
Sakura Room Walkthrough

OSINT Investigation Challenge

Published: September 18, 2025
Difficulty: Easy

Sakura Room on TryHackMe is an OSINT (Open Source Intelligence) challenge that teaches you how to track attackers through their digital footprints. Using various online investigation techniques, you'll piece together clues to identify and locate a cybercriminal.

Task 1: Introduction

Getting Started

Objective: Begin the investigation by acknowledging the briefing.

This task serves as an introduction to the Sakura room. You're presented with the scenario where an attacker has left behind digital evidence that needs to be investigated using OSINT techniques.

Simply type the required phrase to proceed:

Let's Go!

Key Learnings:

OSINT investigations require patience, attention to detail, and the ability to connect seemingly unrelated pieces of information across multiple platforms and data sources.

Task 2: Tip-Off

Image Analysis and Metadata Extraction

Objective: Find the username of the attacker using the image they left behind.

Navigate to the provided link containing the suspicious image. This task demonstrates how attackers often leave unintentional clues in file metadata.

Investigation Steps:

  1. Right-click on the image in your browser
  2. Select "Inspect" or "Inspect Element" from the context menu
  3. Look through the HTML markup in the Elements/Inspector tab
  4. Search for any metadata or embedded information

In the markup, you'll find a key piece of evidence under the inkscape:export-filename attribute. The home directory in the export path is the attacker's username:

/home/SakuraSnowAngelAiko/Desktop/pwnedletter.png

🚩: SakuraSnowAngelAiko

Key Learnings:

File metadata often contains valuable information about the creator, including usernames, file paths, and creation timestamps. Always inspect images thoroughly during investigations.
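The same check can be scripted. The added example below (not part of the original walkthrough) lists editor-private attributes in an SVG that contain a home-directory path and shows how to strip them before a file is published; the sample document is constructed, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces that Inkscape adds for its own editor state.
EDITOR_NS = {
    "http://www.inkscape.org/namespaces/inkscape": "inkscape",
    "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd": "sodipodi",
}
# Home-directory component of a Linux, macOS or Windows path.
USER_IN_PATH = re.compile(r"(?:^|[/\\])(?:home|Users)[/\\]([^/\\]+)[/\\]")

# Constructed sample: the first export path is the one quoted in the
# walkthrough; the rest of the document is made up for this example.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
  xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
  width="100" height="100" sodipodi:docname="letter.svg"
  inkscape:export-filename="/home/SakuraSnowAngelAiko/Desktop/pwnedletter.png">
  <g inkscape:label="Layer 1">
    <rect width="10" height="10" inkscape:export-filename="C:\Users\example\out.png"/>
  </g>
</svg>"""

def _editor_attrs(elem):
    """Return [(qualified name, 'prefix:local')] for editor-private attributes."""
    out = []
    for name in elem.attrib:
        ns, _, local = name[1:].partition("}")
        if name.startswith("{") and ns in EDITOR_NS:
            out.append((name, f"{EDITOR_NS[ns]}:{local}"))
    return out

def leaked_usernames(svg_text):
    """List (attribute, value, username) for editor attributes holding a home path."""
    # For files from untrusted sources, parse with a hardened XML parser instead.
    hits = []
    for elem in ET.fromstring(svg_text).iter():
        for qname, label in _editor_attrs(elem):
            m = USER_IN_PATH.search(elem.attrib[qname])
            if m:
                hits.append((label, elem.attrib[qname], m.group(1)))
    return hits

def scrub(svg_text):
    """Return the SVG with all editor-private attributes removed."""
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        for qname, _ in _editor_attrs(elem):
            del elem.attrib[qname]
    return ET.tostring(root, encoding="unicode")
```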

Task 3: Reconnaissance

Social Media Investigation

Objective: Gather personal information about the attacker through online presence.

Now that you have the username, it's time to conduct reconnaissance across social media platforms and online services.

Step 1: Google Search

Search for "SakuraSnowAngelAiko" in Google. This will reveal the attacker's presence on multiple platforms:

  • GitHub profile
  • X (Twitter) account

Step 2: GitHub Investigation

Visit the attacker's GitHub profile and look for repositories. You'll find a repo called "PGP" containing a public key file.

Download the public key and upload it to keys.openpgp.org to extract associated email information.

🚩 Email: sakurasnowangel83@protonmail.com

Step 3: X (Twitter) Profile Analysis

Navigate to the attacker's X profile and examine their posts. Look for personal information in their introduction or bio posts.

🚩 Real Name: Aiko Abe

Key Learnings:

Attackers often reuse usernames across platforms. PGP keys contain valuable identifying information, and social media profiles frequently reveal personal details through casual posts.
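The e-mail address in Step 2 comes from the key's User ID packet, which is stored as plain text inside the key block. The added example below (not part of the original walkthrough) reads it offline with a minimal RFC 4880 packet parser; the sample key block and both identities in it are constructed placeholders.

```python
import base64

USER_ID_TAG = 13

def dearmor(armored):
    """Binary packet stream inside an ASCII-armored block (CRC line ignored)."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:]            # armor headers end at the blank line
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-"))))

def packets(data):
    """Yield (tag, body) per RFC 4880 section 4.2; partial/indeterminate lengths rejected."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                          # new format: tag in the low 6 bits
            tag, o1, i = first & 0x3F, data[i], i + 1
            if o1 < 192:
                n, length = 0, o1
            elif o1 < 224:
                n, length = 1, ((o1 - 192) << 8) + data[i] + 192
            elif o1 == 255:
                n, length = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old format: tag in bits 5-2
            tag, n = (first >> 2) & 0x0F, 1 << (first & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + n], "big")
        i += n
        yield tag, data[i:i + length]
        i += length

def user_ids(armored):
    """User ID strings (usually 'Name <email>') carried in the key block."""
    return [b.decode("utf-8", "replace") for t, b in packets(dearmor(armored)) if t == USER_ID_TAG]

def constructed_sample():
    """Constructed block: placeholder key bytes plus two made-up User ID packets."""
    uid1, uid2 = b"Example User <user@example.com>", b"Example Alias <alias@example.org>"
    stream = (b"\x98\x03\x04\x00\x00"                 # tag 6 with 3 dummy bytes, not a real key
              + b"\xb4" + bytes([len(uid1)]) + uid1     # old-format User ID packet
              + b"\xcd" + bytes([len(uid2)]) + uid2)    # new-format User ID packet
    b64 = base64.b64encode(stream).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----"
```

On a real key file, `gpg --show-keys` prints the same User IDs without importing the key.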

Task 4: Unveil

Cryptocurrency and Blockchain Investigation

Objective: Uncover the attacker's cryptocurrency activities and wallet information.

Step 1: Repository Analysis

Return to the attacker's GitHub profile and examine all repositories. Look for one named "ETH" and investigate its commit history.

Find commit d507757, where you'll discover references to "ethwallet", indicating Ethereum cryptocurrency usage.

🚩 Cryptocurrency Type: Ethereum

Step 2: Wallet Address Discovery

Examine the first commit, which was an unsanitized submission revealing the full blockchain address.

🚩 Wallet Address: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

Step 3: Blockchain Analysis

Visit Etherscan and search for the wallet address. Navigate to "View all transactions" and search for transactions on January 23, 2021 (2021-01-23).

🚩 Mining Pool: Ethermine

Step 4: Token Transfer Analysis

Examine the token transfers to identify other cryptocurrencies used by the attacker.

🚩 Additional Cryptocurrency: Tether

Key Learnings:

Cryptocurrency transactions are publicly visible on blockchain explorers. Git commits can accidentally expose sensitive information, and mining pools can reveal patterns of cryptocurrency activity.
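Step 2 works because deleting a value in a later commit does not remove it from history. The added example below (not from the original walkthrough or the room's repository) scans patch output for Ethereum-style addresses that were removed from the tree but remain recoverable; the log, commit IDs, file name and address are constructed, trimmed in the style of `git log -p --reverse`.

```python
import re

ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed sample history: the first commit adds an address, the second hides it.
SAMPLE_LOG = """\
commit 1111111
    initial commit

diff --git a/miner.conf b/miner.conf
--- /dev/null
+++ b/miner.conf
@@ -0,0 +1,2 @@
+pool = pool.example.net:4444
+wallet = 0x0123456789abcdef0123456789abcdef01234567
commit 2222222
    hide wallet

diff --git a/miner.conf b/miner.conf
--- a/miner.conf
+++ b/miner.conf
@@ -1,2 +1,2 @@
 pool = pool.example.net:4444
-wallet = 0x0123456789abcdef0123456789abcdef01234567
+wallet = ${ETH_WALLET}
"""

def address_history(log_text):
    """Map each address to the commits whose patches added or removed it."""
    history, commit = {}, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("+++", "---")):
            continue                               # file headers, not content
        elif line.startswith(("+", "-")):
            key = "added" if line[0] == "+" else "removed"
            for addr in ETH_ADDR.findall(line):
                entry = history.setdefault(addr.lower(), {"added": [], "removed": []})
                entry[key].append(commit)
    return history

def scrubbed_but_recoverable(log_text):
    """Addresses deleted in a later commit, mapped to the commit that first exposed them."""
    return {a: h["added"][0] for a, h in address_history(log_text).items() if h["removed"]}
```

Anything this reports has to be treated as disclosed: removing it from the working tree is not enough, and only a history rewrite takes it out of the repository.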

Task 5: Taunt

Dark Web Investigation and WiFi Analysis

Objective: Track down WiFi access point information through dark web sources.

Step 1: Current Username Update

Check the attacker's current X (Twitter) username, as they may have changed it.

🚩 Current Username: SakuraLoverAiko

Step 2: Dark Web Investigation

Note: This task is currently reported as broken on TryHackMe, but here's the intended solution methodology:

The attacker posts about forgetting their access points with hints about the "Dark Web," "DEEP search," and "PASTEd." This points to Deep Paste, a dark web service.

Investigation Process:

  1. Use Tor browser to access the dark web
  2. Find the Deep Paste onion link
  3. Search for MD5 hash: 0a5c6e136a98a60b8a21643ce8c15a74
  4. Locate the access point notes revealing Home WiFi: DK1F-G

Step 3: WiFi Network Analysis

Use WiGLE (WiFi database) to investigate:

  1. Create an account on WiGLE.net
  2. Navigate to Advanced Search
  3. Enter "DK1F-G" in SSID Exact Match
  4. Retrieve the MAC address from results

🚩 MAC Address: 84:af:ec:34:fc:f8

Key Learnings:

Dark web services can expose sensitive information. WiFi networks have unique identifiers that can be tracked through databases like WiGLE, making them valuable for location intelligence.

Task 6: Homebound

Geolocation and Travel Analysis

Objective: Track the attacker's travel route using social media posts and geographical analysis.

Step 1: Washington DC Location

Analyze the attacker's social media post about cherry blossoms. The Washington Monument visible in the background indicates a Washington, DC location.

Research the closest airport to determine their departure point.

🚩 Airport Code: DCA (Ronald Reagan Washington National Airport)

Step 2: Japan Layover Investigation

The attacker posts about relaxing in a "final layover" at a JAL Sakura lounge. Search for "JAL Sakura lounge" and examine review images.

Cross-reference with aviation reviews to identify Tokyo Haneda Airport.

🚩 Layover Airport: HND (Tokyo Haneda)

Step 3: Final Destination Analysis

Examine the attacker's photo of their final destination in Japan. Use Google Maps and image comparison to identify the geographical features.

The distinctive landscape matches the area around Lake Inawashiro.

🚩 Location: Lake Inawashiro

Step 4: Final WiFi Network

Review the Deep Paste information again and identify the "City Free Wifi" network assigned to the area.

🚩 Final Location: Hirosaki

Key Learnings:

Social media posts contain rich geolocation data through landmarks, airport lounges, and distinctive geographical features. Travel patterns can be reconstructed through careful analysis of posting timestamps and locations.

Investigation Complete

OSINT Methodology Summary

What You've Learned:

This investigation demonstrated several key OSINT techniques:

  • Metadata Analysis: Extracting usernames from file metadata
  • Cross-Platform Investigation: Connecting accounts across GitHub, X, and other services
  • Cryptocurrency Tracking: Using blockchain explorers for financial intelligence
  • Dark Web Research: Investigating hidden services for leaked information
  • Geolocation Intelligence: Using landmarks and travel patterns for location tracking
  • Network Analysis: Tracking WiFi networks and MAC addresses

Professional Applications:

These techniques are valuable for:

  • Incident response and threat hunting
  • Digital forensics investigations
  • Cybersecurity threat intelligence
  • Law enforcement digital investigations

Next Steps:

Continue developing your OSINT skills with:

  • More TryHackMe OSINT rooms
  • Real-world practice on public information
  • Learning specialized OSINT tools like Maltego, Shodan, or theHarvester
  • Understanding legal and ethical boundaries of information gathering