> For the complete documentation index, see [llms.txt](https://lance-kenji.gitbook.io/me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lance-kenji.gitbook.io/me/osint-industries-ctf-writeups/open-source-intelligence-osint/holehe-and-the-secret-email.md).
# 📧 HOLEHE & The Secret Email
### Challenge Overview
This challenge focuses on uncovering the origins of the OSINT tool “Holehe”, specifically tracing back the first public appearance and creation date of the creator’s email address.
Behind every OSINT tool is a developer, and behind that developer is usually a publicly exposed email. The task is to identify:
* The creator of Holehe
* The public email address associated with the project
* The exact creation date of that email address
Only the date is required for the final flag.
Flag format:
```
OSINT{DD-MM-YYYY}
```
Example (not the real answer):
```
OSINT{01-01-2020}
```
Rules:
* Use only legal, open-source information
* Do not contact the developer
* No exploitation or intrusion
* OSINT only (code repositories, public profiles, archives)
***
### Initial Assumptions
Based on the challenge description, the following assumptions were made:
* Holehe is an open-source OSINT tool, likely hosted on a public code repository
* The creator’s email address would most likely be exposed in:
* GitHub repositories
* README files
* Commit metadata
* ProtonMail email addresses may leave public cryptographic or keyserver traces
***
### Investigation Process
#### 1. Identifying the Holehe Repository
The investigation started with a simple Google search:
```
holehe
```
This search returned the official Holehe GitHub repository.
Opening the repository and reviewing the README.md revealed a publicly listed email address used by the creator.
The email found was:
```
megadose@protonmail.com
```
***
#### 2. Understanding ProtonMail OSINT Limitations
ProtonMail does not provide public account creation dates through an official OSINT-friendly API. Searching the Proton website for developer or API documentation revealed a security-related endpoint referenced here:
```
https://proton.me/security/vulnerability-disclosure
```
This page references the domain:
```
api.protonmail.ch
```
This became the next OSINT pivot point.
***
#### 3. Google Dorking ProtonMail API Endpoints
Using Google dorking techniques, the following query was used:
```
inurl:"api.protonmail.ch"
```
One interesting endpoint discovered was:
```
https://api.protonmail.ch/pks/lookup?op=get&search=email@protonmail.com
```
Accessing this endpoint returned an ASC file containing a PGP public key, which suggested that ProtonMail exposes OpenPGP keyserver metadata.
***
#### 4. Finding an Existing ProtonMail OSINT Tool
To better understand how this endpoint could be used, a search was conducted on GitHub for existing ProtonMail OSINT tools. This led to the discovery of:
```
https://github.com/C3n7ral051nt4g3ncy/Prot1ntelligence
```
Instead of cloning the repository, the source code was reviewed directly. Inside prointel.py, the following line stood out:
```
url = f"https://api.protonmail.ch/pks/lookup?op=index&search={email}"
```
This confirmed that the ProtonMail keyserver index could be queried directly using an email address.
***
#### 5. Querying the Holehe Email Address
Using the discovered endpoint, the following request was made:
```
https://api.protonmail.ch/pks/lookup?op=index&search=megadose@protonmail.com
```
The response returned the following data:
```
info:1:1
pub:b2e401ef07705693a0ccd8d1b0e29d2cac738595:22::1610617266::
uid:megadose@protonmail.com :1610617266::
```
The value **1610617266** appeared consistently and matched the format of a Unix timestamp.
***
#### 6. Timestamp Conversion
The Unix timestamp 1610617266 was converted into a human-readable date, resulting in:
```
Thu 14 Jan 2021 17:41:06 PST
```
This timestamp represents the creation or first registration time of the associated ProtonMail PGP identity.
***
### Key Findings
* The creator of Holehe publicly used the email
* ProtonMail PGP keyserver metadata can expose account-related timestamps
* The Unix timestamp 1610617266 corresponds to January 14, 2021
***
### Final Flag / Answer
```
OSINT{14-01-2021}
```
***
### Notes & Takeaways
* Public GitHub repositories often leak valuable OSINT pivots such as emails
* Even privacy-focused services like ProtonMail can expose metadata through PGP key infrastructure
* Understanding how existing OSINT tools work can reveal new investigative paths
* Timestamps hidden in technical outputs are easy to overlook but highly valuable
This challenge highlights how indirect metadata exposure can reveal historical information without any direct interaction or intrusion.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://lance-kenji.gitbook.io/me/osint-industries-ctf-writeups/open-source-intelligence-osint/holehe-and-the-secret-email.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.