OSINT Tracing: The Police

Difficulty

  • intermediate

Average duration

1 hrs

Technologies

  • linux

  • cybersecurity

    • red team

  • osint

  • brute-force

OSINT Tracking – The Police

In this lab, you will take on the role of a digital intelligence analyst tasked with locating an undercover agent who has been kidnapped by a criminal organization. Their last communication was through a trace found on an old monitoring server. Before disappearing, the agent left a hidden clue that could help you discover their exact location. Your mission is to analyze the clues, deduce their whereabouts, and access a vulnerable web panel using enumeration and brute-force techniques.

In this lab you will learn:

  • Logical reasoning and deduction from hidden clues
  • Automated brute-force attacks with Hydra
  • Identifying hidden files and paths on web servers

🌱 How to start this lab

👉 This challenge is solved from your browser, but the final validation is done inside the virtual machine web-threats-lab.

  1. If you don't have it yet, download the virtual machine from this link: https://storage.googleapis.com/cybersecurity-machines/web-threats-lab.ova

  2. Import the virtual machine into VirtualBox or VMware.

  3. Start the VM and log in as user student:4geeks-lab.

  4. Access the investigated website in your browser, for example: http://<vm_ip>/thepolice/

📄 Instructions

We have lost contact with Officer M., an undercover agent investigating a trafficking network in Eastern Europe. It is a coastal country. The last digital trace we managed to recover points to a backup of an old web panel hosted on an isolated surveillance server. According to internal reports, this panel was hastily installed, using weak credentials based on the deployment region and names of nearby cities. The agent left clues before disappearing, trusting that someone would know how to interpret them.

A suspicious file was detected on the website. It is undocumented, but its name starts with a dot. Maybe the agent hid something there...

Your mission:

  1. Explore the website structure from a browser or using console tools. Not everything is in plain sight.
  2. Look for hidden clues that give you context about the country where the agent might be.
  3. Use logical and geographical reasoning: not all clues are obvious, but if you think like an investigator, the correct country becomes clear.
  4. Create a file with real city names that match your previous hypothesis. Some public sources can help you.
  5. Use controlled brute-force techniques to test credential combinations until you find the correct one.
  6. If you succeed, the web system itself will let you know: it will display a confirmation along with the flag.

Tip: Pay attention to the behavior of the form, how it responds to different methods, what messages it returns, and what parameters it uses. There is more information hidden there than it seems.

Discover the country and city where the officer is located. Only then will the flag confirming the success of the mission be revealed.

We’re counting on you! 🕵️‍♀️
