HackTheBox OSINT Challenge We have a Leak

For any HackTheBox Challenge you need to first look for Files that can be downloaded or Start instances with a given port on docker.hackthebox.eu and for any zip file first password is always hackthebox.

So, I downloaded the zip file for this challenge and opened it with "hackthebox" password.


HackTheBox often consist of clues that can really help in understanding what needs to be done. For OSINT challenges always focus on these small details.


So, in this challenge we get to know that

Super Secure Startup's private information is being leaked; can you find out how?

So, I used the same approach as I used in earlier challenges. I looked for information on Social Media accounts linked to Super Secure Startup.



I find out that Twitter have a lot of information from there I got a default SSH which needs to be modified accordingly and act as a password to unzip username.zip and password.zip.


Follow the below procedure to retrieve a flag.

root@kali:~# cd Downloads/

root@kali:~/Downloads# unzip We_Have_a_Leak

Archive: We_Have_a_Leak.zip

[We_Have_a_Leak.zip] we_have_a_leak/mock_ssh_login.zip password:

inflating: we_have_a_leak/mock_ssh_login.zip

root@kali:~/Downloads# cd we_have_a_leak/

root@kali:~/Downloads/we_have_a_leak# ls

mock_ssh_login mock_ssh_login.zip

root@kali:~/Downloads/we_have_a_leak# cd mock_ssh_login/

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login# ls

abc.txt username.zip

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login# unzip username.zip

Archive: username.zip

[username.zip] username/password.zip password: CLUE: Search for a new joinee and use his username to unlock

extracting: username/password.zip

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login# ls

abc.txt username username.zip

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login# cd username/

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username# ls

password.zip

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username# unzip password.zip

Archive: password.zip

[password.zip] password/flag.txt password: CLUE: Search for Default SSH and modify it according to the new joinee.

inflating: password/flag.txt

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username# ls

password password.zip

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username# cd pas

bash: cd: pas: No such file or directory

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username# cd password/

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username/password# ls

flag.txt

root@kali:~/Downloads/we_have_a_leak/mock_ssh_login/username/password# cat flag.txt


After this you will get a flag.


Please share your comments and If you enjoyed this blog post, share it with a friend! See you guys in next post soon.

306 views0 comments

Recent Posts

See All