Hack the Box: We Have a Leak

Challenge Lab: OSINT

Difficulty: Medium

“Super Secure Startup’s private information is being leaked; can you find out how?”

Zip Password: hackthebox

sha256: 40f3ad64d83c3e18052888a6a64653c947683480d2caf225419d207a050f242f

Begin by downloading the file and using the password provided to extract everything.

Inside, you will find a couple more .zip files nested within each other, eventually hitting a roadblock when “username.zip” needs a password. I organized them all in a row on my desktop because it was easier to work with:

For this I first tried fcrackzip. It should be included with Kali, but if you need it:

apt-get update

apt-get install fcrackzip

I’m also going to use the rockyou.txt word-list, which can be found HERE if you don’t have it (auto-download).

fcrackzip -uDp <path to wordlist> <path to file>

However, it eventually turned up no results, so I am guessing the password was not in that wordlist. I reran the command using the bruteforce option, but did not have hope of that working anytime soon.

While that was running, I was looking up Super Secure Startup online, and found some things on Twitter:

I will check out this one first:

I found this post down at the bottom:

I think I recognize Alia from another challenge I did? Yeah, she is also involved in the “Infiltration” OSINT challenge on HTB (both by greenwolf). So this seems like a good lead.

We have an email with a domain name. However, supersecurestartup.com just pulls up a sketch looking site that I don’t think is part of the challenge.

Looking into Johanna, she does seems to post a lot of info about the company:

I downloaded these and tried stegsolve, which did not bring up much. I also tried strings on them both.

After this, I was thinking that the folder I need to unlock is called “username”. We have Johanna posting her company email name as j.boyce. I tried variations of all the employees I found:

j.boyce

jboyce

a.mccarty

amccarty

bphelps

b.phelps

Did not get anywhere with that, until I saw this tweet:

j.terranwald worked!

Annnnd now we have another .zip file to unlock.

Tried fcrackzip on it JUST to be sure…and it failed again…

So, let’s have a look at Josh Terranwald, “Web Developer, Father, Full of front of stack passion.”

He seems to like Eminem:

Cute dogs:

And the Avengers:

I thought it was interesting he posted an Eminem song named “Venom”, and that there is also a character named Venom in the Marvel Universe:

So I tried quite a few variations of that, but got nowhere.

He also seemed to be following a lot of football teams:

I tried many variations of these, which did not work, and wasted a lot of my time.

I’m moving on from Josh and looking a bit more closely at Bianka:

Eventually I focused on this:

I skipped by this originally because it just looked like a stock photo, but upon closer inspection you will see this:

SSH default password?

SupSecStart#Winter2018!

This did not work. So then I’m thinking, Josh got hired in Spring of 2019, right?

Let’s try:

SupSecStart#Spring2019!

Yep, it’s big brain time.

Your flag will be in the password folder, in a document called flag.txt:

Happy Hacking! ❤

CTF Writeups to facilitate cyber education.