Forensics Challenge Writeup: Lord Malakar's Resume

Introduction

The challenge involved analyzing a mysterious resume belonging to Lord Malakar to uncover secrets related to his fall from grace. We were provided with an email containing a link to his resume.

Email Analysis

The email contained a link to the resume at storage.microsoftcloudservices.com:[PORT]/index.php. A postscript instructed us to replace [PORT] with our instance's port and to point any hostnames at our instance's IP address (for example via an /etc/hosts entry).

Port and IP

Our instance was reachable at 83.136.250.101 on port 33728; we added an /etc/hosts entry mapping the hostname eldor.ia to that address.

Accessing the Website

We accessed the initial page at http://83.136.250.101:33728/index.php. This page displayed a fake resume for "John Doe" and a "View Full Resume" button.

search: URI

Clicking the button did not open a page. Instead the link used a search: URI, which a browser hands off to the Windows Search protocol handler:
search:displayname=Downloads&subquery=\\\\83.136.250.101@33728\\3fe1690d955e8fd2a0b282501570e1f4\\resumes\\

On a Windows host this opens an Explorer search window titled "Downloads", so the results look like local files. The subquery value is a UNC path in WebClient (WebDAV Mini-Redirector) syntax: \\host@port\path means a share served over HTTP on that host and port, so the listed files actually come from the attacker-controlled web server. That is the initial-access lure the flag refers to, and it also tells us where to look next: the same content should be reachable over plain HTTP at http://83.136.250.101:33728/3fe1690d955e8fd2a0b282501570e1f4/resumes/.

Exploring the Web Server

We used curl to explore the web server at http://83.136.250.101:33728/. Accessing http://83.136.250.101:33728/3fe1690d955e8fd2a0b282501570e1f4 resulted in a 301 Moved Permanently redirect to http://83.136.250.101:33728/3fe1690d955e8fd2a0b282501570e1f4/.

Navigating to the redirected URL in the browser showed a directory listing.

Finding the Resume

Within the directory listing, we found a resumes/ directory (the same path named in the search: URI) containing resume_official.pdf. Examining this resume revealed fantastical contact information and hints of Lord Malakar's dark ambitions.

The Key in config.js

We then found a file named config.js on the web server that contained a Base64-encoded key:

key = base64.decode("SFRCezRQVF8yOF80bmRfbTFjcjBzMGZ0X3MzNHJjaD0xbjF0MTRsXzRjYzNzISF9Cg==")

Decoding the Flag

We used Python to decode the Base64 string:

import base64

# Base64 string taken from config.js on the challenge web server
encoded_string = "SFRCezRQVF8yOF80bmRfbTFjcjBzMGZ0X3MzNHJjaD0xbjF0MTRsXzRjYzNzISF9Cg=="
decoded_bytes = base64.b64decode(encoded_string)
# The encoded data ends with a newline (the trailing "Cg=="), so strip it
decoded_string = decoded_bytes.decode('utf-8').rstrip()
print(decoded_string)

This resulted in the flag:

HTB{4PT_28_4nd_m1cr0s0ft_s34rch=1n1t14l_4cc3s!!}

Conclusion

The challenge was solved by exploring the web server linked in the initial email, finding Lord Malakar's resume which provided context, and then locating and decoding a Base64 string in config.js to reveal the flag.