Hack The Box: [Medium] OSINT Challenges Writeup

Hello everyone… If you guys also find OSINT fun and challenging, then have a look at OSINT challenges by HackTheBox. As of today, there are 8 free active OSINT Challenges available on HTB, categorized into Easy and Medium.

Challenge Link:- https://www.hackthebox.eu/home/challenges/OSINT

So, Let’s Begin…

---

Infiltration:

“Can you find something to help you break into the company ‘Evil Corp LLC’. Recon social media sites to see if you can find any useful information.”

We have a company called “Evil Corp LLC”, we need to investigate it on social media sites to get the flag. Alright, let’s Google the company.

Our first result is LinkedIn; let’s see if we can get something interesting there.

It decoded into this string: “You can do this; keep going!!!”

Cooool, we found the rabbit hole.😃

Let’s see the other results.

Looks interesting, lets check tweets made by her.

Tried using HTB{and all the words one by one} but it was just a rabbit hole.

Let’s check the third result i.e., an Instagram account.

Cool, we have another LinkedIn account. Let’s check. 

Bleh, there is nothing on her LinkedIn account. Let’s have a look at her Instagram posts.

She has posted a photo in which there is an Employee card by Evil Corp LLC

Focus on the text below the barcode… we got our flag…

HTB{Y0ur_Enum3rat10n_1s_Str0ng_Y0ung_0ne}

Missing In Action:

“Roland Sanchez from Birmingham, UK is missing. The family is convinced he was kidnapped on a business trip. Can you help?”

We have a name and country. Ronald Sanchez from Birmingham, UK. Alright, time to google him.

The first result is LinkedIn, let’s see if there is some juicy info.

Amm… nothing much. We have his profile picture and we know where he works, i.e., Egotisical Bank.

The Twitter account we found in google search is of another person…🙂

Let’s see the social accounts of Egotistical Bank.

Bank has a Twitter account with 11 tweets. We may find something in those tweets.

Roland Sanchez is too a CISO.

Go back to our first google search results and see the last result in the screenshot mentioned FourSquare. We may find something there.

Yay !!! we got the flag in the review section of the website. Hehe, Roland shifted to Sheffield.

HTB{J4Va_c0St_M3_m0r3_than_1_th0ugh7}

We Have A Leak:

“Super Secure Startup’s private information is being leaked; can you find out how?”

In this challenge we have one zip file, download it and extract the files.

Password:- hackthebox

Okay, we have another zip file now “mock_ssh_login.zip”. Extracting it gives us another zip file, and it’s password protected .🤧

Tried to crack it with fcrackzip, but it turned out nothing. 

Let’s see if “super secure startup” has any socials.

Cool, there’s a Twitter account.

I found one interesting tweet.

Remember Alia Mccarty? We saw her in one of the previous challenge “Infiltration” both by the same creator greenwolf. 
Also, we have now an email j.boyce@supersecretstartup.com

Let’s see the profile of Johanna Boyce. Looks like she is a fan of Taylor Swift.

She posts too much about her company. You can find several tweets related to her company.

We need to unlock “username.zip” file.
Till now we have these names- Johanna Boyce, Alia Mccarty and Bianka Phelps. Well these were not correct password for zip.

Johanna use j.boyce in her email, so I tried this variant with other names like a.mccarty, b.phelps but again it was useless.

Then another tweet clicked in my mind.

Another name JTerranwald. Let’s try j.terranwald as a password. 

Yayy!!!, It worked. Shitt! one more zip and again password protected.

So, let’s have a look at Josh Terranwald.

Nothing interesting in his account. 

Now we have one more account left.

This looks interesting.

SSH default password ? SupSecStart#Winter2018!

Well, it didn’t work on the password.zip file.

Great! We are stuck…🙂.

Going back to tweet about the hiring of Josh Terranwald.

Josh got hired on March 26, 2019, i.e., Spring of 2019.

Let’s replace SupSecStart#Winter2018! with SupSecStart#Spring2019!

Yay!!! It worked, SupSecStart#Spring2019! is the password for the password.zip file.

HTB{Sav3_The_Startup_Sav3_The_W0rld_#Hiro}

BREACH:

“You managed to pull some interesting files off one of Super Secure Startup’s anonymous FTP servers. Via some OSINT work(a torrent or online Password breach site) you have also procured a recent data breach dump. Can you unlock the file and retrieve the key?”

Okay, Download the zip file. Password: hackthebox

After extracting we get two files. Public-data-breach.txt consists of many usernames, emails and passwords. But we don’t know which username to search for.

Again google the company name “Super secure Startup”. You must remember this company from the previous challenge.

We came across these usernames- Johanna Boyce, Alia Mccarty, and Bianka Phelps, Josh Terranwald. Let’s find these usernames in the public-data-breach.txt file. Only Bianka’s data was present in the file.

We have a password “Love!July2018″ but it turned out incorrect. 

Remember in “We have a leak” we changed the season name to get the correct password. Let’s try the same thing here.

The file was modified in March. Let’s try Love!March2019 as password.

Yay!!! It’s the correct password.

It’s base64. Decode it.

HTB{P4ssw0rd_Br3ach3s_C4n_B3_A_Tr3asur3_Trov3_0f_Inf0rmati0n}

Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!

Try Hack Me’s 1 Month Voucher Giveaway Link : https://forms.gle/xpqS2jgspyC22K5d8