Forensics Challenge Writeup: Lord Malakar's Resume
Introduction
The challenge involved analyzing a mysterious resume belonging to Lord Malakar to uncover secrets related to his fall from grace. We were provided with an email containing a link to his resume.
Email Analysis
The email contained a link to the resume at storage.microsoftcloudservices.com:[PORT]/index.php. The email also included a postscript instructing us to replace [PORT] with the instance's port and to ensure any hostnames point to our instance's IP address.
Port and IP
The user provided the port number 33728 and the IP address 83.136.250.101, which they mapped to eldor.ia in their /etc/hosts file.
Accessing the Website
We accessed the initial page at http://83.136.250.101:33728/index.php. This page displayed a fake resume for "John Doe" and a "View Full Resume" button.
search: URI
Clicking the button generated a search: URI that did not directly open anything:
search:displayname=Downloads&subquery=\\\\83.136.250.101@33728\\3fe1690d955e8fd2a0b282501570e1f4\\resumes\\
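The subquery above is a UNC path pointing at a remote share on the challenge host, which is what makes a search: URI worth flagging on an endpoint. The following is an added example, not code from the writeup: a small parser that extracts the share target from search: and search-ms: URIs (both the subquery= form seen here and the crumb=location: form) and labels any URI that would make Explorer open a remote share. The regular expression and the classification labels are my own heuristic.

```python
import re
from urllib.parse import parse_qs

# Matches a UNC path such as \\host@port\share\dir\ (two or more leading
# backslashes, because the writeup's URI shows them escaped as \\\\).
UNC_RE = re.compile(r"^\\\\+(?P<host>[^\\@]+)(?:@(?P<port>\d+))?\\+(?P<path>.*)$")

def parse_search_uri(uri):
    """Return the key=value parameters of a search: or search-ms: URI."""
    scheme, sep, query = uri.partition(":")
    if not sep or scheme.lower() not in ("search", "search-ms"):
        raise ValueError("not a search: / search-ms: URI")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def remote_share_target(uri):
    """Return (host, port, path) when the URI makes Explorer open a remote share, else None."""
    params = parse_search_uri(uri)
    # subquery= (as in this challenge) and crumb=location: both carry the search location.
    location = params.get("subquery", "")
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        location = crumb[len("location:"):]
    m = UNC_RE.match(location)
    if not m:
        return None
    return m.group("host"), m.group("port"), m.group("path")

def classify(uri):
    """Label a search: URI for a detection rule: 'remote-share' or 'local'."""
    return "remote-share" if remote_share_target(uri) else "local"

# Constructed samples: the URI from the challenge and a benign local search.
SAMPLES = [
    r"search:displayname=Downloads&subquery=\\\\83.136.250.101@33728\\3fe1690d955e8fd2a0b282501570e1f4\\resumes\\",
    "search-ms:displayname=Documents&crumb=location:C:\\Users\\Public\\Documents",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), remote_share_target(sample))
```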
Exploring the Web Server
We used curl to explore the web server at http://83.136.250.101:33728/. Accessing http://83.136.250.101:33728/3fe1690d955e8fd2a0b282501570e1f4 resulted in a 301 Moved Permanently redirect to http://83.136.250.101:33728/3fe1690d955e8fd2a0b282501570e1f4/.
Navigating to the redirected URL in the browser showed a directory listing.
Finding the Resume
Within the directory listing, we found a resumesS/ directory containing resume_official.pdf. Examining the content of this resume revealed fantastical contact information and hints of Lord Malakar's dark ambitions.
The Key in config.js
The user then found a key within a file named config.js on the website. The content of this key was:
key = base64.decode("SFRCezRQVF8yOF80bmRfbTFjcjBzMGZ0X3MzNHJjaD0xbjF0MTRsXzRjYzNzISF9Cg==")
Decoding the Flag
We used Python to decode the Base64 string:
import base64

# The Base64 string taken from config.js
encoded_string = "SFRCezRQVF8yOF80bmRfbTFjcjBzMGZ0X3MzNHJjaD0xbjF0MTRsXzRjYzNzISF9Cg=="
# Decode to raw bytes, then interpret them as UTF-8 text
decoded_bytes = base64.b64decode(encoded_string)
decoded_string = decoded_bytes.decode('utf-8')
print(decoded_string)
This resulted in the flag:
HTB{4PT_28_4nd_m1cr0s0ft_s34rch=1n1t14l_4cc3s!!}
Conclusion
The challenge was solved by exploring the web server linked in the initial email, finding Lord Malakar's resume which provided context, and then locating and decoding a Base64 string in config.js to reveal the flag.