TheSuspiciousReviewer
Name: The Suspicious Reviewer - Category: OSINT - Difficulty: Very Easy The target is a static SocialConnect profile page for TechReviewer2024. The About tab hides contact details until Show Contact is selected, but the frontend bundle already contains the...
Objective
Challenge walkthrough focused on OSINT evidence, validation, and reusable operator lessons.
Walkthrough flow
Fetch the React/Vite SPA shell and identify the...
Search the bundle for the target username to locate...
Confirm API-like routes are static fallbacks or 404...
Derive the submission candidate from the only exposed...
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.
- OSINT/TheSuspiciousReviewer/writeup.md
- htb-challenge/OSINT/TheSuspiciousReviewer/notes.md
- htb-challenge/OSINT/TheSuspiciousReviewer/memory-summary.md
- htb-challenge/OSINT/TheSuspiciousReviewer/hypothesis-board.md
Technical Walkthrough
Writeup
Challenge
- Name: The Suspicious Reviewer
- Category: OSINT
- Difficulty: Very Easy
Summary
The target is a static SocialConnect profile page for TechReviewer2024. The About tab hides contact details until Show Contact is selected, but the frontend bundle already contains the underlying profile object. The exposed contact email is the key finding.
Artifact Inventory
- analysis/http-index-response.html: React/Vite shell.
- analysis/index.js: minified bundle containing the profile data.
- analysis/profile-evidence.md: extracted profile/contact evidence.
- analysis/routes.md: route and API behavior notes.
Analysis
The SPA loads /assets/index-fPbXfhd6.js. Searching the bundle for the target username finds the embedded profile object:
username: TechReviewer2024
displayName: Tech Reviewer
location: San Francisco, CA
joinDate: March 15, 2024
email: <email redacted>
The rendered UI only exposes the email after toggling Show Contact; phone and location contact rows remain hidden. No backend answer-checking API is exposed: the prior challenge API routes return the SPA shell for GET and 404 for POST.
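The check described above, written as an audit of what a built SPA discloses regardless of UI toggles. This is an added example, not the challenge's solve/solve.py; the shell, bundle text, object name `P0`, field layout and all values are constructed placeholders, and `read_asset` stands in for however the asset is obtained.

```python
import re

# Constructed sample inputs; names and values are placeholders, not challenge data.
SHELL_HTML = (
    '<!doctype html><html><head>'
    '<script type="module" crossorigin src="/assets/index-EXAMPLE.js"></script>'
    '<link rel="stylesheet" href="/assets/index-EXAMPLE.css">'
    '</head><body><div id="root"></div></body></html>'
)
ASSETS = {
    "/assets/index-EXAMPLE.js": (
        'const P0={username:"ExampleUser2024",displayName:"Example User",'
        'location:"Springfield",joinDate:"March 15, 2024",'
        'contact:{email:"Reviewer@Example.test",phone:"555-0100"}};'
        'function Ab(){const[s,t]=useState(!1);return s?P0.contact.email:null}'
    )
}

SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+\.js)"', re.I)
FIELD = re.compile(r'([A-Za-z_$][\w$]*):"((?:[^"\\]|\\.)*)"')  # key:"value" in minified JS
EMAIL = re.compile(r'^[^@\s"]+@[^@\s"]+\.[^@\s"]+$')


def bundle_paths(shell_html):
    """JavaScript assets referenced by the SPA shell."""
    return SCRIPT_SRC.findall(shell_html)


def fields_near(bundle, anchor, window=400):
    """String fields in the minified text within `window` chars of `anchor`."""
    pos = bundle.find(anchor)
    if pos < 0:
        return {}
    chunk = bundle[max(0, pos - window):pos + len(anchor) + window]
    return dict(FIELD.findall(chunk))


def audit(shell_html, read_asset, username):
    """Map each bundle path to the e-mail-like fields it ships for `username`."""
    report = {}
    for path in bundle_paths(shell_html):
        fields = fields_near(read_asset(path), username)
        hits = {k: v for k, v in fields.items() if EMAIL.match(v)}
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    print(audit(SHELL_HTML, ASSETS.__getitem__, "ExampleUser2024"))
```

A non-empty report means the value reaches every visitor's browser whether or not the toggle is clicked; the fix is to serve such fields from an authorized API call rather than from bundled state.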
Solve
Run:
python3 solve/solve.py <TARGET> 31898 --save loot/flag.txt
The script fetches the SPA shell, locates the Vite bundle, extracts the profile email, and wraps the exact lowercased contact address in HTB flag format.
Flag
Raw flag is stored in loot/flag.txt.
Lessons
- Some very easy OSINT instances are static profile pages, not interactive answer APIs.
- For SPA-only OSINT challenges, inspect the shipped bundle for the same data the UI reveals after clicks.
- Preserve uncertainty when there is no live verifier API; document the derivation path clearly.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: The Suspicious Reviewer
- Category: OSINT
- Difficulty: Very Easy
- Remote instance: <TARGET>:31898
- Start time: 2026-05-11T19:28Z
- Operator: Codex
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| analysis/http-index-response.html | 486 | <hash redacted> | HTML document | React/Vite shell. |
| analysis/index.js | 161356 | <hash redacted> | JavaScript | Minified app bundle containing profile data. |
| analysis/index.css | 11809 | <hash redacted> | CSS | Frontend styling. |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-11T19:28Z | Queried CTF LightRAG for related TechReviewer/SocialConnect memory | command output | Results were unrelated machine notes; ignored as non-evidence. | High | Use live instance artifacts. |
| 2026-05-11T19:28Z | Fetched / | analysis/http-index-response.html | SPA loads /assets/index-fPbXfhd6.js. | High | Fetch bundle. |
| 2026-05-11T19:29Z | Fetched Vite bundle | analysis/index.js | Bundle embeds TechReviewer2024 profile, posts, friends, and contact email. | High | Extract contact evidence. |
| 2026-05-11T19:29Z | Tested API-like routes and source map | analysis/routes.md | No verifier API or source map exposed; POST API probes return 404. | High | Derive submission from exposed contact info. |
Key Findings
- TechReviewer2024 maps to display name Tech Reviewer.
- The exposed contact email is <email redacted>.
- Phone and location contact rows are intentionally hidden in the UI.
- Posts target TechFlow/TechFlow Pro; friend names and join dates support astroturfing indicators.
- No live answer-checking API is present on this instance.
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Do not paste them here.
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: OSINT
- Challenge: The Suspicious Reviewer
- Difficulty: Very Easy
- Source workspace: <local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Fetch the React/Vite SPA shell and identify the bundled JavaScript asset.
- Search the bundle for the target username to locate embedded profile, post, friend, and contact data.
- Confirm API-like routes are static fallbacks or 404 for POST; no live verifier is exposed.
- Derive the submission candidate from the only exposed contact value, preserving email punctuation inside the HTB wrapper.
Reusable Lessons
- Very Easy social-profile OSINT challenges may be static SPAs with the answer embedded in the frontend bundle.
- UI-hidden contact fields can often be read directly from minified app state constants.
- If no verifier API exists, document the derivation and avoid over-normalizing evidence values that may be expected verbatim.
Dead Ends
- Prior /api/start-challenge, /api/submit-answer, and /api/get-flag workflow was not present on this target.
- Source map and direct flag endpoints did not expose additional data.
Tool Quirks
- In zsh, using path as a loop variable shadows the shell PATH array and breaks command lookup.
- GET requests to unknown paths return the SPA shell, while POST to those paths returns 404.
Evidence Paths
- analysis/index.js
- analysis/profile-evidence.md
- analysis/routes.md
- solve/solve.py
Ingestion Decision
- Proposed for LightRAG: yes
- Requires user approval before ingestion: approved for sanitized learning auto-ingest by user instruction
- Ingested into CTF LightRAG: 2026-05-11T20:13:29Z via corrected track scan_20260511_201329_104b45a2
Hypothesis Board
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Contact email in SocialConnect About section is the target answer | Bundle Ku object and UI Show Contact section expose email | Exact HTB platform submission wrapper cannot be server-verified on this static instance | Normalize email into HTB flag format and preserve evidence | High | Accepted locally as solve candidate |
| 2 | There is a hidden challenge API like prior OSINT instances | Prior challenges used /api/start-challenge, /api/submit-answer, /api/get-flag | Current GET routes are SPA fallback and POST routes are 404 | Probe low-volume API endpoints | Low | Closed |
| 3 | Source map or static file contains explicit HTB{} flag | Vite assets sometimes expose source maps | /assets/index-fPbXfhd6.js.map is SPA fallback/404 depending on method; bundle has no HTB{} string | Search bundle and request source map | Low | Closed |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
| API verifier | POST /api/start-challenge, /api/submit-answer, /api/get-flag | 404 responses | Static SPA instance lacks challenge API | New route discovered in bundle or server behavior changes |
| Explicit flag in bundle | Regex search for HTB{...} and flag | No HTB flag literal; flag hits React internals only | No embedded flag literal | New asset or source map discovered |
Technical analogy
How to remember this solve
Think of OSINT like building a detective board. Each source is one pinned note; the solve comes from connecting the notes that agree with each other and rejecting the ones that only look plausible.
For TheSuspiciousReviewer, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.