ThePuppetMaster
ThePuppetMaster is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
ThePuppetMaster attack path
Objective
Challenge walkthrough focused on OSINT evidence, validation, and reusable operator lessons.
Walkthrough flow
Inspect static frontend bundle for API endpoints and...
Start the API session and save question metadata.
Resolve scenario mismatch by prioritizing live API...
Identify NZDF evidence image as a Bushmaster...
Submit accepted answer components and request final...
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.
- OSINT/ThePuppetMaster/writeup.md
- htb-challenge/OSINT/ThePuppetMaster/notes.md
- htb-challenge/OSINT/ThePuppetMaster/memory-summary.md
- htb-challenge/OSINT/ThePuppetMaster/hypothesis-board.md
Technical Walkthrough
Writeup
Challenge
- Name: The Puppet Master
- Category: OSINT
- Difficulty: Unknown
- Remote: <TARGET>:30796
Summary
The supplied chat scenario described a corporate BreachScope investigation, but the live target served a different OSINT challenge. The React bundle exposed an evidence image hosted by NZDF and the API returned five vehicle-identification questions.
The vehicle in the image is a Bushmaster protected mobility vehicle. The live API accepted the answer chain: Bushmaster, Thales Australia, 1997, Australia, and 9 passengers and 1 driver.
Artifact Inventory
- analysis/http-index-response.txt: app shell.
- analysis/index.js: frontend bundle with API routes and evidence image URL.
- analysis/source-image.jpg: downloaded evidence image.
- analysis/answer-format-attempts-2.txt: accepted answer-format validation.
- solve/solve.py: reproducible API solve.
Analysis
The frontend bundle calls:
- POST /api/start-challenge
- POST /api/submit-answer
- POST /api/get-flag
/api/start-challenge returns a session id and five questions. The image URL embedded in the bundle points to a NZDF asset. Visual inspection showed Bushmaster vehicles, not NZLAVs.
The first NZLAV/LAV III hypothesis was closed because all submitted variants were rejected by the API. Bushmaster was accepted for question 1, then the remaining accepted values matched Bushmaster OSINT facts and the API's expected answer format.
Solve
Run:
python3 solve/solve.py <TARGET> 30796 --save loot/flag.txt
The script starts a session, submits the five accepted answers, requests the final flag, prints it, and optionally saves it to loot/flag.txt.
Flag
Raw flag is stored in loot/flag.txt.
Lessons
- Treat live API output as source of truth when the provided scenario conflicts with the deployed target.
- For OSINT challenge UIs, inspect the frontend bundle before manual browsing; static assets often reveal the primary evidence.
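The bundle inspection described in the Analysis section and in the lesson above, as an added Python example that is not the challenge's solve/solve.py or any code from the original notes: it pulls same-origin /api/ routes and third-party asset hosts out of a bundle's string literals, which is everything a shipped frontend discloses to anyone who downloads it. SAMPLE_BUNDLE is constructed, the image path is a placeholder, and the function names and the NOISE_HOSTS filter are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a minified Vite bundle. The three route
# names come from the walkthrough; the image path is a placeholder.
SAMPLE_BUNDLE = (
    'const a=await fetch("/api/start-challenge",{method:"POST"});'
    'const b=()=>fetch(`/api/submit-answer`,{method:"POST",body:JSON.stringify(q)});'
    "const c=()=>fetch('/api/get-flag',{method:'POST'});"
    'const img="https://www.nzdf.mil.nz/PLACEHOLDER/evidence.jpg";'
    'const ns="http://www.w3.org/2000/svg";'
    'const d="/api/start-challenge";'
)

# A string literal (", ' or `) whose content starts with /api/.
ROUTE_RE = re.compile(r"""["'`](/api/[A-Za-z0-9_\-./]*)["'`]""")
# An absolute http(s) URL inside a string literal.
URL_RE = re.compile(r"""["'`](https?://[^"'`\s]+)["'`]""")
# Assumed noise list: hosts that show up in most React bundles and are not evidence.
NOISE_HOSTS = {"www.w3.org", "reactjs.org", "react.dev"}


def extract_routes(bundle: str) -> list[str]:
    """Return unique same-origin API paths in first-seen order."""
    return list(dict.fromkeys(ROUTE_RE.findall(bundle)))


def extract_external_urls(bundle: str) -> dict[str, list[str]]:
    """Group absolute URLs by host, skipping framework namespace noise."""
    by_host: dict[str, list[str]] = {}
    for url in URL_RE.findall(bundle):
        host = urlsplit(url).hostname or ""
        if host in NOISE_HOSTS:
            continue
        urls = by_host.setdefault(host, [])
        if url not in urls:
            urls.append(url)
    return by_host


if __name__ == "__main__":
    for route in extract_routes(SAMPLE_BUNDLE):
        print("route:", route)
    for host, urls in extract_external_urls(SAMPLE_BUNDLE).items():
        print("host:", host, "->", len(urls), "url(s)")
```

Run against a saved copy of the bundle by passing its text to the two functions in place of SAMPLE_BUNDLE.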
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: The Puppet Master
- Category: OSINT
- Difficulty: Unknown
- Remote instance: <TARGET>:30796
- Start time: 2026-05-11T18:31:26Z
- Operator: Codex
Scenario Mismatch
The prompt supplied in chat described a RivalTech/BreachScope fake-review campaign. The live target at <TARGET>:30796 served a React/Vite OSINT challenge about identifying a military vehicle from a NZDF evidence image. Live target responses were treated as source of truth.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| analysis/http-index-response.txt | 829 | <hash redacted> | HTTP response | Static app shell |
| analysis/index.js | 160894 | <hash redacted> | JavaScript | Frontend bundle and API calls |
| analysis/source-image.jpg | 84699 | <hash redacted> | JPEG | NZDF evidence image |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-11T18:31:26Z | Fetched / | analysis/http-index-response.txt | nginx serves React/Vite app titled Puppet Master | High | Inspect bundle |
| 2026-05-11T18:31:40Z | Downloaded frontend assets | analysis/index.js, analysis/index.css | Bundle exposes /api/start-challenge, /api/submit-answer, /api/get-flag | High | Query API |
| 2026-05-11T18:32:11Z | POST /api/start-challenge | analysis/api-start-response.txt | API returns five vehicle OSINT questions and session cookie | High | Identify image |
| 2026-05-11T18:33:00Z | Downloaded embedded NZDF image | analysis/source-image.jpg | Image shows Bushmaster protected mobility vehicles | High | Test answer formats |
| 2026-05-11T18:34:00Z | Submitted candidate answers | analysis/answer-format-attempts-2.txt | Accepted answer set found for all five questions | High | Request final flag |
| 2026-05-11T18:34:10Z | Requested /api/get-flag | loot/flag.txt | Final HTB-format flag captured and stored in loot only | High | Write solve script |
Key Findings
- Live task is a vehicle-identification OSINT flow, not the RivalTech/BreachScope scenario from the chat prompt.
- The embedded evidence image is hosted under www.nzdf.mil.nz and shows Bushmaster protected mobility vehicles.
- Accepted answer components:
  - vehicle: Bushmaster
  - manufacturer: Thales Australia
  - first service year: 1997
  - origin: Australia
  - capacity: 9 passengers and 1 driver
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Do not paste them here.
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: OSINT
- Challenge: The Puppet Master
- Difficulty: Unknown
- Source workspace: <local workspace>
Validated Solve Chain
- Inspect static frontend bundle for API endpoints and embedded evidence URLs.
- Start the API session and save question metadata.
- Resolve scenario mismatch by prioritizing live API evidence over prompt text.
- Identify NZDF evidence image as a Bushmaster protected mobility vehicle.
- Submit accepted answer components and request final flag.
Reusable Lessons
- In HTB web-backed OSINT challenges, frontend bundles may expose the authoritative evidence image and all API routes.
- If the chat prompt and live API disagree, record the mismatch and proceed from live target evidence.
Dead Ends
- NZLAV/LAV III identification was rejected by the live API.
Tool Quirks
- /robots.txt and /sitemap.xml returned the SPA shell rather than useful discovery content.
- The API required exact-ish accepted strings for some answers, especially capacity.
Evidence Paths
- analysis/index.js
- analysis/source-image.jpg
- analysis/api-start-response.txt
- analysis/answer-format-attempts-2.txt
- solve/solve.py
Ingestion Decision
- Proposed for LightRAG: yes
- Requires user approval before ingestion: approved for sanitized learning auto-ingest by user instruction
- Ingested into CTF LightRAG: 2026-05-11T19:22:13Z via track scan_20260511_192213_765c608c
Hypothesis Board
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Live API challenge is vehicle OSINT despite RivalTech prompt mismatch | Bundle embeds NZDF image and API questions ask vehicle identification | Exact accepted strings | Submit candidate answers to /api/submit-answer | High | Confirmed |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
| RivalTech/BreachScope fake-review scenario | Static bundle and /api/start-challenge response | No BreachScope/RivalTech strings in live bundle or API | Live instance serves different OSINT challenge | Revisit if HTB respawns a different instance or user provides another port |
| NZLAV identification | Submitted NZLAV/LAV III variants | All rejected by API | Evidence image is Bushmaster, not NZLAV | Revisit only if evidence image changes |
Technical analogy
How to remember this solve
Think of OSINT like building a detective board. Each source is one pinned note; the solve comes from connecting the notes that agree with each other and rejecting the ones that only look plausible.
For ThePuppetMaster, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.