Browse CTFs New CTF Sign in

Multi-Platform OSINT Chain: Shop, Git, IMDS and Chat Pivot Across Five Distinct Data Sources

forensic_file_artifacts Difficulty 1–5 30 min certifiable

Theory

Why This Matters

Multi-domain OSINT chains represent the highest-complexity intelligence collection scenario in real-world investigations. Fraud investigators at financial institutions routinely trace from a fraudulent e-commerce transaction through developer identity to cloud infrastructure exposure in a single investigation chain. Threat intelligence teams responding to data breaches document exactly this pivot pattern: a public-facing e-commerce site leads to a developer GitHub profile, which leads to committed secrets, which leads to cloud storage access, which yields internal communications that reveal the full scope of the breach. Understanding how each domain's exposure enables the next pivot is essential for both offensive intelligence collection and defensive gap analysis. This card maps a documented five-domain chain that illustrates how operational security failures compound across organizational layers.

Core Concept

A multi-domain OSINT chain is a sequential series of pivots where intelligence extracted from one source becomes the seed query for the next. Each pivot exploits a different category of public disclosure. The power of the technique lies in how low-sensitivity public data in each domain combines to expose high-sensitivity internal infrastructure.

Domain 1 — E-commerce transaction artifacts: An order confirmation email from a legitimate purchase reveals the sender domain, the transactional email platform (often a subdomain like mail.store.company.com or a third-party relay), the registered business name in the email footer, and embedded tracking pixel domains. The email headers' Received: chain traces the mail path through the organization's infrastructure. This is authorized intelligence — you purchased the product.

Domain 2 — Developer identity: The sender domain and business name enable a targeted search for associated GitHub accounts. Many developers use their work email as their GitHub commit email, which is exposed in git log --format="%ae" on public repositories. The github.com/orgs/ORGNAME/members page lists public organization members. Finding a developer associated with the e-commerce platform leads to their personal and organizational repositories.

Domain 3 — Git history secrets: Git commit history is permanent and publicly accessible even when a file is deleted from the current HEAD. The git log --all --full-history -- .env command lists every commit that touched a .env file, and git show COMMIT:.env retrieves the content. IMDS-sourced AWS credentials (AWS_ACCESS_KEY_ID=ASIA...) embedded in .env files during local development and accidentally committed persist in history indefinitely. truffleHog and gitleaks automate this scan across entire organizations.

Domain 4 — Cloud storage access: IMDS-sourced temporary credentials (if still valid) or long-term credentials grant S3 API access. aws s3 ls s3:// with --no-sign-request lists public buckets; authenticated access reveals private bucket contents. Bucket names are frequently predictable from the organization name or application name found in the repository code. aws s3 sync s3://bucketname ./local/ downloads all objects for offline analysis.

Domain 5 — Chat platform exports: E-commerce and development teams often export Slack or Discord channel histories for archiving, compliance, or migration purposes. These export files (.zip archives containing JSON files per channel) are sometimes stored in S3 buckets with public-read ACLs or world-listable bucket policies set during the migration period. A chat export contains internal communications, shared credentials, infrastructure discussions, and employee handles — completing the intelligence chain from a public purchase to private internal communications.

Operational security failure mapping: Each pivot exploits a distinct OpSec failure: transactional email disclosure (Domain 1), public commit email exposure (Domain 2), secret commit without .gitignore enforcement (Domain 3), predictable S3 bucket naming without access policies (Domain 4), and chat export stored with public permissions (Domain 5).

Technical Deep-Dive

# Domain 1: E-commerce order email analysis
# Extract headers from received email (save as raw .eml)
cat order_confirmation.eml | grep -E "^(From|To|Received|X-Mailer|Message-ID|X-Originating-IP):"
# Received: from mail.company-store.com (203.0.113.10) ...
# X-Mailer: WooCommerce 7.4.1 (PHPMailer 6.6.5)
# Message-ID: <[email protected]>

# Domain 2: Developer identity discovery
# Search GitHub for the domain
gh search code "company-store.com" --limit 30
gh api /orgs/company-store/members --jq '.[].login'

# Git commit email exposure
git clone https://github.com/company-store/webstore.git /tmp/webstore
git -C /tmp/webstore log --format="%ae %an" | sort -u
# [email protected] Alice Developer

# Domain 3: Git history secret extraction
# Scan all repos for secrets
trufflehog git https://github.com/company-store/webstore --only-verified
# Or manual search:
git -C /tmp/webstore log --all --oneline -- .env
git -C /tmp/webstore show abc1234:.env
# AWS_ACCESS_KEY_ID=ASIAQGFJ7EXAMPLE
# AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE
# AWS_SESSION_TOKEN=AQoDYXdzEJr...

