help@cyb4rgeek.xyz

+1 (512) 588 6950

Illumination — HackTheBox Forensics Writeup with Flag | 2023

Home/Illumination — HackTheBox Fo...
Illumination — HackTheBox Forensics Writeup with Flag | 2023

Description:

A Junior Developer just switched to a new source control platform. Can you find the secret token?

Task Files:

Download the Task Files Here

Analysis:

  1. Let’s list all the contents of the Task File

We found 2 Files and 1.git Directory

2. Let’s View the contents of bot.js

//Discord.JS
const Discord = require("discord.js");
const client = new Discord.Client();
const fs = require("fs");
var config = JSON.parse(fs.readFileSync("./config.json"));

//Node-Hue-API
var hue = require(“node-hue-api”),
HueApi = hue.HueApi,
lightState = hue.lightState;

//Display command results in console
var displayResult = function(result) {

console.log(JSON.stringify(result, null, 2));

};

//Function taken from campushippo.com
var rgbToHex = function (rgb) {

var hex = Number(rgb).toString(16);
if (hex.length < 2) {

hex = “0” + hex;
}

return hex;
};

//Function taken from campushippo.com
var fullColorHex = function(r,g,b) {
var header = “0x”
var red = rgbToHex(r);
var green = rgbToHex(g);
var blue = rgbToHex(b);
return header+red+green+blue;
};

//Declarations
var host = config.host,
username = config.username,
api = new HueApi(host, username),
state = lightState.create(),
prefix = config.prefix,
lightNum = config.lightNum;

//Bot code
client.on(“ready”, () => {
console.log(`Logged in as ${client.user.tag}!`);
});

client.on(“message”, message => {
if (message.author.bot) return; //Ignore bot messages
if (message.content.indexOf(prefix) !== 0) return; //Ensure prefix is at the beginning

const args = message.content.slice(prefix.length).trim().split(/ +/g); //Split command into arguments
const command = args.shift().toLowerCase();

switch (command) {

case “light.off” : //Turn light off
api.setLightState(lightNum, state.off())
.then(displayResult)
.done();
message.channel.send(“Light Off!”);
break;

case “light.on” : //Turn light on
api.setLightState(lightNum, state.on())
.then(displayResult)
.done();
message.channel.send(“Light On!”);
break;

case “light.rgb” : //Change light colour
let r = args[0];
let g = args[1];
let b = args[2];
api.setLightState(lightNum, state.on().rgb(r, g, b))
.then(displayResult)
.done();
const embed = new Discord.RichEmbed()
.setTitle(‘Light Colour Change’)
.setColor(fullColorHex(r, g, b))
.setDescription(`Red Value: ${r}. Green Value: ${g}. Blue Value: ${b}`);
message.channel.send(embed);
break;

case “light.switch” : //Switch to different light
let num = args[0];
lightNum = num;
//fs.writeFile(“./config.json”, JSON.stringify(config))
message.channel.send(`Light Number switched to ${lightNum}`);
}
});

client.login(Buffer.from(config.token, ‘base64’).toString(‘ascii’)) //Login with secret token

 

3. config.json

{

“token”: “Replace me with token when in use! Security Risk!”,
“prefix”: “~”,
“lightNum”: “1337”,
“username”: “UmVkIEhlcnJpbmcsIHJlYWQgdGhlIEpTIGNhcmVmdWxseQ==”,
“host”: “127.0.0.1”

}

 

From the config file there is a base64 encoded string, so let’s decode it

Nothing Interesting was Found!! Seems like it was a clue : |

4. Let’s check the git log using the below command (you should be in the Illumination.JS folder before using the Command)

git log

We found some interesting sentences that the contributors have removed the unique token

5. So Let’s view that commit using the Command
(You should use the commit ID displayed for you like in the above screenshot)

git show 47241a47f62ada864ec74bd6dedc4d33f4374699

We found the removed token

6. Let’s decode it…

echo "SFRCe3YzcnNpMG5fYzBudHIwbF9hbV9JX3JpZ2h0P30=" | base64 -d

Flag:

Ans: HTB{v3rsi0n_c0ntr0l_am_I_right?}     

Leave a Reply