I will walk through the Jingle Bell Sherlock.
We are given a database file, so let’s open it with sqlite3.
sqlite3 wpndatabase.db
And let’s see the contents of the database.
sqlite> .tables
HandlerAssets Notification TransientTable
HandlerSettings NotificationData WNSPushChannel
Metadata NotificationHandler
sqlite> .schema Notification
CREATE TABLE [Notification]( [Order] INTEGER NOT NULL PRIMARY KEY, [Id] INTEGER NOT NULL, [HandlerId] INTEGER CONSTRAINT[NotificationToHandler] REFERENCES[NotificationHandler]([RecordId]) ON DELETE CASCADE ON UPDATE CASCADE, [ActivityId] GUID,[Type] TEXT NOT NULL, [Payload] BLOB, [Tag] TEXT, [Group] TEXT, [ExpiryTime] INT64, [ArrivalTime] INT64, [DataVersion] INT64 DEFAULT '0', [PayloadType] TEXT NOT NULL, [BootId] INT64 DEFAULT '0', [ExpiresOnReboot] BOOLEAN DEFAULT 'FALSE', UNIQUE([Id]) ON CONFLICT REPLACE);
CREATE INDEX [notificationById] ON [Notification] ([Id]);
CREATE INDEX [notificationByApp] ON [Notification] ([HandlerId]);
CREATE INDEX [notificationByActivityId] ON [Notification] ([ActivityId]);
CREATE INDEX [notificationByAppByType] ON [Notification] ([HandlerId], [Type]);
CREATE INDEX [notificationByTagGroup] ON [Notification] ([HandlerId], [Type], [Group], [Tag]);
CREATE INDEX [notificationByType] ON [Notification] ([Type]);
CREATE INDEX [notificationExpired] ON [Notification] ([ExpiryTime] DESC);
OK, I see there is a column called Payload.
Which software/application did Torrin use to leak Forela’s secrets?
select Payload from Notification;
Then you can see that Slack was used for communication.
What’s the name of the rival company to which Torrin leaked the data?
If we look carefully at the messages, the rival company’s name appears in the notification title.
What is the username of the person from the competitor organization whom Torrin shared information with?
The username appears before the message text.
What’s the channel name in which they conversed with each other?
The channel name can be found between the text fields of the payload.
What was the password for the archive server?
The password is exposed in the message.
What was the URL provided to Torrin to upload stolen data to?
The URL is also written in the message.
When was the above link shared with Torrin?
There are two messages containing the shared URL.
Next to them you can see a number in the message field; it is actually a Unix epoch timestamp.
You can convert it to a human-readable date and time with an online tool such as this one:
https://www.epochconverter.com
For how much money did Torrin leak Forela’s secrets?
The amount of money that Torrin received is written in the message.
Actually, for this challenge you can also find all the answers with grep commands.
Go with whatever you feel comfortable with.
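As an added example that is not part of the original walkthrough, the script below does the Payload query and the timestamp conversion offline instead of reading raw BLOBs and pasting numbers into a website. It assumes the payloads are toast XML with the message in <text> nodes and that ArrivalTime is a Windows FILETIME; the schema is trimmed from the page’s .schema output and the sample notification is constructed.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SCHEMA = """CREATE TABLE [Notification]([Order] INTEGER NOT NULL PRIMARY KEY, [Id] INTEGER NOT NULL,
  [HandlerId] INTEGER, [Type] TEXT NOT NULL, [Payload] BLOB, [ExpiryTime] INT64, [ArrivalTime] INT64,
  [PayloadType] TEXT NOT NULL, UNIQUE([Id]) ON CONFLICT REPLACE);"""  # trimmed from the page's .schema output
# Constructed sample payload in toast XML layout (assumption: real Slack payloads carry the same <text> nodes).
SAMPLE_PAYLOAD = (b'<toast><visual><binding template="ToastGeneric"><text>New message in #example-channel'
                  b'</text><text>someuser: sent at 1700000000</text></binding></visual></toast>')
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """ArrivalTime/ExpiryTime are assumed to be Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def epoch_to_utc(seconds):
    """Offline replacement for the epoch converter website: Unix seconds to UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)

def payload_texts(blob):
    """Return the <text> nodes of a toast XML payload; fall back to the raw string if it is not XML."""
    raw = blob if isinstance(blob, str) else blob.decode("utf-8", errors="replace")
    try:
        return [t.text or "" for t in ET.fromstring(raw).iter("text")]
    except ET.ParseError:
        return [raw]

def dump_notifications(con):
    """One dict per notification: decoded texts, arrival time and any 10-digit Unix timestamps in the text."""
    sql = "SELECT Id, Type, Payload, ArrivalTime FROM Notification WHERE Payload IS NOT NULL ORDER BY [Order]"
    out = []
    for nid, ntype, payload, arrival in con.execute(sql):
        texts = payload_texts(payload)
        epochs = re.findall(r"\b1[5-9]\d{8}\b", " ".join(texts))  # 1500000000..1999999999 = 2017..2033
        out.append({"id": nid, "type": ntype, "texts": texts,
                    "arrival_utc": filetime_to_utc(arrival).isoformat() if arrival else None,
                    "epochs_utc": [epoch_to_utc(e).isoformat() for e in epochs]})
    return out

def build_sample_db():
    """In-memory stand-in for wpndatabase.db holding one constructed Slack-style toast."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    arrival = 116444736000000000 + 1700000000 * 10_000_000  # FILETIME of 2023-11-14 22:13:20 UTC
    con.execute("INSERT INTO Notification VALUES (1, 1, 1, 'toast', ?, NULL, ?, 'xml')",
                (SAMPLE_PAYLOAD, arrival))
    return con
```

Against the real file, call dump_notifications(sqlite3.connect("wpndatabase.db")) and print each row; the constructed sample is there only so the script runs without the evidence file.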