**OSINT Challenge IV**

[https://tryhackme.com/room/osintchallengeiv](https://tryhackme.com/room/osintchallengeiv)

---

## Task 1

**Description**

An ACME Jet Solutions employee uploaded a photo of a residential property believed to be linked to ACME Jet’s early operations. The goal is to figure out where the picture was taken to confirm or debunk the rumour.

**Flag format:** `THM{City}`

---

### Investigation

From the image provided, one unique thing immediately stood out: the sign **“The Rectory”** on the building. I also noticed an **ADT armed response** badge on the door. From prior knowledge and experience playing GeoGuessr, armed response systems for private homes are extremely common in **South Africa**, which made it stand out compared to most other countries.

This made South Africa my initial guess, so I then checked the **EXIF data** of the image. The metadata showed the following coordinates:

`26° 12' 14.76" S, 28° 2' 50.28" E`

Providing these coordinates to Google Maps confirmed that the image was taken in **Johannesburg, South Africa**.

![Pasted image 20260206180638](https://hackmd.io/_uploads/H1tmYFEwWg.png)

![image](https://hackmd.io/_uploads/S1dBcF4wZx.png)

**Flag:** `THM{Johannesburg}`

---

## Task 2

ACME Jet Solutions (`warc-acme.com/jef/`) is all over social media claiming they were founded in **2025** and that they are the fastest-growing data company in Africa. However, a former employee claims the company existed long before that. The task is to verify the company’s founding date using **only public information**.

**Flag format:** `THM{YYYYMMDDHHMMSS}`

---

### Investigation

Attempting to use traditional website archives, such as the Wayback Machine, did not return any results for the site.
Because of this, I pivoted to checking **Internet Archive WARC metadata** using:

[https://archive.org/search?query=warc-acme.com](https://archive.org/search?query=warc-acme.com)

Expanding the result revealed archived crawl metadata, including fields such as **Addeddate** and **Firstfiledate**, which are useful for determining when the site first existed publicly.

![Pasted image 20260206194810](https://hackmd.io/_uploads/r1kKctEP-e.png)

Relevant metadata:

```
WARC: acme.com/jef/
Publication date         2016
Topics                   warcarchives
Item Size                9.5G
Access-restricted-item   true
Addeddate                2016-02-13 00:40:30
Firstfiledate            20160210224602
Lastfiledate             20160212160442
Scandate                 20160210224602
```

The key field here is:

`Firstfiledate: 20160210224602`

This confirms that the website existed publicly in **February 2016**, directly contradicting the claim that the company was founded in 2025.

**Flag:** `THM{20160210224602}`

---

## Task 3

Further investigation uncovered another image believed to be connected to the company’s international expansion. Research reveals that to the **right of the iconic landmark** is a building that played a major role in a country’s fight for independence. The building’s name is visible on the exterior wall.

**Flag format:** `THM{Landmark}`

---

### Investigation

The image clearly shows text and signage consistent with **Dublin, Ireland**.

![Pasted image 20260206195205](https://hackmd.io/_uploads/rkHoqY4v-l.png)

Using Google Lens confirmed that the image shows **The Spire of Dublin**.

![Pasted image 20260206195402](https://hackmd.io/_uploads/S1la9FND-l.png)

Another angle of the area:

![Pasted image 20260206195958](https://hackmd.io/_uploads/H1jkstEDbg.png)

While the Spire is the most visually obvious structure, it is not the answer. The Spire stands on **O’Connell Street**, directly outside and associated with the **General Post Office (GPO)**.
The question “What is the landmark?” refers to the **named, historically recognised building**, not the modern structure used as a visual clue. In this case, the Spire acts as a ruse but also helps determine the actual landmark.

**Flag:** `THM{General Post Office}`

---

## Task 4

After uncovering ACME Jet Solutions’ origins and tracing their online presence through archived websites and landmarks, investigators believe an **internal document** was accidentally leaked by one of the company’s developers. The document may contain information about the individual responsible for maintaining their systems.

The downloaded file was:

`internal-docs-1769695301727.odt`

---

### Investigation

Reviewing `meta.xml` revealed the following useful information:

- **Internal username:** `markwilliams7243`
- **Description note:** “Just remember Robin, don’t publish this externally!”
- Creation and edit timestamps, likely red herrings

This gives two clear human pivots:

- `markwilliams7243`
- `Robin`

Since the document text mentioned that a **video would be released soon**, this suggested checking platforms where videos are commonly published.

Using a username checker:

[https://instantusername.com/?q=markwilliams7243](https://instantusername.com/?q=markwilliams7243)

![Pasted image 20260206202112](https://hackmd.io/_uploads/r1hmoFNDZl.png)

Most platforms returned no results. However, **YouTube** did have a user with this exact username. Inspecting the YouTube profile revealed the flag directly in the post content.

![Pasted image 20260206202233](https://hackmd.io/_uploads/HJSfsFEPbx.png)
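
Added example, not part of the original write-up: the `meta.xml` review from Task 4 run as a pre-publication check that lists the identifying fields an ODT would expose. The element names come from the OpenDocument metadata schema; the sample file, its values, and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Fields that commonly carry names, usernames or free-text notes.
IDENTIFYING = ("meta:initial-creator", "dc:creator", "dc:description",
               "dc:title", "dc:subject", "meta:keyword")
TIMESTAMPS = ("meta:creation-date", "dc:date")


def read_odt_meta(odt_bytes):
    """Return {field: text} for each populated metadata field of interest."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("meta.xml"))
    block = root.find("office:meta", NS)
    found = {}
    for field in IDENTIFYING + TIMESTAMPS:
        el = block.find(field, NS) if block is not None else None
        if el is not None and el.text and el.text.strip():
            found[field] = el.text.strip()
    return found


def identifying_fields(odt_bytes):
    """Fields to clear or review before the file leaves the organisation."""
    meta = read_odt_meta(odt_bytes)
    return {k: v for k, v in meta.items() if k in IDENTIFYING}


def build_sample_odt():
    """Constructed sample: a minimal ZIP holding a meta.xml with made-up values."""
    doc = (
        '<office:document-meta xmlns:office="{office}" '
        'xmlns:meta="{meta}" xmlns:dc="{dc}"><office:meta>'
        "<meta:initial-creator>exampleuser0001</meta:initial-creator>"
        "<dc:description>Constructed note: internal only</dc:description>"
        "<meta:creation-date>2020-01-01T09:00:00</meta:creation-date>"
        "<dc:title></dc:title>"
        "</office:meta></office:document-meta>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("meta.xml", doc)
    return buf.getvalue()
```

Calling `identifying_fields(open(path, "rb").read())` on a real `.odt` returns the same kind of author and description fields that served as pivots above; empty elements are skipped.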