Challenge / OSINT

TheSuspiciousDomain

TheSuspiciousDomain is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Very Easy · Published 2025-02-24 · Sanitized local writeup

Scenario

TheSuspiciousDomain attack path

Objective

Challenge walkthrough focused on OSINT evidence, validation, and reusable operator lessons.

TheSuspiciousDomain sanitized attack graph

Walkthrough flow

  1. Inspect static React/Vite bundle for API routes and...
  2. Start API session to enumerate exact...
  3. Extract WHOIS contact fields, creation date, transfer...
  4. Resolve scenario mismatch by using live app evidence:...
  5. Submit accepted answer strings and request final...

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

87% coverage

Evidence verdict

Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.

  • OSINT/TheSuspiciousDomain/writeup.md
  • htb-challenge/OSINT/TheSuspiciousDomain/notes.md
  • htb-challenge/OSINT/TheSuspiciousDomain/memory-summary.md
  • htb-challenge/OSINT/TheSuspiciousDomain/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: The Suspicious Domain
  • Category: OSINT
  • Difficulty: Very Easy
  • Remote: <TARGET>:30162

Summary

The live app is a React/Vite DomainScope single-page app. The frontend bundle contains the WHOIS record for alexmorgan-reviews.net, DNS/hosting records, website preview content, and the API challenge flow.

The solve is to extract the WHOIS contact details and related infrastructure facts, submit the API's accepted answer formats, and request the final flag.
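The finding above is that the deployed bundle carries the WHOIS record and the API flow in the client. The following is an added example for this writeup, not the challenge's tooling or its solve/solve.py: a small audit that scans built JavaScript for API route literals, contact data and WHOIS-style object keys before a bundle ships. SAMPLE_BUNDLE is a constructed, minified-style fragment that mirrors what the page describes (an inlined WHOIS object plus the three /api/ routes the notes name); the e-mail address in it is a constructed placeholder because the real one is redacted on the page.

```python
"""Audit a built SPA bundle for data that should never ship client-side.

Added example for this writeup, not the challenge's own tooling or its
solve/solve.py. SAMPLE_BUNDLE is a constructed, minified-style fragment
that mirrors what the page describes: an inlined WHOIS object plus the
three API routes the notes name. The e-mail address in it is a
constructed placeholder, since the real one is redacted on the page.
"""
import re

SAMPLE_BUNDLE = (
    'const W={domain:"alexmorgan-reviews.net",'
    'registrant:{org:"Morgan Tech Reviews LLC",email:"contact@example.net",'
    'phone:"+1-408-555-0987",city:"San Jose"},'
    'creationDate:"2024-01-20",status:"clientTransferProhibited"};'
    'async function s(){return fetch("/api/start-challenge",{method:"POST"})}'
    "async function a(q,v){return fetch('/api/submit-answer',"
    "{method:'POST',body:JSON.stringify({q,v})})}"
    'async function f(){return fetch("/api/get-flag")}'
)

# Route literals under /api/, quoted with either quote style.
ROUTE_RE = re.compile(r"""["'](/api/[A-Za-z0-9_./-]+)["']""")
# Contact data that tends to be copied into bundles from server-side records.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{1,3}-\d{3}-\d{3}-\d{4}")
# Object keys whose presence suggests a whole WHOIS-style record was inlined.
RECORD_KEYS = ("registrant", "admin", "tech", "creationDate", "nameServers", "whois")


def audit_bundle(js: str) -> dict:
    """Return the API routes, contact data and record-like keys found in js."""
    record_keys = [k for k in RECORD_KEYS if re.search(rf"\b{k}\s*:", js)]
    return {
        "api_routes": sorted(set(ROUTE_RE.findall(js))),
        "emails": sorted(set(EMAIL_RE.findall(js))),
        "phones": sorted(set(PHONE_RE.findall(js))),
        "record_keys": record_keys,
    }


def is_clean(report: dict) -> bool:
    """A bundle may legitimately name its API routes; inlined contact data
    or record fields are what make it fail the audit."""
    return not (report["emails"] or report["phones"] or report["record_keys"])


if __name__ == "__main__":
    report = audit_bundle(SAMPLE_BUNDLE)
    for name, values in report.items():
        print(f"{name}: {values}")
    print("clean" if is_clean(report) else "bundle inlines data that belongs server-side")
```

Route names alone are not a finding, since a client has to call its API somehow; the audit fails only when contact data or record-shaped keys are present, which is exactly the condition that made this bundle the authoritative source in the solve.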

Artifact Inventory

  • analysis/http-index-response.txt: app shell.
  • analysis/index.js: frontend bundle with WHOIS/domain intelligence data.
  • analysis/api-start-response.txt: sanitized API question response.
  • analysis/whois-evidence.md: extracted WHOIS findings.
  • analysis/answer-format-attempts.txt: accepted answer validation.
  • solve/solve.py: reproducible API solve.

Analysis

The WHOIS record in the bundle shows privacy disabled and identical registrant/admin/tech contacts. The key contact fields were:

  • Email: <email redacted>
  • Phone: +1-408-555-0987
  • Organization: Morgan Tech Reviews LLC
  • City: San Jose
  • Creation date: 2024-01-20
  • Status: clientTransferProhibited

The DNS tab shows four GitHub Pages A records. The website preview and API accepted TechFlow as the targeted company, even though the chat scenario mentioned XyloPhone.
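The WHOIS observations above (privacy disabled, identical registrant/admin/tech contacts, a recent creation date, disposable-mail infrastructure) are the same signals a defender scores when triaging a domain. The following is an added example for this writeup, not the challenge's solve script: a triage routine that parses a WHOIS record and returns the indicators that fire. SAMPLE_WHOIS is constructed; its organization, phone, city, creation date and status are the values the analysis reports, while the contact address (redacted on the page) is a constructed mailbox at tempmail.com, the disposable provider the notes name. SAMPLE_MX and DISPOSABLE_DOMAINS are likewise constructed stand-ins; a real deployment would use a maintained provider list.

```python
"""Triage a WHOIS record for the indicators this writeup surfaces.

Added example for this writeup, not the challenge's own solve script.
SAMPLE_WHOIS is constructed: the organization, phone, city, creation date
and status are the values the analysis reports, while the contact
address (redacted on the page) is a constructed mailbox at tempmail.com,
the disposable provider the notes name. SAMPLE_MX is constructed to
reflect the finding that MX records point at disposable-mail infrastructure.
"""
from datetime import date

# Constructed stand-in for a maintained disposable-provider list.
DISPOSABLE_DOMAINS = {"tempmail.com"}

# Heuristic markers that a registrar or proxy service has redacted the record.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "not disclosed")

SAMPLE_WHOIS = """\
Domain Name: alexmorgan-reviews.net
Creation Date: 2024-01-20T00:00:00Z
Domain Status: clientTransferProhibited
Registrant Organization: Morgan Tech Reviews LLC
Registrant City: San Jose
Registrant Phone: +1-408-555-0987
Registrant Email: contact@tempmail.com
Admin Email: contact@tempmail.com
Tech Email: contact@tempmail.com
"""

# Constructed MX hosts for the same domain.
SAMPLE_MX = ["mx1.tempmail.com", "mx2.tempmail.com"]


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' WHOIS lines; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key and value and key not in record:
            record[key] = value
    return record


def under_disposable(host: str) -> bool:
    """True if host is a disposable-provider domain or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DISPOSABLE_DOMAINS)


def triage(whois_text: str, mx_hosts: list, as_of: date) -> list:
    """Return the names of the indicators that fire, in evaluation order."""
    rec = parse_whois(whois_text)
    hits = []

    contacts = [rec.get(k, "") for k in ("Registrant Email", "Admin Email", "Tech Email")]
    # Privacy counts as disabled when contact fields are present and unredacted.
    redacted = any(m in v.lower() for v in rec.values() for m in REDACTION_MARKERS)
    if any(contacts) and not redacted:
        hits.append("privacy-disabled")

    if all(contacts) and len({c.lower() for c in contacts}) == 1:
        hits.append("identical-contacts")

    registrant = rec.get("Registrant Email", "")
    if registrant and under_disposable(registrant.rsplit("@", 1)[-1]):
        hits.append("disposable-registrant-email")

    if any(under_disposable(h) for h in mx_hosts):
        hits.append("disposable-mx")

    created = rec.get("Creation Date")
    if created:
        # Creation dates arrive as ISO timestamps; the date part is enough here.
        age_days = (as_of - date.fromisoformat(created[:10])).days
        if 0 <= age_days <= 365:
            hits.append("recently-registered")

    return hits


if __name__ == "__main__":
    for name in triage(SAMPLE_WHOIS, SAMPLE_MX, date(2024, 6, 1)):
        print("indicator:", name)
```

The `as_of` parameter keeps the age check deterministic; evaluated on 2024-06-01 the record is about four months old and fires the recency indicator, while evaluated on the notes' 2026 start date it does not. `clientTransferProhibited` is a routine registrar lock and is deliberately not scored.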

Solve

Run:

```bash
python3 solve/solve.py <TARGET> 30162 --save loot/flag.txt
```

The script starts a session, submits all accepted answers, prints the flag, and optionally saves it to loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt.

Lessons

  • Inspect SPA bundles for embedded WHOIS/DNS data in web-backed OSINT challenges.
  • Treat live target content as authoritative when scenario text and deployed app disagree.
  • Preserve failed answer attempts to document exact answer-format quirks.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: The Suspicious Domain
  • Category: OSINT
  • Difficulty: Very Easy
  • Remote instance: <TARGET>:30162
  • Start time: 2026-05-11T19:14:19Z
  • Operator: Codex

Scenario Note

The chat scenario named alexmorgan-reviews.net and mentioned XyloPhone. The live DomainScope app uses the same domain but its preview/threat data targets TechFlow; the API accepted TechFlow as the targeted company.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
| --- | --- | --- | --- | --- |
| analysis/http-index-response.txt | 850 | see analysis/sha256sums.txt | HTTP response | Static app shell |
| analysis/index.js | 171488 | see analysis/sha256sums.txt | JavaScript | Frontend bundle with WHOIS data |
| analysis/api-start-response.txt | 1353 | see analysis/sha256sums.txt | HTTP/JSON response | Sanitized API question response |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
| --- | --- | --- | --- | --- | --- |
| 2026-05-11T19:14:19Z | Fetched / | analysis/http-index-response.txt | nginx serves DomainScope React/Vite app | High | Inspect bundle |
| 2026-05-11T19:14:36Z | Downloaded frontend assets | analysis/index.js, analysis/index.css | Bundle contains WHOIS, DNS, hosting, threat, preview data plus API calls | High | Query API questions |
| 2026-05-11T19:14:59Z | POST /api/start-challenge | analysis/api-start-response.txt | API returns nine WHOIS/domain intelligence questions | High | Extract WHOIS evidence |
| 2026-05-11T19:16:00Z | Reviewed bundle data | analysis/whois-evidence.md | Contact email, phone, creation date, organization, status, target, email service, IP count identified | High | Submit answers |
| 2026-05-11T19:17:00Z | Submitted answer candidates | analysis/answer-format-attempts.txt | API accepted all nine answers; TechFlow and TempMail required exact formatting | High | Request final flag |
| 2026-05-11T19:17:10Z | Requested /api/get-flag | loot/flag.txt | Final HTB-format flag captured and stored in loot only | High | Write solve script |

Key Findings

  • WHOIS privacy is disabled, exposing contact details directly.
  • Registrant/admin/tech contacts are identical.
  • Disposable email infrastructure appears in the registrant email and MX records.
  • The live API expected TechFlow as the targeted company, not XyloPhone.

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Do not paste them here.

| Time | Action | Output/File | Finding | Confidence | Next |
| --- | --- | --- | --- | --- | --- |
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: OSINT
  • Challenge: The Suspicious Domain
  • Difficulty: Very Easy
  • Source workspace: <local workspace>

Validated Solve Chain

  1. Inspect static React/Vite bundle for API routes and embedded DomainScope data.
  2. Start API session to enumerate exact WHOIS/domain-intelligence questions.
  3. Extract WHOIS contact fields, creation date, transfer status, DNS record counts, and preview target.
  4. Resolve scenario mismatch by using live app evidence: target company accepted as TechFlow.
  5. Submit accepted answer strings and request final flag.

Reusable Lessons

  • Domain OSINT challenge SPAs may embed full WHOIS, DNS, historical, threat, and preview data client-side.
  • Live app content can supersede chat scenario wording; record mismatches explicitly.
  • Answer validators may expect display/service names (TempMail) instead of raw domains (tempmail.com).

Dead Ends

  • XyloPhone Pro and XyloPhone were rejected for targeted company; TechFlow was accepted.
  • tempmail.com was rejected for email service; TempMail was accepted.

Tool Quirks

  • /robots.txt and /sitemap.xml returned the SPA shell.
  • Session cookies and session ids appear in API captures and must be redacted before memory export.

Evidence Paths

  • analysis/index.js
  • analysis/api-start-response.txt
  • analysis/whois-evidence.md
  • analysis/answer-format-attempts.txt
  • solve/solve.py

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: approved for sanitized learning auto-ingest by user instruction
  • Ingested into CTF LightRAG: 2026-05-11T19:22:13Z via track scan_20260511_192213_765c608c

Hypothesis Board

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | DomainScope bundle contains authoritative WHOIS and answer data | React bundle includes WHOIS record, DNS records, preview content, and API calls | Exact accepted answer strings | Submit candidates to /api/submit-answer | High | Confirmed |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
| --- | --- | --- | --- | --- |
| XyloPhone as targeted company | Submitted XyloPhone Pro and XyloPhone | API rejected both | Live app preview/threat data targets TechFlow | Revisit only if instance content changes |
| Email service as domain string | Submitted tempmail.com | API rejected | API expected display/service name TempMail | Revisit only if answer validator changes |

Technical analogy

How to remember this solve

Think of OSINT like building a detective board. Each source is one pinned note; the solve comes from connecting the notes that agree with each other and rejecting the ones that only look plausible.

For TheSuspiciousDomain, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.