We have a leak - OSINT Challenge



  • Alright so I found the 'default' pass, and based on the previous challenges I have a good idea what the pass for the zip should be but I'm pretty stuck now :/ If anyone can give me a nudge I'd appreciate it, I'll gladly pass along my process so far.

    Hack The Box

  • Pays to keep it simple on this one and read things carefully.

    As others have said, all answers are on social media.

    Both files will unzip with the correct password.

  • Phew, finally got it :D
    Turns out my zips were just acting weird on Windows.
    While I got a popup for the password on 'password.zip', it was actually asking for the password to username.zip. Knocked me off-course for a while. I actually had the correct passes since pretty much the beginning, I was just using them in the wrong order :))

    Hack The Box

  • hey guys, im a new chicken here and i was working on the Infiltration challenge. So, im stuck on twitter now. seriously do not know where to go/ what to do next.
    Can anyone please dm and guide me through this part please? that'd be really awesome. thanks :))

  • edited December 2019

    I am totally lost here. Any guidance from anyone would be really amazing! I think I may be along the right lines and just not piecing it together right but I really don't know what i'm doing at this stage :D

    Solved - turns out I was barking up completely the wrong tree but I solved it after coming back to it. Happy to point others in the right direction if anyone needs a prompt.


  • Type your comment> @Py0t3r said:

    This is crazy, I've got the username password for the zip file, the logic on that was rather simple but cool, now the zip password pass I dont have a clue on that one, I found something but not sure if I have the correct frame for this one...

    EDIT: Oh well apearently I wass just guessing and no using the right technique... cant say the name... awsome challenge...

  • edited December 2019

    Someone actually registered the domain name making this CTF kind of difficult. Someone might go down the path of trying to actually hack the domain thinking it is part of the CTF...

    EDIT: Done.

  • edited December 2019

    Got a semi-working pass for the second stage, getting an error though.

    Edit: Got it, silly mistake


    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • edited December 2019

    i need password, tried logging in with different variation of password changing changing season and year, not sure what is wrong, any hint please ?

    PS: Never mind , i had a typo

  • Can someone give me a small nudge for the username? Im fairly confident that I have all the necessary data for both the username and the password but apparently im entering it the wrong way.

  • Got it, must have messed up the input at the beginning and never bothered to try again :) thanks to @jmehys

  • Can anyone give me some nudge as well? Found some information from twitter but not too sure if the order or case of the input matters?

  • Thanks to everyone who have been a great help especially H11 and 0byte. I've managed to get the password to the last zip file after some manual "brute forcing". I realised that I already have the password in my list of "to try passwords" but I have probably mistyped it while keying it in .

  • Is the password for the username.zip an actual password or is it a username? I feel like I'm going the wrong direction.

  • username, have two options nickname and email.. as here it is just one of them two.


  • It's mandatory to being registered on Twitter?

  • @Sedekt said:
    It's mandatory to being registered on Twitter?

    No, but they make it difficult to use the "Tweets and Replies" tab on a user's profile. You can still view the tweets and retweets made without logging in, but seeing what someone replied to is more difficult. The search function will work, however.

  • Can someone send a nudge?

    I got through username.zip and am at password.zip.

    I think I've found all of the relevant twitter profiles, but am failing at putting together useful intel from the info on the profiles. Currently, I'm trying to bruteforce it, but I'd prefer to do this the right way (and without the numerous hours that bruteforcing is going to take).

    just need a push in the right direction. Thanks!

  • @Sedekt said:
    It's mandatory to being registered on Twitter?

    While I'm stuck where I'm at, I can say that for OSINT, having burner profiles on all the SM platforms is pretty much mandatory. You shouldn't have it tied to anything that would identify you as you - just use a burner email to register and don't use your phone. If you really want to pull out the stops - only use the profile through a VPN or TOR.

  • Well, finally I've got the challenge, all the info it was in front of me, just needed to mount the puzzle.

    No twitter account used, but It was more tricky.

    The fact that I don't have for twitter it's because it always ask me for a phone number, but using the 10 min sms doesn't work.

    Btw, great challenge!

  • Hey everyone, thank you for playing We Have a Leak!

    I really appreciated reading all your positive comments and I'm glad you enjoyed the challenge!

  • Guau! Put on the big glasses guys! Thanks @Dethread for the hint!

  • edited January 10

    I'm stuck on username.zip. I think I tried all permutations of hints from 2 ladies tweets ;( and still get incorrect pwd.

    Edit: Got into username.zip. It was hiding in the plain sight. As always I was focusing to much on the girls :) when the guy had the answer.

    Edit2: password.zip was actually kinda similar to the Breach challenge.

    BIG thanks @morjan27 for the hint! I learned a lot about https://hashcat.net/wiki/doku.php?id=rule_based_attack, but in the end I did not need it. After guessing the pattern I did it manually in few attempts.

  • Hey all, I have found my way into the username.zip file and believe I have found all the info I need for the password.zip but might be overthinking it. Any nudge is appreciated

    Hack The Box

  • Type your comment> @monstr said:

    @SleepyKaze Just pm me if you want, I can try to nudge you in the right direction :) I was stuck at the same place, but the answer was right infront of me the whole time.

    @elearning Media :)

    Do you have a moment to help me there too?

    Hack The Box

  • Can anyone PLEASE give me a hint ?
    I cant even describe how long im stuck on it and im pretty sure ive already seen the answer few times..

  • Type your comment> @Dan1T said:

    Can anyone PLEASE give me a hint ?
    I cant even describe how long im stuck on it and im pretty sure ive already seen the answer few times..

    Popup anyone ? :(

  • @greenwolf will you make new OSINT challenge? We need a new one :)


  • edited January 12

    Hey guys, I have a prob with the challenge. tried to crack the last zip with JTR but it's not working. Can anyone help me out?

  • I know I'm very close but just cant get the password right for password.zip. Can anyone give me a hint?

Sign In to comment.