Hack The Box – Infiltration

Hello world, welcome to Haxez. Today I’m looking at the Infiltration OSINT challenge on Hack The Box. The challenge asks the following:

“Can you find something to help you break into the company ‘Evil Corp LLC’. Recon social media sites to see if you can find any useful information.”

Ok, the first thing I did was head straight to google and search for Evil Corp LL in quotation marks. This ensures that we only get exact matches in our results. This technique is known as Google Dorking, although this is a pretty basic search operator.

Links To The Answer

The first result appears to be a Linkedin page which actually has a flag on it. We are Infiltration masters with our first Google search. Unfortunately, it seems that someone is playing games as this flag does not work when submitted. I wasn’t sure what to make of this but we will come back to it later.

Infiltration LinkedIn

I started looking through the employees and found Brian Delany whose job title at Evil Corp LLC is a hacker. Interestingly, his profile had a base64 encoded string. I decided to decode it using CyberChef which produced the following:

“There are people out there that will lie, steal and cheat to hide their own imperfections and to

This gave me an idea, normally Hack The Box flags have a phrase but the fake flag on the Evil Corp LLC profile didn’t. if we take the string to CyberChef and ask it to bake it for us, we get some words of encouragement. Ok, this isn’t our flag. Time to move on.

CyberChef

I poked around on Linked in for a while longer but didn’t find much. I went back to Google and the second result was an Instagram page.

Infiltration of Instagram

I currently work as a penetration tester. One thing I’ve picked up is that before performing a Red Team engagement, it’s a good idea to look at the employee’s social media profiles. If you can spot a badge then you might be able to create a replica which could help get by security. The laptop and badge on this profile immediately caught my attention (Thanks Rich).

Instagram Infiltration

Unfortunately, you need to be registered to view the pictures properly. It’s 2023, who uses Instagram these days? It’s all about TikTok now, isn’t it? I’m kidding of course, I do have an Instagram account and visited her account on my phone. From there I was able to zoom in on the badge and find the flag.

BINGO

Conclusion

These OSINT challenges are a lot of fun. I don’t see any active ones though so I think Hack The Box has moved away from them. It’s a shame honestly because it’s been a good break from smashing my face into box after box. So far, these challenges haven’t require too much effort other than poking around on the web. I will be doing more of them for sure.

Hack The Box – Easy Phish

Hello world, welcome to Haxez. Today I’m going to be looking at the retired Easy Phish OSINT challenge from Hack The Box. The challenge description explains:

“Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?”

Based on the information provided, it seems like this will have something to do with enumerating the DNS records on the domain.

Enumeration

In order to solve this challenge we need to understand how to look up the DNS records associated with a domain. Furthermore, we will need to know which records to query. Once we know that, we should be able to retrieve the flag from the DNS records of the domain. First, we can use NS lookup. Unfortunately, we only get the A record associated with the domain.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
Name: secure-startup.com
Address: 34.102.136.180

Since we know we’re looking for a flag we could try to brute force subdomains, perhaps the flag is a subdomain. However, a more likely approach would be to look at the TXT records as TXT records can contain text and are likely going to be the hiding place of our flag.

First, I start off by performing a nslookup where the query type is set to TXT. This appears to give us the flag, well part of it anyway. As you can see below we have a partial flag claiming that SPF is dead and is always second.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=txt secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
secure-startup.com text = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Second to what? DMARC probably. SPF only checks the “envelope from” address, which can be easily circumvented by attackers who spoof the visible “from” address. DMARC, on the other hand, checks both the “envelope from” and visible “from” addresses to prevent unauthorized use of domain names. It also provides a mechanism for domain owners to receive reports on email authentication failures. DMARC is considered to be a more effective solution for email authentication than SPF alone.

Solving Hack The Box Easy Phish

So, we can now change our query to query the subdomain _dmarc for a TXT record. This value would usually contain information about the configuration of the mail server but in this case, it has the second half of the flag.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=TXT _dmarc.secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
_dmarc.secure-startup.com text = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

Put them together and pow, we have the flag.