Name: | Peel Back The Layers |
---|---|
Hint: | It seems a huge trove of credit card details is being sold by a group going by the name flinchsec. Can you find any sites or artefacts associated with this group that we can use to detect them? |
Base Points: | Easy - Retired [0] |
Rated Difficulty: | |
HTB-Bot | |
Creator: | fallamos |
There is no download on this one but check the hint:
Hint: It seems a huge trove of credit card details is being sold by a group going by the name flinchsec. Can you find any sites or artefacts associated with this group that we can use to detect them?`
We first need to search for flinchsec. The very first result is a LinkedIN profile for Ractor Burton in the UK:
Clicking the Contact Info link will pop up a window with a website link of:
But when we click that link, we get a "Page not found" error.
If we check the Wayback Machine (internet Archive) and go back to the Oct 2020 snapshot, we can see the old website.
Follow that github link and dig through it. In Tags we find a v01 tag. Clicking it, we see an exe, a zip, and a tarball. If we download the exe, we can attempt to reverse engineer it. Once I download it, my AV goes ballistic. So instead, sandbox the file and upload it into VirusTotal.
Sure enough, it's a Trojan. Go to the Details tab, and you'll see the flag under the Names section.
HTB{051N7_F0R_M3}.exe