Hack The Box – Infiltration

Posted on by haxez
Hack The Box Infiltration

Hello world, welcome to Haxez. Today I’m looking at the Infiltration OSINT challenge on Hack The Box. The challenge asks the following:

“Can you find something to help you break into the company ‘Evil Corp LLC’. Recon social media sites to see if you can find any useful information.”

Ok, the first thing I did was head straight to google and search for Evil Corp LL in quotation marks. This ensures that we only get exact matches in our results. This technique is known as Google Dorking, although this is a pretty basic search operator.

Links To The Answer

The first result appears to be a Linkedin page which actually has a flag on it. We are Infiltration masters with our first Google search. Unfortunately, it seems that someone is playing games as this flag does not work when submitted. I wasn’t sure what to make of this but we will come back to it later.

Infiltration LinkedIn

I started looking through the employees and found Brian Delany whose job title at Evil Corp LLC is a hacker. Interestingly, his profile had a base64 encoded string. I decided to decode it using CyberChef which produced the following:

“There are people out there that will lie, steal and cheat to hide their own imperfections and to

This gave me an idea, normally Hack The Box flags have a phrase but the fake flag on the Evil Corp LLC profile didn’t. if we take the string to CyberChef and ask it to bake it for us, we get some words of encouragement. Ok, this isn’t our flag. Time to move on.

CyberChef

I poked around on Linked in for a while longer but didn’t find much. I went back to Google and the second result was an Instagram page.

Infiltration of Instagram

I currently work as a penetration tester. One thing I’ve picked up is that before performing a Red Team engagement, it’s a good idea to look at the employee’s social media profiles. If you can spot a badge then you might be able to create a replica which could help get by security. The laptop and badge on this profile immediately caught my attention (Thanks Rich).

Instagram Infiltration

Unfortunately, you need to be registered to view the pictures properly. It’s 2023, who uses Instagram these days? It’s all about TikTok now, isn’t it? I’m kidding of course, I do have an Instagram account and visited her account on my phone. From there I was able to zoom in on the badge and find the flag.

BINGO

Conclusion

These OSINT challenges are a lot of fun. I don’t see any active ones though so I think Hack The Box has moved away from them. It’s a shame honestly because it’s been a good break from smashing my face into box after box. So far, these challenges haven’t require too much effort other than poking around on the web. I will be doing more of them for sure.