Follow The Money
🕵️ Follow The Money
| Category | Author |
|---|---|
| 🕵️ OSINT | Brady |
Challenge Prompt
Hey Support Team,
We had a bit of an issue yesterday that I need you to look into ASAP. There’s been a possible case of money fraud involving our client, Harbor Line Bank. They handle a lot of transfers for real estate down payments, but the most recent one doesn’t appear to have gone through correctly.
Here’s the deal, we need to figure out what happened and where the money might have gone. The titling company is looping in their incident response firm to investigate from their end. I need you to quietly review things on our end and see what you can find. Keep it discreet and be passive.
I let Evelyn over at Harbor Line know that someone from our team might reach out. Her main email is offline right now just in case it was compromised, she’s using a temporary address until things get sorted out:
evelyn.carter@51tjxh.onmicrosoft.com
Problem Type
- OSINT
Password
[!NOTE] The password to the ZIP archive below is `follow_the_money`.
Solve
The ZIP archive contains a set of emails. I opened and reviewed each one.
The last email has a different link:
https://evergatetltle.netlify.app
Clicking the Transfer Closing Funds button and submitting data returns a Base64 string:
aHR0cHM6Ly9uMHRydXN0eC1ibG9nLm5ldGxpZnkuYXBwLw==
Decodes to: https://n0trustx-blog.netlify.app/
The hacker's name is N0trustX.
Visit GitHub.
Open the spectre.html repo.
Partway down in the HTML is:
```html
<div id="encodedPayload" class="hidden">ZmxhZ3trbDF6a2xqaTJkeWNxZWRqNmVmNnltbHJzZjE4MGQwZn0=</div>
```
Flag
flag{kl1zklji2dycqedj6ef6ymlrsf180d0f}
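Both decoding steps in the solve can be done in one pass over saved page source. The following is an added example, not part of the original writeup: the function names are hypothetical, and `SAMPLE_SOURCE` is a constructed snippet that reuses the two Base64 values shown above (the `<script>` line around the first value is an assumption about how it was delivered).

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters (16 or more) with optional padding.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FLAG_RE = re.compile(r"flag\{[^}]+\}")

# Constructed sample input; the two encoded values are the ones from the writeup.
SAMPLE_SOURCE = """
<button>Transfer Closing Funds</button>
<script>const next = atob("aHR0cHM6Ly9uMHRydXN0eC1ibG9nLm5ldGxpZnkuYXBwLw==");</script>
<div id="encodedPayload" class="hidden">ZmxhZ3trbDF6a2xqaTJkeWNxZWRqNmVmNnltbHJzZjE4MGQwZn0=</div>
"""


def decode_candidate(token):
    """Return decoded text if token is strict Base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None  # valid padded Base64 is always a multiple of 4 long
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_strings(page_source):
    """Return (kind, decoded) pairs for each decodable Base64 token, in page order."""
    findings = []
    for token in B64_CANDIDATE.findall(page_source):
        text = decode_candidate(token)
        if text is None:
            continue  # ordinary identifier or binary data, not hidden text
        if text.startswith(("http://", "https://")):
            kind = "url"
        elif FLAG_RE.fullmatch(text):
            kind = "flag"
        else:
            kind = "text"
        findings.append((kind, text))
    return findings


if __name__ == "__main__":
    for kind, text in find_encoded_strings(SAMPLE_SOURCE):
        print(f"{kind}: {text}")
```

Decoding offline from saved source keeps the review passive, as the prompt asks, since no further requests are sent to the suspect site.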