Intel Writeup [HTB]

Salvador Rodríguez
4 min read · Oct 15, 2021

Description

It seems a huge trove of credit card details is being sold by a group going by the name flinchsec. Can you find any sites or artefacts associated with this group that we can use to detect them?

Social Media

When we first search for flinchsec, we find this LinkedIn profile.

This gives us a name: Ractor Burton. I searched for the username with several tools but came up with nothing. Then I thought about reverse-searching the profile picture.

Once I saw that this image wasn't unique to the challenge, I knew that wasn't the way. At this point I decided to retrace my steps and look for more information on the LinkedIn profile, and that's when I found the next clue.

Having this website opens up new leads for the investigation. When we visit it, the site appears to be unavailable, so we can use the Wayback Machine to look at its contents from before it disappeared.

Here we can see two possible clues: a domain and a link to a GitHub user. The domain led nowhere; a whois lookup only told us it was hosted on 000webhost, which is useless. So I decided to take a look at the GitHub account instead.

Github

The GitHub account is interesting precisely because it is almost empty, with only three contributions.

When taking a look at the musical-computing-machine repo, it also seems to be useless. There’s nothing in it…or is it?

In the Releases tab we find a single release containing three files. The first file is an executable; the other two are of no interest. I downloaded the executable and did some analysis, which once again turned up nothing.

Executable

This was the trickiest part, not because it was hard, but because you had to remember your context. When doing OSINT Investigations, it is imperative to always have your objective in mind. In our case, we were behind a criminal group that was obtaining a large amount of credit card details. So let’s think about their modus operandi. We know a way of doing this is through phishing, but so far we haven’t had any clue about it. There are also breaches, but again, we have no signs of it. There’s also malware, and…we have a .exe which could make this option possible.

One common method of classifying and identifying malware is by file hash, specifically the MD5 hash. So I went ahead and obtained the MD5 sum using the following command:

md5sum <file>

and then looked up the hash using VirusTotal. Here we find a match for the hash.

The next thing is to look at the match’s details and there we can find our flag.
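As an added example (not part of the original writeup, and not the challenge's real binary), here is how a defender would script the hashing step above so it produces the MD5, SHA-1 and SHA-256 digests in one pass, matches the SHA-256 against a local blocklist, and builds the VirusTotal lookup for the hash. The sample bytes and the blocklist entry are constructed for the demo; the API key is a placeholder, and the request is built but never sent so the script runs offline.

```python
import hashlib
import os
import tempfile

# Constructed sample bytes standing in for the downloaded release binary.
# (Assumption: not the real file from the challenge; any bytes would do.)
SAMPLE_BYTES = b"hello"

# Constructed blocklist keyed by SHA-256. The entry is a made-up example,
# not a real indicator of compromise.
KNOWN_BAD_SHA256 = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":
        "demo-family (constructed entry)",
}


def file_hashes(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file.

    The file is read in chunks so large binaries need not fit in memory,
    and all three digests are updated from the same read.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def virustotal_lookup(hash_hex, api_key="<API-KEY-PLACEHOLDER>"):
    """Build (but do not send) the VirusTotal v3 file-report request.

    VirusTotal accepts an MD5, SHA-1 or SHA-256 as the file identifier, so
    the same hash you pasted into the web UI works here. The "gui" entry is
    the browser URL for the same report.
    """
    return {
        "url": f"https://www.virustotal.com/api/v3/files/{hash_hex}",
        "headers": {"x-apikey": api_key, "accept": "application/json"},
        "gui": f"https://www.virustotal.com/gui/file/{hash_hex}",
    }


def classify(path, blocklist=KNOWN_BAD_SHA256):
    """Hash the file and look the SHA-256 up in the local blocklist.

    SHA-256 is used as the identity key rather than MD5: MD5 is fine as a
    lookup handle, but it is collision-prone, so two different files can
    share one MD5. A missing match only means "unknown", not "benign".
    """
    hashes = file_hashes(path)
    return {"hashes": hashes, "match": blocklist.get(hashes["sha256"])}


def classify_bytes(data=SAMPLE_BYTES):
    """Write constructed bytes to a temp file, classify it, then clean up."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return classify(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = classify_bytes()
    for name, digest in result["hashes"].items():
        print(f"{name}: {digest}")
    print("blocklist match:", result["match"])
    print("lookup:", virustotal_lookup(result["hashes"]["sha256"])["gui"])
```

Running the script prints all three digests, the blocklist verdict for the constructed sample, and the VirusTotal report URL; to actually query the API you would send the built request with your own key. Note that a hash lookup only finds files that someone has already submitted, so "no match" on VirusTotal is not evidence that an executable is clean.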

Final Thoughts

This was a fun and quick activity. My main takeaway from the activity is that you should always keep in mind your objective. There is a good reason why you are doing what you are doing. Also, this is the first time I use VirusTotal for an OSINT activity which I think is pretty neat.
