Jingle Bell — HTB Sherlock

Easy Sherlock

Sherlock Scenario

Torrin is suspected to be an insider threat in Forela. He is believed to have leaked some data and removed certain applications from their workstation. They managed to bypass some controls and installed unauthorised software. Despite the forensic team’s efforts, no evidence of data leakage was found. As a senior incident responder, you have been tasked with investigating the incident to determine the conversation between the two parties involved.


There are three files in this Sherlock's evidence:

Path: jinglebell/Torrincase/C/Users/Appdata/Local/Microsoft/Windows/Notifications

But only one file is required for this challenge.

  • wpndatabase.db

You can open it easily with an SQLite database browser.


I will use SQLite database browser throughout this walkthrough.

  • Select “Browse Data” tab
  • Select “Notification” table
  • Go to the toast type section (these 7 entries are all we need :))

Task #1

Which software/application did Torrin use to leak Forela’s secrets?

In the toast tag, what is launched?

Task #2

What’s the name of the rival company to which Torrin leaked the data?

What is the title in the header?

Task #3

What is the username of the person from the competitor organization whom Torrin shared information with?

Who accepted the invitation?

Task #4

What’s the channel name in which they conversed with each other?

In the third toast entry, where is “New Message”? (Enter it without the # sign.)

Task #5

What was the password for the archive server?

Fourth toast entry

Task #6

What was the URL provided to Torrin to upload stolen data to?

Sixth entry

Task #7

When was the above link shared with Torrin?

Uploaded the 6th entry to ChatGPT and got this Python script:

import datetime

# Define the timestamp value from the message
timestamp_str = "1681986889.660179"

# Convert the timestamp string to a float (assuming it's in seconds since Unix epoch)
timestamp_seconds = float(timestamp_str)

# Convert the timestamp to a timezone-aware datetime object in UTC
# (datetime.utcfromtimestamp() is deprecated since Python 3.12)
utc_datetime = datetime.datetime.fromtimestamp(timestamp_seconds, tz=datetime.timezone.utc)

# Print the UTC datetime in a readable format
print("Message Delivered at (UTC):", utc_datetime)
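
The browsing steps and the timestamp conversion above can also be done in one pass in code. This is an added example, not part of the original walkthrough: it reads the toast rows from the Notification table, pulls the launch string, header title and text lines out of each payload, and converts the epoch stamp to UTC. The in-memory database, its reduced column set (Type, Payload), the exampleapp:// launch string and all function names are constructed for illustration; only the timestamp is the value quoted above.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed toast payload; only the timestamp is the value quoted on this page.
SAMPLE_TOAST = (
    b'<toast launch="exampleapp://channel?id=C000EXAMPLE&amp;message=1681986889.660179">'
    b'<header id="T000EXAMPLE" title="Example Corp" arguments=""/>'
    b'<visual><binding template="ToastGeneric">'
    b'<text>New message in #example-channel</text>'
    b'<text>constructed message body</text>'
    b'</binding></visual></toast>'
)
EPOCH_RE = re.compile(r"\b(\d{10})\.(\d{6})\b")  # seconds.microseconds

def build_sample_db():
    """In-memory stand-in for wpndatabase.db with only the columns used here."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Notification (Id INTEGER PRIMARY KEY, Type TEXT, Payload BLOB)")
    con.executemany("INSERT INTO Notification (Type, Payload) VALUES (?, ?)",
                    [("toast", SAMPLE_TOAST), ("badge", b"<badge value='1'/>")])
    return con

def epoch_to_utc(text):
    """Find an epoch stamp in text; convert it without float rounding of the microseconds."""
    m = EPOCH_RE.search(text or "")
    if not m:
        return None
    base = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return base.replace(microsecond=int(m.group(2)))

def parse_toasts(con):
    """Return launch string, header title, text lines and UTC time for each toast row."""
    results = []
    query = "SELECT Payload FROM Notification WHERE Type = 'toast' ORDER BY Id"
    for (payload,) in con.execute(query):
        try:
            root = ET.fromstring(payload or b"")
        except ET.ParseError:
            continue  # skip rows whose payload is not well-formed XML
        header = root.find("header")
        launch = root.get("launch", "")
        title = header.get("title") if header is not None else None
        results.append({"launch": launch, "header_title": title,
                        "texts": [t.text for t in root.iter("text")],
                        "sent_utc": epoch_to_utc(launch)})
    return results
```

To run it against the real evidence, replace `build_sample_db()` with `sqlite3.connect("wpndatabase.db")` on a working copy of the file.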

Task #8

For how much money did Torrin leak Forela’s secrets?

Seventh entry


#bl4ckf0xk