded in WordPress directly, I uploaded it to my cloud.

What is the name of the hotel that my friend stayed in a few years ago?

The video is 47 seconds long and includes many potentially unique features to search for.

One of those features was the Riverside Point building at around 16 seconds.

I googled "riverside point" and confirmed what I found by comparing images.

It’s a shopping center in Singapore at 30 Merchant Rd, Singapore 058282.

To find the hotel of the challenge, I took this frame of the video as reference:

Based on the angle, the hotel would be across the river on the left when looking from the Riverside Point. And it would have some yellow and orange brick walls.

Apparently, the “Clarke Quay” is a famous street with many hotels. Interestingly, Google Maps doesn’t show the name of the hotel. That’s a big hint: The hotel doesn’t exist anymore. So I went into Street View again and looked through different timestamps.

When it was still there in 2019, it was called “Novotel”.

Some information about the demolition: https://www.reddit.com/r/singpore/comments/l0gjui/novotel_clarke_quay_under_demolition_from_the_top/ and https://en.wikipedia.org/wiki/Liang_Court

The challenge was created on 18th of December 2020. The demolition started around January 2021. I wonder if the challenge author had this in mind.

Answer: sl{Novotel Singapore Clarke Quay}


That concludes this CTF. A fairly easy one. I was surprised that no use of Exif data was necessary and that no satellite images were to be investigated, but I did like having to go back in time in Street View. What I did not like was the flag format. Please don’t include curly brackets just for adding them. It’s annoying having to add them for every answer and the challenge even saw it necessary to include a question in the beginning just to confirm we understood how to format the flags. Also, when I’m at it: “where is this statue located?” is not a very precise question. Some of my suggestions: https://blog.michweb.de/2023/03/01/thoughts-on-flag-formats-in-ctf-challenges/