osint, free, easy
The Puppet Master
hackthebox
Task: OSINT challenge requiring investigation of a React web app to identify military equipment. Solution: Extract hidden image URL from JS source code, identify Bushmaster vehicle from NZDF website, gather technical specifications.
Techniques: source_code_analysis, image_reverse_search, technical_spec_lookup
The Puppet Master — HackTheBox
Description
The Puppet Master is an OSINT challenge that requires conducting an investigation based on data found in a web application and identifying military equipment.
Analysis
- The challenge website is built on React.
- In the JavaScript source code (viewed in DevTools), a direct link to an image used in the application was found:
  https://www.nzdf.mil.nz/assets/Uploads/BannerImages/20230525_NZDF_P1061532_025__FocusFillWyIwLjAwIiwiMC4wMCIsNjAwLDQwMF0.JPG
- The link leads to the official New Zealand Defence Force (NZDF) website.
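The source-code step above, as an added example that is not part of the original writeup: it pulls image URLs out of bundle text and decodes the `__FocusFill…` suffix to show what a hard-coded asset link reveals (host, original file name, resize arguments). The bundle fragment is constructed around the writeup's URL, the function names are hypothetical, and reading the suffix as a method name followed by base64-encoded JSON arguments (the pattern CMSs such as SilverStripe use for generated image variants) is an assumption.

```javascript
// Added example. SAMPLE_BUNDLE is constructed; only the image URL comes from the writeup.
const SAMPLE_BUNDLE =
  'function a(){return n.jsx("img",{src:"https://www.nzdf.mil.nz/assets/Uploads/BannerImages/' +
  '20230525_NZDF_P1061532_025__FocusFillWyIwLjAwIiwiMC4wMCIsNjAwLDQwMF0.JPG",alt:""})}' +
  'const l="/static/media/logo.6ce24c58.svg",d="https://example.com/api/v1/items";';

// Collect absolute URLs from bundle text and keep those whose path ends in an image extension.
function extractImageUrls(bundleText) {
  const candidates = bundleText.match(/https?:\/\/[^\s"'`\\()<>]+/g) || [];
  return [...new Set(candidates)].filter((u) => {
    try {
      return /\.(jpe?g|png|gif|webp)$/i.test(new URL(u).pathname);
    } catch {
      return false; // not a parseable URL
    }
  });
}

// Assumption: "<name>__<Method><base64(JSON array)>.<ext>" is a CMS-generated resized variant.
// The method name and the base64 run are both alphanumeric, so try every split point that
// starts with "W" (base64 of "[") and accept the first one that decodes to a JSON array.
function decodeVariant(url) {
  const file = decodeURIComponent(new URL(url).pathname.split('/').pop());
  const m = file.match(/^(.+)__([A-Za-z0-9_-]+)\.(\w+)$/);
  if (!m) return null; // no variant suffix: the URL already names the original file
  const [, base, token, ext] = m;
  for (let i = 1; i < token.length; i++) {
    if (token[i] !== 'W') continue;
    try {
      const args = JSON.parse(Buffer.from(token.slice(i), 'base64').toString('utf8'));
      if (Array.isArray(args)) {
        return { original: `${base}.${ext}`, method: token.slice(0, i), args };
      }
    } catch {
      // not valid JSON at this split point, keep scanning
    }
  }
  return null;
}

// One record per image URL: where it points and what the file name encodes.
function auditBundle(bundleText) {
  return extractImageUrls(bundleText).map((url) => ({ url, host: new URL(url).host, variant: decodeVariant(url) }));
}

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

Run against a production build before release, the same audit lists every third-party asset a client bundle discloses to anyone who opens DevTools.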
Solution
Step 1: Vehicle Identification
The image shows an armored vehicle. Searching the NZDF website and comparing images visually identified it as the Bushmaster Protected Mobility Vehicle (NZ5.5 variant), used by the NZDF.
...