Home / Blog / OhSINT
OSINT Easy APR 2026  ·  5 min read

OhSINT — TryHackMe
Walkthrough

Starting from a single image file — WindowsXP.jpg — and using ExifTool to extract hidden metadata, a username, GPS coordinates, and a full OSINT trail. Seven questions. All answered from one photo.

#osint #exiftool #tryhackme #metadata #wigle #twitter
Platform
TryHackMe
Difficulty
Easy
Category
OSINT
Solved
Apr 2026
// OVERVIEW

OhSINT is one of TryHackMe's most popular OSINT rooms. You're given a single file — the famous WindowsXP.jpg wallpaper — and asked to answer 7 questions purely through open-source intelligence gathering. No hacking tools needed, just ExifTool, a browser, and methodical thinking.

// What you need: ExifTool, a browser, Wigle.net account (free). That's it.
// STEP 1 — EXTRACT METADATA
01Run ExifTool on the image

The first thing you always do with an image in OSINT — check its metadata. ExifTool reads all embedded data from the file including camera info, GPS coordinates, author fields, and more.

BASH exiftool WindowsXP.jpg

The output will show many fields. The one that matters immediately is the Copyright field — it contains a name that will be our starting point for the entire investigation.

OUTPUT ExifTool Version Number : 12.x File Name : WindowsXP.jpg File Size : 234 kB Image Width : 1024 Image Height : 768 ... Copyright : OWoodflint GPS Latitude : 54 deg 17' 41.27" N GPS Longitude : 2 deg 15' 1.33" W GPS Position : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
🏁
Q1 — What is this user's avatar of?
// Find the Twitter profile of OWoodflint → check their avatar
// STEP 2 — FIND THE TWITTER PROFILE
02Search the username

Take the username OWoodflint and search it on Google, Twitter/X, and GitHub. You'll find a Twitter account immediately.

GOOGLE SEARCH OWoodflint

The Twitter profile picture is the answer to Q1. While on Twitter, look at the tweets — one of them contains a BSSID (a WiFi access point identifier). This is the answer to Q3.

🏁
Q1 — Avatar
A cat
🏁
Q2 — What city is this person in?
London — found from their Twitter bio / posts
🏁
Q3 — BSSID of their home WiFi router
B4:5D:50:AA:86:41 — found in a tweet
// STEP 3 — WIGLE.NET LOOKUP
03Look up the BSSID on Wigle

Wigle.net is a crowdsourced WiFi geolocation database. If a WiFi access point has ever been scanned by someone running Wigle's app, its physical location is logged. Take the BSSID from the tweet and search it.

WIGLE.NET # Go to: wigle.net → View → Advanced Search BSSID: B4:5D:50:AA:86:41

The map will drop a pin on the location. Zoom in to see the SSID (WiFi network name) of that access point — that is the answer to Q4.

🏁
Q4 — SSID of the WAP he connected to
UnileverWifi — found via Wigle BSSID lookup
// STEP 4 — GITHUB PROFILE
04Find the GitHub account

Go back to your Google search results for OWoodflint. There will be a GitHub profile. The bio or repository details reveal their email address.

URL github.com/OWoodfl1nt/people_finder
🏁
Q5 — Email address
OWoodflint@gmail.com — found in GitHub profile
// STEP 5 — WORDPRESS BLOG
05Find the blog

The Google search results also surface a WordPress blog by OWoodflint. The blog post reveals where they are travelling to — answering Q6. Reading the page source (right-click → View Source) reveals a password hidden in a white-coloured font in the page HTML.

TIP # Password is hidden as white text on white background # Use Ctrl+U (View Source) or browser DevTools to find it Ctrl+F → search for "password" in page source
🏁
Q6 — Where has he gone on holiday?
New York — found in the WordPress blog post
🏁
Q7 — Password
pennYDr0pper.! — hidden in white text in blog source
// ANSWERS SUMMARY
# Question Answer Source
Q1Avatar of?A catTwitter
Q2City?LondonTwitter bio
Q3BSSID?B4:5D:50:AA:86:41Twitter tweet
Q4SSID?UnileverWifiWigle.net
Q5Email?OWoodflint@gmail.comGitHub
Q6Holiday?New YorkWordPress blog
Q7Password?pennYDr0pper.!Blog page source
// WHAT I LEARNED

This room is deceptively simple but teaches a critical lesson — metadata is data. A photo you share online can contain your GPS coordinates, device info, and even a username embedded by the software that created it.

The chain here was: ExifTool → username → Twitter → BSSID → Wigle.net → location. One piece of information unlocks the next. That's exactly how real OSINT investigations work.

The password hidden in white text is also a good reminder — hiding data in plain sight doesn't mean it's hidden. Always check page source.

// Key takeaway: Before sharing any photo online, always strip its metadata. On Linux: exiftool -all= yourphoto.jpg
← Back to Blog View Room on TryHackMe →