Room: Operation Slither
Category: OSINT
Difficulty: Medium
Tools Used: Web browser, idcrawl.com, Base64 decoder
Reading time: ~7 min
## Scenario
We gained access to a hacker forum and discovered company data from TryTelecomMe being sold by a threat group called Sneaky Viper. Our mission: trace every operator in the group using nothing but a forum post and pure OSINT.
The initial forum post reads:
Full user database TryTelecomMe on sale!!!
As part of Operation Slither, we've been hiding for weeks in their network and have now started to exfiltrate information. This is just the beginning. We'll be releasing more data soon. Stay tuned!
@v3n0mbyt3_
## Task 1 -- The Leader
### Objective
Find any information related to the leader of the Sneaky Viper group.
### Recon
Starting with the username v3n0mbyt3_, I searched across common social platforms. The handle was found on:
- X / Twitter -- @V3N0MBYT3 (no underscore variant). The bio hinted that Threads was the preferred platform: "Threads is more fun! Twitter out..."
- Instagram -- @v3n0mbyt3_
- Threads -- @v3n0mbyt3_ -- the main hub of activity.
### The Flag
On the Threads profile, the Replies tab revealed a conversation between v3n0mbyt3_ and another user, _myst1cv1x3n_. One reply from _myst1cv1x3n_ contained a suspicious string:
VEhNe3NsMXRoM3J5X3R3MzN0el80bmRfbDM0a3lfcjNwbDEzcyF9

Decoding from Base64:

```shell
$ echo "VEhNe3NsMXRoM3J5X3R3MzN0el80bmRfbDM0a3lfcjNwbDEzcyF9" | base64 -d
THM{sl1th3ry_tw33tz_4nd_l34ky_r3pl13s!}
```
### Notable Observations
The Threads posts also included a workstation photo with posters reading "AXEL SMITH" and "ARNIE 2" on the wall -- potential alias breadcrumbs.
The conversations between the two users were openly discussing the operation:
- "I still can't believe that they are still not aware of us for weeks."
- "time to harvest soon!"
- "Yea for sure. That last OP was wild."
## Task 2 -- The Second Operator
### Objective
A second forum post appeared advertising the stolen data for bidding. The operator handle was redacted, but we were told to follow the crumbs from Task 1.
60GB of data owned by TryTelecomMe is now up for bidding! Number of users: 64,500,000 Accepting all types of crypto For takers, send your bid on Threads via this handle: [HIDDEN]
### Recon
From Task 1, the username _myst1cv1x3n_ (Mystic Vixen) was already identified as a frequent collaborator of v3n0mbyt3_ on Threads. Searching this handle revealed:
- Instagram -- @_myst1cv1x3n_ -- 5 posts, bio: "Delightfully Chaotic xo"
- Threads -- @_myst1cv1x3n_ -- posts about "Lo-fi and chill" and "Finally! Vix3n is here!"
### The Trail: Instagram to SoundCloud
The Instagram profile had 5 posts -- mostly aesthetic images. The 3rd post (an anime-style bedroom Reel) contained a SoundCloud link in its caption.
Following the link led to a SoundCloud account with multiple tracks. One track in particular, "Prototype2", was not music at all -- it was a recording of three people discussing a GitHub repository and technical infrastructure. At the end of the recording, they realized they were being recorded and abruptly cut the stream.
### The Flag
The SoundCloud recording contained an encoded value that, when decoded, revealed the flag:
THM{s0cm1nt_00ps3c_f1ng3r_m1scl1ck}
(socmint + opsec + finger misclick -- they accidentally published the recording)
## Task 3 -- The Third Operator & Attack Infrastructure
### Objective
A third forum post surfaced -- this time selling a full phishing toolkit. Hunt the third operator and find details about the infrastructure used for the attack.
FOR SALE -- Advanced automation scripts for phishing and initial access!
Inclusions: Terraform scripts, evilginx v3.0 phishlet, GoPhish automation, Google MFA bypass, Cobalt Strike aggressor scripts, EDR bypass payloads...
PRICE: $1500
### Recon
On SoundCloud, the "Prototype2" recording had been liked by a user named sh4d0wF4NG -- a visible interaction that exposed the third operator.
Searching sh4d0wF4NG across platforms revealed a GitHub profile:
- GitHub -- sh4d0wF4NG (display name: sdF4NG) -- bio: "Chillin."
### The Repositories
The account had 3 public repositories, all directly matching the toolkit advertised in the forum post:
| Repository | Description |
|---|---|
| red-team-infra | Terraform scripts for phishing infra (HCL + Python) |
| evilginx2 | Fork of the MITM phishing framework |
| gophish | Fork of the open-source phishing toolkit |
### Digging Into Commits
The red-team-infra repository had 9 commits, all from April 23, 2024. Following the recon guide's advice to "analyse activity history for embedded information", I inspected each commit diff.
Commit 78de1f1 -- "Added automation for user" -- was the jackpot. The Terraform state file had been committed to the repo, leaking:
VEhNe3NoNHJwX2Y0bmd6X2wzNGszZF9ibDAwZHlfcHd9

```shell
$ echo "VEhNe3NoNHJwX2Y0bmd6X2wzNGszZF9ibDAwZHlfcHd9" | base64 -d
THM{sh4rp_f4ngz_l34k3d_bl00dy_pw}
```

The same state file also exposed the attack infrastructure:
| Detail | Value |
|---|---|
| AWS Region | ap-southeast-2 (Sydney) |
| EC2 Instance ID | i-0f3d5008863c391c9 |
| Instance Name | evilginx_instance |
| Public IP | 13.210.88.140 |
| IAM User | sh4d0wF4NG (AdministratorAccess) |
| IAM Unique ID | AIDAU2VYTBGYEI6YUORUZ |
| VPC CIDR | 172.31.0.0/16 |
The classic blunder: committing .tfstate to a public repository. The .gitignore excluded .terraform/ directories but not the state files themselves.
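To turn this finding into a repeatable check, here is an added example (my own code, not part of the room or the sh4d0wF4NG repositories) that does two things a defender wants after a leak like this: it enumerates which identifying or authenticating attributes a committed state file exposes, so they can be rotated or rebuilt, and it tests whether a `.gitignore` would actually have kept `*.tfstate` and `*.tfstate.backup` out of the repo. The sample state and the gitignore contents are constructed placeholders, and the gitignore matcher is deliberately simplified (no negation or escape handling).

```python
import fnmatch
import json

# Constructed sample shaped like a leaked terraform.tfstate; every value
# is a placeholder, not one of the room's real identifiers.
SAMPLE_TFSTATE = json.dumps({"version": 4, "resources": [
    {"type": "aws_instance", "name": "evilginx_instance", "instances": [
        {"attributes": {"id": "i-0123456789abcdef0", "public_ip": "203.0.113.10",
                        "availability_zone": "ap-southeast-2a"}}]},
    {"type": "aws_iam_access_key", "name": "operator", "instances": [
        {"attributes": {"id": "AKIA-PLACEHOLDER", "secret": "secret-placeholder",
                        "user": "example-user"}}]},
]})

# Attributes that identify or authenticate infrastructure; any of these that
# reached a public repo should be rotated or rebuilt, not merely deleted.
SENSITIVE_KEYS = {"id", "public_ip", "private_ip", "secret", "password",
                  "private_key", "access_key", "unique_id"}

def tfstate_exposures(state_json: str) -> list[tuple[str, str, str]]:
    """Return (resource, attribute, value) triples a leaked state reveals."""
    found = []
    for res in json.loads(state_json).get("resources", []):
        label = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for key, val in inst.get("attributes", {}).items():
                if key in SENSITIVE_KEYS and isinstance(val, str):
                    found.append((label, key, val))
    return found

def gitignore_covers(gitignore: str, path: str) -> bool:
    """Simplified .gitignore match: 'dir/' patterns match a parent component,
    other patterns match the basename (whole path if the pattern has a '/')."""
    parts = path.split("/")
    for raw in gitignore.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith(("#", "!")):
            continue
        if pat.endswith("/"):
            if pat.rstrip("/") in parts[:-1]:
                return True
        elif fnmatch.fnmatch(path if "/" in pat else parts[-1], pat):
            return True
    return False

def unignored_state_files(gitignore: str, tracked: list[str]) -> list[str]:
    """State artefacts (terraform.tfstate, *.tfstate.backup) git would commit."""
    return [p for p in tracked
            if ".tfstate" in p.split("/")[-1] and not gitignore_covers(gitignore, p)]
```

Running `unignored_state_files` against a `.gitignore` that only lists `.terraform/` reproduces the blunder described above: both state files come back as committable, and adding `*.tfstate` and `*.tfstate.*` empties the list.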
## Summary

| Task | Operator | Platform Trail | Flag |
|---|---|---|---|
| 1 | v3n0mbyt3_ | Forum -> X -> Threads (Replies) | THM{sl1th3ry_tw33tz_4nd_l34ky_r3pl13s!} |
| 2 | _myst1cv1x3n_ | Threads -> Instagram -> SoundCloud | THM{s0cm1nt_00ps3c_f1ng3r_m1scl1ck} |
| 3 | sh4d0wF4NG | SoundCloud (likes) -> GitHub (commits) | THM{sh4rp_f4ngz_l34k3d_bl00dy_pw} |
## Key Takeaways
- OPSEC is hard. Every public interaction -- a like, a reply, a fork -- is a potential pivot point for investigators.
- Platform correlation is powerful. A single username reused across platforms can unravel an entire operation.
- Git never forgets. Even if you delete sensitive data from the latest commit, the history preserves everything. Never commit state files or credentials.
- Social media metadata matters. Threads replies, SoundCloud likes, and Instagram captions all became links in the attribution chain.
The Sneaky Viper group's downfall wasn't a technical exploit -- it was human error at every level: Base64-encoded flags in public replies, an accidentally published recording of a planning session, and Terraform state pushed to a public GitHub repo. A textbook case of OPSEC failure.
## OSINT Pivot Chain -- The Big Picture

```text
OSINT Investigation Flow -- Operation Slither

Hacker Forum
  |
  v
TASK 1 -- The Leader
  v3n0mbyt3_ -> X/Twitter -> Threads -> Replies -> FLAG 1
                                           |
                       discovered _myst1cv1x3n_ in replies
                                           |
                                           v
TASK 2 -- 2nd Operator
  _myst1cv1x3n_ -> Instagram -> SoundCloud -> FLAG 2
                                    |
                         sh4d0wF4NG liked track
                                    |
                                    v
TASK 3 -- 3rd Operator
  sh4d0wF4NG -> GitHub -> Commit Diffs -> FLAG 3
                               |
                               v
                        Leaked .tfstate
                          Region: Sydney
                          EC2: evilginx
                          IP: 13.210.88.*

Legend
  ->  Platform pivot      |  Cross-task pivot
  Task 1: Social media trail
  Task 2: Audio OSINT (SoundCloud recording)
  Task 3: Code OSINT (GitHub commit history)
```