Illumination

As soon as we download the files we can see that it is a Git repository because of the .git directory inside. Two files are tracked in the repository: bot.js and config.json. The bot basically connects to the Discord API. Here is the part where it uses a token from config.json.

client.login(Buffer.from(config.token, 'base64').toString('ascii'))             //Login with secret token 

Inspecting the config file we see this.

{
        "token": "Replace me with token when in use! Security Risk!",
        "prefix": "~",
        "lightNum": "1337",
        "username": "UmVkIEhlcnJpbmcsIHJlYWQgdGhlIEpTIGNhcmVmdWxseQ==",
        "host": "127.0.0.1"
}

We can see that a token is used, but in the checked-out version it has been replaced by a placeholder. The username is simple Base64 encoding. Decoding it reveals this message.

echo "UmVkIEhlcnJpbmcsIHJlYWQgdGhlIEpTIGNhcmVmdWxseQ==" | base64 -d

Red Herring, read the JS carefully 

Nothing special. Next, let's look at the history of the git repository. We can do that with the git command itself. I found it on this blog post which discusses git forensics. Just use this command inside the repository:

pwd
/root/Illumination.JS

git log --all --full-history

commit edc5aabf933f6bb161ceca6cf7d0d2160ce333ec (HEAD -> master)
Author: SherlockSec <dan@lights.htb>
Date:   Fri May 31 14:16:43 2019 +0100

    Added some whitespace for readability!

commit 47241a47f62ada864ec74bd6dedc4d33f4374699
Author: SherlockSec <dan@lights.htb>
Date:   Fri May 31 12:00:54 2019 +0100

    Thanks to contributors, I removed the unique token as it was a security risk. Thanks for reporting responsibly!

commit ddc606f8fa05c363ea4de20f31834e97dd527381
Author: SherlockSec <dan@lights.htb>
Date:   Fri May 31 09:14:04 2019 +0100

    Added some more comments for the lovely contributors! Thanks for helping out!

commit 335d6cfe3cdc25b89cae81c50ffb957b86bf5a4a
Author: SherlockSec <dan@lights.htb>
Date:   Thu May 30 22:16:02 2019 +0100

    Moving to Git, first time using it. First Commit!

We can see that commit 47241a4 is the one that removed the token. We can check out the previous commit ddc606f to see config.json as it was before the removal. Do this with the following command.

git checkout ddc606f --force

Note: switching to 'ddc606f'

You need --force only if the working tree has uncommitted changes that the checkout would overwrite; git refuses to switch commits in that case, and --force throws those changes away rather than requiring you to commit them first. Git also puts you in 'detached HEAD' state, which is fine for reading. Checking the config.json file now reveals the following.

{
        "token": "SFRCe3YzcnNpMG5fYzBudHIwbF9hbV9JX3JpZ2h0P30=",
        "prefix": "~",
        "lightNum": "1337",
        "username": "UmVkIEhlcnJpbmcsIHJlYWQgdGhlIEpTIGNhcmVmdWxseQ==",
        "host": "127.0.0.1"
} 

The token is again a Base64 encoded string. Decode it and you have the flag.

echo "SFRCe3YzcnNpMG5fYzBudHIwbF9hbV9JX3JpZ2h0P30=" | base64 -d

HTB{***************************}
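The same recovery done without the git CLI, as an added example that is not part of this writeup or of the challenge files: a short Python script that constructs a throwaway repository in git's loose-object format (a base64 token in the first commit, a placeholder in the second; the flag value, commit messages and author are made up), then walks the commit chain from HEAD, pulls every historical version of config.json out of the object store, and scans them for base64 strings that decode to an HTB{ prefix. It shows why a later "removal" commit removes nothing: the old blob is still on disk under its SHA-1 and is reachable from the older commit.

```python
import base64
import hashlib
import re
import tempfile
import zlib
from pathlib import Path

def write_object(git_dir, kind, payload):
    """Store a loose object as git does: "<kind> <len>\\0<payload>", zlib-compressed, named by SHA-1."""
    data = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(data).hexdigest()
    path = git_dir / "objects" / sha[:2] / sha[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(data))
    return sha

def read_object(git_dir, sha):
    """Inverse of write_object: (kind, payload bytes) of one loose object."""
    data = zlib.decompress((git_dir / "objects" / sha[:2] / sha[2:]).read_bytes())
    header, _, payload = data.partition(b"\0")
    return header.split(b" ")[0].decode(), payload

def build_fixture(root):
    """Constructed sample repo (not the challenge's): commit 1 ships a base64 token in
    config.json, commit 2 swaps in a placeholder. The flag value and author are made up."""
    git_dir = Path(root) / ".git"
    (git_dir / "refs" / "heads").mkdir(parents=True)
    (git_dir / "HEAD").write_text("ref: refs/heads/master\n")
    token = base64.b64encode(b"HTB{example_flag_not_real}").decode()
    versions = [('{"token": "%s", "prefix": "~"}\n' % token, "First commit"),
                ('{"token": "Replace me with token when in use!", "prefix": "~"}\n', "Removed the unique token")]
    parent = None
    for body, message in versions:
        blob = write_object(git_dir, "blob", body.encode())
        # tree entry on disk: "<mode> <name>\0" + the 20 raw SHA-1 bytes of the blob
        tree = write_object(git_dir, "tree", b"100644 config.json\0" + bytes.fromhex(blob))
        lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
        lines += ["author Dev <dev@example.invalid> 1559214962 +0100",
                  "committer Dev <dev@example.invalid> 1559214962 +0100", "", message, ""]
        parent = write_object(git_dir, "commit", "\n".join(lines).encode())
    (git_dir / "refs" / "heads" / "master").write_text(parent + "\n")
    return git_dir

def walk_commits(git_dir):
    """Yield (sha, message, tree_sha) from HEAD back to the root commit, first parents only."""
    sha = (git_dir / "HEAD").read_text().strip()
    if sha.startswith("ref: "):  # symbolic ref; a detached HEAD holds the raw SHA instead
        sha = (git_dir / sha[5:]).read_text().strip()
    while sha:
        headers, _, message = read_object(git_dir, sha)[1].decode().partition("\n\n")
        pairs = [line.split(" ", 1) for line in headers.splitlines()]
        parents = [v for k, v in pairs if k == "parent"]
        yield sha, message.strip(), next(v for k, v in pairs if k == "tree")
        sha = parents[0] if parents else None

def tree_lookup(git_dir, tree_sha, name):
    """Blob SHA for `name` in a flat tree (subdirectories are not descended), or None."""
    _, payload = read_object(git_dir, tree_sha)
    pos = 0
    while pos < len(payload):
        nul = payload.index(b"\0", pos)
        if payload[pos:nul].split(b" ", 1)[1].decode() == name:
            return payload[nul + 1:nul + 21].hex()
        pos = nul + 21
    return None

def history_of_file(git_dir, name):
    """Every version of `name` on the first-parent chain, newest first (what `git log -p -- name` shows)."""
    out = []
    for sha, message, tree in walk_commits(git_dir):
        blob = tree_lookup(git_dir, tree, name)
        out.append((sha[:7], message, read_object(git_dir, blob)[1].decode() if blob else None))
    return out

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def find_b64_secrets(git_dir, name, prefix=b"HTB{"):
    """Scan every historical version of `name` for base64 runs decoding to something that starts with `prefix`."""
    hits = []
    for short, _, content in history_of_file(git_dir, name):
        for candidate in B64_RUN.findall(content or ""):
            try:
                decoded = base64.b64decode(candidate, validate=True)
            except ValueError:  # binascii.Error is a ValueError: bad length or padding
                continue
            if decoded.startswith(prefix):
                hits.append((short, decoded.decode(errors="replace")))
    return hits

def demo():
    """Build the fixture in a temp dir and recover the token that the newer commit 'removed'."""
    with tempfile.TemporaryDirectory() as root:
        git_dir = build_fixture(root)
        versions = history_of_file(git_dir, "config.json")
        return {"messages": [m for _, m, _ in versions],
                "hits": find_b64_secrets(git_dir, "config.json")}

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the recovered token together with the short SHA of the commit that still holds it. With the real CLI the equivalents are git log -p -- config.json, git show ddc606f:config.json (which prints the old file without a checkout, without --force and without leaving the current branch) and git log -S SFRC --all to find the commits that introduced or removed a string. The reader above handles loose objects only; once a repository has been packed (after git gc, or in a clone fetched over the network) the objects live in .git/objects/pack/*.pack and you need git itself or a packfile parser to read them.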