ByteGuardian
A Cyber Security Blog


#002 – HackTheBox – Jingle Bell

Note: I could not, for the life of me, find a readme file or any kind of information online that wasn’t a straight-up list of solutions to give me a hint or send me in the right direction. There is an aspect of this that I enjoy as I feel like I have to figure it out on my own but a little nudge in the right direction would not hurt. Even something as simple as a hint about which software to use.

Task 1 – Which software/application did Torrin use to leak Forela’s secrets?

With a little bit of “research” (googling), I was able to figure out that the wpndatabase.db is a Windows Push Notification database file, so I chose to use SQLite Database Browser to go through the data.

The second I saw Slack I had a good feeling it was the answer, but to be sure I just read through the code on the left, which confirmed my suspicions.

Answer: Slack

Task 2 – What’s the name of the rival company to which Torrin leaked the data?

Note: During some earlier “research” (once again… just googling) I found this useful repo which mentioned a tool called Notifications Visualiser available on the MS Store app. The type “toast” is for application push notifications, so using the visualiser we can rebuild each notification by simply pasting the payload into the Visualiser. By no means is this necessary but it’s kinda neat so I thought I’d add it here.

In each Slack notification we can see the name “PrimeTech Innovations”.

Answer: PrimeTech Innovations

Task 3 – What is the username of the person from the competitor organisation whom Torrin shared information with?

For every notification with an ID > 274 we can see the username “Cyberjunkie-PrimeTechDev”.

Answer: Cyberjunkie-PrimeTechDev

Task 4 – What’s the channel name in which they conversed with each other?

For every notification with an ID > 275 we can see the channel name “#forela-secrets-leak”.

Answer: forela-secrets-leak

Task 5 – What was the password for the archive server?

Within the notification with the ID 278 we can find that the message sent from Cyberjunkie-PrimeTechDev is “Confirmation that password is ‘Tobdaf8Qip$re@1’”.

Answer: Tobdaf8Qip$re@1

Task 6 – What was the URL provided to Torrin to upload stolen data to?

The notification with ID 280 shows Cyberjunkie-PrimeTechDev sending the link “https://drive.google.com/drive/folders/1vW97VBmxDZUIEuEUG64g5DLZvFP-Pdll?usp=sharing”.

Answer: https://drive.google.com/drive/folders/1vW97VBmxDZUIEuEUG64g5DLZvFP-Pdll?usp=sharing

Task 7 – When was the above link shared with Torrin?

This one had me scratching my head for a second because initially when I looked in the ArrivalTime column it was just one big number. After going back to the repo I found earlier for some guidance I found this script which parses the information within the database. I used the script within SQLite and it spat out the answer for me.

IMPORTANT Note: Something must have happened somewhere with the data on my end, as I could not actually figure out why my data was a few minutes out from the answer. I’d even figured out that the big number I mentioned earlier was a timestamp and I did some brief googling on how they work but every answer I entered was wrong. At some point, I got so fed up that I decided just to google the answer and all I could find was some other dude’s blog in which he hides the answers behind a paywall. In his words, he just inputted that entire line from the database into chatGPT and it spat out a Python script. He pasted a copy of the script with the correct timestamp, so I ran the script and got the answer that way. This could mean that I’m totally wrong and the answer isn’t actually within the ArrivalTime column, however, I’ve already wasted over an hour on something as basic as a timestamp, so I’m just going to wave the white flag. If anyone ever reads this blog and figures out if it was just my data or how I was an idiot I’d love to know so maybe leave a comment or get in touch with me via socials.

Answer: 2023-04-20 10:34:49
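The “one big number” in ArrivalTime is a Windows FILETIME: 100-nanosecond ticks counted from 1601-01-01 00:00:00 UTC, not a Unix timestamp, and converting it in local time instead of UTC is a common way to end up minutes or hours off. As an added example (not the repo’s script or anything from the original write-up), the code below converts FILETIME values to UTC and pulls the visible text lines out of a toast payload like the ones fed to the Visualiser in Task 2. The Notification table and its rows are constructed in memory; only the ArrivalTime column name comes from the page, the other column names are assumed.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert a FILETIME integer (as stored in ArrivalTime) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(moment):
    """Inverse of filetime_to_utc, used to check that a conversion round-trips exactly."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def toast_text(payload):
    """Pull the visible <text> lines out of a toast payload (bytes or str of XML)."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    root = ET.fromstring(payload)
    return [node.text.strip() for node in root.iter("text") if node.text]


# Constructed sample: one toast row shaped like the wpndatabase Notification table.
# Column names other than ArrivalTime are assumed; the FILETIME encodes 2023-04-20 10:34:49 UTC.
SAMPLE_PAYLOAD = (
    b"<toast><visual><binding template='ToastGeneric'>"
    b"<text>Cyberjunkie-PrimeTechDev</text><text>#forela-secrets-leak</text>"
    b"</binding></visual></toast>"
)
SAMPLE_ROWS = [(280, "toast", SAMPLE_PAYLOAD, 133264604890000000)]


def open_sample_db():
    """Build an in-memory SQLite database mimicking the Notification table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Notification (Id INTEGER, Type TEXT, Payload BLOB, ArrivalTime INTEGER)")
    con.executemany("INSERT INTO Notification VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def toast_timeline(con, min_id=0):
    """Return {Id: ('YYYY-MM-DD HH:MM:SS' UTC arrival time, text lines)} for toast rows."""
    query = "SELECT Id, Payload, ArrivalTime FROM Notification WHERE Type = 'toast' AND Id >= ? ORDER BY Id"
    return {nid: (filetime_to_utc(ft).strftime("%Y-%m-%d %H:%M:%S"), toast_text(payload))
            for nid, payload, ft in con.execute(query, (min_id,))}


if __name__ == "__main__":
    for nid, (when, lines) in toast_timeline(open_sample_db()).items():
        print(nid, when, " | ".join(lines))
```

Point `sqlite3.connect` at a copy of the real wpndatabase.db instead of `open_sample_db()` to run the same query over an actual database.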

Task 8 – For how much money did Torrin leak Forela’s secrets?

This one didn’t give me anywhere near as much trouble as the last one, but it still didn’t want to go down without a little fight. So the trick to this one is to use the pound symbol and make sure there are no spaces and commas. The data we’re looking for, though, is found within the notification which has the ID 281.

Answer: £10000
