We’re trying to figure out how to track this Tor traffic but all we’ve got is this string, A68097FE97D3065B1A6F4CE7187D753F8B8513F5! We don’t know what to do with it. We’re looking for someone responsible for hosting multiple nodes. Can you find the IPv4 addresses this node and any of its effective family members?
FLAG FORMAT: RUSEC{family_ip1:family_ip2:…:family_ipX} for X family members
The flag will be the IPs of the node and all the associated family members in order of oldest node to youngest, based on when they were first seen, separated by colons.
The provided string A68097FE97D3065B1A6F4CE7187D753F8B8513F5 is a 40-character hexadecimal string, which is the format of a Tor relay fingerprint. Tor relays are identified by their unique RSA SHA1 fingerprint.
We can look up Tor relay information using the Tor Metrics Relay Search or directly query the Onionoo API.
Query URL:
https://onionoo.torproject.org/details?lookup=A68097FE97D3065B1A6F4CE7187D753F8B8513F5
This returns details about the relay olabobamanmu:
- IPv4 address: 51.15.40.38
- First seen: 2020-04-03
- Contact: giannoug@gmail.com

The relay’s effective_family field lists all family members:
- 414E64BA607560F9D9C196A825950DC968700420
- A68097FE97D3065B1A6F4CE7187D753F8B8513F5 (original)
- B4CAFD9CBFB34EC5DAAC146920DC7DFAFE91EA20

Looking up each family member:

| Fingerprint | Nickname | IPv4 Address | First Seen |
|---|---|---|---|
| B4CAFD9CBFB34EC5... | netimanmu | 212.47.233.86 | 2019-02-18 |
| A68097FE97D3065B... | olabobamanmu | 51.15.40.38 | 2020-04-03 |
| 414E64BA607560F9... | kanemeadminmanmu | 151.115.73.55 | 2024-12-29 |

All three relays are operated by the same person (giannoug) and hosted on Scaleway infrastructure.
Sorting from oldest to youngest based on first_seen:
- 212.47.233.86 — first seen 2019-02-18 (oldest)
- 51.15.40.38 — first seen 2020-04-03
- 151.115.73.55 — first seen 2024-12-29 (youngest)

RUSEC{212.47.233.86:51.15.40.38:151.115.73.55}
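
The same procedure as a script, added here as an example and not part of the original write-up: it takes Onionoo details documents, resolves the effective family, pulls each relay's IPv4 OR address and orders the result by first_seen. The embedded sample is constructed (ports, times of day and the IPv6 entry are placeholders), and `ipv4_of` and `family_flag` are names chosen for this example.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample shaped like Onionoo "details" documents. Fingerprints,
# nicknames, IPv4 addresses and first_seen dates are from the write-up; ports,
# times of day and the IPv6 entry are placeholders invented for this example.
FAMILY = ["414E64BA607560F9D9C196A825950DC968700420",
          "A68097FE97D3065B1A6F4CE7187D753F8B8513F5",
          "B4CAFD9CBFB34EC5DAAC146920DC7DFAFE91EA20"]
SAMPLE = json.loads("""{"relays": [
  {"nickname": "olabobamanmu", "fingerprint": "A68097FE97D3065B1A6F4CE7187D753F8B8513F5",
   "or_addresses": ["[2001:db8::1]:9001", "51.15.40.38:9001"],
   "first_seen": "2020-04-03 00:00:00"},
  {"nickname": "kanemeadminmanmu", "fingerprint": "414E64BA607560F9D9C196A825950DC968700420",
   "or_addresses": ["151.115.73.55:9001"], "first_seen": "2024-12-29 00:00:00"},
  {"nickname": "netimanmu", "fingerprint": "B4CAFD9CBFB34EC5DAAC146920DC7DFAFE91EA20",
   "or_addresses": ["212.47.233.86:9001"], "first_seen": "2019-02-18 00:00:00"}
]}""")["relays"]
for relay in SAMPLE:
    relay["effective_family"] = FAMILY  # same mutual family on every member


def ipv4_of(relay):
    """Return the first IPv4 address in or_addresses ("ip:port" or "[v6]:port")."""
    for entry in relay["or_addresses"]:
        host = entry.rsplit(":", 1)[0].strip("[]")
        if ipaddress.ip_address(host).version == 4:
            return host
    raise ValueError(f"no IPv4 OR address for {relay['fingerprint']}")


def family_flag(relays, start_fp):
    """Build the flag: family IPv4 addresses ordered oldest to youngest."""
    by_fp = {r["fingerprint"]: r for r in relays}
    members = {start_fp, *by_fp[start_fp].get("effective_family", [])}
    missing = members - set(by_fp)
    if missing:  # a family member we have no details document for
        raise KeyError(f"no details document for: {sorted(missing)}")
    ordered = sorted(
        (by_fp[fp] for fp in members),
        key=lambda r: datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S"))
    return "RUSEC{" + ":".join(ipv4_of(r) for r in ordered) + "}"


if __name__ == "__main__":
    print(family_flag(SAMPLE, "A68097FE97D3065B1A6F4CE7187D753F8B8513F5"))
```
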