
Write-Up Illumination HTB


In this writeup I will show you how I solved the Illumination challenge from HackTheBox. The challenge is an easy forensics challenge. Let’s start!

Initial Analysis

After downloading and unzipping the file we can see that there are two different files, bot.js and config.json. The first thing that I did was to open the config.json file with Notepad++, but there wasn’t anything that could help me. I did the same thing with the bot.js file, but the code was ok. So I tried the ls -al command on the directory to see if there were hidden files, and there was a .git directory.

Git

I decided to use git to see if there were any commits that could help me. This is the command I used to see the commit history:

git log --oneline

Now I knew that the flag was in the config.json file in the first commit. So I decided to explore the .git/logs directory a little bit, where I found a file called HEAD. I opened it and found the first commit hash, which is 1ccf7afbde496b9f53ffe7f22134b490e66008f7.

Using the git cat-file -p <file_hash> command I was able to look at one of the early commits.

┌──(marcocampione㉿kali)-[~/…/HTB_files/Illumination.JS/.git/logs]
└─$ git cat-file -p 1ccf7afbde496b9f53ffe7f22134b490e66008f7
tree 3051d4746a51f549ea82c72c6a23db3fbbd33c6a
author Dan <[email protected]> 1559250962 +0100
committer Dan <[email protected]> 1559250962 +0100

Moving to Git, first time using it. First Commit!

There was a tree object listed in this file. This was going to contain details of the modified files and could be treated in the same way.

┌──(marcocampione㉿kali)-[~/…/HTB_files/Illumination.JS/.git/logs]
└─$ git cat-file -p 3051d4746a51f549ea82c72c6a23db3fbbd33c6a
100644 blob 7eb834acc2350f020aa94cbd2f3f54767605fbfb    bot.js
100644 blob 316dc217bceb0ca5bfdfa814c18e60ac833620b6    config.json

Now I did the same thing with the config.json file and I found the token.

┌──(marcocampione㉿kali)-[~/…/HTB_files/Illumination.JS/.git/logs]
└─$ git cat-file -p 316dc217bceb0ca5bfdfa814c18e60ac833620b6
{

        "token": "SFRCe3YzcnNpMG5fYzBudHIwbF9hbV9JX3JpZ2h0P30=",
        "prefix": "~",
        "lightNum": "1337",
        "username": "UmVkIEhlcnJpbmcsIHJlYWQgdGhlIEpTIGNhcmVmdWxseQ==",
        "host": "127.0.0.1"

}   

I used CyberChef to decode the token and I got the flag.
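What the three git cat-file -p calls above do under the hood, as an added example that is not part of the original writeup: it follows commit -> tree -> blob by reading loose objects directly, then Base64-decodes the token field. It assumes loose (unpacked) objects; the object store, the minimal commit and the token value are constructed, and write_obj, read_obj, parse_tree, file_at_commit and demo are hypothetical helper names.

```python
import base64, hashlib, json, os, tempfile, zlib

def write_obj(objdir, kind, body):
    """Store a loose object as git does: zlib(header + NUL + body), named by its SHA-1."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_obj(objdir, sha):
    """Rough equivalent of `git cat-file` for a loose object: returns (type, body)."""
    with open(os.path.join(objdir, sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    return header.split(b" ")[0].decode(), body

def parse_tree(body):
    """Each tree entry is '<mode> <name>' + NUL + a 20-byte raw SHA-1."""
    entries, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        name = body[i:nul].split(b" ", 1)[1].decode()
        entries[name] = body[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries

def file_at_commit(objdir, commit_sha, path):
    """Follow commit -> tree -> blob, like the three cat-file calls in the writeup."""
    kind, body = read_obj(objdir, commit_sha)
    if kind != "commit":
        raise ValueError("not a commit: " + commit_sha)
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()
    blob_sha = parse_tree(read_obj(objdir, tree_sha)[1])[path]
    return read_obj(objdir, blob_sha)[1]

def demo():
    objdir = tempfile.mkdtemp()  # constructed stand-in for .git/objects
    secret = base64.b64encode(b"EXAMPLE{constructed_value}").decode()
    blob = write_obj(objdir, "blob", ('{"token": "%s"}' % secret).encode())
    tree = write_obj(objdir, "tree", b"100644 config.json\0" + bytes.fromhex(blob))
    commit = write_obj(objdir, "commit", ("tree %s\n\nFirst Commit!\n" % tree).encode())
    token = json.loads(file_at_commit(objdir, commit, "config.json"))["token"]
    return base64.b64decode(token).decode()

if __name__ == "__main__":
    print(demo())
```

The same walk shows why deleting a secret from the working tree does not remove it from the repository: the old blob stays reachable from the earlier commit until history is rewritten and the credential is rotated.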

Author: Marco Campione
MSc. Cybersecurity Student @KTH