# Domain 4: S3 bucket access
export AWS_ACCESS_KEY_ID="ASIAQGFJ7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE"
export AWS_SESSION_TOKEN="AQoDYXdzEJr..."
aws sts get-caller-identity
aws s3 ls s3://company-store-backups/
aws s3 sync s3://company-store-backups/ /tmp/s3data/ 2>/dev/null

# Domain 5: Chat export discovery and parsing
ls /tmp/s3data/
# slack-export-2024-01-15.zip  discord-backup-2023-12.zip

unzip /tmp/s3data/slack-export-2024-01-15.zip -d /tmp/slack/
# Parse JSON channel exports:
python3 -c "
import json, glob
for f in glob.glob('/tmp/slack/**/*.json', recursive=True):
    data = json.load(open(f))
    for msg in data:
        if any(kw in str(msg) for kw in ['password','secret','key','token']):
            print(f, msg.get('text',')[:200])
"

Intelligence Collection Methodology

  1. Domain 1 recon: Purchase a low-cost item or use a guest account. Save the full raw email headers from the order confirmation. Analyze Received: chain, X-Mailer, Message-ID domain, and any embedded pixel or tracking link domains using exiftool on any PDF attachments for metadata.
  2. Domain 2 pivot: Use the sender domain to search GitHub (gh search code "domain.com"), identify the organization account (github.com/orgs/ORGNAME/members), and enumerate public repositories. Extract commit author emails with git log --format="%ae" across all repos.
  3. Domain 3 extraction: Run truffleHog (trufflehog git URL --only-verified) and gitleaks (gitleaks detect --source /tmp/clonedrepo) against all discovered public repositories. Manually inspect git history for .env, .aws/credentials, config.yml, and docker-compose.yml files using git log --all --full-history -- FILENAME.
  4. Domain 4 access: Validate any discovered AWS credentials with aws sts get-caller-identity. List accessible S3 buckets with aws s3 ls and enumerate bucket contents. Derive additional bucket name candidates from application names and environment names found in repository code (staging, prod, backup).
  5. Domain 5 harvest: Identify archive files in S3 objects (.zip, .tar.gz, .json) with names suggesting chat exports or backups. Download and parse JSON structures for credential patterns, infrastructure references, and personnel data.
  6. Chain documentation: Map each pivot in a linear diagram: Order Email → Developer GitHub → Git Secret → S3 Bucket → Chat Export. Document the specific OpSec failure at each node and the intelligence yield.
  7. Impact assessment: Correlate chat export usernames with the employee email list from Domain 2, and infrastructure references in chat with bucket names and domains found in Domain 4. Assess the data sensitivity of each discovery.

Common Intelligence Collection Errors

  • Stopping at Domain 3 when credentials are expired: IMDS temporary credentials that fail validation may have been recently rotated. Continue the chain by searching S3 for public buckets using --no-sign-request and by using Pacu to enumerate what the role could have accessed to scope the historical risk even if live access is not possible.
  • Missing git history after a force push: Developers who discover a committed secret sometimes use git push --force to rewrite history. However, GitHub retains dangling commits for 90 days, and third-party mirrors (GitLab mirrors, sourcegraph.com) may have cached the original history. Search these sources when the main repository history appears clean.
  • Treating the first S3 bucket found as the only relevant one: Organizations typically have dozens of S3 buckets. The compromised credentials may have access to multiple buckets not visible via aws s3 ls if bucket listing is restricted. Enumerate specific bucket names derived from application names in the repository code.
  • Ignoring non-AWS cloud infrastructure: The same chain applies to GCP (service account JSON keys committed to git → GCS bucket access) and Azure (Azure storage connection strings in config files → blob container access). Do not assume AWS-only when git history reveals cloud infrastructure.
  • Failing to preserve chain-of-custody documentation: In investigations that may lead to legal action, each pivot must be documented with timestamps, source URLs, and the specific commands or actions taken. Undocumented pivots undermine evidentiary value.
  • Overlooking Discord export structure differences from Slack: Slack exports use per-channel JSON files in a flat directory; Discord exports (via DiscordChatExporter) produce HTML or JSON per channel with a different schema. Apply appropriate parsers for each format rather than assuming uniform structure.

NICE Framework Alignment

Code Knowledge/Skill/Task Statement How This Card Develops It
K0058 Knowledge of network protocols Tracing SMTP Received: headers, HTTP tracking pixels, S3 API calls, and chat platform APIs across five domains in a single intelligence chain
K0145 Knowledge of security assessment approaches Constructing a structured multi-domain OSINT chain with documented pivots, failure points, and intelligence yields at each step
K0272 Knowledge of network security architecture Mapping the interconnected architecture of e-commerce, version control, cloud storage, and messaging platforms as an attack surface
K0427 Knowledge of encryption algorithms Identifying AWS temporary credential types, understanding session token structure, and assessing the encryption posture of each discovered storage endpoint
S0040 Skill in identifying and extracting data of interest Extracting actionable intelligence (credentials, employee data, internal communications) from five heterogeneous public source types in a connected chain
T0569 Apply and utilize authorized cyber capabilities to achieve objectives Applying truffleHog, AWS CLI, git, and Python parsing tools across a complete five-domain collection chain within authorized scope

Further Reading

  • Open Source Intelligence Techniques, 9th Edition — Michael Bazzell, Chapter 14: Advanced OSINT Chains (IntelTechniques.com)
  • Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities — Vickie Li, Chapter 5: Web Recon (No Starch Press)
  • Practical Threat Intelligence and Data-Driven Threat Hunting — Valentina Costa-Gazcón, Chapter 6: Pivot Techniques (Packt Publishing)

Challenge Lab

Reinforce your learning with a hands-on generated challenge based on this card's competency.